BNCIC400a-c (Barracuda / Firewall)
Features & Benefits:
Advanced Threat Detection
While traditional solutions usually detect network threats after they have breached the network, by sending log notifications to the administrator, the Barracuda Advanced Threat Detection (ATD) implements full system emulation, which provides deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.
The Barracuda ATD offers Administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organization’s network.
Application Control 2.0
The Barracuda NextGen Firewall provides a powerful and extremely reliable detection and classification of more than 1,200 applications and sub-applications by combining Deep Packet Inspection (DPI) and behavioral traffic analysis – no matter if the protocols are using advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic application policies and facilitates establishing and enforcing acceptable access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:
Deep Application Context
The deep application context analysis allows for deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. By this means administrators can gain detailed insight into what a specific application was used for or if a user was trying to circumvent the corporate application usage policy.
Personalized Application Control
On top of the 1,400+ applications that are delivered out of the box and constantly updated, the Barracuda NextGen Firewall provides a way to easily create user-defined application definitions for best-in-class application control customized and tailored to an organization’s specific needs.
User Identity Awareness
Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to. Barracuda NextGen Firewalls are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity and device posture checks communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). Barracuda NextGen Firewalls support authentication of users and enforcement of user-aware firewall rules, web filter settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates.
The Barracuda NG Report Creator is a free tool that allows administrators to collect and consolidate traffic and application usage statistics from multiple Barracuda NextGen Firewall units and to create easy-to-read reports in pdf format. Report tasks can be scheduled at various times during the day or week and distributed automatically via email. Besides predefined out-of-the-box reports such as Top Applications, Top Blocked URL Categories and Websites, Top Users by Bandwidth, as well as activity reports for specific users, the reporting engine provides customizable granular reports on user activity, activities during last day/week/month, etc.
Intrusion Detection and Prevention
The Barracuda NextGen Firewall Intrusion Detection and Prevention System (IDS/IPS) strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:
SQL injections and arbitrary code executions
Access control attempts and privilege escalations
Cross-Site Scripting and buffer overflows
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Directory traversal and probing and scanning attempts
Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware
By providing advanced attack and threat protection features such as stream segmentation and packet anomaly protection, TCP split handshake protection, IP and RPC defragmentation, FTP evasion protection, as well as URL and HTML decoding, the Barracuda NextGen Firewall is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.
As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda NextGen Firewall is constantly up-to-date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda NextGen Control Center.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection
In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda NextGen Firewall effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network. Additionally, the Barracuda NextGen Firewall allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of the Barracuda NextGen Firewall diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.
The Barracuda Web Filter enables highly granular, real-time visibility into online activity, broken down by individual users and applications, letting administrators create and enforce effective Internet content and access policies. It protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.
Barracuda NG Malware Protection shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda NG Malware Protection covers viruses, worms, trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.
Application-Based Link Selection
The combination of next-generation security and adaptive WAN routing allows the Barracuda NextGen Firewall to dynamically assign available bandwidth for several links not only based on protocol, user, location, and content, but also based on applications, application categories and web filter categories. This keeps expensive, highly available lines free for business and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.
Traffic Shaping and Quality of Service
Limited network resources make bandwidth prioritization a necessity. The Barracuda NextGen Firewall provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications. The Barracuda NextGen Firewall provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.
Failover and Link Balancing
To ensure the best and most cost-efficient connectivity, the Barracuda NextGen Firewall provides a wide range of built-in uplink options such as unlimited leased lines, up to four xDSL uplinks, etc. By eliminating the need to purchase additional devices for link balancing, security conscious customers will have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. Further, traffic intelligence mechanisms make sure the next defined uplink is activated on the fly and all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.
The Barracuda NextGen Firewall can significantly enhance the WAN performance of distributed network environments by improving availability, performance, and response time of business-critical applications by lowering throughput and transmission delays, affecting time-sensitive decisions and enterprise profitability. The next-generation networking concept of the Barracuda NextGen Firewall provides a set of powerful features to efficiently reduce and offset the negative effects of high line latencies and response times. By implementing enterprise-grade WAN acceleration features such as data deduplication, traffic compression, and protocol optimization, the Barracuda NextGen Firewall can significantly improve site-to-site WAN traffic and increase productivity by accelerating the delivery of business applications – at no extra charge. WAN traffic can be effectively compressed up to 95 percent, significantly reducing the bandwidth needed at remote locations while increasing network responsiveness.
