Screened Subnet


  • to configure a perimeter network, security configurations must be enabled on:
    • external interface
    • internal interface
  • multiple ways of implementing it, either physical or virtual

A screened subnet is a segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

  • aka perimeter network
  • acts as a neutral zone
    • separates public-facing servers from sensitive internal network resources
  • uses two firewalls placed on either side of the perimeter network zone
    • screening firewall
      • restricts traffic on the external/public interface
      • allows permitted traffic to the hosts in the perimeter zone subnet
    • internal firewall
      • filters communications between hosts in the perimeter subnet and hosts on the LAN
      • called choke firewall
      • choke point is a purposefully narrow gateway that facilitates better access control and easier monitoring

  • can also create screened subnet with one router/firewall and three (or more) network interfaces
    • called triple homed
    • one interface is public
    • other interface is the perimeter subnet
    • third interface connects to LAN
    • routing and filtering rules determine what forwarding is allowed between interfaces
    • can achieve the same configuration as a screened subnet
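As an added example (not part of the original notes), the forwarding policy of a Linux triple-homed firewall expressed as an nftables ruleset; the interface names eth0/eth1/eth2 and the published ports 80/443 are assumptions, and the function only prints the ruleset so it can be reviewed before being applied with nft -f:

```shell
#!/bin/sh
# Emit an nftables ruleset for a triple-homed screened subnet.
# Interface names and the published DMZ ports are assumptions for this example.
# Usage: gen_screened_subnet_rules WAN_IF DMZ_IF LAN_IF > screened.nft
#        nft -f screened.nft   (review the output first; nothing is applied here)
gen_screened_subnet_rules() {
    wan="$1"; dmz="$2"; lan="$3"
    cat <<EOF
flush ruleset
table inet screened {
    # Ports the perimeter hosts publish to the Internet (assumed: web only)
    set dmz_public_ports { type inet_service; elements = { 80, 443 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept

        # Screening role: Internet may reach DMZ hosts only on published ports
        iifname "$wan" oifname "$dmz" tcp dport @dmz_public_ports ct state new accept

        # Choke role: DMZ hosts may never initiate connections into the LAN
        iifname "$dmz" oifname "$lan" counter drop

        # LAN may manage the DMZ hosts and reach the Internet
        iifname "$lan" oifname "$dmz" ct state new accept
        iifname "$lan" oifname "$wan" ct state new accept

        # Anything else (Internet -> LAN, DMZ -> Internet, ...) hits the drop policy
    }
}
EOF
}

# Example run with the assumed interface names (constructed, not from a real host)
gen_screened_subnet_rules eth0 eth1 eth2
```

DMZ hosts that need outbound access (package updates, for instance) require an explicit DMZ -> WAN rule; the default here is to leave that closed so the perimeter zone cannot act as a pivot.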

Info

  • Various types of Internet-facing zones or hosts are also popularly referred to as a demilitarized zone (DMZ).
  • that term does not accurately describe the purpose or configuration of a perimeter network
  • Hosts in a perimeter network remain fully managed by a private organization
  • Filtered public access is permitted, but there is no “demilitarization” in the sense of making the zone in any way neutral or jointly operated