Table of Contents
- Description
- Types
- Setup - The basics of getting started with cudawaf
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
Description
With the Barracuda Web Application Firewall, administrators do not need to wait for clean code or even know how an application works to secure their applications. Organizations can ensure robust security with a Barracuda Web Application Firewall hardware or virtual appliance, deployed either on-premises or in the cloud. This module enables management of the Barracuda Web Application Firewall using Puppet..
About the Resource Types
The following features can be configured using this module:
Service
A Virtual Service is a combination of a Virtual IP (VIP) address and a TCP port, which listens and directs the traffic to the intended Service. The resource type for this feature is "cudawaf_service".
Server
A server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a Service. The resource type for this feature is "cudawaf_server".
Certificates
A signed certificate is a digital identity document that enables both server and client to authenticate each other. Certificates are used with HTTPS protocol to encrypt secure information transmitted over the internet. A certificate can be generated or procured from a third party Certificate Authority (CA). The resource type for this feature is "cudawaf_certificate". Generated certificates can be self-signed or signed by a trusted third-party CA. A certificate contains information such as user name, expiration date, a unique serial number assigned to the certificate by a trusted CA, the public key, and the name of the CA that issued the certificate.
Cloud-control
A comprehensive cloud-based service that enables administrators to monitor and configure multiple Barracuda Networks products from a single console. The resource type for this feature is "cudawaf_cloudcontrol".
Rule Group Server
A rule group server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a rule group. The resource type for this feature is “cudawaf_rule_group_server”.
Rule Group
Rules are used to configure content-aware switching over incoming web traffic. Rules help analyze an HTTP request headers to make load balancing and caching policy decisions. The resource type for this feature is “cudawaf_rule_group”.
Security Policy
A Security Policy determines what action to take when one or more of the rules match the request. All security policies are global and can be shared among multiple Services configured on the Barracuda Web Application Firewall. The resource type for this feature is “cudawaf_security_policy".
The detailed documentation on each of these REST API end points can be found here : Barracuda Web Application REST API v3
Setup
Pre-Requisites
The following components are necessary to use this module:
- A server running as a Puppet master.
- A Puppet agent running as a Puppet Device proxy to the Barracuda WAF.
- A Barracuda Web Application Firewall running the firmware version v9.1 or above
Configuration on the Puppet Master
Install the following gems:
-
Typhoeus
-
Rest-Client v 1.8.0 Rest client needs dependencies to be installed, most likely gcc and gcc-c++ follow the instructions below:
Install gcc and gcc-c++ :
On CentOS:
yum install gcc, gcc-c++
To install the gem files:
Using the puppetserver gem binary (required):
/opt/puppetlabs/bin/puppetserver gem install typhoeus -v 1.3.0
/opt/puppetlabs/bin/puppetserver gem install rest-client -v 1.8.0
Using the Puppet agent gem binary (required)
/opt/puppetlabs/puppet/bin/gem insall typhoeus -v 1.3.0
/opt/puppetlabs/puppet/bin/gem install rest-client -v 1.8.0
Elevating the Permissions for the gemspec files
In some cases, external dependencies can cause errors such as "Error in retreiving resource statement". Increasing read and execute permissions to the gemspec on the master can help solve this problem.
Default Location of the gemspec files:
/opt/puppetlabs/puppet/lib/ruby/gems/2.0.1/specifications
To change permissions:
chmod 777 rest-client-1.8.0.gemspec
chmod 777 typhoeus-1.*
Please note: After you are changing permissions, please remember to restart the puppetserver daemon.
/opt/puppetlabs/bin/puppetserver stop
/opt/puppetlabs/bin/puppetserver start
Handling dependencies on the agent:
The best way to handle these is to use the 'Package' resource and run the puppet agent command on the target node. Sample manifest of the Package resource:
package { 'typhoeus' :
ensure => present,
provider => 'puppet_gem',
}
package { 'rest-client' :
ensure => '1.8.0',
provider => 'puppet_gem',
}
To install the module
puppet module install barracuda-cudawaf
To install in a specific environment
puppet module install barracuda-cudawaf --environment=<env-name>
Installing the gem files on the Puppet Agent:
/opt/puppetlabs/puppet/bin/gem install rest-client -v 1.8.0
/opt/puppetlabs/puppet/bin/gem install typhoeus
Puppet Device
To use the module, first configure a Puppet agent that is able to run puppet device
.
This agent will be used to act as a "proxy system" for the puppet device
subcommand.
