Santa Clara County ARES/RACES

TCP/IP Subscriber Configuration Information

Overview    |    Addressing    |    Host    |    Firewall    |    DNS    |    Equipment    |    Resources    |    Support

 

Overview

This page contains the information that subscriber network managers will need to plan and configure their connection to the SCCo ARES/RACES network. The configuration model is analogous to a commercial ISP connection with static addresses, but with more flexibility to allow for each agency's unique networking needs.

This configuration page assumes basic TCP/IP knowledge such as subnetting and static routing. Connectivity to the SCCo ARES/RACES network is best managed by someone with TCP/IP knowledge. If you need help, consult our TCP/IP user group.

 

Network Addressing

SCCo ARES/RACES Network Addresses

The following network address ranges are reserved for the SCCo ARES/RACES Data Network. If you are using private IP address space within your local network, be sure to use addresses other than the ones below.

Subscriber Networks

 

Subscriber Host Configuration

Subscribers are STRONGLY encouraged to install their own firewall between their network and the SCCo ARES/RACES network. While we endeavour to maintain high security within the SCCo ARES/RACES network, configuration mistakes and software bugs can occur, and new types of threats will continue to emerge. Subscribers should take charge of their own security by installing and managing their own firewall (see the next section).

That said, subscribers that choose to place hosts directly on the handoff subnet can either configure them statically or use DHCP provided by the SCCo ARES/RACES gateway.

Static Configuration

DHCP Configuration

 

Subscriber Firewall Configuration

Subscriber firewall configurations vary, depending on the firewall vendor and the subscriber's specific network configuration requirements. The following general configuration will work for most subscribers and can be adjusted as needed.

Interfaces:

Routing:

The IP address of the SCCo ARES/RACES network gateway will be the last address in each subscriber network: a.b.c.254. How routes and default gateways are configured depends on whether or not the subscriber's network connects to other networks.

 

Domain Name System (DNS):

 

Network Address Translation (NAT):

All traffic entering the SCCo ARES/RACES network will be filtered by source IP address. All traffic inbound to the SCCo ARES/RACES network from the subscriber network will need to be NAT'ed so that the source addresses are within the subscriber's assigned IP address range. Subscribers that need to use addresses outside of their assigned IP address range can configure either Masquerade NAT (with optional Destination NAT) or Source and Destination NAT.
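A NAT plan can be checked against this source-address filter before anything is connected. The following Python sketch is an added example, not part of the original page or of any SCCo ARES/RACES tooling; the 192.0.2.0/24 assigned range, the 10.20.0.x inside hosts and all function names are constructed for illustration, and it assumes the gateway is the last usable host address for any prefix length.

```python
import ipaddress

def gateway_of(assigned):
    # Page: the network gateway is the last address in the subscriber
    # network (a.b.c.254). Assumption: last usable host for any prefix.
    return ipaddress.ip_network(assigned).broadcast_address - 1

def on_wire(src, masq_addr=None, static_map=None):
    """Source address a packet carries after the subscriber firewall's NAT."""
    static_map = static_map or {}
    if src in static_map:              # 1:1 source NAT entry takes precedence
        return ipaddress.ip_address(static_map[src])
    if masq_addr is not None:          # masquerade: hide behind one address
        return ipaddress.ip_address(masq_addr)
    return ipaddress.ip_address(src)   # no NAT rule: address leaves unchanged

def audit_plan(assigned, inside_hosts, masq_addr=None, static_map=None):
    """Return {inside_host: verdict} as the network's source filter would see it."""
    static_map = static_map or {}
    net = ipaddress.ip_network(assigned)
    reserved = {net.network_address, net.broadcast_address, gateway_of(assigned)}
    owners, verdicts = {}, {}
    for host in inside_hosts:
        wire = on_wire(host, masq_addr, static_map)
        # Masqueraded hosts share one address; static or un-NAT'ed hosts need their own.
        exclusive = host in static_map or masq_addr is None
        if wire not in net:
            verdicts[host] = f"DROP {wire}: source outside {net}"
        elif wire in reserved:
            verdicts[host] = f"CONFLICT {wire}: network, broadcast or gateway address"
        elif exclusive and owners.setdefault(wire, host) != host:
            verdicts[host] = f"CONFLICT {wire}: already mapped to {owners[wire]}"
        else:
            verdicts[host] = f"PASS {wire}"
    return verdicts

# Constructed sample data: documentation range as the assigned subnet,
# private addresses as the subscriber's inside hosts.
ASSIGNED = "192.0.2.0/24"
INSIDE = ["10.20.0.5", "10.20.0.6", "10.20.0.7"]
STATIC = {"10.20.0.5": "192.0.2.10", "10.20.0.6": "192.0.2.254",
          "10.20.0.7": "192.0.2.10"}

if __name__ == "__main__":
    for label, kwargs in [("no NAT", {}), ("masquerade", {"masq_addr": "192.0.2.1"}),
                          ("static 1:1", {"static_map": STATIC})]:
        print(label)
        for host, verdict in audit_plan(ASSIGNED, INSIDE, **kwargs).items():
            print(f"  {host} -> {verdict}")
```

Run it with the real assigned range and inside address list to see which hosts would be dropped, and which static mappings collide with each other or with the gateway address.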

 

Traffic Filtering

The SCCo ARES/RACES network will drop all attempts to make a new connection from the external, commercial Internet to subscriber nets. (Replies to sessions initiated from subscribers to the Internet are allowed.) This prevents a large percentage of attacks, but each subscriber is responsible for its own network security. In a similar manner, subscribers should filter inbound traffic to their network to protect against intrusion. The following general recommendations are provided as a framework to help network management get started. Each subscriber should consult with someone who is knowledgeable about network security and firewall configuration. (Note: the order of the rules below is important.)

 

Anti-X, IPS

 

DNS Service

If you wish to have specific hostnames published in the SCCo ARES/RACES network domain name service (DNS) servers ...

 

Equipment and Software

Firewall

 

Ethernet Switch

Power

Physical Security

 

Resources

Diagrams (coming soon)

  • Small network (insecure)
  • Small network
  • Medium network
  • Large network

Standards and Best Practices

Tools

 

Support

User Group

A discussion/e-mail group is available for SCCo ARES/RACES members interested in TCP/IP networking.

To Join: Visit our Discussion Groups page to learn how to subscribe to our main Announce group. Once approved, you can subscribe to the TCPIP group.

 


If you have Packet Information that you would like to have included here,
please contact the Webmaster, Phil Henderson


This page was last updated 29-Jan-2019