Besides VMware, KVM, and XenServer, the Barracuda NextGen Firewall is fully compatible for use in Windows Azure for establishing site-to-site and/or client-to-site connections to Azure and creating a DMZ in Azure to implement an additional high-security layer.
As organizations have adopted virtualization for their server infrastructures, there has been a corresponding trend to extend the benefits of virtualization to the security layer. Barracuda’s award-winning security solutions are available as virtual appliances to help organizations.
Barracuda NextGen Firewall virtual appliances are complete solutions, eliminating the need for installing, configuring, and integrating disparate operating systems, databases, system management, and application software. In addition, Barracuda virtual appliances come “locked down” from a security perspective, built from the ground up on the Barracuda OS, a hardened Linux operating kernel and optimized to run seamlessly within virtualized environments.
Besides VMware, KVM, and XenServer, the Barracuda NextGen Firewall is fully compatible for use in Amazon Elastic Compute Cloud (EC2).
As organizations have adopted virtualization for their server infrastructures, there has been a corresponding trend to extend the benefits of virtualization to the security layer. Barracuda’s award-winning security solutions are available as virtual appliances.
Barracuda NextGen Firewall virtual appliances are complete solutions, eliminating the need for installing, configuring and integrating disparate operating systems, databases, system management, and application software. In addition, Barracuda Networks virtual appliances come “locked down” from a security perspective, built from the ground up on the Barracuda OS, a hardened Linux operating kernel and optimized to run seamlessly within virtualization environments.
BYOD (Bring Your Own Device)
The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss. The Barracuda NextGen Firewall provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.
Secure Remote Access
The Barracuda NextGen Firewall incorporates advanced site-to-site and client-to-site VPN capabilities, using both SSL and IPsec protocols to ensure remote users can easily and securely access network resources without complex client configuration and management. Every Barracuda NextGen Firewall unit supports an unlimited number of VPN clients at no extra cost. The Barracuda VPN client also provides the ability to enforce Windows Security Center settings on client machines running Windows. This allows administrators to centrally enforce the usage of Windows Security settings on PCs. The enforced policies can include enabling the Microsoft Network Firewall, Windows Updates, Windows Virus Protection, Windows Spyware Protection, and Internet Security Settings.
Barracuda VPN Clients are available for Microsoft Windows, Mac OS, and various Linux systems.
Network Access Control
The optional Barracuda NextGen Firewall SSL VPN and NAC subscription adds a customizable and easy-to-use portal-based SSL VPN as well as sophisticated Network Access Control (NAC) functionality.
The Barracuda Network Access Client, when used with the Barracuda NextGen Firewall, provides centrally managed Network Access Control (NAC) and an advanced personal firewall. This allows enforcement of minimum Windows client security prerequisites before being allowed access to the network or access to a quarantine network. Security posture can be specified according to available Windows patch level, availability of antivirus and/or anti-spyware, and user ID. Access restrictions are enforced locally on the client by the centrally managed personal Windows firewall as well as at the gateway. Using existing Barracuda NextGen Firewall appliances, Barracuda Networks offers a ready-to-use Network Access Control framework without expensive investments into the basic network infrastructure. All Barracuda Network Access Clients as well as all Barracuda NextGen Firewall units acting as policy servers can be administered, monitored, and reviewed from a single Barracuda NextGen Control Center.
Managing the security issues in a widely distributed enterprise network can be painful and extremely time-consuming. Managing a system may take only 15 minutes per day. But having 20 firewall systems in place results in five hours per day – just to manage the existing system. With the Barracuda NextGen Control Center, managing mulitple Barracuda NextGen Firewalls takes the same amount of time as managing one.
Create pre-configured templates for easy-rollout.
Have all information about the enterprise security deployment available in real time.
Create reports of either one or all Barracuda NextGen Firewalls.
Scalable Barracuda NextGen Firewalls offer companies sustainable investment protection. Energize Updates automatically provide the latest firmware and threat definitions to keep the appliance up to date. With a maintained Instant Replacement subscription, organizations receive a new appliance with the latest specs every four years.