Home
>
Lucent Technologies
>
Communications System
>
Lucent Technologies BCS Products Security Handbook Instructions Manual
Lucent Technologies BCS Products Security Handbook Instructions Manual
Have a look at the manual Lucent Technologies BCS Products Security Handbook Instructions Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 413 Lucent Technologies manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-15 Tools that Restrict Unauthorized Outgoing Calls 3 nToll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead. nARS/WCR Toll Restriction: restricts users from dialing the ARS or WCR Network I Toll Access Code or from completing a toll call over ARS/WCR. nFRL: establishes the user’s access to AAR/ARS/WCR routes. nCDR Account Code: requires the entry of an account code before an ARS/WCR call is processed or before completing a TAC call to a toll destination. NOTE: Account code entries are not validated. For DEFINITY ECS, DEFINITY G1, G3, and System 75, COS identifies the calling features available to a station, such as auto callback and priority calling. It also provides for the assignment of console permissions; these should be assigned sparingly, and only to terminals that require them. It is especially important that console permissions not be assigned to Remote Access extensions. For DEFINITY G3V2 and later releases, which includes DEFINITY ECS, an additional COS option is available: nCall Forward Off/On-Net: allows a user to call forward outside the switch (Off-Net), or inside AND outside the switch to non-toll locations (Off/On-Net). For DEFINITY G3V4, the list call forward command displays all stations with Call Forwarding On/Off Net Call Forwarding and Busy/Don’t Answer (BY/DA). This display includes the initiating station and destination address. For DEFINITY ECS Release 5, a default is in place that should help limit accessibility to the Call Forwarding Off-Net capability. Specifically, the default value for the “Restrict Call Forwarding Off-Net” field on the COS form is “y” for every COS. Also for DEFINITY ECS Release 5, COS can control the Extended User Administration of Redirected Calls feature. To this purpose, the COS form contains two fields: “Extended Forwarding All” and “Extended Forwarding B/DA”. The default for both fields is “n.” Facility Restriction Level (FRL) FRLs provide up to eight levels of restrictions (0 through 7) for users of AAR/ARS/WCR. FRLs identify where calls can be made and what facilities are used. If the FRL of the originating facility is greater than or equal to the FRL of the route pattern selected, the trunk group is accessible. The lower number FRLs are the most restrictive for stations; FRL 0 can be implemented to provide no outside access.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-16 Tools that Restrict Unauthorized Outgoing Calls 3 NOTE: ARS/WRC route patterns should never be assigned an FRL of 0 (zero). The FRL is used by AAR/ARS/WCR to determine call access to an outgoing trunk group. Outgoing call routing is determined by a comparison of the FRLs in the AAR/ARS/WCR routing pattern with the FRL associated with the originating endpoint. Authorization codes provide users with an FRL value high enough to give them the calling privileges they require. Only users who enter a valid authorization code with the appropriate calling privileges can override the lower FRL to gain access to a long distance destination. NOTE: FRLs are not used if trunk groups have dial access allowed. Alternate Facility Restriction Levels For DEFINITY G2, G3r, and System 85, this tool is used with or without authorization codes to replace originating FRL values (the COS FRL versus the AAR/ARS/WCR pattern preference FRL) with an alternate set of values. This allows FRLs to be set to a lower value outside of normal business hours so more restrictions are placed on after-hours calling. NOTE: A button is assigned to the attendant console to activate alternate FRLs. Toll Analysis (G3 only) For DEFINITY ECS and DEFINITY G3, the Toll Analysis screen allows you to specify the toll calls you want to assign to a restricted call list (that is, disallowed), such as 900 numbers, or to an unrestricted (that is, allowed) call list, such as an out-of-area number to a supplier. Call lists can be specified for CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls. Free Call List For DEFINITY G2 and System 85, you can identify up to ten 3-digit telephone numbers that can be called on otherwise-toll-restricted ports. This list allows toll restricted phones to call emergency numbers, such as 911. This option can only be used with TAC calls, not AAR/ARS calls. NOTE: This feature should be used only when CO trunks are obtained using TACs. The preferred arrangement is always to use ARS/WCR.