Aug 22 2018

Review: The Barracuda Web Application Firewall 460 Offers Affordable Security

This feature-packed sentry sits at the network gateway, scanning all incoming and outgoing traffic to stop threats.

A business’s size offers little protection against network threats today. Hackers will target a small business just as readily as they will a larger organization, and may even see it as a softer target. Anyone, and any endpoint, can find itself the victim of a scattergun-type attack, such as ransomware.

As such, small and medium-sized businesses need the same level of protection as larger businesses, though maintaining such cybersecurity typically falls outside the skill set and budget of most smaller organizations. The Web Application Firewall from Barracuda Networks can help bridge that gap, cost-effectively protecting 10 servers and all the endpoints at a level normally found only in larger, more expensive products.

Placed at the front of the data path, the WAF functions like a reverse proxy, intercepting all traffic and allowing only packets that comply with policy to get through. It includes HTTP/S and FTP validation; form field metadata validation; website cloaking; response control; outbound data theft protection; file upload control; logging, monitoring and reporting; high availability; SSL offloading; authentication and authorization; vulnerability scanner integration; client IP reputation validation; caching and compression; and Lightweight Directory Access Protocol/Research and Development for Image Understanding Systems (LDAP/RADIUS) services. It can even handle load balancing and ­content routing.

Simpler Protection for Small Business Servers

The 460 model can protect five to 10 servers. The WAF models also scale up to enterprise levels if needed. With any of the WAFs, new defensive capabilities are activated by ­spinning up services, a simple process that puts both inbound and outbound traffic into a ­single interface.

WAF automatically applies a default security policy based on best practices whenever a new service is activated. For example, when adding protection for a public- facing app, the default policy limits the number of characters that users can type into each field. Administrators can modify default policies as needed, but the limit ensures that simplicity is the rule when generating new protections.


The free Barracuda Vulnerability Manager is also available for the WAF suite of tools. WAF can scan new applications for vulnerabilities and then create rules to block them from the firewall, without changing any code.

While tinkering with either the Vulnerability Manager or the core rules can improve security, there is little need for most SMBs to do so. If they do choose to explore the WAF’s advanced protections, the interface makes it very easy, configuring and expanding protection as needed.

Businesses Get Defense Against DDoS Attacks

Distributed denial of service attacks, which overload a website with so much junk data that real users can’t get through, are particularly hard on SMBs because lost revenue from a downed website can be crushing over time.

DDoS attacks don’t require an attacker to actually penetrate a network’s defenses. Thus, they can be launched by a low-skilled hacker, or even a third party that a malicious actor hires. Some plug-and-play tools can launch basic DDoS attacks using known compromised clients and servers.

As such, having DDoS protection, even against a low-level attack, makes sense for any SMB. Even if an attacker can’t fully bring down a website, making it slow and difficult to use can have the same negative effect on users and businesses.

The WAF protects against the two main types of DDoS attacks that threaten businesses: web-based and application-based. To counter web-based attacks, the WAF must connect to the Barracuda traffic-scrubbing service, which requires an extra license but allows the WAF to forward suspected DDoS traffic through the service and then block the overloading requests.

We tested the WAF’s ability to fight more advanced, application-layer DDoS attacks by sending more than 5,000 strings of junk data into the name field on a web form every second. Meanwhile, we attempted to use the form like a valid user, and we were never inconvenienced by the ongoing attack — service never dropped.

Log files confirmed that the WAF caught the illegal traffic and blocked it because either the junk strings were too long or the user attempted to fill out the form too quickly. It broke the WAF’s programmed rules and was dropped. From the valid user’s point of view, nothing was wrong. Because there was no disruption, administrators could take their time responding to the attack, confident that the WAF could handle it — which it did for more than an hour, when the testing ended.

Most firewalls don’t have the level and variety of cybersecurity modules present in the Barracuda Web Application Firewall 460. Of those that include extra features, DDoS is rarely one of them. Its inclusion rounds out the protection offered by Barracuda, enabling it to provide many cybersecurity defenses for SMBs.

The Barracuda Web Application Firewall 460

Back-End Servers Protected: Five to 10
Maximum Traffic Throughput: 50Mbps
Maximum HTTP Traffic Scanned: 15,000 HTTP transactions per second
Maximum Secure Traffic Scanned: 4,000 SSL transactions per second
Dimensions: 16.8x14x1.7 inches (with stand)
Weight: 11.9 pounds


Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT