Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Small Business Communications Systems 
    Page 4-21 System 25 
    4
    However, unauthorized persons could disrupt your business by altering your 
    system programming. In addition, they could activate features (such as Remote 
    Access) that would permit them to make long distance calls through your system.
    The following security measures assist you in managing the Remote System 
    Administration feature to help prevent unauthorized use.
    Security Tips
    nThe System Administration capability of the system is protected by a 
    password. Passwords can be up to eight characters in length and can be 
    alpha or numeric and include the pound sign (#). See ‘‘
    Administration / 
    Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on 
    page 2-7 for secure password procedures. See Appendix E for information 
    on how to change passwords.
    nIf you have a special telephone line connected to your system for Remote 
    System Administration, do one of the following: 
    — Unplug the line when it is not being used.
    — Install a switch in the line to turn it off when it is not being used.
    — Install a security device, such as Lucent Technologies’ Remote Port 
    Security Device. (See Appendix G for more information.)
    nProtect your Remote System Administration telephone number and 
    password. Only give them to people who need to know them, and impress 
    upon these people the need to keep the telephone number and password 
    secret.
    nIf your Remote System Administration feature requires that someone in 
    your office transfer the caller to the Remote System Administration 
    extension, impress upon your employees the importance of transferring 
    only authorized individuals to that extension. 
    						
    							Voice Messaging Systems 
    Page 5-1  
    5
    BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    5
    5Voice Messaging Systems
    The information in this chapter helps prevent unauthorized users from finding 
    pathways through the voice messaging system and out of the switch. This chapter 
    presents each communications system, and the voice mail systems it may host.
    nDEFINITY ECS (page 5-4)
    nDEFINITY Communications Systems (page 5-4)
    nMERLIN II Communications System (page 5-33)
    nMERLIN LEGEND Communications System (page 5-36)
    nPARTNER II Communications System (page 5-48)
    nPARTNER Plus Communications System (page 5-50)
    nSystem 25 (page 5-52)
    nSystem 75 (page 5-4)
    nSystem 85 (page 5-4)
    NOTE:
    The tools and measures in this chapter fall into two categories; those that 
    are implemented in the switch, and those that are implemented in the voice 
    messaging adjunct. It is recommended that security measures related to 
    voice adjuncts be implemented in both the switch and the voice adjunct. If 
    you are using a non-Lucent Technologies adjunct with a Lucent 
    Technologies switch, the switch security measures described here should 
    be implemented as well as adjunct security measures described in the 
    adjunct documentation supplied by the non-Lucent Technologies vendor. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-2 Protecting Voice Messaging Systems 
    5
    Protecting Voice Messaging Systems
    Voice messaging toll fraud has risen dramatically in recent years. Now more than 
    ever, it is imperative that you take steps to secure your communications systems. 
    Callers into the voice messaging/auto attendant system may transfer to an 
    outgoing trunk if adequate security measures are not implemented (see Figure 
    5-1).
    In addition, mailboxes associated with voice messaging systems can facilitate toll 
    fraud or industrial espionage if they are accessible to unauthorized users.
    Figure 5-1. Call Transfer Through the PBX
    Criminals attempt to transfer to the following codes:
    nARS Dial Access Codes (most likely the digit “9”)
    nTrunk Access Codes (TACs)
    nTrunk Verification Codes, Facility Test Call Access Codes, or Data 
    Origination Codes
    All security restrictions that prevent transfer to these codes should be 
    implemented. The only tool a criminal needs to breach an inadequately secured 
    CO
    DID
    800
    SDNVoice
    Messaging
    Auto
    Attendant
    PBX 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-3 Protecting Voice Messaging Systems 
    5
    system is a touch tone telephone. With the advent of cellular phones, hackers 
    have yet another means of accessing voice mailboxes. If a user calls the voice 
    mail system from a cellular phone and inputs his or her password, the voice 
    mailbox becomes vulnerable to toll fraud. Since cellular phones can be monitored, 
    a hacker can obtain the password and access the voice mailbox. Tell users not to 
    enter passwords on a cellular phone.
