Reasons Not To Use A WAF
A WAF, or a Web Application Firewall, sounds like a good way to protect your services.
Most companies use WAFs because it’s an easy way to check off an item for certain compliance frameworks.
Here are some reasons why you might want to reconsider using a WAF:
- False Positives and Negatives: You can block legitimate traffic or fail to detect legitimate threats.
- Zero-Days: WAFs can’t detect Zero-Day vulnerabilities.
- Performance Impact: A WAF is like a main in the middle for your traffic that scans its contents. The scanning will increase the latency of your services.
- Microservices Architecture: WAFs are less effective with a microservices architecture due to an increased surface area and the number of custom rules that need to be created and maintained.
If you’re still curious and want to learn more, here’s some additional reading:
- https://www.macchaffee.com/blog/2023/wafs/
- https://security.stackexchange.com/questions/273357/whats-wrong-with-the-use-of-a-waf-web-application-firewall
Join the 80/20 DevOps Newsletter
If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.
Not sure yet? Check out the archive.
Unsubscribe at any time.