Barracuda Web Application Firewall Advanced Security Features - WAF02 Lab Guide
Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018, Revision 1.1
campus.barracuda.com
campus@barracuda.com
Barracuda Networks Inc., June 7, 2018. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Advanced Security Lab Guide
1.1 Connect To Environment 5
1.1.1 Lab Instructions 5
1.1.2 Step-by-Step Guide 5
1.2 Creating Allow/Deny URL ACLs 9
1.2.1 Lab Instructions 9
1.2.2 Step-by-Step Guide 9
1.3 Adaptive Profiling 11
1.3.1 Lab Instructions 11
1.3.2 Step-by-Step Guide 11
Student Guide Barracuda WAF - Advanced Security Features Lab

1.1 Connect To Environment

1.1.1 Lab Instructions

In this lab you will connect to your environment.

1.1.2 Step-by-Step Guide

Connecting to the environment bastion host
1. Open an RDP client.
2. Connect to the hostname and port provided by the trainer, using the format hostname:port.
3. Accept/ignore any certificate validation warnings.
4. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: CudaL3arner!

Connecting to the environment Admin Client
5. In the bastion host, open the Microsoft RDP client located in the Windows taskbar.
6. Enter the <Admin Client IP Address>.
7. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass

Connecting to the environment AttackClient
8. In the bastion host, open an additional RDP connection:
   a. Right-click the Microsoft RDP client.
   b. Click Remote Desktop Connection.
9. Enter the <Attack Client IP Address>.
10. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass
1.2 Creating Allow/Deny URL ACLs

1.2.1 Lab Instructions

In this lab, you will explore how to use extended matching rules to allow and deny requests based on various characteristics. You will be using extended matching rules to enhance security for the Badstore website.
Understand the role of extended matching rules in the Barracuda Web Application Firewall.
Create allow and deny rules for certain types of requests and test them.
Apply a recommended policy fix from the Barracuda Web Application Firewall log.

1.2.2 Step-by-Step Guide

Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
   Service Name: badstore
   Type: HTTP
   Virtual IP Address: <VIP1>
   Port: 80
   Real Servers: <Badstore IP>
   Create Group: No
   Service Groups: default
3. Click Add.

Block all requests to the Badstore website
4. In the WAF web interface, go to BASIC > Services and make sure that your Badstore service has its mode set to Active.
5. Go to WEBSITES > Allow/Deny.
6. Next to the Badstore service, click Add. The Create ACL window opens.
7. Create an ACL rule with the following settings:
   Name: DenyAll
   Enable URL ACL: Yes
   Action: Deny and Log
8. Click Save. The DenyAll rule is listed under the Badstore service.
9. On the Attack Client, in firefox_dev, try to navigate to: http://www.bigfishinc.org
   Now, regardless of which portion of the site you try to access, you are greeted with a cryptic error message that has no useful information. However, restricting all access to the website is not very useful. Create some more rules that will allow only specific URLs to be accessible.

Allow a subset of paths to be accessed
1. In the WAF web interface, go to WEBSITES > Allow/Deny.
2. In the Badstore service, create a rule that lets users access only CGI scripts:
   Name: CGI
   URL Match: /*.cgi
   Action: Process
3. With firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
   As you navigate through the website, some of the page content is displayed, but all images appear to be broken.

Test the configuration and tweak it
1. In the WAF web interface, go to BASIC > Web Firewall Log and view the requests. This information should help you craft additional rules that render the website correctly.
2. On the WEBSITES > Allow/Deny page, create rules to allow these types of files:
   /*.gif
   /*.js
   /*.css
   /*.jpg
   /*.png
   Note: You can use the copy function to increase efficiency.
3. Try to navigate again to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
4. Now, as you navigate through the website, all of the pages should render correctly.

Create a rule from a Web Firewall Log entry
1. At the very bottom of the left-hand navigation bar of the Badstore website, click the Badstore.net Manual v1.2 link.
2. This request is blocked because rules for handling PDFs have not been created yet. As a result, the blanket DenyAll rule is applied.
3. In the WAF web interface, go to BASIC > Web Firewall Logs.
4. To examine the request, click Details at the end of the row for the request. The Web Firewall Log Details window opens with information about the request that can be used to modify the behavior of the WAF for this particular service, if necessary.
5. Next to the Web Firewall Log entry that blocked the PDF from loading, click Fix. The Policy Fix window opens and displays specific recommendations for fixing the rule.
6. Click Apply Fix.
7. Click Close.
8. In the WAF web interface, go to WEBSITES > Allow/Deny. Notice that a new rule allowing the Badstore PDF manual has been added.
9. In the Badstore site, access the Badstore PDF manual. This time, the manual loads successfully.
10. Try to access the following directories:
   /backup/
   /supplier/
   Notice that these attempts at forceful browsing are now blocked by the Barracuda Web Application Firewall.

Delete all the manual URL ACLs
1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Allow/Deny.
2. Delete all the URL ACLs.
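As an added example (not Barracuda's code or configuration), the Python below models the URL ACL behaviour this lab builds up: a catch-all DenyAll rule, allow rules with URL Match globs such as /*.cgi, and a Fix helper that turns a blocked Web Firewall Log entry into an allow rule scoped to exactly the blocked path. First-match ordering with DenyAll kept last, the rule names other than DenyAll and CGI, the "/*" match for DenyAll and the manual's path are assumptions.

```python
# Added example, not Barracuda's own code: a simplified model of the URL ACLs this
# lab builds. Rules are checked in order and the first match wins; the catch-all
# DenyAll rule is kept last (an assumption about how the rule order is resolved).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

@dataclass
class UrlAcl:
    name: str
    url_match: str   # glob as typed in the lab, e.g. "/*.cgi"; "*" also crosses "/"
    action: str      # "Process" or "Deny and Log"

def evaluate(acls, url):
    """Return (rule name, action) of the first matching ACL; deny when nothing matches."""
    path = urlsplit(url).path          # only the path is matched; the query string is ignored
    for acl in acls:
        if fnmatchcase(path, acl.url_match):
            return acl.name, acl.action
    return None, "Deny and Log"

def policy_fix(blocked_url):
    """Like the Fix button in the Web Firewall Log: allow exactly the blocked path, nothing wider."""
    path = urlsplit(blocked_url).path
    return UrlAcl("allow-" + path.strip("/").replace("/", "-"), path, "Process")

def badstore_acls():
    """The rule set the lab ends up with before the PDF fix is applied."""
    allow = [UrlAcl("CGI", "/*.cgi", "Process")]
    allow += [UrlAcl(ext.upper(), "/*." + ext, "Process")   # rule names assumed
              for ext in ("gif", "js", "css", "jpg", "png")]
    return allow + [UrlAcl("DenyAll", "/*", "Deny and Log")]

def walk_through():
    """Replay the lab's requests; return {url: action} before and after Apply Fix."""
    acls = badstore_acls()
    host = "http://www.bigfishinc.org"
    manual = host + "/docs/manual.pdf"         # constructed path for the PDF manual link
    urls = [host + "/cgi-bin/badstore.cgi?action=login", host + "/images/logo.gif",
            host + "/backup/", host + "/supplier/", manual]
    before = {u: evaluate(acls, u)[1] for u in urls}
    acls.insert(0, policy_fix(manual))         # Apply Fix adds the rule ahead of DenyAll
    after = {u: evaluate(acls, u)[1] for u in urls}
    return before, after
```

Because "*" crosses directory separators, /*.cgi admits every .cgi path on the site, which is exactly why the lab later replaces these broad ACLs with learned URL profiles.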
1.3 Adaptive Profiling

1.3.1 Lab Instructions

In this lab, you will learn how to use adaptive profiling to automatically create a website profile. You will create a profile describing allowed traffic for the Badstore web application. Then, you will configure the Barracuda Web Application Firewall to suggest policy changes when exceptions to the policy are encountered.
Use the Adaptive Profiling module in the Barracuda Web Application Firewall to profile the Badstore website.
Fine-tune security policies and profile exceptions.

1.3.2 Step-by-Step Guide

Configure Adaptive Profiling
1. In the WAF web interface, go to WEBSITES > Website Profiles.
2. From the Website drop-down menu, select the Badstore service.
3. Click Start Learning. A prompt appears.
4. Click OK.
5. On the Attack Client, close all the Firefox_dev instances.
6. Open firefox_dev and navigate to: http://www.bigfishinc.org
7. This clears any user session that you currently have on the Badstore website, so that you are seen as an unregistered user.
8. Click the first seven links in the left-hand navigation bar.
9. On the Login/Register page, register as a new user and log in.
10. While you are logged in as the new user, click the first seven links in the left-hand navigation bar again.

Investigate Response Learning and Hidden Parameter Protection
1. Wait a few minutes and then go to WEBSITES > Website Profiles. The Barracuda Web Application Firewall uses the requests that you submitted by clicking the page links to construct a profile of the web application. It has learned several URLs and a series of parameters, because the Badstore website uses the same URL with different parameter values to generate different pages.
2. In the URL Profiles section, select the check box in front of /cgi-bin/badstore.cgi. The Parameter Profiles section populates.
3. Look for the role parameter. It might be found on the second page of the Parameter Profiles section.
4. Note that the role parameter is marked as Read Only.
5. View the HTML source code of the Login/Register page on the Badstore website. The Barracuda Web Application Firewall was also able to extract the parameters of the form. Use the search function to find the role parameter. As you can see, the hidden parameter named Role was extracted from the response and profiled as a parameter for the URL. Since it is a hidden variable, it was marked as read-only, because there is no interface for the user to change the value of the variable.
6. Click Stop Learning.
7. Click OK.

Edit the profile for the HTTP service
1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Website Profiles.
2. Next to the Start Learning button, click Edit.
3. Confirm that Use Profile is set to Yes, and set Strict Profile Check to Yes.
4. Change the Mode of the profile to Active.
5. Click Save.
6. Select all entries in the URL Profiles section, and then select Lock All Profiles from the More Actions drop-down menu. The mode for all profiles is set to Active.
7. Edit each URL profile by clicking the Edit button next to the profile. For each profile, change Hidden Parameter Protection from Forms & URLs to Forms.
8. Click Save.

Navigate to the Badstore website
1. Log in to the Attack Client.
2. Close all the Firefox_dev instances.
3. Open Firefox_dev and navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
4. Click the Home link.
5. As an unregistered user, confirm that you can access the website by clicking the seven links listed in the left-hand frame.

Tamper a login request
1. On the Badstore website, go to the Login/Register page.
2. Select ZAP in ProxySwitcher.
3. Open ZAP.
4. Make sure that the Break tab is shown.
5. In ZAP, click the green circle to trap any future requests. The circle turns red.
6. In the Badstore website, fill out the form fields to register a new account, and click Register. The request is trapped in ZAP.
7. Change the Role parameter to A.
8. Click the blue Play button to send the register request. The web page opens with an error message that states URL Not Found.
9. In the WAF web interface, go to the BASIC > Web Firewall Logs page and examine the logs. The tampering is registered as an attack because you attempted to change the value of a parameter that was profiled as read-only.
10. Select No Proxy in ProxySwitcher.

Use Adaptive Profiling to prevent forceful browsing
1. On the Badstore website, try to browse to a URL directory that does not have a link on the main page, such as:
   http://www.bigfishinc.org/backup
   http://www.bigfishinc.org/supplier
2. Notice that these attempts at forceful browsing are now blocked by the Barracuda Web Application Firewall.
3. In the Barracuda Web Application Firewall web interface, go to the BASIC > Web Firewall Logs page and find the log entries for these blocked attempts at forced browsing.
4. Notice that the error message is No URL Profile. The request was denied because this URL does not have a profile. This is emblematic of the positive security model employed by the Barracuda Web Application Firewall.

Configure exception profiling
1. In the WAF web interface, go to WEBSITES > Exception Profiling.
2. In the Exception Profiling section, click Edit for the Badstore service.
3. From the Exception Profiling Level list, select Low.
4. Click Save.
5. Go to WEBSITES > Exception Heuristics.
6. In the Exception Profiling Level section, select Low and click Show Definition.
7. In the Request Violation Handling section, change the following settings for the Forceful Browsing > No URL Profile Match violation group and type:
   Setting: Manual
   Trigger Count: 1
8. Click Save.

Check the pending recommendations
1. On the Attack Client, in Firefox_dev, navigate to: http://www.bigfishinc.org/supplier/
   The request fails.
2. In the WAF web interface, go to WEBSITES > Exception Profiling.
3. Check the Pending Recommendations section. Soon, you should see a pending recommendation to create a URL profile for /supplier/.
4. Select the check box next to the pending recommendation and click Apply Fix.
5. Go to the WEBSITES > Website Profiles page and see that a new URL profile allowing /supplier/ has been added to the list.
6. In Firefox, navigate to: http://www.bigfishinc.org/supplier/
   The request is now successful.

Delete the website profile
1. Go to the WEBSITES > Profiles page and delete the learned URL ACLs.
2. Switch the Website Profile from Active to Passive.
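As an added example (not Barracuda's code), the Python below models what the Response Learning, Hidden Parameter Protection and Tamper a login request steps above rely on: hidden inputs found in a response form are learned as read-only parameters of the form's target URL, a request that changes one of them is flagged, and a request to a path without a URL profile is refused with No URL Profile. The HTML fragment, the parameter values and the violation strings are constructed for the example, not taken from Badstore or the WAF.

```python
# Added example, not Barracuda's own code: a simplified model of response learning
# and Hidden Parameter Protection for forms. Hidden inputs become read-only with
# their learned value; unknown paths have no URL profile. HTML/values are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

class FormLearner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.action, self.params = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")                 # URL the form posts to
        elif tag == "input" and a.get("name"):
            hidden = a.get("type", "text").lower() == "hidden"
            # hidden inputs: read-only with a fixed value; visible ones: writable
            self.params[a["name"]] = {"read_only": hidden, "value": a.get("value") if hidden else None}

def learn_from_response(profiles, response_url, html):
    """Attach the form's parameters to the URL profile of the form's target (or the response URL)."""
    learner = FormLearner()
    learner.feed(html)
    profiles.setdefault(learner.action or urlsplit(response_url).path, {}).update(learner.params)
    return profiles

def check_request(profiles, url, form):
    """Strict profile check: return the violation name, or None when the request passes."""
    path = urlsplit(url).path
    if path not in profiles:
        return "No URL Profile"
    for name, value in form.items():
        spec = profiles[path].get(name)
        if spec is None:
            return "Unknown Parameter: " + name
        if spec["read_only"] and value != spec["value"]:
            return "Parameter Tampered: " + name
    return None

# Constructed fragment modelled on a Badstore-style register form, not the real page.
REGISTER_PAGE = ('<form action="/cgi-bin/badstore.cgi" method="post"><input type="text" name="email">'
                 '<input type="password" name="passwd"><input type="hidden" name="role" value="U">'
                 '<input type="hidden" name="action" value="register"><input type="submit"></form>')

def replay_lab():
    """Learn the register form, then replay the honest, tampered and forceful-browsing requests."""
    target = "http://www.bigfishinc.org/cgi-bin/badstore.cgi"
    profiles = learn_from_response({}, target + "?action=loginregister", REGISTER_PAGE)
    honest = {"email": "s@example.test", "passwd": "pw", "role": "U", "action": "register"}
    return (check_request(profiles, target, honest),
            check_request(profiles, target, dict(honest, role="A")),
            check_request(profiles, "http://www.bigfishinc.org/backup", {}))
```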
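As an added example (not Barracuda's code), this Python models the exception profiling steps above for the No URL Profile Match violation with Setting: Manual and Trigger Count: 1: blocked paths are counted, a pending recommendation is queued once the trigger count is reached, and Apply Fix creates the missing URL profile so the retry succeeds. The class and method names, the return strings and the empty parameter profile created by the fix are assumptions.

```python
# Added example, not Barracuda's own code: a simplified model of Exception Profiling
# for the "No URL Profile Match" violation with Setting: Manual. Every blocked path
# counts towards the trigger count; reaching it queues a pending recommendation,
# which an admin applies to create the URL profile. Names and strings are assumed.
from collections import Counter
from urllib.parse import urlsplit

class ExceptionProfiler:
    def __init__(self, url_profiles, trigger_count=1):
        self.url_profiles = url_profiles  # path -> parameter profiles learned earlier
        self.trigger_count = trigger_count
        self.counts = Counter()           # violations seen per path since learning stopped
        self.pending = []                 # recommendations waiting for Apply Fix

    def handle_request(self, url):
        """Return "allowed" or "No URL Profile"; queue a recommendation once the count is reached."""
        path = urlsplit(url).path
        if path in self.url_profiles:
            return "allowed"
        self.counts[path] += 1
        if self.counts[path] >= self.trigger_count and path not in self.pending:
            self.pending.append(path)     # Manual setting: queued, never auto-applied
        return "No URL Profile"

    def apply_fix(self, path):
        """The admin's Apply Fix: create an (empty) URL profile and clear the recommendation."""
        self.pending.remove(path)
        self.url_profiles[path] = {}
        del self.counts[path]
        return path in self.url_profiles

def replay_lab(trigger_count=1):
    """Replay the lab: /supplier/ fails, a recommendation appears, Apply Fix, the retry succeeds."""
    ep = ExceptionProfiler({"/cgi-bin/badstore.cgi": {}}, trigger_count)
    supplier = "http://www.bigfishinc.org/supplier/"
    first = ep.handle_request(supplier)
    queued = list(ep.pending)            # what the Pending Recommendations section would show
    if queued:
        ep.apply_fix("/supplier/")
    return first, queued, ep.handle_request(supplier)
```

With a trigger count above 1 the same function shows why the lab sets it to 1: the first blocked request alone queues nothing, and the retry is still refused.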