|Partner Name||Barracuda Networks|
|Product Name||Barracuda Web Application Firewall|
|Version & Platform||x60 Series|
|Product Description||The Barracuda Web Application Firewall protects web applications and web services from malicious attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Application Firewall offers every capability needed to deliver, secure, and manage enterprise web applications from a single appliance through an intuitive, real-time user interface.|
|Product Category||Network Firewalls|
The Barracuda Web Application Firewall protects your website from attackers leveraging protocol or application vulnerabilities to instigate unauthorized access, data theft, denial of service (DoS), or defacement of your website.
The Barracuda Web Application Firewall provides complete protection of web applications and enforces policies for both internal and external data security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). In addition, the Barracuda Web Application Firewall features a number of traffic management capabilities to improve the performance, scalability, and manageability of the most modern and demanding data center infrastructures.
|Partner Integration Overview|
|Authentication Methods Supported||RADIUS|
|RSA SecurID API Version||N/A|
|RSA Authentication Manager Replica Support||N/A|
|Secondary RADIUS Server Support||Yes (1)|
|RSA Authentication Agent Host Type for 7.1||Standard Agent|
|RSA SecurID User Specification||Designated Users|
|RSA SecurID Protection of Administrative Users||No|
|RSA Software Token and RSA SecurID 800 Automation||No|
Authentication Agent Configuration
To facilitate communication between the Barracuda Web Application Firewall and the RSA Authentication Manager / RSA SecurID Appliance, an Authentication Agent Host record must be added to the RSA Authentication Manager database. The Authentication Agent Host record identifies the Barracuda Web Application Firewall within the RSA Authentication Manager database and contains information about communication and encryption. You will also need to configure a RADIUS client.
To create the Agent Host record, you will need the following information:
- IP addresses for all network interfaces
When adding the Agent Host Record, you should configure the Barracuda Web Application Firewall as Standard Agent. RSA Authentication Manager uses this setting to determine how to communicate with the Barracuda Web Application Firewall.
To create the RADIUS client record, you will need the following information:
- IP addresses for all network interfaces
- RADIUS secret
Please refer to the appropriate RSA Security documentation for additional information about creating, modifying, and managing Agent Host and RADIUS client records.
RSA SecurID Files
|RSA SecurID Authentication Files|
|Node Secret (securid)|
Partner Product Configuration
Before You Begin
This section provides instructions for integrating partner products with RSA SecurID Authentication. This document does not necessarily suggest optimum installations or configurations.
You should have a working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should rely on product documentation for all relevant products to properly install the required components.
You should verify all vendor products/components are installed and working before proceeding.
Configuring the Barracuda Web Application Firewall for SecurID Authentication
The following configuration steps enable the Barracuda Web Application Firewall to communicate via RADIUS protocol with the RSA Authentication Manager to authenticate users:
Step 1: Create an HTTP Service on the Barracuda Web Application Firewall
- Log into the Barracuda Web Application Firewall using a supported web browser by navigating to the web interface on port 443 (HTTPS).
- From the BASIC tab, select the Services page.
- In the Add New Service section, select HTTP from the Type list, and fill in other required information. Click Help on the BASIC > Services page for an explanation of other settings on this page.
- Click Add.
Figure 1. Creating a New Service
Step 2: Add the RSA SecurID Server as an Authentication Service on the Barracuda Web Application Firewall
- From the ACCESS CONTROL tab, select the Authentication Services page.
- Select RSA SecurID under the New Authentication Service section. See Figure 2.
- For the Server IP, specify the IP address of the RSA RADIUS server used for authenticating users.
- The Server Port should be the port number of the RSA RADIUS server. The standard port number used for RADIUS is 1812 or 1645.
- Specify appropriate values for other parameters and click Add. For more information, click Help.
Figure 2. Configure the RSA SECURID Authentication Service
Step 3: Associate the RSA SecurID Authentication Service with a Service on the Barracuda Web Application Firewall
- From the ACCESS CONTROL tab, select the Authentication Policies page.
- Under the Authentication Policies section, click Edit Authentication next to the Service requiring RSA SecurID authentication.
- On the Edit Authentication Policy window:
- Set Status to On to enable authentication for the service.
- From the Authentication Service list, select the RSA authentication service created in Step 2: Add the RSA SecurID Server as an Authentication Service on the Barracuda Web Application Firewall.
- Specify values for other parameter(s) as required, and click Save. For more information on how to configure an authentication policy, click the Help button. See Figure 4.
Figure 3. Authentication Page
Figure 4. Configuring Authentication Policy
Step 4: Configure the Authorization Policy for the Service
- From the ACCESS CONTROL tab, select the Authorization Policies page.
- Under Authentication Policies section, click Add Authorization next to the service.
- On the Add Authorization Policy window:
- Policy Name – Enter a name for the authorization policy.
- Set Status to On.
- Specify values for other parameter(s) as required, and click Save. For more information on how to configure an authorization policy, click the Help button.
Figure 5. Configuring Authorization Policy
When there is an attempt to access a protected resource, the Barracuda Web Application Firewall presents a login page to authenticate the user. If URL Match is configured as /*, a login page displays for any request sent to the Service.
Using a supported web browser, navigate to the configured URL for the Barracuda Web Application Firewall. To receive authorization to view the protected resource, a user must authenticate using RSA SecurID. To begin the authentication process, the user must enter a username and password on the Login form.
The user is then presented with a new PIN challenge.
The user is challenged again to confirm the PIN.
When the new PIN is accepted, after entering the new password, the user is successfully authenticated and forwarded along to the configured URL. For more information on how to configure RSA Authentication Manager and to verify the setup, see How to Integrate RSA SecurID with the Barracuda Web Application Firewall .
Certification Checklist for RSA Authentication Manager 7.x