Nuts and Bolts Barracuda Firewall 
 

Tested: Barracuda firewall X201

Stonewalled

With a number of new firewalls, Barracuda seeks to expand its portfolio to include small and medium-sized companies. We take a closer look at the Barracuda firewall X201. By Oliver Frommel

In the beginning, Barracuda produced appliances to combat spam. By the time the spam wave reached its peak, their devices had become so successful that they started to expand their product portfolio. Today, the manufacturer has various firewalls and web filters as well as storage and backup products in its product range. Recently, the established Barracuda NG Firewall was joined by a new product line that is aimed primarily at small and medium-sized companies: the Barracuda firewall.

In our lab, we tested the smallest device in the new firewall series; it comes in two versions. The X200 [1] is the smallest firewall with four Gigabit Ethernet ports (Figure 1). The ADMIN team tested the X201 version, which also has a WLAN interface. The smallest firewall has an external power supply, whereas the larger devices – X300, X400, and X600 – are designed for rack installation and have a built-in power supply [2]. The models also differ in terms of performance: The X200/201 promises 1Gbps firewall throughput and 200Mbps for VPNs. For the top-of-the-range X600 model, these are 5Gbps and 700Mbps for VPNs.

Figure 1: The X200 model (left) is the smallest in the new Barracuda firewall series. The X201 version (right) has a wireless interface.

An optional accessory available for all Barracuda firewalls is a 3G USB modem, which was developed by the manufacturer itself and can handle UMTS, HSDPA, and HSUPA up to 7.2Mbps. Administrators can also control the firewall by text message in an emergency (e.g., to reboot). The 3G modem costs about US$ 200.

Because the new Barracuda firewall series also targets companies that do not employ specially trained firewall or network professionals, the manufacturer tries to make the configuration easier for administrators. For this purpose, the X201 offers a preconfigured firewall bridge between ports 1 and 3. To isolate their workstation from the network easily, admins can plug the cable into port 1 and connect the PC with the firewall via the supplied Ethernet cable.

Bridge Mode

Thanks to the bridge, the computer is still connected to the LAN and Internet. Now, however, the web interface of the firewall is accessible via the private address 192.168.200.200. Thanks to a VGA port and two USB ports, you can also connect a keyboard and monitor to the firewall. Only basic functions are available in the graphical terminal interface, and only the web interface offers the full configuration scope.

Whether access is gained via the web or terminal, the default login name and password are both admin. After logging in, you get to see the web interface, with the menu items at the top (Figure 2). If you hover the mouse over one of them, a submenu pops up. The organization of items is not always logical, and you first need to understand what is happening before you continue. Although a Routing entry can be found below Network, the current routes are actually found in Basic | Active Routes (see the box "Enhancement Release 6.1").

Figure 2: The Barracuda Firewall can be managed completely via a web interface.

The manufacturer has preconfigured port 2 to connect the firewall to an uplink that uses DHCP to assign an address. The setting can, of course, be changed by the user. However, doing so is not easy: The bridge configuration prevents correct routing because of a route to the 0.0.0.0 network. To get rid of this route, the user has to go to Network | IP configuration and change the management network mask to 255.255.255.0, for example.

At the same time, however, you must change the settings of the workstation connected on port 1 and assign an address from the 192.168.200.0 network. In our lab, we talked to Barracuda support to discover this solution; the support people were competent and helpful. In principle, the firewall also supports reverse tunneling, which you can use to log in to the device; however, this approach works only if you have an Internet connection.
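The routing conflict described above can be reproduced with a small model; this is an added example, not code from Barracuda or from the original article. It assumes that the route to the 0.0.0.0 network is the connected route of the management address with a mask of 0.0.0.0 (the only mask that maps 192.168.200.200 to network 0.0.0.0); the route metrics and the test destination are constructed values.

```python
import ipaddress

MGMT_IP = "192.168.200.200"          # management address given in the article
MGMT = "management bridge (on-link)"
UPLINK = "uplink default route (DHCP, port 2)"


def connected_route(ip, netmask):
    """Network that an address/netmask pair places in the routing table."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def build_table(mgmt_mask):
    """Two-entry routing table: management network plus the DHCP default route."""
    return [
        # Connected routes get metric 0 (assumption, as on most IP stacks).
        {"name": MGMT, "net": connected_route(MGMT_IP, mgmt_mask), "metric": 0},
        # Constructed metric for the default route learned on the uplink.
        {"name": UPLINK, "net": ipaddress.ip_network("0.0.0.0/0"), "metric": 100},
    ]


def lookup(routes, dst):
    """Longest-prefix match; equal prefixes are decided by the lower metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["name"]


def workstation_ok(addr, mgmt_mask):
    """True if the PC on port 1 shares a network with the web interface."""
    return ipaddress.ip_address(addr) in connected_route(MGMT_IP, mgmt_mask)


if __name__ == "__main__":
    internet_host = "198.51.100.10"  # constructed destination (documentation range)
    for mask in ("0.0.0.0", "255.255.255.0"):
        net = connected_route(MGMT_IP, mask)
        print(f"mask {mask:15} -> {net}: {internet_host} leaves via "
              f"{lookup(build_table(mask), internet_host)}")
    # After the mask change the workstation needs a 192.168.200.0/24 address.
    print(workstation_ok("192.168.200.10", "255.255.255.0"))
    print(workstation_ok("10.0.0.5", "255.255.255.0"))
```

With the all-zero mask, the management bridge claims every destination as directly attached and shadows the uplink; with 255.255.255.0, only 192.168.200.0/24 stays on the bridge, which is also why the workstation on port 1 then needs an address from that network.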

Cut

One feature that proved particularly annoying during the setup and troubleshooting was that the user is not allowed to make many adjustments to the firewall if it is not enabled through a connection to the Barracuda site. Troubleshooting the connection to the Internet is a pain if you need precisely this connection. From a customer perspective, it is difficult to see why a device that you have paid for in full is restricted in terms of its capabilities. It's really annoying when the firewall prompts you to click on a link to effect a change, only to refuse to do so with a message of "This operation is not permitted until this Barracuda firewall is activated."

Firewall and Router

After successfully overcoming these hurdles, you can look forward to a firewall that comes with many features. These features include standard filters at IP and port level, as well as application-specific filters that inspect the packet contents. For example, admins can block access to Facebook, Skype, or P2P networks if the corporate policy so dictates.

Additionally, the firewall provides many functions that are typically handled by routers, such as connecting to the Internet via a backup line (e.g., via the 3G modem or DSL with PPPoE). This functionality is convenient, for example, for linking with branch offices; you only need an additional firewall that can also encrypt the connection via an IPsec VPN. Quality-of-service, as implemented by the firewall, ensures that important services have priority on fallback connections with less bandwidth. The X201 model we tested can also be used as a wireless access point; besides WPA-PSK, it can use WPA-RADIUS for authentication. The firewall can even provide a captive portal that first presents users with a website. The firewall also supports address translation via DNAT and SNAT.

If you operate a web server on your local network, you can use Barracuda firewall to set up a DMZ (demilitarized zone) for this purpose. The firewall then regulates the traffic from the Internet and from the intranet to the DMZ separately. To run the web server on port 8080, for example, the firewall can use port translation to shift incoming requests to a different port.

In the Cloud

Following the hype, the Barracuda firewall also provides firewall management "in the cloud," so you can configure the device through the manufacturer's website. The web interface is functionally identical to the one on the firewall itself. However, administrators can manage all of their firewalls in a single interface in the Barracuda cloud. A web security module which, for example, outsources malware scans to the Barracuda site is available for an extra charge.

Under the hood of the router is a hardened Linux system; it runs on an Atom processor and uses an Intel SSD for data storage. Software by Austria's Phion, which was acquired by Barracuda, converts the packet filter into an application-level firewall.

In a corporate environment, you can integrate the Barracuda firewall by implementing a number of authentication types and protocols, including Active Directory, NTLM, CHAP, RADIUS, and LDAP(S). On the firewall itself, administrators can install their own certificates.

In terms of cost, the X200 firewall will set you back about US$ 1,499. Energize updates for it cost US$ 360 a year. Instant Replacement and Premium Support are available for US$ 350 a year, and the web security package costs US$ 250. The prices of the larger models start at US$ 1,999 (X300) and range up to US$ 8,999 (X600). Support packages for the larger models are also more costly than for the smaller models.

Conclusions

The Barracuda firewall rounds out the company's NG firewall offerings. The new device is feature-rich and includes many traditional router functions, such as VPNs, load balancing, and traffic shaping. As firewalls, the Barracuda devices go beyond pure packet filtering and can act as application-level firewalls, blocking data packets based on their content.

The new bridge mode for configuring the firewalls, however, confuses rather than helps. Additionally, restricting a firewall's functionality if it is not activated online is something the manufacturer would be better off discontinuing.