Santa Clara County ARES/RACES
Home Operations Data > Intranet Training & Events Reference FAQ

Intranet Access Service Description

Overview   |   Functionality   |   Security

 

Overview

The SCCo ARES/RACES network provides a standard TCP/IP transport service to access services and other resource that reside on or are connected to the network. The network provides redundant, high availability connectivity between several hub locations and is designed to be available "when all else fails". Access to the network is via TCP/IP over WiFi Part 15 connections, which may, in turn, be connected to WiFi/Mesh or other networks managed within the city or agency.

Intranet services are developed and managed by individual cities and agencies and are made available to others through connections to the county ARES/RACES network. But the service is not in any way dependent on the Internet.

 

Functionality

Two-way Intranet Connectivity

A high speed connection to the SCCo ARES/RACES network allows two-way communications (with some restrictions noted below) between any two points in the network. This includes connections between subscribers and the services offered in the SCCo ARES/RACES core network (Packet BBS, E-mail, etc.). It also includes connections between subscribers and the services offered by other subscribers to the network.

This flexibility is important for communications during emergencies. We want to allow legitimate servers to be established when and where needed, without the need to find a county network administrator to enable connections between subscribers. And during severe situations, it may be difficult to reach all systems that need to be updated.

This flexibility is not without risk. Each subscriber to the network should place a firewall on their connection to block any inbound traffic to their site (or outbound, if desired) that they don't want to allow.

 

Blocked Ports

Malicious users (or malicious software which has been unknowingly installed on an unsuspecting user's machine) can use certain protocols for malicious purposes. These protocols are vulnerable because they are intended for use only within an Enterprise. To help protect all uses of the network, these TCP/UDP ports are blocked at the interface between the city/agency and the SCCo ARES/RACES network.

  • 135 - Remote Procedure Call (RPC)
  • 137 - NetBIOS Name Service
  • 138 - NetBIOS Datagram Service
  • 139 - NetBIOS Session Service
  • 445 - Windows Networking (Active Directory, SMB, ...)

For more details about these port numbers, see:

 

Recursive DNS Service

The Domain Name System (DNS) provides an scalable way for a client to discover the IP address of a fully qualified domain name, and vice versa. For example, we might type "http://amateur-radio-is-the-best.org" into a web browser and the DNS resolver on our PC converts the name into an IP address when can then be used to communicate with the server.

The SCCo ARES/RACES network provides recursive DNS service for intranet hostnames/addresses. Stations that connect to the network using TCP/IP can configure two DNS servers which will resolve both internal and external DNS queries. If the client uses DHCP, the servers will be automatically configured in the client workstation. The service uses a combination of several authoritative servers and a distributed set of caching servers for scalability and security. Please note that only the assigned DNS servers can be used. Requests to other servers will be blocked to prevent various types of network attacks.

 

DNS Listing

City/agency ARES/RACES groups that wish to make their services available to internal SCCo intranet users can have their servers listed in the intranet DNS. This allows intranet users of the SCCo ARES/RACES network to connect to the server by name, rather than having to remember the IP address.

The fully-qualified domain names will be formatted as follows:

hostname.tla.scc-ares-races.net

where:

  • hostname is assigned by the city/agency
  • tla is the standard three-letter abbreviation for the city/agency. This is the same abbreviation used in the Packet BBS service

Example: Supposed the fictitious City of Xanadu (abbreviation = XND) creates an internal web site that they wish to make available to all SCCo intranet users. Their hostname is "www". So, the fully qualified domain name (FQDN) would be: www.xnd.scc-ares-races.net.

Hostnames to be published in the SCCo intranet DNS must comply with RFCs 952 and 1123, including the following criteria:

  • 63 characters or less (but shorter is better for users).
  • Consists of letters (a-z), digits (0-9), minus sign (-) and period (.).
  • No distinction is made between upper and lower case. For ease of editing the DNS configuration files, we stick to lower-case.
  • The first character must be either a letter or a digit.
  • The last character must not be a minus sign or period.

Delegation of DNS for sub-domains of scc-ares-races.net is not currently supported. The anticipated number of intranet servers and the frequency of change is likely to be too small to justify the added effort. If the number of intranet servers and frequency of changes grows, then delegation of sub-domains may be revisited.

 

Rate Limiting

Weighted rate limiting is applied to traffic outbound from the subscriber to the SCCo ARES/RACES network. This helps to protect the service from a compromised client and ensures all users have similar access performance.

 

Suspension/Termination

Intranet access connections may be suspended/disabled or terminated for failure to adhere to the Acceptable Use Policy. When malicious behavior is detected, we take the approach of "disable first and diagnose as time permits". Hopefully, and with the careful attention to security by all subscribers, that will never happen. But if it does happen at a particular subscriber site, we need to protect the network and other subscribers as quickly as possible.

 

Security

The SCCo ARES/RACES network is operated with state-of-the-art security. Multiple levels and types of security mechanisms are designed to protect the network itself and the SCCo ARES/RACES servers. The network also offers some protection for subscriber connections, such as the port restrictions mentioned above. But protection of a subscriber's network is ultimately the subscriber's responsibility. Some of those mechanisms are described below.

 

Firewall

Each subscriber should install a firewall between their network and the connection to the SCCo ARES/RACES network. In some cases, such as at city/agency EOCs and DOCs, this may be provided and managed by the city/agency IT organization. If not, then the city/agency ARES/RACES group needs to install and maintain a firewall.

 

Physical Access

Subscribers need to carefully control who can physically access the network. Conspicuously label all connections so it's clear which network they apply to. Unsuspecting EOC/DOC users should be prevented from plugging into the wrong Ethernet by mistake. And potentially malicious actors should be prevented from accessing our network.

 

Passwords

Use unique passwords for each server. Choose passwords of sufficient length and complexity that they are not easy to guess. NEVER share your password with anyone else for any reason!

 

Anti-X (Anti-SPAM, Anti-Virus, Anti-...)

The network incorporates multiple levels of threat detection and prevention to block SPAM, viruses and other intrusions. Methods include signature-based, reputation-based, content-based, and heuristic analysis mechanisms. But, no system is 100% impenetrable. So, all client machines attached to the network should include anti-X software.

NEVER click on links in e-mails unless you are certain about the validity of the e-mail. Can you ever be certain? Probably not!

 


If you have E-mail Networking Information that you would like to have included here,
please contact the Webmaster, Phil Henderson

Web Site Home Page

This page was last updated 28-Nov-2018