
Choosing the right firewall topology: Bastion host, screened subnet or dual firewalls

An overview of the three most common firewall topologies, including diagrams of a bastion host, screened subnet and dual firewall architectures.

When developing a perimeter protection strategy for an organization, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" In this tip, we'll take a look at the three basic options and analyze the scenarios best suited for each case.

Before we get started, please note that this tip deals with firewall placement only. Anyone building a perimeter protection strategy should plan to implement a defense-in-depth approach that utilizes multiple security devices including firewalls, border routers with packet filtering and intrusion-detection systems.

Option 1: Bastion host

The first and most basic option is the use of a bastion host. In this scenario (shown in figure 1 below), the firewall is placed between the Internet and the protected network. It filters all traffic entering or leaving the network.

Figure 1: Bastion host

The bastion host topology is well suited for relatively simple networks (e.g., those that don't offer any public Internet services). The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they've gained unrestricted (at least from a perimeter protection perspective) access to the protected network. This may be acceptable if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet, but it is probably not sufficient if you host a Web site or e-mail server.

Option 2: Screened subnet

The second option, the use of a screened subnet, offers additional advantages over the bastion host approach. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). An example of this topology is shown in figure 2 below.

Figure 2: Screened subnet

The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise a server in the DMZ, he or she does not have access to the intranet (provided that the firewall is properly configured).
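To make the zone separation concrete, here is an added example (not from the article) that models a triple-homed firewall's zone policy in Python: three zones, a first-match rule list with an implicit deny, and a small audit that flags any rule letting the DMZ reach the trusted network. The address ranges and rules are assumptions for the example; return traffic for established connections is assumed to be handled by connection tracking and is not modeled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for a triple-homed (screened subnet) firewall.
# The prefixes are assumptions for this example, not from the article.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # public servers (DMZ interface)
    "internal": ip_network("10.0.0.0/8"),  # trusted network (inside interface)
}


def zone_of(addr):
    """Map an address to its firewall interface zone; anything else is Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Zone policy, evaluated first-match, with an implicit deny at the end.
# Tuple layout: (src_zone, dst_zone, proto, dport, action); None means "any".
POLICY = [
    ("internet", "dmz", "tcp", 80, "allow"),      # public web service
    ("internet", "dmz", "tcp", 443, "allow"),
    ("internal", "dmz", None, None, "allow"),     # admins manage DMZ hosts
    ("internal", "internet", None, None, "allow"),  # users browse the Internet
    # Deliberately no "dmz" -> "internal" rule: a compromised DMZ host
    # has no path into the trusted network.
]


def decide(src, dst, proto, dport, policy=POLICY):
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    for rsz, rdz, rproto, rport, action in policy:
        if rsz == sz and rdz == dz and rproto in (None, proto) and rport in (None, dport):
            return action
    return "deny"  # implicit deny: anything not listed is blocked


def audit(policy):
    """Flag rules that would undo the screened subnet's benefit (DMZ -> internal)."""
    return [r for r in policy if r[0] == "dmz" and r[1] == "internal" and r[4] == "allow"]
```

Adding further zones (an internal DMZ, core servers and so on) is only a matter of more entries in ZONES and POLICY; the audit rule is where a site-specific check for unwanted cross-zone paths belongs.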

Option 3: Dual firewalls

The most secure (and most expensive) option is to implement a screened subnet using two firewalls. In this case, the DMZ is placed between the two firewalls, as shown in figure 3 below.

Figure 3: Dual firewalls

The use of two firewalls still allows the organization to offer services to Internet users through the use of a DMZ, but provides an added layer of protection. It's very common for security architects to implement this scheme using firewall technology from two different vendors. This provides an added level of security in the event a malicious individual discovers a software-specific exploitable vulnerability.

Higher-end firewalls allow for some variations on these themes as well. While basic firewall models often have a three-interface limit, higher-end firewalls allow a large number of physical and virtual interfaces. For example, the Sidewinder G2 firewall from Secure Computing allows up to 20 physical interfaces. Additional virtual interfaces may be added through the use of VLAN tagging on the physical interfaces. What does this mean to you? With a greater number of interfaces, you can implement many different security zones on your network. For example, you might have the following interface configuration:

  • Zone 1: Internet
  • Zone 2: Restricted workstations
  • Zone 3: General workstations
  • Zone 4: Public DMZ
  • Zone 5: Internal DMZ
  • Zone 6: Core servers

This type of architecture allows you to take any of the three topologies described above and add a tremendous degree of flexibility.

That's a brief primer on firewall architectures. Now that you're familiar with the basic concepts, you should be able to help select an appropriate architecture for use in various situations.


Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was last published in October 2005
