Home > Lucent Technologies > Communications System > Lucent Technologies BCS Products Security Handbook Instructions Manual

Lucent Technologies BCS Products Security Handbook Instructions Manual

    Download as PDF Print this page Share this page

    Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-15 Tools that Restrict Unauthorized Outgoing Calls 
    3
    nToll Restriction: prevents users from placing toll calls over CO, FX, or 
    WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR 
    toll restrictions instead.
    nARS/WCR Toll Restriction: restricts users from dialing the ARS or WCR 
    Network I Toll Access Code or from completing a toll call over ARS/WCR.
    nFRL: establishes the user’s access to AAR/ARS/WCR routes.
    nCDR Account Code: requires the entry of an account code before an 
    ARS/WCR call is processed or before completing a TAC call to a toll 
    destination. 
    NOTE:
    Account code entries are not validated.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, COS identifies the calling 
    features available to a station, such as auto callback and priority calling. It also 
    provides for the assignment of console permissions; these should be assigned 
    sparingly, and only to terminals that require them. It is especially important that 
    console permissions 
    not be assigned to Remote Access extensions.
    For DEFINITY G3V2 and later releases, which includes DEFINITY ECS, an 
    additional COS option is available:
    nCall Forward Off/On-Net: allows a user to call forward outside the switch 
    (Off-Net), or inside AND outside the switch to non-toll locations 
    (Off/On-Net).
    For DEFINITY G3V4, the list call forward command displays all stations with Call 
    Forwarding On/Off Net Call Forwarding and Busy/Don’t Answer (BY/DA). This 
    display includes the initiating station and destination address.
    For DEFINITY ECS Release 5, a default is in place that should help limit 
    accessibility to the Call Forwarding Off-Net capability. Specifically, the default 
    value for the “Restrict Call Forwarding Off-Net” field on the COS form is “y” for 
    every COS. 
    Also for DEFINITY ECS Release 5, COS can control the Extended User 
    Administration of Redirected Calls feature. To this purpose, the COS form 
    contains two fields: “Extended Forwarding All” and “Extended Forwarding B/DA”. 
    The default for both fields is “n.”
    Facility Restriction Level (FRL)
    FRLs provide up to eight levels of restrictions (0 through 7) for users of 
    AAR/ARS/WCR. FRLs identify where calls can be made and what facilities are 
    used. If the FRL of the originating facility is greater than or equal to the FRL of the 
    route pattern selected, the trunk group is accessible. The lower number FRLs are 
    the most restrictive for stations; FRL 0 can be implemented to provide no outside 
    access. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-16 Tools that Restrict Unauthorized Outgoing Calls 
    3
    NOTE:
    ARS/WRC route patterns should never be assigned an FRL of 0 (zero).
    The FRL is used by AAR/ARS/WCR to determine call access to an outgoing trunk 
    group. Outgoing call routing is determined by a comparison of the FRLs in the 
    AAR/ARS/WCR routing pattern with the FRL associated with the originating 
    endpoint.
    Authorization codes provide users with an FRL value high enough to give them 
    the calling privileges they require. Only users who enter a valid authorization code 
    with the appropriate calling privileges can override the lower FRL to gain access 
    to a long distance destination.
    NOTE:
    FRLs are not used if trunk groups have dial access allowed.
    Alternate Facility Restriction Levels
    For DEFINITY G2, G3r, and System 85, this tool is used with or without 
    authorization codes to replace originating FRL values (the COS FRL versus the 
    AAR/ARS/WCR pattern preference FRL) with an alternate set of values. This 
    allows FRLs to be set to a lower value outside of normal business hours so more 
    restrictions are placed on after-hours calling.
    NOTE:
    A button is assigned to the attendant console to activate alternate FRLs.
    Toll Analysis (G3 only)
    For DEFINITY ECS and DEFINITY G3, the Toll Analysis screen allows you to 
    specify the toll calls you want to assign to a restricted call list (that is, disallowed), 
    such as 900 numbers, or to an unrestricted (that is, allowed) call list, such as an 
    out-of-area number to a supplier. Call lists can be specified for CO/FX/WATS, 
    TAC, and ARS calls, but not for tie TAC or AAR calls.
    Free Call List
    For DEFINITY G2 and System 85, you can identify up to ten 3-digit telephone 
    numbers that can be called on otherwise-toll-restricted ports. This list allows toll 
    restricted phones to call emergency numbers, such as 911. This option can only 
    be used with TAC calls, not AAR/ARS calls.
