Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997

4 Small Business Communications Systems

This chapter provides information on protecting the following communications systems:

- MERLIN II Communications System (page 4-6)
- MERLIN LEGEND Communications System (page 4-8)
- MERLIN Plus Communications System (page 4-16)
- PARTNER II Communications System (page 4-18)
- PARTNER Plus Communications System (page 4-18)
- System 25 (page 4-19)

Other chapters detail additional security measures to protect your equipment:

- Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to:
  - “MERLIN II Communications System” on page 5-33
  - “MERLIN LEGEND Communications System” on page 5-36
  - “PARTNER II Communications System” on page 5-48
  - “PARTNER Plus Communications System” on page 5-50
  - “System 25” on page 5-52
- Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system. For product-specific security measures, refer to:
  - “MERLIN II Communications System R3” on page 6-18
  - “MERLIN LEGEND Communications System” on page 6-19
  - “PARTNER II Communications System” on page 6-20
  - “PARTNER Plus Communications System” on page 6-20
  - “System 25” on page 6-21

Features for the MERLIN Systems

The following table indicates MERLIN II and MERLIN LEGEND security features by release number.

Table 4-1. MERLIN II and MERLIN LEGEND Security Features

Release columns, in order: MII R3, ML R1.0/1.1, ML R2.0/2.1, ML R3.0/3.1, ML R4.0/4.1/4.2, ML R5.0

| Features | Release marks | Comments |
|---|---|---|
| Automatic Route Selection (ARS) | x x x x x x | |
| Administration Security | x x x x x | 5-character password on SPM program |
| Allowed List | x x x x x x | 2- to 11-digit code |
| Barrier Code | x x x x x x | MII: one code, four digits. ML R1/R2: 16 codes, four digits each, default is 16 codes. ML R3/R4/R5: 16 codes, digits increased to 4 through 11, default is 7 digits |
| Dial Access to Pools | x x x x x x | Factory setting specifies no users are able to use any pool dial-out codes |
| Direct Inward System Access (NOTE: For MERLIN Legend systems, see “Remote Access.”) | N/A N/A N/A N/A N/A | Users limited to dialing inside users or pool/line codes; ARS cannot be used by DISA callers; feature can be set for inward access only or full access |
| Disallowed List | x x x x x x | Default is List 7 |
| Facility Restriction Levels (FRLs) | x x x x x | Levels 0 through 6; ARS related |
| Forced Entry of Account Codes | x x x x x x | Affects only outgoing calls |
| Night Service | x x x x x | Whenever Night Service is on and Shared Remote Access is administered, calls normally routed to internal stations are provided remote access treatment. |
| Reliable/Un-reliable Disconnect | x x x x x x | “Un-reliable” setting allows the user to dial without system screening if the far end disconnects. |
| Remote Access | x x x x x | Access controlled by restrictions associated with the barrier codes. |
| Remote Access Kill After “N” Attempts | x x x x x x | N=3 |
| Remote Call Forwarding | x x x x x | |
| Restrict Incoming Tie Lines* | x x x x x | MII (*) allows access to stations only on ML; default prohibits access to outgoing facilities via tie lines; access is allowed if the tie line is set for remote access, but access is controlled by an assigned barrier code. |
| Station Message Detail Recording (SMDR) | x x x x x x | For ML R3 w/ Call ID, remote access number is recorded if received. For ML R4.2 and later releases, the optional ML Reporter Talk Time feature is disabled. |
| Station Restrictions | x x x x x x | Outward, toll, and unrestricted |
| Transfer to Subscriber Only | x x x x x | Related to mail system in use |
| Trunk-to-Trunk Transfer | x x x x x | Cannot be deactivated. For ML R3.1 and later releases, trunk-to-trunk transfer can be blocked for an extension. |

MERLIN II Communications System

This section provides information on protecting the MERLIN II Communications System. Additional security measures are required to protect adjunct equipment.

- Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to “MERLIN II Communications System” on page 5-33.
- Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system. See “MERLIN II Communications System R3” on page 6-18.

Protecting Direct Inward System Access (DISA)

The Direct Inward System Access feature allows users to call into the MERLIN II Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the DISA telephone number and password, call into the system, and make long distance calls. The following security measures assist you in managing the DISA feature to help prevent unauthorized use.

Security Tips

- To reduce the system’s vulnerability to toll fraud, outward restrict the port to which the Remote Maintenance Device is connected.
- Evaluate the necessity for DISA. If this feature is not vital to your organization, consider not using it or limiting its use.

To restrict DISA lines, do the following:

- With a BIS-34D Console:
  1. Move the TP switch to P.
  2. Press the conference button twice.
  3. Press the message button.
  4. Dial #325.
  5. Dial 0 for Outward Restriction.
  6. Press the message button again.
- With a MERLIN II Communications System display console:
  1. From the administration menu, press these buttons: Lines, DISA.
  2. If callers must dial a password to make DISA calls, dial a 4-digit password.
  3. Press Enter.
  4. Press NoRestr for no restriction, or InwdOnly for inward restriction.
  5. Press the line buttons until the lights next to them show the appropriate code:
     Green light on = line or line pool can be used for DISA
     Green light off = line or line pool cannot be used for DISA
  6. Press Conference to return to the administration menu or leave administration mode.

If you need the feature, use as many of the security measures presented in this section as you can.

- Program DISA to require the caller to enter a system password before the system will allow the caller access. See “Administration / Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines.
- Use the system’s toll restriction capabilities to restrict the long distance calling ability of DISA users as much as possible, consistent with the needs of your business.
- Block out-of-hours calling by turning off Remote Access features at an intercom 10 administration telephone whenever possible.
- Protect your DISA telephone number and password. Only give them to people who need them, and impress upon these people the need to keep the telephone number and password secret.
- Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls. Review these records and reports for the following symptoms of abuse:
  - Short holding times on one trunk group
  - Calls to international locations not normal for your business
  - Calls to suspicious destinations
  - High numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes
  - Numerous calls to the same number
  - Undefined account codes

MERLIN LEGEND Communications System

This section provides information on protecting the MERLIN LEGEND Communications System. Unauthorized persons concentrate their activities in the following two areas with the MERLIN LEGEND Communications System:

- Transfer out of the MERLIN LEGEND Communications System to gain access to an outgoing trunk and make long distance calls.
- Locate unused or unprotected mailboxes and use them as drop-off points for their own messages.

Additional security measures are required to protect adjunct equipment.

- Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to “MERLIN LEGEND Communications System” on page 5-36.
- Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system. See “MERLIN LEGEND Communications System” on page 6-19.

The MERLIN LEGEND Communications System permits trunk-to-trunk transfers from Voice Mail Integrated (VMI) ports starting with Release 2.1. Starting with Release 3.1, the following are in effect:

- VMI ports are assigned outward restrictions by default.
- Trunk-to-trunk transfer can be allowed or disallowed on a per-station basis, and the default setting for all stations is restricted. Trunk-to-trunk transfer is the transferring of an outside call to another outside number.
Whenever trunk-to-trunk transfer is disabled, users cannot transfer an outside call to an outside line.

  NOTE: The ability to transfer internal calls to outside numbers cannot be blocked for an individual extension. However, Calling Restrictions or Disallowed Lists can be assigned to individual extensions to prevent outward or toll calls. Also, a call transfer to an outside destination is disconnected if the original call is on a trunk that does not have reliable disconnect, or if another user joined the call, and the call is now a conference call (which cannot be transferred).

- Pool dial-out codes are restricted for all extensions by default. No extension or remote access user with a barrier code has access to pools until the restriction is removed by the system manager.

Unlike the MERLIN II Communications System R3, the MERLIN LEGEND Communications System does not allocate touch-tone receivers for incoming calls, and thus will not interpret touch tones from a caller as an attempt to circumvent toll restriction, and will not disconnect the call. This could leave the MERLIN LEGEND Communications System vulnerable to toll fraud if the ports are not outward restricted.

Preventative Measures

- Provide good physical security for the room containing your telecommunications equipment and the room with administrative tools, records, and system programming information. These areas should be locked when not attended.
- Provide a secure trash disposal for all sensitive information, including telephone directories, call accounting records, or anything that may supply information about your communications system. This trash should be shredded.
- Educate employees that hackers may try to trick them into providing them with dial tone or dialing a number for them.
  All reports of trouble, requests for moving extensions, or any other administrative details associated with the MERLIN LEGEND Communications System should be handled by one person (the system manager) or within a specified department. Anyone claiming to be a telephone company representative should be referred to this person or department.
- No one outside of Lucent Technologies needs to use the MERLIN LEGEND Communications System to test facilities (lines/trunks). If a caller identifies himself or herself as a Lucent Technologies employee, the system manager should ask for a telephone number where the caller can be reached. The system manager should be able to recognize the number as a Lucent Technologies telephone number. Before connecting the caller to the administrative port of the MERLIN LEGEND Communications System, the system manager should feel comfortable that a good reason to do so exists. In any event, it is not advisable to give anyone access to network facilities or operators, or to dial a number at the request of the caller.
- Any time a call appears to be suspicious, call the Lucent Technologies BCS Fraud Intervention Center at 1 800 628-2888 (fraud intervention for System 25, PARTNER and MERLIN systems).
- Customers should also take advantage of Lucent Technologies monitoring services and devices, such as the NetPROTECT(SM) family of fraud-detection services, CAS with HackerTracker® and CAT Terminal with Watchdog. Call 1 800 638-7233 to get more information on these Lucent Technologies fraud detection services and products.

Protection Via Star Codes and Allowed/Disallowed Lists

Starting with MERLIN LEGEND Release 3.1, star codes can be added to Allowed and Disallowed Lists to help prevent toll fraud. These codes are usually dialed before an outgoing call, and they allow telephone users to obtain special services provided by the central office (CO). For example, in many areas, a telephone user can dial *67 before a telephone number to disable CO-supplied caller identification at the receiving party’s telephone.

Whenever a user dials a star code, the system checks the Allowed and Disallowed Lists to determine whether the star code is allowed. If the star code is allowed, the star code is passed to the CO, the Calling Restrictions are reset, and the digits following the star code are checked by the Allowed Lists, Disallowed Lists, and Calling Restrictions.

The system recognizes star codes containing two digits ranging from either 00 through 19 or 40 through 99 (for example, *14). It also recognizes star codes containing three digits ranging from 200 through 399 (for example, *234).
Therefore, for example, if a caller dials *67280, the system checks *67 against the Allowed and Disallowed Lists. If this code is allowed, the system then checks 280 against the Allowed and Disallowed Lists. Multiple leading star codes (such as *67*70) are also handled by the system: the dialed number is checked against the Allowed and Disallowed Lists after each star code is detected.
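
The star-code screening described above, modelled in Python as an added example; it is not code from the handbook or from Lucent Technologies. The list entries are constructed, the leading-digits matching rule is an assumption, and Allowed Lists and Calling Restrictions are not modelled.

```python
import re

# Star-code shapes the handbook says the system recognizes:
# two digits 00-19 or 40-99, or three digits 200-399.
STAR_CODE = re.compile(r"\*(?:[01]\d|[4-9]\d|[23]\d\d)")


def split_star_codes(dialed):
    """Return (list of leading star codes, remaining digits)."""
    codes, pos = [], 0
    while True:
        m = STAR_CODE.match(dialed, pos)
        if not m:
            break
        codes.append(m.group())
        pos = m.end()
    return codes, dialed[pos:]


def blocking_entry(item, disallowed):
    """Assumed rule: an entry blocks any item that begins with it."""
    return next((e for e in disallowed if item.startswith(e)), None)


def screen(dialed, disallowed):
    """Check every leading star code, then the digits that follow them."""
    codes, rest = split_star_codes(dialed)
    for item in codes + ([rest] if rest else []):
        entry = blocking_entry(item, disallowed)
        if entry is not None:
            return ("reject", item, entry)
    return ("pass", dialed, None)


if __name__ == "__main__":
    disallowed = ["*67", "900"]  # constructed sample Disallowed List
    for number in ("*67280", "*70280", "*70*14900555", "*234411"):
        print(number, split_star_codes(number), screen(number, disallowed))
```

Because the remaining digits are screened again after each star code, a Disallowed List entry still applies to a number dialed behind one or more allowed star codes.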