Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook Instructions Manual
Lucent Technologies BCS Products Security Handbook Instructions Manual
Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-55 Detecting Toll Fraud 3 nFor Remote Access, enter the number of attempts allowed before a violation occurs in the Barrier Code Threshold field, and enter the time interval in hours or minutes for tracking the number of attempts. nFor logins, enter the number of login attempts before a violation occurs in the Login Threshold field and the time interval in hours or minutes for tracking the number of attempts. To register as a violation, there must be three invalid login attempts (resulting in a forced disconnect) within the assigned time interval. NOTE: If you set the Barrier Code Threshold to 1, any unsuccessful first attempt by authorized users to enter the barrier code will cause a violation. A suggestion is to set the threshold to allow three attempts within five minutes to allow for mistakes made by authorized users. nIn the Feature Button Assignment field, enter rsvn-call for the Remote Access Security Violation Notification button and lsvn-call for the Login Security Violation Notification button. The feature activation buttons do not have to reside on the referral destination station. They can be administered on any station. However, they must be activated before referral calls are sent to the referral destination. NOTE: For DEFINITY G3V3 and later releases, which includes DEFINITY ECS, these buttons are called “lsvn-halt,” and “rsvn-halt.” A new button, “asvn-halt,” lights the associated status lamp for the assigned station. The buttons operate the opposite way from DEFINITY G1 and G3 pre-V3 buttons; if activated, the calls are not placed. In addition to those SVN features already discussed (SVN Authorization Code Violation Notification, SVN Referral Call With Announcement, and the new/renamed Referral Call Buttons), DEFINITY G3V3 and later releases offer the following SVN features: nSVN Remote Access Violation Notification with Remote Access Kill After “n” Attempts This feature disables the Remote Access feature following a Remote Access security violation. Any attempt to use the Remote Access feature once it has been disabled will fail even if a correct barrier code or barrier code/authorization code combination is supplied until the feature is re-enabled. nSVN Login Violation Notification with Login Kill After “n” Attempts This feature “locks” a valid login ID following a login security violation involving that login ID. Any attempt to use a login ID disabled following a login security violation will fail even if the correct login ID/password combination is supplied until the disabled login ID is re-enabled.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-56 Detecting Toll Fraud 3 DEFINITY G3V4 offers an additional feature: nThe status remote access command provides information on the state of remote access. Valid states are enabled, disabled, svn-disabled, or not-administered. Valid barrier code states include active and expired. For information on administering these parts of the Security Violation Notification Feature, see Appendix D. Security Violations Measurement Report This report identifies invalid login attempts and the entry of invalid barrier codes. It monitors the administration, maintenance, and Remote Access ports. A login violation is reported when a forced disconnect occurs (after three invalid attempts). Review the report daily to track invalid attempts to log in or to enter barrier codes, both of which may indicate hacker activity. For DEFINITY ECS and DEFINITY G1, G3, and System 75: nUse list measurements security-violations to obtain this report, which is updated hourly. For DEFINITY G1 and System 75, only counts for invalid login attempts and invalid Remote Access attempts are provided. For DEFINITY ECS and DEFINITY G3, the report is divided into two sub-reports, a Summary report and a Detail report. The Security Violations Summary Report has the following fields: NOTE: The report header lists the switch name, date and time the report was requested. — Counted Since: The time at which the counts on the report were last cleared and started accumulating again, or when the system was initialized. — Barrier Codes: The total number of times a user entered a valid or invalid remote access barrier code, and the number of resulting security violations. Barrier Codes are used with remote access trunks. — Station Security Code Origination/Total: The number of calls originating from either stations or trunks that generated valid or invalid station security codes, the total number of such calls, and the number of resulting security violations. — Authorization Codes: The number of calls that generated valid or invalid authorization codes, the total number of such call, and the number of resulting security violations. Calls are monitored based on the following origination types. nStation
