Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook Instructions Manual
Lucent Technologies BCS Products Security Handbook Instructions Manual
Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-11 Security Goals Tables 2 Prevent unauthorized outgoing calls (continued)Restrict phones from making outbound callsAttendant- Controlled voice terminals (G2 and System 85 only)Place phones in attendant- controlled group Limit outgoing calls FRLs Restrict tie trunk usage Deny access to AAR/ARS/WCR Authorization codesSet to maximum length Set FRL on COR Limit calling permissionsCOS (G2 and System 85 only)Set COS restrictions COR (G1, G3, and System 75 only)Set FRL Set calling party restrictions or outward restrictions Set COR to COR restrictions Require account code before callsForced entry of account codeSet account code length Administer as required Create time-dependent limits on access to route patternsAlternate FRL (G2 and G3r only)Set lowest value possible Suppress dial tone after ARS/WCR feature access codeSuppress dial tone Turn off ARS/WCR dial tone Screen all AAR/ARS callsWorld Class Routing (G2.2 and G3 only)Administer all capabilities Table 2-1. Security Goals: DEFINITY ECS, DEFINITY Communications Systems, System 75 and System 85 — Continued Security Goal Method Security Tool Steps
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-12 Security Goals Tables 2 1. Methods are listed in decreasing order of importance, relative to security. 2. Basic transfer with Transfer Restriction = Digits allows access to dial tone.Prevent exit from Voice Messaging SystemLimit calling permissionsCOR (G1, G3, and System 75 only)Set low FRL Set calling party restrictions or outward restrictions Set COR to COR restrictions COS (G2 and System 85 only)Set calling party restrictions Restrict outgoing toll callsToll Analysis (G1, G3, and System 75 only)Identify toll areas to be restricted Prevent Transfer to Dial Tone 1 (for AUDIX, DEFINITY AUDIX, and Lucent Technologies I NTUITY Voice Mail Systems only)Station RestrictionsTurn off transfer feature Enhanced Transfer (G1 Issue 5.0, G2, G3, System 75 R1V3 Issue 2.0 and later, and System 85 R2V4 and later)Set Transfer Type= “Enhanced” (only for Lucent Technologies PBX switches) Basic Transfer Set Transfer Restriction= “Subscribers” 2 Prevent exit from Automated Attendant ServiceLimit calling permissionsCOR (G1, G3, and System 75 only)Set low FRL Set calling party restrictions or outward restrictions Set COR to COR restrictions COS (G2 and System 85 only)Set COS restrictions Limit exit to outgoing trunksFRL Set lowest possible value Restrict outgoing toll callsToll Analysis (G1, G3, and System 75 only)Identify toll areas to be restricted Table 2-1. Security Goals: DEFINITY ECS, DEFINITY Communications Systems, System 75 and System 85 — Continued Security Goal Method Security Tool Steps
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-13 Security Goals Tables 2 Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and System 25 Communications Systems Security Goal Method Security Tool Steps Protect Remote Access featureLimit access Barrier codes Set max length Authorization codes (MERLIN LEGEND Communications System R3 only)Set max length Turn off Remote Access when not neededRemote Access administrationDeactivate feature Prevent unauthorized outgoing callsLimit calling permissionsSwitch dial restrictionsSet outward/toll restrictions Set allowed/ disallowed lists Limit access to ARS route patternsFacility Restriction Level (System 25 and MERLIN LEGEND Communications System only)Set lowest possible value Ensure the integrity of assigned call restrictions on loop start facilitiesAutomatic Call Restriction Reset (MERLIN Plus Communications System only)Activate feature Turn off Remote Access when not neededRemote Access Administration (System 25 and MERLIN LEGEND Communications System only)Deactivate feature Deactivate feature (MERLIN Plus Communications System R2 only)Program feature button Remote Access Administration (MERLIN II Communications System only)Deactivate feature from administration
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-14 Security Goals Tables 2 Protect Remote System ProgrammingRequire password to access system programmingSystem Programming password (MERLIN LEGEND Communications System and System 25 only)Set password Protect Remote Call ForwardingSet limit for how long a forwarded call can lastAutomatic Timeout (MERLIN Plus Communications System R2 only)Administer a time limit Turn off remote call forwarding when not neededDeactivate feature (MERLIN Plus Communications System R2 only)Turn off feature from administration Drop outgoing line at end of callGround Start Facilities (MERLIN LEGEND Communications System and System 25 only)Install/administer ground start facilities Prevent exit from Voice Messaging SystemLimit calling permissionsSwitch Dial Restrictions (System 25, MERLIN II, and MERLIN LEGEND Communications Systems only)Set outward/toll restrictions Set allowed/ disallowed lists FRLs (System 25 and MERLIN LEGEND Communications Systems only)Set lowest possible value Restrict transfer to registered subscribers onlyTransfer Restrictions (MERLIN MAIL R3 Voice Messaging System only)Choose the Transfer to Subscribers Only option Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and System 25 Communications Systems — Continued Security Goal Method Security Tool Steps
