Barracuda SSL VPN

How can I protect my Barracuda SSL VPN from BEAST attacks?

  • Type: Knowledgebase
  • Date changed: 6 years ago
Solution #00005773

Scope:
This solution applies to the Barracuda SSL VPN, all firmware versions.

Answer:
Background on BEAST attacks:

A few requirements must be met to successfully apply this attack against web browsers.

Requirement 1: The attacker must be able to eavesdrop on network connections made from the victim's browser.
Requirement 2: The attacker must be able to insert JavaScript into the victim's browser.
Requirement 3: The attacker must be able to send HTTPS requests at will.
Requirement 4: After listening in on the request, the attacker must be able to append more data to the very same request.
  • There are several methods for eavesdropping (one example is open Wi-Fi networks), thus Requirement 1 can be met.
  • Requirement 2 can be met in several ways. For example, the client may visit an evil site that serves the JavaScript, or the JavaScript can be served in an advertisement.
  • Requirement 3 is met, as the attacker can create requests via the attack script.
  • Requirement 4, however, is not met in the Opera web browser, but it appears that it can be met in other browsers.

What can be done to protect my SSL VPN?
Until all web browsers support TLS 1.1 or TLS 1.2 by default (neither of which is vulnerable to this attack), the only option is to change the SSL ciphers that the Barracuda SSL VPN uses.

The vulnerability lies in any ciphers that use CBC (cipher block chaining), so the fix is to use only ciphers that use RC4 instead.

Log on to the SSL VPN as ssladmin and navigate to Advanced > Configuration.
In the Supported Ciphers list, remove all entries from the Selected Ciphers list, then add the following ciphers from the Available Ciphers list:
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_SHA
  • TLS_KRB5_WITH_RC4_128_MD5
  • TLS_KRB5_WITH_RC4_128_SHA
You may opt not to add the MD5 ones if you wish. Save the changes, which should prompt for a restart of the SSL VPN.
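One way to check a Selected Ciphers list against the change described above, as an added example that is not Barracuda's code: it flags CBC suites and anything outside the four RC4 suites listed in this article. The function names and the `BEFORE` list are constructed for illustration; the list would be copied by hand from Advanced > Configuration.

```python
import re

# The four suites the article says to select (names copied from the page).
ARTICLE_RC4_SUITES = (
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_KRB5_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_RC4_128_SHA",
)

# Suite name layout: <SSL|TLS>_<key exchange>_WITH_<bulk cipher>_<MAC>
_SUITE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>MD5|SHA\d*)$")


def classify(name):
    """Return 'cbc', 'rc4', 'other' or 'unparsed' for one suite name."""
    m = _SUITE.match(name.strip())
    if not m:
        return "unparsed"
    parts = m.group("bulk").split("_")
    if "CBC" in parts:
        return "cbc"
    return "rc4" if parts[0] == "RC4" else "other"


def audit(selected, allow_md5=True):
    """Compare a Selected Ciphers list with the article's RC4-only list."""
    allowed = {s for s in ARTICLE_RC4_SUITES if allow_md5 or not s.endswith("_MD5")}
    names = [s.strip() for s in selected if s.strip()]
    cbc = [s for s in names if classify(s) == "cbc"]
    unexpected = [s for s in names if s not in allowed and s not in cbc]
    return {"cbc": cbc, "unexpected": unexpected,
            "compliant": bool(names) and not cbc and not unexpected}


# Constructed sample: a Selected Ciphers list before the change.
BEFORE = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
AFTER = list(ARTICLE_RC4_SUITES)

if __name__ == "__main__":
    for label, suites in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(suites))
```

Pass `allow_md5=False` to treat the two MD5 suites as unexpected, matching the option to leave them out.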

Link to This Page:
https://campus.barracuda.com/solution/50160000000IcFrAAK