
Screened Subnet

A Screened Subnet IS NOT a basic firewall that adds security between the Internet and your private subnet.

A Screened Subnet is a general term for a second private subnet such as a guest network or DMZ.

I don't like this term when talking about DMZs because segmented networks such as guest networks are treated differently than DMZs, so IMO the term Screened Subnet suits guest networks more appropriately and shouldn't be used when describing a DMZ, although it's a general term for this type of architecture.

Anyway, enough waffle. If your router has a guest network or DMZ on a different subnet than your regular private subnet, then you have a Screened Subnet.
 
First of all this is not something you are likely to see in consumer toy devices. Typically a screened subnet sits between a router terminating a circuit and a security device like so:

Code:
Internet
      |
      |
     /30 (typical)
      |
Screen Router
      |
     /30 or larger (typical) - This is the screened subnet. (It is between the router and firewall)
      |
      |
   Firewall--- DMZ of whatever size network
      |
      |
 Choke router or internal switch


A choke router would be typical if one were running dynamic routing protocols through, but not on, the firewall. This is especially true with managed security services. Please note the firewall could have many more, or even fewer, networks hanging off of it. It does not have to be triple homed. It would, of course, need to be minimally dual homed.
 
If your router has a guest network or DMZ on a different subnet than your regular private subnet, then you have a Screened Subnet.

I follow what you're saying.. sort of. I don't really like this term either, because it seems unnecessarily confusing. So a DMZ on a different subnet would be a screened subnet. What is the difference between a network just on a different subnet, and a screened subnet, though?

It's just a different subnet that's located between the internet and your firewall, that acts sort of like a DMZ?

Also.. when talking about DMZs.. I get confused. A DMZ is supposed to offer security advantages, but I really don't get how? A DMZ leaves a computer more exposed to the internet/external sources than a regular subnet, since usually all ports on the DMZ are open, right? Well, doesn't that make computers in the DMZ more vulnerable? I mean.. isn't it essentially a less secure network, separate from your more-secure private network?

The problem is, I'm working from ALL theory and books here. I need to talk to people about this stuff, or see it in real life, and I'll be able to understand it better. I just don't really have the resources to learn things that easily when it comes to this.. and the internet and Googling information can make it more tough than it is, and can be confusing because of different terms used for different things/concepts, etc.
 
Ask away, people on here are usually helpful. I also hope I don't confuse the matter for you.

What is the difference between a network just on a different subnet, and a screened subnet, though?

It's the screen part of the term, meaning it's secured (or firewalled) between it and other private subnets. You either won't be able to talk to the hosts on a DMZ or have extremely limited access such as port 80 or 443 to specific hosts. A DMZ can be architected in many different ways, such as the one above. But think to the left of a firewall, then you'll understand if you have a core switch, you'll be routing to the firewall to get to the DMZ, which may be NAT'ed and more advanced in security. As the DMZ needs a switch, there is usually a DMZ VLAN only on Layer 2, so it cannot talk directly to the core, so you'll be going from the LAN up to the firewall and back to the core to get to the DMZ.

If you have just another VLAN and therefore more subnets it will be from the core and won't involve the firewall in communicating to it.

I think you're missing a Core switch that sits behind the firewall. It should give greater understanding of what's going on. If you only have a firewall, which is expected for a small network, then the principles are the same, but more confusing.

Code:
          Internet
             |
          Firewall  ----- DMZ (VLAN 666)
             |
         Core Switch
        |           |
    VLAN 30        VLAN 5

A DMZ is supposed to offer security advantages, but I really don't get how? A DMZ leaves a computer more exposed to the internet/external sources than a regular subnet, since usually all ports on the DMZ are open, right? Well, doesn't that make computers in the DMZ more vulnerable? I mean.. isn't it essentially a less secure network, separate from your more-secure private network?

A DMZ is still firewalled. A DMZ's firewall may be configured with less or more security depending on needs. Now it's classified as less secure because it's exposed to the internet, and hence your normal LAN with important data isn't, which therefore makes your LAN more secure. Now if your "exposed to the Internet host" is compromised, the compromiser needs to get to the LAN, which is going to be more difficult.

Hope that helps,
 
Just another note...

think to the left of a firewall, then you'll understand if you have a core switch, you'll be routing to the firewall to get to the DMZ, which may be NAT'ed and more advanced in security. As the DMZ needs a switch, there is usually a DMZ VLAN only on Layer 2, so it cannot talk directly to the core, so you'll be going from the LAN up to the firewall and back to the core to get to the DMZ.

That is if you allow the LAN to talk to the DMZ. As it's segmented from the firewall it's completely separated from the LAN and keeps the LAN completely secure from communication allowed inbound from the Internet, which via policy will always be the DMZ.
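The policy described in the replies above (Internet may reach only the DMZ, the LAN gets limited access to DMZ hosts, the DMZ never initiates into the LAN) written out as an nftables ruleset for the Firewall / DMZ / Core Switch diagram. This is an added example, not configuration from anyone in the thread; the interface names (eth0 Internet, eth1.666 DMZ VLAN, eth2 trunk to the core switch), the DMZ web host 192.0.2.10 and the public address 203.0.113.5 are all constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (constructed): three-zone firewall policy for the diagram above.
# Assumed interfaces: eth0 = Internet, eth1.666 = DMZ (VLAN 666), eth2 = trunk to core.
flush ruleset

table inet screened {
    chain forward {
        type filter hook forward priority filter; policy drop;   # deny by default

        # Return traffic for flows already permitted below
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service, only to the one DMZ host
        iifname "eth0" oifname "eth1.666" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # LAN -> DMZ: "extremely limited access such as port 80 or 443 to specific hosts"
        iifname "eth2" oifname "eth1.666" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # LAN -> Internet: outbound browsing allowed
        iifname "eth2" oifname "eth0" accept

        # DMZ -> Internet: only what the web host itself needs (DNS and HTTPS updates)
        iifname "eth1.666" oifname "eth0" ip saddr 192.0.2.10 udp dport 53 accept
        iifname "eth1.666" oifname "eth0" ip saddr 192.0.2.10 tcp dport 443 accept

        # DMZ -> LAN: never initiated from the DMZ side; log so a compromised
        # DMZ host probing inward shows up in the firewall logs
        iifname "eth1.666" oifname "eth2" log prefix "dmz-to-lan-denied: " drop

        # Internet -> LAN: covered by the default drop, logged for visibility
        iifname "eth0" oifname "eth2" log prefix "wan-to-lan-denied: " drop
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The DMZ host is NAT'ed: publish it on the firewall's public address
        iifname "eth0" ip daddr 203.0.113.5 tcp dport { 80, 443 } dnat ip to 192.0.2.10
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # LAN and DMZ leave via the firewall's public address
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the forward chain is what makes the DMZ "screened" rather than just another VLAN on the core switch.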
 