Next: Screened Subnet Firewall Up: Putting the Pieces Previous: Dual-homed Gateway Firewall

Screened Host Firewall

The screened host firewall (see the figure below) is more flexible than the dual-homed gateway firewall, but the flexibility is gained at some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than the dual-homed gateway firewall provides.

The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router. The application gateway needs only one network interface. The application gateway's proxy services pass TELNET, FTP, and other services for which proxies exist to site systems. The router filters or screens inherently dangerous protocols so that they never reach the application gateway or the site systems. It rejects (or accepts) application traffic according to the following rules:

Figure: Screened Host Firewall.

Unlike the dual-homed gateway firewall, the application gateway needs only one network interface and does not require a separate subnet between the application gateway and the router. This permits the firewall to be made more flexible, but perhaps less secure, by letting the router pass certain trusted services "around" the application gateway and directly to site systems. The trusted services might be those for which proxy services don't exist, and "trusted" here means that the risk of using the service has been considered and found acceptable. For example, less-risky services such as NTP could be permitted to pass through the router to site systems. If the site systems require DNS access to Internet systems, DNS could be permitted to site systems. In this configuration, the firewall implements a mixture of the two design policies, in proportions that depend on how many, and what types of, services are routed directly to site systems.
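The screening rules above can be made concrete with a small model of the router's decision. The following Python is an added example, not code from the original document or from any real router; the addresses, the set of proxied services (TELNET, FTP) and the set of services routed "around" the gateway (NTP, DNS) are assumptions constructed for illustration. It is deliberately stateless, as the packet-filtering routers of the period were, and it includes an audit function that lists which site systems become directly reachable from the Internet as "trusted" services are added, which is the exposure the text warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (RFC 5737 documentation ranges).
SITE_NET = ip_network("192.0.2.0/24")   # protected subnet behind the router
GATEWAY = ip_address("192.0.2.10")      # single-homed application gateway

# Services that must pass through the gateway's proxies (assumed set).
PROXIED = {("tcp", 23): "telnet", ("tcp", 21): "ftp"}
# Services judged low-risk enough to be routed "around" the gateway directly
# to site systems (assumed set). Every entry here widens direct exposure.
TRUSTED_DIRECT = {("udp", 123): "ntp", ("udp", 53): "dns"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def screen(pkt: Packet) -> tuple[bool, str]:
    """Stateless screening decision for one packet: (accepted, reason)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    key = (pkt.proto, pkt.dport)
    inbound = src not in SITE_NET and dst in SITE_NET
    outbound = src in SITE_NET and dst not in SITE_NET

    if inbound:
        # Application traffic from the Internet is only accepted for the gateway.
        if dst == GATEWAY and key in PROXIED:
            return True, f"{PROXIED[key]} to application gateway"
        # Trusted services bypass the gateway and reach site systems directly.
        if key in TRUSTED_DIRECT:
            return True, f"{TRUSTED_DIRECT[key]} routed around the gateway"
        return False, "inbound traffic must go through the application gateway"
    if outbound:
        if src == GATEWAY:
            return True, "outbound from application gateway"
        if key in TRUSTED_DIRECT:
            return True, f"{TRUSTED_DIRECT[key]} from site system"
        return False, "site systems reach the Internet only via the gateway"
    return False, "not a site/Internet crossing"


def direct_exposure(packets) -> dict[str, set[str]]:
    """Audit: which site systems other than the gateway does the ruleset let
    Internet hosts reach directly, and on which protocol/port?"""
    exposed: dict[str, set[str]] = {}
    for pkt in packets:
        accepted, _ = screen(pkt)
        dst = ip_address(pkt.dst)
        if accepted and dst in SITE_NET and dst != GATEWAY:
            exposed.setdefault(pkt.dst, set()).add(f"{pkt.proto}/{pkt.dport}")
    return exposed


# Constructed sample traffic crossing the router.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 23),   # TELNET to gateway: accepted
    Packet("203.0.113.5", "192.0.2.20", "tcp", 23),   # TELNET straight to a site host: rejected
    Packet("203.0.113.5", "192.0.2.20", "udp", 123),  # NTP to a site host: accepted (trusted)
    Packet("203.0.113.5", "192.0.2.20", "udp", 53),   # DNS to a site host: accepted (trusted)
    Packet("192.0.2.20", "203.0.113.5", "tcp", 21),   # site host FTP out directly: rejected
    Packet("192.0.2.10", "203.0.113.5", "tcp", 21),   # gateway FTP out: accepted
]

if __name__ == "__main__":
    for p in SAMPLE:
        ok, why = screen(p)
        verdict = "ACCEPT" if ok else "REJECT"
        print(f"{verdict:6} {p.src} -> {p.dst} {p.proto}/{p.dport}: {why}")
    print("site systems directly reachable from the Internet:", direct_exposure(SAMPLE))
```

Running the audit over a representative traffic sample before enabling a new "trusted" service shows exactly how much of the protected subnet the bypass exposes; with an empty TRUSTED_DIRECT the audit returns nothing and the configuration collapses to the dual-homed gateway policy.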

The additional flexibility of the screened host firewall raises two concerns. First, there are now two systems, the router and the application gateway, that need to be configured carefully. As noted before, packet-filtering router rules can be complex to configure, difficult to test, and prone to mistakes that open holes through the router. However, since the router needs to limit application traffic only to the application gateway, the ruleset may not be as complex as that of a typical site using a packet-filtering firewall (which may have to restrict application traffic to multiple systems).

The second disadvantage is that the flexibility opens up the possibility that the policy can be violated (as with the packet-filtering firewall). This is less of a concern with the dual-homed gateway firewall, since it is technically impossible to pass traffic through the dual-homed gateway unless there is a corresponding proxy service. Again, a strong policy is essential.

[Garf92], [Ran93], and [Ches94] provide more details on screened host firewalls.






John Wack
Thu Feb 9 18:17:09 EST 1995