Screened Subnet Firewall

Screened Subnet Firewall Definition

A screened subnet firewall is a network security design that creates a buffer zone between the internet and a private network. This buffer, usually called a demilitarized zone (DMZ) or perimeter network, holds the public-facing servers, such as web, mail, or file transfer servers. Outside users can reach these public services without ever being given a path into the rest of the network.

How a Screened Subnet Works

A screened subnet divides the network into three parts: the internet, the perimeter network (the DMZ), and the private network. One or two firewalls control the traffic between these areas. Public-facing servers sit inside the perimeter network, where outside users can reach them on the specific ports the firewall allows. The firewall does not, however, let those servers initiate connections into the internal network, so a DMZ host that is taken over cannot simply pivot inward.

If an attacker compromises a public server, the firewall limits the damage by containing the breach in the DMZ. The private network, where sensitive data and business systems live, stays behind a further set of firewall rules (or a second firewall) that permits only the narrow, explicitly defined traffic the DMZ services genuinely need.
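The zone policy described above, written out as a small model of a three-legged screened subnet firewall. This is an added example, not from the original article or any vendor product: the addresses, host roles, port numbers and the single DMZ-to-internal "pinhole" (the web server talking to the database on 5432) are assumptions chosen to show the design. The model uses default deny and assumes a stateful firewall, so reply traffic for accepted flows is implied and never needs its own rule.

```python
"""Policy model of a three-legged screened-subnet firewall.

Added example, not from the original article. The zone address ranges,
host roles and the DMZ-to-internal pinhole are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: one firewall interface per zone.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),     # perimeter network
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # private network
}


def zone_of(ip: str) -> str:
    """Classify an address; anything outside the known zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None      # None matches any destination port
    src_host: Optional[str] = None   # restrict the rule to one source host
    dst_host: Optional[str] = None   # restrict the rule to one destination host


# Allow-list evaluated top to bottom; anything unmatched is dropped.
# Stateful inspection is assumed, so replies to accepted flows are implied.
POLICY = [
    Rule("internet", "dmz", dport=443),                           # public web
    Rule("internet", "dmz", dport=25, dst_host="203.0.113.25"),   # mail relay
    Rule("internal", "dmz"),                                      # staff manage DMZ
    Rule("internal", "internet"),                                 # outbound access
    # Assumed pinhole: only the web server, only to the DB host, only on 5432.
    Rule("dmz", "internal", dport=5432,
         src_host="203.0.113.10", dst_host="10.10.5.20"),
]


def decide(src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for the first packet of a new connection."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src_host is not None and r.src_host != src:
            continue
        if r.dst_host is not None and r.dst_host != dst:
            continue
        return "accept"
    return "drop"  # default deny


def containment_check() -> dict:
    """Constructed flows showing what a compromised DMZ web server can reach."""
    web = "203.0.113.10"
    return {
        "client_to_web": decide("198.51.100.7", web, 443),
        "client_to_internal_db": decide("198.51.100.7", "10.10.5.20", 5432),
        "web_to_db_pinhole": decide(web, "10.10.5.20", 5432),
        "web_to_db_other_port": decide(web, "10.10.5.20", 22),
        "web_to_fileserver_smb": decide(web, "10.10.5.30", 445),
        "mail_to_db": decide("203.0.113.25", "10.10.5.20", 5432),
        "staff_to_web": decide("10.10.42.9", web, 22),
    }


if __name__ == "__main__":
    for flow, verdict in containment_check().items():
        print(f"{flow:24s} {verdict}")
```

The point of the pinhole rule is the practitioner's caveat: a real DMZ web tier almost always needs one narrow path inward, and that path should be pinned to a single source host, a single destination host and a single port. Everything else from the DMZ toward the internal network, including the mail relay trying the same database port, falls through to the default drop.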

Screened Subnet vs DMZ

A screened subnet firewall is a type of DMZ setup. While all screened subnets are DMZs, not all DMZs use screened subnet designs. The table below shows how they differ.

Design
  Screened subnet firewall: Uses one or two firewalls to separate the internet, the DMZ, and the private network.
  DMZ: Any isolated network zone between the internet and the private network.

Function
  Screened subnet firewall: Adds a buffer zone and filters traffic through firewalls.
  DMZ: Provides a space for public-facing servers, separate from the private network.

Common use
  Screened subnet firewall: Hosts web, mail, or file transfer servers behind firewall filtering.
  DMZ: Hosts public servers or services in a network zone separate from the private LAN.

Scope
  Screened subnet firewall: One method of creating a DMZ.
  DMZ: Can be built in different ways, including as a screened subnet.

Where Are Screened Subnet Firewalls Used?


FAQ

Is a screened subnet the same as a DMZ?

Not exactly. A screened subnet is one way to build a DMZ. Although every screened subnet firewall creates a DMZ, a DMZ can also be built with other designs, such as a screened host design that relies on a single bastion host rather than a separate perimeter subnet.

Does a screened subnet require two firewalls?

No. You can set up a screened subnet with a three-legged firewall: a single firewall with three interfaces, one each for the internet, the perimeter network, and the private network. Using two firewalls (one between the internet and the DMZ, another between the DMZ and the private network) adds a second layer for filtering and monitoring traffic, and means a flaw in one device does not expose the internal network on its own, but it isn't required.

What does the firewall do in a screened subnet?

The firewall filters traffic between the internet, the perimeter network, and the private network. For example, it lets outsiders reach a web server in the perimeter network on its public ports, but blocks them from reaching databases in the private network, and stops the web server itself from opening connections into the private network except where a rule explicitly permits it.
