You can deploy your Barracuda Web Security Gateway either behind your corporate firewall or in front of your corporate firewall in the DMZ. However, for maximum security, Barracuda Networks recommends deploying the Barracuda Web Security Gateway behind a corporate firewall. See Deployment Options.
Securing Network Access
To secure your Barracuda Web Security Gateway on your network, begin by locking down the user interface ports. Barracuda Networks recommends using the non-standard port 8000 for internal access to the web interface, which is configured on the BASIC > Administration page. From that page you can also further limit access to the web interface by IP address with the Administrator/IP Range setting. If no IP address is specified in this field, all systems are granted access with the correct administrator password.
Integration with External Systems and Services - Security Considerations
The Barracuda Web Security Gateway integrates with other systems and services in your environment, like your LDAP server and mail servers. Barracuda recommends creating separate service accounts for these integration points, rather than personal accounts, and then using the principle of least privilege. This integration strategy is part of an overall security policy. For more information, see Security for Integrating with Other Systems - Best Practices.
As described above, limiting user interface access to HTTPS provides further security and can also be configured on the ADVANCED > Secure Administration page along with the use of SSL certificates. There are three types of SSL certificates to choose from:
- Default (Barracuda Networks)
- Private (self-signed)
- Trusted certificate - a certificate signed by a trusted certificate authority (CA)
For more information about the types of certificates and how to configure them, click Help on the ADVANCED > Secure Administration page.
Limiting Access to the API
The Barracuda set of APIs provides for remote administration and configuration of the Barracuda Web Security Gateway. By using the Barracuda Web Security Gateway APIs, IT administrators can easily manage large blocks of usernames, create local or IP groups, and configure some single global variables. For more information, see.
To limit access to the API, use the Allowed SNMP and API IP/Range setting on the BASIC > Administration page. The IP addresses you enter in that field can also establish an SNMP connection to the system.To secure use of the API, you must also create an API password, which can be entered on the same page.