Firewall Architectures: What Are They? + Differences ▷ 2020

The first firewall in history was developed around 1988 and, to this day, firewalls remain a critical component of IT architecture for protecting information, since their main objective is to control the flow of traffic and safeguard the data held on computers.

There are currently several types of firewall and, driven by users' needs, their capabilities have expanded considerably. Which one to use depends on the complexity and importance of the networks or resources to be protected.

For this reason, it is essential to know each of the existing firewall architectures in order to understand how it works, select the most appropriate one and determine how each differs from the others.

What is a firewall architecture and what is it for?

In principle, a firewall can be defined as a system that enforces a given access control policy between two networks. It works as a kind of wall, implemented in hardware or software, that manages and/or filters all incoming and outgoing traffic between two networks or between computers on the same network. Firewalls are therefore the systems used to separate a machine or subnet from the rest, as far as security is concerned.

In this way, a firewall preserves the security and privacy of users. It is also useful for safeguarding a home or business network, keeping information safe and preventing intrusions by third parties.

A firewall architecture or topology, in turn, consists of the physical and logical arrangement of computing assets. It is a construct that, through its design and planning, defines the structure of the network in question and, once traffic has been channeled through it, permits or denies the appropriate elements.

What are all the existing firewall architectures and how are they different?

There are several firewall architectures today, from the simplest, which uses only a screening router, to the most complex, which are based on proxies, perimeter networks and several screening routers. Each user must therefore choose the type of firewall architecture according to the organization's budget and the security requirements that have been determined.

Each of these types is described below:

Packet filtering firewall


This firewall architecture relies solely on the ability of some routers to perform selective routing, restricting or admitting packets through access control lists based on certain attributes: the source and destination IP addresses, the source and destination ports, the router's input and output interfaces, or the protocol.

It is therefore a type of firewall that makes processing decisions based on network addresses, ports, interfaces or protocols. Packet filters keep no state information and do not inspect the contents of the traffic. For that reason they are very fast, since there is little logic behind the decisions they make.

Their main drawback is that they have no sophisticated monitoring system. They are therefore considered one of the most insecure types of firewall, because the administrator cannot verify whether security has been compromised, and because they forward any traffic sent to an approved port, which may include malicious traffic.
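The decision process described above, as an added example that is not part of the original article: a stateless access control list evaluated first-match with an implicit deny, using only addresses, protocol, port and input interface. All addresses, interface names and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str           # interface the packet arrived on
    tcp_flags: str = ""  # present in the packet, never consulted by the filter

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    iface: str            # input interface, or "any"

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in ("any", pkt.iface))

def filter_packet(acl, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed ACL: eth0 faces the external network, eth1 the internal one.
ACL = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "eth0"),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "any", None, "eth1"),
]

# Constructed packets.
SYN = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, "eth0", "SYN")
STRAY_ACK = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, "eth0", "ACK")
SSH = Packet("203.0.113.7", "192.0.2.10", "tcp", 22, "eth0", "SYN")
SPOOFED = Packet("10.0.0.5", "192.0.2.10", "tcp", 22, "eth0", "SYN")
```

STRAY_ACK is permitted even though no connection was ever opened, because the filter keeps no state and looks only at the approved port. SPOOFED claims an internal source but is denied because the permissive internal rule is tied to the eth1 interface.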

Dual-Homed Host Architecture

As the name implies, this architecture is built around a host that has two network cards, each connected to a different network. It consists of simple Unix machines known as "dual-homed hosts": one card is connected to the internal network to be protected and the other to the external network.

The system must run at least one proxy application for each service that is to pass through the firewall. In addition, the routing function must be disabled, so that external systems see the host through one of the cards and internal systems reach it through the other, ensuring that no traffic can avoid passing through the firewall.

Traffic between the internal and external networks is completely blocked. As a result, this architecture provides a very high level of control, since any packet with an external source is an indication of some kind of security breach. Another advantage is its simplicity, because it requires only one computer. Its disadvantage is that, with routing disabled, every service must be handled by a service on the host itself.

Screened host


This is a firewall model in which the connection between the two networks is made through a router configured exclusively to block all traffic between the external network and every host on the internal network except a single bastion host. The bastion is where all the software needed to implement the firewall is installed.

The architecture therefore combines a screening router with a bastion host: the screening router sits between the bastion host and the external network, while the bastion host sits inside the internal network. The bastion is the only system on the internal network that is reachable from the external network, so any external system that tries to reach the internal systems must connect to the bastion host.

The level of security this topology provides is much higher, since it goes one step further by combining a router with a bastion host, and the main level of security comes from packet filtering. The router filters out packets that may be considered a threat to the security of the internal network by accepting communication with only a small number of services.

Screened subnet

It is regarded as the most secure and reliable firewall architecture to date. It adds a network known as a "demilitarized zone" or "perimeter network", located between the two networks to be connected and linked to them through two routers, which reduces the effects of a successful attack on the bastion host.

The aim is to isolate the bastion host, which is generally the main target for most cybercriminals. The architecture encloses the bastion within a perimeter network, so that an intruder cannot gain full access to the protected subnet. Being the most secure architecture of all, it is also the most complex.

This complexity comes from the use of two routers (called exterior and interior), both connected to the demilitarized zone. The exterior router must restrict unwanted traffic in both directions, and the same is true of the interior router.

However, this architecture can also suffer from non-compliance with the security policy (because trusted services pass directly without going through the bastion) and, in addition, it is difficult to establish and verify the filter rules on the routers (which is precisely where most of the security resides).
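One way to check the two routers' rule sets for the policy problem described above, as an added example that is not part of the original article: every permit rule on either router should have the bastion host as one endpoint and name a specific service. The addressing plan, rule names and rules are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan: the bastion host lives in the perimeter network.
BASTION = ipaddress.ip_network("192.0.2.10/32")

# Constructed permit rules: (name, source CIDR, destination CIDR, TCP port or None for any).
EXTERIOR_ROUTER = [
    ("ext-1", "0.0.0.0/0", "192.0.2.10/32", 25),     # outside -> bastion mail proxy
    ("ext-2", "192.0.2.10/32", "0.0.0.0/0", 25),     # bastion -> outside
    ("ext-3", "0.0.0.0/0", "10.1.2.3/32", 443),      # "trusted" service sent straight inside
    ("ext-4", "0.0.0.0/0", "192.0.2.10/32", None),   # outside -> bastion, any port
]
INTERIOR_ROUTER = [
    ("int-1", "10.0.0.0/8", "192.0.2.10/32", 3128),  # inside -> bastion web proxy
    ("int-2", "192.0.2.10/32", "10.0.0.25/32", 25),  # bastion -> internal mail server
    ("int-3", "10.0.0.0/8", "0.0.0.0/0", 80),        # inside -> anywhere, skipping the proxy
]

def audit(router, rules):
    """Return (router, rule name, reason) for every permit rule that weakens the design."""
    findings = []
    for name, src, dst, port in rules:
        endpoints = (ipaddress.ip_network(src), ipaddress.ip_network(dst))
        if BASTION not in endpoints:
            # Traffic crosses the perimeter network without terminating on the bastion.
            findings.append((router, name, "bypasses the bastion host"))
        elif port is None:
            # The routers should accept only a small number of services.
            findings.append((router, name, "permits every service to or from the bastion"))
    return findings

def audit_screened_subnet():
    return audit("exterior", EXTERIOR_ROUTER) + audit("interior", INTERIOR_ROUTER)
```

Running `audit_screened_subnet()` on the constructed rules flags ext-3 and int-3 as bypassing the bastion and ext-4 as too broad.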

What is the difference between them?

Finally, it is worth noting the main difference between the firewall architectures, which lies in the security they provide to their users, mainly as a result of their nature and configuration.

Next, we detail this aspect in the following table:

Firewall typology    Security level    Level of complexity
Packet filtering     Low               Minimum
Dual-Homed Host      Medium            Regular
Screened host        High              Regular
Screened subnet      Very high         Maximum