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-17 Tools that Restrict Unauthorized Outgoing Calls 3 AAR/ARS Analysis ARS routing allows calls to be routed based on the number dialed and the routing plan in effect. The routing is normally to the lowest-cost facility. Different Time of Day plans can be implemented to allow or prohibit calling at certain times. NOTE: Never route public network calls (leading digit = 0 or 1) via AAR analysis; always cross over to ARS. (This happens automatically in G2 and System 85 with ETN.) Some long-distance area codes may start with the same digits as your local exchanges. Be cautious when blocking access to those long-distance area codes, so that access to required local exchanges is not simultaneously blocked. Since COR/COS-to-COR/COS restrictions do not apply to AAR/ARS trunks, use FRLs to limit the calling area [see ‘‘ Facility Restriction Level (FRL)’’ on page 3-15 for further information]. ARS Dial Tone For all switches, the dial tone after the ARS feature access code is optional and can be eliminated to confuse hackers who listen for it. Conversely, however, its elimination may also confuse authorized users who are accustomed to the second dial tone. Station Restrictions If access to trunks via TACs is necessary for certain users to allow direct dial access to specific facilities, use the appropriate restrictions. For DEFINITY G2 and System 85, assign Miscellaneous Trunk Restriction Groups (MTRGs) to all trunk groups that allow dial access, then deny access to the MTRGs on the COS. For DEFINITY ECS, DEFINITY G1, G3, and System 75, if all trunk groups have their own unique COR, then restrict the station CORs from accessing the trunk group CORs. For those stations and all trunk-originated calls, always use ARS/WCR for outside calling. Recall Signaling (Switchhook Flash) Recall signaling allows analog station users to place a call on hold and consult with another party or activate a feature. After consulting with the third party, the user can conference the third party with the original party by another recall signal, or return to the original party by pressing Recall twice or by flashing the switchhook twice. However, hackers have been able to activate recall signaling to gain second dial tone and conference incoming and outgoing paths together. To prevent this,
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-18 Tools that Restrict Unauthorized Outgoing Calls 3 administer switchhook flash to “n” (administered by means of the Add or Change Station screen) for FAX machines and modems. Attendant - Controlled Voice Terminals When telephones are located in easily-accessible locations (such as lobbies) that do not provide protection against abuse, you can assign them to an attendant-controlled voice terminal group. Calls from the group can be connected to an attendant who screens the calls. As part of the night shut down procedure, the attendant can activate outgoing call restrictions on the group. Restrictions — Individual and Group-Controlled (DEFINITY ECS, DEFINITY G1, G3, and System 75) For DEFINITY ECS, DEFINITY G1, G3, and System 75, individual and group-controlled restrictions allow an attendant or voice terminal user with console permission to activate and deactivate the following restrictions for an individual terminal or a group of voice terminals: nOutward — The voice terminals cannot be used for placing calls to the public network. Such call attempts receive intercept tone. nTotal — The voice terminals cannot be used for placing or receiving calls. DID calls are routed to the attendant or a recorded announcement. All other calls receive intercept tone. As an exception, the following call types are allowed: calls to a Remote Access extension, terminating trunk transmission tests, and Emergency Access to Attendant calls. nStation-to-station — The voice terminal cannot receive or place station-to-station calls. Such call attempts receive intercept tone. nTermination — The voice terminal cannot receive any calls. Incoming calls are routed to the attendant, are directed via Call Coverage, or receive intercept treatment. All voice terminals with the same COR are affected by a group restriction. When a call is placed, both the individual and group restrictions are checked. To activate the desired Controlled Restriction, the attendant or voice terminal user with console permission dials the feature access code for either the extension or the group, followed by either 1 for Outward, 2 for Total, 3 for Termination, or 4 for Station-to-Station, and then dials the voice terminal extension number (Attendant Control — Extension) or the COR for a group of voice terminals (Attendant Control — COR). This feature is especially helpful in businesses such as hotels, where you might want to restrict phones in empty conference rooms or in guest rooms after a client has checked out. You might also want to restrict phones in an entire wing of a building at times.