SearchSecurity.com

screened subnet (triple-homed firewall)

A screened subnet (also known as a "triple-homed firewall") is a network architecture that uses a single firewall with three network interfaces.

 

Even if the firewall itself is compromised, access to the intranet should not be available, as long as the firewall has been properly configured.

The purpose of the screened subnet architecture is to isolate the DMZ and its publicly accessible resources from the intranet, thereby focusing external attention and any possible attack on that subnet. The architecture also separates the intranet and DMZ networks, making it more difficult to attack the intranet itself. When a properly configured firewall is combined with the use of private IP addresses on one or both of these subnets, an attack becomes that much more difficult.
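The isolation described above can be expressed as a default-deny forwarding policy on the three-interface firewall. The nftables ruleset below is an added illustration, not part of the original definition; the interface names, subnets, the DMZ web server address and the choice of permitted ports are all assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example. Assumed layout (not from the page):
#   eth0 = Internet, eth1 = DMZ 192.168.10.0/24, eth2 = intranet 10.0.0.0/24
flush ruleset

define WAN = "eth0"
define DMZ = "eth1"
define LAN = "eth2"
define DMZ_WEB = 192.168.10.10   # hypothetical public web server

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Manage the firewall from the intranet only, never from the DMZ or Internet
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: published services only
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
        # Intranet -> DMZ and intranet -> Internet: outbound connections allowed
        iifname $LAN oifname { $DMZ, $WAN } accept
        # DMZ -> Internet: name resolution and HTTPS only (assumed, e.g. for updates)
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 53, 443 } accept
        # Any new connection toward the intranet is logged, then dropped
        oifname $LAN log prefix "to-intranet-drop " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Private addresses on both subnets are hidden behind the public interface
        oifname $WAN masquerade
    }
}
```

No rule permits a new connection from the DMZ or the Internet into the intranet, so a compromised DMZ host can only answer connections that the intranet itself initiated.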

05 Feb 2008
