Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-55 Detecting Toll Fraud 
    3
    nFor Remote Access, enter the number of attempts allowed before a 
    violation occurs in the Barrier Code Threshold field, and enter the time 
    interval in hours or minutes for tracking the number of attempts.
    nFor logins, enter the number of login attempts before a violation occurs in 
    the Login Threshold field and the time interval in hours or minutes for 
    tracking the number of attempts. To register as a violation, there must be 
    three invalid login attempts (resulting in a forced disconnect) within the 
    assigned time interval.
    NOTE:
    If you set the Barrier Code Threshold to 1, any unsuccessful first 
    attempt by authorized users to enter the barrier code will cause a 
    violation. A suggestion is to set the threshold to allow three attempts 
    within five minutes to allow for mistakes made by authorized users.
    nIn the Feature Button Assignment field, enter rsvn-call for the Remote 
    Access Security Violation Notification button and lsvn-call for the Login 
    Security Violation Notification button. The feature activation buttons do not 
    have to reside on the referral destination station. They can be administered 
    on any station. However, they must be activated before referral calls are 
    sent to the referral destination.
    NOTE:
    For DEFINITY G3V3 and later releases, which includes DEFINITY ECS, 
    these buttons are called “lsvn-halt,” and “rsvn-halt.” A new button, 
    “asvn-halt,” lights the associated status lamp for the assigned station. 
    The buttons operate the opposite way from DEFINITY G1 and G3 
    pre-V3 buttons; if activated, the calls are not placed.
    In addition to those SVN features already discussed (SVN Authorization Code 
    Violation Notification, SVN Referral Call With Announcement, and the 
    new/renamed Referral Call Buttons), DEFINITY G3V3 and later releases offer the 
    following SVN features: 
    nSVN Remote Access Violation Notification with Remote Access Kill After 
    “n” Attempts
    This feature disables the Remote Access feature following a Remote 
    Access security violation. Any attempt to use the Remote Access feature 
    once it has been disabled will fail even if a correct barrier code or barrier 
    code/authorization code combination is supplied until the feature is 
    re-enabled.
    nSVN Login Violation Notification with Login Kill After “n” Attempts
    This feature “locks” a valid login ID following a login security violation 
    involving that login ID. Any attempt to use a login ID disabled following a 
    login security violation will fail even if the correct login ID/password 
    combination is supplied until the disabled login ID is re-enabled. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-56 Detecting Toll Fraud 
    3
    DEFINITY G3V4 offers an additional feature: 
    nThe status remote access command provides information on the state of 
    remote access. Valid states are 
    enabled, disabled, svn-disabled, or 
    not-administered. Valid barrier code states include active and expired.
    For information on administering these parts of the Security Violation Notification 
    Feature, see Appendix D.
    Security Violations Measurement Report
    This report identifies invalid login attempts and the entry of invalid barrier codes. It 
    monitors the administration, maintenance, and Remote Access ports. A login 
    violation is reported when a forced disconnect occurs (after three invalid 
    attempts). Review the report daily to track invalid attempts to log in or to enter 
    barrier codes, both of which may indicate hacker activity.
    For DEFINITY ECS and DEFINITY G1, G3, and System 75:
    nUse list measurements security-violations to obtain this report, which is 
    updated hourly.
    For DEFINITY G1 and System 75, only counts for invalid login attempts 
    and invalid Remote Access attempts are provided.
    For DEFINITY ECS and DEFINITY G3, the report is divided into two sub-reports, 
    a Summary report and a Detail report. The Security Violations Summary Report 
    has the following fields:
    NOTE:
    The report header lists the switch name, date and time the report was 
    requested.
    — Counted Since: The time at which the counts on the report were last 
    cleared and started accumulating again, or when the system was 
    initialized.
    — Barrier Codes: The total number of times a user entered a valid or invalid 
    remote access barrier code, and the number of resulting security violations. 
    Barrier Codes are used with remote access trunks.
    — Station Security Code Origination/Total: The number of calls originating 
    from either stations or trunks that generated valid or invalid station security 
    codes, the total number of such calls, and the number of resulting security 
    violations.
    — Authorization Codes: The number of calls that generated valid or invalid 
    authorization codes, the total number of such call, and the number of 
    resulting security violations. Calls are monitored based on the following 
    origination types.
    nStation 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-57 Detecting Toll Fraud 
    3
    nTrunk (other than remote access)
    nRemote Access
    nAttendant
    — Port Type: The type of port used by the measured login process. If 
    break-ins are occurring at this level, the offender may have access to your 
    system administration. With DEFINITY Release 5r, port types can be:
    nSYSAM-LCL (SYSAM Local Port)
    nSYSAM-RMT (SYSAM Remote Port)
    nMAINT
    nSYS-PORT (System Ports)
    — Total: Measurements totaled for all the above port types.