    Security Tips
    nRestrict transfers back to the host PBX, by not allowing transfers, by using 
    Enhanced Call Transfer, or by allowing Transfer to Subscriber Only.
    nWhen password protection into voice mailboxes is offered, it is 
    recommended that you use the maximum length password where feasible.
    nDeactivate unassigned voice mailboxes. When an employee leaves the 
    company, remove the voice mailbox.
    nDo not create voice mailboxes before they are needed.
    nEstablish your password as soon as your voice mail system extension is 
    assigned. This ensures that only YOU will have access to your mailbox not 
    anyone who enters your extension number and #. (The use of only the “#” 
    indicates the lack of a password. This fact is well-known by telephone 
    hackers.)
    nNever have your greeting state that you will accept third party billed calls. A 
    greeting like this allows unauthorized individuals to charge calls to your 
    company. If you call someone at your company and get a greeting like this, 
    point out the vulnerability to the person and recommend that they change 
    the greeting immediately.
    nNever use obvious or trivial passwords, such as your phone extension, 
    room number, employee identification number, social security number, or 
    easily guessed numeric combinations (for example, 999999). See 
    ‘‘
    Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security 
    Measures’’ on page 2-7 for secure password guidelines.
    nChange adjunct default passwords immediately; never skip the password 
    entry. Hackers find out defaults.
    nLock out consecutive unsuccessful attempts to enter a voice mailbox.
    nDiscourage the practice of writing down passwords, storing them, or 
    sharing them with others. If a password needs to be written down, keep it in 
    a secure place and never discard it while it is active.
    nNever program passwords onto auto dial buttons.
    nIf you receive any strange messages on the voice mail system, if your 
    greeting has been changed, or if for any reason you suspect that your 
    voice mail system facilities are being used by someone else, contact 
    Lucent Technologies Network Corporate Security. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-4 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    nContact your central office to verify that your carrier provides “reliable 
    disconnect” for your host PBX or switch. “Reliable disconnect” is 
    sometimes referred to as a forward disconnect or disconnect supervision. It 
    guarantees that the central office will not return a dial tone after the called 
    party hangs up. If the central office does not provide reliable disconnect 
    and a calling party stays on the line, the central office will return a dial tone 
    at the conclusion of the call. This permits the caller to place another call as 
    if it were being placed from your company.
    nContact your voice messaging system supplier. There may be additional 
    measures you can take to prevent unauthorized users from transferring 
    through voice mail to outgoing trunks.
    DEFINITY ECS, DEFINITY 
    Communications Systems, System 75, 
    and System 85
    The voice messaging products that work with these systems are listed below:
    nAUDIX Voice Mail System — The AUDIX Voice Mail System is a system 
    that is external to the DEFINITY ECS and DEFINITY Communications 
    Systems and connected to the switch by station lines and data links. (See 
    ‘‘
    Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies 
    INTUITY Voice Mail Systems’’ on page 5-15.)
    nAUDIX Voice Power System — The AUDIX Voice Power System includes 
    AUDIX Voice Power (VP), AUDIX VP Lodging, and AUDIX VP Auto 
    Attendant. (See ‘‘
    Protecting the AUDIX Voice Power System’’ on page 
    5-28.)
    nCONVERSANT Voice Information System. (See ‘‘Protecting the 
    CONVERSANT Voice Information System’’ on page 5-31.)
    nDEFINITY AUDIX System — The DEFINITY AUDIX System is a system 
    comprised of circuit packs resident in the switch. (See ‘‘
    Protecting the 
    AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail 
    Systems’’ on page 5-15.)
    nLucent Technologies INTUITY AUDIX System — The Lucent Technologies 
    I
    NTUITY System includes both the INTUITY Voice Messaging System and 
    the I
    NTUITY Intro Voice Response System. (See ‘‘Protecting the AUDIX, 
    DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems’’ 
    on page 5-15.)
    Also see ‘‘Related Documentation’’ in the ‘‘About This Document’’ section for a list 
    of manuals on these products. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-5 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    Tools that Prevent Unauthorized Calls
    You can help prevent unauthorized callers who enter the voice messaging system 
    from obtaining an outgoing facility by using the security tools shown in Table 5-1
    .