    NOTE:
    This feature should be used only when CO trunks are obtained using TACs. 
    The preferred arrangement is always to use ARS/WCR. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-17 Tools that Restrict Unauthorized Outgoing Calls 
    3
    AAR/ARS Analysis
    ARS routing allows calls to be routed based on the number dialed and the routing 
    plan in effect. The routing is normally to the lowest-cost facility. Different Time of 
    Day plans can be implemented to allow or prohibit calling at certain times.
    NOTE:
    Never route public network calls (leading digit = 0 or 1) via AAR analysis; 
    always cross over to ARS. (This happens automatically in G2 and 
    System 85 with ETN.)
    Some long-distance area codes may start with the same digits as your local 
    exchanges. Be cautious when blocking access to those long-distance area codes, 
    so that access to required local exchanges is not simultaneously blocked. Since 
    COR/COS-to-COR/COS restrictions do not apply to AAR/ARS trunks, use FRLs 
    to limit the calling area [see ‘‘
    Facility Restriction Level (FRL)’’ on page 3-15 for 
    further information].
    ARS Dial Tone
    For all switches, the dial tone after the ARS feature access code is optional and 
    can be eliminated to confuse hackers who listen for it. Conversely, however, its 
    elimination may also confuse authorized users who are accustomed to the second 
    dial tone.
    Station Restrictions
    If access to trunks via TACs is necessary for certain users to allow direct dial 
    access to specific facilities, use the appropriate restrictions. For DEFINITY G2 
    and System 85, assign Miscellaneous Trunk Restriction Groups (MTRGs) to all 
    trunk groups that allow dial access, then deny access to the MTRGs on the COS. 
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, if all trunk groups have 
    their own unique COR, then restrict the station CORs from accessing the trunk 
    group CORs. For those stations and all trunk-originated calls, always use 
    ARS/WCR for outside calling.
    Recall Signaling (Switchhook Flash)
    Recall signaling allows analog station users to place a call on hold and consult 
    with another party or activate a feature. After consulting with the third party, the 
    user can conference the third party with the original party by another recall signal, 
    or return to the original party by pressing Recall twice or by flashing the 
    switchhook twice.
    However, hackers have been able to activate recall signaling to gain second dial 
    tone and conference incoming and outgoing paths together. To prevent this,  
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-18 Tools that Restrict Unauthorized Outgoing Calls 
    3
    administer switchhook flash to “n” (administered by means of the Add or Change 
    Station screen) for FAX machines and modems.
    Attendant - Controlled Voice Terminals 
    When telephones are located in easily-accessible locations (such as lobbies) that 
    do not provide protection against abuse, you can assign them to an 
    attendant-controlled voice terminal group. Calls from the group can be connected 
    to an attendant who screens the calls. As part of the night shut down procedure, 
    the attendant can activate outgoing call restrictions on the group.
    Restrictions — Individual and Group-Controlled
    (DEFINITY ECS, DEFINITY G1, G3, and
    System 75)
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, individual and 
    group-controlled restrictions allow an attendant or voice terminal user with 
    console permission to activate and deactivate the following restrictions for an 
    individual terminal or a group of voice terminals:
    nOutward — The voice terminals cannot be used for placing calls to the 
    public network. Such call attempts receive intercept tone.
    nTotal — The voice terminals cannot be used for placing or receiving calls. 
    DID calls are routed to the attendant or a recorded announcement. All 
    other calls receive intercept tone. As an exception, the following call types 
    are allowed: calls to a Remote Access extension, terminating trunk 
    transmission tests, and Emergency Access to Attendant calls.
    nStation-to-station — The voice terminal cannot receive or place 
    station-to-station calls. Such call attempts receive intercept tone.
    nTermination — The voice terminal cannot receive any calls. Incoming calls 
    are routed to the attendant, are directed via Call Coverage, or receive 
    intercept treatment.
    All voice terminals with the same COR are affected by a group restriction. When a 
    call is placed, both the individual and group restrictions are checked.
    To activate the desired Controlled Restriction, the attendant or voice terminal user 
    with console permission dials the feature access code for either the extension or 
    the group, followed by either 1 for Outward, 2 for Total, 3 for Termination, or 4 for 
    Station-to-Station, and then dials the voice terminal extension number (Attendant 
    Control — Extension) or the COR for a group of voice terminals (Attendant 
    Control — COR).