    — Successful Logins: The total number of successful logins into SM (that is, 
    the login ID and the password submitted were valid) for the given port type.
    — Invalid Login Attempts: The total number of login attempts where the 
    attempting party submitted an invalid login ID or password while accessing 
    the given port type.
    — Invalid Login IDs: The total number of unsuccessful login attempts where 
    the attempting party submitted an invalid login while accessing the given 
    port type.
    — Login Forced Disconnects: The total number of login processes that were 
    disconnected automatically by the switch because the threshold for 
    consecutive invalid login attempts had been exceeded for the given port 
    type. The threshold is three attempts.
    — Login Security Violations: The total number of login security violations for 
    the given port type. As with barrier code attempts, the user can define the 
    meaning of a security violation by setting two parameters administratively:
    nThe number of unsuccessful logins
    nThe time interval
    — Login Trivial Attempts: The total number of times a user connected to the 
    system and gave no input to the login sequence.
    The Security Violations Detail Report provides system management login data per 
    login identification. It relates only to system administration. This report has the 
    following fields:
    — Login ID: The login identification submitted by the person attempting to 
    login. Login IDs include the valid system login IDs.
    — Port Type: The type of port where login attempts were made. DEFINITY 
    Release 5r has the following ports:
    nYSAM-LCL (SYSAM Local Port)
    nSYSAM-RMT (SYSAM Remote Port) 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-58 Detecting Toll Fraud 
    3
    nMAIN
    nSYS-PORT (System Ports)
    nMGR1
    nINADS (The Initialization and Administration System port)
    nEPN (The EPN maintenance EIA port)
    nNET
    — Successful Logins: The total number of times a login was used 
    successfully to log into the system for the given port type.
    — Invalid Passwords: The total number of login attempts where the 
    attempting person submitted an invalid password for the given port type 
    and login ID.
    For DEFINITY ECS and DEFINITY G3:
    nUse monitor security-violations for a real-time report of invalid attempts 
    to log in, either through system administration or through remote access 
    using invalid barrier codes. For G3V3 and later, the monitor 
    security-violations command has been split into three separate 
    commands:
    monitor security-violations 
    — 
    — 
    — 
    The four resulting Security Violations Measurement Reports provide 
    current status information for invalid DEFINITY ECS and DEFINITY 
    Generic 3 Management Applications (G3-MA) login attempts, Remote 
    Access (barrier code) attempts, and Authorization Code attempts.
    The report titles are as follows:
    1. Login Violations Status Report
    2. Remote Access (barrier code) Violations Status Report
    3. Authorization Code Violations Status Report
    4. Station Security Code Violations Report
    NOTE:
    The data displayed by these reports is updated every 30 seconds. 
    Sixteen entries are maintained for each type of violation in the 
    security status reports. The oldest information is overwritten by the 
    new entries at each 30 second update.
    The Login Violations Status report has the following fields:
    — Date: The day that the invalid attempt occurred 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-59 Detecting Toll Fraud 
    3
    — Time: The time the invalid attempt occurred 
    — Login: The invalid login that was entered as part of the login violation 
    attempt. An invalid password may cause a security violation. If a 
    valid login causes a security violation by entering an incorrect 
    password, the Security Violation Status report lists the login.
    — Port: The port on which the failed login session was attempted
    The following abbreviations are used for DEFINITY G3i:
    nMGR1: The dedicated Management terminal connection (the 
    EIA connection to the Maintenance board)
    nNET-N: The network controller dialup ports
    nEPN: The EPN maintenance EIA port
    nINADS: The INADS (Initialization and Administration System) 
    port
    nEIA: Other EIA ports
    The following abbreviations are used for DEFINITY G3r:
    nSYSAM-LCL: Local administration to Manager 1
    nSYSAM-RMT: Dial up port on SYSAM board, typically used 
    by services for remote maintenance, and used by the switch 
    to call out with alarm information.
    nSYS-PORT: System ports accessed through TDM bus.
    nMAINT: Ports on expansion port networks maintenance 
    boards, used as a local connection for on-site maintenance.
    nEXT: The extension assigned to the network controller board 
    on which the failed login session was attempted. This is 
    present only if the invalid login attempt occurred when 
    accessing the system via a network controller channel.
