Lucent Technologies BCS Products Security Handbook

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-11 MERLIN LEGEND Communications System 
4
The following table gives examples of how to allow and disallow calls via star 
codes and Disallowed Lists.
Default Disallowed List
By default, Disallowed List #7 contains the following entries, which are frequently 
associated with toll fraud:
n0
n10
n11
n976
n1809
n1700
n1900
n1ppp976 (where each p represents any digit)
n*
This list is automatically assigned to any port that is programmed as a VMI port.
The system manager should assign Disallowed List #7 to any extension that does 
not require access to the numbers in the list. Table 4-2. Allowing and Disallowing Calls via Star Codes and Disallowed 
Lists
Objective Solution
Disallow calls preceded by 
*67, but allow all other calls.Enter *67 as a Disallowed List entry.
Disallow calls preceded by all 
star codes, but allow all other 
calls.Enter * as a Disallowed List entry.
Disallow calls preceded by 
either *67 or *69, but allow all 
other calls.Enter *67 as a Disallowed List entry, and 
enter *69 as a separate Disallowed List 
entry.
Disallow calls preceded by 
*67, calls to 900 numbers, and 
calls to directory assistance 
(411), but allow all other calls.Enter *67, 900, and 411 as separate 
Disallowed List entries. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-12 MERLIN LEGEND Communications System 
4
Assigning a Second Dial Tone Timer
A second dial tone timer can be assigned to lines and trunks to help prevent toll 
fraud.
NOTE:
This timer can be used with star codes, which are discussed earlier in this 
chapter.
If the timer is assigned, and if the user dials a certain set of digits, the CO provides 
a second dial tone to prompt the user to enter more digits. This ensures that digits 
are dialed only when the CO is ready to receive more digits from the caller. 
Therefore, the risk of toll fraud or of the call being routed incorrectly is reduced.
Setting Facility Restriction Levels
Facility Restriction Levels (FRLs) can help prevent toll fraud. Some FRLs are 
already set to a default value before the product is shipped to the customer. Other 
FRLs can be set by the customer.
Security Defaults and Tips
The following list identifies features and components that can be restricted by 
FRLs, identifies the corresponding FRL, and discusses how the FRLs affect these 
features and components.
nVoice Mail Integrated (VMI) Ports
The default FRL for VMI ports is now 0. This restricts all outcalling. (Refer 
to Form 7d, “Group Calling.”)
nDefault Local Route Table
The default FRL for the Default Local Route Table is now 2. No adjustment 
to the route FRL is required. (Refer to Table 18 on Planning Form 3g, “ARS 
Default and Special Numbers Table.”)
nAutomatic Route Selection (ARS)
The customer receives the product with ARS activated and with all 
extensions set to FRL 3. This allows all international calling. To prevent toll 
fraud, set the ARS FRL to the appropriate value in the following list.
— 0 (restriction to inside calls only)
— 2 (restriction to local calls only)
— 3 (restriction to domestic long distance)
NOTE:
This restriction does not include area code 809, which is part 
of the North American Numbering Plan (NANP). 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-13 MERLIN LEGEND Communications System 
4
— 4 (international calling)
NOTE:
In Release 3.1 and later systems, default local and default toll tables 
are factory-assigned an FRL of 2. This simplifies the task of 
restricting extensions; the FRL for an extension merely needs to be 
changed from the default of 3.
Protecting Remote Access
The Remote Access feature allows users to call into the MERLIN LEGEND 
Communications System from a remote location (for example, a satellite office, or 
while traveling) and use the system to make calls. However, unauthorized 
persons might learn the Remote Access telephone number and password, call 
into the system, and make long distance calls.
For MERLIN LEGEND R3.1 and later systems, system passwords, called barrier 
codes, are by default restricted from making outside calls. In MERLIN LEGEND 
releases prior to Release 3.0, if you do not program specific outward calling 
restrictions, the user is able to place any call normally dialed from a telephone 
associated with the system. Such an off-premises network call is originated at, 
and will be billed from, the system location.
The MERLIN LEGEND Communications System has 16 barrier codes for use with 
Remote Access. For systems prior to MERLIN LEGEND R3, barrier codes have a 
5-digit maximum; for R3 systems and later, barrier codes have an 11-digit 
maximum. For greater security, always use the maximum available digits when 
assigning barrier codes.
Beginning with MERLIN LEGEND R3.0, the following rules on barrier codes have 
been included in order to prevent telephone toll fraud:
— The Remote Access default requires a barrier code
— The barrier code is a flexible-length code ranging from 4 to 11 digits 
(with a default of 7) and includes the * character. The length is set 
system-wide.
