Recently, we purchased a Barracuda Web Application Firewall (WAF) 460 to parse user input for a couple of our critical web applications, namely those that need to touch our credit card environment. Just for clarification, I am NOT a web application administrator in the least. Yes, I can write scripts in PHP with a MySQL back-end. Nonetheless, I was tasked with setting up this appliance.
So I get the device, push a trunk to my desktop switch, and start digging into it. Out of the box, the WAF will work and will stop users from issuing SQL injections, cross-site scripting (XSS), data mining (credit card / SSN numbers), cookie poisoning, etc. Yet this may not be what is needed in your environment.
For instance, say that you have a POST or GET parameter whose value is longer than 40 characters. By default, that parameter would be blocked and the functionality of your web page or script is broken. Or say that you use client-side scripting to alter the values of a cookie. When this cookie is presented back to the server, it will be flagged as cookie poisoning and the cookie will be blocked. Again, this can effectively kill your application.
To help with these issues, the WAF has done two things:
- It has two modes: passive (logs the content but allows it through) and active (logs and blocks the content)
- It allows for web-application profiling
I noticed that, with the device in passive mode, it still blocked some content. After I first installed the device, I set it up as a reverse proxy for an internal website. When I would submit a form, the page would sometimes come back as “Web Page Not Found”. I correlated this with the logs on the WAF and found that one of the parameters was longer than the default allowed length. I double-checked to ensure that it was indeed in “Passive” mode, which it was, yet it was blocking this parameter now and again. I then upped the allowed length of the parameter. Voila! Suddenly the page loads every time without any issues whatsoever.
Now for web-application profiling: it is very handy to be a web-application developer or administrator when it comes to this section. I would say this is where the Barracuda Web Application Firewall excels. From here, you can define different pages within the website and customize each page to:
- Allow/Disallow specific attacks
- Allow/Disallow specific methods and content types
- Change allowed content and parameter length
- and much more
You can also further define the parameters for each web-page. You can:
- Require the parameter to be present
- Change the parameter type
- Change the parameter class
- And quite a bit more
For instance, one of the profiles I created was for a web page located at ‘/verifications/alpha/*’ (this matches any page found under /verifications/alpha). I changed the “Max Content Length” to be unset. This is because this site queries a SQL database for audio recordings and posts their links to the page. Many warnings and “Page Cannot Be Displayed” errors were cropping up until I changed this value. I also changed a parameter to not be validated, since it was preventing the page from being displayed: it was treated as a default parameter and did not meet the expectations of that default parameter.
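To make the profiling behaviour described above concrete, here is a small added model (not Barracuda's code, and a simplification of the real appliance) of how a per-URL profile overrides the default parameter rules, and how passive mode differs from active mode. The 40-character default length and the ‘/verifications/alpha/*’ profile come from this post; the glob matching, the rule fields and the sample requests are assumptions for illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_MAX_PARAM_LEN = 40  # out-of-the-box parameter length limit mentioned in the post


@dataclass
class Profile:
    """Per-URL profile; fields are an assumed simplification of the appliance's settings."""
    path_glob: str                                      # e.g. '/verifications/alpha/*'
    max_param_len: Optional[int] = DEFAULT_MAX_PARAM_LEN  # None means "not set" (unlimited)
    required: Set[str] = field(default_factory=set)      # parameters that must be present
    unvalidated: Set[str] = field(default_factory=set)   # parameters excluded from checks


def match_profile(profiles: List[Profile], path: str) -> Profile:
    """Pick the most specific (longest) matching glob, else fall back to the defaults."""
    hits = [p for p in profiles if fnmatch.fnmatch(path, p.path_glob)]
    return max(hits, key=lambda p: len(p.path_glob)) if hits else Profile("*")


def inspect_request(profiles: List[Profile], path: str,
                    params: Dict[str, str], mode: str = "passive") -> Tuple[bool, List[str]]:
    """Return (allowed, violations). Passive logs violations but allows; active blocks."""
    prof = match_profile(profiles, path)
    violations = []
    for name in prof.required:
        if name not in params:
            violations.append(f"missing required parameter {name}")
    for name, value in params.items():
        if name in prof.unvalidated:
            continue  # the parameter the post excluded from validation
        if prof.max_param_len is not None and len(value) > prof.max_param_len:
            violations.append(f"parameter {name} length {len(value)} > {prof.max_param_len}")
    allowed = (mode == "passive") or not violations
    return allowed, violations


if __name__ == "__main__":
    # Constructed sample: the post's profile with the length limit unset and one parameter unvalidated.
    profiles = [Profile("/verifications/alpha/*", max_param_len=None, unvalidated={"sid"})]
    long_value = "x" * 100
    print(inspect_request(profiles, "/verifications/alpha/list.php", {"q": long_value}))
    print(inspect_request(profiles, "/contact.php", {"msg": long_value}, mode="passive"))
    print(inspect_request(profiles, "/contact.php", {"msg": long_value}, mode="active"))
```

The second call shows why a violation in passive mode still deserves attention in the logs even though the request goes through; the third shows the same request being blocked once the device is switched to active.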
Now for a couple of issues that I have with the device. The first is that it is based on a Linux distro, yet I cannot SSH in or get into the device with read-only rights. I want to be able to monitor and view the information in /var/log; however, this is a no-go with Barracuda. Instead, the only way to retrieve the logs is to send them to a syslog server. To me this is unacceptable. I want to see the logs, as I fear that they may not be sending me all of the logs from the device, but just what they find “relevant”. However, access and the logs are the only two things I have a “bone to pick” with on the WAF.
We have been running this device in our network for the past week and have only run into one major problem. Basically, the WAF was only allowing a specific number of established connections and a specific number of “establishing” connections (more in another post). All in all, I believe this device was not too hard to set up, but more documentation would be preferred.