Santa Clara County ARES®/RACES

TCP/IP Subscriber Firewall Configuration

Subscriber firewall configurations vary, depending on the firewall vendor and the subscriber’s specific network configuration requirements. The following general configuration will work for most subscribers and can be adjusted as needed.

Interfaces

  • Handoff Subnet (interface facing the SCCo ARES/RACES network)
    • IP address: a.b.c.241
    • Network Mask: 255.255.255.240
    • Default gateway: see “Routing” discussion below
  • Other Interfaces
    • Consult your primary network contact

Routing

The IP address of the SCCo ARES/RACES network gateway will be the last address in each subscriber network: a.b.c.254. How routes and default gateways are configured depends on whether or not the subscriber’s network connects to other networks.

  • If the subscriber has no other network connection
    • Configure a default route/gateway:
      • Destination: 0.0.0.0/0 (mask 0.0.0.0)
      • Next Hop Gateway: a.b.c.254
      • Metric: 1 (or whatever fits the subscriber’s routing scheme)
  • If the subscriber has other network connections (such as a city network which may or may not also connect to the Internet)
    • Configure routes to the SCCo ARES/RACES core network
      • Destination: See SCCo ARES/RACES Core Network address ranges
      • Next Hop Gateway: a.b.c.254
      • Metric: 1 (or whatever fits the subscriber’s routing scheme)
    • Configure a route to the SCCo ARES/RACES Access and Subscriber Networks
      • Destination: See Access and Subscriber Network address range
      • Next Hop Gateway: a.b.c.254
      • Metric: 1 (or whatever fits the subscriber’s routing scheme)
    • If the SCCo ARES/RACES network will be used as a path to the Internet, configure a default route
      • Destination: 0.0.0.0/0 (mask 0.0.0.0)
      • Next Hop Gateway: a.b.c.254
      • Metric: Depends on the subscriber’s routing scheme. Consult the subscriber’s network administrator.
    • Distribute these routes to other routers in the subscriber network using the subscriber’s chosen internal routing protocol

Domain Name System (DNS)

  • The subscriber firewall is typically configured with a primary and secondary DNS server.
  • The firewall may then act as a local DNS proxy or a caching server for your local LANs. Or, it may pass along the primary and secondary DNS addresses as part of the information distributed by DHCP.
  • The subscriber primary network contact will be provided the best/closest DNS servers to use for resolving hostnames within the SCCo ARES/RACES network and the Internet.

Network Address Translation (NAT)

All traffic entering the SCCo ARES/RACES network will be filtered to ensure that the source IP address is within the subscriber’s assigned IP address range (a.b.c.0/24 = 255 addresses). If the subscriber network uses only addresses from its assigned address range, then nothing more has to be done. But if the subscriber connects its own city-wide network, that network uses different addresses, and hosts on that network need to communicate with the SCCo ARES/RACES network, then NAT must be used so that the source addresses on all packets entering the SCCo ARES/RACES network are from within the subscriber’s assigned IP address range. Two NAT methods that can be used for such a situation are Masquerade NAT (with optional Destination NAT) or Source and Destination NAT.

  • Masquerade NAT
    • This is the most commonly used solution and it is available on even the most simple consumer firewalls.
    • The firewall sets the source address of all traffic exiting the firewall (heading into the SCCo ARES/RACES network) to the same IP address as the firewall’s external address (the firewall’s interface on the handoff subnet). The firewall keeps track of the different traffic streams and reverses the process for responses coming back.
    • Destination NAT
      • Subscribers may wish to make services within their networks available to other subscribers. For example, the subscriber may have a file server or web server or VoIP server that they wish to share with users from other cities connected to the SCCo ARES/RACES network. If so, Destination NAT can be configured on the subscriber firewall to map IP addresses and/or UDP/TCP port numbers to specific hosts.
  • Source and Destination NAT
    • This method is a bit more complicated to set up and may not be available on cheaper consumer firewalls. But it makes use of your services easier for users outside your network. The advantage is that users can access specific hosts using unique IP addresses.
    • Source NAT (for traffic from the subscriber network to the SCCo Network).
      • The subscriber configures firewall rules to convert the source address of specific hosts to unique IP address in the handoff subnet.
    • Destination NAT (for traffic from the SCCo Network to the subscriber network).
      • The subscriber configures firewall rules to convert specific destination address in the handoff subnet to the actual address of specific hosts in the subscriber’s network.

The subscriber must not use NAT (or any other means) to allow traffic from other cities/agencies or the Internet to reach the SCCo ARES/RACES network.

Traffic Filtering

The SCCo ARES/RACES network will drop all attempts to make a new connection from the external, commercial Internet to subscriber nets. (Replies to sessions initiated from subscribers to the Internet are allowed.) This prevents a large percentage of attacks. But each subscriber is responsible for its own network security. In a similar manner, subscribers should filter inbound traffic to their network to protect against intrusion. The following general recommendations are provided as a framework to help network management get started. Each subscriber should consult with someone that is knowledgeable about network security and firewall configuration. (Note: the order of the rules below is important.)

  • Allow any outbound connection except for the following ports, which should be blocked:
    • TCP/UDP 135 - Remote Procedure Call (RPC)
    • TCP/UDP 137 - NetBIOS Name Service
    • TCP/UDP 138 - NetBIOS Datagram Service
    • TCP/UDP 139 - NetBIOS Session Service
    • TCP/UDP 445 - Windows Networking (Active Directory, SMB, …)
  • Configure a default policy of “drop” for all traffic into your network from the handoff network interface
    • Anything you don’t specifically allow will be dropped
  • Allow “established” connections
    • These are replies coming from sessions initiated outbound by your users
  • If you wish to allow addresses in the SCCo ARES/RACES core network to initiate connections to addresses in your network (such as to help you with diagnostics and troubleshooting):
    • Allow “new” connections from source addresses in the SCCo ARES/RACES core network address ranges
    • You may also wish to filter the destination address to restrict those connections to specific hosts on your network
    • You may also wish to filter the destination UDP/TCP port to restrict those connections to certain allowed protocols.
  • If you wish to allow other subscribers to the SCCo ARES/RACES county network to access services on your network:
    • Allow “new” connections from source addresses in the Access and Subscriber Networks address range
    • You may want to also filter the destination address to restrict those connections to specific hosts on your network
    • You may also wish to filter the destination UDP/TCP port to restrict those connections to certain allowed protocols
  • To test your filters, you can use the handoff subnet (see above) to test from outside your firewall. You can also ask others on the TCP/IP email discussion group to try to connect to your server(s).
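As an added example (not part of the SCCo ARES/RACES page), the shell function below emits an nftables ruleset that follows the filtering order above and also covers the Masquerade and Destination NAT cases from the NAT section. It assumes constructed values: handoff interface eth0, LAN interface eth1, the block 10.20.30.0/24 standing in for a.b.c.0/24, a shared web server at 10.20.30.10, and placeholder core and access/subscriber ranges that must be replaced with the ones SCCo ARES/RACES publishes.

```shell
#!/bin/sh
# Added example: builds an nftables ruleset for the subscriber firewall.
# Constructed values (replace with your own): handoff interface eth0,
# LAN interface eth1, subscriber block 10.20.30.0/24 standing in for
# a.b.c.0/24, a shared web server at 10.20.30.10, and placeholder core
# and access/subscriber ranges that SCCo ARES/RACES publishes separately.
SUB_PREFIX="${SUB_PREFIX:-10.20.30}"        # the "a.b.c" of the assigned /24
HANDOFF_IF="${HANDOFF_IF:-eth0}"            # interface on the handoff subnet
LAN_IF="${LAN_IF:-eth1}"                    # interface facing the subscriber LAN
CORE_NET="${CORE_NET:-192.0.2.0/24}"        # PLACEHOLDER: SCCo core range
ACCESS_NET="${ACCESS_NET:-198.51.100.0/24}" # PLACEHOLDER: access/subscriber range
SHARED_WEB="${SHARED_WEB:-10.20.30.10}"     # constructed: server shared with other cities

gen_ruleset() {
  cat <<EOF
flush ruleset
table inet scco {
  chain forward {
    # Default policy: anything not explicitly allowed is dropped
    type filter hook forward priority 0; policy drop;
    # 1. Block Windows networking ports outbound, before the general outbound accept
    oifname "$HANDOFF_IF" meta l4proto { tcp, udp } th dport { 135, 137, 138, 139, 445 } drop
    iifname "$LAN_IF" oifname "$HANDOFF_IF" accept
    # 2. Replies to sessions initiated by our users
    iifname "$HANDOFF_IF" ct state established,related accept
    # 3. New connections from the SCCo core (diagnostics), any host/port
    iifname "$HANDOFF_IF" ip saddr $CORE_NET ct state new accept
    # 4. New connections from other subscribers, restricted to one host and two ports
    iifname "$HANDOFF_IF" ip saddr $ACCESS_NET ip daddr $SHARED_WEB tcp dport { 80, 443 } ct state new accept
  }
}
table ip scco_nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Destination NAT: the shared server answers on the firewall's handoff address
    iifname "$HANDOFF_IF" ip daddr $SUB_PREFIX.241 tcp dport { 80, 443 } dnat to $SHARED_WEB
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Masquerade only sources outside the assigned /24, so every packet entering
    # the SCCo network carries a source address from a.b.c.0/24
    oifname "$HANDOFF_IF" ip saddr != $SUB_PREFIX.0/24 masquerade
  }
}
EOF
}

# Stand-alone use: print the ruleset so it can be reviewed, then loaded with nft -f
gen_ruleset
```

Check the generated file with `nft -c -f` before loading it, and confirm the rule order survives any edits, since the port block must precede the general outbound accept.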

Anti-X, IPS

  • Anti-SPAM, Anti-virus, anti-malware, anti-… and other intrusion prevention mechanisms should be enabled, if they are available features in your firewall
  • This is important whether or not you enable inbound connections to your network.
  • Other than the Internet itself, the biggest security threat comes from the various personal PCs that individuals may bring from home and plug into their city’s ARES/RACES network, and from users clicking on dangerous links. Better firewalls have advanced features to block malicious activity on the fly.