Trusted Hosts
The Barracuda Web Application Firewall allows you to designate trusted hosts by IP address and mask that are not subjected to security checks. Traffic coming from trusted hosts is assumed to be safe. The WEBSITES > Trusted Hosts page allows you to create a trusted hosts group with one or more hosts. Trusted host groups have an associated Trusted Hosts Action so a policy violation from a trusted host results in the Trusted Hosts Action overriding the Action configured for other hosts. You can set the Trusted Hosts Action to the following:
- Allow - All requests pass through, including possible attacks (which are ignored). No logs are generated.
- Passive - All requests pass through, including possible attacks, but logs are generated on the BASIC > Web Firewall Logs page.
- Default - Trusted hosts are treated the same as all other clients.
Steps to Create a Trusted Hosts Group
- Go to the WEBSITES > Trusted Hosts page.
- In the Add New Trusted Host section, specify a name in the Trusted Hosts Group Name field and click Add.
- In the Trusted Hosts section, click Add Host next to the Trusted Host Group that you created. The Create Trusted Host window appears. Specify values for the following:
  - Trusted Host Name – Enter a name for the trusted host that you want to exempt from security checks. Host names cannot include space characters.
  - Version – Select the Internet Protocol version (IPv4 or IPv6) for the trusted host from the drop-down list.
  - IP Address – Enter the IP address of the trusted host.
  - Mask – Enter the netmask associated with the IP address.
- Click Add.
- If you wish to add multiple hosts to the Trusted Hosts group, repeat Step 3 and Step 4.
Associate a Trusted Hosts Group with a Service
Once a trusted hosts group is created with a set of trusted hosts, you can associate that group with a service and exempt its hosts from security checks or authentication as explained below.
Exempting a Trusted Hosts Group from Security Checks
The following steps bind a trusted hosts group to a service and exempt its hosts from security checks.
- Go to the BASIC > Services page.
- In the Services section, identify the service to which you want to associate the trusted hosts group for exempting security checks.
- Click Edit next to the service. The Service window appears.
- Scroll down to the Basic Security section and set Trusted Hosts Action to Allow or Passive.
- Select the Trusted Hosts Group from the drop-down list.
- Specify values for other parameters as required and click Save.
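A review of trusted host values before they are entered, as an added example (not Barracuda code and not part of the original page). It checks the fields described above and flags wide masks, which matter most under Allow because nothing is logged. The entry layout, the `MAX_HOSTS` threshold and treating the IPv6 mask as a prefix length are assumptions.

```python
import ipaddress

# Constructed sample entries mirroring the Create Trusted Host fields
# (name, version, IP address, mask); none come from a real deployment.
SAMPLE_HOSTS = [
    {"name": "scanner-01", "version": "IPv4", "ip": "192.0.2.10", "mask": "255.255.255.255"},
    {"name": "office lan", "version": "IPv4", "ip": "198.51.100.0", "mask": "255.255.255.0"},
    {"name": "corp-net", "version": "IPv4", "ip": "10.0.0.0", "mask": "255.0.0.0"},
    {"name": "qa-v6", "version": "IPv4", "ip": "2001:db8::5", "mask": "128"},
    {"name": "build", "version": "IPv4", "ip": "203.0.113.7", "mask": "255.255.0.0"},
]

MAX_HOSTS = 256  # assumed review threshold, not a product limit


def review_host(host, action):
    """Return a list of findings for one trusted-host entry."""
    findings = []
    if " " in host["name"]:
        findings.append("name contains a space")
    try:
        addr = ipaddress.ip_address(host["ip"])
        # strict=False so an address with host bits set is reported, not rejected
        net = ipaddress.ip_network(f'{host["ip"]}/{host["mask"]}', strict=False)
    except ValueError as exc:
        return findings + [f"invalid address or mask: {exc}"]
    if f"IPv{addr.version}" != host["version"]:
        findings.append(f"version field says {host['version']} but address is IPv{addr.version}")
    if net.network_address != addr and net.num_addresses > 1:
        findings.append(f"host bits set; mask actually covers {net}")
    if net.num_addresses > MAX_HOSTS:
        findings.append(f"mask covers {net.num_addresses} addresses")
        if action == "Allow":
            # Under Allow, violations are ignored and no logs are generated
            findings.append("Allow on a wide range: attacks pass unlogged")
    return findings


def review_group(hosts, action):
    """Map entry name -> findings, keeping only entries with findings."""
    report = {h["name"]: review_host(h, action) for h in hosts}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in review_group(SAMPLE_HOSTS, "Allow").items():
        print(name, "->", "; ".join(findings))
```

Running the same group with `"Passive"` drops the unlogged-traffic finding, since Passive still writes to the Web Firewall Logs.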
Exempting a Trusted Hosts Group from Authentication
If you do not wish to require authentication for a set of trusted hosts, associate the trusted hosts group with an authentication policy and set the Trusted Hosts Action to Allow. The Barracuda Web Application Firewall identifies the trusted hosts as allowed users and all of their requests are exempted from authentication.
Steps to Associate a Trusted Host Group with an Authentication Policy
- Go to the ACCESS CONTROL > Authentication page.
- In the Authentication Policies section, identify the service to which you want to associate the trusted host group that you are exempting from authentication.
- Click Edit next to that service. The Edit Authentication Policy window appears.
- In the Edit Authentication Policy window, select the Trusted Hosts Group from the drop-down list to associate it with the policy.
- Set Trusted Hosts Action to Allow to exempt the set of trusted hosts from authentication.
- Specify values for other parameters as required and click Save.
Learning from the Trusted Hosts
When a service is associated with a security policy, all URLs and parameters are matched to that security policy setting. Web applications are dynamic and vary widely, so a one-size-fits-all security strategy might not be adequate across a website. For this reason, the policy might block some genuine requests, which are false positives. You can reduce false positives and fine-tune the security settings for a trusted hosts group using one of the following:
- Exception Profiling
- Adaptive Profiling
Both assist in development of fine-grained security settings. Exception Profiling uses a heuristics-based strategy to refine web application security settings in response to logged traffic on BASIC > Web Firewall Logs. Adaptive Profiling learns the intricate structure of an application and enforces conformance to it. Detailed security profiles are created by learning from requests and responses served by a particular web application. For more information on how exception profiling works, see Configuring Exception Profiling.
Fine-Tuning Security Settings for a Trusted Hosts Group Using Adaptive Profiling
- Go to the WEBSITES > Adaptive Profiling page.
- Click Edit next to the service to which you want to associate a trusted host group and learn the requests and/or responses from the trusted hosts. The Edit Service Adaptive Profiling window appears.
- Select Trusted from the Request Learning drop-down list if you wish to learn the requests from a trusted host.
- Select Trusted from the Response Learning drop-down list if you wish to learn the responses from a trusted host.
- Select Trusted Hosts Group from the drop-down list.
- Specify values for other parameters as required and click Save.
Fine-Tuning Security Settings for a Trusted Hosts Group Using Exception Profiling
- From the WEBSITES > Exception Profiling page, identify the service to which you want to bind the trusted hosts group.
- Click Edit next to that service. The Edit Exception Profiling window appears.
- Select Trusted Hosts Group from the drop-down list.
- Set Learn From Trusted Hosts Group to Yes and click Save.
- The exceptions from trusted hosts are learned using trusted hosts heuristics displayed on the WEBSITES > Exception Heuristics page.
- Select Exception Profiling Level from the drop-down list if you wish to learn from non-trusted hosts as well. The exceptions from non-trusted hosts are learned based on Low, Medium, or High exception profiling settings on WEBSITES > Exception Heuristics.