    This feature is especially helpful in businesses such as hotels, where you might 
    want to restrict phones in empty conference rooms or in guest rooms after a client 
    has checked out. You might also want to restrict phones in an entire wing of a 
    building at times. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-19 Tools that Restrict Unauthorized Outgoing Calls 
    3
    Central Office Restrictions
    Some Central Offices offer additional services that screen long distance calls, 
    such as  + calls and 10xxx + calls. Contact your local telephone company for 
    details.
    Restricting Incoming Tie Trunks
    You can deny access to AAR/ARS/WCR trunks when the caller is on an incoming 
    tie trunk. For all the switches, you can force the caller to enter an authorization 
    code when AAR/ARS/WCR is used.
    Use the COR of the incoming tie trunk to restrict calls from accessing the network. 
    Set the calling party restriction to outward, set the FRL to 0, and specify n for all 
    other trunk group CORs on the calling permissions screen.
    Authorization Codes
    Authorization codes can be used to protect outgoing trunks if an unauthorized 
    caller gains entry into the Remote Access feature. Authorization codes are also 
    used to override originating FRLs to allow access to restricted AAR/ARS/WCR 
    facilities. They can be recorded on SMDR/CAS to check against abuse. Refer to 
    the description of Authorization Codes in ‘‘
    Authorization Codes’’ on page 3-7.
    The list command can be used to display all administered authorization codes.
    Trunk-to-Trunk Transfer
    Trunk-to-Trunk Transfer allows a station to connect an incoming trunk to an 
    outgoing trunk and then drop the connection. When this feature is disabled, it 
    prevents stations from transferring an incoming trunk call to an outgoing trunk. 
    Then if the controlling station drops off the call, the call is torn down.
    NOTE:
    Hackers use this to convince unsuspecting employees to transfer them to 9# 
    or 900. If trunk-to-trunk transfer is allowed, the station can transfer the 
    incoming trunk call to an outgoing trunk and hang up, leaving the trunks still 
    connected.
    System 75, System 85, DEFINITY ECS, DEFINITY G1, G2, G3V1, and G3V2 can 
    either allow or disallow trunk-to-trunk transfer. This is for public network trunks 
    only. DS1 and WATS trunks assigned as tielines are not considered public 
    network trunks.
    DEFINITY G3V3 and later releases, including DEFINITY ECS Release 5 and 
    later, offer three options:
    nall — All trunks are transferred.
    0 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-20 Tools that Restrict Unauthorized Outgoing Calls 
    3
    nrestricted — Public network trunks are not transferred.
    nnone — No trunks are transferred.
    NOTE:
    Starting with DEFINITY ECS Release 5, trunk-to-trunk transfer is 
    automatically restricted via administration. To this end, the “Restriction 
    Override” field in the Class of Restriction form is set to none by default.
    To disallow this feature, refer to the procedure provided in ‘‘
    Disallow 
    Trunk-to-Trunk Transfer’’ on page 3-39.
    NOTE:
    When conferencing calls, to prevent inadvertent trunk-to-trunk transfers, 
    always conference together two outgoing calls. When the calling station 
    disconnects, it forces the trunks to disconnect as well.
    NOTE:
    When the trunk-to-trunk transfer feature is disabled, the attendant console 
    can continue to pass dial-tone to an inbound trunk caller by pressing  
     .
    Forced Entry of Account Code
    To maximize system security, it is recommended that the Forced Entry of Account 
    Code feature be enabled and administered on the system.
    NOTE:
    For DEFINITY G2, Call Detail Recording (CDR) is required with this option. 
    See ‘‘
    Call Detail Recording (CDR) / Station Message Detail Recording 
    (SMDR)’’ on page 3-48 for more information. Depending on the required 
    length, the account code may replace other data in the CDR report.
    An entry of an account number (1 to 15 digits) can be required for the originating 
    station COR/COS, toll calls, or WCR network calls. If an account number is not 
    entered when required, the call is denied. Although the account number is not 
    verified, callers must enter the appropriate number of digits set by the system 
    administrator. This adds another level of digit entry that a hacker must crack to 
    gain access to an outside line.
    World Class Routing (DEFINITY ECS and
    DEFINITY G2.2 and G3 only)
    The World Class Routing (WCR) feature replaces and enhances the AAR/ARS 
    feature. Specific digit strings are assigned to either allow or deny calls. The 900 
    look-alike numbers can be routed for interception. The 800 numbers for ICX 
    carriers can be blocked. This still allows normal 800 numbers to be dialed. 
    Specific international numbers can also be blocked.
    START
    9RELEASE 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-21 Tools that Restrict Unauthorized Outgoing Calls 
    3
    You may also route  or   calls to a local attendant for handling. In addition, 
    10xxx + calls can be restricted. Certain laws and regulations may prevent you 
    from blocking these calls, however. Check with your local or long distance carrier 
    for applicable laws and regulations.
    If possible, use WCR to shut down toll routes during out-of-business hours by 
    using Time-of-Day routing.
    Digit Conversion
    Digit conversion allows you to identify numbers, area codes, or countries you do 
    not want called. Whenever the numbers entered correspond to the numbers on 
    the conversion list, the numbers are given a different value, such as  , and then 
    forwarded to the new destination, such as the attendant console.
    nFor DEFINITY G1 and G3i, the conversion can be to “blank” (intercept 
    tone), or to a Route Number Index (RNX) private network number, where 
    Private Network Access (PNA) software is required to route the call 
    through AAR.
    nFor DEFINITY G2 and System 85, the conversion is to an RNX private 
    network number, and AAR software is required.
    nFor DEFINITY G1, G2, G3i, and System 85, once the call is sent to AAR 
    software, the RNX can be translated as “local,” and the call can be directed 
    to an internal station or to the attendant console.
    Station Security Codes (SSCs)
    Station Security Codes (SSCs) are used with two features: Personal Station 
    Access and Extended User Administration of Redirected Calls. Starting with 
    DEFINITY ECS Release 5, the Security Violations Status report shows the 16 
    most recent invalid attempts of SSC use. The report is refreshed every 16 
    seconds, and it shows the date, time, port/extension, FAC, and dialed digits for 
    each invalid attempt. Enter the monitor security-violations 
    station-security-codes command at the prompt to access this report.
    SSC violations are summarized in the Security Violations Summary report. Enter 
    the list measurements security-violations summary command to access this 
    report.
    SSC input entry has a pre-administered security capability. For details, refer to the 
    “Person Station Access” section in this chapter.
    Finally, SSCs should be changed about once every six months.
    000
    0 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-22 Tools that Restrict Unauthorized Outgoing Calls 
    3
    Personal Station Access (PSA)
    The Personal Station Access (PSA) feature allows multiple users to work at the 
    same voice terminal location at different times. PSA provides capabilities that are 
    similar to TTI, but for a single station. This feature is available starting with 
    DEFINITY ECS Release 5.
    Each PSA user must have a Station Security Code (SSC), which includes as 
    many as eight digits.
    The feature has a pre-administered security feature regarding input entry by the 
    user. Once the user enters his or her extension at the appropriate time, a “no 
    response” feedback is provided whether or not the entered extension is valid. For 
    an invalid extension, the system simply waits, without responding, until it reaches 
    a timeout threshold. As such, an unauthorized user does not know that input entry 
    is the cause of the error. The same security feature is in effect whenever the user 
    enters the SSC at the appropriate time.
    The dissociate function within PSA allows a user to restrict the features available 
    to a voice terminal. Whenever a terminal is dissociated via PSA, it can be used 
    only to call an attendant, accept a TTI merge request, or accept a PSA associate 
    request.
    Security Tips
    PSA/TTI transactions are recorded in the history log, which can be accessed by 
    entering the list history command at the prompt. If there is a concern about 
    unauthorized PSA/TTI usage, refer to the history log for verification. To enable 
    recording PSA/TTI transactions, access the Feature-Related System Parameters 
    form by entering the change system-parameters features command at the 
    prompt. Then ensure that the “Record PSA/TTI Transactions in History Log” field 
    is set to y. (Sometimes this flag is set to n if PSA/TTI entries tend to flood the 
    history log, therefore making it difficult to find other entries.) The default for the 
    field is y.
    A COS for the user’s extension must be administered to have access to PSA. 
    However, be sure to limit PSA COS assignments to stations that need to access 
    PSA.
    Once a PSA station is associated with a terminal, anyone using that terminal has 
    all the privileges and capabilities of that station. Therefore, use of the dissociate 
    Facility Access Code (FAC) is recommended whenever the terminal is not in use.
