Show 61 – Securing an Internet-Facing App – Part 2 – Border Routers, Firewalls, IDS/IPS

In show 61, host Ethan Banks is joined again by Mrs. Y, Daniel Powell, Bob Plankers, and Tom Hollingsworth in the second part of a virtual workbench discussion begun in show 56. We recorded this heart-warming, family-friendly episode about securing an Internet-facing application on September 9, 2011. The Packet Pushers eagerly anticipate award nominations for this gripping script expressing the love a network engineer has for his border routers, firewalls, and intrusion prevention devices. Filled with passion, packets, and paradigm shifts, this is the one show that will change the way you see everything. Okay, not really. But we think you’ll like it. We hope. After all, “it depends.”

  • Getting tough with border routers by using hardening guides.
  • We discuss whether it makes sense to filter transit traffic on the border router or not. Or is there a third option?
  • Reputation filters, real-time black hole lists, DNS sinkholes, bogon filters: generally we like them, but maybe they’re not always a good idea? Daniel sounds off.
  • ISP DDoS mitigation services are here to help because they’re big, and you’re small.
  • We talk through common firewall designs.
  • NAT does not make us secure. It just breaks things. And look – Tom’s twitching!
  • Should you use private VLANs in a DMZ? Or is that more work than it’s worth?
  • Where do multiple DMZs make sense? What about multiple firewalls?
  • Mrs. Y in a moment of frustrated despondency proclaims, “We’ve done network security to death. And it’s not working.”
  • Tom breaks down the difference between intrusion detection and intrusion prevention.
  • Some of the actions an IPS can take against detected threats: TCP resets, blackholing, rate shaping.
  • Where should you place an IDS versus an IPS?
  • Isn’t my firewall with built-in IPS functionality good enough?
  • The main evil encountered when deploying an IPS: false positives. Mrs. Y points out, “You drop one thing some VP thinks shouldn’t have been dropped, and you’re disabling everything.”
  • Are IPS signatures the crack cocaine of the security world?
  • Are you staffed to properly maintain an IPS infrastructure, since it’s not a “set it and forget it” appliance? This point gets hammered home with a vengeance.
  • Using an IPS to help your applications survive an attack.
  • Next-gen firewalls mash up L7 inspections with traditional firewall functions. How does this impact firewall performance?
  • We swap war stories about implementing Check Point Smart Defense. We laugh, we cry, we twitch. And mostly, we turn it off.
  • Daniel goes on a happy rant about Check Point’s SmartView Tracker, while Mrs. Y sings the praises of syslog and Splunk. Ethan tries to strike a balance while vendor allegiance rears its ugly head. Poke, poke, poke.
  • We wrap up with a quick reminder to assess the ability of security appliances themselves to withstand attacks.

LMGTFY (because we love you)

Ethan Banks
Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks