How does screened-host firewall architecture differ from screened-subnet firewall architecture?

68. How does screened-host firewall architecture differ from screened-subnet firewall architecture? Which offers more security for the information assets that remain on the trusted network?


69. What is a DMZ? Is this really a good name for the function that this type of subnet performs?


70. What is RADIUS? What advantage does it have over TACACS?


  • School University of the Southern Caribbean
  • Course Title CPTR 450
  • Pages 2


a. How do screened host architectures for firewalls differ from screened subnet firewall architectures? Which of these offers more security for the information assets that remain on the trusted network?


Professor

Ms Cynthia Cudjoe

Tags

Computer network, screened subnet firewall

The Distinctions Between Screened Host, Screened Subnet and DMZ Perimeter Security Architectures

Screened Host:

The screened host firewall is a more flexible firewall than the dual-homed gateway firewall; however, the flexibility is achieved at some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than that provided by the dual-homed gateway firewall.

The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router. The application gateway needs only one network interface. The application gateway's proxy services would pass TELNET, FTP, and other services for which proxies exist, to site systems. The router filters or screens inherently dangerous protocols from reaching the application gateway and site systems. It rejects (or accepts) application traffic according to the following rules:

1. Application traffic from Internet sites to the application gateway gets routed,

2. All other traffic from Internet sites gets rejected, and

3. The router rejects any application traffic originating from the inside unless it came from the application gateway.

The application gateway needs only one network interface and does not require a separate subnet between the application gateway and the router. This permits the firewall to be made more flexible but perhaps less secure by permitting the router to pass certain trusted services "around" the application gateway and directly to site systems. The trusted services might be those for which proxy services don't exist, and might be trusted in the sense that the risk of using the services has been considered and found acceptable. For example, less-risky services such as NTP could be permitted to pass through the router to site systems. If the site systems require DNS access to Internet systems, DNS could be permitted to site systems. In this configuration, the firewall could implement a mixture of the two design policies, the proportions of which depend on how many and what types of services are routed directly to site systems.

The additional flexibility of the screened host firewall is cause for two concerns. First, there are now two systems, the router and the application gateway, that need to be configured carefully. As noted before, packet filtering router rules can be complex to configure, difficult to test, and prone to mistakes that lead to holes through the router.

Whereas a dual-homed host architecture provides services from a host that's attached to multiple networks (but has routing turned off), a screened host architecture provides services from a host that's attached to only the internal network, using a separate router. In this architecture, the primary security is provided by packet filtering. (For example, packet filtering is what prevents people from going around proxy servers to make direct connections.)

Figure 6-3 shows a simple version of a screened host architecture. The bastion host sits on the internal network. The packet filtering on the screening router is set up in such a way that the bastion host is the only system on the internal network that hosts on the Internet can open connections to (for example, to deliver incoming email). Even then, only certain types of connections are allowed. Any external system trying to access internal systems or services will have to connect to this host. The bastion host thus needs to maintain a high level of host security.


Figure 6-3. Screened host architecture

Packet filtering also permits the bastion host to open allowable connections (what is "allowable" will be determined by your site's particular security policy) to the outside world. The Section 6.3.2, "Bastion Host" in the Section 6.3, "Screened Subnet Architectures" discussion, later in this chapter, contains more information about the functions of bastion hosts, and Chapter 10, "Bastion Hosts", describes in detail how to build one.

The packet filtering configuration in the screening router may do one of the following:

  • Allow other internal hosts to open connections to hosts on the Internet for certain services (allowing those services via packet filtering, as discussed in Chapter 8, "Packet Filtering")
  • Disallow all connections from internal hosts (forcing those hosts to use proxy services via the bastion host, as discussed in Chapter 9, "Proxy Systems")

You can mix and match these approaches for different services; some may be allowed directly via packet filtering, while others may be allowed only indirectly via proxy. It all depends on the particular policy your site is trying to enforce.

Because this architecture allows packets to move from the Internet to the internal networks, it may seem more risky than a dual-homed host architecture, which is designed so that no external packet can reach the internal network. In practice, however, the dual-homed host architecture is also prone to failures that let packets actually cross from the external network to the internal network. (Because this type of failure is completely unexpected, there are unlikely to be protections against attacks of this kind.) Furthermore, it's easier to defend a router than it is to defend a host. For most purposes, the screened host architecture provides both better security and better usability than the dual-homed host architecture.

Compared to other architectures, however, such as the screened subnet architecture, there are some disadvantages to the screened host architecture. The major one is that if an attacker manages to break in to the bastion host, nothing is left in the way of network security between the bastion host and the rest of the internal hosts. The router also presents a single point of failure; if the router is compromised, the entire network is available to an attacker. For this reason, the screened subnet architecture, discussed next, has become increasingly popular.

Because the bastion host is a single point of failure, it is inappropriate to run high-risk services like web servers on it. You need to provide the same level of protection to it that you would provide to a dual-homed host that was the sole firewall for your site.

6.2.1. Appropriate Uses

A screened host architecture is appropriate when:

  • Few connections are coming from the Internet (in particular, it is not an appropriate architecture if the screened host is a public web server).
  • The network being protected has a relatively high level of host security.

How does screened host firewall architecture differ from screened subnet firewall architecture?

The screened subnet architecture adds a demilitarized zone (DMZ) that protects the internal network. The DMZ holds two or more bastion hosts or servers connected to the screened subnet, which provide services to the external, untrusted network.

What is the difference between a screened host and a screened subnet?

Whereas the screened subnet firewall employs two screening routers to create three subnets, a screened host firewall employs only one screening router to define two subnets: an external network and an internal network.
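As an added example (not code from the page or from the firewall texts it quotes), the Python model below encodes the screening router's three rules from the screened host description above, the NTP and DNS services passed "around" the gateway, and a second topology with an interior router for the two-router screened subnet just described. The addresses, the proxied port 25 and the trusted UDP ports are constructed assumptions; the filters are modelled as stateless, so no reply-traffic handling is shown.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses (hypothetical, not from the page).
SITE = ip_network("10.0.0.0/24")        # trusted internal network
DMZ = ip_network("192.0.2.0/24")        # perimeter network (screened subnet only)
BASTION_HOST = ip_address("10.0.0.10")  # screened host: bastion sits on SITE
BASTION_DMZ = ip_address("192.0.2.10")  # screened subnet: bastion sits on the DMZ
TRUSTED = {("udp", 123), ("udp", 53)}   # NTP and DNS passed "around" the gateway
PROXIED = {("tcp", 25)}                 # what the bastion's proxies may deliver inside

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def screening_router(pkt, bastion, inside):
    """The page's three rules plus the trusted pass-around services (stateless)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if not any(src in net for net in inside):          # arriving from the Internet
        if dst == bastion:                             # rule 1: to the application gateway
            return "accept"
        if (pkt.proto, pkt.dport) in TRUSTED:          # e.g. NTP/DNS straight to site systems
            return "accept"
        return "reject"                                # rule 2: everything else
    # rule 3: inside-originated traffic leaves only from the gateway (or as a trusted service)
    return "accept" if src == bastion or (pkt.proto, pkt.dport) in TRUSTED else "reject"

def interior_router(pkt):
    """Screened subnet only: anything entering SITE must come from the bastion's proxies."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst in SITE:
        return "accept" if src == BASTION_DMZ and (pkt.proto, pkt.dport) in PROXIED else "reject"
    return "accept"                                    # site hosts may reach the DMZ freely

def reachable_screened_host(pkt):
    # Screened host: one router; bastion and site systems share one subnet.
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in SITE and dst in SITE:                    # same subnet: no router in the way
        return True
    return screening_router(pkt, BASTION_HOST, [SITE]) == "accept"

def reachable_screened_subnet(pkt):
    # Screened subnet: exterior router guards DMZ+SITE, interior router guards SITE.
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    verdicts = []
    if not (src in DMZ or src in SITE) or not (dst in DMZ or dst in SITE):
        verdicts.append(screening_router(pkt, BASTION_DMZ, [DMZ, SITE]))
    if (src in SITE) != (dst in SITE):
        verdicts.append(interior_router(pkt))
    return all(v == "accept" for v in verdicts)
```

Feeding both topologies a packet sent from the bastion's own address to an internal host on a non-proxied port shows the difference the text draws: the screened host lets it through (nothing sits between bastion and site systems), while the screened subnet's interior router rejects it.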

What is screened host firewall architecture?

Whereas a dual-homed host architecture provides services from a host that's attached to multiple networks (but has routing turned off), a screened host architecture provides services from a host that's attached to only the internal network, using a separate router.

What is a screened subnet architecture?

A screened subnet, or triple-homed firewall, refers to a network architecture where a single firewall is used with three network interfaces. It provides additional protection from outside cyber attacks by adding a perimeter network to isolate or separate the internal network from the public-facing internet.