Barracuda Web Application Firewall

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services


In this lab, you will deploy an unsecured web application into Amazon Web Services (AWS), and then secure the application using the Barracuda Web Application Firewall. To create the environment, you will deploy a Virtual Private Cloud, an Internet Gateway and a NAT Gateway to provide the virtual networking. Then you will deploy a Barracuda Web Application Firewall and an Ubuntu server with Apache, PHP, MySQL and the Damn Vulnerable Web Application (DVWA) installed.

DVWA is a PHP/MySQL web application that is deliberately vulnerable to attack. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment. More information can be found on the DVWA site.

Once this infrastructure is built, you will create an Elastic Load Balancer in AWS that directs traffic from the Internet to the Barracuda Web Application Firewall (both management and web). Next, you will configure the Barracuda Web Application Firewall (WAF) to serve the Damn Vulnerable Web Application (DVWA). After this is created, you will connect to the DVWA web application and run the attacks to see how they are logged in the Barracuda Web Application Firewall.

These detailed step-by-step instructions will guide you through the lab.

Scenarios

  • Deploy and configure an AWS Virtual Private Cloud.
  • Provision and configure the Barracuda Web Application Firewall.
  • Deploy and configure the DVWA application.
  • Simulate attacks on the site using the DVWA application and capture the attacks being launched, configure policies and run reports from the WAF.

Requirements

  • Amazon Web Services subscription
  • Valid contact details to complete the Barracuda Web Application Firewall trial registration

The following is a diagram of the deployment that will be completed at the end of this hands-on lab.


Exercise 1: Environment Setup

In this exercise, you will use an AWS Console to implement the infrastructure that will be leveraged for the rest of the exercises. This includes creating the Virtual Private Cloud (VPC), provisioning the Barracuda Web Application Firewall, the Elastic Load Balancer (ELB), and the Ubuntu server which will host the DVWA application.

Task 1: Create the Networking Infrastructure using an AWS Console
  1. Go to the AWS portal https://console.aws.amazon.com/. After entering your credentials, the AWS Dashboard will display.
  2. Click through Console > Networking & Content Delivery > VPC.
  3. Next, click Start VPC Wizard.
  4. On Step 1: Select a VPC Configuration, click Select.
  5. Complete the Step 2: VPC with a Single Public Subnet screen using the following details and then click Create VPC.
    • IPv4 CIDR block – 10.0.0.0/16
    • VPC name – BarracudaWAFLab
    • Availability Zone – us-east-1a
    • Subnet name – www
  6. Next, click Subnets and review the subnet that was created by the wizard.
  7. Right-click the subnet, and then click Modify auto-assign IP settings. The Modify auto-assign IP settings screen opens.
  8. Check the box for Enable auto-assign public IPv4 address and then click Save.
  9. From the Subnet screen, click Create Subnet to create a new subnet.
  10. Complete the Create Subnet screen using the following details, then click Yes, Create:
    • Name tag – apps
    • Availability Zone – us-east-1a
    • IPv4 CIDR block – 10.0.1.0/24
  11. On the Subnets page, review both the www and apps subnets.
  12. From the VPC Dashboard, click Internet Gateways and review how this was created by the wizard. Make sure that the State shows attached.
  13. Next, click Route Tables to review how the routing has been configured.
  14. Notice that the www subnet has been configured to associate the Internet-bound route 0.0.0.0/0 with the Internet Gateway.
  15. From the AWS console, click VPC under Networking and Content Delivery, then click NAT Gateways.
  16. Click Create a NAT Gateway. The Create a NAT Gateway window opens.
  17. Select the www subnet, then click Create a New EIP.
  18. Once this is completed, click Create a NAT Gateway.
  19. Next, click Route Tables to review how the routing has been configured.
  20. Locate the second route table that was created, which currently has 0 subnets associated.
  21. Click this route table and select Routes. Notice that currently there is only a route for local traffic in the CIDR range 10.0.0.0/16. This means there is no route to the Internet.
  22. Click Edit to make changes to the route table:
    1. Click Add Another Route.
    2. As the Destination, select 0.0.0.0/0.
    3. As the Target, select the NAT gateway.
    4. Click Save.
  23. Click the Subnet Associations tab, and select Edit.
  24. Now, check the box for the apps subnet to associate this route table with the apps subnet.
    Now the private servers on the apps subnet will use the NAT gateway for their Internet-bound traffic.
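
The routing built in steps 13 to 24 (www routes 0.0.0.0/0 to the Internet Gateway, apps routes 0.0.0.0/0 to a NAT Gateway that sits in www) is also what you will need to verify if DVWA does not come up in Exercise 2. As an added example that is not part of the lab, the following Python checks a VPC layout given in the shape of the AWS CLI describe-* output against those requirements; the subnet, gateway and route table IDs are constructed placeholders.

```python
"""Offline check of the lab's VPC routing: constructed sample data, not real AWS output."""
import ipaddress

# Constructed data in the shape of `aws ec2 describe-subnets`, `describe-nat-gateways`
# and `describe-route-tables` output. Every ID below is a made-up placeholder.
SUBNETS = [
    {"SubnetId": "subnet-www0001", "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Name", "Value": "www"}]},
    {"SubnetId": "subnet-apps0001", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Name", "Value": "apps"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0001", "SubnetId": "subnet-www0001", "State": "available"}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-www0001"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-apps0001"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"}]},
]


def subnet_by_name(subnets, name):
    """Find a subnet by its Name tag (the lab names them www and apps)."""
    for s in subnets:
        if any(t["Key"] == "Name" and t["Value"] == name for t in s.get("Tags", [])):
            return s
    return None


def default_route_target(route_tables, subnet_id):
    """Target of the active 0.0.0.0/0 route in the table explicitly associated with subnet_id."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            for r in rtb.get("Routes", []):
                if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
                    return r.get("GatewayId") or r.get("NatGatewayId")
            return None  # table found, but it only has the local route (lab step 21)
    return None  # no explicit association: the subnet falls back to the main table


def check_lab_routing(subnets, route_tables, nat_gateways, vpc_cidr="10.0.0.0/16"):
    """Return a list of findings; an empty list means the layout matches the lab."""
    findings = []
    www, apps = subnet_by_name(subnets, "www"), subnet_by_name(subnets, "apps")
    if www is None or apps is None:
        return ["both a www and an apps subnet must exist"]
    vpc = ipaddress.ip_network(vpc_cidr)
    for s in (www, apps):
        if not ipaddress.ip_network(s["CidrBlock"]).subnet_of(vpc):
            findings.append(f"{s['SubnetId']} CIDR {s['CidrBlock']} is outside {vpc_cidr}")
    # www is the public subnet: auto-assigned public IPs, default route to the Internet Gateway
    if not www.get("MapPublicIpOnLaunch"):
        findings.append("www subnet should auto-assign public IPv4 addresses")
    www_target = default_route_target(route_tables, www["SubnetId"])
    if not (www_target or "").startswith("igw-"):
        findings.append(f"www default route should target an Internet Gateway, got {www_target}")
    # apps is the private subnet: no public IPs, default route via a NAT Gateway that lives in www
    if apps.get("MapPublicIpOnLaunch"):
        findings.append("apps subnet should not auto-assign public IPv4 addresses")
    apps_target = default_route_target(route_tables, apps["SubnetId"])
    if not (apps_target or "").startswith("nat-"):
        findings.append(f"apps default route should target a NAT Gateway, got {apps_target}")
    else:
        nat = next((n for n in nat_gateways if n["NatGatewayId"] == apps_target), None)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{apps_target} is missing or not in the available state")
        elif nat["SubnetId"] != www["SubnetId"]:
            findings.append(f"{apps_target} must be deployed in the www subnet")
    return findings
```

Feeding it real output from `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` (the `Subnets`, `RouteTables` and `NatGateways` lists) reproduces the troubleshooting review from Exercise 2 without clicking through the console.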
Task 2: Provision the Barracuda WAF using the AWS Marketplace
  1. Sign in to the AWS Console.
  2. On the right-hand side of the console under AWS Marketplace, click the Learn more link.
  3. In the AWS Marketplace search box, type Barracuda Web Application Firewall and then click the magnifying glass.
  4. Several Barracuda Networks products will be returned by this search. Choose Barracuda Web Application Firewall (WAF) – PAYG.
  5. Once the WAF page loads, click Continue.
  6. Complete the Launch wizard using the following settings:
    • Type – 1-Click Launch
    • Software Pricing – Hourly / m3.medium
    • Version – accept the latest version.
    • Region – US East (N. Virginia)
    • EC2 Instance Type – m3.medium
    • VPC Settings – Select the VPC and the www subnet (10.0.0.0/24).
    • Security Group – Select Create new based on seller settings.
    • Key Pair – Select or create a new key.
  7. After verifying the selections, click Launch with 1-click.
  8. Next, on the AWS Marketplace Product Support Connection screen, click Share your contact details.
  9. Complete the Barracuda Networks Support Form and click Register & Close.
  10. After completing the registration, you will be returned to the page from which the WAF was launched.
  11. Click the EC2 Console link in the green message about the deployment of the Barracuda Web Application Firewall. Once it is deployed, the instance will show it is Running.

    Don't continue to the next step until the Barracuda WAF instance is in the running state.

Task 3: Provision the Elastic Load Balancer
  1. In the AWS Console, click Load Balancers.
  2. Select Create Load Balancer.
  3. Select Classic Load Balancer as the type of Elastic Load Balancer, and click Continue.
  4. In Step 1: Define Load Balancer, complete the screen using these inputs.
    • Load Balancer Name – BarracudaWAF-ELB
    • Create LB Inside – Select the VPC that you created for this lab.
    • Subnet – Select the www subnet.
  5. Click Next: Assign Security Groups.
  6. Deselect the default security group, and select the new Barracuda Web Application Firewall (WAF) security group that was created by the AWS Marketplace deployment of the device.
  7. Click Next: Configure Security Settings.
  8. Click Next: Configure Health Check.
  9. Complete the Step 4: Configure Health Check screen using the following settings:
    • Ping Protocol – TCP
    • Ping Port – 8000
    • Advanced Details – Accept defaults.
  10. Click Next: Add EC2 Instances.
  11. On the Step 5: Add EC2 Instances screen, click the WAF instance.
  12. Click Next: Add Tags.
  13. Click Review and Create.
  14. Review Step 7: Review and compare to ensure that everything is configured properly.
  15. You should then get a message that the BarracudaWAF-ELB was successfully created.
  16. In the AWS Console, click the Load Balancers link.
  17. On the BarracudaWAF-ELB load balancer that you created, on the Description tab, locate the DNS name of the load balancer and copy it to a text file. You will use this to connect later in the lab.
  18. Next, click the Instances tab. You may notice that the WAF has yet to be put into service by the ELB. Wait until you see the Status change to InService. You need to click the refresh button to see the updates.
  19. Click the Instance ID, which will bring up details about the BarracudaWAF instance.
  20. On the Description tab, locate the IPv4 Public IP for the WAF and take note of the address.
  21. Open a new tab in your web browser and point it to the WAF's public IP address on the management port, 8000. This will bring you to the home page of the WAF, where a licensing agreement will be displayed.

    If the VM has just booted there may be a note that the VM is provisioning. This is normal and takes a few minutes to complete.

  22. Scroll down to the bottom of the webpage and click Accept.
  23. Once the system starts, the login page will appear. Once this page has loaded, leave the tab open and move on to the next step.
Task 4: Provision Ubuntu Server with the DVWA Application
  1. From the AWS console click Instances, then click Launch Instance.
  2. Scroll down and select the Ubuntu Server 14.04 LTS (HVM) AMI to deploy as your web server for the DVWA.
  3. At Step 2: Choose an Instance Type, select the t2.small size for the VM. Then click Next: Configure Instance Details.
  4. On Step 3: Configure Instance Details, complete the screen using these details (leave the defaults wherever details are not provided), then move on to the next step without clicking Next.
    • Subnet – apps
    • Primary IP – 10.0.1.50
  5. Again on Step 3: Configure Instance Details, scroll down and click the Advanced Details tab. Copy this script text into the User Data box:

      #!/bin/bash
      wget https://opsgilityweb.blob.core.windows.net/20170304-barracudawaf/dvwa.sh
      bash dvwa.sh

      When pasting from the Word document you may get spacing issues. The script is only 3 lines, so check the spacing or the VM won't provision properly.

  6. Click Next: Add Storage.
  7. On the Step 4: Add Storage screen, accept the defaults and click Next: Add Tags.
  8. On the Step 5: Add Tags screen, accept the defaults and click Next: Configure Security Groups.
  9. On Step 6: Configure Security Group, name it DVWA, click Add Rule, and add a rule for HTTP port 80.
  10. Click Review and Launch.
  11. On Step 7: Review Instance Launch, click Launch.
  12. Select your AWS key pair, and click Launch Instances.
  13. After a few minutes (maybe 10), check back on the EC2 Console; both the WAF and the DVWA server should now show as running. You can add names to the instances to make it easier to identify the VMs. The t2.small is the DVWA and the m3.medium is the WAF.
Summary:

In this exercise, the AWS Console was used to implement the infrastructure that will be leveraged for the rest of the exercises. This included creating the Virtual Private Cloud (VPC), provisioning the Barracuda WAF, the Elastic Load Balancer (ELB), and the Ubuntu server.

Exercise 2: Configure the Barracuda WAF Virtual Appliance and the DVWA Application

In this exercise, the Barracuda WAF appliance and the DVWA services will be configured. First the WAF will be configured to connect to the DVWA. Once this is completed, a connection to the DVWA server will be made and its configuration will be completed. After this is finished the end-to-end setup will be complete, allowing for simulated attacks in the next exercise.

Task 1: Configure the WAF Appliance
  1. Move back to the tab that contained the login page, or if it has been closed, open it back up and connect to the WAF.
  2. Use the following login information:
    • Username – admin
    • Password – Instance ID of your Barracuda WAF instance in Amazon Web Services.
  3. Once logged in, you will be directed to the Dashboard page of the Barracuda Web Application Firewall.
  4. Go to BASIC > IP Configuration.
  5. Review the networking configuration and take note of the IP address assigned to the WAF by AWS.
  6. Update the Default Host Name to barracudawaf, which is the name you gave the VM when you provisioned it in the AWS Portal.

    The Host Name is used in reporting, and is displayed in alerts, notifications and messages sent by the Barracuda Web Application Firewall.

  7. Click Save.

    An error will be displayed about a Default Domain not being configured. For this lab, this can be ignored. In production, the domain should match that of the certificates being used for the SSL configuration.

Task 2: Create a Web Service to Publish the DVWA Application
  1. Log into the Barracuda Networks device.
    • User – admin
    • Password – [InstanceID]
  2. Go to BASIC > Services.
  3. Go to ADD NEW SERVICE, update the fields, and then click Add.
    • Service Name – DVWA
    • Type – HTTP
    • Virtual IP Address – IP address assigned to the WAF by AWS.
    • Port – 80
    • Real Servers – 10.0.1.50 (This is the address you assigned to the DVWA server.)
    • Create Group – No
    • Service Groups – default
  4. After about 15 seconds the firewall will update and the Services pane will show the new DVWA service.
  5. Open a new tab in the web browser and point it at the DNS name of the Elastic Load Balancer. This should be in the text file that you saved, or can be found on the ELB in the AWS Console. The DVWA server should load with the traffic flowing through the ELB; if the DVWA folder is listed on the server, then the application is installed.

    If for some reason this webpage doesn't load, make sure that you have entered the correct IP addresses for the barracudawaf and the DVWA web server. Another troubleshooting step if the DVWA is not coming up is to review the NAT Gateway configuration. The NAT Gateway must be deployed into the www subnet and the route table for the apps subnet must point 0.0.0.0/0 to the NAT Gateway.

Task 3: Configure the Damn Vulnerable Web App
  1. From the connection to the DVWA server through the ELB, click the DVWA link to open DVWA and complete its configuration.
  2. This will load the DVWA web application and bring up the Database Setup page.
  3. Scroll down and click Create / Reset Database. You will briefly see an update that the database was created and then be redirected to a login page.
  4. Once at the login page, use the following login information to test the application.
    • Username – admin
    • Password – password
    This will bring you to the home page of DVWA, which means that the application has been set up properly.
  5. Click Logout.
Summary:

In this exercise, the Barracuda WAF appliance and the DVWA services were configured. The WAF was configured to connect to the DVWA, and then the DVWA application configuration was completed. This completed the steps necessary for an end-to-end setup, allowing for simulated attacks in the next exercise.

Exercise 3: Simulate Attacks and Secure the Environment using the WAF

In this exercise, attacks will be simulated against a website using the DVWA application. Using the tools of the WAF, fixes will be applied to avoid these attacks in the future.

Task 1: Command Injection Attack
  1. Open a new tab in your local web browser and navigate to the public address of the ELB. The example here is http://BarracudaWAF-ELB-1474027757.us-east-1.elb.amazonaws.com/DVWA (DVWA is case sensitive). This will load the DVWA application as published via the Barracuda Web Application Firewall.

    If only the address of the ELB is entered into the browser, simply click the DVWA folder to load the application.

  2. The login page of the DVWA website will appear. Use these credentials:
    • Username – admin
    • Password – password
  3. The home page for DVWA will appear in the browser window.
  4. Once on the home page, click the Command Injection link. Next, type 8.8.8.8 (this is the Google DNS server IP address) in the Enter an IP address box, and click Submit. The page will take 10 seconds or so to run and then display the ping output.
  5. Now move back to the browser tab for the WAF and go to BASIC > Web Firewall Logs.
  6. On the Web Firewall Logs page, update the filter with the following details, and then click Apply Filter.
    • Service IP
    • is equal to
    • IP address of the WAF
  7. Notice how the WAF has alerted on the attack.

    Hovering over the red arrow shows the severity of the alert.

  8. Click Save Filter; this will open a new window. Type myfilter into the Filter Name box, and then click Save.
  9. Find the latest log entry with the attack name OS Command Injection in URL, and click Fix.
  10. This will open a Policy Fix window. Read the details and then click Apply Fix. The window will update, showing that the policy has been updated.
  11. Click Close Window.
  12. Move back to the DVWA application and again launch the command injection attack by entering 8.8.8.8 in the Ping a Device tool.
  13. Once this is completed, move back to the WAF tab and click Apply Filter. Notice that you no longer see the Attack Name OS Command Injection in URL in the logs.
  14. Go to BASIC > Dashboard.
  15. Once at the Dashboard, scroll down to the Attacks graphs. Change the time to Last Hour. The graphs should then show the attacks that you have made against the site.

    You may have to change the time from Last Day to Last Hour to see the results.

  16. Move back to the DVWA application in your browser. Click through some of the other attacks. Once this is completed, move on to the next task.
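
The policy fix applied above is a compensating control at the WAF; the DVWA Command Injection page is exploitable in the first place because it splices the submitted value into a shell command. The following added example (not DVWA's PHP and not part of the lab) shows that pattern in Python beside a hardened handler that only accepts a single IP literal and never invokes a shell; the function names are this example's own.

```python
"""Added example: the command-injection pattern behind DVWA's ping form, and the hardened form.

DVWA's low-security page builds a shell command by string concatenation; the unsafe
variant below mirrors that so the two can be compared. Only the hardened variant
should ever reach production.
"""
import ipaddress
import subprocess
from typing import List

PING_COUNT = "4"


def unsafe_ping_command(target: str) -> str:
    """VULNERABLE: the untrusted form value becomes part of a shell command line.
    Anything the shell treats specially in `target` changes what gets executed; this
    is the request pattern the WAF logged above as 'OS Command Injection in URL'."""
    return "ping -c " + PING_COUNT + " " + target


def build_ping_argv(target: str) -> List[str]:
    """HARDENED: accept exactly one IPv4/IPv6 literal and return an argv list.
    ipaddress.ip_address() raises ValueError for anything that is not a single address,
    so separators, spaces and quotes are rejected before any process is started."""
    addr = ipaddress.ip_address(target.strip())  # ValueError on anything but one address
    return ["ping", "-c", PING_COUNT, str(addr)]


def is_safe_target(target: str) -> bool:
    """Boolean form of the same validation, e.g. for a pre-check in the request handler."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target: str, timeout: float = 15.0) -> str:
    """Run the hardened command with an argv list and no shell (shell=False is the default)."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    print(" ".join(build_ping_argv("8.8.8.8")))  # the only form of command that can be built
```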
Task 2: Using Reporting
  1. On the BarracudaWAF management screen, click Reports.
  2. In the Report Options section, change the Time Frame to Today.
  3. Scroll down to the Security section, select the checkbox next to Attacks by Category, and then click Show Report.
  4. The report window will load showing the different attacks. Take the time to review the report.
  5. In the drill-down section, click the different areas to better understand the information behind the report. Select Clients or Time.
  6. Close the report by clicking the X at the top of the window.
  7. Locate Top Attacked URLs in the Security section, select the checkbox, and then click Show Report.
  8. Review the report and mouse over the charts to see the URLs.