The Barracuda Web Application Firewall features a flexible rule-matching engine that lets administrators create rules for handling and manipulating traffic. Different modules of the Barracuda Web Application Firewall rely on the rule-matching engine to perform operations such as:
- Send Web requests coming in from a specific IP network to a defined set of servers.
- Send traffic from mobile phones or other devices to a designated set of servers while simultaneously directing traffic from desktop or laptop browsers to other servers.
- Ensure that search engine bots that access the Web site for indexing are directed to only one server, avoiding unnecessary load on the remainder of the servers.
- Cache static data or compress responses from a portion of the Web site.
- Translate URLs, or add/modify/delete headers of the incoming requests and/or outgoing responses.
Administrators can block, allow or process incoming requests from clients based on different rules. Examples:
- Blacklist known bad headers
- Block a given set of Client IPs
- Apply rate control based on user agent
- Allow only Google / Yahoo / Microsoft search engine bots to access the Web site
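The rule-matching behaviour described above, as an added example in Python that is not Barracuda's code: requests are matched on client network, User-Agent and path, rules are evaluated top to bottom with the first match deciding the action, and a second, stricter rule set admits only search engine bots. The request model, the blacklisted header name, the network and the pool names are constructed for the example; the appliance's real rule syntax is not shown in the post.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# Constructed request model for the example; the appliance's own internal
# representation is not described in the post.
@dataclass
class Request:
    client_ip: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]
    action: str                   # "block", "allow", "rate_limit" or "route"
    target: Optional[str] = None  # server pool for "route", counter key for "rate_limit"


# Match helpers: each returns a predicate over a Request.
def ip_in(network: str) -> Callable[[Request], bool]:
    net = ipaddress.ip_network(network)
    return lambda r: ipaddress.ip_address(r.client_ip) in net


def user_agent_matches(pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda r: bool(rx.search(r.headers.get("User-Agent", "")))


def header_present(name: str) -> Callable[[Request], bool]:
    return lambda r: any(k.lower() == name.lower() for k in r.headers)


def path_prefix(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.path.startswith(prefix)


def match_all(_: Request) -> bool:
    return True


# Rules are evaluated top to bottom and the first match wins, so ordering is
# part of the policy: a mobile client asking for /static/ goes to the mobile
# pool, not the cache pool. Header name, network and pool names are constructed.
RULES: List[Rule] = [
    Rule("blacklist-bad-header", header_present("X-Debug-Override"), "block"),
    Rule("block-client-range", ip_in("203.0.113.0/24"), "block"),
    Rule("search-bots-one-server", user_agent_matches(r"googlebot|slurp|bingbot"), "route", "indexing-pool"),
    Rule("mobile-clients", user_agent_matches(r"android|iphone|ipad"), "route", "mobile-pool"),
    Rule("static-cache", path_prefix("/static/"), "route", "cache-pool"),
    Rule("rate-limit-scripted-ua", user_agent_matches(r"^(curl|python-requests)/"), "rate_limit", "scripted-ua"),
]

# Stricter policy: only the major search engine bots may crawl; everyone else is blocked.
BOTS_ONLY_RULES: List[Rule] = [
    Rule("allow-search-bots", user_agent_matches(r"googlebot|slurp|bingbot"), "allow"),
    Rule("deny-everyone-else", match_all, "block"),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, target) of the first matching rule, or the default route."""
    for rule in rules:
        if rule.match(req):
            return rule.name, rule.action, rule.target
    return "default", "route", "default-pool"


if __name__ == "__main__":
    samples = [
        Request("203.0.113.7", "/"),
        Request("198.51.100.5", "/static/app.css", {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)"}),
        Request("198.51.100.5", "/static/app.css", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)"}),
        Request("198.51.100.5", "/", {"User-Agent": "curl/8.0.1"}),
    ]
    for s in samples:
        print(s.client_ip, s.path, "->", evaluate(s))
```

The "rate_limit" action only names the counter key a request would be charged against; the actual rate accounting and the choice of thresholds are outside this sketch.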
Authentication and Authorization
Authentication may be required for only one part of the Web site, and there are times when administrators want to allow access to a portion of the Web site only after verifying that the user has the correct browser version. Both cases can be handled by the rule-matching engine.
Some capabilities are exposed as composite features so that they are available right out of the box. These features include:
- Instant SSL: Enables administrators to quickly deploy an HTTP application as an HTTPS application. This feature has two important aspects:
  - Ability to redirect all incoming HTTP requests to an HTTPS service, so that old bookmarked HTTP URLs are redirected to the HTTPS service.
  - Ability to rewrite all URLs in responses from http:// to https://. This eliminates the need for the administrator to scan the code and manually change every hard-coded link from http:// to https://.
- Cookie security: Because many applications manage their state by setting session data in cookies, it is important to ensure that cookies cannot be tampered with on the client side. The Cookie security module can digitally sign or encrypt outgoing cookies. In addition, the WAF has a set of other security measures that protect against cookie replay and similar threats.
- Data theft protection: The Barracuda Web Application Firewall’s data theft module can be used to scan all outgoing responses for sensitive information such as credit card numbers or social security numbers. In addition, these rules can be applied to specific parts of the Web application and to other sensitive data such as personal identification numbers, phone numbers or important dates.
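The three composite features above, as an added Python example that is not Barracuda's code: the outbound side of Instant SSL (redirecting plain-HTTP requests and rewriting the site's own http:// links), HMAC-signed cookies whose tampering is detected on the way back in, and masking of credit card and social security number patterns in response bodies, with a Luhn check so that arbitrary digit runs are not mistaken for card numbers. The hostname, cookie key and sample response text are constructed, and the HMAC scheme is a generic illustration of cookie signing, not the appliance's actual cookie format.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

SITE_HOST = "www.example.com"  # constructed: hostname of the protected application

# --- Instant SSL --------------------------------------------------------------

def https_redirect(host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Answer a plain-HTTP request with a permanent redirect to the HTTPS service,
    so that old bookmarked http:// URLs keep working."""
    return 301, {"Location": "https://%s%s" % (host, path)}

# Only links to this site are rewritten; third-party links are left alone. The
# lookahead stops the pattern from matching a longer hostname that merely starts
# with ours, e.g. http://www.example.com.evil.test.
_OWN_HTTP_LINK = re.compile(r"http://" + re.escape(SITE_HOST) + r"""(?=[/"'\s>]|$)""")

def rewrite_links(body: str) -> str:
    return _OWN_HTTP_LINK.sub("https://" + SITE_HOST, body)

# --- Cookie security ----------------------------------------------------------

COOKIE_KEY = secrets.token_bytes(32)  # constructed: a real deployment uses a persistent secret

def sign_cookie(value: str, key: bytes = COOKIE_KEY) -> str:
    """Append an HMAC-SHA256 tag so the client cannot change the value unnoticed."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def verify_cookie(signed: str, key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the original value if the tag checks out, else None (tampered or unsigned)."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(expected, tag) else None

# --- Data theft protection ----------------------------------------------------

_CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional space/dash separators
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_sensitive(body: str) -> Tuple[str, List[str]]:
    """Mask card numbers and SSNs in a response body, keeping the last four digits.
    Returns the masked body and a list of finding types for logging."""
    findings: List[str] = []

    def card_sub(m: "re.Match") -> str:
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw  # fails Luhn: an order number or similar, leave it alone
        findings.append("card")
        return "X" * (len(raw) - 4) + raw[-4:]

    def ssn_sub(m: "re.Match") -> str:
        findings.append("ssn")
        return "XXX-XX-" + m.group(0)[-4:]

    body = _CARD.sub(card_sub, body)
    body = _SSN.sub(ssn_sub, body)
    return body, findings

def filter_response(body: str, set_cookies: Dict[str, str]) -> Tuple[str, Dict[str, str], List[str]]:
    """Run the whole outbound pipeline over one response: rewrite links, mask data, sign cookies."""
    body = rewrite_links(body)
    body, findings = mask_sensitive(body)
    return body, {k: sign_cookie(v) for k, v in set_cookies.items()}, findings

if __name__ == "__main__":
    # Constructed sample response.
    sample = '<a href="http://www.example.com/pay">pay</a> card 4111 1111 1111 1111, SSN 123-45-6789'
    print(filter_response(sample, {"session": "u42"}))
```

Signing protects integrity only: the client can still read the cookie, so session data that must stay confidential needs the encryption option the post mentions. Masking keeps the last four digits, which is usually enough for a support agent while removing the part that is useful to a thief.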
We encourage Barracuda Web Application Firewall customers to try these rules or share their own unique rule sets in the comments section below, or with the larger Barracuda Web Application Firewall Community at http://forum.barracuda.com.