Internet & Intranet Security
11.3 SCREENED SUBNET FIREWALL CONFIGURATIONS
As illustrated in Figure 11.4, a screened subnet firewall configuration consists of a subnet bounded by two screening routers, with a single-homed bastion host placed on that subnet. The outer screening router has to make sure that all (or at least most) traffic from the Internet passes through an application gateway running on the bastion host, and the inner screening router in turn admits into the intranet only the traffic that originates from the bastion host (or from other hosts on the subnet). The subnet located between the outer and the inner screening router is therefore screened from both sides, and it is sometimes also referred to as a demilitarized zone (DMZ).[1]
Similar to the other configurations discussed thus far, the bastion host can also be replicated an arbitrary number of times in a screened subnet firewall configuration. A corresponding screened subnet firewall configuration with multiple bastion hosts is illustrated in Figure 11.5. The big advantage of this configuration is that dedicated hosts can be used to provide specific services. The resulting separation of servers and services is attractive from a security point of view: a compromise of the host providing one service does not automatically expose the hosts providing the others.
Note that the two screening routers provide defense in depth rather than redundancy in the availability sense: an attacker would have to subvert both routers in order to reach intranet systems directly. Also note that the bastion host and the additional servers on the DMZ can be set up to be the only systems visible from the Internet; no other system name needs to appear in the DNS database that is made accessible to the outside world (the external half of a split DNS).
A screened subnet firewall configuration can be made more flexible by permitting certain services to pass around the bastion host and the corresponding application gateways. Every such exception, however, must be opened on both screening routers and therefore pierces both screens, so it should be confined to a single, well-defined service and destination. As an alternative to passing services directly between the intranet and the Internet, you may also locate the systems that need these services directly on the screened subnet. This is in fact the preferred configuration, but it is not always possible.
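The following is an added example, not code from the book: a small packet-filter model of the configuration in Figures 11.4 and 11.5 that makes the roles of the outer and inner screening routers, the dedicated DMZ servers, the "subvert both routers" property, and the bypass discussed above concrete. The address plan (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the intranet), the host roles, the port numbers, and the rule lists are assumptions chosen for the illustration; a real deployment would express the same rules as router ACLs or host firewall rules.

```python
"""Toy packet-filter model of a screened subnet (DMZ) firewall.

Added illustration, not code from the book. The address plan, host roles,
ports and rules are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption).
INTERNET = ip_network("0.0.0.0/0")          # "anywhere" in a rule
DMZ = ip_network("192.0.2.0/24")            # the screened subnet
INTRANET = ip_network("10.0.0.0/8")
BASTION = ip_network("192.0.2.10/32")       # single-homed bastion host (proxies)
MAIL_RELAY = ip_network("192.0.2.25/32")    # dedicated DMZ server (Figure 11.5 style)
MAIL_HUB = ip_network("10.1.1.25/32")       # internal mail server behind the inner router
ANY_PORT = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    permit: bool
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # ANY_PORT (None) matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (self.dport is ANY_PORT or self.dport == p.dport))


def router_permits(rules: List[Rule], p: Packet) -> bool:
    """Router ACL semantics: first matching rule wins, implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.permit
    return False


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTRANET:
        return "intranet"
    return "internet"


# Which screening routers a packet crosses, by (source zone, destination zone).
PATH = {
    ("internet", "dmz"): ("outer",),
    ("dmz", "internet"): ("outer",),
    ("dmz", "intranet"): ("inner",),
    ("intranet", "dmz"): ("inner",),
    ("internet", "intranet"): ("outer", "inner"),
    ("intranet", "internet"): ("inner", "outer"),
}

# Outer screening router: only the bastion host and the dedicated DMZ servers
# are reachable from the Internet; intranet addresses never cross this router.
OUTER = [
    Rule(False, INTERNET, INTRANET, ANY_PORT),
    Rule(False, INTRANET, INTERNET, ANY_PORT),
    Rule(True, INTERNET, BASTION, 80),        # HTTP application gateway
    Rule(True, INTERNET, MAIL_RELAY, 25),     # SMTP relay on the DMZ
    Rule(True, DMZ, INTERNET, ANY_PORT),      # DMZ hosts may initiate outbound
]

# Inner screening router: intranet clients talk only to the bastion's proxy,
# and only the mail relay (not the bastion) may push mail into the intranet.
INNER = [
    Rule(True, INTRANET, BASTION, 8080),      # clients use the HTTP proxy
    Rule(True, MAIL_RELAY, MAIL_HUB, 25),     # relay forwards accepted mail inward
    Rule(True, INTRANET, MAIL_RELAY, 25),     # mail hub sends outbound mail via relay
]

# Model of a fully subverted outer router: it permits everything.
PERMIT_ALL = [Rule(True, INTERNET, INTERNET, ANY_PORT)]

# The "flexibility" of Section 11.3: one service allowed to bypass the bastion.
# It has to be prepended to BOTH rule lists, i.e. it pierces both screens.
HTTPS_BYPASS = Rule(True, INTRANET, INTERNET, 443)


def with_bypass(rules: List[Rule], rule: Rule = HTTPS_BYPASS) -> List[Rule]:
    return [rule] + list(rules)


def permitted(p: Packet, outer: List[Rule] = OUTER, inner: List[Rule] = INNER) -> bool:
    """A packet gets through only if every screening router on its path permits it.
    Traffic that stays inside one zone never crosses a router and is not filtered."""
    src_zone, dst_zone = zone(p.src), zone(p.dst)
    if src_zone == dst_zone:
        return True
    routers = {"outer": outer, "inner": inner}
    return all(router_permits(routers[name], p) for name in PATH[(src_zone, dst_zone)])


if __name__ == "__main__":
    # Constructed sample packets (assumption).
    print(permitted(Packet("198.51.100.7", "192.0.2.10", 80)))   # True: to the gateway
    print(permitted(Packet("198.51.100.7", "10.1.1.25", 25)))    # False: outer router
    print(permitted(Packet("198.51.100.7", "10.1.1.25", 25), outer=PERMIT_ALL))  # False: inner router still screens
    print(permitted(Packet("10.1.2.3", "203.0.113.5", 443),
                    outer=with_bypass(OUTER), inner=with_bypass(INNER)))  # True: bypass on both routers
```

The model routes by address only, so it does not capture interface-based anti-spoofing checks (a packet with an intranet source address arriving on the outer router's Internet interface); a real outer router needs such a check in addition to the rules shown. The interesting cases are the two in which a single router is not enough: a subverted outer router does not by itself open the intranet, and the bypass only works once both routers carry the exception.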
In summary, the screened subnet firewall configuration is flexible and provides a reasonable level of security. As such, it has been a preferred firewall configuration in the past.
[1]The DMZ is named after the strip of no-man's-land between North and South Korea.