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-15 Security Goals Tables 2 Prevent unauthorized use of facilitiesLimit access to ARS route patternsFRLs Set lowest possible value Restrict who can use outcallingCOS (MERLIN MAIL, MERLIN MAIL-ML, and MERLIN MAIL R3 Voice Messaging Systems only)Select a COS that does not permit outcalling Prevent theft of information via Voice Messaging SystemAssign secure passwordsPasswords Encourage users to select non-trivial, maximum-length passwords Administer minimum password lengthPasswords (MERLIN MAIL R3 Voice Messaging System only)Administer a minimum password length of at least 6 digits Set number of consecutive unsuccessful login attempts before mailbox is lockedSecurity Violation Notification (MERLIN MAIL R3 Voice Messaging System only)Use the Mailbox Lock or Warning Message option, set to a low threshold Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and System 25 Communications Systems — Continued Security Goal Method Security Tool Steps
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Security Risks Page 2-16 Security Goals Tables 2 1. The risk of toll fraud applies only if the Remote Administration Unit (RAU) is installed with the PARTNER II or PARTNER Plus Communications System. Table 2-3. Security Goals: PARTNER II and PARTNER Plus Communications Systems Security Goal Method Security Tool Steps Protect Remote Access1Do not use unattended modeAttended mode (RAU)None (Attended mode is system default) Prevent exit from Voice Messaging SystemRestrict who can dial outSwitch Dial RestrictionsUse line access restrictions, outgoing call restrictions, allowed lists, and disallowed lists Prevent theft of information via Voice Messaging SystemAssign secure passwordsPasswords (PARTNER Plus Communications System R3.1 and later, and PARTNER II Communications System R3 and later)Encourage users to select non-trivial, maximum-length passwords Administer minimum password lengthPasswords (MERLIN MAIL R3 Voice Messaging System only)Administer a minimum password length of at least 6 digits Restrict who can use outcallingCOS Select a COS that does not permit outcalling Set number of consecutive unsuccessful login attempts before mailbox is lockedSecurity Violation Notification (MERLIN MAIL R3 Voice Messaging System only)Use the Mailbox Lock or Warning Message option, set to a low threshold Prevent unauthorized use of facilitiesRestrict who can dial outSwitch Dial RestrictionsUse line access restrictions, outgoing call restrictions, allowed lists, and disallowed lists; assign to VMS hunt group extensions
Large Business Communications Systems Page 3-1 3 BCS Products Security Handbook 555-025-600 Issue 6 December 1997 3 3Large Business Communications Systems This chapter provides information on protecting the following: nDEFINITY ECS Release 5 and later nDEFINITY Communications Systems nSystem 75 nSystem 85 The first section of this chapter, ‘‘ Keeping Unauthorized Third Parties from Entering the System’’ details the major ways third parties enter the system and tells how to keep them from doing so. The second section, ‘‘ Tools that Restrict Unauthorized Outgoing Calls’’details features within the system that prevent unauthorized egress from the system. The third section, ‘‘ Security Measures’’ tells how to use the tools described in the preceding section. The final section, ‘‘ Detecting Toll Fraud’’ details methods for monitoring the system and determining the effectiveness of the security measures you implemented. Other chapters detail additional security measures to protect your equipment: nChapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to ‘‘ Protecting Voice Messaging Systems’’ on page 5-2. For product-specific security measures, refer to ‘‘ DEFINITY ECS, DEFINITY Communications Systems, System75, and System85’’ on page 5-4. nChapter 6 contains security measures to protect the Automated Attendant feature of your communications system. See ‘‘ DEFINITY ECS, DEFINITY Communications Systems, System75, and System85’’ on page 6-1. nAppendix D provides instructions for administering the features of the DEFINITY G3V3 and later (which includes DEFINITY ECS), specifically designed to provide protection from toll fraud.