Compared to other architectures, however, such as the screened subnet
architecture discussed in the following section, there are some
disadvantages to the screened host architecture. The major one is that
if an attacker manages to break into the bastion host, there is nothing
left in the way of network security between the bastion host and the
rest of the internal hosts. The router also presents a single point of
failure: if the router is compromised, the entire network is available
to an attacker. For these reasons, the screened subnet architecture has
become increasingly popular.
Screened subnet architecture
The screened subnet architecture adds an extra layer of security to the
screened host architecture by adding a perimeter network that further
isolates the internal network from the Internet.
Why do this? By their nature, bastion hosts are the most vulnerable
machines on your network. Despite your best efforts to protect them,
they are the machines most likely to be attacked, because they're the
machines that can be attacked. If, as in a screened host architecture,
your internal network is wide open to attack from your bastion host,
then your bastion host is a very tempting target. There are no other
defenses between it and your other internal machines (besides whatever
host security they may have, which is usually very little). If someone
successfully breaks into the bastion host in a screened host
architecture, he's hit the jackpot.
By isolating the bastion host on a perimeter network, you can reduce the
impact of a break-in on the bastion host. It is no longer an
instantaneous jackpot; it gives an intruder some access, but not all.
With the simplest type of screened subnet architecture, there are two
screening routers, each connected to the perimeter net. One sits
between the perimeter net and the internal network, and the other sits
between the perimeter net and the external network (usually the
Internet). To break into the internal network with this type of
architecture, an attacker would have to get past both routers. Even if
the attacker somehow broke into the bastion host, he'd still have to
get past the interior router. There is no single vulnerable point whose
compromise exposes the internal network.
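The following model makes the difference concrete. It is an added example, not code from the book: a tiny first-match, stateless packet filter applied to the two architectures above. In the screened subnet case, an exterior router sits between the Internet and the perimeter net and an interior router between the perimeter net and the inside; in the screened host case a single router separates the Internet from an internal net that also holds the bastion host. All addresses (192.0.2.0/24 as the perimeter net, 10.0.0.0/8 as the internal net, the bastion at 192.0.2.10 or 10.0.0.10, an internal mail hub at 10.0.0.25) and the rule sets are constructed for the example; the permitted services (SMTP and HTTP to the bastion, SMTP from the bastion to the mail hub) are assumptions chosen to keep the rules short, and return traffic is deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (documentation ranges), not taken from the book.
INTERNET  = ipaddress.ip_network("0.0.0.0/0")      # "anywhere"
PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # perimeter net (screened subnet)
INTERNAL  = ipaddress.ip_network("10.0.0.0/8")     # internal network
BASTION   = ipaddress.ip_address("192.0.2.10")     # bastion host on the perimeter net
MAIL_HUB  = ipaddress.ip_address("10.0.0.25")      # internal mail hub the bastion relays to


def host(addr) -> ipaddress.IPv4Network:
    """A /32 network for a single host address."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]      # None means any destination port
    action: str               # "permit" or "deny"


def evaluate(rules: List[Rule], src, dst, dport: int) -> str:
    """First-match stateless packet filter with an implicit final deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


Router = Tuple[str, List[Rule]]


def zone_index(zones, addr) -> int:
    # Zones are ordered outside -> inside and nest (0.0.0.0/0 matches all),
    # so the innermost zone containing the address is the last match.
    return max(i for i, net in enumerate(zones) if addr in net)


def traverse(routers: List[Router], zones, src, dst, dport: int) -> str:
    """Walk one packet through every router between src's zone and dst's zone.
    routers[i] sits between zones[i] and zones[i+1]. Each direction is
    judged on its own; replies are not modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zi, zj = zone_index(zones, src), zone_index(zones, dst)
    lo, hi = sorted((zi, zj))
    crossed = routers[lo:hi]
    if zi > zj:                 # outbound packets meet the inner router first
        crossed = crossed[::-1]
    for name, rules in crossed:
        if evaluate(rules, src, dst, dport) != "permit":
            return f"denied by {name}"
    return "delivered"


# --- Screened subnet: two routers, bastion on the perimeter net ------------
EXTERIOR_RULES = [
    Rule(INTERNET, host(BASTION), 25, "permit"),    # inbound SMTP to the bastion
    Rule(INTERNET, host(BASTION), 80, "permit"),    # inbound HTTP to the bastion
    Rule(host(BASTION), INTERNET, None, "permit"),  # bastion may talk outward
    # nothing permits Internet -> internal: implicit deny
]
INTERIOR_RULES = [
    Rule(host(BASTION), host(MAIL_HUB), 25, "permit"),  # only service the bastion may open inward
    Rule(INTERNAL, host(BASTION), None, "permit"),      # internal hosts use the bastion's services
    # nothing else from the perimeter net reaches the inside: implicit deny
]
SUBNET_ZONES = [INTERNET, PERIMETER, INTERNAL]
SUBNET_ROUTERS = [("exterior router", EXTERIOR_RULES),
                  ("interior router", INTERIOR_RULES)]


def screened_subnet(src, dst, dport: int) -> str:
    return traverse(SUBNET_ROUTERS, SUBNET_ZONES, src, dst, dport)


# --- Screened host: one router, bastion on the internal net ----------------
BASTION_SH = ipaddress.ip_address("10.0.0.10")      # bastion sits inside with everyone else
SCREENING_RULES = [
    Rule(INTERNET, host(BASTION_SH), 25, "permit"),
    Rule(INTERNET, host(BASTION_SH), 80, "permit"),
    Rule(INTERNAL, INTERNET, None, "permit"),
]
HOST_ZONES = [INTERNET, INTERNAL]
HOST_ROUTERS = [("screening router", SCREENING_RULES)]


def screened_host(src, dst, dport: int) -> str:
    return traverse(HOST_ROUTERS, HOST_ZONES, src, dst, dport)


if __name__ == "__main__":
    outside = "198.51.100.7"                              # some Internet host
    print(screened_subnet(outside, BASTION, 25))          # delivered
    print(screened_subnet(outside, MAIL_HUB, 25))         # denied by exterior router
    print(screened_subnet(BASTION, MAIL_HUB, 25))         # delivered
    print(screened_subnet(BASTION, "10.0.0.50", 22))      # denied by interior router
    print(screened_host(BASTION_SH, "10.0.0.50", 22))     # delivered: no router in the path
```

The last two lines of the demonstration are the point of the section: an attacker who owns the bastion host on the perimeter net can only reach the one internal service the interior router permits, whereas in the screened host layout the same attacker reaches any internal host on any port without passing a single filter, and only the internal hosts' own host security is left.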