Screened-subnet firewall
   HOME

TheInfoList



Click Here for Items Related To - Screened-subnet firewall
OR:
Screened-subnet firewall on:   [Wikipedia]   [Google]   [Amazon]

In
network security Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...
a screened subnet refers to the use of one or more logical screening routers as a
firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...
to define three separate
subnet A subnetwork or subnet is a logical subdivision of an IP network. Updated by RFC 6918. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to the same subnet are addressed with an identical ...
s: an external router (sometimes called an ''access router''), that separates the external network from a perimeter network, and an internal router (sometimes called a ''choke router'') that separates the perimeter network from the internal network. The perimeter network, also called a border network or
demilitarized zone A demilitarized zone (DMZ or DZ) is an area in which treaties or agreements between nations, military powers or contending groups forbid military installations, activities, or personnel. A DZ often lies along an established frontier or bounda ...
(DMZ), is intended for hosting servers (sometimes called
bastion host A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the military fortification. The computer generally hosts a single application or process, for example, a p ...
s) that are accessible from or have access to both the internal and external networks. The purpose of a screened subnet or DMZ is to establish a network with heightened security that is situated between an external and presumed hostile network, such as the Internet or an extranet, and an internal network. A screened subnet is an essential concept for
e-commerce E-commerce (electronic commerce) is the activity of electronically buying or selling of products on online services or over the Internet. E-commerce draws on technologies such as mobile commerce, electronic funds transfer, supply chain manag ...
or any entity that has a presence in the
World Wide Web The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet. Documents and downloadable media are made available to the network through web ...
or is using
electronic payment system An e-commerce payment system (or an electronic payment system) facilitates the acceptance of electronic payment for offline transfer, also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become incre ...
s or other network services because of the prevalence of
hacker A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...
s,
advanced persistent threat An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may ...
s,
computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...
s,
botnet A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its conn ...
s, and other threats to networked
information system An information system (IS) is a formal, sociotechnical, organizational system designed to collect, process, store, and distribute information. From a sociotechnical perspective, information systems are composed by four components: task, people ...
s.


Physical separation of routers

By separating the firewall system into two separate component routers it achieves greater potential throughput by reducing the computational load of each router. As each component router of the screened subnet firewall needs to implement only one general task, each router has a less complex configuration. A screened subnet or DMZ can also be achieved by a single firewall device with three network interfaces.


Relationship to DMZ

The term
demilitarized zone A demilitarized zone (DMZ or DZ) is an area in which treaties or agreements between nations, military powers or contending groups forbid military installations, activities, or personnel. A DZ often lies along an established frontier or bounda ...
in military context refers to an area in which treaties or agreements between contending groups forbid military installations and activities, often along an established frontier or boundary between two or more military powers or alliances. The similarity to network security is that the screened network (DMZ) has reduced fortifications because it has intended points of ingress from the external network which is presumed to be hostile. It appears that the term demilitarized zone (DMZ) was popularized as a sales and marketing term sometime after the development of screened routers and firewalls. It is often used as a synonym but may have once had a different meaning. :"There are a number of terms that are used, such as bastion hosts, screened subnets, DMZ, or perimeter networks that can be confusing, especially when used together." ... "Another term that may often causes confusion is the DMZ (demilitarized zone), as opposed to a screened subnet. A true DMZ is a network that contains hosts accessible from the internet with only the exterior, or boarder, router between them. These hosts are not protected by a screening router." ... "A screened subnet may also be a collection of hosts on a subnet, but these are located behind a screening router. The term DMZ may be used by a vendor to mean either, so it is best to verify which they mean."


Comparison to screened host firewall / architecture

Whereas the screened subnet firewall employs two screened routers to create three subnets, a screened host firewall employs only one screened router to define two subnets: an external network and an internal network. The screened subnet firewall is more secure because an intruder must traverse two filtered routes to reach the internal network. If the bastion / DMZ host is compromised the intruder must still bypass the second filtered route to reach internal network hosts.


See also

*
DMZ (computing) In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usuall ...
*
Firewall (networking) In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted n ...
*
Multitier architecture In software engineering, multitier architecture (often referred to as ''n''-tier architecture) is a client–server architecture in which presentation, application processing and data management functions are physically separated. The most wide ...


References

{{DEFAULTSORT:Screened-Subnet Firewall Data security Networking hardware Computer network security