How Firewalls Work
A firewall shields an internal network from the Internet by controlling which traffic is allowed to pass between the two. Behind the firewall, the network operates normally, with servers providing their usual services.
In order to reach the Internet from inside the firewall, all traffic must pass through an internal screening router, often called a “choke router.” The router examines every packet, reading its headers for information such as the source and destination addresses, the protocol, and the port, and on that basis decides whether to allow or drop the packet. The system administrator can configure the router to block all packets except e-mail, or to block packets arriving from specific suspicious sources on the Internet.
A “bastion host” in the firewall is the point of contact for incoming requests from the Internet. Because it is directly exposed, it is hardened more heavily than any other machine, with unnecessary services removed and the remaining ones locked down. Computers on the internal network cannot be contacted directly from the Internet; the bastion host is the only point of contact, which greatly reduces the network's exposure. The bastion host can also act as a proxy server that handles outgoing requests from inside the network, so internal computers never have direct contact with the Internet.
The bastion host is not placed on the internal network itself. Instead, it sits on a separate perimeter network (a DMZ) within the firewall, which shields the internal network even better. If the bastion host were on the internal network, an attacker who compromised it would have a foothold from which every computer on the network could be reached. Because the bastion host is isolated on the perimeter network, an attacker who does break into it still has no direct path to the internal network: the choke router continues to screen whatever the compromised host tries to send inward.
An “external screening router,” or “access router,” screens packets between the perimeter network and the Internet. This protects the network further, because it filters packets in much the same way the internal router does: the network stays protected even if the rules on one of the two routers are misconfigured or one router is compromised. The access router can also screen packets more thoroughly than the internal router, since it is the first filter Internet traffic meets, in order to protect the bastion host itself.
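To make the two-router layout concrete, here is an added example (not code from the original article) that simulates the screened-subnet architecture described above in Python. The address plan (a 192.0.2.0/24 perimeter network holding the bastion host, a 10.0.0.0/8 internal network), the rule sets for the access router and the choke router, and the proxy port 3128 are all constructed assumptions for illustration. Each router is a first-match packet filter over header fields with an implicit final deny, and a packet must be accepted by every router on its path; the last test case shows that even a compromised bastion host is stopped by the choke router.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example address plan (RFC 5737 documentation and RFC 1918 private ranges);
# none of these values come from the article.
INTERNET = ip_network("0.0.0.0/0")
PERIMETER = ip_network("192.0.2.0/24")     # perimeter network holding the bastion host
INTERNAL = ip_network("10.0.0.0/8")        # internal network being shielded
BASTION = ip_network("192.0.2.10/32")
MAIL_SERVER = ip_network("10.0.0.25/32")
PROXY_PORT = 3128                          # assumed port of the bastion's proxy service


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: object                  # ip_network the source address must fall in
    dst: object                  # ip_network the destination address must fall in
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def screen(rules, pkt: Packet) -> str:
    """First-match packet filter with an implicit final deny.
    This models the initial direction of each connection only; a real
    stateless filter would also need rules for the reply traffic."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Exterior ("access") router: between the Internet and the perimeter network.
ACCESS_ROUTER = [
    Rule("allow", INTERNET, BASTION, "tcp", 25),   # inbound mail, to the bastion only
    Rule("allow", INTERNET, BASTION, "tcp", 80),   # public web service on the bastion
    Rule("allow", BASTION, INTERNET, "tcp"),       # the proxy's own outbound connections
    Rule("deny", INTERNET, INTERNAL),              # the Internet never reaches the inside directly
]

# Interior ("choke") router: between the perimeter network and the internal network.
CHOKE_ROUTER = [
    Rule("allow", BASTION, MAIL_SERVER, "tcp", 25),       # bastion relays mail inward
    Rule("allow", INTERNAL, BASTION, "tcp", PROXY_PORT),  # inside hosts talk to the proxy
    Rule("allow", INTERNAL, BASTION, "tcp", 25),          # outbound mail via the bastion
    Rule("deny", PERIMETER, INTERNAL),                    # nothing else from the DMZ inward
]


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in PERIMETER:
        return "perimeter"
    return "internet"


def routers_on_path(pkt: Packet):
    """Which screening routers a packet crosses, in the order it meets them."""
    order = ["internet", "perimeter", "internal"]
    a, b = order.index(zone(pkt.src)), order.index(zone(pkt.dst))
    step = 1 if b > a else -1
    names = {("internet", "perimeter"): ("access router", ACCESS_ROUTER),
             ("perimeter", "internal"): ("choke router", CHOKE_ROUTER)}
    path = []
    for i in range(a, b, step):
        pair = tuple(sorted((order[i], order[i + step]), key=order.index))
        path.append(names[pair])
    return path


def decide(pkt: Packet):
    """Run the packet through every router on its path; the first deny wins."""
    for name, rules in routers_on_path(pkt):
        if screen(rules, pkt) == "deny":
            return ("deny", name)
    return ("allow", None)


if __name__ == "__main__":
    for p in [Packet("203.0.113.7", "192.0.2.10", "tcp", 25),   # Internet mail to bastion
              Packet("203.0.113.7", "10.0.0.25", "tcp", 25),    # Internet straight to inside
              Packet("10.0.0.5", "203.0.113.7", "tcp", 80),     # inside host bypassing proxy
              Packet("192.0.2.10", "10.0.0.5", "tcp", 22)]:     # compromised bastion probing inward
        print(p, "->", decide(p))
```

Note that internal hosts can only reach the Internet through the proxy port on the bastion host, and the choke router's final deny is what keeps a broken-into bastion host from scanning the internal network; dropping that single rule would collapse the perimeter network's value.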