After a service is created, a basic set of web firewall features are activated automatically using the Barracuda default security policy. The service defaults to a pa ssive mode of enforcement using the default security policy.

Configuring Service Settings

The default configuration options provide a sufficient amount of attack protection from the majority of web attacks. Refinements to the default security policy can be required for different web applications. You can edit basic service settings to tailor attack prevention for a service. To edit service settings, go to the BASIC > Services page, identify the service you want to edit in the Services list, and click Edit next to it. The service window displays the following sections:

• Service

• Basic Security

• SSL

• Load Balancing

Service

Verify the settings displayed are correct. Modify the settings if necessary.

Basic Security

You can modify the basic set of web firewall options in the Basic Security section. Specify values for the following fields:

Modes (Active / Passive) : Additional notes

The Barracuda Web Application Firewall executes the following operations in both active and passive modes if they are configured by the administrator.

• All SSL configurations for the front-end and back-end connections.

• Insertion of JavaScript code for client tracking.

• Submission of traffic data to the cloud layer for analysis if an Advanced Bot Protection license has been purchased and if data submission has not been explicitly turned off.

• Client-side checks for web scraping such as run-time modification of robots.txt, insertion of cooking, and JS file checks.

• Enforcement of CAPTCHA / reCAPTCHA for suspicious clients in App DDoS rules.

• All network-level rules and Network Firewall rules.

• Enforcement of Access Control rules

• Website Translation rules that rewrite content, URLs, and domains in HTTP requests and responses.

• Malformed HTTP requests are not processed and will be denied in the Passive mode.

• Following are the protocol violations that can be observed in the Passive mode :

  • Malformed Version

  • Malformed Request Line

  • Malformed Header Line

  • Invalid or Malformed HTTP Request

  • Malformed Content-Length

  • Pre 1.0 request

  • Multiple Content-Length headers

  • Request containing both Transfer-Encoding and Content-Length headers

  • Parameter parsing failures due to internal parse errors or violation of standards

  • Large JSON key-value pairs that fail our internal memory allocation limits of >256KB

  • Internal memory allocation failures due to large payload of >1M

In addition to the mode being configured at the service, rule group, or specific rule level, the mode is also configured for individual smart signatures. This can be validated in the ADVANCED > View Internal Patterns page.

SSL

See: Configuring SSL for SSL Enabled Services.

Load Balancing

See Configuring Load Balancing for a Service.

You can configure additional security for a service by using URL policies. URL policies allow Anti-Virus protection, Data Theft protection, and Brute Force protection to be enabled or disabled for specific URL spaces.