Tested: Barracuda firewall X201
Stonewalled
In the beginning, Barracuda produced appliances to combat spam. By the time the spam wave reached its peak, their devices had become so successful that they started to expand their product portfolio. Today, the manufacturer has various firewalls and web filters as well as storage and backup products in its product range. Recently, the established Barracuda NG Firewall was joined by a new product line that is aimed primarily at small and medium-sized companies: the Barracuda firewall.
In our lab, we tested the smallest device in the new firewall series; it comes in two versions. The X200 [1] is the smallest firewall with four Gigabit Ethernet ports (Figure 1). The ADMIN team tested the X201 version, which also has a WLAN interface. The smallest firewall has an external power supply, whereas the larger devices – X300, X400, and X600 – are designed for rack installation and have a built-in power supply [2]. The models also differ in terms of performance: The X200/201 promises 1Gbps firewall throughput and 200Mbps for VPNs. For the top-of-the-range X600 model, the figures are 5Gbps firewall throughput and 700Mbps for VPNs.
An optional accessory available for all Barracuda firewalls is a 3G USB modem, which was developed by the manufacturer itself and can handle UMTS, HSDPA, and HSUPA up to 7.2Mbps. Administrators can also control the firewall by text message in an emergency (e.g., to reboot). The 3G modem costs about US$ 200.
Because the new Barracuda firewall series also targets companies that do not employ specially trained firewall or network professionals, the manufacturer tries to make the configuration easier for administrators. For this purpose, the X201 offers a preconfigured firewall bridge between ports 1 and 3. To isolate their workstation from the network easily, admins can plug the cable into port 1 and connect the PC to the firewall via the supplied Ethernet cable.
Bridge Mode
Thanks to the bridge, the computer is still connected to the LAN and Internet. Now, however, the web interface of the firewall is accessible via the private address 192.168.200.200. Thanks to a VGA port and two USB ports, you can also connect a keyboard and monitor to the firewall. Only basic functions are available in the graphical terminal interface, and only the web interface offers the full configuration scope.
Whether access is gained via the web or terminal, the default login name and password are both admin. After logging in, you get to see the web interface, with the menu items at the top (Figure 2). If you hover the mouse over one of them, a submenu pops up. The organization of items is not always logical, and you first need to understand what is happening before you continue. Although a Routing entry can be found below Network, the current routes are actually found in Basic | Active Routes (see the box "Enhancement Release 6.1").
Enhancement Release 6.1
Barracuda Firewall version 6.1 is an enhancement release over version 6.0 that will add new features, such as an integrated SSL-VPN (all models X200 and up) and support for high-availability clustering, as well as additional usability improvements. These enhancements readily incorporate the feedback from this article, such as relocation of the active routing table into the Network | Routing tab or support for network change activation from anywhere in the user interface regardless of the current product activation state. More importantly, several powerful setup wizards were added that guide the user through the initial setup process, including DHCP or WiFi Access Point setup (models X101/201). Version 6.1 will be available from mid-August on and can be viewed as a live demo now [3]. Also note that version 6.1 will add support for two new appliances – the Barracuda Firewall X100 and X101 (WiFi) – positioned as entry-level models below the tested X200 model.
The manufacturer has preconfigured port 2 to connect the firewall to an uplink that uses DHCP to assign an address. The setting can, of course, be changed by the user. However, doing so is not easy: The bridge configuration prevents correct routing because of a route to the 0.0.0.0 network. To get rid of this route, the user has to go to Network | IP configuration and change the management network mask to 255.255.255.0, for example.
At the same time, however, you must change the settings of the workstation connected on port 1 and assign an address from the 192.168.200.0 network. In our lab, we talked to Barracuda support to discover this solution; the support people were competent and helpful. In principle, the firewall also supports reverse tunneling, which you can use to log in to the device; however, this approach works only if you have an Internet connection.
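The routing conflict and its fix described above, modelled as an added example (not part of the original article and not Barracuda's code). It assumes the factory management mask is 0.0.0.0, which the article implies but does not state; the uplink gateway, the metrics, and the test addresses are constructed sample values.

```python
import ipaddress

MGMT_IP = "192.168.200.200"   # management address given in the article
UPLINK_GW = "203.0.113.1"     # constructed sample gateway learned via DHCP on port 2

def connected_network(ip, mask):
    """Network the interface treats as directly attached (on-link)."""
    prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_interface(f"{ip}/{prefixlen}").network

def build_table(mgmt_mask):
    """Two-entry routing table: (network, next hop, metric). Metrics are assumed."""
    return [
        (connected_network(MGMT_IP, mgmt_mask), "on-link (bridge)", 0),
        (ipaddress.ip_network("0.0.0.0/0"), f"via {UPLINK_GW} (port 2)", 100),
    ]

def lookup(table, dest):
    """Longest-prefix match; equal prefixes are decided by the lower metric."""
    addr = ipaddress.ip_address(dest)
    matches = [route for route in table if addr in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def workstation_on_link(ws_ip, mgmt_mask):
    """Can a PC with this address reach the management IP without a router?"""
    return ipaddress.ip_address(ws_ip) in connected_network(MGMT_IP, mgmt_mask)

if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.255.255.0"):
        table = build_table(mask)
        print(f"management mask {mask}: connected network {table[0][0]}")
        print("  Internet host 198.51.100.10 ->", lookup(table, "198.51.100.10"))
        print("  PC 10.1.2.3 on-link:", workstation_on_link("10.1.2.3", mask))
        print("  PC 192.168.200.10 on-link:", workstation_on_link("192.168.200.10", mask))
```

With the all-zero mask, every destination counts as directly attached, so the DHCP default route on port 2 is never chosen; with 255.255.255.0, only 192.168.200.x is on-link, which is why the workstation then needs an address from that network.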
Cut
One feature that proved particularly annoying during the setup and troubleshooting was that the user is not allowed to make many adjustments to the firewall if it is not enabled through a connection to the Barracuda site. Troubleshooting the connection to the Internet is a pain if you need precisely this connection. From a customer perspective, it is difficult to see why a device that you have paid for in full is restricted in terms of its capabilities. It's really annoying when the firewall prompts you to click on a link to effect a change, only to refuse to do so with a message of "This operation is not permitted until this Barracuda firewall is activated."
Firewall and Router
After successfully overcoming these hurdles, you can look forward to a firewall that comes with many features. These features include standard filters at IP and port level, as well as application-specific filters that inspect the packet contents. For example, admins can block access to Facebook, Skype, or P2P networks if the corporate policy so dictates.
Additionally, the firewall provides many functions that are typically handled by routers, such as connecting to the Internet via a backup line (e.g., via the 3G modem or DSL with PPPoE). This functionality is convenient, for example, for linking with branch offices; you only need an additional firewall that can also encrypt the connection via an IPsec VPN. Quality-of-service, as implemented by the firewall, ensures that important services have priority on fallback connections with less bandwidth. The X201 model we tested can also be used as a wireless access point; besides WPA-PSK, it can use WPA-RADIUS for authentication. The firewall can even provide a captive portal that first presents users with a website. The firewall also supports address translation via DNAT and SNAT.
If you operate a web server on your local network, you can use the Barracuda firewall to set up a DMZ (demilitarized zone) for this purpose. The firewall then regulates the traffic from the Internet and from the intranet to the DMZ separately. To run the web server on port 8080, for example, the firewall can use port translation to shift incoming requests to a different port.