    The Remote Access Violations Status Report has the following fields:
    — Date: The day that the invalid attempt occurred
    — Time: The time the invalid attempt occurred
    — TG No: The trunk group number associated with the trunk where the 
    authorization code attempt terminated
    — Mbr: The trunk group member number associated with the trunk 
    where the authorization code attempt terminated
    — Ext: The extension used to interface with the Remote Access 
    feature
    — Barrier Code: The incorrect barrier code that resulted in the invalid 
    access attempt (G3V3 and later)
    In DEFINITY G3V3 and later, the Authorization Code Violations Status 
    report has the following fields: 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-60 Detecting Toll Fraud 
    3
    — Date: The day that the violation occurred
    — Time: The time the violation occurred
    — Originator: The type of resource originating the call that generated 
    the invalid authorization code access attempt. Originator types 
    include:
    nStation
    nTrunk (other than a trunk assigned to a Remote Access trunk 
    group)
    nRemote Access (when the invalid authorization code is 
    associated with an attempt to invoke the Remote Access 
    feature)
    nAttendant
    — Auth Code: The invalid authorization code entered
    — TG No: The trunk group number associated with the trunk where the 
    remote access attempt terminated. It appears only when an 
    authorization code is used to access a trunk.
    — Mbr: The trunk group member number associated with the trunk 
    where the Remote Access attempt terminated. It appears only when 
    an authorization code is used to access a trunk.
    — Barrier Code: The incorrect barrier code that resulted in the invalid 
    access attempt. It appears only when an authorization code is 
    entered to invoke Remote Access.
    — Ext: The extension associated with the station or attendant 
    originating the call. It appears only when an authorization code is 
    entered from a station or attendant console.
    The Station Security Code Violations Report has the following fields:
    — Date: The date that the attempt occurred
    — Time: The time that the attempt occurred
    — TG No: The trunk group number associated with the trunk where the 
    attempt originated
    — Mbr: The trunk group member number associated with the trunk where the 
    attempt originated
    — Port/Ext: The port or extension associated with the station or attendant 
    originating the call.
    — FAC: The feature access code dialed that required a station security code.
    — Dialed Digits: The digits that the caller dialed when making this invalid 
    attempt. This may help you to judge whether the caller was actually trying 
    to break in to the system, or a legitimate user that made a mistake in the 
    feature code entry. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-61 Detecting Toll Fraud 
    3
    Remote Access Barrier Code Aging/Access Limits 
    (DEFINITY G3V3 and Later)
    For DEFINITY G3V3 and later, including DEFINITY ECS, Remote Access Barrier 
    Code Aging allows the system administrator to specify both the time interval a 
    barrier code is valid, and/or the number of times a barrier code can be used to 
    access the Remote Access feature.
    A barrier code will automatically expire if an expiration date or number of access 
    attempts has exceeded the limits set by the switch administrator. If both a time 
    interval and access limits are administered for an access code, the barrier code 
    expires when one of the conditions is satisfied. If an expiration date is assigned, a 
    warning message will be displayed on the system copyright screen seven days 
    prior to the expiration date, indicating that the barrier code is due to expire. The 
    system administer may modify the expiration date to extend the time interval if 
    needed. Once the administered expiration date is reached or the number of 
    accesses is exceeded, the barrier code no longer provides access to the Remote 
    Access feature, and intercept treatment is applied to the call.
    Expiration dates and access limits are assigned on a per barrier code basis. 
    There are 10 possible barrier codes, 4 to 7 digits long. If there are more than 10 
    users of the Remote Access feature, the codes must be shared.
    NOTE:
    For upgrades, default expiration dates are automatically assigned to barrier 
    codes (one day from the current date and one access). It is strongly 
    recommended that customers modify these parameters. If they do not, when 
    the barrier codes expire, the remote access feature will no longer function.
    When a barrier code is no longer needed it should be removed from the system. 
    Barrier codes should be safeguarded by the user and stored in a secure place by 
    the switch administrator. See Appendix D for information on administering Barrier 
    Code Aging.
    Recent Change History Report (DEFINITY ECS 
    and DEFINITY G1 and G3 only)
    The latest administration changes are automatically tracked for DEFINITY ECS 
    and DEFINITY G1 and G3. For each administration change that occurs, the 
    system records the date, time, port, login, and type of change that was made.
    For DEFINITY ECS and DEFINITY G1 and G3:
    nTo review the report, enter list history. Check for unauthorized changes to 
    security-related features discussed in this handbook. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-62 Detecting Toll Fraud 
    3
    NOTE:
    Since the amount of space available for storing this information is limited, 
    you should print the entire output of the list history command immediately 
    upon suspicion of toll fraud.
