Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-11 Security Goals Tables 
    2
    Prevent 
    unauthorized 
    outgoing calls 
    (continued)Restrict phones 
    from making 
    outbound callsAttendant-
    Controlled
    voice terminals
    (G2 and System 85 
    only)Place phones in 
    attendant- 
    controlled group
    Limit outgoing calls FRLs Restrict tie trunk 
    usage
    Deny access to 
    AAR/ARS/WCR
    Authorization 
    codesSet to maximum 
    length 
    Set FRL on COR
    Limit calling 
    permissionsCOS (G2 and 
    System 85 only)Set COS 
    restrictions
    COR (G1, G3, and 
    System 75 only)Set FRL
    Set calling party 
    restrictions or 
    outward restrictions
    Set COR to COR 
    restrictions
    Require account 
    code before callsForced entry of 
    account codeSet account code 
    length
    Administer as 
    required
    Create 
    time-dependent 
    limits on access to 
    route patternsAlternate FRL (G2 
    and G3r only)Set lowest value 
    possible
    Suppress dial tone 
    after ARS/WCR 
    feature access 
    codeSuppress dial tone Turn off ARS/WCR 
    dial tone
    Screen all 
    AAR/ARS callsWorld Class 
    Routing (G2.2 and 
    G3 only)Administer all 
    capabilities
    Table 2-1. Security Goals: DEFINITY ECS, DEFINITY Communications 
    Systems, System 75 and System 85 — Continued
    Security Goal Method Security Tool Steps 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-12 Security Goals Tables 
    2
    1. Methods are listed in decreasing order of importance, relative to security.
    2. Basic transfer with Transfer Restriction = Digits allows access to dial tone.Prevent exit from 
    Voice Messaging 
    SystemLimit calling 
    permissionsCOR (G1, G3, and 
    System 75 only)Set low FRL
    Set calling party 
    restrictions or 
    outward restrictions
    Set COR to COR 
    restrictions
    COS (G2 and 
    System 85 only)Set calling party 
    restrictions
    Restrict outgoing 
    toll callsToll Analysis (G1, 
    G3, and System 
    75 only)Identify toll areas to 
    be restricted
    Prevent Transfer 
    to Dial Tone
    1 
    (for AUDIX, 
    DEFINITY AUDIX, 
    and Lucent 
    Technologies 
    I
    NTUITY Voice Mail 
    Systems only)Station
    RestrictionsTurn off transfer 
    feature
    Enhanced 
    Transfer (G1 Issue 
    5.0, G2, G3, 
    System 75 R1V3 
    Issue 2.0 and later, 
    and System 85 
    R2V4 and later)Set Transfer
    Type=
    “Enhanced”
    (only for Lucent 
    Technologies
    PBX switches)
    Basic Transfer Set Transfer
    Restriction=
    “Subscribers”
    2
    Prevent exit from 
    Automated 
    Attendant ServiceLimit calling 
    permissionsCOR (G1, G3, and 
    System 75 only)Set low FRL 
    Set calling party 
    restrictions or 
    outward restrictions
    Set COR to COR 
    restrictions
    COS (G2 and 
    System 85 only)Set COS 
    restrictions
    Limit exit to 
    outgoing trunksFRL Set lowest 
    possible value
    Restrict outgoing 
    toll callsToll Analysis (G1, 
    G3, and System 
    75 only)Identify toll areas to 
    be restricted
    Table 2-1. Security Goals: DEFINITY ECS, DEFINITY Communications 
    Systems, System 75 and System 85 — Continued
    Security Goal Method Security Tool Steps 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-13 Security Goals Tables 
    2
    Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and 
    System 25 Communications Systems
    Security Goal Method Security Tool Steps
    Protect Remote 
    Access featureLimit access Barrier codes Set max length
    Authorization 
    codes (MERLIN 
    LEGEND 
    Communications 
    System R3 only)Set max length
    Turn off Remote 
    Access when not 
    neededRemote Access 
    administrationDeactivate feature
    Prevent 
    unauthorized 
    outgoing callsLimit calling 
    permissionsSwitch dial 
    restrictionsSet outward/toll 
    restrictions
    Set allowed/ 
    disallowed lists 
