Lucent Technologies BCS Products Security Handbook Addendum
BCS Products Security Handbook Addendum 585-025-600ADD, Issue 1, May 1999
Securing Remote Lucent Technologies Systems
Securing DEFINITY Systems (Release 7.2 and Later) with Access Security

Administering Access Security Gateway

Use the following procedure to administer Access Security Gateway.

1. On the System Parameters Customer Option form, do the following:

   NOTE: Only Lucent Technologies technicians can access this form.

   - Set the G3 Version field to V6 or later configuration.
   - Set the Access Security Gateway (ASG) field to y.

2. On the Login Administration form, do the following:

   - On page 1 of this form, set the Access Security Gateway field to y.
   - On page 2, complete one of these two options for the Secret Key field:
     - If you are using a system-generated secret key, set the System Generated Secret Key field to y
       OR
     - If you are using a self-defined secret key, enter your unique secret key in the Secret Key field.

   NOTE: All other fields on page 2 of the Login Administration form are optional.

3. On the Security Related System Parameters form, set the required ACCESS SECURITY GATEWAY PARAMETERS fields to y.

4. When you have completed all entries on these forms, press Enter to save your changes.

Logging in via Access Security Gateway (Session Establishment)

Use the following procedure to log in to the system via the Access Security Gateway interface:

NOTE: The numbers shown as challenges and responses in the procedures below are for example purposes only. They will not be the numbers you actually use or see on your ASG Key.
1. Connect to the DEFINITY ECS system administration/maintenance port. The system responds with the login prompt.

2. At the prompt, type your valid login ID and press Return. The system verifies the login ID and transmits the CHALLENGE in the form of a 7-digit number, for instance, 5551234.

3. Turn on your ASG Key, press the button labeled Red in order to enter Authentication Mode, type your PIN number, and press Enter. The ASG Key responds with a challenge prompt.

4. On the ASG Key, at the challenge prompt, type the 7-digit challenge number you see on your PC (leave out the “-”, for instance, 5552739) and press Enter. The ASG Key generates a RESPONSE number (for instance 999-6713).

5. On the PC, at the Response prompt, type the response number generated by the ASG Key (leave out the “-”, for instance, 9996713) and press Return. DEFINITY ECS verifies the response. If correct, DEFINITY logs you on. If the response is incorrect, return to Step 1.

NOTE: Only three login/challenge/response attempts are permitted. If the user is not authenticated after the third response, the user sees the message “INVALID LOGIN” and the session will be terminated. If this happens, see the appropriate maintenance book for your system (R6r, R6vs/si, or R6csi).

Maintaining Login IDs

Temporarily Disabling Access Security Gateway Access for Login

To temporarily disable Access Security Gateway, for instance, while users are on vacation or travel:

1. At the prompt, type change login xxxx (xxxx = alphanumeric login ID) and press Return to log into the Login Administration form.

2. On page 2 of the Login Administration form, set the Blocked field to y.

   NOTE: Setting the Blocked field to y does not remove the login from the system, but temporarily disables the login.

3. When completed, press Return to save your changes.
Restarting Temporarily Disabled Access Security Gateway Access for Login

1. At the prompt, type change login xxxx (xxxx = alphanumeric login ID) and press Return to log into the Login Administration form.

2. On page 2 of the Login Administration form, set the Blocked field to n.

3. When completed, press Return to save your changes.

Maintaining the Access Security Gateway History Log

The Access Security Gateway History Log logs all session establishment and rejection events associated with users accessing the system administration and maintenance interface through ASG. This log emulates the information provided in the DEFINITY History Log, but also contains information on whether the session was accepted or rejected by ASG, and if rejected, the reason for the rejection.

This form is accessible only if the G3 Version field on the System-Parameters Customer-Options form is V6 or greater and the Access Security Gateway (ASG) field on the form is y.

Loss of an ASG Key

If a user loses their ASG Key, he/she must notify the system administrator immediately. The administrator, in turn, must do the following:

- Modify any logins associated with the lost ASG Key. See the Access Security Gateway Key User’s Guide for information on changing your PIN.
- If the login is no longer valid, at the prompt, type remove login xxxx (xxxx = alphanumeric login ID) and press Return to remove the invalid login from the system.
- To keep the same login, change the Secret Key associated with the login to a new value.
- Using the new secret key value, re-key devices that generate responses and interact with the login.
Interactions of ASG

- Customer Access INADS Port

  If access to the INADS port is disabled on a system-wide basis, administering access to the SYSAM-RMT or INADS port, through the Access Security Gateway feature, does not override the INADS port restriction. Administration does not prohibit assignment of Access Security Gateway to the SYSAM-RMT or INADS port. However, in a configuration where this method of access is blocked, you will be denied access to the system through the SYSAM-RMT or INADS port even if you attempt to access the port using a valid Access Security Gateway login ID.

  If access to the INADS port has been disabled on a login basis, administering access to the SYSAM-RMT or INADS port, via the Access Security Gateway feature, will not override the INADS port restriction.

- Login Administration

  The standard user interface for DEFINITY ECS login administration has not been modified by Access Security Gateway. Also, the standard DEFINITY ECS login user interface is maintained in cases where Access Security Gateway parameters have not been administered for the login.

- Security Violation Notification (SVN)

  Access Security Gateway does not support an interface to the SVN feature. Session rejection events do not appear in the monitor security-violations login report and referral calls are not spawned in the event that the number of rejected Access Security Gateway sessions exceeds the threshold/time interval criteria imposed by the SVN feature.

- Security Measurements

  Access Security Gateway session establishment or reject events do not increment the Successful Logins, Invalid Attempts, Invalid IDs, Forced Disconnects, Login Security Violations or Trivial Attempts counters maintained for the list measurements security-violations detail report. Additionally, login specific information maintained by the measurements security-violations summary report does not include Access Security Gateway related data.
Securing INTUITY AUDIX Ports (Release 5.0 and Later) with ASG

Access Security Gateway also provides up-to-date authentication for the Intuity AUDIX system logins. For Intuity Release 5.0, ASG protection is available for remote dial-up logins only.

ASG protects Intuity AUDIX systems by challenging each potential dial-up session user. If an ASG login ID is established for a particular user (such as sa, which refers to a login for the “system administrator,” or vm, which refers to the login of the “voice messaging administrator”), the ASG layer of protection is in place for anyone who attempts to log in as that user. If an ASG login ID is not established for a particular user, the user logs in to the system with the UNIX system password.

NOTE: Information about ASG with Intuity and procedures for administering and using ASG can be found on the Intuity Messaging Solutions Release 5.0 documentation CD. There, do a search within the index for “Access Security Gateway (ASG).”

In order to respond to the ASG challenge, the user must have a hand-held device called the ASG Key. The ASG Key must be set with an encryption key number that matches that of the user’s ASG encryption key number in the Intuity AUDIX system. For more information about the ASG Key, see the ASG Key User Guide, 585-212-012.

Use the following procedures for logging in with ASG, maintaining Login IDs, and setting and resolving violation warnings.

Logging In With ASG

When you begin a remote session with an Intuity AUDIX system that is ASG-activated, the system prompts you with a challenge. To log in to a system that has ASG activated for your login:

1. At the login: prompt, enter your login ID. The terminal screen displays the following message:

   Challenge: xxxxxxx
   Response:

2. Press ENTER on the ASG Key to start the ASG Key. The ASG Key displays the following message:

   PIN:

3. On the ASG Key, type your PIN and press ENTER.
4. On the ASG Key, type the challenge number that is displayed on the terminal screen, and press ENTER. The ASG Key displays the unique, 7-digit response number that corresponds to the challenge number you entered. The challenge and response numbers are valid for this session only.

5. On the terminal screen, at the Response: prompt, enter the response number that is displayed on the ASG Key.

NOTE: If the authentication process is successful, the system displays the Lucent INTUITY Main Menu for the sa login OR the AUDIX Command Prompt Screen for the vm login. If the authentication process fails, the system makes an entry in the system History Log and displays the following message: INVALID LOGIN.

Maintaining Login IDs

Once you establish an ASG login for a specific Intuity AUDIX login user, sa or vm, anyone who attempts remote access to your system with the protected login is prompted for the challenge response number.

Adding an ASG Login

You must be logged in as sa to add an ASG login for sa or vm. To add a new ASG login to your system:

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration Window.

2. Complete the following fields:

   - Login ID: (In this field type either sa or vm.)
   - Access Via ASG Blocked? (Set this field to N which indicates that the Login ID should have full access privileges.)
   - Authentication Type? (In this field type PASSKEY which indicates that the user must have the ASG Key to produce the unique response number during login.)

     NOTE: If you type PASSWORD (rather than PASSKEY) in the Authentication Type: field, the system will use regular Intuity AUDIX password protection.

   - System Generated Secret? (Set this field to Y for Yes or N for No. Y indicates that you want the system to create the secret key for this Login ID. N indicates you will provide the secret key number in the Secret Key: field.)

3. If you typed N in the System Generated Secret? field, complete the Secret Key: field. (A Secret Key is a 20-digit string using only the digits 0 through 7 in any order.)

4. Press F2 (Create) to save the information. The system displays a confirmation message and provides the encryption key number that must match the ASG Key when a user attempts to log in. The encryption key number must be entered into the ASG Key as Key1 or Key2.

5. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.

Blocking or Reinstating Access Privileges for an ASG Login

If a user will not need access to the system for a long period of time, you can block the ASG Login ID’s access temporarily. Perform the following tasks to block or reinstate access for an ASG Login.

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration Window.

2. Type the user’s login ID in the Login ID: field.

3. Set the Access Via ASG Blocked? field to Y if you want to revoke the user’s access to the system OR set the Access Via ASG Blocked? field to N if you want to reinstate the user’s access to the system.

4. Press F3 (Change) to save the changes. The system displays a confirmation message.

5. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.
Changing the Encryption Key Number for an ASG Login

The encryption key number is used by the system and by the ASG Key hand-held device to create challenge response pairs of numbers. If an encryption key number is lost or compromised, it must be changed in the system and in all associated ASG Key hand-held devices. To change the encryption number:

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration Window.

2. Type the user’s login ID in the Login ID: field.

3. Set the System Generated Secret? field to Y if you want the system to generate a unique Secret Key number or set this field to N if you want to enter your own Secret Key number.

4. If the System Generated Secret? field is set to N, complete the Secret Key: field. (A Secret Key is a 20-digit string, using only the digits 0 through 7 in any order.)

5. Press F3 (Change) to save the changes. The system displays a confirmation message and provides the challenge response number that the user will need to log in to the system.

6. Press ENTER, then press F6 (Cancel) twice to return to the Lucent Intuity Main Menu.

Displaying ASG Login Information

If you need to check on the status of an ASG login, perform the following tasks to display the ASG Display Screen.

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration Window.

2. Type the user’s login ID in the Login ID: field.

3. Press F4 (Display) to display information about the ASG login ID. The system displays the ASG Display Screen.

4. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.
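The login exchange and the Secret Key format described in the procedures above, as an added example that is not code from the handbook or from Lucent. The handbook does not describe how the ASG Key derives a response, so HMAC-SHA256 is used here as a stand-in; the function names and both sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

MAX_ATTEMPTS = 3                          # attempts the handbook permits per session
SECRET_KEY_RE = re.compile(r"[0-7]{20}")  # 20 digits, each 0 through 7


def valid_secret_key(key):
    """True if key matches the Secret Key format given in the handbook."""
    return SECRET_KEY_RE.fullmatch(key) is not None


def new_challenge():
    """7-digit challenge drawn from a CSPRNG so it cannot be predicted."""
    return f"{secrets.randbelow(10**7):07d}"


def response_for(secret_key, challenge):
    """7-digit response. ASSUMPTION: HMAC-SHA256 stands in for the ASG Key's
    algorithm, which the handbook does not describe."""
    if not valid_secret_key(secret_key):
        raise ValueError("secret key must be 20 digits, each 0 through 7")
    mac = hmac.new(secret_key.encode(), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**7:07d}"


def login(secret_key, answer_fn, challenge_fn=new_challenge):
    """System side of one session. answer_fn(challenge) plays the user reading
    the ASG Key. Returns (result, attempts_used)."""
    for attempt in range(1, MAX_ATTEMPTS + 1):
        challenge = challenge_fn()        # assumption: fresh challenge per attempt
        typed = answer_fn(challenge).replace("-", "").strip()
        expected = response_for(secret_key, challenge)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(typed.encode(), expected.encode()):
            return ("LOGGED IN", attempt)
    return ("INVALID LOGIN", MAX_ATTEMPTS)


if __name__ == "__main__":
    system_key = "01234567012345670123"   # constructed sample secret
    rekeyed = "76543210765432107654"      # constructed: value set after a lost key

    def asg_key(secret):
        # Hand-held device side: shows the response as ddd-dddd.
        def answer(challenge):
            r = response_for(secret, challenge)
            return f"{r[:3]}-{r[3:]}"
        return answer

    print(login(system_key, asg_key(system_key)))  # device and system share the secret
    print(login(rekeyed, asg_key(system_key)))     # device still holds the old secret
```

The second call shows why the handbook requires re-keying every associated device after the secret is changed: a device holding the old value no longer produces responses the system accepts.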
Disabling ASG Authentication

If you want to discontinue ASG protection for a particular login, change the Authentication Type to password. To disable ASG authentication:

1. At the Lucent Intuity Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration Window.

2. Type the user’s login ID in the Login ID: field.

3. Type PASSWORD in the Authentication Type? field.

4. Press F3 (Change) to save the information. The system displays a confirmation message.

5. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.

Setting and Resolving Violation Warnings

ASG tracks the number of unsuccessful login attempts and the time between unsuccessful login attempts. If someone exceeds the allowed number of failed login attempts, a warning is added to the Alarm Log.

Setting Notification Limits

To set alarm parameters for ASG, follow these steps:

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Violation Warning Administration. The system displays the ASG Security Violation Warning Administration Window.

2. Type a new value in the Number of failed login attempts: field, if needed. (This number can be from 1 to 99 which indicates the number of times that the user can incorrectly type the login information before the system places an entry in the Alarm Log and disallows further login attempts.)

   NOTE: A lower number in this field protects the system more fully.
3. Type a new value in the Failed login measurement window: field, if needed. (This number can be from 1 through 60 which indicates the maximum time, in minutes, that may elapse between failed login attempts, but still have the attempt count as one in a series.)

   NOTE: A higher value in this field protects the system more fully.

4. Press F3 (Save) to save the changes. The system displays the following confirmation message:

   Assignment made Press Enter to continue.

5. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.

Resolving ASG Violation Alarms

To resolve an ASG warning, follow these steps:

1. At the Lucent INTUITY Main Menu, select ASG Security Administration and then select ASG Security Violation Warning Administration. The system displays the ASG Security Violation Warning Administration Window.

2. Set the Resolve existing alarms? field to Y. (Y indicates that you want to resolve an active ASG alarm.)

3. Press F3 (Save) to save the changes. The system displays the following confirmation message:

   Assignment made Press Enter to continue.

4. Press ENTER, then press F6 (Cancel) twice to return to the Lucent INTUITY Main Menu.

Lucent Technologies Support

Lucent Technologies provides RPSD Keys to their maintenance centers to accommodate access to systems you secure with the RPSD Lock. With DEFINITY Release 7.2 and Intuity Release 5.0, the services area of Lucent Technologies has been modified to accommodate the ASG feature. However, note that, unlike the RPSD Lock feature which requires access through a hardware RPSD key at the services site, negotiating the system through ASG is accomplished through a software interface to the INADS “connect” tool. Other desktop and laptop tools are also available to Lucent Services engineers and technicians to access the Lucent system via ASG.
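How the two fields under Setting Notification Limits interact, as an added example that is not code from the handbook or from Lucent. It assumes failures are evaluated as one time-ordered series and that the warning is raised when a series reaches the configured number; the function names and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta


def check_limits(max_failures, window_minutes):
    """Enforce the ranges the administration form accepts."""
    if not 1 <= max_failures <= 99:
        raise ValueError("Number of failed login attempts must be 1 to 99")
    if not 1 <= window_minutes <= 60:
        raise ValueError("Failed login measurement window must be 1 to 60 minutes")


def violation_warnings(failure_times, max_failures, window_minutes):
    """Return the times at which a warning would be added to the Alarm Log.

    A failure extends the current series when it falls within window_minutes
    of the previous failure; otherwise it starts a new series of one.
    ASSUMPTION: the warning fires when a series reaches max_failures.
    """
    check_limits(max_failures, window_minutes)
    window = timedelta(minutes=window_minutes)
    warnings, count, previous = [], 0, None
    for when in sorted(failure_times):
        in_series = previous is not None and when - previous <= window
        count = count + 1 if in_series else 1
        if count == max_failures:
            warnings.append(when)
        previous = when
    return warnings


# Constructed sample: five failed logins spaced 20 minutes apart.
START = datetime(1999, 5, 3, 9, 0)
SLOW_FAILURES = [START + timedelta(minutes=20 * i) for i in range(5)]
# Constructed sample: three failed logins one minute apart.
BURST_FAILURES = [START + timedelta(minutes=i) for i in range(3)]

if __name__ == "__main__":
    for window in (10, 60):
        hits = violation_warnings(SLOW_FAILURES, 3, window)
        print(f"limit=3 window={window:2d} min ->", [t.strftime("%H:%M") for t in hits])
    print("burst, window=1 min ->", len(violation_warnings(BURST_FAILURES, 3, 1)))
```

With a 10-minute window the slowly paced failures never form a series and no warning is raised, while a 60-minute window links them and raises one at the third failure, which is the reason the handbook notes that a higher window value protects the system more fully.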