Screened Subnet Firewall

The screened subnet firewall is a variation of the dual-homed gateway and screened host firewalls. It can be used to locate each component of the firewall on a separate system, thereby achieving greater throughput and flexibility, although at some cost to simplicity. But, each component system of the firewall needs to implement only a specific task, making the systems less complex to configure.

In figure , two routers are used to create an inner, screened subnet. This subnet (sometimes referred to in other literature as the ``DMZ'') houses the application gateway, however it could also house information servers, modem pools, and other systems that require carefully-controlled access. The router shown as the connection point to the Internet would route traffic according to the following rules:

• application traffic from the application gateway to Internet systems gets routed,
• e-mail traffic from the e-mail server to Internet sites gets routed,
• application traffic from Internet sites to the application gateway gets routed,
• e-mail traffic from Internet sites to the e-mail server gets routed,
• ftp, gopher, etc., traffic from Internet sites to the information server gets routed, and
• all other traffic gets rejected.

The outer router restricts Internet access to specific systems on the screened subnet, and blocks all other traffic to the Internet originating from systems that should not be originating connections (such as the modem pool, the information server, and site systems). The router would be used as well to block packets such as NFS, NIS, or any other vulnerable protocols that do not need to pass to or from hosts on the screened subnet.

The inner router passes traffic to and from systems on the screened subnet according to the following rules:

• application traffic from the application gateway to site systems gets routed,
• e-mail traffic from the e-mail server to site systems gets routed,
• application traffic to the application gateway from site systems get routed,
• e-mail traffic from site systems to the e-mail server gets routed,
• ftp, gopher, etc., traffic from site systems to the information server gets routed,
• all other traffic gets rejected.

  
Figure: Screened Subnet Firewall with Additional Systems.

Thus, no site system is directly reachable from the Internet and vice versa, as with the dual-homed gateway firewall. A big difference, though, is that the routers are used to direct traffic to specific systems, thereby eliminating the need for the application gateway to be dual-homed. Greater throughput can be achieved, then, if a router is used as the gateway to the protected subnet. Consequently, the screened subnet firewall may be more appropriate for sites with large amounts of traffic or sites that need very high-speed traffic.

The two routers provide redundancy in that an attacker would have to subvert both routers to reach site systems directly. The application gateway, e-mail server, and information server could be set up such that they would be the only systems ``known'' from the Internet; no other system name need be known or used in a DNS database that would be accessible to outside systems. The application gateway can house advanced authentication software to authenticate all inbound connections. It is, obviously, more involved to configure, however the use of separate systems for application gateways and packet filters keeps the configuration more simple and manageable.

The screened subnet firewall, like the screened host firewall, can be made more flexible by permitting certain ``trusted'' services to pass between the Internet and the site systems. However, this flexibility may open the door to exceptions to the policy, thus weakening the effect of the firewall. In many ways, the dual-homed gateway firewall is more desireable because the policy cannot be weakened (because the dual-homed gateway cannot pass services for which there is no proxy). However, where throughput and flexibility are important, the screened subnet firewall may be more preferable.

As an alternative to passing services directly between the Internet and site systems, one could locate the systems that need these services directly on the screened subnet. For example, a site that does not permit X Windows or NFS traffic between Internet and site systems, but needs to anyway, could locate the systems that need the access on the screened subnet. The systems could still maintain access to site systems by connecting to the application gateway and reconfiguring the inner router as necessary. This is not a perfect solution, but an option for sites that require a high degree of security.

There are two disadvantages to the screened subnet firewall. First, the firewall can be made to pass ``trusted'' services around the application gateway(s), thereby subverting the policy. This is true also with the screened host firewall, however the screened subnet firewall provides a location to house systems that need direct access to those services. With the screened host firewall, the ``trusted'' services that get passed around the application gateway end up being in contact with site systems. The second disadvantage is that more emphasis is placed on the routers for providing security. As noted, packet filtering routers are sometimes quite complex to configure and mistakes could open the entire site to security holes.

[Ran93] and [Ches94] provide more details on screened subnet firewalls.