Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-11 MERLIN LEGEND Communications System 
    4
    The following table gives examples of how to allow and disallow calls via star 
    codes and Disallowed Lists.
    Default Disallowed List
    By default, Disallowed List #7 contains the following entries, which are frequently 
    associated with toll fraud:
    n0
    n10
    n11
    n976
    n1809
    n1700
    n1900
    n1ppp976 (where each p represents any digit)
    n*
    This list is automatically assigned to any port that is programmed as a VMI port.
    The system manager should assign Disallowed List #7 to any extension that does 
    not require access to the numbers in the list. Table 4-2. Allowing and Disallowing Calls via Star Codes and Disallowed 
    Lists
    Objective Solution
    Disallow calls preceded by 
    *67, but allow all other calls.Enter *67 as a Disallowed List entry.
    Disallow calls preceded by all 
    star codes, but allow all other 
    calls.Enter * as a Disallowed List entry.
    Disallow calls preceded by 
    either *67 or *69, but allow all 
    other calls.Enter *67 as a Disallowed List entry, and 
    enter *69 as a separate Disallowed List 
    entry.
    Disallow calls preceded by 
    *67, calls to 900 numbers, and 
    calls to directory assistance 
    (411), but allow all other calls.Enter *67, 900, and 411 as separate 
    Disallowed List entries. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-12 MERLIN LEGEND Communications System 
    4
    Assigning a Second Dial Tone Timer
    A second dial tone timer can be assigned to lines and trunks to help prevent toll 
    fraud.
    NOTE:
    This timer can be used with star codes, which are discussed earlier in this 
    chapter.
    If the timer is assigned, and if the user dials a certain set of digits, the CO provides 
    a second dial tone to prompt the user to enter more digits. This ensures that digits 
    are dialed only when the CO is ready to receive more digits from the caller. 
    Therefore, the risk of toll fraud or of the call being routed incorrectly is reduced.
    Setting Facility Restriction Levels
    Facility Restriction Levels (FRLs) can help prevent toll fraud. Some FRLs are 
    already set to a default value before the product is shipped to the customer. Other 
    FRLs can be set by the customer.
    Security Defaults and Tips
    The following list identifies features and components that can be restricted by 
    FRLs, identifies the corresponding FRL, and discusses how the FRLs affect these 
    features and components.
    nVoice Mail Integrated (VMI) Ports
    The default FRL for VMI ports is now 0. This restricts all outcalling. (Refer 
    to Form 7d, “Group Calling.”)
    nDefault Local Route Table
    The default FRL for the Default Local Route Table is now 2. No adjustment 
    to the route FRL is required. (Refer to Table 18 on Planning Form 3g, “ARS 
    Default and Special Numbers Table.”)
    nAutomatic Route Selection (ARS)
    The customer receives the product with ARS activated and with all 
    extensions set to FRL 3. This allows all international calling. To prevent toll 
    fraud, set the ARS FRL to the appropriate value in the following list.
    — 0 (restriction to inside calls only)
    — 2 (restriction to local calls only)
    — 3 (restriction to domestic long distance)
    NOTE:
    This restriction does not include area code 809, which is part 
    of the North American Numbering Plan (NANP). 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-13 MERLIN LEGEND Communications System 
    4
    — 4 (international calling)
    NOTE:
    In Release 3.1 and later systems, default local and default toll tables 
    are factory-assigned an FRL of 2. This simplifies the task of 
    restricting extensions; the FRL for an extension merely needs to be 
    changed from the default of 3.
    Protecting Remote Access
    The Remote Access feature allows users to call into the MERLIN LEGEND 
    Communications System from a remote location (for example, a satellite office, or 
    while traveling) and use the system to make calls. However, unauthorized 
    persons might learn the Remote Access telephone number and password, call 
    into the system, and make long distance calls.
    For MERLIN LEGEND R3.1 and later systems, system passwords, called barrier 
    codes, are by default restricted from making outside calls. In MERLIN LEGEND 
    releases prior to Release 3.0, if you do not program specific outward calling 
    restrictions, the user is able to place any call normally dialed from a telephone 
    associated with the system. Such an off-premises network call is originated at, 
    and will be billed from, the system location.
    The MERLIN LEGEND Communications System has 16 barrier codes for use with 
    Remote Access. For systems prior to MERLIN LEGEND R3, barrier codes have a 
    5-digit maximum; for R3 systems and later, barrier codes have an 11-digit 
    maximum. For greater security, always use the maximum available digits when 
    assigning barrier codes.
    Beginning with MERLIN LEGEND R3.0, the following rules on barrier codes have 
    been included in order to prevent telephone toll fraud:
    — The Remote Access default requires a barrier code
    — The barrier code is a flexible-length code ranging from 4 to 11 digits 
    (with a default of 7) and includes the * character. The length is set 
    system-wide.
