Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-9 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 5

- Enter the FRL number (0 through 7) in the FRL field. Assign the lowest FRL that will meet the outcalling requirements, if the outcalling feature is being utilized. The route patterns for restricted calling areas should have a higher FRL assigned to the trunk groups.
- Use change route-pattern to display the Route Pattern screen.
- Use a separate partition group for ARS on the ports used for outcalling, and limit the numbers that can be called.

NOTE: For DEFINITY ECS and DEFINITY G3, the Restricted Call List on the Toll Analysis Table can also be used to restrict calls to specified areas.

For DEFINITY G2 and System 85:

- Use PROC010 WORD3 FIELD23 to assign FRLs for use with AAR/ARS/WCR trunks. Assign higher FRLs to restricted patterns in PROC309 than the FRL in the COS for the voice mail ports.
- For DEFINITY G2.2, do not use PROC314 to mark disallowed destinations with a higher FRL value. PROC314 WORD1 assigns a Virtual Nodepoint Identifier (VNI) to the restricted dial string. PROC317 WORD2 maps the VNI to the pattern, and PROC317 WORD2 shows the pattern preference, with the FRL in field 4. For earlier releases, use PROC313 to enter disallowed destinations in the Unauthorized Call Control table.

Allow Calling Only to Specified Numbers

A reverse strategy to preventing calls is to allow outbound calls only to certain numbers. For G1 and System 75, you must specify both the area code and the office code of the allowable numbers. For G3, you can specify the area code or telephone number of calls you allow.

For DEFINITY G1 and System 75:

- Use change ars fnpa xxx to display the ARS FNPA Table, where xxx is the NPA that will have some unrestricted exchanges.
- Route the NPA to an RHNPA table (for example, r1).
- Use change rhnpa r1: xxx to route unrestricted exchanges to a pattern choice with an FRL equal to or lower than the originating FRL of the voice mail ports.
- If the unrestricted exchanges are in the Home NPA, and the Home NPA routes to h on the FNPA Table, use change hnpa xxx to route unrestricted exchanges to a pattern with a low FRL.
NOTE: If assigning a low FRL to a pattern preference conflicts with requirements for other callers (it allows calls that should not be allowed), use ARS partitioning to establish separate FNPA/HNPA/RHNPA tables for the voice mail ports.

For DEFINITY G2 and System 85:

- Use PROC311 WORD2 to establish 6-digit translation tables for foreign NPAs, and assign up to 10 different routing designators to each foreign NPA (area code).
- Use PROC311 WORD3 to map restricted and unrestricted exchanges to different routing designators.
- If the unrestricted toll exchanges are in the Home NPA, use PROC311 WORD1 to map them to a routing designator.
- If the Tenant Services feature is used, use PROC314 WORD1 to map routing designators to patterns. If Tenant Services is not used, the pattern number will be the same as the routing designator number.
- Use PROC309 WORD3 to define the restricted and unrestricted patterns.

For DEFINITY ECS and DEFINITY G3:

- Use change ars analysis to display the ARS Analysis screen.
- Enter the area codes or telephone numbers that you want to allow and assign an available routing pattern to each of them.
- Use change routing pattern to give the pattern preference an FRL that is equal to or lower than the FRL of the voice mail ports.

NOTE: For DEFINITY G3, the Unrestricted Call List (UCL) on the Toll Analysis Table can be used to allow calls to specified numbers through ARS/WCR. The COR for the voice mail ports should show “all-toll” restriction and access to at least one UCL.

For DEFINITY G2.2:

- Use PROC314 WORD1 to assign a VNI to the unrestricted dial string. Map the VNI to a routing pattern in PROC317 WORD2, and assign a low FRL to the pattern in PROC318 WORD1. If you permit only certain numbers, consider using Network 3, which contains only those numbers.
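The following is an added example, not code from the handbook or from any Lucent product: a small model of how a dialed-string analysis table, route pattern preferences and FRLs combine to decide whether a voice mail port may complete an outbound call, showing the "allow calling only to specified numbers" strategy described above. The longest-prefix lookup, the trunk group and pattern names, and the sample dialed strings are all assumptions.

```python
"""Added example (not from the handbook). Models the FRL rule this chapter
relies on: a call completes on a route pattern preference only when the
caller's FRL (from the voice mail port's COR/COS) is greater than or equal to
the FRL administered on that preference. Restricted destinations therefore
get a pattern with a high FRL; the allowed numbers route to a pattern whose
FRL is at or below the voice mail ports' FRL."""
from dataclasses import dataclass


@dataclass
class Preference:
    trunk_group: str
    frl: int                  # 0 through 7


@dataclass
class RoutePattern:
    name: str
    preferences: list         # tried in order; first preference whose FRL is met wins


class ArsAnalysis:
    """Dialed-string analysis table. Assumption: longest matching prefix wins."""

    def __init__(self):
        self.entries = {}     # dialed prefix -> RoutePattern

    def add(self, prefix: str, pattern: RoutePattern):
        self.entries[prefix] = pattern

    def lookup(self, dialed: str):
        best = None
        for prefix, pattern in self.entries.items():
            if dialed.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, pattern)
        return best


def route_call(ars: ArsAnalysis, port_frl: int, dialed: str):
    """Return (trunk_group, pattern_name) if some preference's FRL is met, else None."""
    match = ars.lookup(dialed)
    if match is None:
        return None               # no analysis entry: the call is not routed
    _, pattern = match
    for pref in pattern.preferences:
        if port_frl >= pref.frl:
            return (pref.trunk_group, pattern.name)
    return None                   # every preference demands a higher FRL than the port has


def build_allow_list_ars():
    """The handbook's reverse strategy: the allowed area code + office code goes
    to a low-FRL pattern, all other toll and international strings go to a
    pattern whose FRL exceeds the voice mail ports' FRL."""
    ars = ArsAnalysis()
    allowed = RoutePattern("p1-unrestricted", [Preference("tg1", 1)])
    restricted = RoutePattern("p2-restricted", [Preference("tg1", 7)])
    ars.add("1908582", allowed)   # constructed: NPA 908, office code 582 is permitted
    ars.add("1", restricted)      # every other 1+ toll call
    ars.add("011", restricted)    # international
    return ars


VOICE_MAIL_PORT_FRL = 1           # lowest FRL that still meets the outcalling requirement
```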
Detecting Voice Mail Fraud

Table 5-3 shows the reports that help determine if a voice mail system used with the DEFINITY ECS, DEFINITY Communications Systems, System 75, or System 85 is being used for fraudulent purposes. See ‘‘Security Tips’’ on page 5-3 for additional ways to detect voice mail fraud.

NOTE: The System Administrator can also view a logfile to see if a mailbox is being hacked. For the AUDIX Voice Mail System R1, the administrator can view the logfile by typing system:log:display. For the DEFINITY AUDIX and Lucent Technologies INTUITY Voice Mail Systems, the administrator can view the logfile by typing display administration-log.

Table 5-3. Reports and Monitoring Techniques for Voice Mail

Monitoring Technique                    Switch                                                             Page #
Call Detail Recording (SMDR)            All                                                                5-11
Traffic Measurements and Performance    All                                                                5-13
Automatic Circuit Assurance             All                                                                5-14
Busy Verification                       All                                                                5-15
Call Traffic Report                     All                                                                5-13
Trunk Group Report                      G1, G3, System 75                                                  5-13
Traffic Reports                         Any with the AUDIX Voice Mail System                               5-15
Call Detail Recording                   Any with the AUDIX Voice Mail System R1V5 with Digital Networking  5-18

Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)

With Call Detail Recording activated for the incoming trunk groups, you can check the calls into your voice mail ports. A series of short holding times may indicate repeated attempts to enter voice mailbox passwords. See also ‘‘Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only)’’ on page 3-53.
NOTE: Most call accounting packages discard this valuable security information. If you are using a call accounting package, check to see if this information can be stored by making adjustments in the software. If it cannot be stored, be sure to check the raw data supplied by the CDR.

Review CDR for the following symptoms of voice mail abuse:

- Short holding times on any trunk group where voice mail is the originating endpoint or terminating endpoint
- Calls to international locations not normal for your business
- Calls to suspicious destinations
- Numerous calls to the same number
- Undefined account codes

NOTE: For DEFINITY G2 and System 85, since CDR only records the last extension on the call, internal toll abusers transfer unauthorized calls to another extension before they disconnect so that the CDR does not track the originating station. If the transfer is to your voice mail system, it could give a false indication that your voice mail system is the source of the toll fraud.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- To display the Features-Related System Parameters screen, use change system-parameters feature (G1 and System 75 only) or change system-parameters cdr feature (G3 only).

NOTE: Also, using direct TACs on some SMDRs/CDRs can result in the non-recording of fraudulent calls.

- Administer the appropriate format to collect the most information. The format depends on the capabilities of your CDR analyzing and recording device.
- Use change trunk-group to display the Trunk Group screen.
- Enter y in the SMDR/CDR Reports field.

For DEFINITY G2:

- Use PROC275 WORD1 FIELD14 to turn on the CDR for incoming calls.
- Use PROC101 WORD1 FIELD8 to specify the trunk groups.
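As an added illustration (not from the handbook and not a Lucent tool), the reviewer below applies the symptom list above to raw call detail records. The record layout is a constructed whitespace-separated format, the thresholds are assumptions, and the short and long holding time limits reuse the ACA defaults given later in this chapter (10 seconds and one hour); a real SMDR/CDR layout depends on the administered format and the recording device.

```python
"""Added example, not part of the handbook: review raw CDR records for the
voice mail abuse symptoms the handbook lists. Format and thresholds are
assumptions made for this example."""
from collections import Counter

# Constructed sample CDR lines (not real switch output). Columns:
# date time duration_s trunk_group originating_endpoint dialed_number account_code
SAMPLE_CDR = """\
19971203 23:01:10 4 3 VM-PORT-1 19085551212 -
19971203 23:01:31 5 3 VM-PORT-1 19085551212 -
19971203 23:01:55 3 3 VM-PORT-2 19085551212 -
19971203 23:02:20 6 3 VM-PORT-1 19085551212 -
19971203 23:05:00 4200 4 2301 01144205550199 4711
19971203 23:40:12 600 4 2302 19085550100 9999
19971203 09:15:00 120 4 2303 12125550123 4711
"""

VOICE_MAIL_TRUNK_GROUPS = {"3"}      # trunk groups where voice mail is an endpoint
KNOWN_ACCOUNT_CODES = {"4711", "-"}  # "-" marks a call that carried no account code
SHORT_HOLD_SECONDS = 10              # ACA default short holding time on this page
LONG_HOLD_SECONDS = 3600             # ACA default long holding time on this page
SHORT_HOLD_COUNT = 3                 # assumed: this many short calls is "a series"
REPEAT_NUMBER_COUNT = 3              # assumed: "numerous calls to the same number"


def parse_cdr(text):
    """Parse the constructed layout into one dict per call."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, dur, tg, origin, dialed, acct = line.split()
        records.append({"date": date, "time": time, "duration": int(dur),
                        "trunk_group": tg, "origin": origin,
                        "dialed": dialed, "account": acct})
    return records


def review_cdr(records):
    """Return a sorted list of (symptom, detail) findings for an administrator."""
    findings = set()
    short_per_tg = Counter()
    calls_per_number = Counter()
    for r in records:
        # Symptom 1: short holding times where voice mail is an endpoint
        if r["trunk_group"] in VOICE_MAIL_TRUNK_GROUPS and r["duration"] < SHORT_HOLD_SECONDS:
            short_per_tg[r["trunk_group"]] += 1
        # Symptom 2: international destinations (North American 011 prefix assumed)
        if r["dialed"].startswith("011"):
            findings.add(("international", r["dialed"]))
        # Symptom 5: account code not defined on the switch
        if r["account"] not in KNOWN_ACCOUNT_CODES:
            findings.add(("undefined-account-code", r["account"]))
        # ACA-style long holding time on a single call
        if r["duration"] >= LONG_HOLD_SECONDS:
            findings.add(("long-holding-time", r["origin"]))
        calls_per_number[r["dialed"]] += 1
    for tg, n in short_per_tg.items():
        if n >= SHORT_HOLD_COUNT:
            findings.add(("short-holding-times", f"trunk group {tg}: {n} calls"))
    for number, n in calls_per_number.items():       # Symptom 4
        if n >= REPEAT_NUMBER_COUNT:
            findings.add(("numerous-calls-same-number", number))
    return sorted(findings)
```

"Calls to suspicious destinations" is deliberately left out, since what counts as suspicious is specific to each business and belongs in a site-maintained list.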
Call Traffic Report

This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity. For DEFINITY ECS, DEFINITY G1, G3, and System 75, traffic data reports are maintained for the last hour and the peak hour. For DEFINITY G2 and System 85, traffic data is available via Monitor I, which can store the data and analyze it over specified periods.

Trunk Group Report

This report tracks call traffic on trunk groups at hourly intervals. Since trunk traffic is fairly predictable, you can easily establish over time what is normal usage for each trunk group. Use this report to watch for abnormal traffic patterns, such as unusually high off-hour loading.

SAT, Manager I, and G3-MT Reporting

Traffic reporting capabilities are built in and are obtained through the System Administrator Tool (SAT), Manager I, and G3-MT terminals. These programs track and record the usage of hardware and software features. The measurements include peg counts (number of times accessed) and call seconds of usage. Traffic measurements are maintained constantly and are available on demand. However, reports are not archived and should therefore be printed to monitor a history of traffic patterns.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- To record traffic measurements:
  - Use change trunk-group to display the Trunk Group screen.
  - In the Measured field, enter both if you have BCMS and CMS, internal if you have only BCMS, or external if you have only CMS.
- To review the traffic measurements, use list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, or outage-trunk) and the timeframe (yesterday-peak, today-peak, or last-hour).
- To review performance, use list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).
ARS Measurement Selection

The ARS Measurement Selection can monitor up to 20 routing patterns (25 for G3) for traffic flow and usage.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change ars meas-selection to choose the routing patterns you want to track.
- Use list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements.

For DEFINITY G2, use Monitor I to perform the same function.

Automatic Circuit Assurance

This monitoring technique detects a number of short holding time calls or a single long holding time call, either of which may indicate hacker activity. Long holding times on trunk-to-trunk calls can be a warning sign. The ACA feature allows you to establish time limit thresholds defining what is considered a short holding time and a long holding time. When a violation occurs, a designated station is visually notified. When notification occurs, determine if the call is still active. If toll fraud is suspected, use the Busy Verification feature (see ‘‘Busy Verification’’ on page 5-15) to monitor the call in progress.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change system-parameters feature to display the Features-Related System Parameters screen.
- Enter y in the Automatic Circuit Assurance (ACA) Enabled field.
- Enter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches. Remote applies if the PBX being administered is a DCS node, perhaps unattended, that wants ACA referral calls to go to an extension or console at another DCS node.
- Use change trunk group to display the Trunk Group screen.
- Enter y in the ACA Assignment field.
- Establish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time).
- To review, use list measurements aca.
- Administer an aca button on the console or display station to which the referral will be sent.
For DEFINITY G2 and System 85:

- Use PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA system-wide.
- Use PROC120 WORD1 to set ACA call limits and number of calls thresholds.
- Use PROC286 WORD1 FIELD3 to send the alarms and/or reports to an attendant.

Busy Verification

When toll fraud is suspected, you can interrupt the call on a specified trunk group and monitor the call in progress. Callers will hear a long tone to indicate the call is being monitored.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change station to display the Station screen for the station that will be assigned the Busy Verification button.
- In the Feature Button Assignment field, enter verify.
- To activate the feature, press the Verify button and then enter the Trunk Access Code and member number to be monitored.

For DEFINITY G2 and System 85:

- Administer a Busy Verification button on the attendant console.
- To activate the feature, press the button and enter the trunk access code and the member number.

Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems

Toll fraud is possible when the application allows the incoming caller to make a network connection with another person. Thus, bridging to an outbound call, call transfer, and 3-way conferencing are vulnerable areas and should be protected.

Unauthorized System Use

You can minimize the risk of unauthorized people gaining access to your system by strictly following the compliance guidelines for, and using the aging feature of, your Voice Mail (vm) and AUDIX System Administration (sa) passwords. Additionally, a new option — the trusted server — has been introduced in this release. The trusted server has direct access to AUDIX and its functionality.
The same strict adherence to password guidelines is strongly recommended for trusted server passwords as for administration passwords. This section discusses security considerations for these topics.
Administration Passwords

Your INTUITY AUDIX system comes equipped with administrative password features and options that you control to assist you in securing your system. These include:

- Change default administrator password
- Administrator password standards
- Administrator password aging

Changing the Default Administrator Password. When you first get your system, both the sa (system administrator) and vm (voice mail administrator) logins come with a default password. You are required to change this password immediately.

Administrator Password Standards. There are certain minimum standards passwords must follow to comply with the system’s standards.

Administration of Password Aging. You can administer several parameters of the password aging feature that will enhance the level of security the system maintains. Password aging ensures that administration passwords are changed at reasonable intervals. Use the Password Expiration feature for administrative logins to reduce the danger of unauthorized system access. Some people tend to change a password when they must do so and then, shortly afterwards, change back to an old familiar password. Administering the Minimum Age Before Changes feature makes it inconvenient to use this tactic. Three new items were added to the Lucent INTUITY menu system to define the limits associated with password aging. They are listed below:

- Password Expiration
- Minimum Age Before Changes
- Expiration Warning

These items can be located by selecting Customer/Services Administration from the Main Menu.
Trusted Server Security

A trusted server is a computer or a software application in a domain outside of INTUITY AUDIX that uses its own login and password to launch a Lucent INTUITY Messaging Applications Programming Interface (IMAPI) LAN session and access AUDIX mailboxes. Two examples of trusted servers are:

- Synchronizer software running on an e-mail server
- Enhanced List Application (ELA) software running as a server on the Lucent INTUITY
Trusted servers can access and manipulate an AUDIX message just as the AUDIX application can do. (See Lucent Technologies INTUITY Messaging Solutions Release 4 Administration, 585-310-564 for in-depth discussions and definitions of trusted servers, domains, and integration of e-mail and other trusted server software with AUDIX.)

Securing a system that allows access from another domain involves a two-pronged approach. You must consider security from both an internal and an external perspective. External security involves administration to prevent access from an unauthorized source, such as a trusted server or trusted server administrator. Internal security focuses on preventing, or recovering from, damage if a breach occurs (for example, a virus is transmitted in a message component, such as an attached software file).

External Security for Trusted Servers. The trusted server is empowered to do everything to a user mailbox that an AUDIX user can do. You must administer a password that the trusted server application uses to request a connection to the AUDIX server. Additionally, to prevent unauthorized access through IMAPI into your system from an external source, such as a trusted server, you can administer an IMAPI password that the trusted server must also use when connecting to AUDIX. This IMAPI password prevents an unauthorized source from starting an IMAPI session and is used as a secondary layer of security in addition to the required trusted server password. While administration of the IMAPI password is optional, it is strongly recommended. If you choose to administer this password, it is further recommended that you change it on a regular basis (for example, monthly).
(If you have your administrator’s password set to age automatically, you could use the system prompt telling you that your password must be changed as a reminder to change the IMAPI password as well.) The two new trusted server screens that have been added for Release 4 are Trusted-Server Profile and IMAPI-Password. Instructions for their administration are in Lucent Technologies INTUITY Messaging Solutions Release 4 Administration, 585-310-564.

Internal Security. INTUITY AUDIX R4 allows the transmission between domains of two new message components, including text (e-mail) and binary (software) file attachments. Within the AUDIX system, Message Manager supports these message components as well. With these new components come new security considerations, namely the inadvertent delivery of a “virus” that may be embedded in a file attachment. This can occur in any system that supports the delivery of binary files. While the AUDIX machine cannot be infected with viruses embedded in these software files, client machines may become infected when a user launches the application associated with the software file. AUDIX does not perform any virus detection. Your company should carefully evaluate the security risks of file attachments and make provisions for virus detection software on PCs running an e-mail application or Message Manager. Your PC/LAN administrator(s) likely has considerable experience detecting and
preventing the transmission of software viruses that you can use when planning for e-mail. Furthermore, your administrator has minimum requirements that the AUDIX server and e-mail server must meet to be allowed on the company network at all. At a minimum, you should advise your users that file attachments should be detached (not launched) and scanned for viruses before use.

Traffic Reports (AUDIX Voice Mail System Only)

The AUDIX Voice Mail System provides tracking of traffic data over various timespans. Reviewing these reports on a regular basis helps to establish traffic trends. If increased activity or unusual usage patterns occur, such as heavy call volume on ports assigned to outcalling, they can be investigated immediately. Beginning with AUDIX Voice Mail System R1V2, the AUDIX Data Acquisition Package (ADAP) uses a PC to provide extended storage and analysis capabilities for the traffic data.

Call Detail Recording (AUDIX Voice Mail System Only)

For the AUDIX Voice Mail System R1V5 and later, this optional feature provides a detailed view of the activity associated with each voice mail session, outgoing calls, and system-wide activity.

Voice Session Record (AUDIX Voice Mail System Only)

The activity for each individual voice mailbox is recorded in a Voice Session Record. A voice session begins whenever a caller attempts to log into the AUDIX Voice Mail System, is redirected to the voice mail system for call answering, enters *R or **R, transfers from one automated attendant to another (nested), or is transferred by the Enhanced Automated Attendant feature.

The record reveals the routing of the call, including the caller (if internal), recipient, port, community, Mailbox IDs (corresponding to the voice mail system subscriber’s extension number input during a login or as input by the calling party), the time and duration of the call, the type of session (voice mail, call answer, guest password, or automated attendant), the message activity, and number of login attempts. Also reported is the session termination method. Each possible termination method is assigned a value as shown in Table 5-4. This information can be downloaded to a PC using ADAP to be available on demand or at scheduled intervals.