Are Two Firewalls Better than One?
Screened Subnet Architecture and Firewalls
A firewall’s function is to act as a gatekeeper, keeping Internet “bad guys” out of your internal network. Setting up an effective firewall requires careful planning.
In my view, the Screened Subnet Architecture is a preferred network setup for firewalls to protect your company’s network while at the same time allowing external visitors to access your public service hosts.
What is Screened Subnet Architecture?
Let’s take a look at how a typical Screened Subnet Architecture is set up:

From this diagram, note that there are two firewalls, not one, in the network structure. The exterior firewall is configured to allow external traffic to reach the subnet section (the Perimeter Network) where you have placed the public service hosts (Bastion Hosts), such as your e-mail server, web server, and/or DNS server. The interior firewall acts as a second gatekeeper that keeps external visitors from coming directly into your internal corporate network. The subnet section holding the service hosts is called the “Screened Subnet” or “Perimeter Network,” hence the name “Screened Subnet Architecture” for this type of network layout. The Screened Subnet is also called the “DM Zone” (demilitarized zone) or simply the “DMZ”.
What is the benefit of using Screened Subnet Architecture for a firewall setup?
The advantage of this setup is that if your external hosts are exploited (as they could be, since they serve many external visitors’ requests and are exposed to a greater risk of being hacked), you still have the interior firewall as a second gatekeeper to fend off the attacks a hacker launches from the exploited hosts. Likewise, if the exterior firewall has been compromised, the interior firewall can still block the hackers’ direct intrusion into the corporate internal network.
There are variations of this network setup that serve similar functions. One variation uses a single firewall with three network interfaces: one for the external Internet connection, another for the Screened Subnet, and a third for the internal network. The firewall is configured to allow external visitors to reach the Screened Subnet only, with no access to the internal network interface.

This setup, of course, saves the hassle of maintaining two firewalls and lets you concentrate on the security maintenance of a single firewall.
However, the disadvantage is that if this single firewall is compromised, chances are the attackers can reach the internal network through the firewall’s internal interface. This, of course, poses a great security risk in a corporate environment.
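As an added illustration (not part of the original post), the following Python model evaluates a first-match filter policy for both layouts described above and shows why the interior firewall still holds when a bastion host or the exterior firewall is compromised, whereas the three-interface variant fails open. The address ranges, ports and rule sets are constructed assumptions, not taken from the article.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional
# Constructed address plan (assumption, not from the article).
DMZ = ip_network("192.0.2.0/24")      # screened subnet / perimeter network
INTERNAL = ip_network("10.0.0.0/8")   # corporate internal network
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

def evaluate(rules, src, dst, dport):
    """First-match packet filter with an implicit default deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

# Exterior firewall: the Internet may reach only the published bastion services.
EXTERIOR = [Rule(ANY, DMZ, 25, "allow"),   # e-mail
            Rule(ANY, DMZ, 53, "allow"),   # DNS
            Rule(ANY, DMZ, 80, "allow")]   # web
# Interior firewall: internal hosts may reach the DMZ; nothing initiates inward.
INTERIOR = [Rule(INTERNAL, DMZ, None, "allow"),
            Rule(DMZ, INTERNAL, None, "deny")]

def zone(addr):
    return "dmz" if addr in DMZ else "internal" if addr in INTERNAL else "internet"

def two_firewall(src, dst, dport, compromised=frozenset()):
    """Screened subnet: every firewall on the path must allow; a compromised one passes everything."""
    src, dst = ip_address(src), ip_address(dst)
    zones = {zone(src), zone(dst)}
    path = []
    if "internet" in zones: path.append(("exterior", EXTERIOR))
    if "internal" in zones: path.append(("interior", INTERIOR))
    for name, rules in path:
        if name not in compromised and evaluate(rules, src, dst, dport) == "deny":
            return "deny"
    return "allow"

def three_legged(src, dst, dport, compromised=False):
    """Single three-interface firewall holding the combined policy."""
    src, dst = ip_address(src), ip_address(dst)
    return "allow" if compromised else evaluate(EXTERIOR + INTERIOR, src, dst, dport)
```

The model covers new inbound connections only; egress policy and stateful reply handling are left out to keep the comparison focused.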