Web Application Firewall


WAF

Comprehensive Security for Critical Applications

With hundreds of lines of code to check – and vulnerabilities often subtle and hard to find – a serious data breach is often the first sign that a web application has problems. Having secured thousands of production applications against more than 11 billion attacks since 2008, the Barracuda Web Application Firewall is the ideal solution for organizations looking to protect web applications from data breaches and defacement. With the Barracuda Web Application Firewall, administrators do not need to wait for clean code or even know how an application works to secure their applications. Organizations can ensure robust security with a Barracuda Web Application Firewall hardware or virtual appliance, deployed either on-premises or in the cloud.

Provides Constant Protection from Evolving Threats

The Barracuda Web Application Firewall provides superior protection against data loss, application-layer DDoS, and both known and previously unknown (zero-day) application-layer attacks. As new types of threats emerge, the Barracuda Web Application Firewall acquires new capabilities to block them. These attack definitions are delivered as automatic updates and “virtually patch” units in the field, ensuring the highest security posture for critical applications at all times. This greatly reduces the time between vulnerability disclosure and vulnerability patching.

Granular Identity and Access Management

The Barracuda Web Application Firewall has strong authentication and access control capabilities that ensure security and privacy by restricting access to sensitive applications or data to authorized users. Integrated identity and access management pre-authenticates users at the perimeter before access is allowed to critical web applications. User access control for multiple applications can be offloaded to a single consolidated device. Detailed audit logging provides clear visibility into user activity across all protected applications.

Intuitive Administration & Management

With over 90% of customers deploying active protection in less than a week, the Barracuda Web Application Firewall is designed to provide instant security. Integrations with best-of-breed security tools ensure easy deployment into existing environments while providing granular logging, alerting, and reporting for management, compliance, or early-warning detection. It can be deployed in High Availability clusters to provide redundancy and seamless failover in response to outages, thereby ensuring maximum application uptime.

Scalable Security for Public & Private Clouds

Today, cloud computing has become a “must-have” to a majority of the enterprise IT community, for reasons ranging from economic gains to technology benefits. But one of the major concerns carrying over from traditional IT—data and application security—has not changed, and requires the same diligence in the cloud as with on-premises solutions. Fortunately, the Barracuda Web Application Firewall can be readily plugged into private cloud environments as well as third-party cloud platforms like Microsoft Azure or Amazon Web Services.

Application Attack and DDoS Protection

The Barracuda Web Application Firewall provides robust security against targeted and automated attacks. OWASP Top 10 attacks like SQL Injections and Cross-Site Scripting (XSS) are automatically identified and logged. Administrators have the ability to set granular controls on response, allowing them to block, throttle, redirect, or perform a number of other actions.

Advanced DDoS protection capabilities allow administrators to distinguish real users from botnets through the use of heuristic fingerprinting and IP reputation, thereby allowing them to block, throttle, or challenge suspicious traffic. It is the only product in the industry to offer integrated IP reputation intelligence that combines real-time situational insights and historical intelligence to secure against application DDoS using a variety of risk assessment techniques such as application-centric thresholds, protocol checks, session integrity, active and passive client challenges, historical client reputation blacklists, geo-location, and anomalous idle-time detection.

Adaptive Profiling

Adaptive profiling enables administrators to build positive security profiles of their applications by sampling web traffic from trusted hosts. Once enabled, the positive security profiles allow administrators to enforce granular whitelist rules on sensitive parts of the application. This greatly reduces the risk of attacks and helps mitigate zero-day vulnerabilities by restricting input to values that meet strict standards.
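The learn-then-enforce cycle described above, as an added example that is not Barracuda's code: a profile is learned from constructed requests seen from trusted hosts (per URL, which parameters exist, their longest value and the widest character class observed), and later requests are checked against it. The URLs, parameters, character classes and the 1.5x length slack are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample of requests seen from trusted hosts during the learning phase.
TRUSTED_SAMPLES = [
    "/account/search?q=alice&page=1",
    "/account/search?q=bob+smith&page=12",
    "/account/search?q=carol&page=3",
]

# Character classes ordered from most to least restrictive; the profile records the widest one seen.
CLASSES = [
    ("digits", re.compile(r"[0-9]+")),
    ("alnum", re.compile(r"[A-Za-z0-9 ]+")),
    ("any", re.compile(r".*", re.S)),
]

def class_rank(value):
    """Index into CLASSES of the most restrictive class the value fits."""
    for rank, (_, rx) in enumerate(CLASSES):
        if rx.fullmatch(value):
            return rank
    return len(CLASSES) - 1

def learn_profile(samples):
    """Positive profile: per URL, per parameter, the widest class and longest value seen."""
    profile = defaultdict(dict)
    for sample in samples:
        url, _, query = sample.partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            entry = profile[url].setdefault(name, {"class": 0, "max_len": 0})
            entry["class"] = max(entry["class"], class_rank(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile

def enforce(profile, request_line, slack=1.5):
    """Return None if the request fits the profile, otherwise the reason it was rejected."""
    url, _, query = request_line.partition("?")
    if url not in profile:
        return f"unprofiled URL {url}"          # not sampled: forceful browsing or unknown resource
    allowed = profile[url]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            return f"unknown parameter {name!r}"
        rule = allowed[name]
        if len(value) > rule["max_len"] * slack:
            return f"parameter {name!r} too long ({len(value)} chars)"
        if class_rank(value) > rule["class"]:
            return f"parameter {name!r} outside learned character class"
    return None
```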

Server Cloaking

Often the first step of any targeted attack is to probe public-facing applications to find out details about the underlying servers, databases, and operating systems. Cloaking prevents attack reconnaissance of protected applications by suppressing server banners, error messages, HTTP headers, return codes, debug information, or backend IP addresses from leaking to a potential attacker. Without any details of the underlying infrastructure, it is much more difficult to target attacks, thereby reducing the risk of breach.

Protection for Mobile Applications, REST APIs and AJAX

Mobile applications and REST APIs today rely on JSON (JavaScript Object Notation) to transfer data. However, this opens a whole new attack surface that is often overlooked and hard to secure with traditional scan-testing or pen-testing approaches. The Barracuda Web Application Firewall secures the entire attack surface of mobile applications and REST APIs, filters malicious inputs in requests with JSON payloads, helps ensure API SLAs to partners, and provides anti-pharming protection from rogue consumers. Interactive web applications using JSON with AJAX are similarly protected.

XML Firewall

Applications that rely on XML can now be secured with an XML Firewall capability that protects against schema and WSDL poisoning, highly nested elements, recursive parsing, and other XML-based attacks. This secures communications between client and application, or between applications from different systems, closing an often-overlooked attack vector.

Data Loss Prevention

Deployed as a reverse-proxy, the Barracuda Web Application Firewall inspects all inbound traffic for attacks and outbound traffic for sensitive data. Content such as credit card numbers, U.S. social security numbers, or any other custom patterns can be identified by the Barracuda Web Application Firewall and either blocked or masked without administrator intervention. Best of all, the information is logged and can be used by administrators to find potential leaks.
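The outbound inspection described above, as an added illustration rather than Barracuda's own implementation: a response body is scanned for card numbers (validated with the Luhn checksum so that ordinary digit runs are left alone) and U.S. social security numbers, the matches are masked to their last four digits, and each finding is returned for logging. The sample body, the patterns and the masking format are constructed assumptions.

```python
import re

# Constructed sample of an outbound response body that leaks card and SSN data.
SAMPLE_BODY = (
    "Order 1042 confirmed.\n"
    "Card on file: 4111 1111 1111 1111 (exp 09/27)\n"
    "Reference number: 1234 5678 9012 3456\n"
    "Applicant SSN: 123-45-6789\n"
)

CARD_RX = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # 13-16 digits with optional separators
SSN_RX = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: true for every real card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_card(match):
    """Mask a candidate PAN to its last four digits; leave non-Luhn digit runs untouched."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 16 or not luhn_ok(digits):
        return raw
    return "X" * (len(digits) - 4) + digits[-4:]

def filter_response(body):
    """Mask PANs and SSNs in an outbound body; return (masked_body, findings) for the audit log."""
    findings = []

    def card_sub(m):
        out = mask_card(m)
        if out != m.group(0):
            findings.append(("credit_card", out[-4:]))
        return out

    def ssn_sub(m):
        findings.append(("ssn", m.group(0)[-4:]))
        return "XXX-XX-" + m.group(0)[-4:]

    body = CARD_RX.sub(card_sub, body)
    body = SSN_RX.sub(ssn_sub, body)
    return body, findings
```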

Iron-clad URL Tamper Prevention via URL Encryption

Attacks on a web-based application often start by analyzing and tampering with its URLs. Barracuda Web Application Firewalls, models 660 and above, come with a unique URL Encryption feature that allows administrators to encrypt URLs before they are sent to clients. The original URLs or the directory structure are never exposed externally to prying eyes. Users of the web applications interact and navigate the site using only encrypted URLs, which are decrypted by the WAF on the way back in. The decryption process immediately identifies URL query or parameter tampering, malicious content injection or blind forceful browsing attacks.
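The encrypt-on-the-way-out, decrypt-and-verify-on-the-way-in flow described above, as an added example that is not Barracuda's URL Encryption implementation: the WAF replaces each application URL with an opaque token, and on the way back in it only accepts tokens whose authentication tag verifies, so a modified query, injected content, or a plain URL typed directly (forceful browsing) is rejected before reaching the application. The cipher here is an illustrative HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the example runs on the standard library alone; the key, the /_e/ prefix and the sample URL are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo secret; a deployment would generate and hold its own key.
SECRET = b"constructed-demo-key-not-for-production"
ENC_KEY = hashlib.sha256(b"enc" + SECRET).digest()
MAC_KEY = hashlib.sha256(b"mac" + SECRET).digest()
PREFIX = "/_e/"                 # assumed marker for encrypted URLs
NONCE_LEN, TAG_LEN = 12, 16

class TamperedURL(Exception):
    """Raised when an inbound URL is not a valid, untouched token."""

def _keystream(nonce, length):
    """HMAC-SHA256 in counter mode as a stream cipher (illustrative stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_url(url):
    """Turn a real application URL into an opaque token the client navigates with."""
    nonce = os.urandom(NONCE_LEN)
    plain = url.encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return PREFIX + base64.urlsafe_b64encode(nonce + cipher + tag).decode().rstrip("=")

def decrypt_url(token_path):
    """Recover the original URL; any change to the token fails the tag and is reported as tampering."""
    if not token_path.startswith(PREFIX):
        raise TamperedURL("plain URL presented where only encrypted URLs are accepted")
    b64 = token_path[len(PREFIX):]
    try:
        blob = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        raise TamperedURL("token is not valid base64")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise TamperedURL("token too short")
    nonce, cipher, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise TamperedURL("integrity check failed: path or query was modified")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(nonce, len(cipher))))
    return plain.decode()
```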

Compliance

The Barracuda Web Application Firewall is designed to provide easy, cost-effective assistance to help administrators comply with major application-specific requirements like PCI-DSS, HIPAA, FISMA, and SOX. It is certified by a number of third-party testing labs including ICSA Labs as an effective Web Application Firewall solution. The Barracuda Web Application Firewall directly satisfies section 6.6 of PCI-DSS and assists compliance with built-in PCI compliance reports. Its robust identity and access management and data loss prevention (DLP) capabilities ensure privacy of sensitive data. A FIPS 140-2 HSM model ensures that applications it protects meet the highest cryptographic standards.

Integrations: Cavium Networks

Web-Based Identity and Access Management

The Barracuda Web Application Firewall integrates fully with Active Directory and any other RADIUS- or LDAP-compatible authentication service. Combined with its strong access control capabilities, this lets administrators define granular control over which users or groups are able to access specific resources. For Kerberos-enabled environments, it can also authenticate to the protected web application on behalf of the user, including single sign-on to multiple Kerberos services.

Streamline Identity Federation with Identity Providers, including Azure AD

The Barracuda Web Application Firewall supports the SAML v2 protocol for authentication and web-based single sign-on (SSO), which means that it can act as a SAML Service Provider (SP) to SAML-compliant Identity Providers (IdP), saving you from the complexities of implementing SAML on your web servers. This facilitates SSO between cloud and on-premises web applications, as well as interoperability with Azure AD, which supports SAML 2.0.

Two-Factor Authentication

The Barracuda Web Application Firewall integrates with a number of two-factor authentication technologies, including client certificates, SMS PASSCODES, and hardware tokens such as RSA SecurID, to provide strong user authentication.

Integrations: SMS PASSCODES, RSA SecurID

Client IP Reputation & User Access Control

Using client source addresses, organizations can control access to web resources. The Barracuda Web Application Firewall can control access based on GeoIP to limit access to specified regions only. It is also integrated with the Barracuda Reputational Database and can identify suspicious IP addresses, bots, the Tor network and other anonymizing proxies that are often used by attackers to hide their identity and location. Once an IP address is identified as a risk, administrators have the ability to block, limit, throttle, or issue a CAPTCHA challenge before allowing access.

Integrations: MaxMind

Pre-Built Security Templates

Pre-built security templates and an intuitive web interface provide immediate security without the need for time-consuming tuning or learning how to use a new application. Included out of the box are common application templates including Exchange, SharePoint, Oracle Financials, PHP, and more.

Automate and Scale with a RESTful API

With the advent of cloud computing, data centers have become increasingly programmable, and DevOps is now a key area of focus across the network, compute and security tiers. The Barracuda Web Application Firewall comes with a REST API that enables you to configure and monitor the appliance programmatically. The functionality of the device is exposed through Representational State Transfer (REST) compliant interfaces that can be exercised from any programming language of your choice. The REST API allows you to automate, reducing time-to-market and costs by leveraging economies of scale in a programmable environment.

Custom Templates for Increased Productivity

Managing application security policies across multiple units can quickly become an error-prone hassle. The Barracuda Web Application Firewall features security templates that provide the ability to define baseline security settings to use as a model for security policies. By using templates, you can quickly create security policies designed to safeguard a specific application, web-portal, platform, framework or parts thereof. Templates increase productivity, reduce manual errors and deployment time, and ensure policy compliance.

Vulnerability Scanner Integration

Security organizations often use vulnerability scanners to look for exploitable weaknesses in their applications. Barracuda has the ability to integrate with popular scanners like IBM AppScan and Cenzic Hailstorm to automatically configure an application’s security template to protect against identified issues. All of this is automatically configured using the output of the scanners without any administrator intervention.

Integrations: IBM AppScan, Cenzic Hailstorm

Intuitive, Drill-down Reporting

Powerful graphical reporting provides immediate insight into threat activity, web traffic and regulatory compliance. More than 50 pre-defined reports are available and can be customized further using numerous filters for attack type, traffic, time range, and more.

Generated reports are interactive, with drill-down capability. Reports span PCI compliance, security, audit, web traffic and geo-location analytics. They can be generated on demand, or scheduled for periodic delivery to multiple recipients over email or FTP.

Comprehensive Logging & Reporting

All client requests, administrator modifications, and firewall actions are logged. This provides a comprehensive audit log for compliance and security policy tuning. Data from the logs is used by the Web Application Firewall to build graphical reports on attacks, web traffic, compliance or a number of other analytical reports. Logs can also be exported to third-party analytics suites via syslog or FTP.

Proactive Risk Monitoring via Customizable Alerts

Scheduling alert notifications for risk monitoring and analysis is an important requirement for proactive security administrators. However, this can quickly become overwhelming with multiple security appliances in the data center. Without any correlation or consolidation, advanced persistent threat (APT) activity can go unnoticed, for example:

To overcome this, the Barracuda Web Application Firewall provides alert consolidation and correlation. Custom notifications can be defined using multiple elements like severity, attack type, application, threshold and frequency (for example, configuring thresholds for SQL Injection frequency on application X and also monitoring forceful browsing for the same application). This ensures that important threat activity does not get drowned in the noise, lowers risk profile and operational costs, and increases productivity. Alert notifications can also be customized for hardware components and individual system modules like Authentication, Admin Activity, SSL, etc.


High Availability Clustering

Barracuda Web Application Firewalls can be clustered in active / passive or active / active pairs with failover to ensure instant recovery. Security configurations and deployments are automatically synchronized between the clusters, providing instant recovery from any outages.

Application Load Balancing and Monitoring

The Barracuda Web Application Firewall supports load balancing for all types of applications. Session persistence ensures that subsequent requests from the same IP address are routed to the same back-end server as the initial request. This guarantee of persistence requires awareness of server health, so that subsequent requests are not routed to a server that is no longer responding. The Barracuda Web Application Firewall can monitor server health by tracking server responses to actual requests and marking the server as out of service when errors exceed a user-configured threshold. In addition, the Barracuda Web Application Firewall can perform out-of-band health checks: requests created and sent to a server at configured intervals to verify its health.

Cloud Edition for Microsoft Azure

When migrating data, applications, and/or workloads to the cloud, administrators still need to safely manage both corporate and customer information. In most cases, organizations are still subject to the privacy and compliance directives of their industry, whether HIPAA, SOX, PCI, or others. By integrating the proven application security and data loss prevention capabilities of Barracuda Web Application Firewall (WAF) with Microsoft Azure’s native security features, administrators are in a superior position to deploy secure, reliable, and resilient cloud services in Azure while meeting any regulatory or compliance needs. To find out more about the Barracuda Web Application Firewall on Microsoft Azure, visit us in the Microsoft Azure gallery, download the WAF on Azure whitepaper or visit the Barracuda TechLibrary.

Cloud Edition for Amazon Web Services

The Barracuda Web Application Firewall provides proven application security and Data Loss Prevention for applications deployed on Amazon Web Services. To find out more about the Barracuda Web Application Firewall on Amazon Web Services, visit our AWS Marketplace page or visit the Barracuda TechLibrary.

Models

| | 360 | 460 | 660 | 860 | 960 |
|---|---|---|---|---|---|
| Capacity | | | | | |
| Backend Servers | 1 – 5 | 5 – 10 | 10 – 25 | 25 – 150 | 150 – 300 |
| Throughput | 25 Mbps | 50 Mbps | 200 Mbps | 1 Gbps | 4 Gbps |
| HTTP Transactions/Sec. | 8,000 | 15,000 | 30,000 | 90,000 | 180,000 |
| SSL Transactions/Sec. | 2,500 | 4,000 | 12,000 | 30,000 | 50,000 |
| Hardware | | | | | |
| Form Factor | 1U Mini Rackmount Chassis | 1U Mini Rackmount Chassis | 1U Fullsize Rackmount Chassis | 2U Fullsize Rackmount Chassis | 2U Fullsize Rackmount Chassis |
| Input Current | 1.2 Amps AC | 1.3 Amps AC | 1.8 Amps AC | 4.1 Amps AC | 5.4 Amps AC |
| Copper Ethernet NICs | 2 x 10/100 CU w/bypass | 2 x 1 GbE w/bypass | 2 x 1 GbE w/bypass | 2 x 1 GbE (bypass available) | 2 x 10 GbE (bypass available) |
| Features | | | | | |
| HTTP/S, FTP Protocol Validation | ✓ | ✓ | ✓ | ✓ | ✓ |
| Form Field Meta Data Validation | ✓ | ✓ | ✓ | ✓ | ✓ |
| Web Site Cloaking | ✓ | ✓ | ✓ | ✓ | ✓ |
| JSON Protection | ✓ | ✓ | ✓ | ✓ | ✓ |
| Response Control | ✓ | ✓ | ✓ | ✓ | ✓ |
| Outbound Data Theft Protection | ✓ | ✓ | ✓ | ✓ | ✓ |
| File Upload Control | ✓ | ✓ | ✓ | ✓ | ✓ |
| Logging, Monitoring and Reporting | ✓ | ✓ | ✓ | ✓ | ✓ |
| High Availability | ✓ | ✓ | ✓ | ✓ | ✓ |
| SSL Offloading | ✓ | ✓ | ✓ | ✓ | ✓ |
| Authentication and Authorization | ✓ | ✓ | ✓ | ✓ | ✓ |
| Vulnerability Scanner Integration | ✓ | ✓ | ✓ | ✓ | ✓ |
| Centralized Management | ✓ | ✓ | ✓ | ✓ | ✓ |
| Client IP Reputation | ✓ | ✓ | ✓ | ✓ | ✓ |
| Network Firewall | ✓ | ✓ | ✓ | ✓ | ✓ |
| High Availability: Active/Passive | ✓ | ✓ | ✓ | ✓ | ✓ |
| REST API | ✓ | ✓ | ✓ | ✓ | ✓ |
| Caching and Compression | | ✓ | ✓ | ✓ | ✓ |
| LDAP/RADIUS | | ✓ | ✓ | ✓ | ✓ |
| Load Balancing | | ✓ | ✓ | ✓ | ✓ |
| Content Routing | | ✓ | ✓ | ✓ | ✓ |
| ECC Memory | | | ✓ | ✓ | ✓ |
| Adaptive Profiling | | | ✓ | ✓ | ✓ |
| AV for File Uploads | | | ✓ | ✓ | ✓ |
| XML Firewall | | | ✓ | ✓ | ✓ |
| Advanced Routing | | | ✓ | ✓ | ✓ |
| URL Encryption | | | ✓ | ✓ | ✓ |
| SAML v2 SP Support | | | ✓ | ✓ | ✓ |
| 2×10 Gigabit Fiber NIC Connections | | | | ✓ | ✓ |