Create a device.conf file on the Puppet Agent node:
Path and file name:
/etc/puppetlabs/puppet/device.conf
Example "device.conf" file
[waf-1]
type cudawaf
url http://admin:<password>@<ip_address>:8000/
Command to run puppet device:
puppet device -v --user=root
Usage Examples
Create a HTTP service with a Rule Group and Rule group Server, and connect the WAF to the Barracuda Cloud Control
cudawaf_service { 'DemoService2':
ensure => present,
name => 'MyService2',
type => 'HTTP',
ip_address => '10.11.2.2',
port => 8000,
group => 'default',
vsite => 'default',
status => 'On',
address_version => 'IPv4',
comments => 'Demo service',
}
cudawaf_security_policy { 'securitypolicy1':
ensure => present,
name => 'custom',
}
cudawaf_cloudcontrol { 'CloudControl':
ensure => present,
state => 'not_connected',
connect_mode => 'cloud',
username => 'user@domain.com',
password => 'password'
}
cudawaf_rule_group { 'RuleGroup-1':
ensure => present,
name => 'ContentRule1',
service_name => 'MyService2',
url_match => '/testing.html',
host_match => 'www.example.com'
}
cudawaf_rule_group_server { 'RuleGroupServer-1':
ensure => absent,
name => 'rgServer1',
service_name => 'MyService2',
rule_group_name => 'ContentRule1',
identifier => 'Hostname',
hostname => 'barracuda.com'
}
Creating Resources (Additional examples)
The following example manifests can be used to create resources on the Barracuda Web Application Firewall:
To create a HTTP Service:
cudawaf_service { 'WAFSVC-1':
ensure => present,
name => 'WAFSERVICE',
type => 'http',
mask => '255.255.255.255',
ip_address => '10.0.0.1',
port => '80',
group => 'default',
vsite => 'default',
status => 'On',
address_version => 'ipv4',
enable_access_logs => 'Yes',
svcname => 'ProdService',
}
To create a Real server:
cudawaf_server { 'WAFSERVER-2':
ensure => present,
name => 'server2',
identifier=> 'IP Address',
address_version => 'IPv4',
status => 'In Service',
ip_address => '192.168.1.10',
service_name => 'ProdService',
port => '80',
comments => 'Server for ProdService',
}
To Upload a Signed Certificate:
cudawaf_certificate { 'WAFUPLOADSIGNEDCER-1':
ensure => present,
name => 'signedcert1',
signed_certificate => '/home/wafcertificates/root.pem',
allow_private_key_export => 'yes',
type => 'pem',
key =>'/home/wafcertificates/privkey.pem',
assign_associated_key => 'no',
upload => 'signed'
}
To Upload a Trusted Certificate:
cudawaf_certificate { 'WAFUPLOADTRUSTEDCER-1':
ensure => present,
name => 'trustedcert1',
trusted_certificate => '/home/wafcertificates/cer.pem',
upload => 'trusted'
}
To Upload a Intermediary Signed Certificate:
cudawaf_certificate { 'WAFUPLOADINTERMEDIATESIGNEDCER-1':
ensure => present,
name => 'signedcertint1',
signed_certificate => '/home/wafcertificates/root.pem',
intermediary_certificate => '/home/wafcertificates/inter.pem',
allow_private_key_export => 'no',
type => 'pem',
key =>'/home/wafcertificates/privkey.pem',
assign_associated_key => 'no',
upload => 'signed'
}
To Upload a Trusted Server Certificate:
cudawaf_certificate { 'WAFUPLOADTRUSTEDSERVERCER-1':
ensure => present,
name => 'trustedservercert1',
trusted_server_certificate => '/home/wafcertificates/cer.pem',
upload => 'trusted_server'
}
To connect the WAF to Barracuda Cloud Control
cudawaf_cloudcontrol { 'WAFCouldControl-1':
ensure => present,
connect_mode => 'cloud',
state => 'connected',
username => 'testmail@barracuda.com',
password => 'password'
}
Reference - An under-the-hood peek at what the module is doing and how
cudawaf_service
A Virtual Service is a combination of a Virtual IP (VIP) address and a TCP port, which listens and directs the traffic to the intended Service.
Service Parameters
address-version
Specifies the IP Protocol to be used with the service. Must be "IPv4",
status
Specifies if the service should be enabled "On" or disabled "Off"
name
Specifies the name for the service. Must be a valid string
port
Specifies the listening port for the service
comments
Specifies the description for the service
enable-access-logs
Specifies if the service should be created with the access logs enabled i.e "Yes" or disabled i.e "No"
session-timeout
Specifies the session idle timeout. Must be a valid number or 0
app-id
Specifies the app-id for the service
group
Specifies the service group in which the Service is to be created. Must be a group present in the WAF.
vsite
Specifies the vsite object in which the Service will be created.
type
Specifies the type of service to be created. Example: HTTP or HTTPS
dps-enabled
Specifies if the service should have Advanced DdoS Prevention service enabled i.e "Yes" or disabled i.e "No",
ip-address
Specifies the listening ip address for the service
mask
Specifies the subnet mask for the service
cudawaf_server
A server object can be used to configure the networking information of the back-end server to be hosted on the Barracuda Web Application Firewall. Multiple real servers can be added and configured to load balance the incoming traffic for a Service.