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-19 Tools that Restrict Unauthorized Outgoing Calls 3 Central Office Restrictions Some Central Offices offer additional services that screen long distance calls, such as + calls and 10xxx + calls. Contact your local telephone company for details. Restricting Incoming Tie Trunks You can deny access to AAR/ARS/WCR trunks when the caller is on an incoming tie trunk. For all the switches, you can force the caller to enter an authorization code when AAR/ARS/WCR is used. Use the COR of the incoming tie trunk to restrict calls from accessing the network. Set the calling party restriction to outward, set the FRL to 0, and specify n for all other trunk group CORs on the calling permissions screen. Authorization Codes Authorization codes can be used to protect outgoing trunks if an unauthorized caller gains entry into the Remote Access feature. Authorization codes are also used to override originating FRLs to allow access to restricted AAR/ARS/WCR facilities. They can be recorded on SMDR/CAS to check against abuse. Refer to the description of Authorization Codes in ‘‘ Authorization Codes’’ on page 3-7. The list command can be used to display all administered authorization codes. Trunk-to-Trunk Transfer Trunk-to-Trunk Transfer allows a station to connect an incoming trunk to an outgoing trunk and then drop the connection. When this feature is disabled, it prevents stations from transferring an incoming trunk call to an outgoing trunk. Then if the controlling station drops off the call, the call is torn down. NOTE: Hackers use this to convince unsuspecting employees to transfer them to 9# or 900. If trunk-to-trunk transfer is allowed, the station can transfer the incoming trunk call to an outgoing trunk and hang up, leaving the trunks still connected. System 75, System 85, DEFINITY ECS, DEFINITY G1, G2, G3V1, and G3V2 can either allow or disallow trunk-to-trunk transfer. This is for public network trunks only. DS1 and WATS trunks assigned as tielines are not considered public network trunks. DEFINITY G3V3 and later releases, including DEFINITY ECS Release 5 and later, offer three options: nall — All trunks are transferred. 0
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-20 Tools that Restrict Unauthorized Outgoing Calls 3 nrestricted — Public network trunks are not transferred. nnone — No trunks are transferred. NOTE: Starting with DEFINITY ECS Release 5, trunk-to-trunk transfer is automatically restricted via administration. To this end, the “Restriction Override” field in the Class of Restriction form is set to none by default. To disallow this feature, refer to the procedure provided in ‘‘ Disallow Trunk-to-Trunk Transfer’’ on page 3-39. NOTE: When conferencing calls, to prevent inadvertent trunk-to-trunk transfers, always conference together two outgoing calls. When the calling station disconnects, it forces the trunks to disconnect as well. NOTE: When the trunk-to-trunk transfer feature is disabled, the attendant console can continue to pass dial-tone to an inbound trunk caller by pressing . Forced Entry of Account Code To maximize system security, it is recommended that the Forced Entry of Account Code feature be enabled and administered on the system. NOTE: For DEFINITY G2, Call Detail Recording (CDR) is required with this option. See ‘‘ Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)’’ on page 3-48 for more information. Depending on the required length, the account code may replace other data in the CDR report. An entry of an account number (1 to 15 digits) can be required for the originating station COR/COS, toll calls, or WCR network calls. If an account number is not entered when required, the call is denied. Although the account number is not verified, callers must enter the appropriate number of digits set by the system administrator. This adds another level of digit entry that a hacker must crack to gain access to an outside line. World Class Routing (DEFINITY ECS and DEFINITY G2.2 and G3 only) The World Class Routing (WCR) feature replaces and enhances the AAR/ARS feature. Specific digit strings are assigned to either allow or deny calls. The 900 look-alike numbers can be routed for interception. The 800 numbers for ICX carriers can be blocked. This still allows normal 800 numbers to be dialed. Specific international numbers can also be blocked. START 9RELEASE
