Screened Host Architecture


A screened host firewall at its simplest is identical to the dual-homed architecture.

More formally, the distinction is that the filtering router and the bastion host are two separate devices. The assumption is that it is more difficult to compromise a packet-filtering router that runs no services than it is to compromise a complete host.

The bastion is the only host accessible from remote hosts, and the only local host capable of directly accessing the Internet.

All other local machines connect to the bastion, and the bastion either proxies or NATs connections to remote sites.
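The screening router's policy, modelled as a first-match ruleset with an audit that confirms the bastion is the only host exposed in either direction. This is an added illustration, not code from the notes; the addresses are constructed assumptions.

```python
import ipaddress

# Constructed example addressing for the screened host layout (assumption,
# not from the notes): one internal LAN, a bastion on it, the rest of the
# Internet on the router's outside interface.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
BASTION = ipaddress.ip_network("10.0.0.2/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Screening-router ruleset: (src, dst, action), first match wins, default deny.
# Only the bastion is reachable from remote hosts and only the bastion may send
# directly to the Internet; other internal hosts must go through the bastion.
SCREENING_RULES = [
    (ANY, BASTION, "permit"),      # remote -> bastion: the one exposed host
    (BASTION, ANY, "permit"),      # bastion -> Internet: proxy / NAT egress
    (INTERNAL, ANY, "deny"),       # internal hosts never reach out directly
    (ANY, INTERNAL, "deny"),       # remote hosts never reach internal hosts
]


def decide(src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet the router is asked to forward."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in SCREENING_RULES:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # nothing matched: the implicit default deny


def audit(internal_hosts, remote="203.0.113.7"):
    """Check the policy from both directions with a constructed remote address.

    Returns (exposed, egress): the internal hosts a remote peer can reach and
    the internal hosts that can reach the Internet without the bastion.
    A correct screened-host policy yields the bastion alone in both sets.
    """
    exposed = {h for h in internal_hosts if decide(remote, h) == "permit"}
    egress = {h for h in internal_hosts if decide(h, remote) == "permit"}
    return exposed, egress


if __name__ == "__main__":
    hosts = ["10.0.0.2", "10.0.0.50", "10.0.0.51"]
    print(audit(hosts))  # ({'10.0.0.2'}, {'10.0.0.2'})
```

Any entry in the second set other than the bastion means an internal host has a direct path to the Internet and the router is not screening it.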