    For DEFINITY G3V4 with the Intel
    ® processor, the history log has doubled in size 
    to 500 entries, and provides login and logoff entries. This log includes the date, 
    time, port, and login ID associated with the login or logoff.
    Malicious Call Trace
    For DEFINITY G2, G3r, System 85 R2V4, and DEFINITY G3V2 and later 
    releases, Malicious Call Trace (MCT) provides a way for terminal users to notify a 
    predefined set of users that they may be party to a malicious call. These users 
    may then retrieve certain information related to the call and may track the source 
    of the call. The feature also provides a method of generating an audio recording of 
    the call.
    While MCT is especially helpful to those businesses that are prime targets of 
    malicious calls, such as bomb threats, this feature can aid any business in tracing 
    hackers. For this reason, it may be considered as a security tool for businesses 
    that do not normally experience malicious calls.
    Depending on whether the call originates within the system or outside it, the 
    following information is collected and displayed:
    nIf the call originates within the system:
    — If the call is on the same node or DCS subnetwork, the calling 
    number is displayed on the controlling terminal.
    — If an ISDN calling number identification is available on the incoming 
    trunk, then the calling number is displayed.
    nIf the call originates outside the system, the incoming trunk equipment 
    location is displayed. In this case, the customer must call the appropriate 
    connecting switch.
    nThe following is displayed for all calls: called number, activating number, 
    whether the call is active or not, and identification of any additional parties 
    on the call.
    There are several ways to activate the MCT feature. See the 
    DEFINITY ECS 
    Release 5 Feature Description
    , 555-230-204, for more information. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-63 Detecting Toll Fraud 
    3
    Service Observing
    When toll fraud is suspected, this feature allows an authorized person, such as a 
    security supervisor, to monitor actual calls in progress to establish whether or not 
    an authorized user is on the call. The service observer has the option to listen only 
    or to listen and talk.
    An optional warning tone can be administered (on a per-system basis) to let the 
    calling party and the user whose call is being observed know that a supervisor is 
    observing the call. The warning tone is a 440-Hz tone. A two-second burst of this 
    tone is heard before the supervisor is connected to the call. A half-second burst of 
    this tone is heard every 12 seconds while a call is being observed. The warning 
    tone is heard by all parties on the observed call.
    NOTE:
    The use of service observing may be subject to federal, state, or local laws, 
    rules, or regulations and may be prohibited pursuant to the laws, rules, or 
    regulations or require the consent of one or both of the parties to the 
    conversation. Customers should familiarize themselves with and comply 
    with all applicable laws, rules, and regulations before using this feature.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    nEnter change system-parameters features to display the 
    Features-Related System Parameters screen.
    nEnter y in the Service Observing Warning Tone field.
    nEnter change station to display the Station screen.
    nEnter serv-obsrv in the Feature Button Assignment field.
    nUse change cor to display the Class of Restriction screen.
    nEnter y in the Service Observing field.
    nEnter change station to assign the COR to the station.
    For DEFINITY G2 and System 85:
    NOTE:
    This feature is available only with an ACD split.
    nUse PROC054 WORD2 FIELD8 to assign the Service Observing Custom 
    Calling Button to a multi-appearance terminal.
    For DEFINITY G3V3 and later, which includes DEFINITY ECS, the Observe 
    Remotely (remote service observing) feature allows monitoring of physical, 
    logical, or VDN extensions from external locations. If the remote access feature is 
    used for remote service observing, then use barrier codes to protect remote 
    service observing. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-64 Detecting Toll Fraud 
    3
    Busy Verification
    When toll fraud is suspected, you can interrupt the call on a specified trunk group 
    or extension number and monitor the call in progress. Callers will hear a long tone 
    to indicate the call is being monitored.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    nEnter change station to display the Station screen for the station that will 
    be assigned the Busy Verification button.
    nIn the Feature Button Assignment field, enter verify.
    nTo activate the feature, press the Verify button and then enter the Trunk 
    Access Code and member number to be monitored.
    For DEFINITY G2 and System 85:
    nAdminister a Busy Verification button on the attendant console.
    nTo activate the feature, press the button and enter the Trunk Access Code 
    and the member number.
    List Call Forwarding Command
    For DEFINITY G3V4 (and later, including the DEFINITY ECS), this command 
    provides the status of stations that have initiated Call Forwarding On Net and Off 
    Net and Call Forwarding Busy/Don’t Answer. The display includes the station 
    initiating the Call Forwarding and the call forwarding destination 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual