Fundamental Firewall Designs
Firewall design has evolved over the years, from simple, flat designs such as the dual-homed host and the screened host to layered designs such as the screened subnet. Although these terms are no longer in common use and flat designs have largely faded, the fundamentals are still worth understanding: each step in this evolution added network defense-in-depth, which led to the DMZ and to more secure, segmented networks.
Bastion Hosts
A bastion host is any host exposed directly to the Internet (or another untrusted network) with no protecting device, such as a firewall, in front of it. Because nothing else shields it, a bastion host must protect itself and be hardened to withstand attack. A bastion host usually provides one specific service; every other service should be disabled so that the only thing listening on the network is the service the host exists to provide.
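The "all other services should be disabled" rule is easy to state and easy to get wrong, so the check below audits a bastion host's listening sockets against an allow-list of the one service it should provide (plus administrative SSH). This is an added example, not code from the book: SAMPLE_SS_OUTPUT is a constructed sample written in the column layout of `ss -ltnp` (state, queues, local address:port, peer address:port, process), and ALLOWED_SERVICES is an assumed allow-list for a bastion that runs an SMTP relay. On a real host you would feed in the live command output instead.

```python
"""Audit a bastion host's listening sockets against the service it should run.

Added example, not from the book. SAMPLE_SS_OUTPUT is a constructed sample in
the column layout of `ss -ltnp`; ALLOWED_SERVICES is an assumption for a
bastion that provides SMTP and is administered over SSH.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample: what `ss -ltnp` might print on a poorly hardened bastion.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1203,fd=13))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=655,fd=7))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1410,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumption: port -> process that is allowed to own it on this bastion.
ALLOWED_SERVICES: Dict[int, str] = {22: "sshd", 25: "master"}

# One LISTEN line: state, two queue counters, local addr:port, peer, process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local address, port, process) for every LISTEN line; the header is skipped."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m["addr"], int(m["port"]), m["proc"]))
    return found


def _is_loopback(addr: str) -> bool:
    # ss prints IPv6 addresses in brackets, e.g. "[::1]"; strip them before parsing.
    return ip_address(addr.strip("[]")).is_loopback


def audit_listeners(listeners: List[Tuple[str, int, str]],
                    allowed: Dict[int, str]) -> List[Dict]:
    """Flag every listener that is not an allow-listed port owned by the expected process.

    A loopback-only listener is still reported (it is a service that should be
    disabled) but marked exposed=False so the externally reachable ones stand out.
    """
    findings = []
    for addr, port, proc in listeners:
        expected = allowed.get(port)
        if expected == proc:
            continue
        reason = ("not on the allow-list" if expected is None
                  else f"port {port} served by {proc}, expected {expected}")
        findings.append({
            "port": port,
            "process": proc,
            "address": addr,
            "exposed": not _is_loopback(addr),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED_SERVICES):
        where = "EXPOSED" if f["exposed"] else "loopback"
        print(f"{where:8} {f['address']}:{f['port']} {f['process']} ({f['reason']})")
```

Run against the sample, the audit reports nginx on port 80 as an exposed, unexpected service and cupsd on 631 as a loopback-only one; the two sshd entries (IPv4 and IPv6) and the Postfix master on 25 pass. The port-to-process pairing also catches a case the port list alone would miss: an allowed port taken over by a different binary.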
Dual-Homed Host
A dual-homed host has two network interfaces: one connected to a trusted network and the other to an untrusted network such as the Internet. The dual-homed host does not route between the two (IP forwarding is disabled): a user who wishes to reach the trusted network from the Internet, as shown in Fig. 8.8, first logs in to the dual-homed host and then accesses the trusted network from there. This design was more common before modern firewalls appeared in the 1990s, and it is still sometimes used to reach legacy networks.
Fig. 8.8: Dual-homed host.
Screened Host Architecture
Screened host architecture is an older flat network design that uses a single router to filter traffic between the Internet and a bastion host via an access control list (ACL). The bastion host can reach other internal resources, but the router ACL forbids direct connectivity between external and internal systems, as shown in Fig. 8.9.
Fig. 8.9: Screened host network.
The difference between the dual-homed host and screened host designs is that the screened host adds a screening router, which filters Internet traffic before it reaches the bastion host or any other internal system. Screened host design does not provide network defense-in-depth: the bastion host sits on the same flat network as the systems it is meant to protect, so nothing filters traffic between them, and a compromise of the bastion host puts the entire trusted network at risk. Screened subnet architecture evolved as a result, adding defense-in-depth by placing bastion hosts on a separate DMZ network with a second filter between the DMZ and the internal network.
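To make the defense-in-depth point concrete, the following model evaluates packets against first-match ACLs in both topologies: the screened host (one screening router in front of a flat LAN that holds the bastion and the internal hosts) and, going one step beyond this page's description, the screened subnet that replaced it (bastion on a DMZ, with an interior filter in front of the LAN). This is an added example, not code from the book; the addresses, ports and rules are assumptions chosen for illustration.

```python
"""Screened host vs. screened subnet, modelled as first-match ACL evaluation.

Added example; not code from the book. Addresses, ports and rules are
assumptions chosen to illustrate the two designs:

  screened host:   Internet -> [screening router] -> flat LAN 192.0.2.0/24
                   (bastion 192.0.2.10 and internal hosts share the LAN)
  screened subnet: Internet -> [exterior router] -> DMZ 198.51.100.0/24
                   -> [interior firewall] -> internal LAN 192.0.2.0/24
                   (bastion moved to the DMZ as 198.51.100.10)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any port
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, cidr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto in ("any", pkt.proto))


def evaluate_acl(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# --- Screened host: one router, one ACL, one flat trusted LAN ----------------
INTERNAL_NET = ip_network("192.0.2.0/24")
SH_BASTION = "192.0.2.10"
SCREENING_ACL = [
    Rule("permit", "any", f"{SH_BASTION}/32", 25, "tcp"),  # SMTP relay on the bastion
    Rule("permit", "any", f"{SH_BASTION}/32", 22, "tcp"),  # admin SSH to the bastion
    Rule("deny",   "any", str(INTERNAL_NET), None),        # nothing else from outside
]


def screened_host(pkt: Packet) -> str:
    """Only packets arriving from outside cross the screening router. Traffic that
    starts on the LAN, including from a compromised bastion, never meets an ACL."""
    if ip_address(pkt.src) in INTERNAL_NET:
        return "permit"
    return evaluate_acl(SCREENING_ACL, pkt)


# --- Screened subnet: bastion on a DMZ, second filter in front of the LAN ----
DMZ_NET = ip_network("198.51.100.0/24")
SS_BASTION = "198.51.100.10"
EXTERIOR_ACL = [
    Rule("permit", "any", f"{SS_BASTION}/32", 25, "tcp"),
    Rule("permit", "any", f"{SS_BASTION}/32", 22, "tcp"),
    Rule("deny",   "any", "any", None),
]
INTERIOR_ACL = [
    # The relay may hand mail to one internal mail server and nothing else.
    Rule("permit", f"{SS_BASTION}/32", "192.0.2.25/32", 25, "tcp"),
    Rule("deny",   str(DMZ_NET), str(INTERNAL_NET), None),
    Rule("deny",   "any", str(INTERNAL_NET), None),
]


def screened_subnet(pkt: Packet) -> str:
    """A packet must pass every filter on its path: the exterior router into the
    DMZ, then the interior firewall into the LAN. Any single deny stops it.
    (Egress from the LAN is left unfiltered here to keep the model small.)"""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    verdicts = []
    if src not in DMZ_NET and src not in INTERNAL_NET:
        verdicts.append(evaluate_acl(EXTERIOR_ACL, pkt))
    if dst in INTERNAL_NET and src not in INTERNAL_NET:
        verdicts.append(evaluate_acl(INTERIOR_ACL, pkt))
    return "deny" if "deny" in verdicts else "permit"


if __name__ == "__main__":
    # Same attacker pivot in both designs: the bastion is compromised and probes
    # an internal file server on TCP/445.
    print("screened host  :", screened_host(Packet(SH_BASTION, "192.0.2.20", 445)))
    print("screened subnet:", screened_subnet(Packet(SS_BASTION, "192.0.2.20", 445)))
```

The two designs agree on what the Internet may do: SMTP and SSH to the bastion are permitted, anything aimed at an internal host is denied. They differ once the bastion is compromised. In the screened host model the bastion's own packets never traverse the router, so a probe from it to an internal file server is permitted; in the screened subnet model the same probe hits the interior ACL and is denied, and only the narrow SMTP path to the internal mail server survives. That second filter is the defense-in-depth the flat design lacks.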