Barracuda Launches Web Application Firewall as a Service

Barracuda is making its Web Application Firewall platform available in a cloud-delivered model that benefits from a new management interface and improved configuration.

Barracuda Networks announced its cloud-delivered Web Application Firewall (WAF) service on May 16, providing organizations with a new approach to managing and deploying application security.

The Barracuda WAF-as-a-Service offering builds on the company’s existing WAF products, which include both physical and virtual appliances. The cloud-delivered version of the WAF, however, offers organizations new ways to manage, deploy and integrate application security into an application delivery stack.

“With the existing WAFs that we had, you would still have to go in—and whether it’s physical or virtual—you would still have to set up the machine, give it an IP address, connect it to the network, manage the policies and deal with failover,” Nitzan Miron, vice president of Product Management for Application Security Services at Barracuda, told eWEEK. “With WAF-as-a-Service, we take all the complexity and do it for customers.”

A WAF is a type of firewall that is purpose-built to help defend against application-layer threats and attacks. WAFs can be used to protect against known vulnerabilities in applications, including input validation and SQL injection types of risks.

Deployment

Organizations set up WAF-as-a-Service by pointing their web server’s DNS records to Barracuda’s IP address, which filters the traffic and then forwards it, Miron said. Barracuda uses Anycast, a network approach that enables one IP address to be located in multiple locations, to route traffic to the closest geographically located Barracuda data center to help decrease latency and improve performance.

While the actual WAF enforcement engine in the new service is the same core technology that Barracuda has been evolving for over a decade, Miron said the management piece has been completely rewritten. The goal of the new management interface is to make it easier for organisations to configure features.

“When you first get started, you go through this very easy wizard, you set up your application, you enable security and you get the default best practices policy,” Miron said. “But then you can go in and you can modify any of the particular features to a very high level of detail.”

Going a step further, Miron noted that Barracuda’s WAF also benefits from the company’s vulnerability remediation service. With that service, organizations can run a scan of their web applications to identify vulnerabilities and then provide specific recommendations for remediation. He added that the remediations can be automatically configured in the WAF.

Miron said Barracuda is also working on predefined templates for common web frameworks to be able to automatically provide the right WAF policies.

APIs

Barracuda is also enabling its WAF-as-a-Service for DevOps with an API that developers can use. The WAF API allows developers to modify behavior of application traffic, Miron said. For example, if a developer is deploying a new system to production, what sometimes happens is as a new copy is deployed, the old copy is destroyed. With the API, Miron said developers can inform the Barracuda WAF to cut over traffic to the new system when it is deployed.

While the new offering is in some respects competitive with what Barracuda already offers, Miron doesn’t expect the new WAF-as-a-Service will cannibalize the company’s existing physical and virtual appliance WAF business.

“We found that customers usually have certain ways they want to do things,” he said. “We don’t see this as a cannibalisation. We’d love to have customers move to WAF-as-a-Service and enjoy the new features that come with the model, but we know some customers will continue to be happy running with what they have.”