Screening Routers

In addition to the usual routing function, a screening router decides whether or not to forward a packet.
Example:

| Rule | Source Address | Source Port | Destination Address | Destination Port | Protocol and Flags | Action | Comments |
| 1 | 121.3.4.105 | * (any port) | *.*.*.* (any host) | * (any port) | * (any protocol) | Block | Block any access to any local host from a specific foreign host |
| 2 | 123.4.5.67 | 20 | *.*.*.* | * | TCP | Permit | Allow access to ftp server (123.4.5.67) from any host |

Note - this is not a good, secure rule set.
Some examples of rules that might be implemented in a screening router:
- Block all source routed packets (susceptible to spoofing)
- Block any packet from the outside that claims an address that belongs on the inside
- Allow access from outside only to mail and dns
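As an added example (not part of these notes), a small first-match packet filter in Python that evaluates the two rules of the table together with the anti-spoofing rule above against constructed sample packets. It assumes the inside network is 123.4.5.0/24 and that the router knows which interface a packet arrived on; both are assumptions, not facts from the notes.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (not stated in the notes): the inside network is 123.4.5.0/24,
# since the notes describe the ftp server 123.4.5.67 as a local host.
INSIDE_NET = "123.4.5.0/24"
@dataclass
class Rule:
    iface: str   # interface the packet arrived on: "outside", "inside" or "*"
    src: str     # address, CIDR network, or "*" / "*.*.*.*" for any host
    sport: str   # port as a string, or "*" for any port
    dst: str
    dport: str
    proto: str   # "TCP", "UDP", ... or "*" for any protocol
    action: str  # "Permit" or "Block"
    comment: str = ""
def _field_match(pattern, value):
    return pattern == "*" or pattern == str(value)  # the table's "*" wildcard
def _addr_match(pattern, addr):
    if pattern in ("*", "*.*.*.*"):
        return True
    if "/" in pattern:  # CIDR network: match by membership
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return pattern == addr

def evaluate(rules, pkt, default="Block"):
    """First-match evaluation; returns (action, 1-based rule number or None)."""
    for n, r in enumerate(rules, 1):
        if (_field_match(r.iface, pkt["iface"]) and _addr_match(r.src, pkt["src"])
                and _field_match(r.sport, pkt["sport"]) and _addr_match(r.dst, pkt["dst"])
                and _field_match(r.dport, pkt["dport"]) and _field_match(r.proto, pkt["proto"])):
            return r.action, n
    return default, None  # nothing matched: apply the default policy (block)

RULES = [  # anti-spoofing rule first, then rules 1 and 2 of the table
    Rule("outside", INSIDE_NET, "*", "*", "*", "*", "Block", "outside packet claiming an inside address"),
    Rule("*", "121.3.4.105", "*", "*", "*", "*", "Block", "block a specific foreign host"),
    Rule("*", "123.4.5.67", "20", "*", "*", "TCP", "Permit", "allow ftp server port 20 to any host"),
]

def demo():
    """Constructed sample packets run against RULES; returns name -> (action, rule)."""
    pkts = {
        "foreign_host": {"iface": "outside", "src": "121.3.4.105", "sport": 4321, "dst": "123.4.5.67", "dport": 25, "proto": "TCP"},
        "ftp_data_out": {"iface": "inside", "src": "123.4.5.67", "sport": 20, "dst": "200.1.2.3", "dport": 40000, "proto": "TCP"},
        "spoofed_inside": {"iface": "outside", "src": "123.4.5.67", "sport": 20, "dst": "123.4.5.9", "dport": 40000, "proto": "TCP"},
        "unmatched_in": {"iface": "outside", "src": "200.1.2.3", "sport": 5000, "dst": "123.4.5.67", "dport": 21, "proto": "TCP"},
    }
    return {name: evaluate(RULES, p) for name, p in pkts.items()}
```

The spoofed packet is caught by the anti-spoofing rule only because it is ordered before the Permit rule; swapping the order would let it through.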
Bastion Host

A specific host is used to intercept packets entering or leaving a network. The host includes proxy versions of services to remove the security burden from hosts on the network. In general, a bastion host is a particularly strong point of defense.
Dual Homed Gateway (a bastion host)

A system placed on both the private network and the Internet. No connections are permitted between hosts on the private network and any place in the Internet. It differs from a screening router in that it can look at any part of any packet that reaches it. It can also be programmed to keep logs, issue alarms, or do anything else deemed helpful in enforcing security.
Screened Host Gateway

A combination of a screening router and a bastion host. The screening router blocks all traffic except to the bastion host. There may be restrictions on the traffic that is allowed to pass through to the bastion host.
Screened Subnet

The screening router restricts traffic except to a particular subnet. A bastion host on that subnet reviews all traffic and determines what traffic can enter the protected network.