Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997
Voice Messaging Systems Page 5-19
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85

Table 5-4. AUDIX Voice Mail System Session Termination Values

Value  Reason for Session Termination
01     Caller transferred out of the AUDIX Voice Mail System
02     Caller disconnected established call
03     Caller abandoned call before the AUDIX Voice Mail System answered
04     Caller entered **X
05     Caller entered *R from Call Answer
06     Caller entered **R from Voice Mail
07     The AUDIX Voice Mail System terminated the call due to a system problem
08     The AUDIX Voice Mail System terminated the call due to a caller problem (for example, full mailbox timeout)
09     The AUDIX Voice Mail System terminated call originated by another AUDIX Voice Mail System
10     Transfer from an automated attendant to another Automated Attendant Mailbox
11     Transfer from an automated attendant to a Call Answer Mailbox
12     Transfer from an automated attendant to a Mailbox with Guest Greeting

Outgoing Voice Call Detail Record (AUDIX Voice Mail System Only)

An outgoing call record is also created for every outbound call that is originated by the AUDIX Voice Mail System via a voice port. This includes call transfers, outcalling, and message waiting activation and/or deactivation via access codes. A record is also created for call attempts for the Message Delivery feature.

The outgoing voice call detail record supplies the date the call was placed, the time, the AUDIX Voice Mail System port number used for the call, the duration of the call, the voice mailbox id, the number dialed, and the call type as shown in Table 5-5. Unsuccessful call transfer attempts can result in multiple records being created for a single session.

Review these records regularly for the following signs of hacker activity:

- Failed login attempts
- Multiple call transfers for a single session
- Numerous outbound calls from the same voice mailbox
- Calls to strange places
- Heavy volume of Transfer Out of AUDIX Voice Mail System calls

Protecting Passwords

The AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems offer passwords and password time-out mechanisms that can help restrict unauthorized users.

Voice mail systems R1V4 and later allow you to specify the minimum length required. Use a minimum of six digits, and always specify a minimum password length that is greater than the extension length. For example, if the extensions are five digits, require six or more digits for the password. A longer password is more difficult for a hacker to break, and offers greater system security.

Table 5-5. AUDIX Voice Mail System Outgoing Call Type Values

Value  Outgoing Call Type
10     Transfer from Voice Mail with *T or *0
11     Transfer from Voice Mail via return call
12     Transfer from call answer with *T, *0 or 0
13     Transfer from automated attendant via menu selection
14     Transfer from automated attendant via extension specification
15     Transfer from automated attendant via time out
16     Transfer from automated attendant via *T
17     Transfer from Bulletin Board via *T, *0 or 0
20     Outcalling for any message
21     Outcalling for priority message
30     Message waiting activation/deactivation
40     Message Delivery
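The review list above, as an added example that is not part of the handbook: a script that checks outgoing call records for four of the listed signs, using the Table 5-5 call type values. The CSV layout, sample records, thresholds and the same-port-and-mailbox session approximation are assumptions made for this example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Call types 10-17 in Table 5-5 are transfers out of the voice mail system.
TRANSFER_TYPES = {str(n) for n in range(10, 18)}

# Constructed sample records. The handbook lists the record fields but not an
# export layout, so this CSV column order is an assumption.
SAMPLE = """\
date,time,port,duration_s,mailbox,dialed,call_type
1997-12-01,02:14:05,3,4,51234,91809,10
1997-12-01,02:14:40,3,6,51234,91305,10
1997-12-01,02:15:10,3,310,51234,91212,10
1997-12-01,09:02:11,1,35,52001,52002,11
1997-12-01,09:30:00,2,20,52003,52010,13
1997-12-01,10:05:00,4,15,52004,,30
"""
# Constructed list of administered extensions on a 5-digit plan.
KNOWN_EXTENSIONS = {"51234", "52001", "52002", "52003", "52004", "52010"}


def load(text):
    """Parse the CSV text into rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["when"])


def review(rows, known_extensions, session_gap=timedelta(minutes=2),
           max_calls_per_mailbox=2, max_transfers_per_hour=2):
    """Return sorted (sign, subject) findings for the review list above."""
    findings = set()
    transfers = [r for r in rows if r["call_type"] in TRANSFER_TYPES]

    # Multiple call transfers for a single session. The record has no session
    # id, so a session is approximated as same port and mailbox, close in time.
    last_seen = {}
    for r in transfers:
        key = (r["port"], r["mailbox"])
        if key in last_seen and r["when"] - last_seen[key] <= session_gap:
            findings.add(("multiple-transfers-in-session", r["mailbox"]))
        last_seen[key] = r["when"]

    # Numerous outbound calls from the same voice mailbox.
    for mailbox, n in Counter(r["mailbox"] for r in rows).items():
        if n > max_calls_per_mailbox:
            findings.add(("numerous-outbound-calls", mailbox))

    # Calls to strange places: dialed digits that are not a known extension.
    for r in rows:
        if r["dialed"] and r["dialed"] not in known_extensions:
            findings.add(("unknown-destination", r["dialed"]))

    # Heavy volume of Transfer Out of AUDIX calls, counted per clock hour.
    per_hour = Counter(r["when"].strftime("%Y-%m-%d %H:00") for r in transfers)
    for hour, n in per_hour.items():
        if n > max_transfers_per_hour:
            findings.add(("heavy-transfer-volume", hour))

    return sorted(findings)


if __name__ == "__main__":
    for sign, subject in review(load(SAMPLE), KNOWN_EXTENSIONS):
        print(f"{sign:32} {subject}")
```

Failed login attempts are not covered here because they do not appear in the outgoing call record fields the handbook lists.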
For the Lucent Technologies INTUITY System, administrator passwords follow standard UNIX conventions, but have a 6-character minimum, one of which must be non-alpha. Subscriber passwords can be up to 15 digits.

For DEFINITY ECS, administrator passwords are 3 to 10 characters, alpha and numeric. Subscriber passwords can be up to seven digits.

Voice mail subscribers are given three attempts in one call to correctly enter their mailbox before they are automatically disconnected. You also can specify how many consecutive invalid attempts are allowed before a voice mailbox is locked.

- The AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems provide three logins, each with individual password protection. For the AUDIX and DEFINITY AUDIX Voice Mail Systems, only one of these, “cust,” is customer-controlled. For the Lucent Technologies INTUITY Voice Mail System, “cust,” “sa,” and “vm” are customer-controlled. For administrative access to a voice mail system, the customer must log in and enter a password. You should routinely change the “cust,” “sa,” and “vm” login passwords, using the maximum digits allowed (10). Lucent Technologies will routinely change the passwords for the two voice mail system support logins.
- Change the administration password from the default.
- Use the “Minimum Password” feature, when available, to specify a minimum password length of at least 6 characters. Never set the minimum password to 0.
- Make sure subscribers change the default password the first time they log into the voice mail system. To insure this, make the default password fewer digits than the minimum password length.

See “Administration / Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines.
See Appendix E for information on how to change passwords.

Security Features

Before implementing any security measures to protect the voice mail system, it is important to understand how they work. You need to be aware of the possible trade-offs associated with each security measure listed below.

Basic Call Transfer

With Basic Call Transfer, after a voice mail system caller enters *T, the system performs the following steps:

1. The voice mail system verifies that the digits entered contain the same number of digits administered for extension lengths. If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System only), the voice mail system also verifies that the digits entered match the extension number of an administered subscriber.
2. If Step 1 is successful, the voice mail system performs a switch-hook flash, putting the caller on hold.
   NOTE: If step 1 is unsuccessful, the voice mail system plays an error message and prompts the caller for another try.
3. The voice mail system sends the digits to the switch.
4. The voice mail system completes the transfer.

With Basic Call Transfer, a caller can dial any number, provided the number of digits matches the length of a valid extension. So, if an unauthorized caller dials a transfer code followed by the first digits of a long-distance telephone number, such as 91809, the voice mail system passes the numbers on to the switch. (This is an example showing a 5-digit plan.) The switch interprets the first digit (9) as an access code, and the following digits as the prefix digit and area code. At this point, the caller enters the remaining digits of the phone number to complete the call.

If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System only), the caller cannot initiate a transfer to an off-premises destination unless the digits entered match an administered subscriber’s mailbox identifier; for example, 91809. To insure the integrity of the subscriber restriction, do not administer mailboxes that start with the same digit(s) as a valid switch Trunk Access Code.

It is strongly recommended that all transfers be restricted to subscribers when Basic Call Transfer is used.
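An added model, not taken from the handbook, of the digit checks described above for Basic Call Transfer with and without the subscriber restriction, next to the switch-side station check that Enhanced Call Transfer performs. The 5-digit plan, access code 9 and 91809 follow the handbook's example; the station and mailbox numbers, function names and outcome strings are constructed.

```python
# Constructed sample dial plan: 5-digit extensions with "9" as the switch's
# Trunk Access Code (TAC), matching the handbook's 91809 example.
EXT_LEN = 5
TACS = {"9"}
STATIONS = {"51234", "51235", "52001"}   # constructed station numbers


def voice_mail_accepts(digits, subscribers=None):
    """Step 1: the voice mail system's own check on the entered digits.
    subscribers=None means transfers are not restricted to subscribers."""
    if not digits.isdigit() or len(digits) != EXT_LEN:
        return False
    return subscribers is None or digits in subscribers


def transfer_outcome(digits, transfer_type, subscribers=None):
    """Model one transfer request; transfer_type is 'basic' or 'enhanced'."""
    if not voice_mail_accepts(digits, subscribers):
        return "error message, caller prompted again"
    if transfer_type == "enhanced":
        # The switch verifies that the destination is a valid station.
        if digits in STATIONS:
            return "transferred to station"
        return "switch reports fail, caller prompted again"
    # Basic: switch-hook flash, then the digits go to the switch as dialed,
    # so a leading TAC is read as a request for an outside line.
    if any(digits.startswith(tac) for tac in TACS):
        return "switch reads leading digits as trunk access code"
    return "digits dialed as an extension"


def compare(digits, subscribers):
    """Outcome of the same request under the three configurations."""
    return {
        "basic": transfer_outcome(digits, "basic"),
        "basic, subscribers only": transfer_outcome(digits, "basic", subscribers),
        "enhanced": transfer_outcome(digits, "enhanced"),
    }


def mailboxes_colliding_with_tac(subscribers):
    """Mailboxes that begin with a TAC and so weaken the subscriber restriction."""
    return sorted(m for m in subscribers if any(m.startswith(t) for t in TACS))


if __name__ == "__main__":
    subscribers = {"51234", "52001"}          # constructed mailbox list
    for config, outcome in compare("91809", subscribers).items():
        print(f"{config:26} {outcome}")
    # A mailbox administered as 91809 reopens the path the restriction closed.
    print(mailboxes_colliding_with_tac(subscribers | {"91809"}))
```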
Enhanced Call Transfer

With Enhanced Call Transfer, the voice mail system uses a digital control link message to initiate the transfer and the switch verifies that the requested destination is a valid station in the dial plan. With Enhanced Call Transfer, when voice mail system callers enter *T followed by digits (or *A for name addressing) and #, the following actions take place:

1. The voice mail system verifies that the digits entered contain the same number of digits as administered for extension lengths. If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System only), the voice mail system also verifies that the digits entered match the extension number of an administered subscriber.
   NOTE: When callers request a name addressing transfer, the name must match the name of an AUDIX, DEFINITY AUDIX, or Lucent Technologies INTUITY Voice Mail System subscriber (either local or remote) whose extension number is in the dial plan.
2. If Step 1 is successful, the voice mail system sends a transfer control link message containing the digits to the switch. If Step 1 is unsuccessful, the voice mail system plays an error message to the caller and prompts for another try.
3. The switch verifies that the digits entered match a valid station number in the dial plan.
   - If Step 3 is successful, the switch completes the transfer, disconnects the voice mail system voice port, and sends a “successful transfer” control link message to the voice mail system.
   - If Step 3 is unsuccessful, the switch leaves the voice mail system voice port connected to the call, sends a “fail” control link message to the voice mail system, and then the voice mail system plays an error message requesting another try.

With Enhanced Call Transfer, the reason for a transfer is included in the control link message that the voice mail system sends to the switch. For Call Answer calls, such as calls that are redirected to the voice mail system when an extension is busy or does not answer, when a caller enters 0 to Escape to Attendant, the voice mail system normally reports the transfer to the switch as “redirected.” The switch uses this reason to determine how to proceed with the call. If the reason for the transfer is “redirected,” the call will not follow the destination’s coverage path or its call forwarding path. This is because the switch will not redirect a previously redirected call.

This restriction may not be acceptable where it is desirable to have the call follow the coverage path of the “transferred-to” station. Enhanced Call Transfer can be administered to allow this type of transfer. This capability is available in AUDIX Voice Mail System R1V7, the DEFINITY AUDIX System 3.0, and the Lucent Technologies INTUITY System. Contact your Lucent Technologies Sales Representative for additional details and availability.

Transfer Out of the System

The “Transfer Out of AUDIX” feature offers many conveniences for the AUDIX, DEFINITY AUDIX, or Lucent Technologies INTUITY Voice Mail System caller and subscriber. When Transfer Out of AUDIX is enabled, the voice mail system performs the following services:

- Callers can enter *T or *0 from a voice mail session to call another extension. (Callers can also enter *T*A for name addressing.)
- Subscribers can return calls from other subscribers.
- Callers can enter *T to call another extension either before or after leaving a Call Answer message.
- Callers can enter *0 or 0 to Escape to Attendant either before or after leaving a Call Answer message.
- The voice mail system transfers calls from the automated attendant via a menu selection, extension request, or time out.
- The voice mail system transfers calls from the automated attendant or Bulletin Board sessions (some versions) when the caller enters *T.

NOTE: For the DEFINITY AUDIX System Release 2.2, transfers are permitted only to numbers administered in the transfer-dialplan screen. Refer to your DEFINITY AUDIX System Release 2.2 documentation for additional procedures and information.

Outcalling

Outcalling automatically notifies authorized voice mail system subscribers whenever a message arrives in their voice mail. When outcalling is activated, after a caller leaves a message for a subscriber, the voice mail system calls the number designated by the subscriber and delivers a recorded message notification. Outcalling also can be used for message notification when a subscriber’s phone does not have a message indicator lamp.

Outcalling permission may be administered on a per-subscriber and a per-COS basis in the voice mail system. The maximum number of digits to be used for outcalling is administered on a per-system basis.

NOTE: This feature is not affected by Enhanced Call Transfer.

AMIS Networking

AMIS Networking (the DEFINITY AUDIX System, the AUDIX Voice Mail System R1V6 and later, and the Lucent Technologies INTUITY System) allows voice messages to be sent to and received from subscribers on other vendors’ voice messaging systems. This service is based on the Audio Message Interchange Specification. This feature allows calls to be placed to off-premises voice messaging systems.

Message Delivery

AMIS Networking (the DEFINITY AUDIX System, the AUDIX Voice Mail System R1V6 and later, and the Lucent Technologies INTUITY System) offers a message delivery service that delivers voice messages to any designated telephone number. As in the case of outcalling, this feature allows calls to be placed to destinations that are off-premises.

Security Measures

Where indicated, the security measures in this section apply to specific releases of both the AUDIX Voice Mail System and the switch.
Disallow Outside Calls

CAUTION: If TAC calls are permitted, they may be accepted as a valid extension number. Even with Enhanced Call Transfer activated, toll hackers may be able to enter a TAC to get an outside line if 3-digit station numbers and 3-digit TACs are used.

The Enhanced Call Transfer feature is available on a voice mail system integrated with the System 85 R2V4, System 75 R1V3, Issue 2.0, and later software releases, DEFINITY Generic 1, Issue 5.0, and later software releases, DEFINITY Generic 2, DEFINITY Generic 3, and DEFINITY ECS. If you have an earlier release but want the added security offered by Enhanced Call Transfer, consider upgrading to the required PBX software. Use the following procedures to activate Enhanced Call Transfer.

NOTE: For System 75 R1V3, Issue 2.2 is required if you are using 3-digit extension numbers.

For ALL systems (DEFINITY ECS, DEFINITY G1, G2, G3, System 75, and System 85 R2V4):

1. On the AUDIX Voice Mail System R1 system:appearance form, enter y in both the Call Transfer Out of AUDIX field and in the Enhanced Call Transfer field. Then press Change/Run.
   or
   For the DEFINITY AUDIX System and the Lucent Technologies INTUITY System, use the system-parameters features form and enter enhanced in the Transfer Type field. Then press ENTER.
   NOTE: When the Enhanced Call Transfer feature is activated, there is a change in how the Escape to Attendant feature works. If a calling party enters 0 or *0 to transfer to the covering extension after being redirected to the voice mail system, the call does not follow the coverage path when the covering extension is busy or does not answer. The AUDIX Voice Mail System R1V7, DEFINITY AUDIX System 3.0, and Lucent Technologies INTUITY Voice Mail System allow calls to follow a coverage path.
2. On the AUDIX Voice Mail System R1 Maintenance:audits:fp form, tab to the Service Dispatcher field and enter x. Tab to the Start field and enter x. Then press Change/Run.
   NOTE: For the DEFINITY AUDIX System and the Lucent Technologies INTUITY System, no audit is required.
3. For DEFINITY ECS, DEFINITY G1, G3, and System 75: On the switch, use change listed-directory-number to change the Listed Directory Number form, and enter a 4-digit extension number that routes calls to an attendant.
   For DEFINITY G2 and System 85: On the switch, use PROC204 WORD1 to assign a Listed Directory Number and display characters for the attendant console.
   On the AUDIX Voice Mail System R1 System:appearance form, or System-parameters features form for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System; if “0000” appears in the System Covering Extension field, change the entry to the new 4-digit Listed Directory Number.

After you activate Enhanced Call Transfer, test it by following the steps below:

1. Dial into your voice mail system.
2. Press *T.
3. Enter an invalid extension number followed by #. The failed announcement should play, followed by a prompt for another extension number.
4. Enter a valid extension number followed by #. You should notice that the call transfers much faster than with Basic Call Transfer.

Disable Transfer Out of the System

When the “Transfer Out of AUDIX” feature is teamed with Enhanced Call Transfer, the risk of toll fraud is minimized since the switch confirms that the number entered for the transfer is a valid PBX extension. However, if you do not need to transfer out, consider eliminating this feature (see “Transfer Out of the System” on page 5-23 for details). To do this, on the AUDIX Voice Mail System R1 System:appearance form, enter n in the Call Transfer Out of AUDIX field. For the DEFINITY AUDIX and Lucent Technologies INTUITY Systems, use the System-parameters features form, entering none in the Transfer Type field.

NOTE: If your automated attendant system uses transfer to an extension, you cannot use this security measure.

1. On the AUDIX Voice Mail System R1 Maintenance:audits:fp form, tab to the Service Dispatcher field and enter x.
2. Tab to the Start field and enter x.
3. Then press Change/Run.

NOTE: For the DEFINITY AUDIX System and the Lucent Technologies INTUITY System, no audit is required.

Limit Outcalling

The measures you can take to minimize the security risk of outcalling depend on how it is used. When outcalling is used only to alert on-premises subscribers who do not have voice mail system message indicator lamps on their phones, you can assign an outward-restricted COR to the voice mail system voice ports.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change cor to display the Class of Restriction screen, and then create an outward restricted COR by entering outward in the Calling Party Restriction field. The COR should carry an FRL of 0. Outward calling party restrictions and calling permissions should be blocked from all trunk CORs.
- Assign the outward restricted COR to the voice mail system voice ports.

For DEFINITY G2 and System 85:

- Use PROC010 WORD3 FIELD19 to assign outward restriction to the voice mail system voice ports’ COS. Assign an FRL of 0 to the COR, and enter no for all Miscellaneous Trunk Group Restrictions.

When outcalling is used for subscribers who are off-site (often the message notification is forwarded to a call pager number), three options exist to minimize toll fraud: 1) the voice mail system voice ports can be assigned to a toll-restricted COR that allows calling only within a local area, 2) the outcalling numbers can be entered into an unrestricted calling list for either ARS or Toll Analysis, or 3) outcalling numbers can be limited to 7 or 10 digits.

- On the voice mail system subscriber form, turn off outcalling by entering n in the outcalling field.
- On the voice mail system outcalling form, limit the number of digits that can be dialed for outcalling, allowing exactly the number of digits required to complete the call.

NOTE: If outcalling is to a pager, additional digits may be required.

Protect AMIS Networking

To increase security for AMIS analog networking, including the Message Delivery service, restrict the number ranges that may be used to address messages. Be sure to assign all the appropriate PBX outgoing call restrictions on the voice mail system voice ports.
Security Tips

- Require callers to use passwords.
- Have the application verify that long distance numbers are not being requested, or verify that only permitted numbers are requested.
- Use appropriate switch translation restrictions.
- Administer all appropriate switch restrictions on the voice mail system voice ports.
- You may determine whether to allow transfer only to another system subscriber or to any extension of the correct extension length (that is, the number of digits for extensions administered through the switch). For example, your system may be configured to support the 4-digit plan, the 5-digit plan, and so on. The most secure approach, which is the default, is to only allow transfers to other system subscribers. If you decide to allow transfers to any extension, then you should check the switch COR on the voice ports for proper restrictions.
- Administer the voice mail system to use Enhanced Call Transfer if the switch software allows.

NOTE: When configured to operate in Digital Port Emulation mode, the DEFINITY AUDIX System does not support Enhanced Call Transfer.

Protecting the AUDIX Voice Power System

The AUDIX Voice Power System provides both automated attendant and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The voice mail feature provides call coverage to voice mailboxes along with a variety of voice messaging features.

Unauthorized persons concentrate their activities in two areas with the AUDIX Voice Power System:

- They try to transfer out of the AUDIX Voice Power System to gain access to an outgoing trunk and make long distance calls.
- They try to locate unused or unprotected mailboxes and use them as dropoff points for their own messages.
Traffic Reports

The AUDIX Voice Power System tracks traffic data over various timespans. Reviewing these reports on a regular basis helps to establish traffic trends. If increased activity or unusual usage patterns occur, such as heavy call volume on ports assigned to outcalling, they can be investigated immediately.