Barracuda’s WAF Solution saves a client EGP300k in 18 months!

And how it stood against competing solutions like Fortinet and F5 in this deployment case

In our previous post we talked with you about Web Application Firewalls, who needs them and why. If you haven’t read it yet, we recommend you give it a read before finishing this one. As we’ll be diving deep into cybersecurity deployments that protect web and online-facing applications from the modern threats landscape targeting APIs, forms and eventually sensitive data.

We’ll be sharing this through a story from a previous WAF deployment, and how the stakeholders arrived at Barracuda’s Web Application Protection ecosystem. Before we get on with the technical bits and pieces, we would like to share with you a couple of requirements that usually c-level executives highlight when sharing their thoughts about integrating a new module in their cybersecurity portfolio.

The most common first question our presales team gets is “how easy is it to deploy?”. No IT professional ever wished for a system that requires going back to the drawing board to rewrite complete routes of data because “we must have it”. And this is one of the main motivations for the development of the SaaS market, and the constant competition between vendors to steer towards platform-based offerings with simpler, more intuitive user interfaces.

The second is almost always budgetary. Cybersecurity investments are usually tough to release mainly because the business side is more concerned with probabilities on the long run, not immediate resolutions.

Client story

How Barracuda’s WAFaaS solution saved one of our client businesses in Egypt EGP300K in 1 year

Which brings us to a client we’d like to highlight first. For confidentiality reasons, the name of the client will not be disclosed in this context. But the key information is this; the hardware investment in this project was EGP10MM+ running tens of online-facing applications collecting http(s) forms and is processed in the on-premises datacenter. While the datacenter security strategy was quite vigorous, the data WITHIN the datacenter was 99.9% secure. Naturally, there were still some web vulnerabilities.

On a rainy day, the client was hit with a 22Gbps DDoS attack vectoring a form that fetched sensitive data from the on-prem data center. The catastrophic outcome was a complete halt in the client’s logistics team that used the portal to access their shipments’ details.

From a financial standpoint the business lost almost EGP50,000 in late and rejected delivery penalties. A disaster recovery meeting with the technical team handling the account raised the vitality of adding a Web Application Firewall to the portfolio.

To learn more about the threats scene in the web app security market, it then made sense to start with the OWASP's top 10 threats list. With that in hand, the client had a standardized methodology on how to position the security modules against the common threat. Being a vendor agnostic team, MHE’s solution architects shortlisted three solutions for the client: Barracuda WAF, Fortinet WAF and F5 Advanced WAF.

In terms of performance, the comparison was close and there was no clear dark horse. All three solutions were equally effective in securing against the threats that are keeping the security team up at night, according to the data sheets. Also, our client is in the shipping & logistics business, so the data transactions were usually strings or fields of text that was not bandwidth demanding, so there was no real “stress test” on the engines.

The idea rooted from protecting the web-forms particularly against DDoS attacks to prevent similar incidents from happening again; But while discussing the client’s technology roadmap, MHE’s technical team spotted the need to secure API integrations in a couple of quarters. With that being a future requirement, the whole strategy shifted towards a comprehensive security solution, not just WAF but rather what's referred to as a WAAP solution (Web Application and API Protection).

F5 was a very competitive technical offering from the start despite the hefty budget. However, the administration environment in the client’s IT department was very congested at the time. The objective key result from implementing WAF was to future-proof the system against API and BOT attacks. F5 did that excellently, but it was too complex to operationalize in these two modules, particularly because it required coding skills, and this isn't very practical for small teams to initiate and configure on-the-go.

"F5 was a very competitive technical offering from the start despite the hefty budget, but it required coding skills to configure and operationalize"

During the shortlisting process, demos of the user and admin interfaces were conducted with the client’s team, emulating fractions of the live environment. Barracuda’s cloud-based admin panel showed promising levels of flexibility and visibility, and quickly became a crowd-favorite. Fortinet’s UI seemed suspiciously similar to Barracuda’s, but the tuning and configuration were not as easy. And to everyone’s surprise, it was missing API protection! It had no security module for the file upload form in one of the clients’ apps either. Because of these unmet requirements, it was not the best fit for such a project.

The Cloud Application Protection from Barracuda uses a platform approach with a friendly and intuitive UI. While having multiple elements to fit every operational topology, all variants share the same qualities of visibility and control tools. In fact, Barracuda’s WAF-as-a-Service plan has a promised 10-minute setup time (we’ll share the actual, measured deployment time later in the post” A simple 5-step deployment process where you route all your traffic through Barracuda’s WAFaaS engines before your servers welcome it through open ports.

Barracuda stood out for its ease of deployment and integration with other security modules, besides being user-friendly to monitor and administrate. And as mentioned earlier, it was a crowd favorite.