    Limit access to 
    ARS route patternsFacility Restriction 
    Level (System 25 
    and MERLIN 
    LEGEND 
    Communications 
    System only)Set lowest 
    possible value
    Ensure the 
    integrity of 
    assigned call 
    restrictions on loop 
    start facilitiesAutomatic Call 
    Restriction Reset 
    (MERLIN Plus 
    Communications 
    System only)Activate feature
    Turn off Remote 
    Access when not 
    neededRemote Access 
    Administration 
    (System 25 and 
    MERLIN LEGEND 
    Communications 
    System only)Deactivate feature
    Deactivate feature 
    (MERLIN Plus 
    Communications 
    System R2 only)Program feature 
    button
    Remote Access 
    Administration 
    (MERLIN II 
    Communications 
    System only)Deactivate feature 
    from administration 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-14 Security Goals Tables 
    2
    Protect Remote 
    System 
    ProgrammingRequire password 
    to access system 
    programmingSystem 
    Programming 
    password 
    (MERLIN 
    LEGEND 
    Communications 
    System and 
    System 25 only)Set password
    Protect Remote 
    Call ForwardingSet limit for how 
    long a forwarded 
    call can lastAutomatic Timeout 
    (MERLIN Plus 
    Communications 
    System R2 only)Administer a time 
    limit
    Turn off remote call 
    forwarding when 
    not neededDeactivate feature 
    (MERLIN Plus 
    Communications 
    System R2 only)Turn off feature 
    from administration
    Drop outgoing line 
    at end of callGround Start 
    Facilities (MERLIN 
    LEGEND 
    Communications 
    System and 
    System 25 only)Install/administer 
    ground start 
    facilities
    Prevent exit from 
    Voice Messaging 
    SystemLimit calling 
    permissionsSwitch Dial 
    Restrictions 
    (System 25, 
    MERLIN II, and 
    MERLIN LEGEND 
    Communications 
    Systems only)Set outward/toll 
    restrictions
    Set allowed/ 
    disallowed lists 
    FRLs (System 25 
    and MERLIN 
    LEGEND 
    Communications 
    Systems only)Set lowest 
    possible value
    Restrict transfer to 
    registered 
    subscribers onlyTransfer 
    Restrictions 
    (MERLIN MAIL R3 
    Voice Messaging 
    System only)Choose the 
    Transfer to 
    Subscribers Only 
    option
    Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and 
    System 25 Communications Systems — Continued
    Security Goal Method Security Tool Steps 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-15 Security Goals Tables 
    2
    Prevent 
    unauthorized use 
    of facilitiesLimit access to 
    ARS route patternsFRLs Set lowest 
    possible value
    Restrict who can 
    use outcallingCOS
    (MERLIN MAIL, 
    MERLIN MAIL-ML, 
    and MERLIN MAIL 
    R3 Voice 
    Messaging 
    Systems only)Select a COS that 
    does not permit 
    outcalling
    Prevent theft of 
    information via 
    Voice Messaging 
    SystemAssign secure 
    passwordsPasswords Encourage users to 
    select non-trivial, 
    maximum-length 
    passwords
    Administer 
    minimum 
    password lengthPasswords 
    (MERLIN MAIL R3 
    Voice Messaging 
    System only)Administer a 
    minimum 
    password length of 
    at least 6 digits
    Set number of 
    consecutive 
    unsuccessful login 
    attempts before 
    mailbox is lockedSecurity Violation 
    Notification 
    (MERLIN MAIL R3 
    Voice Messaging 
    System only)Use the Mailbox 
    Lock or Warning 
    Message option, 
    set to a low 
    threshold
    Table 2-2. Security Goals: MERLIN II, MERLIN LEGEND, MERLIN Plus, and 
    System 25 Communications Systems — Continued
    Security Goal Method Security Tool Steps 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Security Risks 
    Page 2-16 Security Goals Tables 
    2
    1. The risk of toll fraud applies only if the Remote Administration Unit (RAU) is installed
    with the PARTNER II or PARTNER Plus Communications System.
