Screened Subnet Architecture – The most common firewall architecture
Screened Subnet Architecture refers to setting up a firewall (or two firewalls) so that a separate subnet is dedicated to a demilitarized zone (DMZ). Traffic arriving from the external Internet can reach only the DMZ, and internal users' traffic also passes through the DMZ before it goes out to the Internet.
Bastion hosts are placed in the DMZ. These hosts serve external visitors who request services from the network owner; HTTP, FTP and SMTP are the services most commonly provided by bastion hosts in a DMZ. Because bastion hosts exist to support access by external users, they have to be hardened against attacks from the Internet.
The DMZ implements the security concept of layered defence. Even if external attackers succeed in compromising a bastion host, they still have to find a way into the internal network. This extra layer adds difficulty because every externally reachable server sits in the DMZ, so attackers are unlikely to have any direct access to hosts on the internal network. The layer only holds, however, if the firewall rules do not let hosts in the DMZ initiate connections into the internal network; a compromised bastion host with such access would be a ready-made pivot.
The most direct way to set up a DMZ is to use two firewalls with two network interfaces each. One firewall is connected to the internal network and the other to the external Internet. The two firewalls are then joined through their remaining interfaces, and the subnet between them forms the DMZ.
Another solution is a single firewall with three network interfaces: one connected to the Internet, one to the internal network and one to the DMZ subnet. The firewall rules can then be configured so that the DMZ operates as a middle network between the external and internal networks.
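The following is an added example, not code from the original post: a small zone-based, stateful policy model of the three-interface firewall described above. The address ranges, port numbers and the rule set are assumptions chosen to illustrate the screened-subnet policy (Internet may reach only the bastion services in the DMZ, internal users may reach the DMZ, nothing may initiate connections from the DMZ or the Internet into the internal network, and return traffic of an accepted session is allowed back). It lets you check, for a given flow, whether the layered-defence property actually holds before you encode the same policy in a real firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample zones for the three-legged firewall (assumed ranges,
# not from the original post). Anything outside dmz/internal is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # bastion hosts
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # user network
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface/zone it arrives on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty set means any destination port
    action: str


# Hypothetical screened-subnet rule set. Order matters; first match wins.
# There is deliberately NO rule for dmz->internal or internet->internal,
# so those flows fall through to the default drop.
RULES = [
    # External visitors may use the bastion services (HTTP, HTTPS, SMTP, FTP control)
    Rule("internet", "dmz", "tcp", frozenset({80, 443, 25, 21}), "accept"),
    # Internal users may reach anything in the DMZ (e.g. a web proxy or mail relay)
    Rule("internal", "dmz", "any", frozenset(), "accept"),
    # Bastion hosts may relay mail and proxy web traffic out to the Internet
    Rule("dmz", "internet", "tcp", frozenset({25, 80, 443}), "accept"),
]


class StatefulFirewall:
    """Evaluates flows against zone rules plus a simple connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport, proto) of accepted flows

    def evaluate(self, src, sport, dst, dport, proto="tcp") -> str:
        # Reply packets of an already accepted session are allowed back through,
        # which is what lets a bastion answer an external client without any
        # dmz->internet rule for ephemeral ports.
        if (dst, dport, src, sport, proto) in self.sessions:
            return "accept"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        for r in self.rules:
            if (r.src_zone == src_zone and r.dst_zone == dst_zone
                    and r.proto in ("any", proto)
                    and (not r.dports or dport in r.dports)):
                if r.action == "accept":
                    self.sessions.add((src, sport, dst, dport, proto))
                return r.action
        return "drop"  # default deny: covers dmz->internal and internet->internal


def pivot_attempt_blocked() -> bool:
    """Scenario: an attacker who owns a bastion host tries to reach internal SSH."""
    fw = StatefulFirewall(RULES)
    fw.evaluate("198.51.100.7", 40000, "192.0.2.10", 80)   # visitor hits the web bastion
    return fw.evaluate("192.0.2.10", 50000, "10.10.1.5", 22) == "drop"


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    flows = [
        ("198.51.100.7", 40000, "192.0.2.10", 80),    # internet -> dmz web
        ("192.0.2.10", 80, "198.51.100.7", 40000),    # reply of that session
        ("192.0.2.10", 50000, "10.10.1.5", 22),       # compromised bastion -> internal
        ("198.51.100.7", 40001, "10.10.1.5", 445),    # internet -> internal directly
        ("10.10.1.5", 40002, "192.0.2.10", 3128),     # internal -> dmz proxy
        ("10.10.1.5", 40003, "198.51.100.7", 80),     # internal -> internet, bypassing DMZ
    ]
    for f in flows:
        print(f, "->", fw.evaluate(*f))
```

The point to take from running it is the fourth and sixth flows: with only the rules above, neither the Internet nor a compromised bastion host can open a connection into the internal network, and internal clients cannot bypass the DMZ. If you later add a dmz->internal rule (say, for a database behind the web server), restrict it to the one destination host and port, because that rule is exactly the path an attacker on the bastion will use.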

September 30th, 2021 at 7:45 pm
I discovered your blog site on Google and tested a couple of your early posts. Proceed to keep up the very good work. I simply added your RSS feed to my MSN News Reader. Looking forward to reading more from you in a while!