Understanding Firewall Architectures: Exploring Terminology and Definitions

There are many textbooks that invent their own terminology; as long as you understand the terms in the context of the book, that’s OK. For example, your ‘single bastion inline’ is called ‘Internet screening firewall’ elsewhere, and your ‘single bastion T’ could be called ‘Internet firewall with a single DMZ’.

(‘When I use a word, it means just what I choose it to mean—neither more nor less.’)

That being said, there are a number of standard terms.

A host-based or host-resident firewall is most of the time a bit of packet filtering by the OS. At best it is unreliable: we’ve had examples where a server’s ‘host-based firewall’ was completely opened by the upgrade of a software package.

A screening router is a router that filters IP traffic. Rules should be kept simple. In general (but not always) it does stateless filtering. (See https://dullaart.website/acl/index.html for more on that.)
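As an added illustration (not code from the original post), here is a small first-match ACL evaluator in Python that behaves like a stateless screening router. Addresses, rules and packets are constructed; it shows why the reply leg of a connection needs its own rule and why such rule sets are kept simple.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    sport: int   # source port
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    sport: Optional[int] = None  # None matches any source port

    def matches(self, p: Packet) -> bool:
        # A stateless rule looks only at the header fields of this one packet;
        # it knows nothing about any connection the packet belongs to.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


def screen(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; an implicit deny closes the list."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed ACL: the Internet may reach a web server (203.0.113.10) on TCP 443.
# Because the router is stateless, the server's replies (source port 443) must be
# permitted explicitly; without the second rule they hit the implicit deny.
ACL = [
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", dport=443),
    Rule("permit", "203.0.113.10/32", "0.0.0.0/0", "tcp", sport=443),
]

if __name__ == "__main__":
    request = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 51000)
    print(screen(ACL, request), screen(ACL, reply), screen(ACL[:1], reply))
```

The reply rule is also the classic weakness of stateless filtering: it admits any packet from the server with source port 443, connection or not, which is what a stateful firewall or proxy avoids.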

A screening host is a host that screens (filters) the network traffic. You could say that a firewall is a screening host. Some will also say that a proxy is a screening host (though one working at a higher layer of the OSI stack).

A bastion host is a host through which all traffic must go. Many describe firewalls as bastion hosts, though some reserve the term for a host like a web server or proxy. A bastion host is always at least dual-homed: it has an input and an output, although either may be virtual.

A multi-homed host is a host that has network adapters in different networks, like, for example, your bastion hosts.

The T in the architectures is for the optical likeness, but you may have guessed that. When I learned about firewalls (long ago), your ‘double bastion in line’ was called ‘Dual firewall with a T-DMZ’. Inline is also a term that describes how hosts are connected.
