Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook Instructions Manual
Lucent Technologies BCS Products Security Handbook Instructions Manual
Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Small Business Communications Systems Page 4-21 System 25 4 However, unauthorized persons could disrupt your business by altering your system programming. In addition, they could activate features (such as Remote Access) that would permit them to make long distance calls through your system. The following security measures assist you in managing the Remote System Administration feature to help prevent unauthorized use. Security Tips nThe System Administration capability of the system is protected by a password. Passwords can be up to eight characters in length and can be alpha or numeric and include the pound sign (#). See ‘‘ Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password procedures. See Appendix E for information on how to change passwords. nIf you have a special telephone line connected to your system for Remote System Administration, do one of the following: — Unplug the line when it is not being used. — Install a switch in the line to turn it off when it is not being used. — Install a security device, such as Lucent Technologies’ Remote Port Security Device. (See Appendix G for more information.) nProtect your Remote System Administration telephone number and password. Only give them to people who need to know them, and impress upon these people the need to keep the telephone number and password secret. nIf your Remote System Administration feature requires that someone in your office transfer the caller to the Remote System Administration extension, impress upon your employees the importance of transferring only authorized individuals to that extension.
Voice Messaging Systems Page 5-1 5 BCS Products Security Handbook 555-025-600 Issue 6 December 1997 5 5Voice Messaging Systems The information in this chapter helps prevent unauthorized users from finding pathways through the voice messaging system and out of the switch. This chapter presents each communications system, and the voice mail systems it may host. nDEFINITY ECS (page 5-4) nDEFINITY Communications Systems (page 5-4) nMERLIN II Communications System (page 5-33) nMERLIN LEGEND Communications System (page 5-36) nPARTNER II Communications System (page 5-48) nPARTNER Plus Communications System (page 5-50) nSystem 25 (page 5-52) nSystem 75 (page 5-4) nSystem 85 (page 5-4) NOTE: The tools and measures in this chapter fall into two categories; those that are implemented in the switch, and those that are implemented in the voice messaging adjunct. It is recommended that security measures related to voice adjuncts be implemented in both the switch and the voice adjunct. If you are using a non-Lucent Technologies adjunct with a Lucent Technologies switch, the switch security measures described here should be implemented as well as adjunct security measures described in the adjunct documentation supplied by the non-Lucent Technologies vendor.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-2 Protecting Voice Messaging Systems 5 Protecting Voice Messaging Systems Voice messaging toll fraud has risen dramatically in recent years. Now more than ever, it is imperative that you take steps to secure your communications systems. Callers into the voice messaging/auto attendant system may transfer to an outgoing trunk if adequate security measures are not implemented (see Figure 5-1). In addition, mailboxes associated with voice messaging systems can facilitate toll fraud or industrial espionage if they are accessible to unauthorized users. Figure 5-1. Call Transfer Through the PBX Criminals attempt to transfer to the following codes: nARS Dial Access Codes (most likely the digit “9”) nTrunk Access Codes (TACs) nTrunk Verification Codes, Facility Test Call Access Codes, or Data Origination Codes All security restrictions that prevent transfer to these codes should be implemented. The only tool a criminal needs to breach an inadequately secured CO DID 800 SDNVoice Messaging Auto Attendant PBX
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-3 Protecting Voice Messaging Systems 5 system is a touch tone telephone. With the advent of cellular phones, hackers have yet another means of accessing voice mailboxes. If a user calls the voice mail system from a cellular phone and inputs his or her password, the voice mailbox becomes vulnerable to toll fraud. Since cellular phones can be monitored, a hacker can obtain the password and access the voice mailbox. Tell users not to enter passwords on a cellular phone. Security Tips nRestrict transfers back to the host PBX, by not allowing transfers, by using Enhanced Call Transfer, or by allowing Transfer to Subscriber Only. nWhen password protection into voice mailboxes is offered, it is recommended that you use the maximum length password where feasible. nDeactivate unassigned voice mailboxes. When an employee leaves the company, remove the voice mailbox. nDo not create voice mailboxes before they are needed. nEstablish your password as soon as your voice mail system extension is assigned. This ensures that only YOU will have access to your mailbox not anyone who enters your extension number and #. (The use of only the “#” indicates the lack of a password. This fact is well-known by telephone hackers.) nNever have your greeting state that you will accept third party billed calls. A greeting like this allows unauthorized individuals to charge calls to your company. If you call someone at your company and get a greeting like this, point out the vulnerability to the person and