Barracuda Web Application Firewall Advanced Security Features - WAF02


Lab Guide
Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018, Revision 1.1
campus.barracuda.com
campus@barracuda.com

Barracuda Networks Inc., June 7, 2018. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Advanced Security Lab Guide
1.1 Connect To Environment 5
1.1.1 Lab Instructions 5
1.1.2 Step-by-Step Guide 5
1.2 Creating Allow/Deny URL ACLs 9
1.2.1 Lab Instructions 9
1.2.2 Step-by-Step Guide 9
1.3 Adaptive Profiling 11
1.3.1 Lab Instructions 11
1.3.2 Step-by-Step Guide 11

Student Guide: Barracuda WAF - Advanced Security Features Lab

1.1 Connect To Environment

1.1.1 Lab Instructions
In this lab you will connect to your environment.

1.1.2 Step-by-Step Guide

Connecting to the environment bastion host
1. Open an RDP client.
2. Connect to the hostname and port provided by the trainer using the format hostname:port.
3. Accept/ignore any certificate validation warnings.
4. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: CudaL3arner!

Connecting to the environment Admin Client
5. In the bastion host, open the Microsoft RDP client located in the Windows taskbar.
6. Enter the <Admin Client IP Address>.
7. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass

Connecting to the environment AttackClient
8. In the bastion host, open an additional RDP connection:
   a. Right-click on the Microsoft RDP client.
   b. Click Remote Desktop Connection.
9. Enter the <Attack Client IP Address>.
10. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass

1.2 Creating Allow/Deny URL ACLs

1.2.1 Lab Instructions
In this lab, you will explore how to use extended matching rules to allow and deny requests based on various characteristics. You will be using extended matching rules to enhance security for the Badstore website.
- Understand the role of extended matching rules in the Barracuda Web Application Firewall.
- Create allow and deny rules for certain types of requests and test them.
- Apply a recommended policy fix from the Barracuda Web Application Firewall log.

1.2.2 Step-by-Step Guide

Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
   Service Name: badstore
   Type: HTTP
   Virtual IP Address: <VIP1>
   Port: 80
   Real Servers: <Badstore IP>
   Create Group: No
   Service Groups: default
3. Click Add.

Block all requests to the Badstore website
4. In the WAF web interface, go to BASIC > Services and make sure that your Badstore service has its mode set to Active.
5. Go to WEBSITES > Allow/Deny.
6. Next to the Badstore service, click Add. The Create ACL window opens.
7. Create an ACL rule with the following settings:
   Name: DenyAll
   Enable URL ACL: Yes
   Action: Deny and Log
8. Click Save. The DenyAll rule is listed under the Badstore service.
9. On the Attack Client, in firefox_dev, try to navigate to: http://www.bigfishinc.org
   Now, regardless of which portion of the site you try to access, you are greeted with a cryptic error message that has no useful information. However, restricting all access to the website is not very useful. Create some more rules that allow only specific URLs to be accessed.

Allow a subset of paths to be accessed
1. In the WAF web interface, go to WEBSITES > Allow/Deny.
2. In the Badstore service, create a rule that lets users access only CGI scripts:
   Name: CGI
   URL Match: /*.cgi
   Action: Process
3. With firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
   As you navigate through the website, some of the page content is displayed, but all images appear to be broken.

Test the configuration and tweak it
1. In the WAF web interface, go to BASIC > Web Firewall Logs and view the requests. This information should help you craft additional rules that render the website correctly.
2. On the WEBSITES > Allow/Deny page, create rules to allow these types of files:
   /*.gif
   /*.js
   /*.css
   /*.jpg
   /*.png
   Note: You can use the copy function to increase efficiency.
3. Try to navigate again to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
4. Now as you navigate through the website, all of the pages should render correctly.

Create a rule from a Web Firewall Log entry
1. At the very bottom of the left-hand navigation bar of the Badstore website, click the Badstore.net Manual v1.2 link.
2. This request is blocked because rules for handling PDFs have not been created yet. As a result, the blanket DenyAll rule is applied.
3. In the WAF web interface, go to BASIC > Web Firewall Logs.
4. To examine the request, click Details at the end of the row for the request. The Web Firewall Log Details window opens with information about the request that can be used to modify the behavior of the WAF for this particular service, if necessary.
5. Next to the Web Firewall Log entry that blocked the PDF from loading, click Fix. The Policy Fix window opens and displays specific recommendations for fixing the rule.
6. Click Apply Fix.
7. Click Close.
8. In the WAF web interface, go to WEBSITES > Allow/Deny. Notice that a new rule allowing the Badstore PDF manual has been added.
9. In the Badstore site, access the Badstore PDF manual. This time, the manual loads successfully.
10. Try to access the following directories:
   /backup/
   /supplier/
   Notice that these attempts at forceful browsing are now blocked by the Barracuda Web Application Firewall.

Delete all the manual URL ACLs
1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Allow/Deny.
2. Delete all the URL ACLs.
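To make the interplay of the lab's ACLs concrete, here is an added Python model (not Barracuda code, and not the WAF's documented evaluation order) that replays the rule set against sample request paths and lists what the Web Firewall Log would show as denied. The catch-all /* match for DenyAll, the names of the file-type rules and the /*.pdf pattern for the policy-fix rule are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class UrlAcl:
    name: str
    url_match: str   # Barracuda-style URL Match; "*" stands for any run of characters
    action: str      # "Process" or "Deny and Log"

def url_match_regex(url_match):
    """Translate a URL Match pattern such as /*.cgi into an anchored regex."""
    return re.compile("^" + re.escape(url_match).replace(r"\*", ".*") + "$")

def evaluate(rules, request_url):
    """Return (action, rule_name) for a request.

    Simplified model (an assumption, not Barracuda's documented ordering): a
    matching Process rule wins; otherwise the first matching deny rule applies;
    with no matching rule at all the request is processed.
    """
    path = request_url.split("?", 1)[0]   # ACLs match the path, not the query string
    for rule in rules:
        if rule.action == "Process" and url_match_regex(rule.url_match).match(path):
            return rule.action, rule.name
    for rule in rules:
        if rule.action != "Process" and url_match_regex(rule.url_match).match(path):
            return rule.action, rule.name
    return "Process", None

# The rule set built in the lab. DenyAll is assumed to use the catch-all /* match;
# the file-type rule names and the PDF pattern of the policy fix are assumptions.
LAB_RULES = [
    UrlAcl("DenyAll", "/*", "Deny and Log"),
    UrlAcl("CGI", "/*.cgi", "Process"),
    UrlAcl("GIF", "/*.gif", "Process"),
    UrlAcl("JS", "/*.js", "Process"),
    UrlAcl("CSS", "/*.css", "Process"),
    UrlAcl("JPG", "/*.jpg", "Process"),
    UrlAcl("PNG", "/*.png", "Process"),
    UrlAcl("PolicyFix-PDF", "/*.pdf", "Process"),
]

def web_firewall_log(rules, request_urls):
    """Mimic reviewing BASIC > Web Firewall Logs: the denied requests and the rule that denied each."""
    return [(url, name) for url in request_urls
            for action, name in [evaluate(rules, url)] if action != "Process"]

if __name__ == "__main__":
    # Constructed sample traffic: what a browser fetches while rendering Badstore, plus the two probes from the lab.
    sample = ["/cgi-bin/badstore.cgi?action=whatsnew", "/images/logo.gif", "/backup/", "/supplier/"]
    for url in sample:
        print(url, "->", evaluate(LAB_RULES, url))
    print("denied:", web_firewall_log(LAB_RULES, sample))
```

Running it with only the DenyAll rule (LAB_RULES[:1]) reproduces the "everything blocked" state of step 9, and adding the CGI rule alone reproduces the broken-images state.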

1.3 Adaptive Profiling

1.3.1 Lab Instructions
In this lab, you will learn how to use adaptive profiling to automatically create a website profile. You will create a profile describing allowed traffic for the Badstore web application. Then, you will configure the Barracuda Web Application Firewall to suggest policy changes when exceptions to the policy are encountered.
- Use the Adaptive Profiling module in the Barracuda Web Application Firewall to profile the Badstore website.
- Fine-tune security policies and profile exceptions.

1.3.2 Step-by-Step Guide

Configure Adaptive Profiling
1. In the WAF web interface, go to WEBSITES > Website Profiles.
2. From the Website drop-down menu, select the Badstore service.
3. Click Start Learning. A prompt appears.
4. Click OK.
5. On the Attack Client, close all the Firefox_dev instances.
6. Open firefox_dev and navigate to: http://www.bigfishinc.org
7. This will clear any user session that you currently have on the Badstore website so that you are seen as an unregistered user.
8. Click the first seven links in the left-hand navigation bar.
9. On the Login/Register page, register as a new user and log in.
10. While you are logged in as the new user, click the first seven links in the left-hand navigation bar again.

Investigate Response Learning and Hidden Parameter Protection
1. Wait a few minutes and then go to WEBSITES > Website Profiles. The Barracuda Web Application Firewall uses the requests that you submitted by clicking the page links to construct a profile of the web application. It has learned several URLs and a series of parameters. This is because the Badstore website uses the same URL with different parameter values to generate different pages.
2. In the URL Profiles section, select the check box in front of /cgi-bin/badstore.cgi. The Parameter Profiles section populates.
3. Look for the role parameter. It might be found on the second page of the Parameter Profiles section.
4. Note that the role parameter is marked as Read Only.
5. View the HTML source code of the Login/Register page on the Badstore website. The Barracuda Web Application Firewall was also able to extract the parameters of the form. Use the search function to find the role parameter. As you can see, the hidden parameter named role was extracted from the response and profiled as a parameter for the URL. Since it is a hidden field, it was marked as read-only because there is no interface for the user to change its value.
6. Click Stop Learning.
7. Click OK.

Edit the profile for the HTTP service
1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Website Profiles.
2. Next to the Start Learning button, click Edit.
3. Confirm that Use Profile is set to Yes, and set Strict Profile Check to Yes.
4. Change the Mode of the Profile to Active.

5. Click Save.
6. Select all entries in the URL Profiles section, and then select Lock All Profiles from the More Actions drop-down menu. The mode for all profiles is set to Active.
7. Edit each URL profile by clicking the Edit button next to the profile. For each profile, change Hidden Parameter Protection from Forms & URLs to Forms.
8. Click Save.

Navigate to the Badstore website
1. Log into the Attack Client.
2. Close all the Firefox_dev instances.
3. Open Firefox_dev and navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
4. Click the Home link.
5. As an unregistered user, confirm that you can access the website by clicking the seven links listed in the left-hand frame.

Tamper a login request
1. On the Badstore website, go to the Login/Register page.
2. Select ZAP in ProxySwitcher.
3. Open ZAP.
4. Make sure that the Break tab is shown.
5. In ZAP, click the green circle to trap any future requests. The circle turns red.
6. In the Badstore website, fill out the form fields to register a new account, and click Register. The request is trapped in ZAP.
7. Change the role parameter to A.
8. Click the blue Play button to send the register request. The web page opens with an error message that states URL Not Found.
9. In the WAF web interface, go to the BASIC > Web Firewall Logs page and examine the logs. The tampering is registered as an attack because you attempted to change the value of a parameter that was profiled as read-only.
10. Select No Proxy in ProxySwitcher.

Use Adaptive Profiling to prevent forceful browsing
1. On the Badstore website, try to browse to a URL directory that does not have a link on the main page, such as:
   http://www.bigfishinc.org/backup
   http://www.bigfishinc.org/supplier
2. Notice that these attempts at forceful browsing are now blocked by the Barracuda Web Application Firewall.
3. In the Barracuda Web Application Firewall web interface, go to the BASIC > Web Firewall Logs page and find the log entries for these blocked attempts at forced browsing.
4. Notice the error message is No URL Profile. The request was denied because this URL does not have a profile. This is emblematic of the positive security model employed by the Barracuda Web Application Firewall.

Configure exception profiling
1. In the WAF web interface, go to WEBSITES > Exception Profiling.
2. In the Exception Profiling section, click Edit for the Badstore service.
3. From the Exception Profiling Level list, select Low.
4. Click Save.
5. Go to WEBSITES > Exception Heuristics.
6. In the Exception Profiling Level section, select Low and click Show Definition.
7. In the Request Violation Handling section, change the following settings for the Forceful Browsing > No URL Profile Match violation group and type:
   Setting: Manual
   Trigger Count: 1
8. Click Save.

Check the pending recommendations
1. On the Attack Client, in Firefox_dev, navigate to: http://www.bigfishinc.org/supplier/
   The request fails.
2. In the WAF web interface, go to WEBSITES > Exception Profiling.
3. Check the Pending Recommendations section. Soon, you should see a pending recommendation to create a URL profile for /supplier/.
4. Select the check box next to the pending recommendation and click Apply Fix.
5. Go to the WEBSITES > Website Profiles page and see that a new URL profile allowing /supplier/ has been added to the list.
6. In Firefox, navigate to: http://www.bigfishinc.org/supplier/
   The request is now successful.

Delete the website profile
1. Go to the WEBSITES > Website Profiles page and delete the learned URL profiles.
2. Switch the Website Profile from Active to Passive.
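The positive security model this lab walks through (URL profiles learned from responses, a hidden form field profiled as read-only, a No URL Profile denial for unlearned paths, and a pending recommendation once the trigger count is reached) as an added Python model; it is not Barracuda code, the registration form below is a constructed stand-in for the Badstore page, and the violation names other than No URL Profile are assumed labels.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl
INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

@dataclass
class ParamProfile:
    read_only: bool   # hidden form fields are learned as read-only
    value: str = ""   # the value the WAF saw in the server's response

@dataclass
class WebsiteProfile:
    urls: dict = field(default_factory=dict)             # path -> {param name -> ParamProfile}
    no_profile_hits: dict = field(default_factory=dict)  # path -> violation count (exception heuristics)
    recommendations: list = field(default_factory=list)  # pending "create URL profile" recommendations

    def learn_response(self, path, html):
        """Response learning: profile the form fields the server sent for this URL."""
        params = self.urls.setdefault(path, {})
        for tag in INPUT_RE.findall(html):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
            if "name" not in attrs:
                continue
            hidden = attrs.get("type", "").lower() == "hidden"
            params[attrs["name"]] = ParamProfile(hidden, attrs.get("value", "") if hidden else "")

    def check_request(self, path, body, trigger_count=1):
        """Strict profile check in Active mode: return "allowed" or the violation name."""
        # "No URL Profile" is the log message from the lab; the other two names are assumed labels.
        if path not in self.urls:
            hits = self.no_profile_hits[path] = self.no_profile_hits.get(path, 0) + 1
            if hits >= trigger_count and path not in self.recommendations:
                self.recommendations.append(path)  # would show under Pending Recommendations
            return "No URL Profile"
        profile = self.urls[path]
        for name, value in parse_qsl(body, keep_blank_values=True):
            param = profile.get(name)
            if param is None:
                return "Parameter Not Profiled"
            if param.read_only and value != param.value:
                return "Read-only Parameter Tampered"
        return "allowed"

# Constructed stand-in for the Badstore registration form (the real page is not reproduced here).
REGISTER_FORM = """<form method="post" action="/cgi-bin/badstore.cgi">
<input type="text" name="email"> <input type="password" name="passwd">
<input type="hidden" name="role" value="U">
<input type="submit" name="Register" value="Register"></form>"""
if __name__ == "__main__":
    site = WebsiteProfile()
    site.learn_response("/cgi-bin/badstore.cgi", REGISTER_FORM)  # learning phase, then Active mode
    for body in ("email=a%40b.org&passwd=x&role=U&Register=Register", "email=a%40b.org&passwd=x&role=A&Register=Register"):
        print(body, "->", site.check_request("/cgi-bin/badstore.cgi", body))
    print("/supplier/ ->", site.check_request("/supplier/", ""), site.recommendations)
```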