
Client Certificate Validation using OCSP

In document Barracuda Web Application Firewall (Page 120-125)

The Barracuda Web Application Firewall supports the Online Certificate Status Protocol (OCSP) to determine the current status of a digital certificate. While Certificate Revocation Lists (CRLs) provide certificate status that is updated only periodically, OCSP provides more recently updated revocation status information for certificates. A central OCSP server is configured to collect and update CRLs from the different Certificate Authority (CA) servers. The OCSP server (also known as the OCSP responder) is a trusted Certificate Authority (CA) server. When OCSP is enabled, the Barracuda Web

Note

In order for a certificate to be allowed via an Allow Rule, ensure that Allow Rules also exist for all certificates in its chain. If the certificate itself matches an Allow Rule, but its intermediate or Trusted Certificate does not match any rule, then the request will be denied.

User Access Control 119

certificates. SSL connections from the clients are allowed or denied based on the status of the client certificate presented to the Barracuda Web Application Firewall.

Functioning of OCSP Validation

When a user attempts to access a server, an OCSP status request for the user certificate is sent to an OCSP responder (the central OCSP server). The OCSP responder receives the request and validates whether it contains the information required to identify the certificate. The OCSP responder returns a signed response message indicating the status of the certificate as follows:

• "GOOD" indicates a positive response that the certificate is not revoked.

• "REVOKED" indicates that the certificate has been revoked.

• "UNKNOWN" indicates that the responder has no information about the requested certificate.

In case of any error or failure, the responder may return an unsigned message indicating the failed communication; such failures are logged under System Logs. Errors can occur because of a malformed request, an internal error at the responder, or an unauthorized request.
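The exchange described above, as an added example that is not part of the Barracuda documentation or product: a constructed test CA (which also acts as the OCSP responder) answers a request for a client certificate with a signed GOOD or REVOKED response, or with an unsigned error for a malformed or unauthorized request, and `decide()` applies the allow/deny rule the section describes. It uses the Python `cryptography` library; the names `make_cert`, `ocsp_request`, `responder`, `decide`, `ALICE` and `BOB` are this example's own.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DER = serialization.Encoding.DER
def make_cert(name, key, issuer=None, issuer_key=None):
    """Self-signed CA when issuer is None, otherwise a leaf signed by that CA."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(issuer_key or key, hashes.SHA256()))

CA_KEY = ec.generate_private_key(ec.SECP256R1())  # constructed CA; it also acts as the OCSP responder
CA = make_cert("Test CA", CA_KEY)
ALICE, BOB = (make_cert(n, ec.generate_private_key(ec.SECP256R1()), CA, CA_KEY) for n in ("alice", "bob"))
ISSUED = {c.serial_number: c for c in (ALICE, BOB)}
REVOKED = {BOB.serial_number}  # bob's certificate has been revoked by the CA

def ocsp_request(cert):
    """What the WAF sends to the responder: hashed issuer name/key plus the cert serial."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, CA, hashes.SHA1()).build().public_bytes(DER)

def responder(req_der):
    """Toy responder: CA-signed GOOD/REVOKED for certs it issued, unsigned error otherwise."""
    fail = lambda s: ocsp.OCSPResponseBuilder.build_unsuccessful(s).public_bytes(DER)
    try:
        req = ocsp.load_der_ocsp_request(req_der)
    except ValueError:
        return fail(ocsp.OCSPResponseStatus.MALFORMED_REQUEST)
    cert = ISSUED.get(req.serial_number)
    if cert is None: return fail(ocsp.OCSPResponseStatus.UNAUTHORIZED)  # never issued by this CA
    revoked = cert.serial_number in REVOKED
    return (ocsp.OCSPResponseBuilder().add_response(
        cert, CA, hashes.SHA1(), ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        NOW, NOW + datetime.timedelta(hours=1),
        NOW if revoked else None, x509.ReasonFlags.key_compromise if revoked else None)
        .responder_id(ocsp.OCSPResponderEncoding.HASH, CA).sign(CA_KEY, hashes.SHA256()).public_bytes(DER))

def decide(cert, resp_der):
    """WAF-side decision: ('allow'|'deny', reason). verify() raises InvalidSignature unless CA-signed."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:  # unsigned error: deny and log
        return "deny", resp.response_status.name
    CA.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number: return "deny", "response is for a different certificate"
    good = resp.certificate_status == ocsp.OCSPCertStatus.GOOD
    return ("allow" if good else "deny"), resp.certificate_status.name
```

Only a response that is signed by the trusted CA, refers to the presented certificate and reports GOOD results in "allow"; REVOKED, UNKNOWN and every unsigned error path deny.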

Configuring OCSP Validation

Detailed instructions for configuring a service to enforce client certificate validation using OCSP are available in ACCESS CONTROL > Client Certificates online help.

Note

Enforce Client Certificate must be set to Yes for the service on the BASIC > Services page for the Barracuda Web Application Firewall to perform client certificate authentication using OCSP.

Keys and Certificates 121

Chapter 13 Keys and Certificates

This chapter provides an introduction to the Public Key Infrastructure (PKI) technology, including a system overview of how the Barracuda Web Application Firewall uses PKI encryption to protect traffic:

• Overview ... 122

• SSL Implementation and Configuration ... 123

• Certificates ... 124

Overview

The Barracuda Web Application Firewall implements Secure Socket Layer (SSL) encryption using PKI objects. Besides encrypting transmitted data, this technology allows authentication of sender and receiver and is the most effective way to securely send confidential information over the Internet.

The Barracuda Web Application Firewall allows you to use SSL encryption between a client and the Barracuda Web Application Firewall, and/or between the Barracuda Web Application Firewall and Web servers. To implement SSL, the Barracuda Web Application Firewall allows the creation or upload of Public Key Infrastructure (PKI) objects like keys and certificates.

PKI technology allows secure exchange of data over the Internet using key pairs for authentication and encryption. This type of cryptography starts with the creation of two keys: a public key known by everyone, and a private key known only by its owner. This key pair is used to encrypt and decrypt messages sent by an owner. The public key allows initiation of a secure communication. The private portion of the key pair confirms the owner’s identity.

In an SSL transmission between a client and a server, the client requests a secure connection, and the server responds with a certificate identifying the certificate authority (CA) and the server’s public encryption key. This allows the client to verify the server’s identity. If satisfied with the authenticity of the server, the client sends a test transmission which can only be decrypted with the private key of the server. This transmission allows both parties to generate the encryption and decryption keys for the impending transaction. In addition, a server may require the client to authenticate itself by providing a certificate, and refuse to communicate with clients who fail to do so.

The Barracuda Web Application Firewall acts as a server on the front-end (Internet facing), receiving client requests. On the back end, the Barracuda Web Application Firewall acts as a client to the Web servers, forwarding safe requests to the servers. In each case, data can be secured using SSL, providing end-to-end secure data for requests and responses.

The Barracuda Web Application Firewall allows certificates obtained from a trusted CA to be uploaded, or can create a self-signed certificate to implement SSL.

PKI protects data sent over the Internet in the following ways:

Authentication - An issued digital certificate that is given to a user, organization, or Web site validates the identity of an entity and then allows access to the Web site.

Privacy - A certificate protects data from being intercepted during transmission.

Integrity - A “signed” digital certificate ensures that the message or document has not been manipulated or corrupted during transmission.

Authorization - Before certificates, authorization required users to give an ID and password. Certificates guarantee the authenticity of each user, thus providing a level of authorization.

Digital certificates created using the Barracuda Web Application Firewall are of the standard X.509 format and are considered self-signed.

Caution

A compromised private key is a security threat! If a private key is exposed, then the public key can be easily derived. However, a private key cannot be derived from an exposed public key.

A digital certificate is derived from a key pair. It is an attachment to a sent message used for security. The certificate helps verify the identity of the user that sent the message and provides the receiver the means to decode the message. The most widely used standard for digital certificates is X.509.
