In a recent Microsoft Security Advisory, it was recommended that administrators disable the RC4 cipher in light of recent news on the exploitability of RC4. This follows an announcement by Cisco to its customer to avoid RC4 and instead use a stronger encryption suite to ensure security of the communications between client, servers and applications. Complicating the matter is the fact that, RC4 was a useful cipher suite to protect against the BEAST attack demonstrated by security researchers a few years back. However with the mainstreaming of TLS1.2 in the marketplace and more importantly supported by the recent versions of all of the major browser platforms, organizations can now adopt stronger encryption to ensure privacy and security of data communications.
Reverse Proxy Architecture Enables Full SSL/TLS Control
Fortunately for customers of the Barracuda Web Application Firewall, TLS 1.2 is supported by the Barracuda Web Application Firewall and our management interface makes it easy to control cipher suite and enforce rules to ensure the maximum protection of their critical applications without any underlying changes to the application servers themselves. Unlike other solutions that rely on span-port deployments for inspection, the Barracuda Web Application Firewall is architected to be a reverse-proxy from day one. This ensures that it can terminate and offload SSL/TLS encryption before data is passed to the backend servers. Benefits to this architecture are that customers can granularly select the allowed encryption protocols simply with a few clicks of the management interface.
Click here to see the larger version of this screenshot
- Disabling non-TLS 1.2 ProtocolsIn the Barracuda Web Application Firewall, you can turn off any encryption protocol versions earlier than TLS 1.2 simply by enabling or disabling the SSL or TLS versions. However given that some customers may still be using older browsers that only support TLS 1.1 or earlier versions, administrators may need to allow TLS 1.1 for a period of time as users transition to the latest browser platforms. The good news is that if you enable TLS 1.2 along with older TLS versions, the negotiation between the user and the WAF will always select the strongest encryption protocol.
- Customizing Cipher Suites Alternatively, users can granularly select known strong ciphers using the Add/Remove button in the Cipher section. In the case of RC4, you can simply block any RC4 encryption requests by the client and force them to use a stronger protocol. What’s also nice about this interface is that you can select the priority by ciphers by selecting the order on the “Selected Cipher” box. If you have customers who insist on using older versions of browsers or applications that absolutely must use RC4, you can minimize the impact of RC4 simply by putting it as the last entry in list of ciphers. In this case, clients only connect via RC4 as a very last resort.
Simplifying Security Management
As with all Barracuda products, the design philosophy with our products is to simplify IT for our customers. With the Barracuda Web Application Firewall, organizations can easily and granularly control level security and encryption without any cumbersome changes to their applications. Equally importantly, flexibility and granular control provided by the Barracuda Web Application Firewall allows organizations to adapt and change their security posture to adapt to the latest targeted and/or automated threats.
Learn how the Barracuda Web Application Firewall can help secure your applications by visiting the Barracuda Web Application Firewall page.
For more information about the Barracuda Web Application Firewall, visit these resources: