Barracuda Networks now sells its web application firewall (WAF) as a cloud-delivered, managed service.
The security vendor previously offered the WAF as a hardware device, a virtual appliance, or a public-cloud appliance in Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Barracuda’s virtual appliance WAF is the No. 1 deployed security solution across all three public clouds, said Nitzan Miron, vice president of product management and application security services at Barracuda.
The new cloud-delivered version makes it easier to deploy, but gives customers the same ability to set customized policies that they expect from on-premises WAFs, Miron added.
“It’s the best of both worlds,” he said. “It’s easy to set up. In a couple minutes you get your applications secured, and you don’t have to upgrade the software or ever replace hardware. And with cloud-based WAFs, they usually have very limited ability to customize. With WAF-as-a-service, we are bringing the power of the on-premises WAF to a cloud-delivered, as-a-service WAF.”
Incapsula, Akamai, and Cloudflare all offer cloud-based WAF services that compete with Barracuda’s new service. “And they all share this same kind of disadvantage,” Miron said. “They can be very easily deployed, but they give you very limited ability to customize the rules and tailor them to what you need.”
What’s a WAF?
A web application firewall protects public and internal web applications deployed on premises and in the cloud. Companies deploy WAFs in front of servers to protect applications and APIs against external and internal attacks.
Barracuda’s is deployed as a reverse proxy, and in addition to monitoring all access to web applications, it also does SSL offloading, load balancing, content caching, and authentication and access control, Miron said.
Barracuda’s WAF protects against OWASP Top 10 most critical web application security risks, bots, distributed denial of service (DDoS) attacks, and other advanced zero-day threats. It does this by integrating with Barracuda’s real-time threat intelligence network. And when this global threat network identifies a new threat or vulnerability, the WAF can patch the vulnerability and block the threat.
Growing Market — And Attack Surface
This is important because web applications are among the most commonly breached and the least secured, Miron said, citing Verizon’s annual data breach report. Published last month, the report found web applications had the most breaches in 2017, at 21 percent of all reported breaches. For comparison, the No. 2 and No. 3 breach “patterns” were miscellaneous errors (16 percent) and “everything else” (15 percent).
The WAF market is growing, according to Gartner, which says cloud-based WAF services are driving adoption. By 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today, the analyst group says. And by 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAF service platforms, combining CDN, DDoS protection, bot mitigation and WAF, up from less than 20 percent today.