|The bastion host constitutes a second security device that is significantly more difficult to subvert than a router.
|Server (Web and FTP)
|Incoming traffic is filtered through the external packet filtering router and then through the bastion host prior to arriving at the Web or FTPservers.
|Packet filtering router (internal)
|The internal packet filtering router is also configured so that traffic flows only to or from the bastion host. It serves as a third line ofdefense, preventing IP spoofing and source routing. In addition, internal users cannot access the Internet without going through the bastionhost.
|The internal network is effectively invisible to the Internet, because all packets going out and coming in go directly to the DMZ, not to yournetwork.
| DMZ (Demilitarized zone)
|All publicly accessible devices, including modem pools and other resources are placed inside this zone. All packets going into and out of theinternal network must pass through the DMZ. To access your network, a hacker must subvert three separate devices without being detected.