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-2 Keeping Unauthorized Third Parties from Entering the System 3 Keeping Unauthorized Third Parties from Entering the System How Third Parties Enter the System The major ways in which unauthorized third parties gain entry into the system are as follows: nRemote Access nRemote Maintenance Port nVectors nTransfers from adjunct systems, including voice mail systems, call prompters, and voice response systems. Protecting the Remote Access Feature Remote Access, or Direct Inward System Access (DISA), allows callers to call into the PBX from a remote location (for example, a satellite office or while traveling) and use the system facilities to make calls. When properly secured, the Remote Access feature is both cost-efficient and convenient. However, every security measure has an offsetting level of inconvenience for the user. These inconveniences must be weighed against the possible risk of toll fraud. Security Tips nEvaluate the necessity for Remote Access. If this feature is not vital to your organization, consider deactivating the feature. If you need the feature, use as many of the security measures presented in this chapter as you can. nUse a unpublished telephone number for this feature. Professional hackers scan telephone directories for local numbers and 800 numbers used for Remote Access. Keeping your Remote Access number out of the phone book helps prevent it from getting into the wrong hands. Avoid administering a night service destination to Remote Access on any published number. nKeep an authorized user list and reevaluate it on a need-to-have basis. nIf possible, administer Remote Access (DEFINITY ECS, DEFINITY G1, G3, and System 75) so no dial-tone prompt is supplied for entry of the Authorization Code. No dial tone after a Remote Access call is connected discourages most hackers who listen for dial tone or use modems to detect dial tone. nRestrict the bands or area code sets when you offer Remote Access on an 800 number. If all your authorized users are on the east coast, for example, do not provide trunks that allow calling in from San Francisco.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-3 Keeping Unauthorized Third Parties from Entering the System 3 nRequire maximum length barrier codes and authorization codes. For System 75 R1V1 and R1V2, require the entry of a barrier code. For System 85 and releases of DEFINITY G2.1 and G2.2 prior to 3.0, require either a barrier code or an authorization code. For DEFINITY G2 and System 85, require the entry of 11 digits (4-digit barrier code and 7-digit authorization code). For DEFINITY G1, G2.2 Issue 3.0 and later, DEFINITY G3, DEFINITY ECS, and System 75 R1V3, require the entry of 14 digits (a 7-digit barrier code and a 7-digit authorization code) before users can gain access to the feature. nDo not assign barrier codes or authorization codes in sequential order. Assign random number barrier codes and authorization codes to users so if a hacker deciphers one code, it will not lead to the next code. nSince most toll fraud happens after hours and on week-ends, restrict the hours that Remote Access is available. Disabling/Removing Remote Access For the “n” versions of DEFINITY G1, G2.2 Issue 3.0 and later, DEFINITY G3, DEFINITY ECS, System 85 R2V4n, and System 75 R1V3, as an additional step to ensure system security, the Remote Access feature may be “permanently” disabled if there is no current or anticipated need for it. Permanent removal protects against unauthorized remote access usage even if criminals break into the maintenance port. Once Remote Access is permanently disabled, however, it will require Lucent Technologies maintenance personnel intervention to reactivate the feature. See your Account Representative for information on the North American Dialing Plan, and on the “n” upgrade. See Appendix C for procedures to permanently disable the Remote Access feature. Tools to Protect Remote Access You can help prevent unauthorized users from gaining access to the PBX system by using the following tools. (See Table 3-1.)
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-4 Keeping Unauthorized Third Parties from Entering the System 3 *For ASAI, see the applicable product feature description. Barrier Codes Figure 3-1 illustrates how barrier codes and/or authorization codes can provide added security for Remote Access calls. Refer to this flowchart as necessary throughout the sections on Barrier Codes and Authorization Codes. Table 3-1. Security Tools for Remote Access Security Tool Switch Page # Barrier Code All3-4 Authorization Code DEFINITY ECS, DEFINITY G1, G2, G3, System 85, and System 75 (R1V3)3-7 Feature Access Code AdministrationAll3-8 Trunk Administration All3-8 Remote Access Dial Tone DEFINITY ECS, DEFINITY G1, G2, G3, System 85, and System 75 (R1V3)3-8 Night Service All3-8 Call Vectoring DEFINITY ECS and DEFINITY G33-9 Call Prompting/ASAI* DEFINITY ECS and DEFINITY G2 and G33-9 Barrier Code Aging/Access LimitsDEFINITY G3V3 and later including DEFINITY ECS3-61 Security Violation Notification (SVN)DEFINITY ECS and DEFINITY G33-53 Status Remote Access CommandDEFINITY G3V4 and later including DEFINITY ECS3-10 Logoff Screen Enhancements DEFINITY G3V4 and later including DEFINITY ECS3-10