— The user is given three attempts to enter the correct barrier code
The following security measures assist you in managing the Remote Access 
feature to help prevent unauthorized use.
Security Tips
nEvaluate the necessity for Remote Access. If this feature is not vital to your 
organization, consider not using it or limiting its use. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-14 MERLIN LEGEND Communications System 
4
To turn off Remote Access, do the following:
1. On the System Administration screen, select Lines and Trunks and 
then select Remote Access.
2. Choose Disable Remote Access.
If you need the feature, use as many of the security measures presented in 
this section as you can.
nProgram the Remote Access feature to require the caller to enter a barrier 
code before the system will allow the caller access. Up to 16 different 
barrier codes can be programmed, and different restriction levels can be 
set for each barrier code.
nFor MERLIN LEGEND R3.0, program the Remote Access feature to enter 
an authorization code of up to 11 digits. For greater security, always use 
the maximum available digits when assigning authorization codes.
nIt is strongly recommended that customers invest in security adjuncts, 
which typically use one-time passcode algorithms. These security adjuncts 
discourage hackers. Since a secure use of the Remote Access feature 
generally offers savings over credit card calling, the break-even period can 
make the investment in security adjuncts worthwhile. 
nIf a customer chooses to use the Remote Access feature without a security 
adjunct, multiple barrier codes should be employed, with one per user if the 
system permits. The MERLIN LEGEND system permits a maximum of 16 
barrier codes. The barrier code for each user should not be recorded in a 
place or manner that may be accessible for an unauthorized user. The 
code should also not indicate facts about or traits of the user that are easily 
researched (for example, the user’s birthdate) or discernible (for example, 
the user’s hobbies, interests, political inclinations, etc.).
nUse the system’s toll restriction capabilities, to restrict the long distance 
calling ability of Remote Access users as much as possible, consistent with 
the needs of your business.
nBlock out-of-hours calling by manually turning off Remote Access features 
at an administration telephone whenever appropriate (if Remote Access is 
dedicated on a port).
nProtect your Remote Access telephone number and password. Only give 
them to people who need them, and impress upon those people the need 
to keep the telephone number and password secret.
nMonitor your SMDR records and/or your Call Accounting System reports 
regularly for signs of irregular calls. Review these records and reports for 
the following symptoms of abuse:
— Short holding times on one trunk group
— Patterns of authorization code usage (same code used 
simultaneously or high activity)
— Calls to international locations not normal for your business 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-15 MERLIN LEGEND Communications System 
4
— Calls to suspicious destinations
— High numbers of “ineffective call attempts” indicating attempts at 
entering invalid barrier codes or authorization codes
— Numerous calls to the same number
— Undefined account codes
Protecting Remote System Programming
The Remote System Programming feature allows your system administrator to 
use System Programming and Maintenance (SPM) software to make changes to 
your MERLIN LEGEND Communications System programming from another 
location. The system can be accessed remotely either by dialing into it directly 
using Remote Access or by dialing the system operator and asking to be 
transferred to the system’s built-in modem. The feature also may be used, at your 
request, by Lucent Technologies personnel to do troubleshooting or system 
maintenance.
However, unauthorized persons could disrupt your business by altering your 
system programming. In addition, they could activate features (such as Remote 
Access) that would permit them to make long distance calls, or they could change 
restriction levels to allow long distance calls that would otherwise have been 
blocked.
The following security measures assist you in managing the Remote System 
Programming feature to help prevent unauthorized use.
Security Tips
nThe System Programming capability of the MERLIN LEGEND 
Communications System is protected by a password. Passwords can be 
up to five characters in length and can be alpha or numeric and special 
characters. See ‘‘
Administration / Maintenance Access’’ on page 2-4 and 
‘‘
General Security Measures’’ on page 2-7 for secure password guidelines.
nIf you use Remote Access to do remote system programming on your 
MERLIN LEGEND Communications System, follow all of the security tips 
listed for protecting the Remote Access feature.
— Even if the Remote Access feature is used only for remote system 
programming, it should be protected by a barrier code.
— Do not write the Remote Access telephone number or barrier code 
on the MERLIN LEGEND Communications System, the connecting 
equipment, or anywhere else in the system room.
nTrain all employees, especially your system operator, to transfer only 
authorized callers to the system’s built-in modem for remote programming. 
Hackers have also been known to use “Social Engineering” to gain transfer 
to the built-in modem. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-16 MERLIN Plus Communications System 
4
Protecting Remote Call Forwarding
The Remote Call Forwarding feature allows a customer to forward an incoming 
call to another off-premises number. However, a caller could stay on the line and 
receive another dial tone. At this point, the caller could initiate another toll call.
