Santa Clara County ARES®/RACES

Agency Network Connection

This page is relevant for packet stations in a served agency facility with centrally managed IT infrastructure.

Network connections between the radio room PCs and the served agency’s network can be valuable for several purposes:

  • Radio room PC access to the Internet to download application software, device drivers, tools, and documentation
  • Radio room PC access to agency shared servers used by emergency room personnel to store forms, messages, emergency plans, etc.
  • Radio room PC access to agency networked printers
  • Agency domain controller access to the radio room PCs

Keep the network architecture as simple as possible while still delivering the connectivity and security required to meet the served agency’s communications needs. It should be simple enough that anyone with a basic background in Internet routing and security can make repairs and replace components under the pressure of a communications emergency. Documentation of the network architecture, including IP address and port assignments, should be printed out and available at the station, and stored electronically in a convenient location. Configuration files for all network devices should be backed up to a convenient location.

Computer networks are routinely attacked by malicious software trying to steal or destroy information. The first and most important defense is that no network should trust another more than necessary. The served agency’s network should not trust the radio room PCs/network, or vice versa.

Firewalls are used to prevent undesired traffic between networks. At a minimum, enable a software firewall on each radio room PC (e.g., the built-in Windows Defender Firewall). This can help protect each PC from other PCs on the LAN.

Network connections between the radio station PCs/network and the served agency’s network will be protected by a firewall controlled by the agency’s IT department. Never connect any PCs or networks to the agency network without approval from the agency’s IT department.

If the station has multiple PCs, or if operators sometimes bring their own PCs, the station should also have a hardware firewall to protect the PCs in the radio room from each other (and from the served agency’s network). This ensures that the same security policies are applied to all PCs in the station, even if the PCs are replaced or misconfigured.

The hardware firewall should allow any outbound connection from the radio room except for the following ports, which should be blocked:

  • TCP/UDP 135 - Remote Procedure Call (RPC)
  • TCP/UDP 137 - NetBIOS Name Service
  • TCP/UDP 138 - NetBIOS Datagram Service
  • TCP/UDP 139 - NetBIOS Session Service
  • TCP/UDP 445 - Windows Networking (Active Directory, SMB, …)

The hardware firewall should block all inbound connections to the radio room.
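
One way to express the outbound and inbound rules above, as an added example (not part of the original page), written as an nftables ruleset for a Linux-based router standing in for the hardware firewall. The interface names `lan0` (radio room LAN) and `wan0` (link toward the agency network) and the table name are assumptions; the ruleset covers forwarded traffic only.

```nftables
#!/usr/sbin/nft -f
# Added example: radio room firewall policy for forwarded traffic.
# Assumed interface names (not from the page):
#   lan0 = radio room LAN, wan0 = link toward the agency network.

# Replace the table atomically so reloading never leaves a gap.
table inet radio_room
delete table inet radio_room

table inet radio_room {
    # Ports the page lists as blocked outbound (RPC, NetBIOS, SMB).
    set blocked_ports {
        type inet_service
        elements = { 135, 137, 138, 139, 445 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections opened from the radio room must be
        # let back in, otherwise "block all inbound" also breaks
        # every outbound connection.
        ct state established,related accept
        ct state invalid drop

        # Outbound: drop the listed ports for both TCP and UDP.
        # The counters show how often radio room PCs attempt them.
        iifname "lan0" oifname "wan0" tcp dport @blocked_ports counter drop
        iifname "lan0" oifname "wan0" udp dport @blocked_ports counter drop

        # Outbound: any other connection from the radio room is allowed.
        iifname "lan0" oifname "wan0" accept

        # Inbound: new connections toward the radio room are logged
        # and dropped (the chain policy would drop them anyway).
        iifname "wan0" oifname "lan0" counter log prefix "radio-room-inbound: " drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it, and keep it with the other backed-up device configurations.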