    — The user is given three attempts to enter the correct barrier code
    The following security measures assist you in managing the Remote Access 
    feature to help prevent unauthorized use.
    Security Tips
    nEvaluate the necessity for Remote Access. If this feature is not vital to your 
    organization, consider not using it or limiting its use. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-14 MERLIN LEGEND Communications System 
    4
    To turn off Remote Access, do the following:
    1. On the System Administration screen, select Lines and Trunks and 
    then select Remote Access.
    2. Choose Disable Remote Access.
    If you need the feature, use as many of the security measures presented in 
    this section as you can.
    nProgram the Remote Access feature to require the caller to enter a barrier 
    code before the system will allow the caller access. Up to 16 different 
    barrier codes can be programmed, and different restriction levels can be 
    set for each barrier code.
    nFor MERLIN LEGEND R3.0, program the Remote Access feature to enter 
    an authorization code of up to 11 digits. For greater security, always use 
    the maximum available digits when assigning authorization codes.
    nIt is strongly recommended that customers invest in security adjuncts, 
    which typically use one-time passcode algorithms. These security adjuncts 
    discourage hackers. Since a secure use of the Remote Access feature 
    generally offers savings over credit card calling, the break-even period can 
    make the investment in security adjuncts worthwhile. 
    nIf a customer chooses to use the Remote Access feature without a security 
    adjunct, multiple barrier codes should be employed, with one per user if the 
    system permits. The MERLIN LEGEND system permits a maximum of 16 
    barrier codes. The barrier code for each user should not be recorded in a 
    place or manner that may be accessible for an unauthorized user. The 
    code should also not indicate facts about or traits of the user that are easily 
    researched (for example, the user’s birthdate) or discernible (for example, 
    the user’s hobbies, interests, political inclinations, etc.).
    nUse the system’s toll restriction capabilities, to restrict the long distance 
    calling ability of Remote Access users as much as possible, consistent with 
    the needs of your business.
    nBlock out-of-hours calling by manually turning off Remote Access features 
    at an administration telephone whenever appropriate (if Remote Access is 
    dedicated on a port).
    nProtect your Remote Access telephone number and password. Only give 
    them to people who need them, and impress upon those people the need 
    to keep the telephone number and password secret.
    nMonitor your SMDR records and/or your Call Accounting System reports 
    regularly for signs of irregular calls. Review these records and reports for 
    the following symptoms of abuse:
    — Short holding times on one trunk group
    — Patterns of authorization code usage (same code used 
    simultaneously or high activity)
    — Calls to international locations not normal for your business 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-15 MERLIN LEGEND Communications System 
    4
    — Calls to suspicious destinations
    — High numbers of “ineffective call attempts” indicating attempts at 
    entering invalid barrier codes or authorization codes
    — Numerous calls to the same number
    — Undefined account codes
    Protecting Remote System Programming
    The Remote System Programming feature allows your system administrator to 
    use System Programming and Maintenance (SPM) software to make changes to 
    your MERLIN LEGEND Communications System programming from another 
    location. The system can be accessed remotely either by dialing into it directly 
    using Remote Access or by dialing the system operator and asking to be 
    transferred to the system’s built-in modem. The feature also may be used, at your 
    request, by Lucent Technologies personnel to do troubleshooting or system 
    maintenance.
    However, unauthorized persons could disrupt your business by altering your 
    system programming. In addition, they could activate features (such as Remote 
    Access) that would permit them to make long distance calls, or they could change 
    restriction levels to allow long distance calls that would otherwise have been 
    blocked.
    The following security measures assist you in managing the Remote System 
    Programming feature to help prevent unauthorized use.
    Security Tips
    nThe System Programming capability of the MERLIN LEGEND 
    Communications System is protected by a password. Passwords can be 
    up to five characters in length and can be alpha or numeric and special 
    characters. See ‘‘
    Administration / Maintenance Access’’ on page 2-4 and 
    ‘‘
    General Security Measures’’ on page 2-7 for secure password guidelines.
    nIf you use Remote Access to do remote system programming on your 
    MERLIN LEGEND Communications System, follow all of the security tips 
    listed for protecting the Remote Access feature.
    — Even if the Remote Access feature is used only for remote system 
    programming, it should be protected by a barrier code.
    — Do not write the Remote Access telephone number or barrier code 
    on the MERLIN LEGEND Communications System, the connecting 
    equipment, or anywhere else in the system room.
    nTrain all employees, especially your system operator, to transfer only 
    authorized callers to the system’s built-in modem for remote programming. 
    Hackers have also been known to use “Social Engineering” to gain transfer 
    to the built-in modem. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-16 MERLIN Plus Communications System 
    4
    Protecting Remote Call Forwarding
    The Remote Call Forwarding feature allows a customer to forward an incoming 
    call to another off-premises number. However, a caller could stay on the line and 
    receive another dial tone. At this point, the caller could initiate another toll call.
