Screened subnet

A screened subnet is an essential concept for e-commerce and for any entity that has a presence on the World Wide Web or uses electronic payment systems or other network services, because of the prevalence of hackers, advanced persistent threats, computer worms, botnets, and other threats to networked information systems.

By separating the firewall system into two separate component routers, the screened subnet achieves greater potential throughput, because the computational load on each router is reduced.

A screened subnet or DMZ can also be achieved by a single firewall device with three network interfaces.

It appears that the term demilitarized zone (DMZ) was popularized as a sales and marketing term sometime after the development of screened routers and firewalls.

The screened subnet firewall is more secure because an intruder must traverse two filtered routes to reach the internal network.

The architecture of a screened subnet: a screened router separates the external network (Internet) from the bastion hosts in the DMZ, and another screened router defines the internal network.
Diagram of a screened subnet using dual firewall devices.
Diagram of a screened subnet using a single firewall device.
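
The two-router layout described above can be modelled to see why a packet bound for the internal network has to pass both filters. This is an added example, not part of the original page; the zone names, ports and rule sets are constructed assumptions, and only connection initiation is modelled (return traffic is assumed to be handled statefully).

```python
from dataclasses import dataclass

# Zones in path order; ROUTERS[k] sits between ZONES[k] and ZONES[k + 1].
ZONES = ["internet", "dmz", "internal"]
ANY = "any"

@dataclass(frozen=True)
class Router:
    name: str
    allow: frozenset  # {(src_zone, dst_zone, dst_port)}; default is drop

    def permits(self, src, dst, port):
        return (src, dst, port) in self.allow or (src, dst, ANY) in self.allow

# Constructed policy (assumption): HTTPS and SMTP to the bastion hosts,
# outbound HTTPS for internal clients, nothing initiated toward "internal".
EXTERIOR = Router("exterior", frozenset({
    ("internet", "dmz", 443), ("internet", "dmz", 25),
    ("dmz", "internet", ANY), ("internal", "internet", 443),
}))
INTERIOR = Router("interior", frozenset({
    ("internal", "dmz", ANY), ("internal", "internet", 443),
}))
ROUTERS = [EXTERIOR, INTERIOR]

def routers_on_path(src, dst, routers=ROUTERS):
    """Routers a packet crosses, in the order it meets them."""
    i, j = ZONES.index(src), ZONES.index(dst)
    hops = routers[min(i, j):max(i, j)]
    return hops if i < j else hops[::-1]

def check(src, dst, port, routers=ROUTERS):
    """Return (allowed, dropped_by); every router on the path must permit."""
    for router in routers_on_path(src, dst, routers):
        if not router.permits(src, dst, port):
            return False, router.name
    return True, None

def exterior_misconfigured():
    """Exterior router wrongly admits SSH to the internal network."""
    bad = Router("exterior", EXTERIOR.allow | {("internet", "internal", 22)})
    return check("internet", "internal", 22, [bad, INTERIOR])

if __name__ == "__main__":
    print(check("internet", "dmz", 443))      # public service in the DMZ
    print(check("internet", "internal", 22))  # stopped at the first filter
    print(check("dmz", "internal", 22))       # breached bastion, second filter
    print(exterior_misconfigured())           # one bad rule, still dropped
```

The last case shows the benefit of independent rule sets: an error on the exterior router alone does not open a path to the internal network.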