
More Complex Firewall Configurations

A more common structure nowadays uses a de-militarised zone (DMZ) between the internal LAN and the Internet, thus:
[Figure: Firewall, DMZ and bastion host structure]
Both routers in this diagram are configured as packet-filtering firewalls.
 
The DMZ is also called a "stub network". Note that the DMZ is, of necessity, a separate subnet.
 
There are many options for the level of filtering in the routers, and for the functionality of the bastion host. These are examined in the next slides.
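
As an added illustration (not part of the original slides), the sketch below models one possible filtering option for the two routers: each passes only traffic to or from the bastion host, so no packet crosses directly between the Internet and the LAN. The addresses, the bastion-only policy and all function names are assumptions made for the example.

```python
import ipaddress as ip

# Constructed addressing (assumption, not from the slides).
LAN = ip.ip_network("10.0.0.0/24")
DMZ = ip.ip_network("192.0.2.0/28")      # the stub network
BASTION = ip.ip_address("192.0.2.2")     # bastion host inside the DMZ

def dmz_is_separate_subnet():
    """The routers filter by prefix, so the DMZ must not overlap the LAN."""
    return not LAN.overlaps(DMZ)

def zone(addr):
    """Classify an address as 'lan', 'dmz' or 'internet' by subnet membership."""
    a = ip.ip_address(addr)
    if a in LAN:
        return "lan"
    if a in DMZ:
        return "dmz"
    return "internet"

def bastion_only(zone_a, zone_b):
    """Build the packet filter for the router joining zone_a and zone_b."""
    def allow(src, dst):
        ends = {ip.ip_address(src), ip.ip_address(dst)}
        # Pass only traffic between these two zones that involves the bastion.
        return {zone(src), zone(dst)} == {zone_a, zone_b} and BASTION in ends
    return allow

EXTERIOR = bastion_only("internet", "dmz")   # router facing the Internet
INTERIOR = bastion_only("dmz", "lan")        # router facing the internal LAN

def routers_crossed(src, dst):
    """Routers a packet must traverse in the two-router DMZ layout."""
    zones = (zone(src), zone(dst))
    if zones[0] == zones[1]:
        return []                            # same subnet, no router involved
    hops = []
    if "internet" in zones:
        hops.append(EXTERIOR)
    if "lan" in zones:
        hops.append(INTERIOR)
    return hops

def permitted(src, dst):
    """A packet is delivered only if every router on its path allows it."""
    return all(router(src, dst) for router in routers_crossed(src, dst))
```
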
 

