Screened Subnet Architecture


The screened-subnet architecture insulates the bastion host from both the Internet and the internal network by placing a filtering router on each side of it: one on its external interface and one on its internal interface.

Again, formally, the packet filtering is done by separate devices, rather than by the bastion host itself. The idea is that if the bastion host is compromised, the internal filtering router still protects the internal network.

In the screened-host architecture, by contrast, the internal network is left unprotected if the bastion host falls to an attack.
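
The difference can be checked with a small model of the two filter sets. This is an added example, not part of the original page; the addresses, ports and filter rules are constructed assumptions chosen only to illustrate the comparison.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing and services (assumptions for illustration only).
BASTION = ip_address("192.0.2.10")   # bastion host
MAIL = ip_address("10.0.0.25")       # internal mail server
DB = ip_address("10.0.0.50")         # internal database
ANY = ip_network("0.0.0.0/0")

def host(addr):
    return ip_network(f"{addr}/32")

# Each rule: (source network, destination network, destination port).
# Anything not listed is denied.
EXTERIOR = [(ANY, host(BASTION), 25)]          # Internet may reach only the bastion
INTERIOR = [(host(BASTION), host(MAIL), 25)]   # bastion may relay mail inward only

def permits(rules, src, dst, port):
    return any(src in s and dst in d and port == p for s, d, p in rules)

def reachable(routers, src, dst, port):
    """A connection succeeds only if every router on its path permits it."""
    return all(permits(r, src, dst, port) for r in routers)

# Filtering routers a packet crosses, by architecture and source location.
PATHS = {
    ("screened-subnet", "internet"): [EXTERIOR, INTERIOR],
    ("screened-subnet", "bastion"): [INTERIOR],
    ("screened-host", "internet"): [EXTERIOR],
    ("screened-host", "bastion"): [],   # bastion sits on the internal network
}

SERVICES = [(MAIL, 25), (MAIL, 22), (DB, 5432)]

def exposed_if_bastion_compromised(arch):
    """Internal services reachable from the bastion once it is compromised."""
    path = PATHS[(arch, "bastion")]
    return [(str(h), p) for h, p in SERVICES if reachable(path, BASTION, h, p)]

if __name__ == "__main__":
    for arch in ("screened-host", "screened-subnet"):
        print(arch, exposed_if_bastion_compromised(arch))
```

In this model the screened-host case exposes every listed internal service, while the screened-subnet case exposes only what the interior router explicitly permits from the bastion.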