    Facility Restriction Levels
    The switch treats all the PBX ports used by voice mail systems as stations. 
    Therefore, each voice mail port can be assigned a COR/COS with an FRL 
    associated with the COR/COS. FRLs provide eight different levels of restrictions 
    for AAR/ARS/WCR calls. They are used in combination with calling permissions 
    and routing patterns and/or preferences to determine where calls can be made. 
    FRLs range from 0 to 7, with each number representing a different level of 
    restriction (or no restrictions at all).
    The FRL is used for the AAR/ARS/WCR feature to determine call access to an 
    outgoing trunk group. Outgoing call routing is determined by a comparison of the 
    FRLs in the AAR/ARS/WCR routing pattern to the FRL associated with the 
    COR/COS of the call originator.
    The higher the FRL number, the greater the calling privileges. For example, if a 
    station is not permitted to make outside calls, assign it an FRL value of 0. Then  Table 5-1. DEFINITY ECS, DEFINITY Communications Systems, System 75, and 
    System 85 Voice Mail Security Tools
    Security Tool Switch Page #
    Enhanced Call Transfer 
    (see ‘‘
    Protecting the 
    AUDIX, DEFINITY 
    AUDIX, and Lucent 
    Technologies INTUITY 
    Voice Mail Systems’’)DEFINITY G1 (Issue 
    5.0), G2, G3, DEFINITY 
    ECS, System 75 R1V3 
    (Issue 2.0), System 85 
    R2V45-15
    Facility Restriction 
    Levels*All5-5
    Station-to-Trunk 
    Restrictions*All5-6
    Class of Restriction DEFINITY G1, G3, 
    DEFINITY ECS, and 
    System 755-6
    Class of Service DEFINITY G2 and 
    System 855-6
    Toll Analysis DEFINITY G1, G2, G3, 
    DEFINITY ECS, and 
    System 855-7 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-6 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    ensure that the FRLs on the trunk group preferences in the routing patterns are 
    1or higher.
    For example, when voice mail ports are assigned to a COR with an FRL of 0, 
    outside calls are disallowed. If this is too restrictive because the outcalling feature 
    is being used, the voice mail ports can be assigned to a COR with an FRL that is 
    low enough to limit calls to the calling area needed.
    NOTE:
    Voice messaging ports that are outward restricted via COR cannot use 
    AAR/ARS/WCR trunks. Therefore, the FRL level doesn’t matter since FRLs 
    are not checked.
    Station-to-Trunk Restrictions
    Station-to-Trunk Restrictions can be assigned to disallow stations from dialing 
    specific outside trunks. By implementing these restrictions, callers cannot transfer 
    out of voice mail to an outside facility using Trunk Access Codes.
    For G2 and System 85, if TACs are necessary for certain users to allow direct dial 
    access to specific facilities, such as tie trunks, use the Miscellaneous Trunk 
    Restriction feature to deny access to others. For those stations and all 
    trunk-originated calls, always use ARS/AAR/WCR for outside calling.
    NOTE:
    Allowing TAC access to tie trunks on your switch may give the caller access 
    to the Trunk Verification feature on the next switch, or the outgoing trunks 
    through either ARS or TACs.
    Class of Restriction
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, each voice port on the 
    voice mail adjunct is considered an extension to the switch and should be 
    assigned its own unique COR. Up to 64 CORs can be defined in the system. For 
    DEFINITY G3rV1, G3i-Global, and G3V2 and later, this has been increased to 96 
    CORs. The CORs are assigned to stations and trunks to provide or prevent the 
    ability to make specific types of calls, or calls to other specified CORs. For 
    example, a voice mail extension could be assigned to a COR that prohibits any 
    outgoing calls.
