Barracuda WAF Review

The Barracuda Web Application Firewall is offered with a dazzling range of implementation options. On the one hand, the menu of options offered by Barracuda should enable it to attract every type and size of business to its services. On the other hand, all those choices can take a lot of time to work through and could put people off even considering Barracuda.

The short explanation of the Barracuda Web Application Firewall is that it offers strong protection for webservers and can be delivered in any format that anyone could ever ask for. Before examining the Barracuda Web Application Firewall in detail, let’s look at what this category of cybersecurity service needs to do and how it can be implemented.

What is a web application firewall?

Websites are hosted on a server. This is a big computer and it needs to have a physical connection to an internet gateway. The administrative processes that make a website available to everyone in the world are performed by a bundle of services that is also called a “server.” This software package is called a “webserver” and the physical computer, which is a server, is often referred to as a “webserver” is to host a website.

Web Application Firewalls (WAFs) protect that software bundle webserver. This is why they are called web application firewalls. Indirectly, they also protect the physical server because hacker software can overload processors on a physical server and cause it to hang or overheat.

Types of attacks that hackers can perform include the use of damaging software that disables standard processes hijacks and replaces them, causes them to get tied up with superfluous requests, or just shuts down key processes at will. Hackers can use this disrupting software as cover to enable them to break into the webserver, cause havoc, hijack resources, or get access to the physical server to steal data.

There are many ways into a webserver, including the input fields on web pages. Hackers might try to tamper with the TLS security system to disable transport encryption or masquerade as an important authority, company, or individual to trick the system into allowing access. Hackers can explore a network looking for weak points and abandoned user accounts that can be broken into.

Where to install a web application firewall

A firewall should be placed at the entry point to a network. The idea is to block the entrance to the network and check all the traffic coming in to stop malware and hackers while allowing genuine transactions through. Cybersecurity software that operates within a network is not referred to as a firewall – this is anti-malware, endpoint protection, or intrusion detection.

Firewalls can be pushed even further away from the network and be placed on another computer somewhere else in the world. This is called an edge service. In this format, the firewall is configured as a proxy.

In this format, the DNS records for a protected website get altered so that all requests for a page on the site get directed to the proxy server, which then asks the real host for the code and passes it on. This configuration means that no computer in the world can actually get at the real webserver – all communication has to be made with a connection to the proxy server. A benefit of having a cloud-based WAF is that it is provided on the Software-as-a-Service (SaaS) model, including the dashboard, processors, and storage space to support the WAF. Barracuda offers this configuration for its Web Application Firewall. It also has a managed service package that can include technicians and experts to monitor and adjust the WAF for a customer that has no in-house expertise.

Many businesses feel that outsourcing the management of all internet connections to a third-party is a risk and they would rather have the web application server on their own premises and completely under their control.

It is better for a firewall to be on a separate device from the actual webserver because there are many tricks that hackers can perform to overload a physical webserver without needing to get any malware on it. So, many web application firewalls are delivered as an appliance. This has the firewall software already loaded on it and provides the processing power and storage space that the software needs. That device does not perform any other task. It is connected directly to the gateway, with all incoming traffic flowing through it. Barracuda offers its Web Application Firewall as an appliance.

Some companies already have a lot of spare servers and they don’t want to buy a specific piece of hardware just for the firewall. They just want the firewall software to load onto one of their own servers. Barracuda supplies this option, too.

The Barracuda Web Application Firewall software package is more than just a program that loads on the server. A hacker might find a new way to get down to the operating system and bypass the firewall. So, Barracuda delivers its firewall as a virtual appliance. This means that it has all of the operating system included. So, there is no way that a hacker can break out of the firewall environment.

About Barracuda Networks

Barracuda Networks was founded in 2003 and is headquartered in Campbell, California – part of Silicon Valley. The company has its research lab based in Ann Arbor, Michigan. Barracuda Networks’ first product was a spam and virus firewall. The company first released its Web Application Firewall in 2008.

The company has continued development, creating a long list of security software and in 2013, it floated stock on the New York Stock Exchange. In 2018, Barracuda Networks was bought up by Thoma Bravo, a private investment group that specializes in technology. Other properties of Thoma Bravo include SolarWinds, the infrastructure monitoring provider, Sophos, an anti-virus and firewall producer, and Imperva, a major rival to Barracuda Networks.

Barracuda Web Application Firewall overview

The Barracuda Web Application Firewall is available as a SaaS system, as a private cloud platform, as an appliance, and as a virtual appliance software package. This WAF is a package of protection services for websites and the servers that deliver them.

Barracuda WAF

The Web Application Firewall offers the following services:

  • System hardening
  • Data loss prevention
  • Hacker identification
  • User authentication
  • Transport security
  • Security automation

The Barracuda Web application firewall is able to coordinate with other security services, such as SIEM systems to strengthen general network security as well as the security of the webserver.

Barracuda Web Application Firewall details

The Barracuda Web Application firewall follows the OWASP Top 10 threats and guards against them by looking for signatures in packets that arrive at the gateway. It also tracks user behavior to spot hacker activity.