    The following security measures assist you in managing the Remote Call 
    Forwarding feature to help prevent unauthorized use:
    nProvide the Remote Call Forwarding capability only to those people who 
    need it.
    nDo not use this feature with loop-start lines. Due to unreliable disconnects 
    from the carrier’s central office, this feature may allow dial-tone to be 
    re-established and additional calls to be made.
    MERLIN Plus Communications 
    System
    This section provides information on protecting the MERLIN Plus 
    Communications System. 
    Protecting Remote Line Access (R2 only)
    The Remote Line Access feature allows users to call into the MERLIN Plus 
    Communications System from a remote location (for example, a satellite office, or 
    while traveling) and use the system to make calls. However, unauthorized 
    persons might learn the Remote Line Access telephone number and password, 
    call into the system, and make long distance calls.
    The following security measures assist you in managing the Remote Line Access 
    feature to help prevent unauthorized use.
    Security Tips
    nEvaluate the necessity for Remote Line Access. If this feature is not vital to 
    your organization, consider not using it or limiting its use. If you need the 
    feature, use as many of the security measures presented in this section as 
    you can.
    nDisallow all or selected international calls on remote line access ports.
    nAdminister trunk pools for Originated Line Screening to avoid 
    operator-assisted calls from toll-restricted stations.
    nProgram the Remote Line Access feature to require the caller to enter a 
    5-digit password before the system will allow the caller access. The 
    password is comprised of the user’s extension number (first 2 digits) plus 3 
    unique digits. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-17 MERLIN Plus Communications System 
    4
    nUse the system’s toll restriction capabilities to restrict the long distance 
    calling ability of Remote Line Access users as much as possible, 
    consistent with the needs of your business.
    nBlock out-of-hours calling by turning off DXD and Remote Line Access 
    features at an extension 10 telephone whenever possible.
    nProtect your Remote Line Access telephone number and password. Only 
    give them to people who need them, and impress upon these people the 
    need to keep the telephone number and password secret.
    nMonitor your SMDR records and/or your Call Accounting System reports 
    regularly for signs of irregular calls. Review these records and reports for 
    the following symptoms of abuse:
    — Patterns of authorization code usage (same code used 
    simultaneously or high activity)
    — Calls to international locations not normal for your business
    — Calls to suspicious destinations
    — High numbers of “ineffective call attempts” indicating attempts at 
    entering invalid barrier codes or authorization codes
    — Numerous calls to the same number 
    — Undefined account codes
    n Activate “Automatic Call Restriction Reset” (R2 only)
    Protecting Remote Call Forwarding (R2 only)
    For Release 2, the MERLIN Plus Communications System allows a customer to 
    forward an incoming call to another (remotely located) telephone number. 
    However, a caller could stay on the line and receive another dial tone. At this 
    point, the caller could initiate a toll call without any outward call restrictions at all.
    The following security measures assist you in managing the Remote Call 
    Forwarding feature to help prevent unauthorized use.
    nImplement the “Automatic Timeout” feature of the MERLIN Plus 
    Communications System R2 “B” (Remote Call Forwarding feature). 
    Contact the Lucent Technologies National Service Assistance Center 
    (NSAC) at 800 628-2888 to determine if your system has the Automatic 
    Timeout feature as part of the 533B memory module.
    nProvide the Remote Call Forwarding capability only to those who need it. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-18 PARTNER II Communications System 
    4
    PARTNER II Communications System
    This section provides information on protecting the PARTNER II Communications 
    System. 
    Additional security measures are required to protect adjunct equipment.
    nChapter 5 contains security measures to protect the attached voice 
    messaging system. For general security measures, refer to ‘‘
    Protecting 
    Voice Messaging Systems’’ on page 5-2. For product-specific security 
    measures, refer to ‘‘
    PARTNER II Communications System’’ on page 5-48.
    nChapter 6 contains security measures to protect the Automated Attendant 
    feature of your communications system. See ‘‘
    PARTNER II 
    Communications System’’ on page 6-20.
    The PARTNER II Communications System does not permit trunk-to-trunk 
    transfers, thus reducing the risk of toll fraud. In addition, it allows individual 
    stations to be administered for outward restriction.
    An optional Remote Administration Unit provides remote administration for all 
    releases of the PARTNER II Communications System. Protect the Remote 
    Administration Unit by making sure to assign a password for unattended mode, 
    and once remote administration is not necessary, remove it from unattended 
    mode. Otherwise, a hacker could change the programming remotely.
    PARTNER Plus Communications 
    System
    This section provides information on protecting the PARTNER Plus 
    Communications System. 