recommend that they change the greeting immediately. nNever use obvious or trivial passwords, such as your phone extension, room number, employee identification number, social security number, or easily guessed numeric combinations (for example, 999999). See ‘‘ Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password guidelines. nChange adjunct default passwords immediately; never skip the password entry. Hackers find out defaults. nLock out consecutive unsuccessful attempts to enter a voice mailbox. nDiscourage the practice of writing down passwords, storing them, or sharing them with others. If a password needs to be written down, keep it in a secure place and never discard it while it is active. nNever program passwords onto auto dial buttons. nIf you receive any strange messages on the voice mail system, if your greeting has been changed, or if for any reason you suspect that your voice mail system facilities are being used by someone else, contact Lucent Technologies Network Corporate Security.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-4 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5 nContact your central office to verify that your carrier provides “reliable disconnect” for your host PBX or switch. “Reliable disconnect” is sometimes referred to as a forward disconnect or disconnect supervision. It guarantees that the central office will not return a dial tone after the called party hangs up. If the central office does not provide reliable disconnect and a calling party stays on the line, the central office will return a dial tone at the conclusion of the call. This permits the caller to place another call as if it were being placed from your company. nContact your voice messaging system supplier. There may be additional measures you can take to prevent unauthorized users from transferring through voice mail to outgoing trunks. DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 The voice messaging products that work with these systems are listed below: nAUDIX Voice Mail System — The AUDIX Voice Mail System is a system that is external to the DEFINITY ECS and DEFINITY Communications Systems and connected to the switch by station lines and data links. (See ‘‘ Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems’’ on page 5-15.) nAUDIX Voice Power System — The AUDIX Voice Power System includes AUDIX Voice Power (VP), AUDIX VP Lodging, and AUDIX VP Auto Attendant. (See ‘‘ Protecting the AUDIX Voice Power System’’ on page 5-28.) nCONVERSANT Voice Information System. (See ‘‘Protecting the CONVERSANT Voice Information System’’ on page 5-31.) nDEFINITY AUDIX System — The DEFINITY AUDIX System is a system comprised of circuit packs resident in the switch. (See ‘‘ Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems’’ on page 5-15.) nLucent Technologies INTUITY AUDIX System — The Lucent Technologies I NTUITY System includes both the INTUITY Voice Messaging System and the I NTUITY Intro Voice Response System. (See ‘‘Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems’’ on page 5-15.) Also see ‘‘Related Documentation’’ in the ‘‘About This Document’’ section for a list of manuals on these products.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-5 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5 Tools that Prevent Unauthorized Calls You can help prevent unauthorized callers who enter the voice messaging system from obtaining an outgoing facility by using the security tools shown in Table 5-1 . Facility Restriction Levels The switch treats all the PBX ports used by voice mail systems as stations. Therefore, each voice mail port can be assigned a COR/COS with an FRL associated with the COR/COS. FRLs provide eight different levels of restrictions for AAR/ARS/WCR calls. They are used in combination with calling permissions and routing patterns and/or preferences to determine where calls can be made. FRLs range from 0 to 7, with each number representing a different level of restriction (or no restrictions at all). The FRL is used for the AAR/ARS/WCR feature to determine call access to an outgoing trunk group. Outgoing call routing is determined by a comparison of the FRLs in the AAR/ARS/WCR routing pattern to the FRL associated with the COR/COS of the call originator. The higher the FRL number, the greater the calling privileges. For example, if a station is not permitted to make outside calls, assign it an FRL value of 0. Then Table 5-1. DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Voice Mail Security Tools Security Tool Switch Page # Enhanced Call Transfer (see ‘‘ Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems’’)DEFINITY G1 (Issue 5.0), G2, G3, DEFINITY ECS, System 75 R1V3 (Issue 2.0), System 85 R2V45-15 Facility Restriction Levels*All5-5 Station-to-Trunk Restrictions*All5-6 Class of Restriction DEFINITY G1, G3, DEFINITY ECS, and System 755-6 Class of Service DEFINITY G2 and System 855-6 Toll Analysis DEFINITY G1, G2, G3, DEFINITY ECS, and System 855-7