System hardening

The WAF examines the contents of incoming traffic, including the responses typed into the input fields in a web page. These input fields offer hackers a route to damage web applications through strategies called SQL injection and cross-site scripting (XSS). Web pages are constructed with many service libraries, such as XML and JSON. These are called Application Programming Interfaces (APIs) and they can offer a way for hackers to manipulate a webserver.

Mobile apps also offer a route for hackers because the connections to them can often be poorly authenticated, allowing a clever programmer to imitate an app in order to gain unauthorized access. The Barracuda Web Application Firewall closes off all of these system weak points.

Data loss prevention

Not only does all incoming traffic pass through the WAF, so does outgoing traffic. This enables the WAF to examine contents to look for unauthorized data leaks either through the willing or unwitting activity of genuine users or through the intrusion of outsiders. This service can be specifically tailored to assist in PCI DSS compliance.

Hacker identification

Hackers can spoof their source IP addresses at will and also channel their activities through other computers. So, there isn’t much point in blacklisting IP addresses. Instead, the WAF uses a fingerprinting technique that identifies a particular hacker operating through different identities. The hacker might be simultaneously working as a site visitor and a company user account holder. So, all transactions are examined to look for an attack strategy.

User authentication

The WAF is able to protect applications that are developed commercially for remote access by outsiders as well as in-house applications. It implements whitelisting to completely block anyone from a non-trusted location from getting anywhere near access to these applications.

The Barracuda Reputational Database operates a blacklisting reference service to block access to well-known hacker locations. Geo-IP blocking can even ban access to entire countries known to be hotbeds of hacker activity.

Transport security

Barracuda operates two types of internet protection. The first is server cloaking, which makes it impossible for inbound connection requests to test ports and applications for availability. It also filters out any identifiers that a webserver might accidentally send back, such as identifiers in error messages or HTTP headers.

The service also integrates load balancing and caching to prevent traffic volumes from impairing the availability of the primary webserver.

Security automation

Barracuda Web Application firewall is able to share information with other system security services, ensuring that the system is able to contribute to the successful execution of SIEM security systems and other network and endpoint protection services.

DDoS protection

As well as protecting the webserver from malware, it blocks traffic assaults such as DDoS attacks and other automated and bot-based bombardments. This is an add-on service, called Barracuda Active DDoS Prevention.

Barracuda Pros & Cons


  • The interface is easy to use and scales well when monitoring multiple networks and wide-scale access rules
  • Features a built-in IDS to help alert to port scans and other pre-attack events
  • Ideal for more complex networks – great for enterprises
  • The NexGen Admin dashboard is highly customizable and offers many different ways to report and visualize firewall insights


  • Suited more for enterprises, many features can be too much for smaller networks
  • No free trial must manually request an evaluation version from their sales team

Alternatives to Barracuda Web Application Firewall

The Barracuda is a competent and comprehensive security system for webservers and it is available in every possible configuration. However, there is no harm in assessing several WAFs before deciding on which service to implement. There are other very good web application firewalls available on the market.

There are many issues to take into account when assessing a web application firewall to see if it is a good fit for your business. You can get more information on the factors to look out for in the Buyer’s Guide to the Best WAFs. If you don’t have time to read another article, you can read through the list of recommended web application firewalls described below.

Here is our list of the ten best alternatives to the Barracuda Web Application Firewall:

  1. AppTrana Managed Web Application Firewall   A web application firewall, a CDN, and a vulnerability scanner delivered as edge services from the cloud. The package includes the services of all the technicians and experts needed to manage the security system.
  2. Fortinet FortiWeb A web application firewall accompanied by a load balancer, and an SSL off-loader all pre-installed on a network appliance.
  3. F5 Essential App Protect – A cloud-based web application firewall that is also available for onsite installation as the appliance-based F5 Web Application Firewall.
  4. NGINX App Protect A version of F5 Essential App Protect that integrates into the Nginx Plus webserver and installs onsite or on any cloud platform.
  5. MS Azure Web Application Firewall A web application firewall service available from the Microsoft Azure cloud-server platform. It can protect a webserver, not just web applications hosted on Azure.
  6. Imperva Cloud WAF A SaaS web application firewall that also offers protection against data loss events to comply with PCI DSS. A managed service option is also available.
  7. Sucuri Website Firewall This cloud-based proxy firewall service is available in a number of plans. The WAF is bundled with other important edge services, including a site accelerator, DDoS protection, anti-malware, and a vulnerability scanner.
  8. Citrix Netscaler Application Firewall A web application firewall offered as an appliance or as a SaaS system. This security bundle also includes a load balancer.
  9. Radware AppWall A web application firewall delivered as a network appliance that uses signature-based strategies and also models visitor behavior.

Barracuda WAF FAQs

How do you factory reset Barracuda WAF?

You can clear the configuration of the Barracuda WAF and restore factory settings. This function is available in the Administrator panel by going to ADVANCED > System Configuration > Configuration Tools and then selecting Clear Configuration.

Where do the export logs go in Barracuda WAF?

The Barracuda WAF will export logs to a location that you specify. You can define five servers for log export destinations. You set this function up by looking in the Administrator dashboard and going to ADVANCED > Export Logs.

How do you add own cert to Barracuda WAF?

You can upload your own security certificate into the Barracuda WAF system. You do this in the Administrator dashboard by going to BASIC > Certificates. Fill in the details in the screen and then click on Upload Now.