    Table 2-3. Security Goals: PARTNER II and PARTNER Plus Communications 
    Systems
    Security Goal Method Security Tool Steps
    Protect Remote 
    Access1Do not use 
    unattended modeAttended mode
    (RAU)None (Attended 
    mode is system 
    default)
    Prevent exit from 
    Voice Messaging 
    SystemRestrict who can 
    dial outSwitch Dial 
    RestrictionsUse line access 
    restrictions, 
    outgoing call 
    restrictions, 
    allowed lists, and 
    disallowed lists
    Prevent theft of 
    information via 
    Voice Messaging 
    SystemAssign secure 
    passwordsPasswords 
    (PARTNER Plus 
    Communications 
    System R3.1 and 
    later, and 
    PARTNER II 
    Communications 
    System R3 and 
    later)Encourage users to 
    select non-trivial, 
    maximum-length 
    passwords
    Administer 
    minimum 
    password lengthPasswords 
    (MERLIN MAIL R3 
    Voice Messaging 
    System only)Administer a 
    minimum 
    password length of 
    at least 6 digits
    Restrict who can 
    use outcallingCOS Select a COS that 
    does not permit 
    outcalling
    Set number of 
    consecutive 
    unsuccessful login 
    attempts before 
    mailbox is lockedSecurity Violation 
    Notification 
    (MERLIN MAIL R3 
    Voice Messaging 
    System only)Use the Mailbox 
    Lock or Warning 
    Message option, 
    set to a low 
    threshold
    Prevent 
    unauthorized use 
    of facilitiesRestrict who can 
    dial outSwitch Dial 
    RestrictionsUse line access 
    restrictions, 
    outgoing call 
    restrictions, 
    allowed lists, and 
    disallowed lists; 
    assign to VMS hunt 
    group extensions 
    						
    							Large Business Communications Systems 
    Page 3-1  
    3
    BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    3
    3Large Business Communications 
    Systems
    This chapter provides information on protecting the following:
    nDEFINITY ECS Release 5 and later
    nDEFINITY Communications Systems
    nSystem 75
    nSystem 85
    The first section of this chapter, ‘‘
    Keeping Unauthorized Third Parties from 
    Entering the System’’ details the major ways third parties enter the system and 
    tells how to keep them from doing so. The second section, ‘‘
    Tools that Restrict 
    Unauthorized Outgoing Calls’’details features within the system that prevent 
    unauthorized egress from the system. The third section, ‘‘
    Security Measures’’ tells 
    how to use the tools described in the preceding section. The final section, 
    ‘‘
    Detecting Toll Fraud’’ details methods for monitoring the system and determining 
    the effectiveness of the security measures you implemented.
    Other chapters detail additional security measures to protect your equipment:
    nChapter 5 contains security measures to protect the attached voice 
    messaging system. For general security measures, refer to ‘‘
    Protecting 
    Voice Messaging Systems’’ on page 5-2. For product-specific security 
    measures, refer to ‘‘
    DEFINITY ECS, DEFINITY Communications Systems, 
    System75, and System85’’ on page 5-4.
    nChapter 6 contains security measures to protect the Automated Attendant 
    feature of your communications system. See ‘‘
    DEFINITY ECS, DEFINITY 
    Communications Systems, System75, and System85’’ on page 6-1.
    nAppendix D provides instructions for administering the features of the 
    DEFINITY G3V3 and later (which includes DEFINITY ECS), specifically 
    designed to provide protection from toll fraud. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-2 Keeping Unauthorized Third Parties from Entering the System 
    3
    Keeping Unauthorized Third Parties
    from Entering the System
    How Third Parties Enter the System
    The major ways in which unauthorized third parties gain entry into the system are 
    as follows:
    nRemote Access
    nRemote Maintenance Port
    nVectors
    nTransfers from adjunct systems, including voice mail systems, call 
    prompters, and voice response systems.
    Protecting the Remote Access Feature
    Remote Access, or Direct Inward System Access (DISA), allows callers to call into 
    the PBX from a remote location (for example, a satellite office or while traveling) 
    and use the system facilities to make calls. When properly secured, the Remote 
    Access feature is both cost-efficient and convenient. However, every security 
    measure has an offsetting level of inconvenience for the user. These 
    inconveniences must be weighed against the possible risk of toll fraud.