The following security measures assist you in managing the Remote Call 
Forwarding feature to help prevent unauthorized use:
nProvide the Remote Call Forwarding capability only to those people who 
need it.
nDo not use this feature with loop-start lines. Due to unreliable disconnects 
from the carrier’s central office, this feature may allow dial-tone to be 
re-established and additional calls to be made.
MERLIN Plus Communications 
System
This section provides information on protecting the MERLIN Plus 
Communications System. 
Protecting Remote Line Access (R2 only)
The Remote Line Access feature allows users to call into the MERLIN Plus 
Communications System from a remote location (for example, a satellite office, or 
while traveling) and use the system to make calls. However, unauthorized 
persons might learn the Remote Line Access telephone number and password, 
call into the system, and make long distance calls.
The following security measures assist you in managing the Remote Line Access 
feature to help prevent unauthorized use.
Security Tips
nEvaluate the necessity for Remote Line Access. If this feature is not vital to 
your organization, consider not using it or limiting its use. If you need the 
feature, use as many of the security measures presented in this section as 
you can.
nDisallow all or selected international calls on remote line access ports.
nAdminister trunk pools for Originated Line Screening to avoid 
operator-assisted calls from toll-restricted stations.
nProgram the Remote Line Access feature to require the caller to enter a 
5-digit password before the system will allow the caller access. The 
password is comprised of the user’s extension number (first 2 digits) plus 3 
unique digits. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-17 MERLIN Plus Communications System 
4
nUse the system’s toll restriction capabilities to restrict the long distance 
calling ability of Remote Line Access users as much as possible, 
consistent with the needs of your business.
nBlock out-of-hours calling by turning off DXD and Remote Line Access 
features at an extension 10 telephone whenever possible.
nProtect your Remote Line Access telephone number and password. Only 
give them to people who need them, and impress upon these people the 
need to keep the telephone number and password secret.
nMonitor your SMDR records and/or your Call Accounting System reports 
regularly for signs of irregular calls. Review these records and reports for 
the following symptoms of abuse:
— Patterns of authorization code usage (same code used 
simultaneously or high activity)
— Calls to international locations not normal for your business
— Calls to suspicious destinations
— High numbers of “ineffective call attempts” indicating attempts at 
entering invalid barrier codes or authorization codes
— Numerous calls to the same number 
— Undefined account codes
n Activate “Automatic Call Restriction Reset” (R2 only)
Protecting Remote Call Forwarding (R2 only)
For Release 2, the MERLIN Plus Communications System allows a customer to 
forward an incoming call to another (remotely located) telephone number. 
However, a caller could stay on the line and receive another dial tone. At this 
point, the caller could initiate a toll call without any outward call restrictions at all.
The following security measures assist you in managing the Remote Call 
Forwarding feature to help prevent unauthorized use.
nImplement the “Automatic Timeout” feature of the MERLIN Plus 
Communications System R2 “B” (Remote Call Forwarding feature). 
Contact the Lucent Technologies National Service Assistance Center 
(NSAC) at 800 628-2888 to determine if your system has the Automatic 
Timeout feature as part of the 533B memory module.
nProvide the Remote Call Forwarding capability only to those who need it. 
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-18 PARTNER II Communications System 
4
PARTNER II Communications System
This section provides information on protecting the PARTNER II Communications 
System. 
Additional security measures are required to protect adjunct equipment.
nChapter 5 contains security measures to protect the attached voice 
messaging system. For general security measures, refer to ‘‘
Protecting 
Voice Messaging Systems’’ on page 5-2. For product-specific security 
measures, refer to ‘‘
PARTNER II Communications System’’ on page 5-48.
nChapter 6 contains security measures to protect the Automated Attendant 
feature of your communications system. See ‘‘
PARTNER II 
Communications System’’ on page 6-20.
The PARTNER II Communications System does not permit trunk-to-trunk 
transfers, thus reducing the risk of toll fraud. In addition, it allows individual 
stations to be administered for outward restriction.
An optional Remote Administration Unit provides remote administration for all 
releases of the PARTNER II Communications System. Protect the Remote 
Administration Unit by making sure to assign a password for unattended mode, 
and once remote administration is not necessary, remove it from unattended 
mode. Otherwise, a hacker could change the programming remotely.
PARTNER Plus Communications 
System
This section provides information on protecting the PARTNER Plus 
Communications System. 
