Barracuda Enters the High End WAF market

Barracuda has joined the main stream WAF market by releasing two new models that compete with popular mid-range Imperva and Breach Security models.

Until recently Barracuda, which purchased its WAF product line from NetContinuum 18 months ago, focused on the entry level market selling a WAF for between $5,000 and $15,000. The new models, finally aligning with the industry by being called "a web application firewall" rather than a "web site firewall", are numbered 860 and 960 and sold for $25,000 and $35,000. The models are rated at 600 and 900 Mbps inbound traffic respectively. While WAF performance measurement is far from accurate, rating inbound traffic performance is a good step in the right direction. Many WAF vendors provide performance numbers that include little inbound and a lot of outbound traffic on which little inspection is done.

Barracude lists three new security features in the high-end models:

• Virus checking for uploaded files.
• XML firewall functionality.
• Rate control.

The 1^st one is an important feature for specific niche applications that enable users to upload files. This is a unique feature that it is currently only available in ModSecurity and the Breach Security product line based on ModSecurity. While it is easier to implement virus checking on a gateway rather than on the server after the file was upload, it is  resource intensive and a potential customer should check whether the new appliances can check his own traffic in real time for viruses.

The other new features are less well defined and require more details to fully analyze. A full feature XML firewall is a very powerful and complex beast that is not needed by everyone. Most WAFs that support XML protection offer only a subset specifically addressing detection of attacks within XML payload. If would be sufficient for most if Barracuda offers this entty level XML protection. Like virus checking XML protection might be resource intensive and the device may not work in its rated speed when inspecting XML traffic.

Rate limiting is fast becoming the holy grail for WAFs. It is an area in which WAFs can shine: rate based attacks such as denial of service, brute force or copyright infringement cannot easily be avoided by coding well, and a WAF can offer a unique solution. Vendors such as Breach Security, Applicure and recently Fortinet started offering rate limiting feature but all of them are still partial. It would be interesting to see if Barracuda push the industry another step in this important direction.