As illustrated in Figure 11.3, a screened host firewall configuration basically consists of a screening router that interconnects the intranet to the Internet, and a bastion host that is logically situated on the intranet. Unlike the bastion host of a dual-homed firewall, the bastion host of a screened host firewall is single-homed, meaning that it has only one network interface, which connects it to an internal network segment (i.e., a network segment that is part of the intranet).
Figure 11.3: A simple configuration of a screened host firewall.
In a screened host firewall configuration, the screening router has to make sure that IP packets destined for intranet systems are first sent to an appropriate application gateway on the bastion host. If a specific TCP/IP application protocol is assumed to be "secure," the screening router can also be configured to bypass the bastion host and to send the corresponding IP packets directly to the destination system. For very obvious reasons, this may increase flexibility, but it also decreases security.
Similar to the dual-homed firewall configuration, the bastion host and its application gateways can also be replicated an arbitrary number of times in the screened host firewall configuration. In fact, this is likely to be the preferred configuration, as different application gateways are typically running on different hosts (all of them representing bastion hosts for the applications they serve as a gateway).
In summary, the screened host firewall configuration is very simple and straightforward. As compared with the dual-homed firewall configuration, it is more flexible but also potentially less secure. This is because the bastion host can be bypassed (by configuring the screening router that interconnects the intranet and the Internet accordingly). Due to the dual-homed nature of the bastion host, this is not possible in the dual-homed firewall configuration.
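The screening router policy described above, as an added example that is not part of the book's text: a small model of the router's decision for each packet, with the bastion host's gateway ports, the intranet addresses, an anti-spoofing check on the ingress interface, and the rule that only the bastion host may send outbound traffic all being assumptions of this example. The bypass list is the "secure" protocol exception from the text; a report function shows which intranet hosts it exposes directly.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example: the intranet segment and the
# single-homed bastion host that sits on it (hypothetical values).
INTRANET = ip_network("10.0.0.0/24")
BASTION = ip_address("10.0.0.5")

# Ports on which application gateways (proxies) listen on the bastion host (assumed).
GATEWAY_PORTS = {25, 80}


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the screening router: ingress interface plus header fields."""
    iface: str   # "ext" (Internet side) or "int" (intranet side)
    src: str
    dst: str
    dport: int


def screening_router_decision(pkt: Packet, bypass_ports: frozenset = frozenset()) -> str:
    """Apply the screening router policy to one packet.

    Returns "ACCEPT", "ACCEPT-BYPASS" (bastion host bypassed) or "DROP".
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Anti-spoofing: a packet claiming an intranet source must not arrive from the
    # Internet side, and vice versa.
    if pkt.iface == "ext" and src in INTRANET:
        return "DROP"
    if pkt.iface == "int" and src not in INTRANET:
        return "DROP"

    if pkt.iface == "ext":
        # Internet -> bastion host on a gateway port: the application gateway handles it.
        if dst == BASTION and pkt.dport in GATEWAY_PORTS:
            return "ACCEPT"
        # Internet -> any other intranet host: only for protocols deemed "secure"
        # enough to bypass the bastion host.
        if dst in INTRANET and pkt.dport in bypass_ports:
            return "ACCEPT-BYPASS"
        return "DROP"

    # Intranet side: only the bastion host (acting for proxied clients) may reach the Internet.
    if dst not in INTRANET and src == BASTION:
        return "ACCEPT"
    return "DROP"


def bypass_report(packets, bypass_ports=frozenset()):
    """List (dst, dport) pairs for which Internet traffic reaches an intranet host
    without passing through the bastion host."""
    return [(p.dst, p.dport) for p in packets
            if screening_router_decision(p, bypass_ports) == "ACCEPT-BYPASS"]


# Constructed sample traffic (203.0.113.0/24 is documentation space standing in for the Internet).
SAMPLE = [
    Packet("ext", "203.0.113.7", "10.0.0.5", 80),    # Internet -> bastion HTTP gateway
    Packet("ext", "203.0.113.7", "10.0.0.20", 80),   # Internet -> internal web server directly
    Packet("ext", "203.0.113.7", "10.0.0.20", 53),   # Internet -> internal DNS server directly
    Packet("ext", "10.0.0.20", "10.0.0.5", 80),      # spoofed intranet source on the Internet side
    Packet("int", "10.0.0.5", "203.0.113.7", 80),    # bastion proxying a client's outbound request
    Packet("int", "10.0.0.20", "203.0.113.7", 80),   # client trying to reach the Internet directly
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict = screening_router_decision(pkt)
        print(f"{pkt.iface:3} {pkt.src:>12} -> {pkt.dst:<12}:{pkt.dport:<4} {verdict}")
    print("exposure with DNS on the bypass list:", bypass_report(SAMPLE, frozenset({53})))
```

With an empty bypass list every Internet-originated packet must terminate at a gateway on the bastion host, which is the property the text attributes to the dual-homed configuration. Each "ACCEPT-BYPASS" verdict is one protocol for which an intranet host is reachable without that mediation, so the bypass list is the part of the router configuration worth reviewing most carefully.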