Santa Clara County ARES/RACES
Home Operations Data > Internet Training & Events Reference FAQ

Internet Access Service Description

Overview   |   Functionality   |   Security

 

Overview

The Santa Clara County ARES/RACES network provides a standard TCP/IP transport service for auxiliary access to the commercial Internet. The network provides redundant, high availability connectivity between several hub locations, and is designed to be available "when all else fails". Four of the hub locations have connections to the commercial Internet. Access to the network is via TCP/IP over WiFi Part 15 connections, which may, in turn, be connected to other networks managed within the city or agency.The service is NOT to be used for primary Internet access and does not compete with local Internet service providers.

 

Functionality

Internet Connectivity

A high speed connection to the SCCo ARES/RACES network allows communications (with some restrictions noted below) from any point in the SCCo ARES/RACES network to the Internet. Network traffic to the Internet will be routed through the closest exit. Currently, four Internet connections exist: San Jose, Crystal Peak (Los Gatos), Palo Alto, Frazier Peak (Milpitas).

 

Outbound-Only Connectivity

SCCo ARES/RACES subscribers can initiate two-way connections to Internet servers. But inbound connections initiated from the commercial Internet will be blocked. In other words, cities/agencies with connections to the network can create servers that are accessible within the SCCo ARES/RACES network, but those servers will not be accessible from the Internet. Cities/agencies that need to provide inbound connectivity to their own servers can obtain Internet service from a variety of commercial ISPs in the area.

 

Blocked Ports

Malicious users (or malicious software which has been unknowlingly installed on an unsuspecting user's machine) can use certain protocols for malicious purposes. Some of these protocols are vulnerable because they are intended for use only within an Enterprise. Some protocols can be used to launch SPAM or other types of attacks. To help protect all uses of the network, these TCP/UDP ports are blocked at the interface between the Internet and the SCCo ARES/RACES network..

  • 25 - Simple Mail Transfer Protocol (except for SCCo ARES/RACES mail servers)
  • 53 - Domain Name System (except for SCCo ARES/RACES DNS servers)
  • 135 - Remote Procedure Call (RPC)
  • 137 - NetBIOS Name Service
  • 138 - NetBIOS Datagram Service
  • 139 - NetBIOS Session Service
  • 445 - Windows Networking (Active Directory, SMB, ...)

For more details about these port numbers, see:

 

Recursive DNS Service

The Domain Name System (DNS) provides an scalable way for a client to discover the IP address of a fully qualified domain name, and vice versa. For example, we might type "http://amateur-radio-is-the-best.org" into a web browser and the DNS resolver on our PC converts the name into an IP address, which can then be used to communicate with the server.

The SCCo ARES/RACES network provides recursive DNS service for Internet hostnames/addresses. Stations that connect to the network using TCP/IP can configure two DNS servers which will resolve both internal and external DNS queries. If the client uses DHCP, the servers will be automatically configured in the client workstation. The service uses a combination of several authoritative servers and a distributed set of caching servers for scalability and security. Please note that only the assigned DNS servers can be used. Requests to other servers will be blocked to prevent various types of network attacks.

 

Rate Limiting

Weighted rate limiting is applied to traffic outbound from the subscriber to the SCCo ARES/RACES network. This helps to protect the service from a compromised client and ensures all users have similar access performance.

 

Suspension/Termination

Intranet access connections may be suspended/disabled or terminated for failure to adhere to the Acceptable Use Policy. When malicious behavior is detected, we take the approach of "disable first and diagnose as time permits". Hopefully, and with the careful attention to security by all subscribers, that will never happen. But if it does happen at a particular subscriber site, we need to protect the network and other subscribers as quickly as possible.

 

Security

The SCCo ARES/RACES network is operated with state-of-the-art security. Multiple levels and types of security mechanisms are designed to protect the network itself and the SCCo ARES/RACES servers. The network also offers some protection for subscriber connections, such as the port restrictions mentioned above. But protection of a subscriber's network is ultimately the subscriber's responsibility. Some of those mechanisms are described below.

 

Firewall

Each subscriber should install a firewall between their network and the connection to the SCCo ARES/RACES network. In some cases, such as at city/agency EOCs and DOCs, this may be provided and managed by the city/agency IT organization. If not, then the city/agency ARES/RACES group needs to install and maintain a firewall.

 

Physical Access

Subscribers need to carefully control who can physically access the network. Conspicuously label all connections so it's clear which network they apply to. Unsuspecting EOC/DOC users should be prevented from plugging into the wrong Ethernet by mistake. And potentially malicious actors should be prevented from accessing our network.

 

Passwords

Use unique passwords for each server. Choose passwords of sufficient length and complexity that they are not easy to guess. NEVER share your password with anyone else for any reason!

 

Anti-X (Anti-SPAM, Anti-Virus, Anti-...)

The network incorporates multiple levels of threat detection and prevention to block SPAM, viruses and other intrusions. Methods include signature-based, reputation-based, content-based, and heuristic analysis mechanisms. But, no system is 100% impenetrable. So, all client machines attached to the network should include anti-X software.

NEVER click on links in e-mails unless you are certain about the validity of the e-mail. Can you ever be certain? Probably not!

 


If you have E-mail Networking Information that you would like to have included here,
please contact the Webmaster, Phil Henderson

Web Site Home Page

This page was last updated 25-Jan-2018