Specifications

Firewall Administration System (FAS)
Network Policies
Heads of department in each branch should have full access to the Internet,
but all other staff may only have access via proxy services of the firewall. For
this reason, the internal networks are again divided. The following setup is
agreed for Nuremberg:
A virtual network for heads of department:
192.168.10.0/255.255.255.192
A virtual network for staff:
192.168.10.64/255.255.255.192
192.168.10.128/255.255.255.192
192.168.10.192/255.255.255.192
The networks in Frankfurt and Munich are divided accordingly. This results
in the following:
All hosts with IP addresses 192.168.x.1 to 192.168.x.63 have full
Internet access.
Hosts with IP addresses 192.168.x.64 to 192.168.x.254 have
Internet access only via proxy services.
In each branch, a DNS server is set up internally with the IP address
192.168.x.65 to answer all internal DNS requests. The DNS servers of the
various branches are connected to each other via forwarding.
The internal domains for the respective branches are:
Nuremberg: nbg-example.com
Frankfurt: fam-example.com
Munich: muc-example.com
The Adminhost in each branch is set up in the internal network under the IP
address 192.168.x.254.
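The address plan above can be checked in code. This is an added example, not part of the original manual: it splits a branch /24 into its four /26 networks and maps a source address to the policy of the network it falls in. The Nuremberg prefix, the DNS server address and the Adminhost address come from the text; the function names and policy labels are assumptions made for this example. Addresses on a /26 boundary (such as .63 and .64) are reported as broadcast or network addresses rather than hosts.

```python
import ipaddress

# Policy per /26, in order: first network is heads of department, the rest staff.
POLICIES = ["full", "proxy-only", "proxy-only", "proxy-only"]  # labels are hypothetical


def branch_subnets(branch_net):
    """Split a branch /24 into its four /26 networks, paired with their policy."""
    nets = ipaddress.ip_network(branch_net).subnets(new_prefix=26)
    return list(zip(nets, POLICIES))


def host_ranges(branch_net="192.168.10.0/24"):
    """Return (network, policy, first usable host, last usable host) per /26."""
    rows = []
    for net, policy in branch_subnets(branch_net):
        first = net.network_address + 1    # skip the network address
        last = net.broadcast_address - 1   # skip the broadcast address
        rows.append((str(net), policy, str(first), str(last)))
    return rows


def classify(addr, branch_net="192.168.10.0/24"):
    """Map a source address to (policy, network) under the branch address plan."""
    ip = ipaddress.ip_address(addr)
    for net, policy in branch_subnets(branch_net):
        if ip not in net:
            continue
        if ip == net.network_address:
            return ("network-address", str(net))
        if ip == net.broadcast_address:
            return ("broadcast-address", str(net))
        return (policy, str(net))
    return ("outside-branch", None)


if __name__ == "__main__":
    for row in host_ranges():
        print("%-18s %-11s %s - %s" % row)
    # Nuremberg addresses: department head, /26 boundaries, DNS server, Adminhost,
    # and one address outside the branch (constructed test input).
    for addr in ["192.168.10.1", "192.168.10.63", "192.168.10.64",
                 "192.168.10.65", "192.168.10.254", "192.168.11.5"]:
        print(addr, classify(addr))
```

Both the internal DNS server (.65) and the Adminhost (.254) fall in staff networks, so under this plan they reach the Internet only through the proxy services.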
The 10 sales representatives have a basic connection to the headquarters in
Nuremberg via the Internet and a VPN tunnel. For this, they use Windows XP or
windowsxxx with SSH Sentinel.
Configuring the Base Setup
Click ‘Base Setup’. The basic configuration of the firewall is done in five
steps:
SuSE Linux Firewall on CD2