Educause Security Discussion mailing list archives
Re: WAF
From: Jason Edelstein <jasone () UCHICAGO EDU>
Date: Tue, 6 Aug 2019 18:06:30 -0500
We do not ubiquitously use WAFs for precisely that quoted reason. We have an IPS and classical firewall, though they aren't analogous, of course.
Most I've seen are temperamental, hard to maintain or costly, and generally are a tier removed from where we believe the biggest risks are. If we just patch Oracle stuff harder, we don't need to introduce another potentially brittle link in the infrastructure. Our general stance is that a WAF is gold plating for most parts of our security program - especially when a lot of our major systems are cloud-based and vendors have their own security programs.
Cheers, -je On 8/6/19 12:51 PM, David Eilken wrote:
(or possibly no worth the cost to maintain)?
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- WAF David Eilken (Aug 06)
- Re: WAF Jason Edelstein (Aug 06)