The screened host architecture is a lower-security, lower-cost alternative to the screened subnet architecture discussed in the previous sections. It is often used by very small sites that face significant cost constraints.
In a screened host architecture, there is no perimeter net, no interior router, and often no bastion host per se. (Obviously, there is a host that the outside world talks to, but this host is often not dedicated solely to that task.) What you have instead is a single router (most analogous to the exterior router in the dual-router screened subnet architecture) and a services host that provides Internet services to internal and external clients (and is often used for other tasks as well).
The router is there to protect and control access to the internal net, and the services host is there to interact with the outside world, much like a bastion host. We call it a services host, rather than a bastion host, because it's often fulfilling many other roles. For example, it's probably the mail server, Usenet news server, and DNS server for the site; it might possibly be a file server, print server, and so on, as well; it might even be the only machine the site has.
In this architecture the firewall consists of a dual-homed host: a machine with two or more network interfaces, each with its own IP address. One interface connects to the local network and the other interface (or interfaces) connects to the Internet. IP datagram forwarding is turned off on the dual-homed host, so there is no direct TCP/IP path between the local network and the Internet.
You can permit communication between the local network and the Internet in either of two ways:
- Users on the local network are given accounts on the dual-homed host. To use Internet services they must rlogin to the dual-homed host. Allowing user accounts on the machine weakens its security greatly: it now depends on every user who has access to it, or more precisely on those users' ability to choose strong passwords. Once an outsider succeeds in logging in to the dual-homed host, he or she can reach the entire local network.
- The dual-homed host runs a proxy program for each service you want to permit, so users no longer need to rlogin to the machine to reach the Internet; they communicate through the proxy software instead.
The only host that can be reached, and therefore attacked, from the Internet is the dual-homed host, so it must have a much higher level of security than an ordinary host on the local network: extensive logging and auditing of system state, only secure and necessary software installed, and so on. This architecture is much more secure than the screening router architecture, but once the dual-homed host is subverted the entire local network is still open to attack.
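The proxy approach above is easier to reason about with a concrete example. The following Python script is added here and is not part of the original page: it is a minimal per-service TCP proxy of the kind a dual-homed host would run. It refuses to start unless the kernel's IP forwarding flag reads 0 (read from /proc/sys/net/ipv4/ip_forward on Linux), it only connects to destinations in a fixed allowlist, and it writes one audit line per connection. The service names, target hosts and ports are constructed placeholders.

```python
import socket
import socketserver
import threading

# Constructed policy: each permitted service maps to exactly one upstream target.
# Anything not listed here is refused; the host proxies services, it never routes.
ALLOWED_SERVICES = {
    "smtp": ("mail-relay.example.net", 25),    # placeholder host/port
    "http": ("web-proxy.example.net", 8080),   # placeholder host/port
}

FORWARD_FLAG = "/proc/sys/net/ipv4/ip_forward"  # Linux sysctl; must read "0" here


def forwarding_enabled(sysctl_text):
    """Interpret the contents of the ip_forward sysctl file ("0\\n" or "1\\n")."""
    return sysctl_text.strip() == "1"


def read_forwarding_flag(path=FORWARD_FLAG):
    """True/False for the kernel's forwarding state, None if it cannot be read."""
    try:
        with open(path) as fh:
            return forwarding_enabled(fh.read())
    except OSError:
        return None


def lookup_service(name):
    """Return the (host, port) a listener for `name` may connect to, or refuse."""
    try:
        return ALLOWED_SERVICES[name]
    except KeyError:
        raise PermissionError(f"service {name!r} is not proxied")


def pump(src, dst):
    """Copy bytes from src to dst until EOF, then close dst's write side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class ProxyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        client = self.request
        host, port = self.server.target
        # Audit line: who connected, to which permitted service.
        print(f"{self.client_address[0]} -> {self.server.service_name} ({host}:{port})")
        try:
            upstream = socket.create_connection((host, port), timeout=10)
        except OSError as exc:
            print(f"upstream connect failed: {exc}")
            return
        with upstream:
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()


class ServiceProxy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, listen_addr, service_name):
        self.service_name = service_name
        self.target = lookup_service(service_name)   # raises if not allowlisted
        super().__init__(listen_addr, ProxyHandler)


if __name__ == "__main__":
    # Refuse to run as a proxy on a box that is also willing to route packets,
    # or on one where that cannot be verified.
    if read_forwarding_flag() is not False:
        raise SystemExit("refusing to start: IP forwarding is on or cannot be verified")
    with ServiceProxy(("0.0.0.0", 2525), "smtp") as proxy:
        proxy.serve_forever()
```

Because the proxy terminates the client's TCP connection and opens its own to the upstream, no packet from the local network ever crosses the host unmodified, which is exactly the property that turning forwarding off is meant to guarantee; the allowlist is what keeps the proxy from becoming an open relay.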
A routing table stores the routes to the various nodes in a network. A node can be any electronic device connected to the network. The table is usually stored in a router or in a network host as a database or file, and its contents are used to find the best available path. A routing table has at least three fields: the destination network ID, the cost of the path, and the next hop (the address to which the packet is sent).
Routing protocols assist in achieving the basic purpose of routing. They specify how routers communicate with each other and help them select the best path between nodes. There are different types, such as link-state routing protocols, path vector protocols and distance vector routing protocols. These protocols prevent routing loops from forming, or break them if they have already formed, and they decide preferred routes from a sequence of hop costs.
SNMP (Simple Network Management Protocol) is typically used for managing a network, which includes managing the nodes in it: servers, routers, bridges and hubs. SNMP agents running on those nodes are used to achieve this. Managing the network is essential because it lets you monitor network performance, detect network faults or failures, audit network usage and so on. SNMP messages such as TRAP, GET or SET may be sent by network elements or by the network management system.