Barracuda NG Firewall Secure Connectivity
Growth in cloud computing capabilities and services has driven more data into places where traditional IT security measures cannot reach; specifically, data centers not owned by your corporate IT group. The Barracuda NG Firewall provides centralized management and highly secure, encrypted traffic to, from, and within Microsoft Azure deployments.
For an optimum Azure deployment, it is crucial to initiate the deployment in a highly secure and reliable way. Deploying a Barracuda NG Firewall in Microsoft Azure provides comprehensive, secure connectivity capabilities, starting with high-performance TINA VPN tunnels for site-to-site and client-to-site connections. Deployment includes robust WAN optimization features to maintain the highest quality of service possible.
Integrated Next-Generation Security
The Barracuda NG Firewall is designed and built from the ground up to provide comprehensive, next-generation firewall capabilities. Based on application visibility, user-identity awareness, intrusion prevention, and centralized management, the Barracuda NG Firewall is the ideal solution for today’s dynamic enterprises that are adding Microsoft Azure into their company network.
Users of the Barracuda NG Firewall benefit from the same single-pane-of-glass central management that is used in on-premises deployments. It enables users to manage the secure VPN connections to, from, and within Microsoft Azure, as well as the NG Firewall itself.
- Stateful packet inspection and forwarding
- Full user-identity awareness
- Intrusion Detection and Prevention System (IDS/IPS)
- Application control and granular application enforcement
- Interception and decryption of SSL/TLS encrypted applications
- Denial of Service protection (DoS/DDoS)
- Spoofing and flooding protection
- ARP spoofing and trashing protection
- DNS reputation filtering
- TCP stream reassembly
- Transparent proxying (TCP)
- NAT (SNAT, DNAT), PAT
- Dynamic rules / timer triggers
- Single object-oriented rule set for routing, bridging, and routed bridging
- Virtual rule test environment
- Antivirus and URL filtering right in the firewall engine
How can I stop spam from getting through my Email Security Gateway?
If you are receiving any spam through the Email Security Gateway, there are a number of additional measures you can take to maximize the Email Security Gateway’s spam-blocking effectiveness.
- You may need to adjust your spam scoring rules. If your block score, quarantine score, or tag score are set too high, the Barracuda may not be blocking all that it should. To check and see whether lowering a spam score is warranted, filter the message log (on the Basic > Message Log page) using the Score in Range (x,y) filter. If you are considering lowering your block score from 5 to 4, you might use that filter with the following pattern: 4,5. This will display emails that score between a 4 and a 5, so you will be able to tell whether lowering this particular score will affect legitimate messages that score in this range. Also, you should make sure that the Email Security Gateway is using the proper spam scoring values. On the Email Security Gateway 400 and above, each domain is configured with its own spam scoring values and you may need to edit each individual domain’s values under the Domains tab. An individual domain’s spam scoring values are used instead of the global values (if they differ). On the Email Security Gateway 600, each user may set his or her own spam scoring values if each user has a quarantine account and the administrator has enabled that per-user feature. An individual user’s spam scoring values are used instead of the domain and global values (if they differ).
- Make sure your Energize Updates are up-to-date and configured to update hourly on the Advanced > Energize Updates page. A team of security engineers at Barracuda Central continuously monitors the Internet for trends in spam and virus attacks. As they detect trends, Energize Updates are created and distributed to all Email Security Gateways, which are automatically updated with new spam rules, spam algorithms, and virus definitions. If you don’t take advantage of these updates, your Barracuda will not be fully able to block the newest types of spam messages.
- Check your current firmware version against the latest general release on the Advanced > Firmware Update page. You may need to update your firmware to the latest version; new firmware releases often include feature enhancements and bug fixes that further improve spam blocking effectiveness.
- Make sure the Email Security Gateway has not been mistakenly configured to whitelist either untrusted senders or recipients that want spam scanning. Whitelisting one of your domains as a recipient domain will effectively disable spam scanning for that domain. While whitelisted messages will be displayed as whitelisted on the Basic > Message Log page, you should also check the Block/Accept > Sender Domain Block/Accept, Block/Accept > Email Sender Block/Accept, and Block/Accept > Email Recipient Block/Accept pages to make sure you are not unknowingly whitelisting either sources of spam or users that want spam protection.
- Go to the Block/Accept > IP Reputation page and check to see whether the Barracuda IP Reputation option is set to Block. The Barracuda Email Security Gateway leverages data on the network addresses used to send email gathered by Barracuda Central, an advanced 24/7 security operations center that works to continuously monitor and block the latest Internet threats. Combining both the IP and reputation data enables Barracuda Networks to implement countermeasures to mitigate all spam and virus threats. Barracuda Central maintains historical data on IP addresses used in both spam attacks and legitimate email campaigns. Through the Barracuda Reputation System, the Email Security Gateway can make quick and computationally efficient decisions to block or accept email based on a simple lookup of the sender’s IP address against the Barracuda IP Reputation list. Barracuda Networks recommends the use of this feature to maximize your Email Security Gateway’s effectiveness.
- The Email Security Gateway is also compatible with custom external blacklists. If you have any third party blacklists you would like to use, you may enter them under the Custom External RBLs heading on the Block/Accept > IP Reputation page. While adding a few RBLs in this way will ensure the Barracuda Spam Firewall blocks more email, be sure you’re aware of what sorts of IPs are on the lists you configure. Adding too many RBLs may hurt performance and will significantly increase the risk of false positives.
- Use intent blocking. This is configured on the Basic > Spam Checking page. Barracuda Central maintains reputation on spam domains, phishing domains, and Web sites known to host malware. When these domain names are embedded in email message bodies, the Intent Analysis layer of the Email Security Gateway can quickly block email based on a simple database lookup. You should also enable the Realtime Intent Analysis and Multi-Level Intent Analysis options unless they affect performance; these two options may increase the load on the DNS servers specified on the Basic > IP Configuration page.
- Make sure Fingerprint Analysis is enabled and set to Block on the Basic > Spam Checking page. A message “fingerprint” is based on commonly used message components (e.g., an image) across many instances of spam. Fingerprint analysis is an often useful mechanism to block future instances of spam once an early outbreak is identified. Engineers at Barracuda Central work around the clock to identify new spam fingerprints which are then updated on all Email Security Gateways through Barracuda Energize Updates.
- Use recipient verification. Many spammers attack email infrastructures by harvesting email addresses. The Email Security Gateway is able to verify the validity of recipient email addresses through multiple techniques without needing to scan each message, and configuring it to do so will greatly increase efficiency as well as effectiveness. Email Security Gateways are able to perform LDAP and Active Directory recipient verification on all incoming e-mail. This means that an Email Security Gateway is able to block all e-mails addressed to users that don’t exist. To configure LDAP verification, you will need an LDAP or Active Directory server. Once in the Barracuda’s interface, click on the Domains tab and click the Edit LDAP link to the right of a domain to configure LDAP or Active Directory verification for that domain. LDAP must be configured individually for each domain. If no LDAP or Active Directory server has been specified for recipient verification, the Email Security Gateway will automatically attempt recipient verification over SMTP (meaning it will open SMTP connections with the destination mail server and check each recipient address to see whether the mail server will accept it). This is less efficient than LDAP verification, but it is a great option for organizations that don’t maintain an LDAP or Active Directory server. If your mail server is not currently configured to perform SMTP verification, you need only enable it on your mail server. The Email Security Gateway should then automatically begin blocking email addressed to users that don’t exist at your domain.
- Train the Bayesian database by marking messages as Spam and Not Spam in the Barracuda’s Message Log (Basic > Message Log). The Bayesian system can increase or decrease the spam score of a message by up to 5 points in either direction, and the adjustment in score depends on the Bayesian database’s training. The Bayesian database is intended to adjust the spam score of messages that fall near the configured spam scoring thresholds so that they will be correctly classified.
- Go to the Block/Accept > Rate Control page and make sure rate control is enabled and the threshold is set to a reasonably low number (the default value of 50 is recommended). Automated spam software can be used to send large amounts of email to a single email server. To protect the email infrastructure from these flood-based attacks, the Email Security Gateway counts the number of incoming connections from a particular IP address and throttles the connections once the configured threshold is exceeded.
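The score-threshold check from the first item and the Bayesian adjustment described above, modelled as an added example (not Barracuda's code): it lists which logged messages a lower global block score would newly block, and shows that a domain with its own values is unaffected. The `>=` comparison, the sample domains and the reviewer verdicts are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Thresholds:
    tag: float
    quarantine: float
    block: float

def effective(global_t, domain_t=None, user_t=None):
    # The most specific configured level wins: user, then domain, then global.
    return user_t or domain_t or global_t

def final_score(base, bayes_adj):
    # The Bayesian adjustment is capped at 5 points in either direction.
    return base + max(-5.0, min(5.0, bayes_adj))

def action(score, t):
    # Assumption: a message takes the strictest action whose threshold it reaches.
    if score >= t.block:
        return "block"
    if score >= t.quarantine:
        return "quarantine"
    return "tag" if score >= t.tag else "allow"

def what_if_lower_block(log, global_t, domain_ts, new_block):
    """Return (newly_blocked_ids, legit_ids_among_them) for a lower global block score."""
    proposed = replace(global_t, block=new_block)
    changed = []
    for m in log:
        own = domain_ts.get(m["domain"])      # per-domain values override global
        score = final_score(m["base"], m["bayes"])
        before = action(score, effective(global_t, own))
        after = action(score, effective(proposed, own))
        if before != "block" and after == "block":
            changed.append(m)
    return [m["id"] for m in changed], [m["id"] for m in changed if not m["spam"]]

# Constructed sample log; "spam" is the reviewer's verdict after reading the message.
GLOBAL = Thresholds(tag=3.0, quarantine=4.0, block=5.0)
DOMAINS = {"sales.example": Thresholds(tag=3.5, quarantine=4.5, block=6.0)}
LOG = [
    {"id": 1, "domain": "corp.example", "base": 4.6, "bayes": 0.0, "spam": True},
    {"id": 2, "domain": "corp.example", "base": 4.2, "bayes": 0.0, "spam": False},
    {"id": 3, "domain": "sales.example", "base": 4.8, "bayes": 0.0, "spam": True},
    {"id": 4, "domain": "corp.example", "base": 2.0, "bayes": 9.0, "spam": True},
    {"id": 5, "domain": "corp.example", "base": 4.4, "bayes": -1.0, "spam": False},
]

if __name__ == "__main__":
    print(what_if_lower_block(LOG, GLOBAL, DOMAINS, new_block=4.0))
```

Message 2 is the false positive the Score in Range review is meant to surface before the threshold is changed; message 3 stays quarantined because its domain carries its own block score.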
The Barracuda Web Application Firewall 460 Offers Affordable Security
A business’ size offers little protection against network threats today. Hackers will target a small business just as readily as they will a larger organization, and may even see it as a softer target. Anyone, and any endpoint, can find itself the victim of a scattergun-type attack, such as ransomware.
As such, small and medium-sized businesses require the same level of protection as larger organizations, but maintaining such cybersecurity typically falls outside the skill set and budget of most smaller organizations. The Web Application Firewall from Barracuda Networks can help bridge that gap, cost-effectively protecting 10 servers and all of the endpoints at a level typically found only in larger, more expensive products.
Placed at the front of the data path, the WAF functions like a reverse proxy, intercepting all traffic and allowing only packets that comply with policy to get through. It includes HTTP/S and FTP validation; form field metadata validation; website cloaking; response control; outbound data theft protection; file upload control; logging, monitoring and reporting; high availability; SSL offloading; authentication and authorization; vulnerability scanner integration; client IP reputation validation; caching and compression; and Lightweight Directory Access Protocol/Remote Authentication Dial-In User Service (LDAP/RADIUS) services. It can even handle load balancing and content routing.
Simpler Protection for Small Business Servers
The 460 model can protect five to 10 servers. The WAF models also scale up to enterprise levels if needed. With any of the WAFs, new defensive capabilities are activated by spinning up services, a simple process that puts both inbound and outbound traffic into a single interface.
The WAF automatically applies a default security policy based on best practices whenever a new service is activated. For example, when adding protection for a public-facing application, the default policy limits the number of characters that users can type into each field. Administrators can change default policies as needed, but the limit ensures that simplicity is the rule when creating new protections.
The free Barracuda Vulnerability Manager is also available for the WAF suite of tools. WAF can scan new applications for vulnerabilities and then create rules to block them from the firewall, without changing any code.
While tinkering with either the Vulnerability Manager or the core rules can improve security, there is little need for most SMBs to do so. If they do choose to explore the WAF’s advanced protections, the interface makes it very easy, configuring and expanding protection as needed.
Businesses Get Defense Against DDoS Attacks
Distributed denial of service attacks, which overload a website with so much junk data that real users can’t get through, are particularly hard on SMBs because lost revenue from a downed website can be crushing over time.
DDoS attacks don’t require an attacker to actually penetrate a network’s defenses. Thus, they can be launched by a low-skilled hacker, or even a third party that a malicious actor hires. Some plug-and-play tools can launch basic DDoS attacks using known compromised clients and servers.
As such, having DDoS protection, even against a low-level attack, makes sense for any SMB. Even if an attacker can’t fully bring down a website, making it slow and difficult to use can have the same negative effect on users and businesses.
The WAF protects against the two main kinds of DDoS attacks that threaten businesses: online and application-based. To counter online attacks, the WAF must connect with the Barracuda traffic-cleaning service, which requires an additional license but enables the WAF to forward suspected DDoS traffic through the service and then block the overloading requests.
We tested the WAF’s ability to fight more advanced, application-layer DDoS attacks by sending more than 5,000 strings of junk data into the name field on a web form each second. Meanwhile, we attempted to use the form like a valid user, and we were never troubled by the ongoing attack; service never dropped.
Log files confirmed that the WAF caught the illegal traffic and blocked it because either the junk strings were too long or the user attempted to fill out the form too quickly. It broke the WAF’s programmed rules and was dropped. From the valid user’s point of view, nothing was wrong. Because there was no disruption, administrators could take their time responding to the attack, confident that the WAF could handle it — which it did for more than an hour, when the testing ended.
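The two checks those log entries point to, a per-field length limit and a limit on how quickly one client may submit a form, sketched as an added example that is not Barracuda's code or part of the original review. The limits, the client addresses (documentation ranges) and the replayed traffic are assumed, constructed values.

```python
from collections import Counter, defaultdict, deque

class FormPolicy:
    """Per-field length limit plus a per-client submission rate limit."""

    def __init__(self, max_len=64, max_submits=3, window=10.0):
        # All three limits are assumed values, not Barracuda defaults.
        self.max_len, self.max_submits, self.window = max_len, max_submits, window
        # Keep only the newest max_submits+1 attempts per client so a flood
        # cannot grow the per-client state without bound.
        self.recent = defaultdict(lambda: deque(maxlen=max_submits + 1))

    def check(self, client, ts, fields):
        """Return (allowed, reason) for one form submission."""
        q = self.recent[client]
        q.append(ts)                      # every attempt counts, even blocked ones
        for name, value in fields.items():
            if len(value) > self.max_len:
                return False, f"field-too-long:{name}"
        if len(q) > self.max_submits and ts - q[0] < self.window:
            return False, "form-rate"
        return True, "ok"

def replay(events, policy):
    """Apply the policy to (client, ts, fields) events and tally the outcomes."""
    tally = Counter()
    for client, ts, fields in sorted(events, key=lambda e: e[1]):
        tally[(client, policy.check(client, ts, fields)[1])] += 1
    return tally

def constructed_traffic():
    """Constructed sample: a 5,000-per-second flood beside one normal user."""
    flood = [("203.0.113.9", i / 5000,
              {"name": "A" * 500 if i % 2 == 0 else "junk"}) for i in range(5000)]
    user = [("198.51.100.7", 0.5, {"name": "Alice Example"}),
            ("198.51.100.7", 30.0, {"name": "Alice Example"})]
    return flood + user

if __name__ == "__main__":
    for key, count in sorted(replay(constructed_traffic(), FormPolicy()).items()):
        print(key, count)
```

Each client is tracked separately, so the flood exhausts only its own allowance and both submissions from the normal user pass.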
Most firewalls don’t have the level and variety of cybersecurity modules present in the Barracuda Web Application Firewall 460. Of those that include extra features, DDoS is rarely one of them. Its inclusion rounds out the protection offered by Barracuda, enabling it to provide many cybersecurity defenses for SMBs.