
DMZ Between Bastion and Choke


The bastion is the first line of defense.
For performance, the bastion would be little more than a filtering router, basically a packet-filtering firewall.

The choke firewall isolates the private LAN from the semi-public servers in the DMZ. With the bastion performing the front-line filtering, the choke can afford the higher-cost stateful inspection or application-level proxying.

Servers in the DMZ are typically dedicated servers hosting a single service. Each host has its own very simple, very specific firewall, and possibly server-specific stateful inspection or related firewall or intrusion detection functionality as well.
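As an added example (not from the slides or from the book they cite), the following nftables ruleset maps the three tiers described above onto concrete filter rules: a stateless bastion, a stateful choke, and a minimal host firewall on one DMZ server. The addresses (DMZ 192.0.2.0/24, private LAN 10.10.0.0/16, web server 192.0.2.10, mail relay 192.0.2.25, internal mail server 10.10.1.25), the interface names and the choice of nftables are all assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original slides.
# Assumed addressing: DMZ 192.0.2.0/24, private LAN 10.10.0.0/16,
# web server 192.0.2.10, mail relay 192.0.2.25, internal mail 10.10.1.25.
# Assumed interfaces: eth_wan (Internet), eth_dmz (DMZ), eth_lan (private LAN).

# --- Bastion: stateless packet filter, cheap per packet -------------------
table inet bastion {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Anti-spoofing: our own address ranges never arrive from the Internet.
        iifname "eth_wan" ip saddr { 192.0.2.0/24, 10.0.0.0/8 } drop

        # Only the published DMZ services may be opened from the Internet.
        iifname "eth_wan" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "eth_wan" ip daddr 192.0.2.25 tcp dport 25 accept

        # Anything originating on the DMZ side may leave.
        iifname "eth_dmz" oifname "eth_wan" ip saddr 192.0.2.0/24 accept

        # Return traffic: no connection tracking here, so "established" is
        # approximated by the ACK bit (SYN-only packets are still dropped).
        iifname "eth_wan" ip daddr 192.0.2.0/24 tcp flags & (syn|ack) == ack accept
        iifname "eth_wan" ip daddr 192.0.2.0/24 udp sport 53 accept
    }
}

# --- Choke: stateful filter that shields the private LAN ------------------
table inet choke {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # The LAN may open connections towards the DMZ and the Internet.
        iifname "eth_lan" oifname "eth_dmz" accept

        # DMZ hosts never initiate connections into the LAN; the one
        # exception is the mail relay delivering to the internal mail server.
        iifname "eth_dmz" ip saddr 192.0.2.25 ip daddr 10.10.1.25 tcp dport 25 accept
        iifname "eth_dmz" oifname "eth_lan" log prefix "choke-dmz-to-lan: " drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;

        # LAN hosts talking to the Internet appear as the choke's DMZ-side
        # address, so the bastion only ever sees 192.0.2.0/24 sources.
        # Traffic to the DMZ servers themselves keeps its LAN address.
        oifname "eth_dmz" ip daddr != 192.0.2.0/24 masquerade
    }
}

# --- DMZ web server: its own very simple, very specific firewall ----------
table inet webhost {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # The single service this host exists to provide.
        tcp dport { 80, 443 } accept

        # Administration only from the private LAN (arrives via the choke).
        ip saddr 10.10.0.0/16 tcp dport 22 accept

        # ICMP needed for path MTU discovery and basic diagnostics.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
}
```

The bastion's ACK-bit rule is the stateless approximation that keeps it cheap: it never tracks sessions, so it cannot tell a genuine reply from a stray packet that merely has ACK set. That gap is exactly why the choke, the tier that protects the private LAN, uses connection tracking, and why each DMZ host still runs its own input filter rather than trusting the bastion alone.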

This is the definition of “bastion” that Zwicky, Cooper and Chapman use in the 2000 edition of their book, “Building Internet Firewalls”.