    Security Tips
    nEvaluate the necessity for Remote Access. If this feature is not vital to your 
    organization, consider deactivating the feature. If you need the feature, use 
    as many of the security measures presented in this chapter as you can.
    nUse a unpublished telephone number for this feature. Professional hackers 
    scan telephone directories for local numbers and 800 numbers used for 
    Remote Access. Keeping your Remote Access number out of the phone 
    book helps prevent it from getting into the wrong hands. Avoid 
    administering a night service destination to Remote Access on any 
    published number.
    nKeep an authorized user list and reevaluate it on a need-to-have basis.
    nIf possible, administer Remote Access (DEFINITY ECS, DEFINITY G1, 
    G3, and System 75) so no dial-tone prompt is supplied for entry of the 
    Authorization Code. No dial tone after a Remote Access call is connected 
    discourages most hackers who listen for dial tone or use modems to detect 
    dial tone.
    nRestrict the bands or area code sets when you offer Remote Access on an 
    800 number. If all your authorized users are on the east coast, for example, 
    do not provide trunks that allow calling in from San Francisco. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-3 Keeping Unauthorized Third Parties from Entering the System 
    3
    nRequire maximum length barrier codes and authorization codes. For 
    System 75 R1V1 and R1V2, require the entry of a barrier code. For 
    System 85 and releases of DEFINITY G2.1 and G2.2 prior to 3.0, require 
    either a barrier code or an authorization code. For DEFINITY G2 and 
    System 85, require the entry of 11 digits (4-digit barrier code and 7-digit 
    authorization code). For DEFINITY G1, G2.2 Issue 3.0 and later, DEFINITY 
    G3, DEFINITY ECS, and System 75 R1V3, require the entry of 14 digits (a 
    7-digit barrier code and a 7-digit authorization code) before users can gain 
    access to the feature. 
    nDo not assign barrier codes or authorization codes in sequential order. 
    Assign random number barrier codes and authorization codes to users so if 
    a hacker deciphers one code, it will not lead to the next code.
    nSince most toll fraud happens after hours and on week-ends, restrict the 
    hours that Remote Access is available.
    Disabling/Removing Remote Access
    For the “n” versions of DEFINITY G1, G2.2 Issue 3.0 and later, DEFINITY G3, 
    DEFINITY ECS, System 85 R2V4n, and System 75 R1V3, as an additional step 
    to ensure system security, the Remote Access feature may be “permanently” 
    disabled if there is no current or anticipated need for it. Permanent removal 
    protects against unauthorized remote access usage even if criminals break into 
    the maintenance port. Once Remote Access is permanently disabled, however, it 
    will require Lucent Technologies maintenance personnel intervention to reactivate 
    the feature.
    See your Account Representative for information on the North American Dialing 
    Plan, and on the “n” upgrade. See Appendix C for procedures to permanently 
    disable the Remote Access feature.
    Tools to Protect Remote Access
    You can help prevent unauthorized users from gaining access to the PBX system 
    by using the following tools. (See Table 3-1.) 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-4 Keeping Unauthorized Third Parties from Entering the System 
    3
    *For ASAI, see the applicable product feature description.
    Barrier Codes
    Figure 3-1 illustrates how barrier codes and/or authorization codes can provide 
    added security for Remote Access calls. Refer to this flowchart as necessary 
    throughout the sections on Barrier Codes and Authorization Codes.
    Table 3-1. Security Tools for Remote Access
    Security Tool Switch Page #
    Barrier Code All3-4
    Authorization Code DEFINITY ECS, 
    DEFINITY G1, G2, G3, 
    System 85, and 
    System 75 (R1V3)3-7
    Feature Access Code 
    AdministrationAll3-8
    Trunk Administration All3-8
    Remote Access Dial Tone  DEFINITY ECS, 
    DEFINITY G1, G2, G3, 
    System 85, and 
    System 75 (R1V3)3-8
    Night Service All3-8
    Call Vectoring DEFINITY ECS and 
    DEFINITY G33-9
    Call Prompting/ASAI* DEFINITY ECS and 
    DEFINITY G2 and G33-9
    Barrier Code Aging/Access 
    LimitsDEFINITY G3V3 and 
    later including 
    DEFINITY ECS3-61
    Security Violation Notification 
    (SVN)DEFINITY ECS and 
    DEFINITY G33-53
    Status Remote Access 
    CommandDEFINITY G3V4 and 
    later including 
    DEFINITY ECS3-10
    Logoff Screen Enhancements DEFINITY G3V4 and 
    later including 
    DEFINITY ECS3-10 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual