BNGIFSC1a (Barracuda / Firewall)
Simplifying Machine-to-Machine Connectivity
The S-Series is designed for companies that need to securely and cost-effectively connect large numbers of remote devices such as Automated Teller Machines (ATMs), point-of-sale kiosks, wind power stations, networked industrial machines or even very small offices. Managing and protecting network traffic among these remote machines is often a logistical nightmare involving many different firewalls, VPN software and routing steps.
Flexible Deployment Options
To support deployment of the Barracuda NextGen Firewall S-Series across a wide variety of use cases and remote locations, the SC1 appliance comes with a choice of uplinks and automated failover in case one uplink fails. Besides the typical wired uplinks using DHCP or static IP, the integrated wireless access point functionality can be reversed to access the WAN via existing wireless networks. For more deployment flexibility, the SC1 is also available with an optional 3G modem.
Easy and Affordable Scalability to Thousands of Devices
Instead of having all S-Series appliances establish a VPN connection to the primary Firewall/VPN gateway and potentially bog down corporate traffic, Barracuda designed the Secure Access Concentrator (SAC). The Secure Access Concentrator is “stackable” and optimized to handle VPN tunnel termination and routing, and to offload application enforcement, intrusion protection (IPS) and content security tasks for thousands of remote locations.
Full Next Generation Security Levels
The encrypted connection between the SC1 appliance and the Secure Access Concentrator (SAC) is established with TINA, Barracuda Networks' proprietary enhanced IPsec protocol, which is more resilient and performant than most competitive VPN solutions without giving up any security aspects. Every SAC can maintain an encrypted connection to thousands of remote SC1 appliances, while literally dozens of Secure Access Concentrators can be remotely controlled by the Barracuda NextGen Control Center. Full next generation protection is available in customer-friendly pricing options for unlimited users per Secure Access Concentrator gateway deployed. Advanced Threat Protection via sandboxing and detonation in the cloud is available.
Next Generation Security – Secure Connector 1 (SC1)
The SC1 is a secure connectivity device providing zone-based firewalling, Wi-Fi, and full VPN connectivity for connecting large numbers of remote devices or micro offices and centrally backhauling all network traffic.
While the device does not perform advanced functions like application detection, IPS, antivirus, or URL filtering on the box itself, these can still be performed centrally at the Secure Access Concentrators, larger offices, headquarters, or datacenter that the devices connect to.
Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. The core of the Barracuda S-Series VPN engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high-speed VPN connections, which improves VPN connectivity substantially by adding:
Endpoint-to-Endpoint (not network-to-network) connectivity
Multiple physical transport paths for a logical tunnel
HTTPS and SOCKS4/5 proxy compatibility
Dynamic Address Support
Tunnel heartbeat monitoring
Advanced Threat Detection
While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, the Barracuda Advanced Threat Detection (ATD) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. If the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered. The Barracuda ATD offers administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organization's network.
Intrusion Detection and Protection
The Intrusion Detection and Prevention System (IDS/IPS) of the S-Series strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases, preventing network attacks such as:
SQL injections and arbitrary code executions
Access control attempts and privilege escalations
Cross-Site Scripting and buffer overflows
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
Directory traversal and probing and scanning attempts
Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware
Barracuda NextGen Firewall S-Series Secure Access Concentrators provide advanced attack and threat protection features such as stream segmentation and packet anomaly protection, TCP split handshake protection, IP and RPC defragmentation, FTP evasion protection, and URL and HTML decoding. As a result, the Barracuda NextGen Firewall S-Series is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems. As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda NextGen Firewall S-Series is constantly up to date. If the firewall unit is centrally managed, the updates are conveniently distributed by the Barracuda S-Series Control Center.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection
In today's world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda NextGen Firewall S-Series effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.
Configuring and maintaining configurations of security appliances can be a complicated and time-consuming task. To make administrators' lives easier, the S-Series uses a new template-based editor, called SCA Editor. Templates can be created at the various organizational levels supported by the respective NextGen Control Center version (Global, range or cluster level). Once a template is changed, all SC1 appliances linked to this template are automatically updated within seconds.