A BH works on layer 7.. Traffic flows from the Internet through a firewall (layer 3/4 filtering) to a BH. The BH filters on layer 7 and basicly proxies the requests to the web-, mail- or ftpserver. A firewall prevents access from the DMZ (BH) to the internal network. The BH is a hardened server that uses proxies. If your BH gets 0wn3d you're screwed anyway.. So you need to make sure it's sufficiently hardened..