Barracuda Web Application Firewall - Foundation

The document discusses various aspects of the "Negative Security" model in a WAF configuration: - Everything is blocked by default unless explicitly allowed. - Only specific patterns are blocked, while everything else is allowed. - A strict relationship is established between the web application and WAF configuration.

Uploaded by Niven Maharjan

In the 'Negative Security' model...

...the WAF configuration is only changed during the initial setup.
...everything is blocked unless explicitly allowed.
...only specific patterns are blocked. Everything else is allowed.
...a very strict relationship is established between a web application and the WAF configuration.

A security policy can be assigned to only one service. Additional security policies must be created if more services are added into the system.

False
True

If you want to create signed certificates with Let's Encrypt...

Mark all correct answers.

...the domain of the service must be reachable at port 443.
...the service must be in active mode.
...the domain of the service must be reachable at port 80.
...the service must be in passive mode.

What are the two operating modes available in the WAF physical appliances?
Mark all correct answers.

Forward Proxy
Reverse Proxy
Bridge-Path
Bridge Proxy

Which of the following are NOT sub-policies?

Mark all correct answers.

Brute Force Protection
Request Limits
URL Encryption
Response Limits
Parameter Profiles
URL Normalization

Logs can be exported to...

Mark all correct answers.

...Microsoft Windows System Events.
...the Microsoft Azure Event Hub.
...Syslog servers.
...AMQP(S) servers.
...up to five different log servers.

Trusted Hosts can be used in which of the following cases?

To define which users or groups are allowed to log in during the authentication process.
To bypass traffic around the WAF.
To exempt specific traffic from security checks.

When the Encryption Tamper Proof mode is enabled, legitimate cookies might be blocked if the Max Cookie Value Length limit, specified in the Request Limits, is not changed accordingly.

True

Bot mitigation policies can be used...

Mark all correct answers.

...to enforce limits in HTTP headers.
...to limit the amount of total requests to a specific part of a web application.
...to enable credential stuffing protection.
...to enforce limits in the TCP window size.

If you want to protect your logins against credential stuffing, you require an ABP license.

True

What is the purpose of Exception Profiling?

To automatically mitigate vulnerabilities found in a web application protected by the WAF.
To create a database of authorized users.
To fine-tune security policies associated with a service using a heuristic-based strategy.
To fine-tune security policies associated with a service using pre-configured pattern levels.

In the 'Positive Security' model...

Mark all correct answers.

...the WAF configuration is only changed during the initial setup.
...everything is blocked unless explicitly allowed.
...changes to the web application not reflected in the WAF configuration might lead to false positives.
...only specific patterns are blocked. Everything else is allowed.

Clustering is initiated using which interface?

MANAGEMENT
LAN
WAN
br0

What happens when you accept the suggestion of the "Fix button" of the Web Firewall logs?

Mark all correct answers.

Multiple services might be affected by the triggered configuration change.
The configuration of the WAF is changed according to the suggestion.
Changes to the WAF configuration will be applied but have to be confirmed within 24 hours.
The associated security policy is copied, and changes will be applied to the copy.

By using the WAF Access Control feature, Audit logs can be used to track the activity of users logged into the web application.

True
False

Changing the system time zone requires a system reboot only if services are configured.

False

What is Brute Force protection?

Mark all correct answers.

It specifies the amount of successful login attempts from a single IP address.
It prevents attackers from forcefully breaking into the web application.
It limits the maximum number of requests either from all sources or from a single IP address to a specific part of a web application within a configured interval.
It is used to prevent SQL injection attacks.

The Compression feature compresses...

...all content in HTTP requests for a specific service or content rule.
...only the configured content types in HTTP responses for a specific service or content rule.
...all content in HTTP responses for a specific service or content rule.
...only the configured file types in HTTP requests for a specific service or content rule.

Extended Match rules can only be used in Bot mitigation policies.

False

Changing a service mode from passive to active is sufficient to activate Data Theft Protection.

False, a Bot mitigation policy is needed to activate this feature.
False, an allow/deny rule is needed to activate this feature.
True, but the patterns must be enabled in the Libraries and View Internal Pattern pages.

Trusted hosts can be defined using:

IP addresses / networks.
LDAP information (users, groups, domains).
LDAP information (users, groups).
Local users and groups.

URL Normalization...

...corrects any transmission errors from the backend servers.
...must be enabled in the security policy in order to use it.
...is only applied in HTTP requests.
...can be used to filter ambiguous FTP commands.

What is the correct process for creating Content Rules?

