Extra Vigilance is Required
For people who don't regularly deal with network security, the information on this page may sound a bit scary. It should. There are bad people out there. In fact, there are entire professional organizations and even governments that spend all day long working on ways to exploit computer networks to steal information and destroy what others have worked hard to create. These dangers have existed since the first computer networks existed. But as more and more people connect to the network, the number of possible security holes grows, and with it the potential gain for criminals. So the threat has never been greater.
Network connections at an EOC, DOC, hospital, shelter or other location can be of great value. But if they are not properly secured, an intrusion there can do much more damage than one on a personal/home Internet connection. Multiple amateur radio operators may plug into the radio room LAN. Malicious software that infected a machine elsewhere can then be transferred from computer to computer on the LAN or through the simple act of sharing a USB flash drive.
Never connect any PCs or networks to the city/agency network without the approval of the city/agency IT organization. Any connection between the LAN in the ARES/RACES radio room and the rest of the city's/agency's network should be managed by the city/agency IT organization and will typically be controlled by strict firewall policies.
Make No Assumptions
The SCCo ARES/RACES network uses multi-level, state-of-the-art firewalls and intrusion prevention mechanisms to protect itself and its services from bad actors and malicious software. These security mechanisms are applied to both the connections between the network and the Internet and the connections between the network and subscribers.
Subscribers to the SCCo ARES/RACES network benefit from those protection mechanisms. But configuration mistakes can happen. Software bugs can and do occur. And new, previously unknown attacks can be launched. So, prudent networking professionals would never rely on the security provided by another group. The safest course of action is to make no assumptions about upstream security and to treat the connection to the SCCo ARES/RACES network as if it were a "raw" Internet connection.
Software Firewalls
- At a minimum, enable the software firewall on each PC, even if there is also a hardware firewall in place
- Windows PCs come with built-in firewall software. In Windows 10 it's called Windows Defender Firewall.
- Your own personal preferences or the policies of your agency may require a different software firewall solution.
- Either way, make sure that the software firewall is enabled on each PC on the network. This helps protect each PC from the other PCs on the LAN, not just from the outside.
- Relying only on PC-based software firewalls is generally NOT a good idea for a radio room LAN, especially in an EOC or DOC.
- Since the PCs are not usually on all the time, their firewall software (and the rest of the operating system) is often not up-to-date. When a PC is booted, it can be attacked through holes the vendor has already fixed in updates that have not yet been applied to that PC.
- Each PC ends up with different firewall rules, making it nearly impossible to know what is allowed or not.
Hardware Firewalls
- For multiple PC configurations, such as a radio room LAN, a separate hardware firewall between the radio room LAN and the SCCo ARES/RACES network is strongly recommended.
- If a LAN containing several PCs will be connected to the network, a hardware firewall can help protect them all with the same security policies.
- If the PC(s) to be used at the station may change over time, such as if each operator brings his/her own PC, then a hardware firewall that stays in place can ensure that the same policies are applied, regardless of the settings on a given PC.
- A connection between the radio room LAN and the city/agency network should only be made through a firewall controlled by the city/agency IT organization (see above).
Protocol and Port Numbers
Outbound (from your radio room to the SCCo ARES/RACES Network)
- Subscriber firewalls are usually configured to allow any outbound connection. This prevents you from having to make adjustments to the firewall each time a new service is offered on the network.
- For added safety, the following ports should be blocked outbound. Nothing on the SCCo ARES/RACES network should need them, and they are the ones worm-type malware uses to spread from an infected PC to other Windows machines.
- TCP/UDP 135 - Remote Procedure Call (RPC)
- TCP/UDP 137 - NetBIOS Name Service
- TCP/UDP 138 - NetBIOS Datagram Service
- TCP/UDP 139 - NetBIOS Session Service
- TCP/UDP 445 - Windows Networking (Active Directory, SMB, ...)
Inbound (from the SCCo ARES/RACES network to your radio room)
- In most cases, it is best to block all inbound connections.
- If you are hosting a server at your site which you want to be accessed by others on the SCCo ARES/RACES network, then only allow inbound connections to the IP address, protocol and port number used by that server.
- Incoming connections should also be filtered by source address. For example, you could restrict access to only allow connections from other SCCo ARES/RACES network users. Or you could restrict the source addresses to only allow connections from other locations of your city/agency.
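The following script is an added example, not part of the original page and not an SCCo ARES/RACES ruleset. It writes an nftables ruleset for a small Linux box used as the hardware firewall between the radio room LAN and the SCCo ARES/RACES network, implementing the outbound and inbound policy described above: outbound allow-all except the Windows networking ports, inbound deny-all except one server reachable only from other SCCo subscribers. The interface names, address ranges (RFC 5737 documentation addresses) and the example server and port are assumptions for illustration; replace them with your site's values.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a radio room hardware firewall.
# All names and addresses below are assumed for illustration, not from the page.
LAN_IF=lan0                 # assumed: interface facing the radio room LAN
NET_IF=wan0                 # assumed: interface facing the SCCo ARES/RACES network
SCCO_NET=198.51.100.0/24    # assumed: addresses of other SCCo ARES/RACES subscribers
SERVER=192.0.2.10           # assumed: a server on the radio room LAN others may reach
SERVER_PORT=8080            # assumed: TCP port that server listens on
WINNET_PORTS="135, 137, 138, 139, 445"   # the ports the page says to block outbound

# write_ruleset FILE: write the ruleset to FILE (variables expand in the heredoc).
write_ruleset() {
    out=$1
    cat > "$out" <<EOF
flush ruleset
table inet radio_room {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections we already allowed; drop anything malformed.
        ct state established,related accept
        ct state invalid drop

        # Outbound (LAN -> SCCo network): block Windows networking first,
        # log and count the hits so an infected PC shows up, then allow the rest.
        iifname "$LAN_IF" oifname "$NET_IF" tcp dport { $WINNET_PORTS } log prefix "rr-out-winnet " counter drop
        iifname "$LAN_IF" oifname "$NET_IF" udp dport { $WINNET_PORTS } log prefix "rr-out-winnet " counter drop
        iifname "$LAN_IF" oifname "$NET_IF" accept

        # Inbound (SCCo network -> LAN): only the one server, only the one port,
        # only from other SCCo subscribers. Everything else falls to policy drop.
        iifname "$NET_IF" oifname "$LAN_IF" ip saddr $SCCO_NET ip daddr $SERVER tcp dport $SERVER_PORT ct state new accept
        iifname "$NET_IF" oifname "$LAN_IF" log prefix "rr-in-drop " counter drop
    }
}
EOF
}

# check_ruleset FILE: parse-check with nft if it is installed (needs no root for -c).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1"
    fi
}

RULES=${1:-radio-room.nft}
write_ruleset "$RULES"
check_ruleset "$RULES"
echo "wrote $RULES; load with: nft -f $RULES"
```

Load it with "nft -f radio-room.nft" on the firewall box, then verify from a PC on the radio room LAN that a connection to port 445 on a host beyond the firewall is refused while ordinary traffic (web, e-mail, Winlink) still works, and that the kernel log shows "rr-out-winnet" entries for the blocked attempt. The inbound rule deliberately names the source range, destination address and port together, as the page recommends; widening any one of them widens what an attacker elsewhere on the network can reach.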