A Proposed Configuration for the Screened Subnet Firewall Architecture
Prof. Dr. Alaa AL-Hamami*
Soukaena Hassan Hashem**
Abstract:
The Internet is open by nature, so sensitive Internet sites must be protected. The
best-known protection method is the firewall system. Instead of building the firewall
on a single router or gateway, more complex configurations can be used to enhance
the security of the site. This paper concentrates on one particular aspect of
providing Internet site security: using the screened subnet firewall architecture as
the hardware configuration of the protected site, modified so that it controls both
direct and dial-up connections. The configuration is supported by two separate
servers, one for normal authorized users and another for secure authorized users.
Keywords:
Internet, Firewall, Router, Subnet, Servers.
1- Introduction:
Data communications networks have become an infrastructure resource for
businesses, corporations, government agencies, and academic institutions. However,
new technologies introduce new threats, and networking puts not only corporate
resources, plans and data at risk, but ultimately the company's reputation and
potential survival [1].
A firewall is a critical part of the security of any Internet site. Basically, a
firewall improves the security of a site by limiting access to that site to an
absolute minimum. Although a firewall does not solve all Internet security problems,
no Internet site should be without one. Firewalls may give different levels of
security and come in different types and different configurations [2].
* Department of Computer Science, Al-Rafidian University College.
** Department of Computer Science and Information Systems, University of Technology.
2- Background
Firewall technology in TCP/IP internetworking provides a mechanism to help
enforce access policies on communication traffic entering and leaving networks.
We first describe both firewall types and firewall configurations to give a clear
picture of the proposed work [3].
2.1 Firewall mechanisms:
The common types of firewall, according to the level of the TCP/IP and OSI
stacks at which they work, are:
a- Network Level Firewall (Packet Filtering Firewall):
A packet filter is an access control mechanism for network traffic. Instead of
processing or forwarding every packet that arrives on or leaves the node's
network adapters, the packet filter consults its access control rules before
handling each packet [4,5]. Packet filters work at the network layer of the TCP/IP
stack (and of the OSI stack, on the same principle) [6]. A filter is a program that,
in general, examines the IP addresses (source and destination), port numbers,
protocol type and service type fields of every incoming packet against the specified
access control rules [6,7].
b- Application Level Firewall (Application Proxy):
These firewalls work somewhat differently from packet filtering firewalls.
Application gateway firewalls are software-based: when a remote user from the
outside contacts a network running an application gateway, the gateway blocks the
remote connection. Instead of passing the connection along, the gateway examines
various fields in the request and, if these meet a set of predefined rules, creates a
bridge between the remote host and the internal host (commonly called a proxy) [6,7].
c- Circuit Level Firewall (Circuit Proxy):
A circuit level gateway is a generic proxy that does not know the specifics of
the application but performs a more generic set of functions [4]. Circuit level
gateways work at the transport layer of the TCP/IP stack (and of the OSI stack, on
the same principle). They monitor the TCP three-way handshake that opens a
connection (session) to determine whether a requested session is legitimate [8].
d- Stateful Multilayer Inspection Firewall:
Stateful inspection firewalls combine aspects of the other three types. They
filter packets at the network layer, determine whether session packets are legitimate,
and evaluate the contents of packets at the application layer. Such a firewall
therefore examines all TCP/IP (and OSI) layers to either accept or reject the
requested communication [8].
2.2 Firewall configurations:
The common configurations of the firewalls are:
a- Screened Host Firewall, Single-Homed Bastion Architecture:
This firewall configuration consists of two systems, a packet filtering router and a
bastion host, as shown in figure (1).
Figure (1) Screened Host Firewall, Single-Homed Bastion [figure: Internet, packet filtering router, bastion host, information server, private network hosts].
The bastion host sits between the Internet and the internal site. The Internet can
talk to the bastion host, and the internal site can talk to the bastion host, but the
Internet and the internal site cannot talk directly to each other [3]. This
configuration implements authentication and proxy functions [3]. It also affords
flexibility in providing direct Internet access, for example to a public information
web server for which a high level of security is not required [9].
b- Screened Host Firewall, Dual-Homed Bastion Architecture:
A dual-homed bastion host is a bastion host configured with two network
interfaces, one facing in toward the secure site and one facing out toward the
Internet, as shown in figure (2) [4].
Figure (2) Screened Host Firewall, Dual-Homed Bastion [figure: Internet, packet filtering router, dual-homed bastion host, information server, private network hosts].
This configuration implements authentication and proxy functions [3]. It also
affords flexibility in providing direct Internet access, for example to a public
information web server for which a high level of security is not required. In
addition, its physical configuration prevents traffic from flowing directly through
the router between the Internet and other hosts on the private network even if the
packet filtering router is completely compromised [9].
c- Screened-Subnet Firewall Architecture:
In the screened-subnet configuration two packet filtering routers are used, one
between the bastion host and the Internet and one between the bastion host and the
internal network [9], as shown in figure (3).
Figure (3) Screened-Subnet Firewall [figure: Internet, outside router, screened subnet with bastion host and information server, inside router, private network].
It is possible to have multiple hosts in the isolated network where the bastion
host sits, also called the demilitarized zone or DMZ; this can alleviate performance
problems [4]. The screened subnet configuration now has three levels of defense to
thwart an intruder. The outside router advertises only the existence of the screened
subnet to the Internet, so the internal network is invisible to the Internet.
Similarly, the inside router advertises only the screened subnet to the internal
network, so systems on the inside network cannot construct direct routes to the
Internet [9,2].
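The packet filter of section 2.1(a) and the two-router screened subnet of section 2.2(c) can be exercised together in a small model. The following is an added example and is not code from the paper: it implements a first-match, stateless packet filter and places one rule set on the outside router and one on the inside router, then checks which router drops a given packet. The address plan (192.0.2.0/24 for the screened subnet, 10.10.0.0/16 for the private network), the sample packets, and the extra rule refusing telnet from the Internet are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (an assumption; the paper gives no addresses).
DMZ = ipaddress.ip_network("192.0.2.0/24")       # screened subnet: bastion host, information server
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # private network behind the inside router
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None      # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Stateless packet filter: the first matching rule wins, with an implicit final deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Outside router: the Internet may reach the screened subnet only.
# The telnet deny is an assumed local policy; it also shows why rule order matters.
OUTSIDE_RULES = [
    Rule("deny", ANY, DMZ, "tcp", 23),
    Rule("permit", ANY, DMZ),
    Rule("permit", DMZ, ANY),
]
# Inside router: the private network exchanges traffic with the screened subnet only,
# so no internal host can reach the Internet except through the bastion host.
INSIDE_RULES = [
    Rule("permit", INTERNAL, DMZ),
    Rule("permit", DMZ, INTERNAL),
]

_ORDER = {"internet": 0, "dmz": 1, "internal": 2}


def zone(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


def routers_on_path(src_zone: str, dst_zone: str) -> List[Tuple[str, List[Rule]]]:
    """The outside router sits between internet and dmz, the inside router between dmz and internal."""
    lo, hi = sorted((_ORDER[src_zone], _ORDER[dst_zone]))
    path = []
    if lo <= 0 < hi:
        path.append(("outside router", OUTSIDE_RULES))
    if lo <= 1 < hi:
        path.append(("inside router", INSIDE_RULES))
    if _ORDER[src_zone] > _ORDER[dst_zone]:
        path.reverse()               # outbound traffic meets the inside router first
    return path


def forward(p: Packet) -> Tuple[str, Optional[str]]:
    """Return ("permit", None) or ("deny", <name of the router that dropped the packet>)."""
    for name, rules in routers_on_path(zone(p.src), zone(p.dst)):
        if evaluate(rules, p) == "deny":
            return ("deny", name)
    return ("permit", None)


if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in (Packet("203.0.113.5", "192.0.2.20"),               # Internet -> information server
                Packet("203.0.113.5", "10.10.1.7"),                # Internet -> private host
                Packet("10.10.1.7", "203.0.113.5"),                # private host -> Internet, direct
                Packet("10.10.1.7", "192.0.2.10", dport=8080),     # private host -> bastion proxy
                Packet("203.0.113.5", "192.0.2.20", dport=23)):    # telnet from the Internet
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {forward(pkt)}")
```

The model has no notion of interfaces, so it cannot express anti-spoofing: a real outside router additionally drops packets arriving from the Internet whose source address lies in the screened subnet or the private network, and a real inside router drops packets from the screened subnet that claim an internal source. The "invisible internal network" property of the text comes from both the filter rules modelled here and the routes the routers advertise, which the model does not cover.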
3- The Proposed Hardware Configuration:
The proposed hardware configuration depends on the screened subnet firewall
configuration with some essential modifications.
As we know, most Internet sites are connected to the Internet by routers. The
protected site looks like any site connected to the Internet by a router, here called
the external router. It also has a bastion host equipped with a modem, an information
server, another router called the internal router, and finally a secure server hidden
behind the internal router, as shown in figure (4).
Figure (4) The proposed architecture for the protected site [figure: Internet, external router, bastion host with modem, information server, internal router, secure server].
Each part of the proposed configuration has a specific role, as described in the
following points:
External Router:
The external router is responsible for connecting the protected site to the
Internet, so it controls all direct connections with the site.
Bastion Host:
The bastion host is the basic element of any proposed protection system for the
Internet site, because it is responsible for connecting the protected site to the
Internet by modem, so it controls all dial-up connections with the site. With this
proposed configuration all packets, whether secure authorized packets for the secure
server or normal authorized packets for normal users, communicate with the
protected site through the bastion host address (the advertised address). Likewise,
packets leaving the secure server or the normal server reach the Internet through the
bastion host address. This holds whether the incoming and outgoing packets use
direct or dial-up connections.
Information Server:
The information server is responsible for providing public information to normal
authorized users.
Internal Router:
The internal router is responsible for connecting the site to the secure server
hidden behind it.
Secure Server:
The secure server is responsible for providing secure and sensitive information to
secure authorized users. Note that nobody knows the address of the secure server
except the administrator of the site.
4- The Proposed Security Policy For The Proposed Configuration:
The proposed policy classifies the packets handled by any protection system built
on the proposed hardware configuration as Blocked, Normal or Secure packets. This
classification depends on several elements determined by the protection system; in
general it depends on the source and destination addresses.
Normal packets:
These packets deal with the information server. An incoming normal packet is any
packet entering the protected site whose source address is neither that of a secure
authorized site (one with permission to access the secure server) nor that of an
unauthorized site (one with no permission to access the site at all). An outgoing
normal packet is any packet leaving the protected site whose destination address is
neither that of a secure authorized site nor that of an unauthorized site.
Secure Packets:
These packets deal with the secure server. An incoming secure packet is any packet
entering the protected site whose source address is that of a secure authorized site
with permission to access the secure server. An outgoing secure packet is any packet
leaving the protected site whose destination address is that of such a secure
authorized site.
Blocked Packets:
These packets have no permission to deal with the site. An incoming blocked packet
is any packet entering the protected site whose source address is that of an
unauthorized site with no permission to access the site. An outgoing blocked packet
is any packet leaving the protected site whose destination address is that of an
unauthorized site.
The proposed security policy is represented by multiple levels of protection for
both the secure server and the information server. It is applied to all incoming
and outgoing packets of the protected site, as stated in the following algorithm:
Input: an incoming or outgoing packet.
Output: the levels of protection the packet must pass.
Step 1: Determine whether the packet relates to the information server or to the
secure server, and whether the connection is direct or dial-up.
    If the packet relates to the secure server and the connection is direct,
        then the levels are: external router, bastion host, internal router, secure server.
    Else if the packet relates to the secure server and the connection is dial-up,
        then the levels are: bastion host, internal router, secure server.
    Else if the packet relates to the information server and the connection is direct,
        then the levels are: external router, bastion host, information server.
    Else if the packet relates to the information server and the connection is dial-up,
        then the levels are: bastion host, information server.
Step 2: Exit.
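The classification of this section and the multilevel algorithm above, written out as an added example that is not code from the paper. The address ranges are assumptions (198.51.100.0/24 as the secure authorized site, 203.0.113.0/24 as an unauthorized site, 192.0.2.10 as the bastion host's advertised address, and 192.0.2.0/24 plus 10.10.0.0/16 as the site's own prefixes), as is the choice of where a blocked packet is discarded, which the paper does not state.

```python
import ipaddress
from typing import List, Tuple

# Constructed address plan (an assumption; the paper gives no addresses).
SITE = [ipaddress.ip_network("192.0.2.0/24"),      # bastion host / information server subnet
        ipaddress.ip_network("10.10.0.0/16")]      # subnet hiding the secure server
BASTION = "192.0.2.10"                             # the only address advertised to the outside
SECURE_AUTHORIZED = [ipaddress.ip_network("198.51.100.0/24")]  # may reach the secure server
UNAUTHORIZED = [ipaddress.ip_network("203.0.113.0/24")]        # no permission at all


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def classify(src: str, dst: str) -> str:
    """Section 4 policy: the remote end of the packet decides its class.

    Incoming packets are judged by source address, outgoing ones by destination
    address. Unauthorized sites are tested first, so an address that appears in
    both lists is blocked rather than admitted.
    """
    incoming = not _in_any(src, SITE)
    remote = src if incoming else dst
    if _in_any(remote, UNAUTHORIZED):
        return "blocked"
    if _in_any(remote, SECURE_AUTHORIZED):
        return "secure"
    return "normal"


def defense_levels(src: str, dst: str, connection: str) -> Tuple[str, List[str]]:
    """The multilevel algorithm: the devices a packet must pass, in order.

    connection is "direct" (enters via the external router) or "dialup" (enters
    via the bastion host's modem). Outgoing packets traverse the same levels in
    reverse. A blocked packet is returned with only the device that discards it.
    """
    if connection not in ("direct", "dialup"):
        raise ValueError("connection must be 'direct' or 'dialup'")
    incoming = not _in_any(src, SITE)
    cls = classify(src, dst)
    if cls == "blocked":
        # Assumption: an incoming blocked packet is dropped by the first device that
        # sees it; an outgoing one by the bastion host, through which all traffic leaves.
        if incoming:
            return cls, ["external router" if connection == "direct" else "bastion host"]
        return cls, ["bastion host"]
    if cls == "secure":
        levels = ["bastion host", "internal router", "secure server"]
    else:
        levels = ["bastion host", "information server"]
    if connection == "direct":
        levels.insert(0, "external router")
    if not incoming:
        levels.reverse()
    return cls, levels


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, connection type).
    samples = [
        ("198.51.100.7", BASTION, "direct"),    # secure authorized site, direct
        ("198.51.100.7", BASTION, "dialup"),    # secure authorized site, dial-up
        ("100.64.0.9", BASTION, "direct"),      # ordinary site, direct
        ("203.0.113.9", BASTION, "direct"),     # unauthorized site
        ("10.10.5.5", "198.51.100.7", "direct"),  # reply from the secure server
    ]
    for src, dst, conn in samples:
        print(f"{src} -> {dst} ({conn}): {defense_levels(src, dst, conn)}")
```

Because the policy keys on addresses alone, it is only as strong as the anti-spoofing applied at the entry device: a packet that forges a secure authorized source address would be classified as secure by this logic, so the external router (for direct connections) and the bastion host (for dial-up) must refuse packets whose source address could not legitimately arrive on that interface.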
5- Results:
We now describe the intruder's behaviour against each of the firewall
configurations, and why the intruder fails against the proposed hardware configuration.

The intruder with the screened host firewall, single-homed configuration:
This configuration relies on two separate security devices, the router and the
bastion host. If either of these fails, the network is exposed. If the packet
filtering router is completely compromised by the intruder, traffic can flow directly
through the router between the intruder and other hosts on the private network.

The intruder with the screened host firewall, dual-homed configuration:
In this configuration the bastion host needs to be as secure as possible, because
it is the way an intruder will try to get in from the Internet; if any piece of
software on it lets an intruder in, the entire network is exposed. Again, an
information server or other hosts can be allowed direct communication with the
router if this is in accord with the security policy.

The intruder with the screened subnet firewall configuration:
In this configuration the intruder faces three related levels of defense before
reaching the private network. However, as in the previous configurations, it has
no control over dial-up connections.

The intruder with the proposed hardware configuration:
The proposed configuration has a strong defense against the intruder, because it
controls direct connections by the external router, controls dial-up connections by
the bastion host, and separates the information on the site onto two separate
servers, an information server holding the public information and a secure server
holding the secure information. The intruder therefore faces greater difficulty in
succeeding with an intrusion.
6- Conclusion:
The study shows that, to protect an Internet site by any proposed protection
system, we must first provide a high level of security in the hardware configuration
of the protected site.
Using the screened subnet firewall architecture with the essential changes is very
helpful in increasing security, because it provides multiple levels of protection for
the information server and the secure server, isolates the secure server from the
public information server, and controls both direct and dial-up connections to the site.
7- References:
1- Lyles, J. B., Schuba, C. L., "A Reference Model for Firewall Technology and Its
Implication for Connection Signaling", 1996.
2- Goncalves, M., "Firewalls Complete", McGraw-Hill, 1997.
3- Breedlove, B., et al., "Web Programming Unleashed", Sams.Net, 1996.
4- Escamilla, T., "Intrusion Detection: Network Security Beyond the Firewall",
John Wiley & Sons, Inc., 1998.
5- Comer, D. E., "Internetworking with TCP/IP, Vol. I: Principles, Protocols, and
Architecture", Third Edition, Prentice-Hall, Inc., 2000.
6- Goncalves, M., Brown, S. A., "Check Point Firewall-1 Administration Guide",
McGraw-Hill, 2000.
7- ZDNet Research Center, Business and Technology White Papers, "Intrusion
Detection: Deploying the Shomiti Century Tap", METAS, ZDNet, 2001.
8- Vicomsoft Knowledge Share, "Firewall Q & A", Vicom Technology Ltd., 2001.
http://www.whatis.com/firewall.htm
http://www.ncsl.nist.gov/nistpubs/800-10/main.html
http://firewall.com
http://www.reedbsd.org/handbook/firewalls.html
http://netsecurity.about.com/library/weakly/aa080299.htm
http://netsecurity.about.com/library/weakly/aa92299.htm
http://www.winmag.com/library/1997/0701/cover150.htm
http://www.infosecuritymag.com/may99/cover.htm
http://www.spirit.com/cs1/archives.html
9- Stallings, W., "Network Security Essentials: Applications and Standards",
Prentice-Hall, 2000. http://www.shore.net/~ws/NetSec.html (errata list for the book
at http://www.shore.net/~ws).
Arabic abstract (translated):
A Proposed Configuration for the Screened Subnet Firewall Architecture
Prof. Dr. Alaa Hussein Al-Hamami*
Sukaina Hassan Hashem**
Abstract:
The Internet is a communications network of an open nature, so sensitive sites on the
Internet must be protected. The best-known means of protection are firewall systems.
Instead of building firewall systems on a router or gateway alone, a more complex
architecture can be used to improve the security of the site. This research focuses on
supporting the security of the site by using the screened subnet firewall architecture
as the architecture of the site to be protected, and modifying it so that it controls
both direct connections and connections over the telephone network, in addition to
providing two separate servers, one for users authorized to access the secret
information and the other for users authorized to access the public information.
* Department of Computer Science, Al-Rafidain University College.
** Department of Computer Science and Information Systems, University of Technology.