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-21 Tools that Restrict Unauthorized Outgoing Calls 3 You may also route or calls to a local attendant for handling. In addition, 10xxx + calls can be restricted. Certain laws and regulations may prevent you from blocking these calls, however. Check with your local or long distance carrier for applicable laws and regulations. If possible, use WCR to shut down toll routes during out-of-business hours by using Time-of-Day routing. Digit Conversion Digit conversion allows you to identify numbers, area codes, or countries you do not want called. Whenever the numbers entered correspond to the numbers on the conversion list, the numbers are given a different value, such as , and then forwarded to the new destination, such as the attendant console. nFor DEFINITY G1 and G3i, the conversion can be to “blank” (intercept tone), or to a Route Number Index (RNX) private network number, where Private Network Access (PNA) software is required to route the call through AAR. nFor DEFINITY G2 and System 85, the conversion is to an RNX private network number, and AAR software is required. nFor DEFINITY G1, G2, G3i, and System 85, once the call is sent to AAR software, the RNX can be translated as “local,” and the call can be directed to an internal station or to the attendant console. Station Security Codes (SSCs) Station Security Codes (SSCs) are used with two features: Personal Station Access and Extended User Administration of Redirected Calls. Starting with DEFINITY ECS Release 5, the Security Violations Status report shows the 16 most recent invalid attempts of SSC use. The report is refreshed every 16 seconds, and it shows the date, time, port/extension, FAC, and dialed digits for each invalid attempt. Enter the monitor security-violations station-security-codes command at the prompt to access this report. SSC violations are summarized in the Security Violations Summary report. Enter the list measurements security-violations summary command to access this report. SSC input entry has a pre-administered security capability. For details, refer to the “Person Station Access” section in this chapter. Finally, SSCs should be changed about once every six months. 000 0
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-22 Tools that Restrict Unauthorized Outgoing Calls 3 Personal Station Access (PSA) The Personal Station Access (PSA) feature allows multiple users to work at the same voice terminal location at different times. PSA provides capabilities that are similar to TTI, but for a single station. This feature is available starting with DEFINITY ECS Release 5. Each PSA user must have a Station Security Code (SSC), which includes as many as eight digits. The feature has a pre-administered security feature regarding input entry by the user. Once the user enters his or her extension at the appropriate time, a “no response” feedback is provided whether or not the entered extension is valid. For an invalid extension, the system simply waits, without responding, until it reaches a timeout threshold. As such, an unauthorized user does not know that input entry is the cause of the error. The same security feature is in effect whenever the user enters the SSC at the appropriate time. The dissociate function within PSA allows a user to restrict the features available to a voice terminal. Whenever a terminal is dissociated via PSA, it can be used only to call an attendant, accept a TTI merge request, or accept a PSA associate request. Security Tips PSA/TTI transactions are recorded in the history log, which can be accessed by entering the list history command at the prompt. If there is a concern about unauthorized PSA/TTI usage, refer to the history log for verification. To enable recording PSA/TTI transactions, access the Feature-Related System Parameters form by entering the change system-parameters features command at the prompt. Then ensure that the “Record PSA/TTI Transactions in History Log” field is set to y. (Sometimes this flag is set to n if PSA/TTI entries tend to flood the history log, therefore making it difficult to find other entries.) The default for the field is y. A COS for the user’s extension must be administered to have access to PSA. However, be sure to limit PSA COS assignments to stations that need to access PSA. Once a PSA station is associated with a terminal, anyone using that terminal has all the privileges and capabilities of that station. Therefore, use of the dissociate Facility Access Code (FAC) is recommended whenever the terminal is not in use. If PSA and DCP extenders are used to permit remote DCP access, the security provided may not be adequate. A user connecting via DCP extenders must provide a password. However, once the user is connected, the remote DCP station has the capabilities and permissions of whatever station is associated or merged with the local DCP extender port unless the station has been dissociated
