Firewall types and architecture

February 3, 2021 by Nitesh Malviya

A firewall is a network security device placed at the perimeter of the corporate network, so all packets entering and leaving the network pass through it first, and it acts on each one according to the network rules configured by the organization.

The firewall sits at the network level, close to a router, and filters all network packets according to the configured rules. Because it controls incoming and outgoing traffic, architecting the firewall and placing it in the right location in the corporate network architecture is of utmost importance.

Factors for architecting a firewall

There are many factors that come into consideration for architecting a firewall. The major ones are: 

  1. Organization’s ability to implement and develop the architecture
  2. The budget allotted by the organization
  3. Objectives of the network 

Firewall architecture implementation

There are four common architectural implementations of firewalls widely in use. They are packet filtering routers, screened host firewalls, dual-homed firewalls and screened subnet firewalls. Let’s understand each one of them in detail.

Packet filtering routers

Most organizations have a router as their interface to the Internet. This router is placed at the perimeter between the organization’s internal networks and the internet service provider. It can be configured to accept or reject packets according to the organization’s rules. This is a simple and effective way to lower the organization’s risk from the internet.


However, the rule sets used to filter packets can grow in length and complexity and degrade network performance. Packet filtering routers also suffer from a lack of auditing and strong authentication mechanisms.
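The sketch below is an added example, not code from the original article. It models a stateless, first-match packet filter with a default reject and reports how many rules were checked per packet, which is the linear cost that grows with the rule set. The `Rule` fields, the rule set and the RFC 5737 documentation addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "reject"
    src: str      # source prefix in CIDR form
    dst: str      # destination prefix in CIDR form
    proto: str    # "tcp", "udp" or "any"
    dport: int    # destination port, 0 means any port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (0, dport))

def filter_packet(rules, src, dst, proto, dport):
    """Return (action, rules_checked). First match wins; no match means reject."""
    for checked, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, proto, dport):
            return rule.action, checked
    return "reject", len(rules)

# Constructed rule set: a blocked source range, then two published services.
RULES = [
    Rule("reject", "198.51.100.0/24", "0.0.0.0/0", "any", 0),
    Rule("accept", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    Rule("accept", "0.0.0.0/0", "203.0.113.25/32", "tcp", 25),
]

if __name__ == "__main__":
    packets = [("192.0.2.7", "203.0.113.10", "tcp", 443),
               ("198.51.100.9", "203.0.113.10", "tcp", 443),
               ("192.0.2.7", "203.0.113.10", "tcp", 22)]
    for pkt in packets:
        print(pkt, filter_packet(RULES, *pkt))
```

Because evaluation stops at the first match, rule order is part of the policy: reversing `RULES` lets the blocked source range reach the web server.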

Screened host firewalls

This firewall combines a packet-filtering router with a discrete firewall such as an application proxy server. In this approach, the router screens packets before they enter the internal network, which minimizes the traffic and network load on the internal proxy. The application proxy inspects application layer protocols such as HTTP or HTTPS and performs the proxy services. This separate host is called a bastion host and can be a rich target for external attacks, so it should be thoroughly secured.

The bastion host stores copies of the internal documents, making it a promising target for attackers. A bastion host is also commonly referred to as the Sacrificial Host.


This configuration requires the attacker to compromise two separate systems before accessing the internal data. In this way, the bastion host and router together protect the data, making this a more effective and secure implementation.

Dual-homed host firewalls

This architecture is a more complex implementation of screened host firewalls. In this approach, the bastion host has two NICs (Network Interface Cards). One NIC is connected to the external network and the other to the internal network, providing an additional layer of protection.

This architecture often makes use of Network Address Translation (NAT). NAT is a method of mapping external IP addresses to internal IP addresses, thus forming a barrier to intrusion from external attackers.
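To show why the address mapping acts as a barrier, the following added example (not from the original article) models one common form of NAT, port address translation: an outbound connection creates a mapping, and an inbound packet with no matching mapping has no internal destination and is dropped. The `Nat` class, the port range and the addresses are constructed assumptions.

```python
import itertools

class Nat:
    """Port address translation table for a single external address."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (internal_ip, internal_port, remote) -> external_port
        self._in = {}   # (external_port, remote) -> (internal_ip, internal_port)

    def outbound(self, int_ip, int_port, remote):
        """Rewrite an internal source endpoint, creating a mapping if needed."""
        key = (int_ip, int_port, remote)
        if key not in self._out:
            ext_port = next(self._ports)
            self._out[key] = ext_port
            self._in[(ext_port, remote)] = (int_ip, int_port)
        return self.external_ip, self._out[key]

    def inbound(self, ext_port, remote):
        """Return the internal endpoint for a reply, or None to drop the packet."""
        return self._in.get((ext_port, remote))

if __name__ == "__main__":
    nat = Nat("203.0.113.1")            # constructed external address
    server = ("192.0.2.80", 443)        # constructed remote web server
    print(nat.outbound("10.0.0.5", 51000, server))   # internal host connects out
    print(nat.inbound(40000, server))                # reply is translated back
    print(nat.inbound(40000, ("198.51.100.66", 443)))  # unsolicited: dropped
```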

Screened subnet firewalls (with DMZ)

Of all the architectures available, the screened subnet firewall is widely used and implemented in corporate networks. As the name suggests, screened subnet firewalls make use of a DMZ and are a combination of dual-homed gateways and screened host firewalls.

In a screened subnet firewall setup, the network architecture has three components and the setup is as follows: 

  • 1st component: This component acts as a public interface and connects to the Internet.
  • 2nd component: This component is a middle zone called a demilitarized zone. It acts as a buffer between 1st and 3rd components.
  • 3rd component: The system in this component connects to an intranet or other local architecture.


The use of an additional "layer" and other aspects of the screened subnet firewall make it a viable choice for many high-traffic or high-speed traffic sites. The screened subnet firewall also helps with throughput and flexibility.
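The three-component layout can be expressed as a zone policy and checked for the property that matters: no flow runs from the Internet straight to the internal zone. This is an added example, not part of the original article. The zone prefixes, allowed ports and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan; anything outside these prefixes is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Allowed (source zone, destination zone) -> permitted TCP destination ports.
POLICY = {
    ("internet", "dmz"): {443},           # public service published in the DMZ
    ("dmz", "internal"): {5432},          # DMZ application to one internal port
    ("internal", "dmz"): {22, 443},       # administration from the inside
    ("internal", "internet"): {80, 443},  # outbound web access
}

def zone_of(ip):
    """Map an address to its zone name."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(src, dst, dport, policy=POLICY):
    """Default deny: a flow passes only if its zone pair lists the port."""
    return dport in policy.get((zone_of(src), zone_of(dst)), set())

def hops(policy, start, goal):
    """Minimum number of permitted zone-to-zone flows from start to goal."""
    frontier, seen, depth = {start}, {start}, 0
    while frontier:
        if goal in frontier:
            return depth
        frontier = {d for (s, d) in policy if s in frontier and d not in seen}
        seen |= frontier
        depth += 1
    return None  # goal is unreachable under this policy

if __name__ == "__main__":
    print(allowed("192.0.2.7", "203.0.113.10", 443))  # internet -> dmz
    print(allowed("192.0.2.7", "10.1.2.3", 443))      # internet -> internal
    print(hops(POLICY, "internet", "internal"))       # DMZ sits in between
```

A result of 2 from `hops(POLICY, "internet", "internal")` confirms the DMZ is acting as the buffer; a result of 1 would mean a rule exposes the internal zone directly.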


In this article, we have seen the various architectures and implementations of firewalls in a typical network. The right architecture must be selected according to the organization's needs and requirements and used to secure the network from external attacks and intrusion.


Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog and LinkedIn.