Create a new Content Rule in the Content Rules pool. Assign it to the service. Add the backend servers.
Add the Content Rule to the service. Add the backend servers to the rule.
Create a new Content Rule in the Bot mitigation policies. Add the backend servers to the rule.
Create a new Content Rule in the Allow/Deny rules. Add the backend servers to the rule.

When protecting cookies, why can't Tamper Proof mode, set to 'Encrypted', always be used?

Because not all browsers can decrypt encrypted cookies.
Because this feature is not available on all models.
Because web applications might need to access the information stored inside cookies.
Because the technology is fairly new, so old browsers cannot process encrypted cookies.

The HTTP POST request generated by a user attempting to log into a protected web application is blocked by the WAF. In which of the following is this request logged?

Attack logs
Audit logs
Web Firewall logs
Network Firewall logs
System logs
Access logs

In which sub-policy is the 'Maximum Upload File Size' configured?

In the FTP sub-policy.
In Request Limits.
Nowhere. The WAF does not regulate file uploads.
In Parameter Protection.
In Global ACLs.

The Barracuda WAF is licensed by the number of web applications protected.

False
True

A newly created service has the following security policy associated to it:

New services do not have any security policies by default.
Passive
Custom
Default
Active

What is 'Sequential Match' in the rule evaluation order?

Mark all correct answers.

It is used to evaluate Host and URL matches according to its sequence number.
It is used to evaluate only extended match rules using their sequence number, starting from a low number (1) to a high number (1000).
It is used after hierarchical matching when multiple matches occur in the Host Header and URL Path fields.

The WAF active mode...

Mark all correct answers.

...can be configured as a global setting for all services.
...logs traffic that triggers security violations.
...blocks traffic that triggers security violations.
...allows traffic even if it triggers security violations.

When the active/active high availability deployment is used...

All Vsites are active on both units, but using different VIPs.
Different Vsites are active on different units.
All Vsites are active on both units.

What happens when a second real server is added to a service?

The WAF puts the new server in sticky mode, and after 10 seconds it starts load balancing the traffic using the least request scheduling policy.
The WAF starts load balancing the traffic using the least request scheduling policy.
The WAF starts load balancing the traffic using the round robin scheduling policy.
The WAF puts the new server in maintenance mode, and after 10 seconds it starts load balancing the traffic using the least request scheduling policy.

The default Bot mitigation policy created automatically for each service cannot be removed.

False

What happens if multi-domain authentication is enabled and the user does not specify the domain before the username?

The WAF will deny the authentication attempt (LDAP injection attack).
The WAF will prompt the user with the list of configured domains.
The user will be authenticated against the default configured domain.
The WAF will use the 'Best match' policy to find which domain the user belongs to.

The supported authentication methods for credential stuffing / spraying are:

Mark all correct answers.

JSON / AJAX request
HTML form
HTTP basic authentication
NTLM

In the Bridge-Path deployment...

Mark all correct answers.

...the LAN interface must face the Internet.
...the WAN and LAN interfaces must be connected to two separate network segments.
...Real Servers can keep their existing IP addresses.

Access logs are disabled by default and must be enabled on the Service Configuration page.

False (it is enabled by default)

In which sub-policy is the 'Max Query Length' configured?

URL Encryption
URL Limits
Request Limits
URL Normalization
URL Protection

Client Fingerprints are enabled by default...

...but can be disabled at the server.
...but can be disabled at the service.
...and cannot be disabled.
...but can be disabled at the libraries.

Antivirus signatures are updated even if the Energize Updates license has expired.

False

In the One-Arm Proxy deployment...

Mark all correct answers.

...a WAN and a LAN interface are used.
...only the WAN interface is used for traffic.
...backend servers could be reached directly, bypassing the WAF.

What services are provided by the WAF's Access Control feature?

Authentication, authorization, and accounting.
Authentication, authorization, and auditing.
Authentication and authorization.
Authentication and credential stuffing protection.

When Cookie Security is enabled and the Tamper Proof mode is set to 'Signed', the WAF sends the following to the client:

Mark all correct answers.

The encrypted cookies.
The plain-text cookies.
The signed cookies.
A cookie hash that is used to verify whether the cookie has changed.

Select all the requirements for deploying the WAF in high availability.
Mark all correct answers.
Both systems must have the same 'Cluster Shared Secret'.
Both systems must have the same hostname.
Both systems must be of the same model.
Both systems must run the same firmware version.
Both systems must have at least one service configured.

What logs are available in the Barracuda WAF?

Mark all correct answers.

Web Firewall logs
Network Firewall logs
System logs
Audit logs
Access logs

What information is found in the Web Firewall logs?

Mark all correct answers.

All requests and responses.
HTTP requests and responses that generated a security violation.
The IP address of the client that generated the security violation.
The action that was taken to prevent the attack.

Data saved by the caching functionality is stored in the...

...SSDs and then moved to the hard disks after the max age is expired.
...RAM.
...hard disks.
...internal MySQL database.

URL Protection...

Mark all correct answers.

...limits the number of cookies that can be present in an HTTP request.
...limits the number of file uploads.
...specifies the allowed methods in HTTP requests headers.
...limits the size of the file uploads.

If you need to match a specific referer or parameter in an HTTP request, you need to use...

Since the Referer is contained in the IP packet header, the WAF cannot retrieve this kind of information.
...an Extended Match rule.
...a Host Match rule.
...a URL Match rule.

The unit from which the "Join Cluster" procedure is initiated pushes its configuration to the other unit.
False
True

What are security policies?

Pre-configured security settings to inspect HTTP requests only.
Pre-configured security settings to inspect HTTP requests and responses.
Standard rules created by the CSO to define what is allowed or not allowed in a specific company.
Pre-configured security settings that can be associated to any type of service including FTP and FTPS services.

Security policies...

...include only positive elements.
...include mostly positive and some negative elements.
...include mostly negative and some positive elements.
...include only negative elements.

If you want to protect your logins against credential stuffing, you require an ABP license.

True
False

Dual authentication is only available...

If LDAP and KERBEROS are used as primary authentication services.
If KERBEROS is used as primary authentication service.
If LDAP is used as primary authentication service.
With the local authentication service.

The WAF configuration can be changed using:

Mark all correct answers.

SSH
The web interface
REST APIs
The local shell access

Untrusted levels in Exception Profiling can be shared between multiple services.

False. Exception Profiling levels cannot be shared.
True. Additional untrusted levels can be created and assigned to multiple services in the service configuration.
True. In fact, there are only 3 untrusted levels that can be associated to services.

The predefined security policies...

Mark all correct answers.

...cannot be deleted.
...can be assigned to several services.
...can be customized.

When an 'action' is changed in the global ACLs...

...all services are affected.
...all services sharing the same security policy are affected.
...all security policies are affected.

The WAF virtual appliance can be deployed using the following operating modes:

Virtual WAF Defense
Bridge-Path
Reverse Proxy
Transparent Layer 2 Bridge

What changes should be made in a web application and web servers in order to use an Instant SSL service?

Two virtual hosts must be created in the web server: one to terminate HTTP connections and a second to terminate SSL connections.
The web application must accept SSL connections.
Web servers must be configured to accept SSL connections.
Nothing. Communication between clients and the WAF will be encrypted using SSL, but the communication between the WAF and the web application will remain unencrypted HTTP.
The web application code, especially if PHP and ASP are used, must have the iSSL option enabled.

In the Bridge-Path operating mode, the WAF:
● Acts as a Layer 2 transparent bridge
● Inspects only the traffic configured for inspection
● Bridges all other traffic
● Is only available for hardware models with a bypass card
● Is not available for VMs

The WebSocket policy can inspect the headers or text payload but not both at the same time.

True

In the Bridge-Path operating mode...

Mark all correct answers.

...requests and responses are terminated at the WAF.
...backend servers can see the source IP address of the client in the IP packet.
...the WAF only inspects traffic configured for inspection. All other traffic is allowed by default.

In the Reverse Proxy operating mode...

Mark all correct answers.

...only requests are terminated at the WAF. Responses go directly to the clients (Direct Server Return).
...requests and responses are terminated at the WAF.
...two different TCP connections are created for the request (Client>WAF and WAF>Server).
...all traffic is allowed by default.

What do you have to configure to enforce the antivirus scan for file uploads in some parts of your web applications?

Brute Force Prevention
Bot mitigation policies
Allow/Deny rules
Data Theft policies

What happens if a signed or encrypted cookie is tampered with before it is sent to the WAF?

The WAF terminates the TCP connection.
The WAF terminates the HTTP session.
If the WAF service mode is set to active, the WAF removes the tampered cookie, but the request will still be forwarded to the backend servers.

The WAF passive mode...

Mark all correct answers.

...can be configured as a global setting for all services.
...blocks traffic that triggers security violations.
...logs traffic that triggers security violations.
...allows traffic even if it triggers security violations.
...does not log traffic that triggers security violations.

