Most corporate firewall structures utilise a de-militarised
zone (DMZ, also called a "stub network") between the
internal LAN and the Internet, thus:

Both of the routers in this diagram are configured as packet
filtering firewalls. Note that the DMZ is, of necessity, a separate
subnet. Exercise: why?

There are many options for the level of filtering in the routers,
and for the functionality of the bastion host. These are examined
in the next slides.