    Class of Service
    For DEFINITY G2 and System 85, a voice mail port must be assigned a COS. The 
    following COS options relate to voice mail toll fraud prevention:
    nCall Forward Off-Net: allows a user to call forward outside the switch to 
    non-toll locations.
    nCall Forward Follow Me: allows a user to forward calls outside the switch 
    when other options are set. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-7 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    nMiscellaneous Trunk Restrictions: restricts certain stations from calling 
    certain trunk groups via dial access codes.
    nOutward Restriction: restricts the user from placing calls over the CO, FX, 
    or WATS trunks using dial access codes to trunks. Outward restriction also 
    restricts the user from placing calls via ARS/WCR. Use ARS/WCR with 
    WCR toll restrictions instead.
    nToll Restriction: prevents users from placing toll calls over CO, FX, or 
    WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR 
    toll restrictions instead.
    nWCR Toll Restriction: restricts users from dialing the ARS or WCR Network 
    I Toll Access Code, or from completing a toll call over ARS/WCR.
    nTerminal-to-Terminal Restrictions: restricts the user from placing or 
    receiving any calls except from and to other stations on the switch.
    Toll Analysis
    The Toll Analysis screen allows you to specify the toll calls you want to assign to a 
    restricted call list (for example, 900 numbers) or to an unrestricted call list (for 
    example, an outcalling number to a call pager). Call lists can be specified for 
    CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls.
    Security Measures in the PBX
    Security measures in the PBX are designed to prevent criminals from placing 
    fraudulent calls once they have accessed the voice messaging system. However, 
    these security measures do not restrict criminals from reaching the voice mail 
    system, such as by dialing a DID station that is forwarded to the voice mail 
    system. Incoming calls to the voice mail system may transfer to outgoing facilities 
    if proper security measures are not implemented. Security steps can be 
    implemented in the PBX and in the voice messaging/auto attendant system.
    Limit Voice Mail to Internal Calling
    If outcalling is not activated in the voice mail system, you can restrict voice mail 
    callers from dialing an outside number by making the ports outward restricted.
    For DEFINITY G1, G3, and System 75:
    nUse change cor to display the Class of Restriction screen, then create an 
    outward restricted COR by entering outward in the Calling Party 
    Restriction field.
    nAssign FRL 0.
    nUse change station to assign the outward restricted COR to the voice mail 
    ports.
    nUse COR-to-COR restrictions to block voice mail ports from directly 
    accessing the CORs of outgoing trunks. The trunk CORs should be unique. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-8 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    For DEFINITY G2 and System 85:
    nUse PROC010 WORD3 FIELD19 to assign outward restriction to the voice 
    mail ports’ COS.
    nMake the voice ports Toll Restricted and ARS Toll Restricted, and assign 
    an FRL of 0. Enter no for all Miscellaneous Trunk Restriction Groups 
    (MTRGs).
    Restrict the Outside Calling Area
    When you assign the lowest possible FRL to the voice mail ports, you can limit the 
    trunks that are available to callers. FRLs can be assigned to offer a range of 
    calling regions. Choose the one that provides the most restricted calling range 
    that is required. Table 5-2
     provides suggested FRL values.
     
    NOTE:
    In Table 5-2, FRLs 1 through 7 include the capabilities of the lower FRLs. 
    For example, FRL 3 allows private network trunk calls and local calls in 
    addition to FX and WATS trunk calls. Verify the route pattern FRLs — no 
    pattern should carry an FRL of 0.
    For DEFINITY G1, G3, and System 75:
    nUse change cor for the voice mail ports (versus subscribers) to display the 
    Class of Restriction screen.
    Table 5-2. Suggested Values for FRLs
    FRL Suggested Value
    0No outgoing (off-switch) calls permitted.
    1Allow local calls only; deny 0+ and 1 800 calls.
    2Allow local calls, 0+, and 1 800 calls.
    3Allow local calls plus calls on FX and WATS trunks.
    4Allow calls within the home NPA.
    5Allow calls to certain destinations within the 
    continental USA.
    6Allow calls throughout the continental USA.
    7Allow international calling. Assign attendant console 
    FRL 7. Be aware, however, if Extension Number 
    Portability is used, the originating endpoint is 
    assigned FRL 7. 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual