Web Application Protection Against Hackers and Vulnerabilities

Presentation transcript:

Web Application Protection Against Hackers and Vulnerabilities: Barracuda Web Application Controllers
Barracuda Networks Confidential

Agenda
- Introductions
- Barracuda Networks Company Overview
- Barracuda Web Application Controller
  - Deployment Options
  - Detection / Protection Methods
  - Profiling: Positive vs. Negative Security Model
  - Authentication
  - Traffic Management
  - Logging and Reporting
  - Performance
  - Roadmap
- Q&A

Company Information
- Mission: leader in Email and Web Security; deliver comprehensive mid-market appliance-based solutions
- Company started in late 2003; headquarters in Campbell, California
- Sales and support presence in Australia, Brazil, Belgium, Canada, China, France, Germany, India, Japan, Spain, Taiwan, UK and USA
- 400+ employees worldwide
- Privately funded: cash flow positive for more than 4 years; first outside investment $40 million from Sequoia Capital & Francisco Partners (January 2006)
- Market leader: 70,000 customers worldwide

Barracuda Networks Management Team
- Dean Drako, President & CEO – Velosel, Boldfish, Design Acceleration, 3DO, Apple
- Michael Perone, Executive VP & CMO – Address.com, Spinway, GE, JPL
- Zach Levow, CTO – Affinity Path, Spinway, Sun, Cadence
- David Faugno, CFO – Cisco Systems, AT&T
- Blair Hankins, VP Engineering – Nokia, Intellisync, Lotus
- Stephen Pao, VP Product Management – Cisco Systems, Nuance, Oracle
Sales Management
- Ezra Hookano, VP Sales North America – SonicWALL, U4EA
- José Luis Sanchez, VP Sales Latin America – Netscreen
- Paul Thackeray, VP & Managing Director EMEA – SonicWALL
- Peter He, Managing Director China – Pandaguard, PricewaterhouseCoopers
- Niall King, VP Sales APAC – Neoteris, Cacheflow

Barracuda Networks Company Strategy
- Powerful, easy-to-use hardware solutions
- Simple sales process: aggressive price point; no per-user licensing fees; yearly subscription (Energize Updates)
- Enterprise and SMB market
- Great customer service and technical support
- Streamlined manufacturing and delivery

Barracuda Networks Product Strategy
- Integrated hardware and software solutions
- Comprehensive products: complete problem solutions in a single product; no "options" to add extra charges
- Ease of use: flexible deployment options; easy-to-use interfaces
- Single vendor for service and support
- No per-user license fees
- Ongoing security services

Products For All Parts of the Network
- DMZ: Barracuda Spam Firewall, Barracuda IM Firewall
- Inside the Network: Barracuda Web Filter, Barracuda Message Archiver
- Data Center: Barracuda Load Balancer, Barracuda Web Site Firewall

Barracuda Networks Worldwide
- Products in multiple languages
- Offices in more than 10 countries
- Distributors in more than 80 countries

USA Customers (customer logo slide)

Vertical Customers: Education, Government, Financial, Technology / Internet, Corporate (customer logo slide)

Worldwide Customers (70,000+): APAC, EMEA, Latin America (customer logo slide)

Award-Winning Products
- "(The Barracuda Web Filter is) an attractive proposition for the enterprise market, designed for simple administration and high throughput." – SC Magazine, February 2007
- "Despite being heavy on the features, (Barracuda) Web Filter 310 remains easy to use and fully customizable." – CRN, June 2007

Barracuda Networks & NetContinuum
- NetContinuum acquired in July 2007
  - Leading provider of Web Application Firewall and Application Gateway appliances
  - Ranked No. 1 in Forrester Research WAVE Report 2006
  - Strategic acquisition puts Barracuda Networks in a strong position to expand the Web Application Firewall market
- Barracuda Networks support and product investment
  - Building upon existing NetContinuum products
  - Additional plans to address needs of smaller customers
  - Increasing investment in the Web Application Firewall product category

Web Application Controllers: Major Features
- Comprehensive Web site protection against attacks, unauthorized access, data theft and Web site defacement
- Web XML services protection
- Application access control
- Application delivery and acceleration
- Logging, monitoring and reporting

Web Application Controllers: Detailed Features
- Web site protection: HTTP protocol compliance; SQL injection blocking; OS command injection protection; XSS protection; form/cookie tampering defense; online form field validation; denial-of-service protection; outbound packet scanning; Web site cloaking; anti-crawling; advanced learning modes
- XML services security: XML attack prevention; validation of XML schema, SOAP envelopes and XML content; WS-I profile validation; Web services cloaking; XML DoS attack protection
- Application access control: SSO portal; LDAP and RADIUS integration; PKI support; Web access management (CA SiteMinder, RSA Access Manager)
- Application delivery and acceleration: caching; compression; connection pooling; load balancing; SSL acceleration; high availability
- Plus much, much more...

Integrates Easily into Existing Systems
- Authentication: LDAP; RADIUS; X509 / CRL for two-factor authentication with client certificates
- Logging: Syslog; FTP (standardized transport for log storage); W3C Extended logging (standardized log format to integrate with generic access log parsers)

Barracuda Web Site Firewall Product Line (diagram: throughput scale from 25 Mbps at the Web Site Firewall 360 up to 1 Gbps at the NC2000 AG)
- Enterprise: Barracuda Application Gateway NC2000 AG, NC1100 AG, NC500 AG
- SMB: Barracuda Web Site Firewall 660, 460, 360

Barracuda Web Application Controllers Satisfy Major PCI DSS Requirements
- Credit card companies increase pressure on merchants: must be PCI compliant by June 30, 2008
- Acts as both network firewall and Web Application Firewall
- Proxies Web traffic and insulates Web servers from direct attacks
- Provides SSL encryption
- Blocks top 10 most common application vulnerabilities
- Provides role-based administration; LDAP integration and unique ID support
- Provides application access logging and interacts with AAA systems

Web Application Controllers Architecture: single point of protection for inbound and outbound Web traffic (architecture diagram)

Terminate / Secure / Accelerate / Centralized Control (architecture diagram: Users, Web Application Controller, Web Applications)
- Session Control (Terminate): TCP session termination; SSL termination; HTTP protocol normalization & compliance; FTP compliance; HTTP header re-write; URL translation; URL rate control
- Security Assurance (Secure): application cloaking; AAA; white list; forms protection; cookie protection; data theft protection; dynamic learning; SQL & OS command injection; XSS attack protection; custom black list (REGEX)
- Availability Assurance (Accelerate): caching; GZIP compression; TCP connection pooling; SSL cryptographic offload and backend encryption; Layer 7 content switching; load balancing; server & application health checking with failover

Deployment Options
- Full reverse proxy
- One-armed proxy
- Normal bridged
- Fail-open bridged

Proxy vs. Non-proxy: Fundamental Difference in Security Capabilities
- Non-proxy WAFs expose server operating systems and TCP stacks directly to the Internet
- You need a proxy-based WAF for:
  - Web address translation: non-proxies cannot re-write URLs
  - Cloaking: non-proxies do not cloak
  - SSL: non-proxy SSL is VERY slow
  - Cookie security: non-proxies do not protect against ID theft
  - L7 rate control: non-proxies do not protect against DoS
  - Authentication and authorization: non-proxies cannot do AAA
  - Data theft protection: non-proxies cannot mask outbound data
  - Response time acceleration: non-proxies cannot accelerate

Flexible HTTP / HTTPS Deployments
- Front-end SSL (SSL offload)
- Front- and back-end SSL
- Enforced SSL: automatic redirect of HTTP to HTTPS

Client SSL Certificate Support
The WAC can support client certificates for authentication to an application/VIP. In addition, the WAC can support client certificates for backend communication.

Security: Web Site Cloaking
- Attacker's first task: reconnaissance of the network for weakness
  - What Web, database and application servers are being used?
  - What versions, patches or known vulnerabilities are there?
- Cloaking makes enterprise Web resources invisible to hackers and worms
  - Hides all error codes, HTTP headers and IP addresses
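As an added illustration of what the cloaking slide describes (this is example code written for this page, not Barracuda's implementation), the function below takes a backend response and removes the three kinds of detail the slide lists: fingerprinting headers such as Server and X-Powered-By, internal IP addresses that leak in redirects or page bodies, and verbose error pages, which are replaced by a generic page. The header list, the RFC 1918 pattern, the public hostname www.example.com and the dict-based response shape are all assumptions for the example.

```python
import re
from http import HTTPStatus

# Response headers that fingerprint the backend software (constructed list for
# the example; a real policy would be tuned per deployment).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "via"}

# RFC 1918 addresses: one appearing in a Location header or a page maps the DMZ.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")

PUBLIC_HOST = "www.example.com"   # assumed public name of the protected site


def cloak_response(status: int, headers: dict, body: str):
    """Return (status, headers, body) with infrastructure details removed.

    - fingerprint headers are dropped
    - internal IP addresses are rewritten to the public hostname
    - every error response (4xx/5xx) gets a generic page, so backend stack
      traces, file paths and version banners never reach the client
    """
    clean = {}
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            continue
        clean[name] = PRIVATE_IP_RE.sub(PUBLIC_HOST, value)

    if status >= 400:
        try:
            phrase = HTTPStatus(status).phrase
        except ValueError:            # non-standard code from the backend
            phrase = "Error"
        body = "<html><body><h1>%d %s</h1></body></html>" % (status, phrase)
        clean["Content-Type"] = "text/html"
    else:
        body = PRIVATE_IP_RE.sub(PUBLIC_HOST, body)
    return status, clean, body
```

A stricter policy can additionally collapse every 5xx to a single status so that the client cannot distinguish backend failure modes; the version above keeps the code and hides only the detail.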

Security: Inbound Attacks
- Protocol sanitization
- Injection: SQL, OS commands
- Scripting: XSS, CSRF
- Cookie/session poisoning
- Parameter/form tampering
- Validation
- Request limit checks
- Zero-day attacks via Web site profiles
(Diagram: port 80/443 traffic goes through the appliance before reaching the Web applications.)

Cookie and Session Protection
- Cookie protection
- Session ID tracking
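One way to implement the cookie protection named on this slide (and summarised later under "Most Bad Traffic is Easy to Identify" as digitally signing cookies), shown here as an added example rather than Barracuda's code: an HMAC-SHA256 tag is appended to each cookie value on the way out and verified on the way back in, so a client that edits a value is detected and the request can be rejected. The secret key, the dict-based cookie maps and the helper names are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Assumed appliance-side secret for this example; a real deployment keeps it in
# a key store and rotates it. Never embed a production key in source.
SECRET_KEY = b"example-only-secret-key"


def _tag(value: str, key: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 of the cookie value (contains no '.')."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Outbound: return 'value.tag'. The client still sees the plaintext
    value, but any edit to it invalidates the tag."""
    return value + "." + _tag(value, key)


def verify_cookie(signed: str, key: bytes = SECRET_KEY):
    """Inbound: return the original value if the tag verifies, else None.
    rpartition splits at the LAST dot, so values containing dots survive."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None                      # no tag at all: treat as tampered
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, _tag(value, key)):
        return None
    return value


def protect_set_cookies(cookies: dict, key: bytes = SECRET_KEY) -> dict:
    """Sign every value in an outbound {name: value} cookie map."""
    return {name: sign_cookie(val, key) for name, val in cookies.items()}


def unprotect_cookies(cookies: dict, key: bytes = SECRET_KEY):
    """Verify an inbound {name: signed_value} map.
    Returns (clean_cookies, tampered_names); the appliance would drop the
    cookies or reject the request when tampered_names is non-empty."""
    clean, tampered = {}, []
    for name, signed in cookies.items():
        value = verify_cookie(signed, key)
        if value is None:
            tampered.append(name)
        else:
            clean[name] = value
    return clean, tampered
```

Signing stops tampering but not reading: if a cookie carries data the client must not see, encrypt it as well (the slide's table item 3 mentions encrypting session cookies) and sign the ciphertext, verifying the signature before decrypting.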

Security: Outbound
- Deep inspection of outgoing content blocks credit cards, social security numbers and custom patterns
(Diagram: responses from the Web applications pass back through the appliance.)
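The outbound inspection on this slide (also listed later as "filter outbound content for credit card, SSN, etc.") can be demonstrated with a small response filter; this is an added example, not the appliance's code. It scans a response body for card numbers, confirms candidates with the Luhn checksum so that order numbers of the same length are left alone, masks all but the last four digits, masks SSNs, applies any site-specific custom patterns, and returns counts so the event can be logged even when the response is passed through. The regexes, the masking style and the sample body are constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order or phone
    numbers that merely have the right length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                        # not a card number: leave untouched
    keep_from = len(digits) - 4           # reveal only the last four digits
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)                # preserve the original separators
    return "".join(out)


def mask_ssn(match) -> str:
    return "XXX-XX-" + match.group(0)[-4:]


def filter_response(body: str, custom_patterns=()):
    """Scan an outbound response body; return (masked_body, counts)."""
    counts = {"card": 0, "ssn": 0, "custom": 0}

    def card_sub(m):
        masked = mask_card(m)
        if masked != m.group(0):
            counts["card"] += 1
        return masked

    body = CARD_RE.sub(card_sub, body)
    body, n = SSN_RE.subn(mask_ssn, body)
    counts["ssn"] = n
    for pattern in custom_patterns:       # site-specific patterns, e.g. account ids
        body, n = re.subn(pattern, "[REDACTED]", body)
        counts["custom"] += n
    return body, counts


# Constructed sample response body for the example (test card number, the
# well-known public test SSN, and a made-up account reference).
SAMPLE_BODY = ("Order 1234567890123456 paid with card 4111 1111 1111 1111; "
               "applicant SSN 078-05-1120; ref ACCT-654321")
```

In a real deployment the policy decides per pattern whether to mask the match or block the whole response; masking keeps the page usable while the log entry still tells the operator that an application leaked data it should not have.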

Brute Force Prevention & Rate Control: slow down attackers via rate control
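To show how the rate control named here works in practice (and the "queues the requests while allowing legitimate Web site access" behaviour described in item 9 of the top-10 table below), here is an added example that is not Barracuda's code: a sliding-window limiter keyed by client and URL that returns one of three decisions, allow, delay (the appliance would queue the request) or block. The limits, the three-way decision and the request log are constructed for the example; timestamps are passed in so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class RateController:
    """Sliding-window rate control keyed by (client, URL).

    Within each `window` seconds a client gets `limit` immediate responses
    for a URL; the next `queue_depth` requests are deferred (queued behind
    legitimate traffic); anything beyond that is rejected.
    """

    def __init__(self, limit: int, window: float, queue_depth: int):
        self.limit = limit
        self.window = window
        self.queue_depth = queue_depth
        self._hits = defaultdict(deque)   # (client, url) -> request times

    def decide(self, client: str, url: str, now: float) -> str:
        hits = self._hits[(client, url)]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                # forget requests outside the window
        hits.append(now)                  # rejected requests still count, so a
        n = len(hits)                     # brute-forcer gets no free retries
        if n <= self.limit:
            return "allow"
        if n <= self.limit + self.queue_depth:
            return "delay"
        return "block"


def replay(requests, controller: RateController):
    """Run a list of (time, client, url) tuples through the controller."""
    return [controller.decide(client, url, t) for t, client, url in requests]


# Constructed request log: one client hammering /login, another client and
# another URL for comparison, then the first client again after the window
# has partly expired.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.7", "/login"),
    (0.5, "203.0.113.7", "/login"),
    (1.0, "203.0.113.7", "/login"),
    (1.5, "203.0.113.7", "/login"),
    (2.0, "203.0.113.7", "/login"),
    (2.5, "203.0.113.7", "/login"),
    (2.5, "198.51.100.2", "/login"),     # different client: unaffected
    (3.0, "203.0.113.7", "/products"),   # different URL: separate bucket
    (11.0, "203.0.113.7", "/login"),     # oldest three hits have expired
]
```

Keying on the URL is what lets a login form carry a much tighter limit than the rest of the site; for brute-force prevention specifically, the same structure fed with failed-login events per account gives a lockout that does not depend on the source address.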

Top 10 Threats and Protection Mechanisms
1. Unvalidated Input: learns accepted application logic to validate incoming and outgoing session content for legitimate application behavior
2. Broken Access Control: sets up and enforces authorization and access control policies to authenticate user access
3. Broken Authentication and Session Management: automatically encrypts session cookies and assigns unique session IDs to ensure secure user sessions
4. Cross-Site Scripting (XSS) Attacks: validates user input by terminating the session and inspecting incoming requests
5. Buffer Overflows: rejects any file from an invalid Web page and limits total Web request length across applications
6. Injection Flaws: inspects each request to the Web application for malicious code and blocks the request prior to reaching
7. Improper Error Handling: cloaks details of the Web application infrastructure
8. Insecure Storage: filters and intercepts outbound traffic and also blocks or masks attempts to access sensitive information
9. Application Denial of Service (DoS): monitors and controls the amount of queries to the same URL from a single user and queues the requests while allowing legitimate Web site access
10. Insecure Configuration Management: acts as the DMZ to proxy inbound and outbound Web traffic to neutralize any configuration vulnerabilities
White paper with more details available at: www.barracuda.com/whitepapers/

Web Address Translation
- URL translations
- Request rewrites
- Response rewrites
- Response body rewrites

Real-World WAF Deployment Experience
- Multiple geographically distributed deployments
- Multiple customers with over 5 years of experience using reverse proxy protection
- Multiple customers with over 15 Web Application Controllers
- Customers protecting THOUSANDS of Web applications
- Wide variety of applications: enterprise, government, telecom, energy, e-commerce providers

WAC Customers (customer logo slide)

Proven WAF Success Model
- Default security policy with exceptions (negative security model): broad-based protection
- Application templates (OWA, SharePoint, etc.)
- Positive security model: targeted applications; hand-coded protection

Best Practice: Mix Security Models
- Positive versus negative security models
  - Positive: define the "good" behavior and assume all other traffic is attack traffic
  - Negative: insulate against "bad" behavior
- Don't over-apply the positive security model
  - Difficult to understand and maintain profiles
  - Applications change frequently
  - Only provides cost/benefit for certain applications
- Target specific applications for the positive security model
- Most companies aim for broad protection through the negative security model

Is this Madness? NO!
- Most "real world" security is "negative security model"
  - Spam filters profile spam and viruses and let other email traffic flow
  - Web filters categorize bad sites and let unknown sites pass
  - The same should apply to Web application security
- Why?
  - Most bad traffic is usually easy to identify
  - False positives are costly and defeat the purpose of security
  - Good traffic changes frequently with new business partners, new business trends, and new applications

Most Bad Traffic is Easy to Identify
Do not need a detailed application profile to:
- Cloak the Web site to hide known areas of vulnerability
- Digitally sign or encrypt cookies to prevent cookie and session tampering
- Identify or block common attack types: SQL injections, OS command injections; cross-site scripting attacks; remote file inclusions; directory traversals
- Filter outbound content for credit card, SSN, etc.

Defining Policy Exceptions
- Start with conservative policies to provide protection
- Can optionally start with passive monitoring
  - Interactive log view differentiates attacks from potential policy problems
  - In many cases, issues can be mitigated with a single click
- Then enable active protection
- Priority should be on providing broad-based protection to avoid the majority of attack types upfront and early

Fine-Grained Control
The Barracuda Web Application Controller can be deployed in either active or passive mode for each application/VIP (virtual IP). In addition, the following can individually be set to passive mode for further granularity:
- Header ACLs
- URL Policies
- URL Profiles
- Parameter Profiles
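The slides from "Proven WAF Success Model" through "Fine grained control" describe one procedure: broad negative-model signatures everywhere, a hand-coded positive-model profile only for targeted applications, and per-URL passive mode while exceptions are being discovered. The following added example (not Barracuda's code) puts those three pieces into one request check. The signature set, the single application profile for /checkout/order.jsp, the parameter shapes and the three-way allow/log/block result are all constructed for the example; a vendor rule set is far larger and maintained through updates.

```python
import re

# Negative model: a few broad signatures applied to every request parameter.
SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'1'\s*=\s*'1|;\s*drop\s+table\b)"),
    "xss":           re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
    "traversal":     re.compile(r"(?i)(\.\./|%2e%2e%2f)"),
    "os_command":    re.compile(r"(?i)[;&|`]\s*(cat|ls|wget|curl|nc)\b"),
}

# Positive model: a hand-coded profile for ONE targeted application. Every
# parameter must be declared with the shape it may take; anything else is a
# violation. Only worth writing for a small number of high-value URLs.
PROFILES = {
    "/checkout/order.jsp": {
        "order_id": re.compile(r"^\d{1,10}$"),
        "qty":      re.compile(r"^\d{1,3}$"),
        "note":     re.compile(r"^[\w .,!-]{0,200}$"),
    },
}


def check_request(url: str, params: dict, passive_urls=frozenset()):
    """Return (action, findings) for one request.

    action:  'allow'  nothing matched
             'block'  violation on a URL in active mode
             'log'    violation on a URL in passive mode: recorded, but the
                      request passes; this is how policy exceptions are found
                      before an application is switched to active protection
    findings: list of (model, rule, parameter) tuples for the log.
    """
    findings = []
    for name, value in params.items():            # negative model: everywhere
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append(("negative", rule, name))

    profile = PROFILES.get(url)                   # positive model: only where profiled
    if profile is not None:
        for name, value in params.items():
            shape = profile.get(name)
            if shape is None:
                findings.append(("positive", "unknown_parameter", name))
            elif not shape.match(value):
                findings.append(("positive", "bad_value", name))

    if not findings:
        return "allow", findings
    return ("log" if url in passive_urls else "block"), findings
```

Reading the "log" findings for a passive URL over a few days shows which profile rules need relaxing (a new parameter the application started sending, a note field that legitimately contains characters outside the declared shape); once those are tuned, removing the URL from the passive set turns the same findings into blocks.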

Easy-to-Use Feedback Loop: the Policy Tuning wizard makes it simple to relax rules and accept false positives.

Full Flexibility for Power Users: the Barracuda Web Application Controller allows a user to create custom signatures via a regular expression wizard.

SharePoint 2007 Deployment with Barracuda Web Application Controller
- Website cloaking
- Request lengths
- URL normalization
- URL protection
- Enhanced application profiles
- Session protection
- Data/identity theft
- Deployment scenarios: SSL; load balancing and application monitoring; authentication and access control; compression and caching; content routing
- Other ongoing efforts: virus protection for uploaded files; enhanced URL protection in the path itself

Learning Mode: ease of configuring the learning mode (screenshot slide)

Learning Mode, Flexible Deployment: can deploy in Active OR Passive mode while learning

Avoid Common Pitfalls
- Take care not to over-apply the positive security model
- Be wary of relying heavily on automated "learning"
  - Learning technology has some "sizzle" with new customers
  - Useful in certain cases (particularly response-based learning on very simple applications)
  - Experienced WAF users prefer implementing broad-based protections early and hand-coding targeted application areas
- Problems with automated learning
  - Hard to generate complete test traffic cases
  - Can "learn" bad behavior if used against real-world traffic
  - Automated profiles are hard to maintain
  - Analogy: think about automated HTML generators, which do not learn "structure" from a human point of view
  - Hard to go "half way"; usually not worth waiting for

Authentication, Authorization & Single Sign-On
- Provides front-end authentication for Web applications
- Integrates with popular authentication servers
- Supports two-factor authentication schemes
(Diagram labels: Web Applications, Authentication Server.)

Authentication Service Support
- Authentication support: Basic; Digest authentication; client certificate authentication
- Integration with the following authentication services: Internal; LDAP; RADIUS; CA SiteMinder; RSA Access Manager

Traffic Management
- Content switching
- Load balancing
- Caching
- Server health monitoring
- Layer 7 persistence
- Fall-back servers
- Compression
(Content switching diagram: www.estore.com/images/banner.jpg is routed to the Image Server, www.estore.com/hr/leaveform.html to the HR Server and www.estore.com/partner/order.jsp to the Partner Portal, with a Cache in the path.)

Application Delivery and Acceleration
- SSL offloading/acceleration, backend encryption
- High availability minimizes downtime of critical business apps
- Application health monitoring ensures optimal load balancing
- TCP pooling: multiple requests use the same connection, improving performance
(Diagram: Internet-facing deployment.)

Extensive Logging Capabilities - Audit logs, Web firewall logs, Web logs, System logs, and Network Firewall logs.

Comprehensive reporting and scheduling

Performance: Transaction Rates and Throughput

Performance Metric | NC-1100 R (proven through testing) | NC-2000 R (proven through testing)
L2-L4 | |
Maximum Concurrent TCP Connections | 400,000 conns | 1,400,000 conns
Maximum Throughput | 1 Gbps |
Maximum TCP Connections/sec | 6,000 cps | 23,000 cps
TCP Multiplexing Ratio | 7:1 | 10:1
L7 HTTP | |
HTTP 1.1 Transactions/Requests/sec | 12,000 tps | 44,000 tps
HTTP 1.1 Trans/sec, Security Features Turned ON | 6,000 tps | 30,000 tps
HTTP 1.1 Trans/sec, Security + Acceleration Features Turned ON | 5,000 tps | 28,000 tps
Latency during HTTP 1.1 testing | <1 ms |

Rows showing a single figure carry only one value on the original slide.
Legend: conns = total simultaneous connections; cps = new L4 connections per second; tps = new L7 transactions per second; Mbps = Megabits per second; Gbps = Gigabits per second; kbps = kilobits per second; ms = milliseconds; s = seconds
* Transaction rate tests measured using 1024-byte objects, except for the TCP and SSL bulk throughput test, which uses a 1 Mb object.
* Latency testing performed against 5 popular websites (Yahoo.com, Amazon.com, BBC.com, UCLA.edu, Whitehouse.gov), totaling 1,262,608 bytes of data, sustaining 2048 transactions/second unless otherwise stated.

Performance: HTTPS and SSL

Performance Metric | NC-1100 R | NC-2000 R
L7 HTTPS | |
HTTPS 1.1 Transactions/Requests/sec | 9,000 tps |
HTTPS 1.1 Trans/sec, Security Features Turned ON | 6,000 tps | 15,000 tps
HTTPS 1.1 Trans/sec, Security + Acceleration Features Turned ON | 4,000 tps | 10,000 tps
Latency during HTTPS 1.1 testing | <5 ms | <10 ms
SSL | |
Maximum Concurrent SSL Connections | 100,000 conns |
Maximum SSL Throughput, Bulk Transfer of 1 Mb File | 1 Gbps |
Maximum SSL Transaction Rate with No Session Re-Use | 8,000 tps |

Rows showing a single figure carry only one value on the original slide. Legend and test conditions are as on the previous Performance slide.

Road Ahead: Barracuda Control Center (map: data centers in London, New York, California and Mumbai)

Barracuda Control Center

Barracuda Control Center: Features
- Status: see all the devices; check on hardware, connectivity, subscription, traffic and firmware
- Reporting: aggregated reporting; restrict data based on user groups
- Configurations: standardize configuration of multiple appliances; create exceptions for an individual appliance
- Multiple administrators: provide access to a subset of appliances; set permissions

Other Roadmap Items
- Security: virus checking for file uploads; automated attack definitions
- Authentication: built-in single sign-on across Web applications; SAML
- Performance: caching improvements; improved caching / content optimization
- Scalability: global server load balancing for N-way clustering; larger hardware platform (model 1060, based on model 1000 hardware)