
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Types of Firewall and DMZ Architectures
• From the Internet to the internal network
• From the internal network to the Internet
• From the DMZ to the internal network
• From the internal network to the DMZ
This may sound like more administrative overhead than that associated with internally hosted or firewall-hosted services, but it is potentially much simpler, because the DMZ can be treated as a single logical entity: one subnet, matched by one address range in every rule. In the case of internally hosted services, each host must be considered individually (unless all the services are located on a single IP network whose address range is distinguishable from the rest of the internal network).
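What "treating the DMZ as a single logical entity" looks like in a rule set, as an added example that is not from the book: a three-homed Linux firewall expressed in nftables syntax (a tool that postdates this text; the book's own examples use other filters). Every one of the six traffic directions gets one block, and the DMZ appears only as the single subnet 192.0.2.0/24, never as individual hosts. The interface names, the address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 internally) and the port lists are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page). Assumed layout:
#   eth0 = Internet, eth1 = DMZ, eth2 = internal network.
flush ruleset

define INET_IF = "eth0"
define DMZ_IF  = "eth1"
define INT_IF  = "eth2"
define DMZ_NET = 192.0.2.0/24     # assumed DMZ subnet
define INT_NET = 10.0.0.0/8       # assumed internal address space

table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful shortcut: replies to anything already permitted below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, only to the DMZ subnet.
        iifname $INET_IF oifname $DMZ_IF ip daddr $DMZ_NET \
            tcp dport { 25, 80, 443 } ct state new accept

        # DMZ -> Internet: only what the bastion hosts need to function
        # (DNS lookups, outbound mail relay, HTTPS for updates).
        iifname $DMZ_IF oifname $INET_IF ip saddr $DMZ_NET \
            udp dport 53 ct state new accept
        iifname $DMZ_IF oifname $INET_IF ip saddr $DMZ_NET \
            tcp dport { 25, 443 } ct state new accept

        # Internet -> internal: nothing. The chain policy already drops it;
        # the explicit rule only adds a log line so attempts are visible.
        iifname $INET_IF oifname $INT_IF log prefix "fw-inet2int: " drop

        # Internal -> Internet: ordinary client traffic.
        iifname $INT_IF oifname $INET_IF ip saddr $INT_NET \
            udp dport 53 ct state new accept
        iifname $INT_IF oifname $INET_IF ip saddr $INT_NET \
            tcp dport { 80, 443 } ct state new accept

        # DMZ -> internal: no new connections at all. A compromised bastion
        # host must not be able to reach inward; replies to internally
        # initiated sessions are covered by the established,related rule.
        iifname $DMZ_IF oifname $INT_IF log prefix "fw-dmz2int: " drop

        # Internal -> DMZ: administration plus the same public services.
        iifname $INT_IF oifname $DMZ_IF ip saddr $INT_NET ip daddr $DMZ_NET \
            tcp dport { 22, 25, 80, 443 } ct state new accept
    }
}
```

Because the forward chain's policy is drop, adding a second bastion host to the DMZ changes nothing here; it is covered by the $DMZ_NET match the moment it is plugged into that subnet. The two explicit log-and-drop rules are the check worth keeping: if "fw-dmz2int:" ever appears in the logs, something on the screened subnet is probing inward.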
A Weak Screened-Subnet Architecture
Other architectures are sometimes used, and Figure 2-3 illustrates one of them. This version of the screened-subnet architecture made a lot of sense back when routers were better at coping with high-bandwidth data streams than multihomed hosts were: the two packet-filtering routers did all the filtering, and no firewall host sat in the data path. However, current best practice is not to rely exclusively on routers in one's firewall architecture.
Figure 2-3. Screened-subnet DMZ architecture (diagram: the Internet connects to a packet-filtering router; behind it a DMZ switch/hub, the "screened subnet", carries the bastion host(s) offering the public services; a second packet-filtering router separates the DMZ from the internal network(s). Legend: Firewall, DMZ/Public services, Internal net.)