What is our primary use case?
We have a web application on AWS, and we wanted just one minimum utility firewall to take care of one site with limited traffic. It is an internal website that is used by fewer than 200,000 employees. To protect that site, we use Barracuda WAF.
The internal website and the firewall were deployed only last year. We are running it on a minimal configuration, and no extensive changes were made. We will be making changes to the configuration periodically based on the requisites.
What is most valuable?
I like its ability to identify known attacks, including DDoS attacks. It's valuable because software must be able to stop known attacks. Application attacks are evolving all the time. When it comes to software-as-a-service, we need to have software that knows about all the latest attacks. It should also protect against major unknown attacks.
The main part is preventing unknown OS attacks and providing a blacklist of IP addresses. This vast service allows us to check for those blacklisted IPs and prevent traffic from those IPs.
What needs improvement?
We found it a bit slow when accessing it through the web browser. The URL also exposed the username and the hashed password. When I log into my Barracuda WAF user portal, I can see the username and the hashed password in the URL itself. So, it is not very secure, and it is important to take that off.
I would like to have a threat radar that is updated on their security database. I would like to see if their IP is getting updated and the data detection notifications are the same as in the server.
For how long have I used the solution?
I have used Barracuda WAF-as-a-Service over the last 18 months.
What do I think about the stability of the solution?
We did not see any issues with the performance.
How are customer service and technical support?
Technical support was good, and they respond very well.
On a scale from one to ten, I would give Barracuda technical support an eight.
Which solution did I use previously and why did I switch?
We used to use the Alert Logic web application firewall, but that was for a different client. In Alert Logic, there was not much transparency to see the different types of attacks. We couldn't do any customization for the website. We used to create profiles under which we would mention the different types of attacks. But if I wanted to make any custom changes on one website, I would have to make that in a profile and reflect it on all the other profiles. But with Barracuda, I can customize the changes on the website level.
How was the initial setup?
The initial setup was straightforward and took us less than four hours to install and deploy. Our environment is in AWS, and they had the package installed and available in the AWS marketplace. We discussed the throughput of our website and what would be the appropriate appliance and the instance that we would need to implement to download the software package.
It is like a multilayer website view, but we had only one entry point for the internet traffic. Just one instance of WAF was enough at that time, but we will be extending it to two availability zones.
We don't have to do maintenance because the signatures get updated periodically, and Barracuda does all the upgrades for us. We could look for support from the customer team to manage those maintenance activities.
What about the implementation team?
The Barracuda team helped us. Our administration team is very small, and it's just a two-member team.
What other advice do I have?
I would recommend Barracuda WAF to potential customers.
On a scale from one to ten, I would give Barracuda WAF-as-a-Service an eight.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)