Santa Clara County ARES/RACES

Firewall Considerations for Data Stations


Summary

A high-level summary is presented here in quick, bulleted form. More details are provided below.

 

Details

Extra Vigilance is Required

For people who don't regularly deal with network security, the information on this page may sound a bit scary. It should. There are bad people out there. In fact, there are entire professional organizations and even governments that spend all day long working on ways to exploit computer networks to steal information and destroy what others have worked hard to create. These dangers have existed since the first computer networks existed. But as more and more people connect to networks, the potential for security holes increases, making the potential gain to be achieved by criminals even greater. So the threat has never been greater.

Network connections at an EOC, DOC, hospital, shelter or other location can be of great value. But if they are not properly secured, they can do much more damage than a personal/home Internet connection. Multiple amateur radio operators may plug into the radio room LAN. Malicious software could have infected a machine elsewhere and can then be transferred from computer to computer on the LAN or through the simple act of sharing a USB flash drive.

Never connect any PCs or networks to the city/agency network without the approval of the city/agency IT organization. Any connection between the LAN in the ARES/RACES radio room and the rest of the city's/agency's network should be managed by the city/agency IT organization and will typically be controlled by strict firewall policies.

 

Make No Assumptions

The SCCo ARES/RACES network uses multi-level, state-of-the-art firewalls and intrusion prevention mechanisms to protect itself and its services from bad actors and malicious software. These security mechanisms are applied to both the connections between the network and the Internet and the connections between the network and subscribers.

Subscribers to the SCCo ARES/RACES network benefit from those protection mechanisms. But configuration mistakes can happen. Software bugs can and do occur. And new, previously unknown attacks can be launched. So, prudent networking professionals would never rely on the security provided by another group. The safest course of action is to make no assumptions about upstream security and to treat the connection to the SCCo ARES/RACES network as if it were a "raw" Internet connection.

 

Software Firewalls

 

Hardware Firewalls

 

Protocol and Port Numbers

Outbound (from your radio room to the SCCo ARES/RACES Network)

  • Subscriber firewalls are usually configured to allow any outbound connection. This prevents you from having to make adjustments to the firewall each time a new service is offered on the network.
  • For added safety, the following ports should be blocked from making outbound connections, so that malicious code on a radio room machine cannot use them to reach out to other systems:
    • TCP/UDP 135 - Remote Procedure Call (RPC)
    • TCP/UDP 137 - NetBIOS Name Service
    • TCP/UDP 138 - NetBIOS Datagram Service
    • TCP/UDP 139 - NetBIOS Session Service
    • TCP/UDP 445 - Windows Networking (Active Directory, SMB, ...)

Inbound (from the SCCo ARES/RACES network to your radio room)

  • In most cases, it is best to block all inbound connections.
  • If you are hosting a server at your site which you want to be accessed by others on the SCCo ARES/RACES network, then only allow inbound connections to the IP address, protocol and port number used by the server.
  • Incoming connections should also be filtered by source address. For example, you could restrict access to only allow connections from other SCCo ARES/RACES network users. Or you could restrict the source addresses to only allow connections from other locations of your city/agency.
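To make the outbound and inbound lists above concrete, here is an added example (not part of the original page or of any SCCo ARES/RACES configuration) that models the subscriber firewall policy in Python. The decide() function answers "accept" or "drop" for the first packet of a new connection exactly as the bullets describe: outbound open except for the five Windows networking ports, inbound deny-by-default with a single exception matched on destination address, protocol, port and source range. The nft_ruleset() function emits the same policy as an nftables ruleset for a host firewall, adding the usual established/related rule so that replies to permitted outbound connections can get back in. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the hosted server's protocol and port (TCP 8080) are assumed; substitute the addresses your IT organization gives you.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the page lists as "block outbound" (same numbers for TCP and UDP).
BLOCKED_OUTBOUND_PORTS = frozenset({135, 137, 138, 139, 445})

# Constructed placeholders drawn from the RFC 5737 documentation ranges; the
# page gives no real addresses for the SCCo ARES/RACES network or any agency.
RADIO_ROOM_SERVER = ip_address("192.0.2.10")   # the one host you choose to expose
SERVER_PROTO = "tcp"                            # assumed protocol of that server
SERVER_PORT = 8080                              # assumed port of that server
TRUSTED_SOURCES = (
    ip_network("198.51.100.0/24"),  # stands in for "other SCCo ARES/RACES network users"
    ip_network("203.0.113.0/25"),   # stands in for "other locations of your city/agency"
)


@dataclass(frozen=True)
class Flow:
    """The first packet of a new connection, as a packet filter sees it."""
    direction: str  # "out": radio room -> network, "in": network -> radio room
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> str:
    """Return "accept" or "drop" for a new connection under the page's policy."""
    if flow.direction == "out":
        # Outbound is open by default so new network services need no rule
        # changes, except the Windows networking ports listed on the page.
        return "drop" if flow.dport in BLOCKED_OUTBOUND_PORTS else "accept"
    if flow.direction == "in":
        # Inbound is deny-by-default; the only exception is the hosted server,
        # matched on destination address, protocol, port AND source range.
        to_server = (
            ip_address(flow.dst) == RADIO_ROOM_SERVER
            and flow.proto == SERVER_PROTO
            and flow.dport == SERVER_PORT
        )
        from_trusted = any(ip_address(flow.src) in net for net in TRUSTED_SOURCES)
        return "accept" if to_server and from_trusted else "drop"
    raise ValueError(f"unknown direction {flow.direction!r}")


def nft_ruleset() -> str:
    """Emit the same policy as an nftables ruleset for a host firewall.

    A gateway box in front of the radio room LAN would put the inbound rules
    on the forward hook instead of input.
    """
    ports = ", ".join(str(p) for p in sorted(BLOCKED_OUTBOUND_PORTS))
    sources = ", ".join(str(n) for n in TRUSTED_SOURCES)
    return f"""table inet radio_room {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr {{ {sources} }} ip daddr {RADIO_ROOM_SERVER} {SERVER_PROTO} dport {SERVER_PORT} ct state new accept
    }}
    chain output {{
        type filter hook output priority 0; policy accept;
        tcp dport {{ {ports} }} drop
        udp dport {{ {ports} }} drop
    }}
}}
"""


if __name__ == "__main__":
    print(nft_ruleset())
```

Running the module prints the ruleset, which can be reviewed and then loaded with nft -f on a Linux firewall; the decide() model is handy for checking, before deployment, that a given source/destination/port combination is treated the way the bullets intend (for example, that a connection to the server from an address outside the trusted ranges is dropped even though the destination, protocol and port all match).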

 



This page was last updated on 07-Jul-2018