Additional security measures are required to protect adjunct equipment.
nChapter 5 contains security measures to protect the attached voice 
messaging system. For general security measures, refer to ‘‘
Protecting 
Voice Messaging Systems’’ on page 5-2. For product-specific security 
measures, refer to ‘‘
PARTNER Plus Communications System’’ on page 
5-50.
nChapter 6 contains security measures to protect the Automated Attendant 
feature of your communications system. See ‘‘
PARTNER Plus 
Communications System’’ on page 6-20.
The PARTNER Plus Communications System does not permit trunk-to-trunk 
transfers, thus reducing the risk of toll fraud. In addition, it allows individual 
stations to be administered for outward restriction.
An optional Remote Administration Unit provides remote administration for all 
releases of the PARTNER Plus Communications System. Protect the Remote  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-19 System 25 
4
Administration Unit by making sure to assign a password for unattended mode, 
and once remote administration is not necessary, remove it from unattended 
mode. Otherwise, a hacker could change the programming remotely.
System 25
This section provides information on protecting the System 25.
Additional security measures are required to protect adjunct equipment.
nChapter 5 contains security measures to protect the attached voice 
messaging system. For general security measures, refer to ‘‘
Protecting 
Voice Messaging Systems’’ on page 5-2. For product-specific security 
measures, refer to page 5-52
.
nChapter 6 contains security measures to protect the Automated Attendant 
feature of your communications system. See ‘‘
PARTNER Plus 
Communications System’’ on page 6-20.
System 25 allows trunk-to-trunk transfer capability, increasing the opportunities 
for toll fraud. However, trunk-to-trunk transfers on loop-start trunks are not allowed 
unless the switch is administered to allow it. A fast busy signal indicates that the 
transfer is not allowed. Do not allow trunk-to-trunk transfers on loop start trunks 
unless there is a business need for it. This may be administered from the system 
administration menu.
For R3V3, international calls (or international calls to selected countries) can be 
disallowed from a toll restricted station, and toll restricted stations can be blocked 
from using Interexchange Carrier Codes (IXCs) to make domestic or international 
direct dialed calls. Also, unless a trunk pool is administered for “Originating Line 
Screening,” toll restricted stations cannot make operator-assisted calls.
To further reduce the system’s vulnerability to toll fraud, outward restrict the 
tip/ring port to which the Remote Maintenance Device is connected.
Protecting Remote Access
The Remote Access feature allows users to call into System 25 from a remote 
location (for example, a satellite office, or while traveling) and use the system to 
make calls. However, unauthorized persons might learn the Remote Access 
telephone number and password (barrier access code), call into the system, and 
make long distance calls.
System 25 allows up to 16 different barrier access codes and one Remote 
Maintenance barrier access code for use with the Remote Access feature. Except 
for R3V3, barrier access codes have a 5-digit maximum. R3V3 allows up to 15 
characters, including the digits 0 to 9, #, and *. Also for R3V3, an alarm is 
generated at the attendant console if an invalid barrier access code is entered.  
						

							BCS Products
Security Handbook  
555-025-600  Issue 6
December 1997
Small Business Communications Systems 
Page 4-20 System 25 
4
For greater security, always use the maximum available digits when assigning 
barrier access codes.
The following security measures assist you in managing the Remote Access 
feature to help prevent unauthorized use.
Security Tips
nEvaluate the necessity for Remote Access. If this feature is not vital to your 
organization, consider not using it or limiting its use. If you need the 
feature, use as many of the security measures presented in this section as 
you can.
nProgram the Remote Access feature to require the caller to enter a 
password (barrier access code) before the system will allow the caller 
access.
nUse the system’s toll restriction capabilities to restrict the long distance 
calling ability of Remote Access users as much as possible, consistent with 
the needs of your business. For example, allow users to make calls only to 
certain area codes, or do not allow international calls.
nProtect your Remote Access telephone number and password (barrier 
access code). Only give them to people who need them, and impress upon 
these people the need to keep the telephone number and password 
(barrier access code) secret.
nMonitor your SMDR records and/or your Call Accounting System reports 
regularly for signs of irregular calls. Review these records and reports for 
the following symptoms of abuse:
— Short holding times on one trunk group
— Calls to international locations not normal for your business
— Calls to suspicious destinations
— High numbers of “ineffective call attempts” indicating attempts at 
entering invalid barrier codes or authorization codes
— Numerous calls to the same number 
— Undefined account codes
Protecting Remote System Administration
The Remote System Administration feature allows your telephone system 
administrator to make changes to your System 25 system programming from 
another location by dialing into the system. The feature also may be used, at your 
request, by Lucent Technologies personnel to do troubleshooting or system 
maintenance.