Automation of Barracuda Web Application Firewall with Puppet


Automating Application Security


Introduction

Organizations are adopting infrastructure as code to be more agile to business requirements. Configuration automation solutions such as Puppet have been leaders in this space and have successfully migrated applications from conventional development practices.
At the same time, the challenges that organizations face from external threats have been growing exponentially. The task is to adapt proven security best practices to the agility of the application development lifecycle.

Barracuda Web Application Firewall (WAF) has been a long-standing, cloud-enabled security solution for application security needs. This article is a perspective on how the Barracuda Web Application Firewall can aid the adoption of agile practices for application security in organizations. More specifically, we will focus on public cloud platforms such as Microsoft Azure and how configuration automation solutions like Puppet can be used with the Barracuda Web Application Firewall on Microsoft Azure. The upcoming sections provide an overview of the building blocks for achieving this.

Provisioning Barracuda WAF on Microsoft Azure

Azure solution templates can be used to easily deploy virtual machines in the Microsoft Azure infrastructure. Azure Resource Manager (ARM) templates also create the other Azure resources that are necessary for a seamless installation of the Barracuda WAF: a storage account (either an existing one or a new one), a network security group for filtering network traffic, a decoupled network interface card (NIC) that is attached to the Barracuda WAF virtual machine, and a public IP that is assigned to the NIC. All these resources are part of a resource group and can be referenced in another template if needed. A schematic representation of all the resources created by the Azure template for Barracuda WAF is shown below:

 

 

REST API for the Barracuda WAF

The REST API framework can be used to automate the configuration of the Barracuda WAF. Almost all the WAF configuration tasks can be achieved with API calls. Here’s an example API call to create a service.

curl http://<systemip>:<mgmt-port>/restapi/v1/virtual_services \
  -u 'token:' \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name": "demo_service", "ip_address": "<ipaddr>", "port": "80", "type": "http", "address_version": "ipv4", "vsite": "demo_vsite", "group": "demo_vsite_group"}'

In the above example, the call to the virtual_services API is sent as a POST request with a JSON body that carries the required parameters and their values to create a service. The token is passed as the basic-authentication user name with an empty password. It should be noted that this example is for REST API v1.
The version 9.1 firmware of the Barracuda Web Application Firewall offers a newer version of the REST API that provides API calls for almost all the configuration operations on the Barracuda WAF.

Application Security Best Practices Guideline

When a new application or a new version of an existing application is being introduced in a network, there are a few tasks that can be undertaken to ensure that the application is in line with the security guidelines maintained by the organization. The pre-launch security guideline check is most critical in avoiding untoward incidents and in implementing a quick incident response strategy.

The guideline typically focuses on the following aspects:

This is further illustrated through a schematic diagram here:

 

 

Blue-Green Deployment

A Blue-Green deployment methodology can be used to reduce any potential downtime and risk by running two identical environments, blue and green.

The blue environment can be the default production environment and the green environment can be the idle staging environment, in which the Puppet agent can execute the Puppet catalog to create the workflow.

Once the WAF is fine-tuned for optimum configuration, the application URL can be changed to the production URL and the site can go live.

Puppet

Puppet has been a pioneer in the configuration automation scene and has a proven track record for automating the configuration and management of enterprise workloads. Puppet Forge is a hub for publicly available Puppet modules that the community can download and use in their organization.

Application Security Automation Methodology

The following section provides a methodology for automating the best practice guideline described in the previous section with Puppet, the Barracuda Web Application Firewall and the Barracuda Vulnerability Remediation Service. A Puppet environment is created that includes multiple Puppet modules, which in turn have manifest files for specific tasks in the application security automation lifecycle. After reviewing the Puppet Forge modules, we have used some of them in our examples to showcase the automation features. Here’s a schematic illustration of a Puppet environment structure:

 

Automation Workflow

Note:

  • The module azureprofiles is used to create Azure resources such as the storage account. It also acts as a placeholder for any additional Azure resources that need to be created.
  • The module azureroles is used to include the other modules.

Workflow used in the code example is as follows:

 

 

Puppet Manifest Example

Puppet manifest for creating the Barracuda WAF using the ARM template is shown below:

 

Barracuda WAF Configuration

Once the Barracuda WAF is provisioned on Azure, the “azurecudawafconfig” module is used to configure the WAF. REST API calls are made from a Ruby script that connects to the WAF and configures the service and the rule groups.
The sample script available in the module performs the following operations:

  1. Accepts the EULA
  2. Authenticates with the WAF admin username and password and gets a REST API access token
  3. Connects to the REST API and creates two service groups
  4. Creates a certificate for use with the HTTPS service
  5. In each of the service groups, creates two services, one each for HTTP and HTTPS
  6. Connects the Barracuda WAF to the Barracuda Cloud Control
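
Step 5 of the list, expressed with the v1 virtual_services call shown earlier in this article, as an added Ruby example (not the module's sample script). The method names, the sample addresses and the group names are hypothetical; the JSON field names and the token-as-username authentication come from the curl example. The requests are validated and built but not sent, so the result can be reviewed before it touches a WAF.

```ruby
require 'net/http'
require 'json'
require 'ipaddr'
require 'uri'

# Field names come from the article's curl example; method names and
# sample values are hypothetical (added example, not the module's script).
SERVICE_TYPES = %w[http https].freeze

# Validate the inputs and return the JSON body for one virtual service.
def service_payload(name:, ip:, port:, type:, vsite:, group:)
  raise ArgumentError, "unsupported type #{type.inspect}" unless SERVICE_TYPES.include?(type)
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(Integer(port))
  addr = IPAddr.new(ip) # raises IPAddr::InvalidAddressError on malformed input
  raise ArgumentError, 'this example only handles IPv4' unless addr.ipv4?

  { 'name' => name, 'ip_address' => ip, 'port' => port.to_s, 'type' => type,
    'address_version' => 'ipv4', 'vsite' => vsite, 'group' => group }
end

# Build (but do not send) the POST request. The token is the basic-auth
# user name with an empty password, as in `-u 'token:'`.
def build_service_request(base_url, token, payload)
  raise ArgumentError, 'missing API token' if token.to_s.empty?
  uri = URI.join(base_url, '/restapi/v1/virtual_services')
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(token, '')
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(payload)
  req
end

# One HTTP and one HTTPS service in each service group (step 5).
def requests_for_groups(base_url, token, ip, vsite, groups)
  groups.flat_map do |group|
    [['http', 80], ['https', 443]].map do |type, port|
      payload = service_payload(name: "#{group}_#{type}", ip: ip, port: port,
                                type: type, vsite: vsite, group: group)
      build_service_request(base_url, token, payload)
    end
  end
end

# Sending one request (needs a reachable WAF):
#   Net::HTTP.start(req.uri.host, req.uri.port,
#                   use_ssl: req.uri.scheme == 'https') { |h| h.request(req) }
```

Passing the token in from the environment or a secrets store at run time keeps it out of the manifest and out of version control.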

Barracuda Vulnerability Remediation Service

Barracuda VRS is a free add-on service to the Barracuda WAF that enables automatic scanning, remediation, and maintenance of the application security posture using the WAF.
The solution supports REST API calls for all the critical aspects of the product, such as listing the services on the WAF and configuring and running a scan operation. The sample script available in the module creates a scan for a service specified by the administrator.
The script can also be extended to automatically create a scan every time a service is added on the WAF.

What next?

Once the Puppet agent run completes, the application infrastructure includes a functional WAF and a fully configured scanning service, with an easy-to-use administrative interface through the Barracuda Cloud Control for centrally managing all these resources.

Repositories and Version Control

The framework also allows the entire environment to be versioned, which makes it possible to reuse the modules for future deployments. Commonly used hubs like GitHub can be used for maintaining the code and keeping it under version control.

Summary

Modern businesses need agility in all areas of information technology, and it’s important to keep pace with agile security practices while ensuring optimum security of the infrastructure. Application security is the lifeblood of modern-day businesses, and the security solutions that organizations adopt should be able to cater to the requirements of the business.

Barracuda Web Application Firewall provides a suite of features that not only provide the required security to an application, but also offer automation frameworks that go a long way to reduce human error and fuel productivity.

 


Aravindan Anandan is a Technical Marketing Engineer, Application Security, with Barracuda Networks. Connect with him on LinkedIn here.
