SCCo ARES/RACES Network: Network Considerations

Summary

A high-level summary is presented here in quick, bulleted form. More details are provided below.

Connectivity
- Via the Service-Agency's Network
  - Allow radio station LAN devices to initiate outbound connections to the Internet
  - If the agency has a shared server for emergency management, such as a place to store forms, messages, status, etc., and if the agency's emergency manage procedures call for amateur radio operators to be able to access those assets, then consider allowing access from the radio station LAN.
  - All other connectivity from the radio station LAN to the agency's network should be dropped.
- Via the SCCo RACES Network
  - Install a firewall between the SCCo RACES network and the agency's radio station LAN.
  - Allow radio station LAN devices to initiate outbound connections to the SCCo RACES network, the agency's network, and the Internet
  - Create a "DMZ" LAN for any servers that the radio station may offer as shared resources to the rest of the SCCo RACES network.
  - Only allow connections into the DMZ LAN from the local radio station LAN and from authorized subscribers to the SCCo RACES network.
  - Drop all other inbound traffic.
Configuration
- Keep it simple so it can be repaired or replaced by any competent IP network engineer.
- Document IP address assignments and provide connectivity diagrams. Keep paper copies as well as soft copies.
- Backup all network device configurations to a reliable and accessible location.

Connectivity

Diagrams

Basic Network Connectivity Diagrams
- These diagram shows high-level, basic connectivity between the agency radio station LAN, the agency's network firewall, and the Santa Clara County RACES network.

Via the Service-Agency's Network

Internet Access

Radio station PCs need access to the Internet to download applications software (such as our own packet software), printer and other device drivers, and other tools and documentation.

Limited (if any) Agency Network Access

The agency may wish to allow it's own Windows Domain Controllers and other management servers to access the radio station's PCs
The agency may wish to allow the radio station's PCs to access shared servers used by emergency management personnel to store forms, messages, emergency plans, and other emergency management content.

Block Everything Else

The agency firewall should not allow any other traffic to/from the radio station LAN

Via the SCCo RACES Network

Use a Firewall

Each radio room LAN should be protected by its own firewall, configured by the local RACES team
For details, see our web page: Firewall Considerations for Data Stations

Internet Access

All subscribers to the SCCo RACES network can use the network to access the Internet through the multiple, redundant Internet connections.
The SCCo RACES network does not allow inbound connections from the Internet to any subscriber networks.

Intranet Access

All subscribers to the SCCo RACES network can use the network to access servers and services provided by SCCo RACES (packet BBS, e-mail, etc.) or other subscribers.
The local RACES firewall can be configured to allow inbound connections from the SCCo RACES network to the local radio station DMZ.

Agency Network Access

The agency will control access TO its network via its own firewall rules.
The local RACES firewall can also be configured to block or allow certain access FROM the agency network.

De-Militarized Zone (DMZ) [optional]

Any servers that the local RACES team wishes to make available to the served agency or other agencies connected to the SCCo RACES network should be on a separate LAN, commonly called a "Demilitarized Zone" or DMZ.
The local RACES firewall should be configured with specific rules to allow inbound connections to those servers only from those authorized to use them.

Block Everything Else

The agency firewall should not allow any other traffic to/from the radio station LAN.

Configuration

Keep it Simple

In an emergency, what works (and what can be most easily repaired) are networks with topologies that have the fewest points of failure and the least complex configurations. So, keep the network architecture as simple as possible, while still delivering the required connectivity and security to meet the served-agency's communications needs.

Goal: The network architecture should be simple enough that anyone with a basic background in Internet routing and security should be able to make repairs and replace components under the pressure of a communications emergency.

Documentation

All network configurations should be documented to show connectivity and IP address and port assignments.
Store soft copies of the network diagrams and IP assignments in location that is convenient and accessible to the local RACES team.
Store the a hard/paper copy of the most recent version of network diagrams and IP assignments with the station so it can be accessed easily.

Configuration Backups

Configuration files for all network devices should be backed up to a convenient and accessible location.
In the event of a component failure, it should be possible to quickly restore connectivity by uploading the backup configuration to a replacement device of the same or compatible type.

Web Site Home Page

This page was last updated on 03-Oct-2019

Network Considerations for Data Stations