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-6 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5 ensure that the FRLs on the trunk group preferences in the routing patterns are 1or higher. For example, when voice mail ports are assigned to a COR with an FRL of 0, outside calls are disallowed. If this is too restrictive because the outcalling feature is being used, the voice mail ports can be assigned to a COR with an FRL that is low enough to limit calls to the calling area needed. NOTE: Voice messaging ports that are outward restricted via COR cannot use AAR/ARS/WCR trunks. Therefore, the FRL level doesn’t matter since FRLs are not checked. Station-to-Trunk Restrictions Station-to-Trunk Restrictions can be assigned to disallow stations from dialing specific outside trunks. By implementing these restrictions, callers cannot transfer out of voice mail to an outside facility using Trunk Access Codes. For G2 and System 85, if TACs are necessary for certain users to allow direct dial access to specific facilities, such as tie trunks, use the Miscellaneous Trunk Restriction feature to deny access to others. For those stations and all trunk-originated calls, always use ARS/AAR/WCR for outside calling. NOTE: Allowing TAC access to tie trunks on your switch may give the caller access to the Trunk Verification feature on the next switch, or the outgoing trunks through either ARS or TACs. Class of Restriction For DEFINITY ECS, DEFINITY G1, G3, and System 75, each voice port on the voice mail adjunct is considered an extension to the switch and should be assigned its own unique COR. Up to 64 CORs can be defined in the system. For DEFINITY G3rV1, G3i-Global, and G3V2 and later, this has been increased to 96 CORs. The CORs are assigned to stations and trunks to provide or prevent the ability to make specific types of calls, or calls to other specified CORs. For example, a voice mail extension could be assigned to a COR that prohibits any outgoing calls. Class of Service For DEFINITY G2 and System 85, a voice mail port must be assigned a COS. The following COS options relate to voice mail toll fraud prevention: nCall Forward Off-Net: allows a user to call forward outside the switch to non-toll locations. nCall Forward Follow Me: allows a user to forward calls outside the switch when other options are set.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-7 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5 nMiscellaneous Trunk Restrictions: restricts certain stations from calling certain trunk groups via dial access codes. nOutward Restriction: restricts the user from placing calls over the CO, FX, or WATS trunks using dial access codes to trunks. Outward restriction also restricts the user from placing calls via ARS/WCR. Use ARS/WCR with WCR toll restrictions instead. nToll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead. nWCR Toll Restriction: restricts users from dialing the ARS or WCR Network I Toll Access Code, or from completing a toll call over ARS/WCR. nTerminal-to-Terminal Restrictions: restricts the user from placing or receiving any calls except from and to other stations on the switch. Toll Analysis The Toll Analysis screen allows you to specify the toll calls you want to assign to a restricted call list (for example, 900 numbers) or to an unrestricted call list (for example, an outcalling number to a call pager). Call lists can be specified for CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls. Security Measures in the PBX Security measures in the PBX are designed to prevent criminals from placing fraudulent calls once they have accessed the voice messaging system. However, these security measures do not restrict criminals from reaching the voice mail system, such as by dialing a DID station that is forwarded to the voice mail system. Incoming calls to the voice mail system may transfer to outgoing facilities if proper security measures are not implemented. Security steps can be implemented in the PBX and in the voice messaging/auto attendant system. Limit Voice Mail to Internal Calling If outcalling is not activated in the voice mail system, you can restrict voice mail callers from dialing an outside number by making the ports outward restricted. For DEFINITY G1, G3, and System 75: nUse change cor to display the Class of Restriction screen, then create an outward restricted COR by entering outward in the Calling Party Restriction field. nAssign FRL 0. nUse change station to assign the outward restricted COR to the voice mail ports. nUse COR-to-COR restrictions to block voice mail ports from directly accessing the CORs of outgoing trunks. The trunk CORs should be unique.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-8 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5 For DEFINITY G2 and System 85: nUse PROC010 WORD3 FIELD19 to assign outward restriction to the voice mail ports’ COS. nMake the voice ports Toll Restricted and ARS Toll Restricted, and assign an FRL of 0. Enter no for all Miscellaneous Trunk Restriction Groups (MTRGs). Restrict the Outside Calling Area When you assign the lowest possible FRL to the voice mail ports, you can limit the trunks that are available to callers. FRLs can be assigned to offer a range of calling regions. Choose the one that provides the most restricted calling range that is required. Table 5-2 provides suggested FRL values. NOTE: In Table 5-2, FRLs 1 through 7 include the capabilities of the lower FRLs. For example, FRL 3 allows private network trunk calls and local calls in addition to FX and WATS trunk calls. Verify the route pattern FRLs — no pattern should carry an FRL of 0. For DEFINITY G1, G3, and System 75: nUse change cor for the voice mail ports (versus subscribers) to display the Class of Restriction screen. Table 5-2. Suggested Values for FRLs FRL Suggested Value 0No outgoing (off-switch) calls permitted. 1Allow local calls only; deny 0+ and 1 800 calls. 2Allow local calls, 0+, and 1 800 calls. 3Allow local calls plus calls on FX and WATS trunks. 4Allow calls within the home NPA. 5Allow calls to certain destinations within the continental USA. 6Allow calls throughout the continental USA. 7Allow international calling. Assign attendant console FRL 7. Be aware, however, if Extension Number Portability is used, the originating endpoint is assigned FRL 7.