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-57 Detecting Toll Fraud 3 nTrunk (other than remote access) nRemote Access nAttendant — Port Type: The type of port used by the measured login process. If break-ins are occurring at this level, the offender may have access to your system administration. With DEFINITY Release 5r, port types can be: nSYSAM-LCL (SYSAM Local Port) nSYSAM-RMT (SYSAM Remote Port) nMAINT nSYS-PORT (System Ports) — Total: Measurements totaled for all the above port types. — Successful Logins: The total number of successful logins into SM (that is, the login ID and the password submitted were valid) for the given port type. — Invalid Login Attempts: The total number of login attempts where the attempting party submitted an invalid login ID or password while accessing the given port type. — Invalid Login IDs: The total number of unsuccessful login attempts where the attempting party submitted an invalid login while accessing the given port type. — Login Forced Disconnects: The total number of login processes that were disconnected automatically by the switch because the threshold for consecutive invalid login attempts had been exceeded for the given port type. The threshold is three attempts. — Login Security Violations: The total number of login security violations for the given port type. As with barrier code attempts, the user can define the meaning of a security violation by setting two parameters administratively: nThe number of unsuccessful logins nThe time interval — Login Trivial Attempts: The total number of times a user connected to the system and gave no input to the login sequence. The Security Violations Detail Report provides system management login data per login identification. It relates only to system administration. This report has the following fields: — Login ID: The login identification submitted by the person attempting to login. Login IDs include the valid system login IDs. — Port Type: The type of port where login attempts were made. DEFINITY Release 5r has the following ports: nYSAM-LCL (SYSAM Local Port) nSYSAM-RMT (SYSAM Remote Port)
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-58 Detecting Toll Fraud 3 nMAIN nSYS-PORT (System Ports) nMGR1 nINADS (The Initialization and Administration System port) nEPN (The EPN maintenance EIA port) nNET — Successful Logins: The total number of times a login was used successfully to log into the system for the given port type. — Invalid Passwords: The total number of login attempts where the attempting person submitted an invalid password for the given port type and login ID. For DEFINITY ECS and DEFINITY G3: nUse monitor security-violations for a real-time report of invalid attempts to log in, either through system administration or through remote access using invalid barrier codes. For G3V3 and later, the monitor security-violations command has been split into three separate commands: monitor security-violations — — — The four resulting Security Violations Measurement Reports provide current status information for invalid DEFINITY ECS and DEFINITY Generic 3 Management Applications (G3-MA) login attempts, Remote Access (barrier code) attempts, and Authorization Code attempts. The report titles are as follows: 1. Login Violations Status Report 2. Remote Access (barrier code) Violations Status Report 3. Authorization Code Violations Status Report 4. Station Security Code Violations Report NOTE: The data displayed by these reports is updated every 30 seconds. Sixteen entries are maintained for each type of violation in the security status reports. The oldest information is overwritten by the new entries at each 30 second update. The Login Violations Status report has the following fields: — Date: The day that the invalid attempt occurred
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-59 Detecting Toll Fraud 3 — Time: The time the invalid attempt occurred — Login: The invalid login that was entered as part of the login violation attempt. An invalid password may cause a security violation. If a valid login causes a security violation by entering an incorrect password, the Security Violation Status report lists the login. — Port: The port on which the failed login session was attempted The following abbreviations are used for DEFINITY G3i: nMGR1: The dedicated Management terminal connection (the EIA connection to the Maintenance board) nNET-N: The network controller dialup ports nEPN: The EPN maintenance EIA port nINADS: The INADS (Initialization and Administration System) port nEIA: Other EIA ports The following abbreviations are used for DEFINITY G3r: nSYSAM-LCL: Local administration to Manager 1 nSYSAM-RMT: Dial up port on SYSAM board, typically used by services for remote maintenance, and used by the switch to call out with alarm information. nSYS-PORT: System ports accessed through TDM bus. nMAINT: Ports on expansion port networks maintenance boards, used as a local connection for on-site maintenance. nEXT: The extension assigned to the network controller board on which the failed login session was attempted. This is present only if the invalid login attempt occurred when accessing the system via a network controller channel. The Remote Access Violations Status Report has the following fields: — Date: The day that the invalid attempt occurred — Time: The time the invalid attempt occurred — TG No: The trunk group number associated with the trunk where the authorization code attempt terminated — Mbr: The trunk group member number associated with the trunk where the authorization code attempt terminated — Ext: The extension used to interface with the Remote Access feature — Barrier Code: The incorrect barrier code that resulted in the invalid access attempt (G3V3 and later) In DEFINITY G3V3 and later, the Authorization Code Violations Status report has the following fields:
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-60 Detecting Toll Fraud 3 — Date: The day that the violation occurred — Time: The time the violation occurred — Originator: The type of resource originating the call that generated the invalid authorization code access attempt. Originator types include: nStation nTrunk (other than a trunk assigned to a Remote Access trunk group) nRemote Access (when the invalid authorization code is associated with an attempt to invoke the Remote Access feature) nAttendant — Auth Code: The invalid authorization code entered — TG No: The trunk group number associated with the trunk where the remote access attempt terminated. It appears only when an authorization code is used to access a trunk. — Mbr: The trunk group member number associated with the trunk where the Remote Access attempt terminated. It appears only when an authorization code is used to access a trunk. — Barrier Code: The incorrect barrier code that resulted in the invalid access attempt. It appears only when an authorization code is entered to invoke Remote Access. — Ext: The extension associated with the station or attendant originating the call. It appears only when an authorization code is entered from a station or attendant console. The Station Security Code Violations Report has the following fields: — Date: The date that the attempt occurred — Time: The time that the attempt occurred — TG No: The trunk group number associated with the trunk where the attempt originated — Mbr: The trunk group member number associated with the trunk where the attempt originated — Port/Ext: The port or extension associated with the station or attendant originating the call. — FAC: The feature access code dialed that required a station security code. — Dialed Digits: The digits that the caller dialed when making this invalid attempt. This may help you to judge whether the caller was actually trying to break in to the system, or a legitimate user that made a mistake in the feature code entry.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-61 Detecting Toll Fraud 3 Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later) For DEFINITY G3V3 and later, including DEFINITY ECS, Remote Access Barrier Code Aging allows the system administrator to specify both the time interval a barrier code is valid, and/or the number of times a barrier code can be used to access the Remote Access feature. A barrier code will automatically expire if an expiration date or number of access attempts has exceeded the limits set by the switch administrator. If both a time interval and access limits are administered for an access code, the barrier code expires when one of the conditions is satisfied. If an expiration date is assigned, a warning message will be displayed on the system copyright screen seven days prior to the expiration date, indicating that the barrier code is due to expire. The system administer may modify the expiration date to extend the time interval if needed. Once the administered expiration date is reached or the number of accesses is exceeded, the barrier code no longer provides access to the Remote Access feature, and intercept treatment is applied to the call. Expiration dates and access limits are assigned on a per barrier code basis. There are 10 possible barrier codes, 4 to 7 digits long. If there are more than 10 users of the Remote Access feature, the codes must be shared. NOTE: For upgrades, default expiration dates are automatically assigned to barrier codes (one day from the current date and one access). It is strongly recommended that customers modify these parameters. If they do not, when the barrier codes expire, the remote access feature will no longer function. When a barrier code is no longer needed it should be removed from the system. Barrier codes should be safeguarded by the user and stored in a secure place by the switch administrator. See Appendix D for information on administering Barrier Code Aging. Recent Change History Report (DEFINITY ECS and DEFINITY G1 and G3 only) The latest administration changes are automatically tracked for DEFINITY ECS and DEFINITY G1 and G3. For each administration change that occurs, the system records the date, time, port, login, and type of change that was made. For DEFINITY ECS and DEFINITY G1 and G3: nTo review the report, enter list history. Check for unauthorized changes to security-related features discussed in this handbook.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-62 Detecting Toll Fraud 3 NOTE: Since the amount of space available for storing this information is limited, you should print the entire output of the list history command immediately upon suspicion of toll fraud. For DEFINITY G3V4 with the Intel ® processor, the history log has doubled in size to 500 entries, and provides login and logoff entries. This log includes the date, time, port, and login ID associated with the login or logoff. Malicious Call Trace For DEFINITY G2, G3r, System 85 R2V4, and DEFINITY G3V2 and later releases, Malicious Call Trace (MCT) provides a way for terminal users to notify a predefined set of users that they may be party to a malicious call. These users may then retrieve certain information related to the call and may track the source of the call. The feature also provides a method of generating an audio recording of the call. While MCT is especially helpful to those businesses that are prime targets of malicious calls, such as bomb threats, this feature can aid any business in tracing hackers. For this reason, it may be considered as a security tool for businesses that do not normally experience malicious calls. Depending on whether the call originates within the system or outside it, the following information is collected and displayed: nIf the call originates within the system: — If the call is on the same node or DCS subnetwork, the calling number is displayed on the controlling terminal. — If an ISDN calling number identification is available on the incoming trunk, then the calling number is displayed. nIf the call originates outside the system, the incoming trunk equipment location is displayed. In this case, the customer must call the appropriate connecting switch. nThe following is displayed for all calls: called number, activating number, whether the call is active or not, and identification of any additional parties on the call. There are several ways to activate the MCT feature. See the DEFINITY ECS Release 5 Feature Description , 555-230-204, for more information.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-63 Detecting Toll Fraud 3 Service Observing When toll fraud is suspected, this feature allows an authorized person, such as a security supervisor, to monitor actual calls in progress to establish whether or not an authorized user is on the call. The service observer has the option to listen only or to listen and talk. An optional warning tone can be administered (on a per-system basis) to let the calling party and the user whose call is being observed know that a supervisor is observing the call. The warning tone is a 440-Hz tone. A two-second burst of this tone is heard before the supervisor is connected to the call. A half-second burst of this tone is heard every 12 seconds while a call is being observed. The warning tone is heard by all parties on the observed call. NOTE: The use of service observing may be subject to federal, state, or local laws, rules, or regulations and may be prohibited pursuant to the laws, rules, or regulations or require the consent of one or both of the parties to the conversation. Customers should familiarize themselves with and comply with all applicable laws, rules, and regulations before using this feature. For DEFINITY ECS, DEFINITY G1, G3, and System 75: nEnter change system-parameters features to display the Features-Related System Parameters screen. nEnter y in the Service Observing Warning Tone field. nEnter change station to display the Station screen. nEnter serv-obsrv in the Feature Button Assignment field. nUse change cor to display the Class of Restriction screen. nEnter y in the Service Observing field. nEnter change station to assign the COR to the station. For DEFINITY G2 and System 85: NOTE: This feature is available only with an ACD split. nUse PROC054 WORD2 FIELD8 to assign the Service Observing Custom Calling Button to a multi-appearance terminal. For DEFINITY G3V3 and later, which includes DEFINITY ECS, the Observe Remotely (remote service observing) feature allows monitoring of physical, logical, or VDN extensions from external locations. If the remote access feature is used for remote service observing, then use barrier codes to protect remote service observing.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-64 Detecting Toll Fraud 3 Busy Verification When toll fraud is suspected, you can interrupt the call on a specified trunk group or extension number and monitor the call in progress. Callers will hear a long tone to indicate the call is being monitored. For DEFINITY ECS, DEFINITY G1, G3, and System 75: nEnter change station to display the Station screen for the station that will be assigned the Busy Verification button. nIn the Feature Button Assignment field, enter verify. nTo activate the feature, press the Verify button and then enter the Trunk Access Code and member number to be monitored. For DEFINITY G2 and System 85: nAdminister a Busy Verification button on the attendant console. nTo activate the feature, press the button and enter the Trunk Access Code and the member number. List Call Forwarding Command For DEFINITY G3V4 (and later, including the DEFINITY ECS), this command provides the status of stations that have initiated Call Forwarding On Net and Off Net and Call Forwarding Busy/Don’t Answer. The display includes the station initiating the Call Forwarding and the call forwarding destination