Internet Facing Hosts
■ Hosts or servers that accept inbound connections from the internet
■ Example
● Web server on a screened subnet
Screened Subnet
■ A segment isolated from the private network by firewalls
■ Set up to accept connections from the internet over designated ports
■ Purpose
● Keeps forward-facing servers out of the internal network
■ Security
● Semi-trusted zone
○ Invisible to the outside network except for forward-facing servers
Content of a Screened Subnet
■ Internet-facing servers such as email and web servers
■ Communication servers, proxy servers, and remote access servers
■ Public services or extranet capabilities
■ Security Measures
● Harden devices in the screened subnet
● Use intrusion detection systems
● Consider all devices in the screened subnet as untrusted
● Protect against pivoting attacks from the screened subnet into the internal network
■ Bastion Host
● A host or server in the screened subnet that is not configured with the services that run on the local network
● Example
○ Email server
○ Web server
○ Remote access server
Jumpbox
■ A hardened server that provides access to other hosts within the screened subnet
■ Purpose
● Control access to the screened subnet from the internal network
■ Security
● Should be heavily hardened and protected
■ Management of Jumpbox
● Can be a physical PC or a virtual machine
● Should have only the minimum required software
● Fully hardened and secured to protect against unauthorized access
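The firewall policy these notes describe, written out as an added example (not part of the notes): a screened subnet that accepts internet connections only on designated ports, an internal network that the screened subnet may never initiate connections into, and a jumpbox as the only path from the internal network to hosts in the screened subnet. Address ranges, zone names and the sample flows are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Zones of a screened-subnet design; address ranges are constructed for the example.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz":      ip_network("203.0.113.0/24"),   # the screened subnet
    "internal": ip_network("10.0.0.0/8"),
    "jumpbox":  ip_network("10.0.1.10/32"),     # hardened host inside the internal range
}

# Firewall policy: (source zone, destination zone, TCP port or None for any, action).
# First matching rule wins; anything unmatched is denied.
RULES = [
    ("internet", "dmz", 443, "allow"),      # public web server on a designated port
    ("internet", "dmz", 25, "allow"),       # public mail server
    ("internal", "jumpbox", 22, "allow"),   # admins enter the jumpbox first
    ("jumpbox", "dmz", 22, "allow"),        # only the jumpbox manages screened-subnet hosts
    ("dmz", "internal", None, "deny"),      # block pivoting from the screened subnet inward
    ("dmz", "jumpbox", None, "deny"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match, so the /32 jumpbox wins over the /8 internal range."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a new connection from src_ip to dst_ip:dst_port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src, rule_dst) == (src, dst) and rule_port in (None, dst_port):
            return action
    return "deny"  # default deny


if __name__ == "__main__":
    # Constructed sample flows; the third one is a pivot attempt from the screened subnet.
    flows = [
        ("198.51.100.7", "203.0.113.10", 443),
        ("198.51.100.7", "203.0.113.10", 22),
        ("203.0.113.10", "10.0.5.20", 445),
        ("10.0.5.20", "10.0.1.10", 22),
        ("10.0.1.10", "203.0.113.10", 22),
    ]
    for src, dst, port in flows:
        print(f"{zone_of(src):8} -> {zone_of(dst):8}:{port:<4} {evaluate(src, dst, port)}")
```

Running it shows the public web port reaching the screened subnet while SSH from the internet, the pivot into the internal network, and direct internal-to-screened-subnet access (bypassing the jumpbox) are all denied.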