And how it stood against competing solutions like Fortinet and F5 in this deployment case
In our previous post we talked with you about Web Application Firewalls, who needs them and why. If you haven’t read it yet, we recommend you give it a read before finishing this one, as we’ll be diving deep into cybersecurity deployments that protect web and online-facing applications from the modern threat landscape targeting APIs, forms and eventually sensitive data.
We’ll be sharing this through a story from a previous WAF deployment, and how the stakeholders arrived at Barracuda’s Web Application Protection ecosystem. Before we get on with the technical bits and pieces, we would like to share with you a couple of requirements that C-level executives usually highlight when sharing their thoughts about integrating a new module in their cybersecurity portfolio.
The most common first question our presales team gets is “how easy is it to deploy?”. No IT professional ever wished for a system that requires going back to the drawing board to rewrite complete routes of data because “we must have it”. And this is one of the main motivations for the development of the SaaS market, and the constant competition between vendors to steer towards platform-based offerings with simpler, more intuitive user interfaces.
The second is almost always budgetary. Cybersecurity investments are usually tough to get released, mainly because the business side is more concerned with probabilities in the long run, not immediate resolutions.
How Barracuda’s WAFaaS solution saved one of our client businesses in Egypt EGP300K in 1 year
Which brings us to a client we’d like to highlight first. For confidentiality reasons, the name of the client will not be disclosed in this context. But the key information is this: the hardware investment in this project was EGP10MM+, running tens of online-facing applications that collect http(s) forms whose data is processed in the on-premises datacenter. The datacenter security strategy was quite rigorous, and the data WITHIN the datacenter was 99.9% secure. Naturally, there were still some web vulnerabilities.
On a rainy day, the client was hit with a 22Gbps DDoS attack targeting a form that fetched sensitive data from the on-prem data center. The catastrophic outcome was a complete halt for the client’s logistics team, which used the portal to access their shipments’ details.
From a financial standpoint the business lost almost EGP50,000 in late and rejected delivery penalties. A disaster recovery meeting with the technical team handling the account raised the importance of adding a Web Application Firewall to the portfolio.
To learn more about the threat landscape in the web app security market, it then made sense to start with the OWASP Top 10 threats list. With that in hand, the client had a standardized methodology for positioning the security modules against the common threats. Being a vendor-agnostic team, MHE’s solution architects shortlisted three solutions for the client: Barracuda WAF, Fortinet WAF and F5 Advanced WAF.
In terms of performance, the comparison was close and there was no clear dark horse. All three solutions were equally effective in securing against the threats that are keeping the security team up at night, according to the data sheets. Also, our client is in the shipping & logistics business, so the data transactions were usually strings or fields of text that were not bandwidth-demanding, so there was no real “stress test” on the engines.
The idea started with protecting the web forms, particularly against DDoS attacks, to prevent similar incidents from happening again. But while discussing the client’s technology roadmap, MHE’s technical team spotted the need to secure API integrations in a couple of quarters. With that being a future requirement, the whole strategy shifted towards a comprehensive security solution, not just WAF but rather what's referred to as a WAAP solution (Web Application and API Protection).
F5 was a very competitive technical offering from the start despite the hefty budget. However, the administration environment in the client’s IT department was very congested at the time. The objective key result from implementing WAF was to future-proof the system against API and bot attacks. F5 did that excellently, but it was too complex to operationalize in these two modules, particularly because it required coding skills, and this isn't very practical for small teams to initiate and configure on the go.
During the shortlisting process, demos of the user and admin interfaces were conducted with the client’s team, emulating fractions of the live environment. Barracuda’s cloud-based admin panel showed promising levels of flexibility and visibility, and quickly became a crowd favorite. Fortinet’s UI seemed suspiciously similar to Barracuda’s, but the tuning and configuration were not as easy. And to everyone’s surprise, it was missing API protection! It had no security module for the file upload form in one of the client’s apps either. Because of these unmet requirements, it was not the best fit for such a project.
The Cloud Application Protection from Barracuda uses a platform approach with a friendly and intuitive UI. While it has multiple elements to fit every operational topology, all variants share the same qualities of visibility and control tools. In fact, Barracuda’s WAF-as-a-Service plan has a promised 10-minute setup time (we’ll share the actual, measured deployment time later in the post): a simple 5-step deployment process in which you route all your traffic through Barracuda’s WAFaaS engines before your servers welcome it through open ports.
Barracuda stood out for its ease of deployment and integration with other security modules, besides being user-friendly to monitor and administrate. And as mentioned earlier, it was a crowd favorite.
Reasons for selecting Barracuda’s WAFaaS solution for this project:
Simple deployment and Management
Active scanning and remediation
Seamless integration with a diversified stack of APIs (XML/JSON)
Most cost-effective lifetime investment
Automated and auto-scalable bot protection
The deployment was in 2020, and the client’s WAFaaS solution blocked 2311/2327 attacks targeting their web application ONLY, saving the company EGP287,000 up to the time this post was edited in June 2022 (data is extrapolated from the losses of the first attack).
There are multiple other stories that we will be sharing with you later, so stay tuned. You can also subscribe to our blog to get the latest posts delivered right to your inbox. But for now, we would like to dive deeper into why Barracuda’s WAFaaS solution stands out in day-to-day operability and ownership cost.
Why Barracuda’s WAF stands out against the competition
MHE has been deploying cybersecurity systems in all their shapes and forms since 2009. We have dealt with hundreds, if not thousands of security professionals. The persona of the IT professional in Egypt has developed immensely in the past 5 years. We can now see real concerns towards cybersecurity and how IT is being perceived as a vital tool to leverage over your competition. And with the local digital transformation initiatives, data is becoming a valuable asset to the stakeholders.
Cloud App Protection, A pivoting ecosystem, with your applications in the center.
Barracuda WAFaaS vs. Fortinet WAFaaS:
Unlike Fortinet’s adapted WAFaaS model which uses Fortiweb in its backend, Barracuda’s WAF solution is built from the ground up, keeping every possible deployment scenario in mind. Here's a table to show you how Barracuda's WAFaaS stands against Fortinet's:
Core offering for vendor?
File Upload security?
Yes - BVM/BVRS
In the post we referred to earlier we discussed the different forms or formats of a WAF deployment. In essence there are just two approaches, with a total of three variations: an infrastructure-based approach, and a cloud-based service.
The infrastructure-based approach requires having a WAF appliance installed physically on-premises. Or, if you happen to have hosted applications on AWS or Microsoft Azure, chances are that you will find the “Virtual Appliance” option more suitable for you. While robust hosts like AWS and Azure do offer WAF for your hosted applications, their solutions aren’t always the best fit for all use cases, especially because WAF is not yet a focus product for hosting providers. The second reason why you need WAF for your hosted applications on AWS and Azure is simply that the Shared Responsibility Model clears their security liability in the cloud. Their accountability stops at the security of the cloud.
The third and relatively easiest deployment scenario would be WAF-as-a-service, or WAFaaS for short. This means that your online-facing traffic will have a security officer governing all your web applications’ inbound and outbound transactions on a much wider perimeter with much deeper visibility, since the engine analyses multi-layer threats. This is why it’s a preferred solution for fintech networks.
Having three operating models serving the same function gives Barracuda a competitive advantage over its competition in terms of flexibility. From an administration standpoint, introducing a new module is almost always a bittersweet experience in the IT and cybersecurity domains. On the one hand you’re thinking “Finally, something to handle this for me” but on the other hand, you know you must go through the journey of learning the ins and outs of that new shiny UI.
Reverse proxy deployments accept traffic on the virtual IP address and proxy the traffic to the back-end server network behind the Barracuda Web Application Firewall. Reverse proxy options include:
Two-Arm Proxy Deployment
The Barracuda Web Application Firewall is in-line with the web servers; it intercepts and inspects incoming and outgoing traffic, preventing attacks from reaching the web servers and preventing the leak of sensitive data to the requesting clients. Apart from web application security, this mode also allows all delivery acceleration features like server/application load balancing and TCP connection pooling to be employed. For details on configuring this deployment type, see Configuring Two-Arm Proxy Mode. This deployment mode is supported by the Barracuda Web Application Firewall virtual appliance (see Virtual Deployment).
One-Arm Proxy Deployment
Allows the deployment of the Barracuda Web Application Firewall with minimal changes to the network configuration of the web servers. However, traffic from the upstream devices will have to explicitly pass through the Barracuda Web Application Firewall. For details on configuring this deployment type, see Configuring One-Arm Proxy Mode. This deployment mode is supported by the Barracuda Web Application Firewall virtual appliance (see Virtual Deployment).
Converge your sensitive application data through a controlled gateway
With a full reverse-proxy architecture, your WAF acts as a gateway between your published applications, forms or API connectors and their servers. The side benefit is that you get load balancing by default. The terms reverse-proxy server and load balancer are sometimes used interchangeably, but when you add that extra layer of security you get a secure, load-balancing gateway for your sensitive data routes.
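The gateway behaviour described above (inbound inspection, load balancing, outbound leak prevention) can be sketched in a few lines. This is an added example, not Barracuda's code or configuration; the rule names, the signatures, the `Gateway` class and the sample backends are all constructed for illustration.

```python
import itertools
import re

# Constructed inbound signatures; a production WAF ships far richer rule sets.
INBOUND_RULES = {
    "sql-injection": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1"),
    "path-traversal": re.compile(r"\.\./"),
}
CARD_RE = re.compile(r"\b\d{13,16}\b")  # candidate payment card numbers

def luhn_ok(digits):
    """Luhn checksum, so other long digit runs are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_card(match):
    number = match.group()
    return "*" * (len(number) - 4) + number[-4:] if luhn_ok(number) else number

class Gateway:
    def __init__(self, backends):
        # backends: name -> callable(path, body) returning the response body
        self._backends = backends
        self._names = itertools.cycle(sorted(backends))

    def handle(self, path, body=""):
        # 1. Inbound inspection: reject before any backend sees the request.
        for name, rule in INBOUND_RULES.items():
            if rule.search(path) or rule.search(body):
                return {"status": 403, "backend": None, "body": "blocked: " + name}
        # 2. Load balancing: plain round-robin across the server pool.
        backend = next(self._names)
        response = self._backends[backend](path, body)
        # 3. Outbound inspection: mask card numbers, keeping the last four digits.
        return {"status": 200, "backend": backend,
                "body": CARD_RE.sub(mask_card, response)}

def demo():
    pool = {  # constructed backends standing in for two application servers
        "app-1": lambda path, body: "shipment 20220001 paid with 4111111111111111",
        "app-2": lambda path, body: "shipment 20220002 pending",
    }
    gateway = Gateway(pool)
    return [gateway.handle(p) for p in
            ("/track?id=7", "/track?id=8", "/track?id=1' OR 1=1--", "/track?id=9")]
```

Because the blocked request never consumes a backend slot, the fourth request in `demo()` lands on `app-1` again, which is the property that keeps hostile traffic from skewing the pool.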
Advanced Bot Protection
The machine learning model of the engine is cloud-based, and crowd-sources bot intelligence to block even almost-human bots. It sounds complicated in theory, but in practice the implementation takes no more than a few clicks. This makes Barracuda’s Advanced Bot Protection a preferred solution in the eCommerce and qCommerce verticals, since it will stop attempts at price or list scraping, scalping, inventory hoarding, DoS, and account/credit card takeovers. And with the rapid increase in bot attacks’ frequency and intelligence (bypassing standard defenses like reCAPTCHA), Barracuda’s Advanced Bot Protection is a single, comprehensive solution for AppSec and Advanced Bot Attacks.
DDoS Protection Cost & Scalability
Most WAF vendors do not offer a reasonably priced DDoS protection service, and when it is reasonably priced, it is limited. Vendors like Cloudflare, for example, would charge your app based on DDoS throughput. Barracuda’s DDoS protection is a winner in terms of scalability, since it offers unlimited protection, including volumetric; this also applies to your Azure servers on a native level*. And the relieving part is that it scales automatically to handle the load as your traffic increases. Besides buffering, your apps’ performance won’t be compromised by the extra layer of security. The same goes for AWS and GCP: if your applications are hosted on any or all of these servers, you can protect the whole mesh connecting them with your back-end data with a single solution. The basic WAFaaS plan comes by default with unlimited DDoS protection.
*Barracuda CloudGen for Azure
Ease of deployment and Management
In the previous client story, the WAFaaS deployment took around 2 hours from installation to first live testing. The promised implementation time was 10 minutes according to Barracuda (which was true, if by 10 minutes you mean from service delivery to traffic routing, with no policies set up), but then, naturally, we needed to review the firewall policies since there was a new layer on the operating architecture. With Barracuda’s WAF Vx, you simply import your API definition file, and the firewall engines are ready for your policies. Once your policies are defined and set, you can start exploring the BVRS tool, Barracuda’s Vulnerability Remediation Service. The tool can be set up in both active and passive modes. It uses data from Barracuda’s learning bots to identify points of vulnerability within your applications. In active mode, it will automatically deploy the security solution, while in passive mode it simply recommends the solution until you approve the deployment. We took some time with the configuration to monitor the traffic in both passive and active modes, to make sure that the policies imposed do not disrupt delivery.
In the end, most businesses need to implement WAF, especially data-sensitive businesses that would be affected by such data being compromised. While CISOs, CIOs and CTOs might be the first to realize this need within their organizations, IT professionals at all functional levels are aware of the cyberthreat landscape. The question hovering over most of those reading this post now is “sounds good, where do I start?” You could start by getting a free assessment from Barracuda, to pinpoint the threat channels and assess the need to take action. MHE could help you a lot in the decision-making process, as our presales engineers will be happy to hear all your questions and concerns regarding WAF and give you the best solution that fits your environment. You can sign up now from the button below to book your online session with our team.