Server Parameters
identifier
Specifies if the server identifier should be an ip address i.e "IP Address" or a hostname i.e "hostname"
address-version
Specifies IP Protocol. Must be IPv4
status
Specifies if the real server should be enabled or disabled. Must be set as one of In Service, Out of Service Maintenance, Out of Service Sticky, Out of Service All
name
Specifies the name for the server
ip-address
Specifies the ip address for the server. Must be set if the identifier is set as "IP Address"
hostname
Specifies the hostname for the server. Must be set if the identifier is set as "hostname"
port
Specifies the port number to be bound with the server
comments
Specifies a description for the server
cudawaf_certificate
Signed Certificate Parameters
upload
The certificate file to be uploaded should be specified with the path
name
Specifies the name for the certificate
type
Specifies the type for the certificate. Options are pkcs12 and pem
key_type
Specifies the key type for the certificate being uploaded
signed_certificate
Specifies the signed certificate file
assign_associated_key
Specifies if the uploaded certificate should be associates with a private key that is stored on the WAF system
key
Specifies the private key file
intermediary_certificate
Specifies the intermediary certificate to be used with the signed certificate during the upload
allow_private_key_export
Specifies if the WAF should allow the private key is to be exported when the certificate is exported
password
Specifies the password for the pkcs12 certificate
Trusted Server Certificate Parameters
upload
The certificate file to be uploaded should be specified with the path
name
Specifies the name for the certificate
trusted_server_certificate
Specifies the trusted server certificate file
Trusted CA Certificate Parameters
upload
The certificate file to be uploaded should be specified with the path
name
Specifies the name for the certificate
trusted_certificate
The certificate file to be uploaded should be specified with the path
Self Signed Certificate Parameters
city:
common_name:
country_code:
curve_type:
key_size:
key_type:
name:
organization_name:
organization_unit:
san_certificate[
"DNS:<domain name>,"
"Email:<email address>,"
"URI:<Provide the URI.>",
"IP:<Provide the IP.>"
]
state:
cudawaf_cloudcontrol
Barracuda Cloud Control Parameters
connect_mode
Specifies the mode of connections. Must be "cloud"
password
Specifies the password to be used for the cloud control connection. This should be available before using this resource type.
state
Specifies the state of the connection
username
Specifies the Barracuda Cloud Control username for the connection. This should be available before using this resource type.
cudawaf_security_policy
Security Policy Parameters
name
Specifies the name for the security policy
cudawaf_rule_group
Rule Group Parameters
name
Specifies the name for the rule group
service_name
Specifies the name of the service under which the rule group should be created
app_id
Specifies the app id for the rule group
comments
Specifies any user comments under the rule group created
extended_match
Specifies the extended match to be used with the rule group for matching the incoming request
extended_match_sequence
Specifies the extended match sequence number for the rule
host_match
Specifies the host header match for the rule group
mode
Specifies the security policy mode for the rule group
status
Specifies if the rule group is enabled or disabled
url_match
Specifies the url match for the rule group
web_firewall_policy
Specifies the security policy for the rule group
cudawaf_rule_group_server
Rule Group Server Parameters
name
Specifies the name for the rule group server
identifier
Specifies if the server identifier should be an ip address i.e "IP Address" or a hostname i.e "hostname"
address-version
Specifies IP Protocol. Must be IPv4
status
Specifies if the real server should be enabled or disabled. Must be set as one of In Service, Out of Service Maintenance, Out of Service Sticky, Out of Service All
name
Specifies the name for the server
ip-address
Specifies the ip address for the server. Must be set if the identifier is set as "IP Address"
hostname
Specifies the hostname for the server. Must be set if the identifier is set as "hostname"
port
Specifies the port number to be bound with the server
comments
Specifies a description for the server
rule_group_name
Specifies the name of the rule group under which the server has to be created
service_name
Specifies the name of the service
backup_server
Specifies the ip address of the backup server if the primary server is not reachable
identifier
Specifies the identifier for the server. Mention "IP Address" or "Hostname"
hostname
Specifies the hostname if the identifier is set to Hostname
weight
Specifies the weight for the rule group server
Limitations
This module is intended to be supported on all PE-supported platforms. However, it has been currently tested on Ubuntu/Linux platforms only.
Development
Barracuda modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. Please follow our guidelines when contributing changes.
For more information, see our module contribution guide.
Contributors
To see who's already involved, see the list of contributors.