A screened subnet is a protective method used in computer networks that have both public and private areas. These systems separate public and private functions into two distinct areas. The local intranet contains the network’s private computers and systems, while the subnet has all the public functions like webservers or public file storage. When information comes from the Internet, the router determines which section of the system it has access to and sends it off accordingly. This is in contrast to a typical network where there is only the intranet on one side of the router and the Internet on the other.
In a standard network, a local intranet connects to a router, which directs information outwards to the full Internet. Either within the router or connected to the router is a firewall that protects the intranet from outside interference. With a screened subnet, there is a third portion that is accessible through the router, but not connected directly to the local intranet, that allows access via the Internet. This third section is typically in a demilitarized zone (DMZ), a networking term that means it is not fully protected by the network’s security.
One of the basic distinctions in a screened subnet is the difference between private and public systems. A private system contains personal computers, workstations, gaming consoles and other things used by the owners of the network. The public section contains access points that are used by people outside of the network. Common uses for outside connections would be hosting a webpage or file server.
The public areas of the network are fully accessible and visible from the Internet, while the private information is not. Typically, this is accomplished through the use of a three-port firewall or router. One port connects to the Internet and is used by all incoming and outgoing traffic. The second connects only to the public portions of the system while the third connects only to the private.
The use of a screened subnet is basically a security feature for the network. In a typical outside attack, the router and firewall would be probed for weakness. Should one be found, the intruder would enter the network and have full access to the intranet. With the use of a screened subnet, the intruder would be most likely to find the public access points and invade the public section only. When a DMZ is in effect, the public protections are much weaker, making it even more likely that that section of the system would be attacked and the private section would be left alone.