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-23 Tools that Restrict Unauthorized Outgoing Calls 3 or separated. Therefore, PSA users should dissociate before they disconnect from a DCP extender. PSA security violations are recorded by SVN software, if enabled. Refer to the SVN feature description and to the DEFINITY ECS Release 5 Feature Description and to DEFINITY ECS Release 5 Implementation for security report information. Extended User Administration of Redirected Calls This feature allows station users to select one of two previously administered call coverage paths assigned to them (for example, a work location coverage path or a remote work location coverage path) from any on-site extension or from a remote location (for example, home). Also provided is the ability to activate, change, or deactivate Call Forward Add or Call Forward Busy/Don’t Answer from any on-site extension or from a remote location. For security purposes, each user of this feature is administered a SSC. Users must enter an SSC to use this feature. In addition, the COS and COR for the user’s extension must be administered to have access to this feature. Any attempt by an invalid extension or invalid SSC to use the feature is recorded as a security violation. For remote users, an additional security precaution for feature access is provided via the Telecommuting Access Extension. This extension provides access only to this feature; access to any other system features or functions via this extension is denied. Access to the extended forwarding capability provided by this feature is controlled by the “Extended Forwarding All” and “Extended Forwarding B/DA” fields in the COS form. To access the form, enter the change cos command. Remote User Administration of Call Coverage NOTE: This feature requires one SSC for every user or extension. SSCs should be changed about once every six months. The system allows calls that are forwarded off of the network (that is, off-net) to be tracked for busy or no-answer conditions and to be brought back for further call coverage processing in such cases. However, ensure that the principal has a coverage path; otherwise, the system will not track the call, and the call will be left at the off-net destination regardless of whether it is answered or busy. If the principal has Send All Calls (SAC) activated, the system will not attempt Call Forwarding Off-Net, except for priority calls. Likewise, except for priority calls, the system will not attempt Call Forwarding Off-Net for coverage paths that specify Cover All.
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-24 Security Measures 3 Invalid attempts to change the coverage path or the call forwarding destination are recorded by the SVN. To identify unauthorized activation of the Call Forwarding features, use the list call-forwarding command. The command output includes stations that have Call Forwarding All Calls and Call Forwarding Busy/Don’t Answer active. Also displayed are the number and name of the extensions that have the feature active as well as the “forwarded-to” destination. Security Measures The following procedures explain how to use security tools to create restrictions that help prevent unauthorized access to your PBX system’s facilities. Require Passwords For DEFINITY ECS, DEFINITY G1, G3, and System 75, passwords may be up to 7 alphanumeric characters (11 for G3V3 and later). For System 85 and DEFINITY G2, the security code may be up to 6 digits. Change passwords for system logins frequently according to the guidelines listed below. nFor DEFINITY G1 and System 75, routinely change logins for Network Management Systems (NMS), “cust,” “rcust,” “browse,” and “bcms.” nDisable any unused login. Except for System 75 R1V1, to disable a login, type VOID in the Password field. (Note that VOID must be typed in uppercase.) NOTE: “NMS,” browse,” and “bcms” are not available in System 75 R1V1; “NMS” is not available in System 75 R1V2; “bcms” is not available in System 75. NOTE: Do not use VOID to disable logins in System 75 R1V1; it will not work. In this release, if the password has been set to VOID, typing VOID when prompted for the password will result in a successful login. It is not possible to disable logins for this release. Instead, you can change all permissions on logins, change the password, select carefully constructed passwords, change passwords frequently, and purchase the Remote Port Security Device (RPSD) hardware for added security.