Implementing a packet filter between the Internet and your network can add a layer of security. You use a packet filter, such as a screening router, to control the ports and Internet Protocol (IP) addresses to which external systems can connect. However, if an intruder is able to get past the router, your network is open to attack.
To minimize this risk, many organizations implement a perimeter network. This is a network that is connected to the Internet through an external screening router and to the internal network through an interior screening router. Computers that are connected to the perimeter network have limited access to both the Internet and the internal network. This can be a convenient architecture if multiple servers require direct Internet access.
This configuration provides three levels of defense. If the external router and a bastion host on the perimeter network are compromised, the attacker does not gain unlimited access to your internal network because the interior screening router still controls access.
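
The following added example (not part of the original text) models the two screening routers as default-deny rule sets and lists what a host can reach on the internal network, from the Internet and from a compromised bastion host. The addresses, host names, ports and rules are constructed assumptions chosen for illustration, and only inbound traffic is modelled.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing plan and rule sets (assumptions for illustration).
PERIMETER = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
BASTION, MAIL_STORE, FILE_SERVER = "192.0.2.10", "10.0.1.25", "10.0.2.50"

class Rule(NamedTuple):
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # destination TCP port

# Exterior screening router: the Internet may reach only the bastion's public services.
EXTERIOR = [Rule("0.0.0.0/0", BASTION + "/32", p) for p in (25, 443)]
# Interior screening router: only the bastion may relay mail to one internal host.
INTERIOR = [Rule(BASTION + "/32", MAIL_STORE + "/32", 25)]

def permits(rules, src, dst, port):
    """Default deny: a packet passes only if some rule matches it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
               and port == r.port for r in rules)

def zone(addr):
    a = ipaddress.ip_address(addr)
    return "internal" if a in INTERNAL else "perimeter" if a in PERIMETER else "internet"

def routers_crossed(src, dst):
    """Rule sets an inbound packet must pass; None for paths not modelled here."""
    path = {("internet", "perimeter"): [EXTERIOR],
            ("internet", "internal"): [EXTERIOR, INTERIOR],
            ("perimeter", "internal"): [INTERIOR]}
    return path.get((zone(src), zone(dst)))

def reachable(src, dst, port):
    hops = routers_crossed(src, dst)
    return hops is not None and all(permits(r, src, dst, port) for r in hops)

def exposure(src, hosts, ports):
    """Every (host, port) pair that src can reach through the routers."""
    return [(h, p) for h in hosts for p in ports if reachable(src, h, p)]

if __name__ == "__main__":
    targets, ports = [MAIL_STORE, FILE_SERVER], [22, 25, 443, 445]
    print("from Internet:", exposure("203.0.113.7", targets, ports))
    print("from bastion: ", exposure(BASTION, targets, ports))
```

Running the same `exposure` check against a real interior rule set is a quick way to confirm that the perimeter hosts are granted only the internal services they need.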