With the screened subnet architecture, you attach a bastion host (or hosts) to the perimeter net; this host is the main point of contact for incoming connections from the outside world; for example:
- For incoming email (SMTP) sessions to deliver electronic mail to the site
- For incoming FTP connections to the site's anonymous FTP server
- For incoming domain name service (DNS) queries about the site
and so on.
Outbound services (from internal clients to servers on the Internet) are handled in either of these ways:
- Set up packet filtering on both the exterior and interior routers to allow internal clients to access external servers
- Set up proxy servers to run on the bastion host (if your firewall uses proxy software) to allow internal clients to access external servers indirectly. You would also set up packet filtering to allow the internal clients to talk to the proxy servers on the bastion host and vice versa, but to prohibit direct communications between internal clients and the outside world.
In either case, the packet filtering allows the bastion host to connect to, and accept connections from, hosts on the Internet; which hosts, and for what services, are dictated by the site's security

Much of what the bastion host does is act as proxy server for various services, either by running specialized proxy server software for particular protocols (such as HTTP or FTP), or by running standard servers for self-proxying protocols (such as SMTP).
Chapter 5 of our book describes how to secure the bastion host, and
Chapter 8 describes how to configure individual services to work with
The interior router (sometimes called the choke router in firewalls
literature) protects the internal network from both the Internet
and the perimeter net.
The interior router does most of the packet filtering for your
firewall. It allows selected services outbound from the internal net
to the Internet. These services are the services your site can safely
support and safely provide using packet filtering rather than proxies.
(Your site needs to establish its own definition of what "safe" means.
You'll have to consider your own needs, capabilities, and constraints;
there is no one answer for all sites.) The services you allow might
include outgoing Telnet, FTP, WAIS, Archie, Gopher, and others, as
appropriate for your own needs and concerns. (For detailed information
on how you can use packet filtering to control these services, see
Chapter 6 of our book.)
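To make the two outbound-handling options and the interior router's filtering role concrete, here is an added example (not from the book) of a small first-match packet-filter evaluator loaded with an interior (choke) router policy: internal clients may reach proxies on the bastion host, the bastion may relay mail inward, Telnet is allowed outbound directly by packet filtering, only TCP replies (ACK set) come back in, and everything else, including direct web access and new inbound connections, is denied. The address ranges, the mail hub and the port choices are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses for the illustration (RFC 5737 / RFC 1918 ranges).
INTERNAL = ip_network("10.0.0.0/8")       # internal net behind the interior router
PERIMETER = ip_network("192.0.2.0/24")    # perimeter (DMZ) net
BASTION = ip_network("192.0.2.10/32")     # bastion host on the perimeter net
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int]        # None matches any destination port
    ack_only: bool = False      # match only TCP packets with ACK set (replies)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ack: bool = False

# Interior router policy, evaluated top to bottom; the last rule is the default deny.
INTERIOR_RULES: List[Rule] = [
    Rule("allow", INTERNAL, BASTION, "tcp", None),            # clients -> proxies on the bastion
    Rule("allow", BASTION, INTERNAL, "tcp", 25),              # bastion relays SMTP to the (assumed) internal mail hub
    Rule("allow", INTERNAL, ANY, "tcp", 23),                  # direct outbound Telnet via packet filtering
    Rule("allow", ANY, INTERNAL, "tcp", None, ack_only=True), # replies to sessions opened from inside
    Rule("deny", ANY, ANY, "any", None),                      # no direct client <-> Internet, no new inbound
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every field of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.ack_only and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an exhausted list denies by default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```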