    Additional security measures are required to protect adjunct equipment.
    nChapter 5 contains security measures to protect the attached voice 
    messaging system. For general security measures, refer to ‘‘
    Protecting 
    Voice Messaging Systems’’ on page 5-2. For product-specific security 
    measures, refer to ‘‘
    PARTNER Plus Communications System’’ on page 
    5-50.
    nChapter 6 contains security measures to protect the Automated Attendant 
    feature of your communications system. See ‘‘
    PARTNER Plus 
    Communications System’’ on page 6-20.
    The PARTNER Plus Communications System does not permit trunk-to-trunk 
    transfers, thus reducing the risk of toll fraud. In addition, it allows individual 
    stations to be administered for outward restriction.
    An optional Remote Administration Unit provides remote administration for all 
    releases of the PARTNER Plus Communications System. Protect the Remote  
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-19 System 25 
    4
    Administration Unit by making sure to assign a password for unattended mode, 
    and once remote administration is not necessary, remove it from unattended 
    mode. Otherwise, a hacker could change the programming remotely.
    System 25
    This section provides information on protecting the System 25.
    Additional security measures are required to protect adjunct equipment.
    nChapter 5 contains security measures to protect the attached voice 
    messaging system. For general security measures, refer to ‘‘
    Protecting 
    Voice Messaging Systems’’ on page 5-2. For product-specific security 
    measures, refer to page 5-52
    .
    nChapter 6 contains security measures to protect the Automated Attendant 
    feature of your communications system. See ‘‘
    PARTNER Plus 
    Communications System’’ on page 6-20.
    System 25 allows trunk-to-trunk transfer capability, increasing the opportunities 
    for toll fraud. However, trunk-to-trunk transfers on loop-start trunks are not allowed 
    unless the switch is administered to allow it. A fast busy signal indicates that the 
    transfer is not allowed. Do not allow trunk-to-trunk transfers on loop start trunks 
    unless there is a business need for it. This may be administered from the system 
    administration menu.
    For R3V3, international calls (or international calls to selected countries) can be 
    disallowed from a toll restricted station, and toll restricted stations can be blocked 
    from using Interexchange Carrier Codes (IXCs) to make domestic or international 
    direct dialed calls. Also, unless a trunk pool is administered for “Originating Line 
    Screening,” toll restricted stations cannot make operator-assisted calls.
    To further reduce the system’s vulnerability to toll fraud, outward restrict the 
    tip/ring port to which the Remote Maintenance Device is connected.
    Protecting Remote Access
    The Remote Access feature allows users to call into System 25 from a remote 
    location (for example, a satellite office, or while traveling) and use the system to 
    make calls. However, unauthorized persons might learn the Remote Access 
    telephone number and password (barrier access code), call into the system, and 
    make long distance calls.
    System 25 allows up to 16 different barrier access codes and one Remote 
    Maintenance barrier access code for use with the Remote Access feature. Except 
    for R3V3, barrier access codes have a 5-digit maximum. R3V3 allows up to 15 
    characters, including the digits 0 to 9, #, and *. Also for R3V3, an alarm is 
    generated at the attendant console if an invalid barrier access code is entered.  
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-20 System 25 
    4
    For greater security, always use the maximum available digits when assigning 
    barrier access codes.
    The following security measures assist you in managing the Remote Access 
    feature to help prevent unauthorized use.
    Security Tips
    nEvaluate the necessity for Remote Access. If this feature is not vital to your 
    organization, consider not using it or limiting its use. If you need the 
    feature, use as many of the security measures presented in this section as 
    you can.
    nProgram the Remote Access feature to require the caller to enter a 
    password (barrier access code) before the system will allow the caller 
    access.
    nUse the system’s toll restriction capabilities to restrict the long distance 
    calling ability of Remote Access users as much as possible, consistent with 
    the needs of your business. For example, allow users to make calls only to 
    certain area codes, or do not allow international calls.
    nProtect your Remote Access telephone number and password (barrier 
    access code). Only give them to people who need them, and impress upon 
    these people the need to keep the telephone number and password 
    (barrier access code) secret.
    nMonitor your SMDR records and/or your Call Accounting System reports 
    regularly for signs of irregular calls. Review these records and reports for 
    the following symptoms of abuse:
    — Short holding times on one trunk group
    — Calls to international locations not normal for your business
    — Calls to suspicious destinations
    — High numbers of “ineffective call attempts” indicating attempts at 
    entering invalid barrier codes or authorization codes
    — Numerous calls to the same number 
    — Undefined account codes
    Protecting Remote System Administration
    The Remote System Administration feature allows your telephone system 
    administrator to make changes to your System 25 system programming from 
    another location by dialing into the system. The feature also may be used, at your 
    request, by Lucent Technologies personnel to do troubleshooting or system 
    maintenance. 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual