The Barracuda Load Balancer ADC associates security policies with HTTP, HTTPS, and Instant SSL services. A security policy is a preconfigured set of security settings that applies to any virtual service associated with it. Security policies are shareable: after a policy is created, it can be assigned to more than one virtual service. The rules in a security policy specify inspection criteria for input or output data, identifying malicious or vulnerable data. Security policies include mostly negative and some positive elements. For most websites, the security policies are sufficient to implement good web application security.
Default and Preconfigured Security Policies
When a virtual service is created, it is associated with the default security policy and log levels. The Barracuda Load Balancer ADC includes the following preconfigured security policies:
- Default
- Oracle
- OWA
- OWA2010
- OWA2013
- Sharepoint
- Sharepoint2013
Security Policy Configuration
When needed, the security policy associated with a virtual service can be changed or refined. Security policies define the matching criteria that requests are compared against, and the rules applied to matching requests. All security policies are global; that is, they can be shared by multiple services configured on the Barracuda Load Balancer ADC.
When a virtual service needs refined security settings, the provided security policies can be adjusted, or customized policies can be created. To create a customized security policy, see Steps to Create a New Policy. Each policy is a collection of nine sub-policies, each of which is modified by editing its corresponding sub-policy page. The sub-policies are:
- Request Limits
- Cookie Security
- URL Protection
- Parameter Protection
- Cloaking
- Data Theft Protection
- URL Normalization
- Global ACLs
- Action Policy
Create a Policy
To create a policy:
- Go to the SECURITY > Security Policies page.
- Click New Security Policy.
- In the New Security Policy window, enter a name for the policy and click Create. The policy is created with default settings, which you can edit in the main pane of the page.
Edit a Policy
To edit a configured policy:
- Go to the SECURITY > Security Policies page.
- In the left pane, click the policy name.
- In the main pane of the page, edit the policy settings.
- After you finish editing the policy, click Save Changes.