    If PSA and DCP extenders are used to permit remote DCP access, the security 
    provided may not be adequate. A user connecting via DCP extenders must 
    provide a password. However, once the user is connected, the remote DCP 
    station has the capabilities and permissions of whatever station is associated or 
    merged with the local DCP extender port unless the station has been dissociated  
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-23 Tools that Restrict Unauthorized Outgoing Calls 
    3
    or separated. Therefore, PSA users should dissociate before they disconnect 
    from a DCP extender.
    PSA security violations are recorded by SVN software, if enabled. Refer to the 
    SVN feature description and to the 
    DEFINITY ECS Release 5 Feature Description 
    and to 
    DEFINITY ECS Release 5 Implementation for security report information.
    Extended User Administration of Redirected 
    Calls
    This feature allows station users to select one of two previously administered call 
    coverage paths assigned to them (for example, a work location coverage path or 
    a remote work location coverage path) from any on-site extension or from a 
    remote location (for example, home). Also provided is the ability to activate, 
    change, or deactivate Call Forward Add or Call Forward Busy/Don’t Answer from 
    any on-site extension or from a remote location.
    For security purposes, each user of this feature is administered a SSC. Users 
    must enter an SSC to use this feature. In addition, the COS and COR for the 
    user’s extension must be administered to have access to this feature. Any attempt 
    by an invalid extension or invalid SSC to use the feature is recorded as a security 
    violation.
    For remote users, an additional security precaution for feature access is provided 
    via the Telecommuting Access Extension. This extension provides access only to 
    this feature; access to any other system features or functions via this extension is 
    denied.
    Access to the extended forwarding capability provided by this feature is controlled 
    by the “Extended Forwarding All” and “Extended Forwarding B/DA” fields in the 
    COS form. To access the form, enter the change cos command.
    Remote User Administration of Call Coverage
    NOTE:
    This feature requires one SSC for every user or extension. SSCs should be 
    changed about once every six months.
    The system allows calls that are forwarded off of the network (that is, off-net) to be 
    tracked for busy or no-answer conditions and to be brought back for further call 
    coverage processing in such cases. However, ensure that the principal has a 
    coverage path; otherwise, the system will not track the call, and the call will be left 
    at the off-net destination regardless of whether it is answered or busy.
    If the principal has Send All Calls (SAC) activated, the system will not attempt Call 
    Forwarding Off-Net, except for priority calls. Likewise, except for priority calls, the 
    system will not attempt Call Forwarding Off-Net for coverage paths that specify 
    Cover All. 
    						
    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-24 Security Measures 
    3
    Invalid attempts to change the coverage path or the call forwarding destination are 
    recorded by the SVN.
    To identify unauthorized activation of the Call Forwarding features, use the
    list call-forwarding command. The command output includes stations that have 
    Call Forwarding All Calls and Call Forwarding Busy/Don’t Answer active. Also 
    displayed are the number and name of the extensions that have the feature active 
    as well as the “forwarded-to” destination.
    Security Measures
    The following procedures explain how to use security tools to create restrictions 
    that help prevent unauthorized access to your PBX system’s facilities.
    Require Passwords
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, passwords may be up to 
    7 alphanumeric characters (11 for G3V3 and later). For System 85 and DEFINITY 
    G2, the security code may be up to 6 digits.
    Change passwords for system logins frequently according to the guidelines listed 
    below.
    nFor DEFINITY G1 and System 75, routinely change logins for Network 
    Management Systems (NMS), “cust,” “rcust,” “browse,” and “bcms.”
    nDisable any unused login. Except for System 75 R1V1, to disable a login, 
    type VOID in the Password field. (Note that VOID must be typed in 
    uppercase.)
    NOTE:
    “NMS,” browse,” and “bcms” are not available in System 75 
    R1V1; “NMS” is not available in System 75 R1V2; “bcms” is not 
    available in System 75.
    NOTE:
    Do not use VOID to disable logins in System 75 R1V1; it will not 
    work. In this release, if the password has been set to VOID, typing 
    VOID when prompted for the password will result in a successful 
    login. It is not possible to disable logins for this release. Instead, you 
    can change all permissions on logins, change the password, select 
    carefully constructed passwords, change passwords frequently, and 
    purchase the Remote Port Security Device (RPSD) hardware for 
    added security. 
    						
    All Lucent Technologies manuals Comments (0)

    Related Manuals for Lucent Technologies BCS Products Security Handbook Instructions Manual