Monthly Archives: October 2015

How to deploy the Barracuda Web Application Firewall on Azure

  1 WAF Virtual Appliance Functionality

       1.1 Barracuda Web Application Firewall – Overview

          The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. It scans all inbound web traffic to block attacks, and inspects the HTTP responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine lets administrators create granular access control policies for Authentication, Authorization and Accounting (AAA) without requiring application changes. The onboard L4/L7 load balancing lets organizations add back-end servers quickly to scale deployments as they grow. Application acceleration features such as SSL offloading, caching, compression and connection pooling speed up delivery of web application content.

       1.2 Key Features

  • Protection from common, high-visibility attacks – SQL injection, Cross-Site Scripting, command injection, CSRF, XML attacks, antivirus protection, adaptive profiling
  • Protection from attacks based on session state – session hijacking, cookie tampering, clickjacking, brute-force attack prevention
  • Application denial of service (DoS) protection – slow client attacks, DDoS prevention using CAPTCHA, IP reputation filter
  • Data theft protection – deep-inspects all server responses to prevent leakage of sensitive information using the provided default patterns (credit card numbers, social security numbers, etc.) or user-defined (custom) patterns
  • Website cloaking – strips identifying banners and version numbers from web server software and provides customizable HTTP error handling to defeat server fingerprinting (suppressing error codes and filtering headers)
  • Access control – form and basic authentication and single sign-on with integrations for LDAP, RADIUS, CA SiteMinder, RSA SecurID, Kerberos and SMS Passcode
  • Application delivery – load balancing, caching and compression, SSL offloading, rate control
  • Logging, reporting and monitoring – built-in reporting module, web firewall logs, access logs, audit logs, syslog configuration

       1.3 Azure Limitations of the Barracuda Web Application Firewall

  • Only one VIP address can be used.
  • Only one WAN port can be used for all incoming and outgoing traffic.
  • Because there is a single VIP, each service is distinguished by its VIP port (for example HTTP on 80, HTTPS on 443, or 8080).
  • The Barracuda Web Application Firewall can be deployed in active-active mode in Azure.

       1.4 Installing the Barracuda Web Application Firewall.

The Barracuda Web Application Firewall is available on Microsoft Azure with Bring Your Own License (BYOL) and Hourly/Metered options. For BYOL, Barracuda offers four models. The table below lists each model, the corresponding instance type to be used in Microsoft Azure, and the default CPU and memory for the instance.

    Barracuda WAF   Instance Type in Azure   Default vCPU   Default Memory
    Level 1         A1                       1              1.7 GB
    Level 5         A2                       2              3.5 GB
    Level 10        A3                       4              7 GB
    Level 15        A4                       8              14 GB

If you want to increase the performance of a license you have already purchased, you can buy additional cores from Barracuda and reconfigure the VM for a larger instance type. The Hourly/Metered model has its own list of supported instance types, default vCPU, default memory and hourly pricing, which is published separately.

  1. Log into the Microsoft Azure Management Portal.
  2. Click Marketplace at the bottom of the screen.
  3. In the Marketplace window, select Virtual Machines and enter Barracuda Web Application Firewall in the text field.
  4. Mouse over the search result and select Barracuda Web Application Firewall (BYOL or Hourly/Metered, as required).
  5. Read the product overview and click Create.


On the Create VM page:

  1. Enter the host name in the Host Name field (the example deployment uses wafprd02).
  2. Enter a username (the example uses "mind"). This entry is not used by the Barracuda Web Application Firewall.
  3. Under Authentication Type, choose SSH Public Key or Password and supply the key or password (the example uses "mind@123"). This entry is not used by the Barracuda Web Application Firewall either.
  4. Select the PRICING TIER based on your requirement.
  5. In the OPTIONAL CONFIGURATION section, do the following:
    1. AVAILABILITY SET – select or create an availability set (the example uses WAFAVSET).
    2. NETWORK – select the virtual network (the example uses Customer01).

Note: It is recommended to assign a static IP address to the Barracuda Web Application Firewall.

    3. STORAGE ACCOUNT – select an existing storage account or create one.
    4. ENDPOINTS – by default, port 8000 (TCP) and port 443 (TCP) are opened as endpoints to reach the web interface of the Barracuda Web Application Firewall. Configure the additional endpoints you will use for the services you create on the Barracuda Web Application Firewall. Both management endpoints are reachable from the Internet unless you restrict them, so apply an endpoint ACL that permits only your administrator networks, and use the HTTPS endpoint (443) rather than plain HTTP on 8000 for administration.
    5. EXTENSIONS – do not add any extension, as the Barracuda Web Application Firewall does not support extensions.
  6. Select a group in RESOURCE GROUP.
  7. Choose the subscription for the instance and click Create.

Note: It takes 15-20 minutes for the WAF to be installed in the Azure virtual network. Deploy the secondary unit, wafprd03, in the same way as wafprd02.
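The two management endpoints (TCP 8000 and 443) that the deployment opens are reachable from the whole Internet until something restricts them. Added here as an example that is not part of the original post: a classic (Azure Service Management) PowerShell script that attaches a permit-list ACL to those endpoints on both WAF units, leaving the service endpoints alone. The cloud service name and the administrator source ranges are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): restrict the Barracuda WAF management
# endpoints (TCP 8000 and 443) that the Marketplace deployment opens by default so the
# admin interface is reachable only from named administrator networks. Uses the classic
# (Azure Service Management) PowerShell module the rest of the post relies on.
# Cloud service name and administrator ranges are assumptions; replace them.

$serviceName = "wafprd"                                   # cloud service hosting both units (assumption)
$wafVms      = @("wafprd02", "wafprd03")
$mgmtPorts   = @(8000, 443)                               # default management endpoints per the deployment note
$adminRanges = @("203.0.113.0/24", "198.51.100.10/32")    # documentation ranges; use your real admin sources

function New-AdminOnlyAcl([string[]]$ranges) {
    # Once an endpoint ACL has any rule, everything not explicitly permitted is denied,
    # so a permit-list of admin ranges is all that is needed.
    $acl = New-AzureAclConfig
    $order = 100
    foreach ($range in $ranges) {
        Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $range `
            -Order $order -Description "WAF admin from $range"
        $order += 100
    }
    return $acl
}

function Protect-WafManagementEndpoints([string]$service, [string[]]$vms, [int[]]$ports, $acl) {
    foreach ($vmName in $vms) {
        $vm = Get-AzureVM -ServiceName $service -Name $vmName
        foreach ($ep in ($vm | Get-AzureEndpoint)) {
            if ($ports -notcontains $ep.LocalPort) { continue }      # leave service endpoints alone
            # Re-apply the endpoint unchanged except for the ACL ($ep.Port is the public port)
            $vm = $vm | Set-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol `
                -LocalPort $ep.LocalPort -PublicPort $ep.Port -ACL $acl
        }
        $vm | Update-AzureVM
        # Show what is now enforced on this unit
        Get-AzureVM -ServiceName $service -Name $vmName | Get-AzureEndpoint |
            Where-Object { $ports -contains $_.LocalPort } |
            Select-Object Name, Port, LocalPort, Acl
    }
}

$acl = New-AdminOnlyAcl $adminRanges
Protect-WafManagementEndpoints $serviceName $wafVms $mgmtPorts $acl
```

If port 443 is later used to publish an HTTPS service through the load-balanced set, take it out of `$mgmtPorts` before running this, otherwise the ACL will also apply to that service.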

        1.5 Set up a High Availability Environment with the Barracuda Web Application Firewall

  1. Install each system and ensure that each Barracuda Web Application Firewall is running the same firmware version. Each Barracuda Web Application Firewall in a cluster must have the same model number and firmware version.
  2. Make a backup of each Barracuda Web Application Firewall configuration.
  3. No processes should be running on any virtual machine when you link them together. To be sure, go to the ADVANCED > Task Manager page of each Barracuda Web Application Firewall and verify that no processes are running.
  4. From the ADVANCED > High Availability page of wafprd02, enter a Cluster Shared Secret password and click Save. The walkthrough used "admin"; in production use a long random value, since this secret is what authenticates a peer to the cluster.
  5. From the ADVANCED > High Availability page of wafprd03, do the following:
    1. Enter the same Cluster Shared Secret password and click Save. Both units in a cluster must have the same Cluster Shared Secret to communicate with each other.
    2. In the Clustered Systems section, enter the WAN IP address of wafprd02 (10.135.0.8) and click Join Cluster. Make sure that the join cluster task is not cancelled while the join is in progress.
  6. On each Barracuda Web Application Firewall, refresh the ADVANCED > High Availability page and verify the following:
    1. Each system's hostname, serial number and WAN IP address appears in the Clustered Systems list.
    2. The identity of the system (Self or Peer) is displayed in the Type field.
    3. The Status is green for all virtual machines in the cluster.

[Screenshots: ADVANCED > High Availability page on wafprd02 and on wafprd03, and the cluster status on both WAFs]

       1.6 Set up Load Balancing on the First Barracuda Web Application Firewall Instance

  1. Log into the Microsoft Azure Portal.
  2. On the Microsoft Azure Home page, click Browse and select Virtual Machines.
  3. On the Virtual Machines page, select wafprd02.
  4. In the Essentials section, click All Settings, and select Load balanced sets.
  5. On the Load balanced sets page, click Join and specify values for the following fields in the Join a load balanced set page:
    1. Set the Load balanced set type to Public.
    2. Endpoint Name: HTTP
    3. Private Port: enter the internal port that should listen for traffic on the endpoint. Example: 80.
  6. Click LOAD-BALANCED-SET Configure required settings, and select Create a load balanced set.
  7. On the Create a load balanced set page, specify values for the following fields:
    1. Name: enter a name for the load-balanced set. Example: HTTP
    2. Protocol: select TCP from the list.
    3. Public Port: enter the port number of the service you are load balancing. Example: port 80 for HTTP traffic.
    4. Set Floating IP to Disabled.
    5. Select the Protocol to be used for probing, enter values for Port, Interval (seconds) and Number of retries as required, and click OK.

       1.7 Add Other Barracuda Web Application Firewall Instances to the Load-Balanced Set

After you create the load-balanced set for wafprd02, add the other Barracuda Web Application Firewall virtual machines to the set (for example wafprd03):

  1. Log into the Microsoft Azure Portal.
  2. On the Microsoft Azure Home page, click Browse and select Virtual Machines.
  3. On the Virtual Machines page, select wafprd03.
  4. In the Essentials section, click All Settings, and select Load balanced sets.
  5. On the Load balanced sets page, click Add and specify values for the following fields in the Join a load balanced set page:
    1. Set the Load balanced set type to Public.
    2. Click LOAD-BALANCED-SET Configure required settings.
  6. On the Choose a load balanced set page, select the load balanced set you created in section 1.6 (Set Up Load Balancing on the First Barracuda Web Application Firewall Instance).
  7. Under Join a load balanced set, you will see the load balanced set associated with wafprd03.
  8. Click OK to add the wafprd03 instance to the load balanced set.
  9. Repeat the process to add more Barracuda Web Application Firewall virtual machines to the load-balanced set, and for other ports such as HTTPS.
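The portal steps in sections 1.6 and 1.7 as one script, added here as an example that is not part of the original post. Each WAF unit gets the same load-balanced endpoint with a TCP health probe on the service port, so a unit that stops answering is taken out of rotation, and a second function lists what is actually configured for verification. The cloud service name and the probe timings are assumptions.

```powershell
# Added example (not from the original post): the portal steps in sections 1.6 and 1.7
# as one script. Each WAF unit gets the same load-balanced endpoint, with a TCP probe on
# the service port so a unit that stops answering is removed from rotation. Cloud service
# name and probe timings are assumptions for this example.

$serviceName = "wafprd"                      # cloud service that hosts both units (assumption)
$wafVms      = @("wafprd02", "wafprd03")

function Add-WafLoadBalancedService {
    param(
        [string]$Name,        # load-balanced set and endpoint name, e.g. HTTP
        [int]$PublicPort,     # port clients connect to on the VIP
        [int]$LocalPort       # port the WAF service listens on
    )
    foreach ($vmName in $wafVms) {
        Get-AzureVM -ServiceName $serviceName -Name $vmName |
            Add-AzureEndpoint -Name $Name -Protocol tcp -LocalPort $LocalPort -PublicPort $PublicPort `
                -LBSetName $Name -ProbeProtocol tcp -ProbePort $LocalPort `
                -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
            Update-AzureVM
    }
}

function Get-WafLoadBalancedEndpoints {
    # Lists every endpoint that belongs to a load-balanced set, per unit, for verification
    foreach ($vmName in $wafVms) {
        Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureEndpoint |
            Where-Object { $_.LBSetName } |
            Select-Object @{n="VM"; e={ $vmName }}, Name, LBSetName, Port, LocalPort, ProbeProtocol, ProbePort
    }
}

Add-WafLoadBalancedService -Name "HTTP" -PublicPort 80 -LocalPort 80
# Repeat for any further service port the WAF publishes, e.g.:
# Add-WafLoadBalancedService -Name "HTTP-8080" -PublicPort 8080 -LocalPort 8080
Get-WafLoadBalancedEndpoints | Format-Table -AutoSize
```

The probe is TCP rather than HTTP because the WAF answers TCP on the service port as soon as the service is up; an HTTP probe against a path would also exercise the back end, which can pull a healthy WAF out of rotation when a real server misbehaves.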

       1.8 Creating Services

   Creating an HTTP Service: An HTTP service is a controlled entry point for an HTTP web application on the server. To create an HTTP service, select HTTP as the type of service. Rules added to the service allow content-aware processing decisions for web traffic coming into that service. Rules can use HTTP request headers to make load balancing and caching policy decisions. To add a content rule to a service:


  1. From the BASIC > Services page, in the Services section, find the service to which you want to add a content rule.
  2. Click Rule next to the service. The Add Content Rule window appears.
  3. Specify values for the following fields:
    1. Rule Group Name – name to identify this rule group (example: PROD-SC-DUR01)
    2. Status – set to On to make this rule group part of the rule match.
    3. Host Match – /*
    4. Extended Match – not required
    5. Extended Match Sequence – not required
  4. Click Add.

      1.9 How to Add a Real Server

  1. From the BASIC > Services page, in the Services section, identify the service to which you want to add a real server.
  2. Click the Server option next to the service. The Add Real Server window appears.
  3. Specify values for the following:
    1. Server Name – enter a name to identify this server (examples: SC-PRDCD01 and SC-PRDCD02).
    2. IP Version – select the Internet Protocol version from the drop-down list (IPv4 or IPv6).
    3. IP Address – enter the IP address of the server (examples: 10.135.2.4 and 10.135.2.5).
    4. Port – enter the port number of the server (example: 80).
    5. Backup Server – set to Yes if you want this server to be used only when all other servers fail or are out of service.
    6. Weight – set the load balancing weight for the server.
  4. Click Add, and repeat for each real server.

Note: The real servers should accept traffic on the service port only from the WAF units. A back end that is also reachable directly can be attacked around the WAF.
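A post-configuration check of the published service, added here as an example that is not part of the original post. It sends a burst of requests through the load-balanced VIP, tallies the status codes, reports any fingerprinting headers that still reach the client (the website cloaking feature listed earlier should strip them), and checks that a textbook SQL injection probe is not simply passed through with a 200. The VIP address and the probe string are assumptions.

```powershell
# Added example (not from the original post): smoke-test the HTTP service through the
# load-balanced VIP once the content rule and real servers exist. It tallies status codes
# over a burst of requests, reports fingerprinting headers that still reach the client
# (website cloaking should strip them), and sends one textbook injection probe to confirm
# the WAF does not pass it straight through. The VIP and the probe string are assumptions.

$baseUrl = "http://203.0.113.10"     # public VIP of the HTTP load-balanced set (assumption)

function Invoke-WafProbe([string]$url) {
    # Returns the status code and headers. Invoke-WebRequest throws on 4xx/5xx, so the
    # status is recovered from the exception's response when one exists.
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        return @{ Status = [int]$r.StatusCode; Headers = $r.Headers }
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and $resp.StatusCode) { return @{ Status = [int]$resp.StatusCode; Headers = @{} } }
        return @{ Status = -1; Headers = @{} }       # -1: no HTTP answer at all (timeout, reset)
    }
}

function Test-WafService([string]$base, [int]$requests = 20) {
    $codes  = @{}
    $leaked = @{}
    for ($i = 0; $i -lt $requests; $i++) {
        $p = Invoke-WafProbe "$base/"
        $codes[$p.Status] = 1 + $codes[$p.Status]
        foreach ($h in @("Server", "X-Powered-By", "X-AspNet-Version")) {
            if ($p.Headers[$h]) { $leaked[$h] = "$($p.Headers[$h])" }
        }
    }
    # A classic SQL injection pattern; a WAF with SQL injection protection on should answer
    # with its block page rather than forward it to the real servers.
    $inj = Invoke-WafProbe ("$base/?id=" + [uri]::EscapeDataString("1' OR '1'='1"))
    return @{ StatusCounts = $codes; LeakedHeaders = $leaked; InjectionStatus = $inj.Status }
}

$result = Test-WafService $baseUrl
$result.StatusCounts.GetEnumerator() | Sort-Object Key |
    ForEach-Object { "HTTP {0,4}: {1} responses" -f $_.Key, $_.Value }
if ($result.LeakedHeaders.Count -gt 0) {
    Write-Warning ("Fingerprinting headers reach the client: " + ($result.LeakedHeaders.Keys -join ", "))
}
if ($result.InjectionStatus -eq 200) {
    Write-Warning "Injection probe returned 200; verify the SQL injection policy on the service"
}
```

Run it from outside the virtual network, since the point is to see what an Internet client sees; a mix of 200s with no leaked headers and a non-200 answer to the probe is the expected result once the service is healthy.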

      1.10 Backing up and restoring your System Configuration

 The ADVANCED > Backup page lets you back up and restore the configuration of your Barracuda Web Application Firewall. You should back up your system regularly in case you need to restore the configuration on a replacement Barracuda Web Application Firewall or your current system data becomes corrupt. The backup holds the complete configuration, so store it with the same care as the device's credentials.

If you are restoring a backup file on a new Barracuda Web Application Firewall that is not yet configured, you first need to assign the new system an IP address and DNS information.

      1.11 Updating the Firmware of your Barracuda Web Application Firewall 

The ADVANCED > Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. The only time you should revert to an old firmware version is if you recently installed a new version that is causing unexpected problems. In that case, call Barracuda Networks Technical Support before reverting to the previous firmware version.

If you have the latest firmware version already installed, the Download Now button will be disabled.

 1.12 Updating the Attack, Virus and Security Definitions 

The ADVANCED > Energize Updates page allows you to manually update the attack, virus and security definitions, and to change the interval at which the Barracuda Web Application Firewall checks for updates. Energize Updates provide the Barracuda Web Application Firewall with the latest definitions.

It is recommended that Automatically Update be set to Hourly so your Barracuda Web Application Firewall receives the latest definitions as soon as new threats are identified by Barracuda Central.

The following fields are common to the Attack, Virus and Security Definition update sections. Click Save Changes after making any changes.

  • Current Installed Version – displays the version of the definitions currently installed on the system.
  • Latest General Release – displays the latest version that is available. If the current version running on the Barracuda Web Application Firewall is not the latest, click Update to download the latest version. The Update button is disabled if the system already has the latest version.
  • Previously Installed Version – displays the previously installed version that was running on the system. To go back to this version of the definitions, click Revert.
  • Automatically Update – determines the frequency at which the Barracuda Web Application Firewall checks for updates. To disable automatic updates, select Off. Hourly updates occur at the beginning of each hour. Daily updates occur at 12:20 am (twenty past midnight) in the system time zone. The recommended setting is Hourly.

Firmware upgrade in the cluster (initial firmware 7.9.0.021, upgraded to 7.9.10.010). Upgrade one unit at a time so the other keeps serving traffic:

  1. On the ADVANCED > Firmware Update page, click Download Now.
  2. Click Apply Now.
  3. The unit reboots.
  4. After 15-20 minutes, log into the WAF and check whether it has rejoined the cluster.
  5. Check that the firmware version has been upgraded.
  6. Check that traffic is being load balanced and both units are active (active-active).
  7. Follow the same procedure on the other WAF.

How to address the dynamic routing issue in Azure with a Cisco ASA

While trying to build a tunnel from Azure to a Cisco ASA with dynamic routing (IKEv1 and IKEv2), the tunnel would not come up. We later found that the ASA does not support Azure dynamic routing (ASA 8.0 does not support IKEv2), and looked at a couple of options such as ExpressRoute and installing a virtual firewall.

Supporting link:

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/118743-configure-asa-00.html (ASA 8.4 and above supports IKEv2)

Finally we came up with a different approach to fix this.

We created two VNETs. One VNET is used for a dynamic routing gateway, with VPN tunnels built to supported vendors (Check Point and Juniper).

The second VNET is used for a static routing gateway, with the tunnel built between Azure and the ASA, and communication between the VNETs is enabled over public IPs, with restrictions.

One more thing: VNet-to-VNet latency is less than 10 ms (Azure public IP address traffic does not traverse the Internet) and it behaves like a LAN.

Step-by-step configuration:

http://blog.kloud.com.au/2014/06/10/microsoft-azure-multi-site-vpn/

For troubleshooting, the Azure PowerShell module is required; it can be downloaded from the link below.

http://www.microsoft.com/en-in/download/details.aspx?id=2560

Here are the troubleshooting commands for PowerShell. Before running them, connect to the Azure account:

Add-AzureAccount – pops up a credentials window where you enter the Azure account details.

Pre-shared key creation (the on-premises peer must be configured with the identical key; use a long random value in place of a guessable one like the Cisco123 shown here):
Set-AzureVNetGatewayKey -VNetName "<VNetName>" -LocalNetworkSiteName "xxxx" -SharedKey Cisco123

Initiate the connection from the Azure side:
Set-AzureVNetGateway -Connect -LocalNetworkSiteName "test" -VNetName "customer01"

Check the connection state:

PS C:\> Get-AzureVnetConnection -VNetName "test"

ConnectivityState : NotConnected
EgressBytesTransferred : 0
IngressBytesTransferred : 0
LastConnectionEstablished : 1/1/1601 5:30:00 AM
LastEventID : 21601
LastEventMessage : Unable to establish the cross-premise tunnel for site 'MT-NOC-BLR'. Previous state: Initializing. Current state: Not Connected.
LastEventTimeStamp : 8/23/2015 12:54:53 PM
LocalNetworkSiteName : test
OperationDescription :
OperationId :
OperationStatus :

http://blogs.technet.com/b/keithmayer/archive/2014/12/18/diagnose-azure-virtual-network-vpn-connectivity-issues-with-powershell.aspx
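The same bring-up sequence as one script, added here as an example that is not part of the original post. It generates a random pre-shared key instead of a guessable one, sets it on the gateway, initiates the connection, and polls Get-AzureVNetConnection until the tunnel reports Connected or the attempts run out, printing the LastEventMessage seen in the output above so the failure reason is visible. The VNet and site names follow the post; the poll interval and attempt count are assumptions.

```powershell
# Added example (not from the original post): bring up the site-to-site tunnel with a
# random pre-shared key instead of a guessable one, then poll the connection until it
# reports Connected or the attempts run out, surfacing the LastEventMessage that the
# output above shows. VNet and site names follow the post; poll timings are assumptions.

$vnetName = "customer01"
$siteName = "test"

function New-PreSharedKey([int]$bytes = 32) {
    # 32 random bytes as 64 hex characters: alphanumeric, so any IPsec peer accepts it,
    # and far outside dictionary-attack range. Enter the same value on the on-premises peer.
    $buf = New-Object byte[] $bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return -join ($buf | ForEach-Object { $_.ToString("x2") })
}

function Wait-AzureVNetTunnel([string]$vnet, [string]$site, [int]$attempts = 20, [int]$delaySeconds = 30) {
    for ($i = 1; $i -le $attempts; $i++) {
        $conn = Get-AzureVNetConnection -VNetName $vnet | Where-Object { $_.LocalNetworkSiteName -eq $site }
        Write-Host ("{0:HH:mm:ss} {1,-13} in={2} out={3} {4}" -f (Get-Date), $conn.ConnectivityState,
            $conn.IngressBytesTransferred, $conn.EgressBytesTransferred, $conn.LastEventMessage)
        if ($conn.ConnectivityState -eq "Connected") { return $true }
        Start-Sleep -Seconds $delaySeconds
    }
    return $false
}

Add-AzureAccount | Out-Null                      # interactive sign-in, as in the post

$psk = New-PreSharedKey
Set-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $siteName -SharedKey $psk
Write-Host "Configure the on-premises peer with this PSK, then clear it from the console: $psk"

Set-AzureVNetGateway -Connect -VNetName $vnetName -LocalNetworkSiteName $siteName

if (-not (Wait-AzureVNetTunnel $vnetName $siteName)) {
    Write-Warning "Tunnel to '$siteName' did not come up; compare the last event message with the peer's IKE/IPsec logs"
}
```

A NotConnected state with zero bytes in both directions and a "Unable to establish the cross-premise tunnel" event, as in the captured output, points at phase 1 (peer address, routing type or PSK mismatch) rather than at traffic selectors, which only matter once the tunnel is up.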


The same VPN configuration can also be applied with Azure PowerShell by importing a network configuration (netcfg) XML file with Set-AzureVNetConfig -ConfigurationPath. The annotations are written as XML comments so the file stays well-formed:

<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <LocalNetworkSite name="Site-01">
        <AddressSpace>
          <!-- What Azure calls a "local network" is the remote (on-premises) network in networking terms -->
          <AddressPrefix>10.20.3.0/24</AddressPrefix>
        </AddressSpace>
        <!-- Site-01 VPN peer (public IP address) -->
        <VPNGatewayAddress>1.1.1.1</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Site-02">
        <AddressSpace>
          <!-- Remote network -->
          <AddressPrefix>172.20.3.0/24</AddressPrefix>
        </AddressSpace>
        <!-- Site-02 VPN peer gateway address (public IP address) -->
        <VPNGatewayAddress>2.2.2.2</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="VNET-01" Location="South Central US">
        <AddressSpace>
          <!-- Local supernet for Site-01 (Azure end) -->
          <AddressPrefix>10.10.0.0/21</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <!-- Local subnets (Azure end) -->
          <Subnet name="mgmtsubnet">
            <AddressPrefix>10.10.1.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="proddbsubnet">
            <AddressPrefix>10.10.2.0/24</AddressPrefix>
          </Subnet>
          <!-- VNET-01 VPN gateway subnet; the name GatewaySubnet is mandatory -->
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.10.4.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <!-- VNET-01 gateway (dynamic routing gateway) -->
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="VNET-02" Location="South Central US">
        <AddressSpace>
          <!-- Local supernet for Site-02 (Azure end) -->
          <AddressPrefix>172.16.0.0/23</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Mgmt-VNET02">
            <AddressPrefix>172.16.0.0/26</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>172.16.0.64/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <!-- Site-to-site connections (global configuration) -->
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Site-01">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="Site-02">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
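A pre-import check for a netcfg file like the one above, added here as an example that is not part of the original post. It parses the XML, confirms that each virtual network has a GatewaySubnet, that every LocalNetworkSiteRef names a defined LocalNetworkSite, and that no on-premises prefix overlaps the address space of the VNet whose gateway connects to it (an overlap is the classic reason traffic never crosses a tunnel that otherwise looks healthy), and only then imports the file with Set-AzureVNetConfig. The file path is an assumption.

```powershell
# Added example (not from the original post): sanity-check a netcfg file before importing
# it with Set-AzureVNetConfig. A local (on-premises) prefix that overlaps a VNet address
# space, a missing GatewaySubnet, or a dangling LocalNetworkSiteRef each yield a gateway
# that never carries traffic, and the portal error is rarely explicit about which one.
# The file path is an assumption for this example.

function ConvertTo-IpNumber([string]$ip) {
    # Dotted-quad IPv4 to a 64-bit integer so ranges can be compared arithmetically
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-CidrRange([string]$cidr) {
    $ip, $len = $cidr.Split('/')
    $size  = [int64][math]::Pow(2, 32 - [int]$len)
    $start = [int64]([math]::Floor((ConvertTo-IpNumber $ip) / $size)) * $size   # align to the block
    return @{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap([string]$a, [string]$b) {
    $ra = Get-CidrRange $a
    $rb = Get-CidrRange $b
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-NetCfg([string]$path) {
    [xml]$doc = Get-Content -Path $path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("n", "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration")
    $problems = @()

    # Index the local (on-premises) sites by name with their address prefixes
    $localSites = @{}
    foreach ($site in $doc.SelectNodes("//n:LocalNetworkSite", $ns)) {
        $localSites[$site.GetAttribute("name")] =
            @($site.SelectNodes("n:AddressSpace/n:AddressPrefix", $ns) | ForEach-Object { $_.InnerText })
    }

    foreach ($vnet in $doc.SelectNodes("//n:VirtualNetworkSite", $ns)) {
        $vnetName     = $vnet.GetAttribute("name")
        $vnetPrefixes = @($vnet.SelectNodes("n:AddressSpace/n:AddressPrefix", $ns) | ForEach-Object { $_.InnerText })

        # 1. A subnet literally named GatewaySubnet is required for a VPN gateway
        if (-not $vnet.SelectSingleNode("n:Subnets/n:Subnet[@name='GatewaySubnet']", $ns)) {
            $problems += "${vnetName}: no GatewaySubnet defined"
        }

        # 2. Every referenced site must exist and must not overlap this VNet's address space
        foreach ($ref in $vnet.SelectNodes("n:Gateway/n:ConnectionsToLocalNetwork/n:LocalNetworkSiteRef", $ns)) {
            $refName = $ref.GetAttribute("name")
            if (-not $localSites.ContainsKey($refName)) {
                $problems += "${vnetName}: references undefined local site '$refName'"
                continue
            }
            foreach ($lp in $localSites[$refName]) {
                foreach ($vp in $vnetPrefixes) {
                    if (Test-CidrOverlap $lp $vp) {
                        $problems += "${vnetName}: local site '$refName' prefix $lp overlaps VNet prefix $vp"
                    }
                }
            }
        }
    }
    return ,$problems
}

$cfgPath = "C:\azure\netcfg.xml"       # path to the netcfg file (assumption)
$issues  = Test-NetCfg $cfgPath
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "netcfg validation failed; not importing"
}
Set-AzureVNetConfig -ConfigurationPath $cfgPath
```

Against the file above the check passes: 10.20.3.0/24 and 172.20.3.0/24 fall outside 172.16.0.0/23, both VNets declare a GatewaySubnet, and both LocalNetworkSiteRef names resolve. Changing Site-02 to 172.16.1.0/24 would be reported as an overlap before anything is sent to Azure.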