Define the number of screened subnets required in the Internet connectivity design.
Determine number of Screened Subnets
One way to restrict access to the Internet is to prevent traffic from passing through the proxy server. This can be done in a variety of ways; in this lesson, we focus on the first of these methods, which is establishing screened subnets. If you find the term "screened subnet" confusing, you are not alone. A check of the latest Microsoft® TechNet reveals a single entry that mentions the term, in a single instance. However, the term is in widespread use in the general networking community, and it appears in the Windows 2000 curriculum for just about the first time.
The DMZ
The term more commonly used for a screened subnet is a Demilitarized Zone, or DMZ. A DMZ subnet is used to hold resources that must be accessible to Internet users. This reduces the risk to internal network servers, because Internet users never reach resources on the internal network, only those on the DMZ network. The classic example of a DMZ is a subnet placed between the Internet and the internal network. Internet-accessible resources are placed on the DMZ subnet, and customized access controls are configured on the edge firewall and on the internal firewall.
Traffic is routed from the World Wide Web, through the DMZ, into a private network.
Multihomed Proxy Server
A DMZ can also be created by using a multihomed Proxy Server. When using a Proxy Server with multiple network adapters, you configure packet filtering and access controls in a fashion similar to a firewall configuration. In this case, however, Proxy Server 2.0 acts as both the firewall and the router: requests from the Internet that are destined for the DMZ are routed to it, while requests from the Internet that are addressed to the internal network are dropped by the packet filters.
For an excellent and detailed description of how to create a DMZ with Proxy Server 2.0, go to the Resources page to check out PSS Article ID Q191146 via Microsoft® TechNet.
How to determine the need for screened subnets
You will determine the number of screened subnets in a Proxy Server solution based on the security requirements of the organization you are administering. In fact, you will specify one screened subnet for each security requirement. To do so, you should first find out which users or applications need access to the resources on each screened subnet. For example, to isolate resources that need to be accessed by all Internet-based users, resources for users in a partner organization, and resources for users within the private network, you would define three screened subnets.
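To make the two ideas above concrete (a multihomed proxy whose packet filters route Internet traffic to the DMZ but drop Internet traffic aimed at the internal network, and one screened subnet per security requirement), here is a small packet-filter model written as an added example for this lesson; it is not Proxy Server 2.0 code, and all address ranges, zone names and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for a multihomed proxy with three screened subnets,
# one per security requirement from the lesson: all Internet users, users in a
# partner organization, and users within the private network.
SUBNETS = {
    "public_dmz":  ip_network("192.0.2.0/25"),    # resources for all Internet users
    "partner_dmz": ip_network("192.0.2.128/25"),  # resources for the partner organization
    "internal":    ip_network("10.0.0.0/8"),      # the private network itself
}
PARTNER_NET = ip_network("203.0.113.0/24")  # constructed partner address range


@dataclass
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP/UDP port


def zone_of(addr: str) -> str:
    """Map an address to the screened subnet (zone) it belongs to."""
    ip = ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "partner" if ip in PARTNER_NET else "internet"


# First-match rules: (source zone, destination zone, allowed ports or None for any).
# Anything that matches no rule is dropped, which is what keeps Internet traffic
# off the internal network: there is simply no rule that permits it.
RULES = [
    ("internet", "public_dmz", {80, 443}),    # published web services only
    ("partner", "public_dmz", {80, 443}),
    ("partner", "partner_dmz", {443}),        # partner-only resources
    ("internal", "public_dmz", None),         # internal admins reach the DMZs freely
    ("internal", "partner_dmz", None),
    ("internal", "internet", {80, 443}),      # outbound browsing through the proxy
]


def filter_packet(pkt: Packet) -> str:
    """Return 'allow' if a rule permits the packet, otherwise 'drop' (default deny)."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for src, dst, ports in RULES:
        if src == src_zone and dst == dst_zone and (ports is None or pkt.dport in ports):
            return "allow"
    return "drop"
```

Because the rule list is default-deny, adding a new screened subnet means adding explicit rules for it rather than loosening an existing one, which is the property the lesson's one-subnet-per-requirement rule relies on.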
Question: How do you determine the number of screened subnets in a Proxy Server solution?
Answer: You determine the security requirements of your organization.
Multiple interfaces or multiple servers?
You can define multiple screened subnets in a variety of ways:
By using multiple private network interfaces in a Proxy Server
By using multiple proxy servers with a single interface
By using a combination of both
The following table lists the methods for establishing multiple screened subnets, along with the reasons for selecting each method.

You should select: Multiple interfaces
If the:
    System resources of the proxy server are not saturated
    Organization requires a centralized administration model

You should select: Multiple servers
If the:
    Performance for the screened subnet needs to be maximized
    Organization requires a decentralized administration model
Creating a hierarchy
In designs that require more than one screened subnet created by multiple proxy servers, you place the proxy servers in a hierarchy.
This enables you to delegate the administration of the screened subnets effectively. Once you have decided to create a hierarchy, you should design it as follows:
Specify broad security requirements at the top of the hierarchy, such as the security requirements for an entire organization
Specify stronger security requirements lower in the hierarchy, such as the security requirements for a department or application
In the next lesson, you will learn how to ensure a secure network by using Proxy Server packet filters.