Barracuda Intrusion Detection and Prevention System



  RELEASE 2

  Providing complete and comprehensive real-time network protection
  Today’s networks are constantly under attack by an ever-growing number of emerging exploits and by
  attackers who use advanced evasion techniques to trick traditional firewalls and intrusion prevention
  systems in order to gain access to the corporate network and its critical data. The Barracuda NG
  Firewall inline Intrusion Detection and Prevention System (IDS/IPS) is tightly integrated in the
  firewall architecture and can strongly enhance network security by providing complete and
  comprehensive real-time network protection against a broad range of network threats,
  vulnerabilities, exploits and exposures. In addition, the Barracuda IDS/IPS keeps spyware and worms
  out of the corporate network in order to prevent fraud and to maintain strict privacy. By constantly
  monitoring network and system activities for malicious or suspicious behavior, the Barracuda NG
  Firewall can react in real time to block and prevent such activities.


  Strong and robust protection against a multitude of threats and exploits
  The Barracuda NG Firewall provides easy-to-use, immediate out-of-the-box protection against a
  vast number of exploits and vulnerabilities in operating systems, applications and databases, thus
  preventing network attacks such as:

  •	 SQL Injections

  •	 Arbitrary Code Executions

  •	 Access Control Attempts and Privilege Escalations

  •	 Cross Site Scripting

  •	 Buffer Overflows

  •	 Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

  •	 Directory Traversal Attempts

  •	 Probing and Scanning Attempts

  •	 Backdoor Attacks, Trojans, Rootkits, Viruses, Worms and Spywares


  Identifying advanced IPS evasion and obfuscation techniques
  By providing additional attack and threat protection features such as packet anomaly protection,
  TCP stream reassembly, IP and RPC defragmentation, and URL and HTML decoding, the Barracuda
  NG Firewall is able to identify and block advanced evasion attempts and obfuscation techniques
  which are widely used by attackers to circumvent and trick traditional signature-based intrusion
  prevention systems.
  •	 Packet Anomaly Protection: Packet anomaly protection carries out several network level sanity
     checks on the received packets. The checks include identifying malformed packets by checking the
     IP checksum, proper length encoding or misused IP options. In addition, packets with illegal source IP
     addresses or time-to-live (TTL) settings, and source routed packets are eliminated.
  •	 IP Fragmentation Protection: IP fragments received by the Barracuda NG Firewall are reassembled to
     proper packets by way of defragmentation. No fragments are directly forwarded thereby protecting
     against fragmentation attacks such as fragment overlaps or interleaved duplicate packets on
     destination systems.






  •	 TCP Stream Reassembly: The Barracuda NG Firewall provides support for TCP stream reassembly
     (SRA). In general, TCP streams are broken into TCP segments that are encapsulated into IP packets. By
     manipulating the way a TCP stream is segmented, it is possible to evade detection, e.g. by overwriting
     a portion of a previous segment within a stream with new data in a subsequent segment. This method
     allows attackers to hide or obfuscate network attacks. The firewall engine receives the segments in a
     TCP conversation, buffers them and reassembles the segments into a correct stream by e.g. checking
     for segment overlaps, interleaved duplicate segments, invalid TCP checksums, and so forth. In addition,
     to counter TCP sequence number manipulations an additional check of the TCP sequence number is performed,
     thus protecting against injections of manipulated or replayed packets into a forwarded TCP stream.
     After the TCP stream has been reassembled the firewall engine passes the reassembled stream to the
     IPS engine for inspection.

  •	 RPC Defragmentation: Attackers may transmit a single request fragmented over a hundred actual
     requests containing small fragments of the malicious payload, thus tricking any traditional signature
     based IPS. At the same time, an attacker could transmit both, the BIND and the request fragments, in
     one large TCP segment, thus circumventing any signatures which are using simple size checks. The
     Barracuda NG Firewall reassembles all RPC requests and checks for malicious payload, thus providing
     solid protection against RPC related exploits and attacks.

  •	 FTP Evasion Protection: The IPS engine is able to avert FTP exploits where attackers are trying to hide
     their attacks by inserting additional spaces or TELNET escape sequences in FTP sessions.

  •	 URL Decoding: By using URL encoding techniques such as escape encoding or path character
     transformation, attackers can convert any URL into a meaningless and harmless string to any intrusion
     prevention system which is only using simple URL matching in their signatures and patterns. The
     Barracuda NG Firewall performs URL decoding thus providing solid protection against any URL
     encoding related attack.

  •	 HTML Decoding and Decompression: Attackers can make use of malicious HTML documents to
     exploit flaws in web browsers in order to install malware such as Trojans or rootkits on client systems
     and the enterprise network. The Barracuda IPS engine is able to detect and block such malicious HTML
     documents even in case attackers are trying to evade detection by employing advanced IPS evasion
     techniques such as HTML character encoding (e.g. UTF-16, UTF-32, base64, etc.), chunked encoding or
     compression (GZIP and deflate).

  •	 TCP Split Handshake Protection: The Barracuda NG Firewall provides a technique to block the usage
     of TCP split handshakes. Although the TCP split handshake is a legitimate way to start a TCP connection
     (RFC 793), it can also be used by attackers to gain access to the internal network by way of establishing
     a trusted IP connection.
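
  The URL Decoding item above can be illustrated with a short sketch. This is an added example, not
  code from the original whitepaper or from the Barracuda product: it compares a directory-traversal
  signature applied to the raw request path with the same signature applied after undoing escape
  encoding, Microsoft %u encoding and path character transformations. All names, the sample paths and
  the choice to decode repeatedly until the path stops changing are assumptions of this sketch.

```python
import re

# Escape encoding (%XX) and Microsoft %u encoding (%uXXXX).
_U_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
_HEX_ESC = re.compile(r"%([0-9a-fA-F]{2})")
# Constructed signature: a ".." path segment (directory traversal attempt).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def _decode_once(path):
    """Undo one layer of %uXXXX and %XX encoding."""
    to_char = lambda m: chr(int(m.group(1), 16))
    return _HEX_ESC.sub(to_char, _U_ESC.sub(to_char, path))


def normalize(path, max_rounds=4):
    """Return the path in the form the signature should be matched against."""
    # Assumption of this sketch: decode until stable (bounded), so that
    # double-encoded input such as %252e is reduced as well.
    for _ in range(max_rounds):
        decoded = _decode_once(path)
        if decoded == path:
            break
        path = decoded
    # Path character transformations: backslashes, "//" and "/./".
    path = path.replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    return re.sub(r"/(\./)+", "/", path)


def naive_match(path):
    """Signature applied to the raw bytes, as simple URL matching does."""
    return TRAVERSAL.search(path) is not None


def normalized_match(path):
    """Signature applied after URL decoding and path normalization."""
    return TRAVERSAL.search(normalize(path)) is not None


# Constructed sample request paths (not taken from real traffic).
SAMPLES = [
    "/app/../../secret.txt",            # plain
    "/app/%2e%2e/%2e%2e/secret.txt",    # escape encoding
    "/app/%u002e%u002e/secret.txt",     # Microsoft %u encoding
    "/app/%252e%252e%252fsecret.txt",   # double escape encoding
    "/app/..\\..\\secret.txt",          # backslash as path separator
    "/app/docs/v1..2/readme.txt",       # benign: ".." inside a file name
    "/app/report%20final.pdf",          # benign: encoded space
]


def evaluate(samples=SAMPLES):
    """Return (path, naive_hit, normalized_hit) for every sample."""
    return [(p, naive_match(p), normalized_match(p)) for p in samples]


if __name__ == "__main__":
    for path, naive, norm in evaluate():
        print(f"{path!r:40} naive={naive!s:5} normalized={norm}")
```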


  Denial of Service, Spoofing and Flooding Protection
  In addition to the comprehensive intrusion pattern database and the advanced anti evasion
  countermeasures, the Barracuda NG Firewall offers a wide range of transport layer protection
  mechanisms:
  •	 IP Spoofing Protection
  •	 Portscan and Sniffing Protection
  •	 TCP SYN Flood Protection
  •	 ICMP Flood Protection
  •	 Duplicate local IP detection
  •	 Resource exhaustion protection
  •	 ARP spoofing and trashing protection






  Ongoing signature updates
  As part of the Barracuda Energize Update subscription, automatic signature updates are delivered
  on a weekly schedule or on an emergency basis in order to ensure that the Barracuda NG Firewall is
  constantly up-to-date and aware of the latest threats, vulnerabilities and exploits, thus ensuring strong
  and robust network protection. In case the firewall is centrally managed, the pattern updates can be
  conveniently distributed by the Barracuda NG Control Center. Currently, the Barracuda NG Firewall
  delivers two optimized out-of-the-box signature sets for its next generation firewall appliances.
  Barracuda NG Firewall models F100, F101, F200, F201, F300 and F301 are using a downsized signature
  set of 1,600 pattern definitions (the majority being client centric) in order to guarantee the best
  performance/protection ratio for branch office deployments. Models F400, F600, F800, F900 as well
  as all virtual appliances (VF25-VF8000) are using the full signature set of +4,000 patterns to provide
  maximum protection against all levels of network attacks, both client and server oriented.


  Signature Customization via Generic Patterns
  The Barracuda NG Firewall allows for the creation of custom signatures for detecting and blocking
  network-based attacks such as internet worms or exploit attempts on the corporate network.
  Customized signatures can conveniently be grouped in profiles and applied to a specific firewall rule.






  Threat identification, analysis and remediation
  When an attack is detected, the Barracuda NG Firewall can either drop the offending packets and
  sessions while still allowing all other traffic to pass, or just detect and log the intrusion attempt.
  Depending on the severity of the threat, highly granular actions can be assigned per firewall rule.
  Intuitive and easy-to-use policy management lets the Barracuda NG Firewall allow, block or log
  questionable traffic based on severity, location, user/group, type and application in single-pass
  mode. In this way, the Barracuda NG Firewall not only reduces risk exposure but also gives
  network administrators an effective yet simple tool to protect corporate investments.




         The Barracuda NG Firewall features intuitive, easy to use and granular IDS/IPS policy management capabilities.






  Managing False Positives
  A false positive detection is triggered when legitimate network activity is interpreted and reported by
  the IDS/IPS as suspicious or malicious traffic and by this means as an attack on the corporate network.
  Usually this happens when network activity meets certain criteria that were specified in order to identify
  an attack. With the Barracuda NG Firewall a false positive can be easily addressed by either tuning the
  IPS policy configuration on signature level (disable respective signature in the respective IPS policy) or
  by overriding the signature in the IPS Overrides part of the user interface.




                     False positives can easily be overridden and modified in order to allow certain network
               traffic and to minimize the total amount of false positive hits displayed on the Threat Scan View.




                        The Barracuda Threat Scan displays a detailed and customizable overview of
                           all intrusion events, providing also full application and user visibility.






  Features and Capabilities
                                                                     F100/F101     F200/F201     F300/F301     F400          F600          F800          F900          Vx
   Firewall Throughput [1]                                           150 Mbps      350 Mbps      350 Mbps      1.8 Gbps      4.7 Gbps      9.2 Gbps [4]  21.0 Gbps [4] N/A [3]
   IPS Throughput [1]                                                33 Mbps       84 Mbps       84 Mbps       490 Mbps      950 Mbps      2,850 Mbps    4,650 Mbps    N/A [3]
   Number of threat patterns in library [2]                          1,600         1,600         1,600         4,100         4,100         4,100         4,100         4,100
   Packet Anomaly Protection                                         yes           yes           yes           yes           yes           yes           yes           yes
   Packet Reassembly                                                 yes           yes           yes           yes           yes           yes           yes           yes
   TCP Stream Reassembly                                             yes           yes           yes           yes           yes           yes           yes           yes
   TCP Checksum Check                                                yes           yes           yes           yes           yes           yes           yes           yes
   HTML Obfuscation Protection                                       -             -             -             yes           yes           yes           yes           yes
   UTF-7 character set encoding supported                            -             -             -             yes           yes           yes           yes           yes
   UTF-16 little-endian encoding supported                           -             -             -             yes           yes           yes           yes           yes
   UTF-16 big endian encoding supported                              -             -             -             yes           yes           yes           yes           yes
   UTF-32 little-endian encoding supported                           -             -             -             yes           yes           yes           yes           yes
   UTF-32 big endian encoding supported                              -             -             -             yes           yes           yes           yes           yes
   Chunked encoding (random chunk size, fixed chunk size)            -             -             -             yes           yes           yes           yes           yes
   Deflate Compression (RFC 1951) supported                          -             -             -             yes           yes           yes           yes           yes
   Gzip Compression (RFC 1952) supported                             -             -             -             yes           yes           yes           yes           yes
   URL Obfuscation Protection                                        yes           yes           yes           yes           yes           yes           yes           yes
   Escape Encoding supported                                         yes           yes           yes           yes           yes           yes           yes           yes
   Microsoft %u Encoding supported                                   yes           yes           yes           yes           yes           yes           yes           yes
   Path Character transformations and expansions supported           yes           yes           yes           yes           yes           yes           yes           yes
   RPC Fragmentation Protection                                      yes           yes           yes           yes           yes           yes           yes           yes
   MS-RPC (DCE) defragmentation supported (RFC 1151)                 yes           yes           yes           yes           yes           yes           yes           yes
   Sun-RPC (ONC) defragmentation supported (RFC 1151)                yes           yes           yes           yes           yes           yes           yes           yes
   FTP Evasion Protection                                            yes           yes           yes           yes           yes           yes           yes           yes
   Detection of inserted spaces in FTP command lines                 yes           yes           yes           yes           yes           yes           yes           yes
   Detection of additional telnet control sequences in FTP commands  yes           yes           yes           yes           yes           yes           yes           yes
   Denial of Service, Spoofing & Flooding Protection
   IP Spoofing Protection                                            yes           yes           yes           yes           yes           yes           yes           yes
   Portscan Protection                                               yes           yes           yes           yes           yes           yes           yes           yes
   Sniffing Protection                                               yes           yes           yes           yes           yes           yes           yes           yes
   SYN/DoS/DDoS Attack Protection                                    yes           yes           yes           yes           yes           yes           yes           yes
   ICMP Flood Ping Protection                                        yes           yes           yes           yes           yes           yes           yes           yes
   Reverse Routing Path Check                                        yes           yes           yes           yes           yes           yes           yes           yes

  [1] Measured with large packets (MTU1500)
  [2] as of November 2011
  [3] Depending on hardware
  [4] Measured with large packets (MTU9000)

  About Barracuda Networks Inc.
  Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud
  services, and sophisticated remote support to deliver comprehensive content security, data protection
  and application delivery solutions. The company’s expansive product portfolio includes offerings for
  protection against email, Web and IM threats as well as products that improve application delivery and
  network access, message archiving, backup and data protection.
  Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000
  organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-
  deploy and manage solutions. Barracuda Networks is privately held with its International headquarters
  in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

  Barracuda Networks
  3175 S. Winchester Boulevard
  Campbell, CA 95008
  United States
  +1 408.342.5400
  www.barracuda.com
  info@barracuda.com
