Re: WAF

[Jason Edelstein <jasone () UCHICAGO EDU>]

We do not ubiquitously use WAFs for precisely that quoted reason. We 
have an IPS and classical firewall, though they aren't analogous, of course.

Most I've seen are temperamental, hard to maintain or costly, and 
generally are a tier removed from where we believe the biggest risks 
are. If we just patch Oracle stuff harder, we don't need to introduce 
another potentially brittle link in the infrastructure. Our general 
stance is that a WAF is gold plating for most parts of our security 
program - especially when a lot of our major systems are cloud-based and 
vendors have their own security programs.

Cheers,
-je

On 8/6/19 12:51 PM, David Eilken wrote:
> (or possibly no worth the cost to maintain)?



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community