Lucent Technologies BCS Products Security Handbook

    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Voice Messaging Systems 
    Page 5-19 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 
    5
    Table 5-4. AUDIX Voice Mail System Session Termination Values

    Value  Reason for Session Termination
    01     Caller transferred out of the AUDIX Voice Mail System
    02     Caller disconnected established call
    03     Caller abandoned call before the AUDIX Voice Mail System answered
    04     Caller entered **X
    05     Caller entered *R from Call Answer
    06     Caller entered **R from Voice Mail
    07     The AUDIX Voice Mail System terminated the call due to a system problem
    08     The AUDIX Voice Mail System terminated the call due to a caller problem
           (for example, full mailbox timeout)
    09     The AUDIX Voice Mail System terminated call originated by another
           AUDIX Voice Mail System
    10     Transfer from an automated attendant to another Automated Attendant Mailbox
    11     Transfer from an automated attendant to a Call Answer Mailbox
    12     Transfer from an automated attendant to a Mailbox with Guest Greeting

    Outgoing Voice Call Detail Record
    (AUDIX Voice Mail System Only)
    An outgoing call record is also created for every outbound call that is originated by
    the AUDIX Voice Mail System via a voice port. This includes call transfers,
    outcalling, and message waiting activation and/or deactivation via access codes.
    A record is also created for call attempts for the Message Delivery feature.

    The outgoing voice call detail record supplies the date the call was placed, the
    time, the AUDIX Voice Mail System port number used for the call, the duration of
    the call, the voice mailbox id, the number dialed, and the call type as shown in
    Table 5-5.
    Unsuccessful call transfer attempts can result in multiple records being created for
    a single session. Review these records regularly for the following signs of hacker
    activity:
    - Failed login attempts
    - Multiple call transfers for a single session
    - Numerous outbound calls from the same voice mailbox
    - Calls to strange places
    - Heavy volume of Transfer Out of AUDIX Voice Mail System calls
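
    One way to automate the review described above, as an added example that is not
    part of the handbook. The record layout, the thresholds, the 5-digit dial plan with
    TAC 9 and the sample records are constructed assumptions; call type values 10 to 17
    are the transfer types of Table 5-5.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The column layout is an assumption; the fields
# are the ones the handbook lists for the outgoing voice call detail record.
SAMPLE = """\
date,time,port,duration_s,mailbox,dialed,call_type
1997-12-01,09:02:11,3,42,41207,41350,11
1997-12-01,22:14:03,5,4,41999,91809,10
1997-12-01,22:14:31,5,3,41999,91212,10
1997-12-01,22:15:02,5,610,41999,91305,10
1997-12-01,22:40:19,6,580,41999,91809,10
1997-12-02,08:30:00,2,15,41207,5551234,20
"""

TRANSFER_TYPES = set(range(10, 18))   # Table 5-5: values 10-17 are transfers
EXTENSION_LEN = 5                     # assumed 5-digit dial plan
TAC_PREFIXES = ("9",)                 # assumed trunk access code
MAX_CALLS_PER_MAILBOX = 3             # assumed review threshold
MAX_TRANSFERS_TOTAL = 3               # assumed review threshold
SESSION_GAP = timedelta(minutes=2)    # assumed: same port, close in time


def load(text):
    """Parse the records and sort them by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["when"] = datetime.strptime(r["date"] + " " + r["time"],
                                      "%Y-%m-%d %H:%M:%S")
        r["call_type"] = int(r["call_type"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["when"])


def review(rows):
    """Return (sign, subject, detail) tuples for records worth a closer look."""
    findings = []

    # Numerous outbound calls from the same voice mailbox.
    per_mailbox = Counter(r["mailbox"] for r in rows)
    for mbox, n in sorted(per_mailbox.items()):
        if n > MAX_CALLS_PER_MAILBOX:
            findings.append(("numerous-outbound-calls", mbox, n))

    # Heavy volume of transfer-out calls.
    transfers = [r for r in rows if r["call_type"] in TRANSFER_TYPES]
    if len(transfers) > MAX_TRANSFERS_TOTAL:
        findings.append(("heavy-transfer-volume", "system", len(transfers)))

    # Transfers whose digits are not a plain extension or begin with a TAC.
    for r in transfers:
        if len(r["dialed"]) != EXTENSION_LEN or r["dialed"].startswith(TAC_PREFIXES):
            findings.append(("unexpected-destination", r["mailbox"], r["dialed"]))

    # Multiple transfers in one session, approximated as consecutive transfer
    # records on the same port no more than SESSION_GAP apart.
    by_port = defaultdict(list)
    for r in transfers:
        by_port[r["port"]].append(r)
    for port, recs in sorted(by_port.items()):
        run = 1
        for prev, cur in zip(recs, recs[1:]):
            run = run + 1 if cur["when"] - prev["when"] <= SESSION_GAP else 1
            if run == 2:   # report each burst once
                findings.append(("multiple-transfers-one-session", port, cur["mailbox"]))
    return findings


if __name__ == "__main__":
    for finding in review(load(SAMPLE)):
        print(finding)
```

    Failed login attempts are not carried in the outgoing call record, so that sign
    has to be checked in a different report.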

    Table 5-5. AUDIX Voice Mail System Outgoing Call Type Values

    Value  Outgoing Call Type
    10     Transfer from Voice Mail with *T or *0
    11     Transfer from Voice Mail via return call
    12     Transfer from call answer with *T, *0 or 0
    13     Transfer from automated attendant via menu selection
    14     Transfer from automated attendant via extension specification
    15     Transfer from automated attendant via time out
    16     Transfer from automated attendant via *T
    17     Transfer from Bulletin Board via *T, *0 or 0
    20     Outcalling for any message
    21     Outcalling for priority message
    30     Message waiting activation/deactivation
    40     Message Delivery

    Protecting Passwords
    The AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail
    Systems offer passwords and password time-out mechanisms that can help
    restrict unauthorized users.

    Voice mail systems R1V4 and later allow you to specify the minimum length
    required. Use a minimum of six digits, and always specify a minimum password
    length that is greater than the extension length. For example, if the extensions are
    five digits, require six or more digits for the password. A longer password is more
    difficult for a hacker to break, and offers greater system security.

    For the Lucent Technologies INTUITY System, administrator passwords follow
    standard UNIX conventions, but have a 6-character minimum, one of which must
    be non-alpha. Subscriber passwords can be up to 15 digits.

    For DEFINITY ECS, administrator passwords are 3 to 10 characters, alpha and
    numeric. Subscriber passwords can be up to seven digits.

    Voice mail subscribers are given three attempts in one call to correctly enter their
    mailbox before they are automatically disconnected. You also can specify how
    many consecutive invalid attempts are allowed before a voice mailbox is locked.
    - The AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice
      Mail Systems provide three logins, each with individual password
      protection. For the AUDIX and DEFINITY AUDIX Voice Mail Systems, only
      one of these, “cust,” is customer-controlled. For the Lucent Technologies
      INTUITY Voice Mail System, “cust,” “sa,” and “vm” are customer-controlled.
      For administrative access to a voice mail system, the customer must log in
      and enter a password.
      You should routinely change the “cust,” “sa,” and “vm” login passwords,
      using the maximum digits allowed (10). Lucent Technologies will routinely
      change the passwords for the two voice mail system support logins.
    - Change the administration password from the default.
    - Use the “Minimum Password” feature, when available, to specify a
      minimum password length of at least 6 characters. Never set the minimum
      password to 0.
    - Make sure subscribers change the default password the first time they log
      into the voice mail system. To insure this, make the default password fewer
      digits than the minimum password length.

    See “Administration / Maintenance Access” on page 2-4 and “General Security
    Measures” on page 2-7 for secure password guidelines. See Appendix E for
    information on how to change passwords.

    Security Features
    Before implementing any security measures to protect the voice mail system, it is 
    important to understand how they work. You need to be aware of the possible 
    trade-offs associated with each security measure listed below.
    Basic Call Transfer
    With Basic Call Transfer, after a voice mail system caller enters *T, the system
    performs the following steps:
    1. The voice mail system verifies that the digits entered contain the same
       number of digits administered for extension lengths. If call transfer is
       restricted to subscribers (for the DEFINITY AUDIX System and the Lucent
       Technologies INTUITY System only), the voice mail system also verifies
       that the digits entered match the extension number of an administered
       subscriber.
    2. If Step 1 is successful, the voice mail system performs a switch-hook flash,
       putting the caller on hold.
       NOTE:
       If step 1 is unsuccessful, the voice mail system plays an error
       message and prompts the caller for another try.
    3. The voice mail system sends the digits to the switch.
    4. The voice mail system completes the transfer.

    With Basic Call Transfer, a caller can dial any number, provided the number of
    digits matches the length of a valid extension. So, if an unauthorized caller dials a
    transfer code followed by the first digits of a long-distance telephone number,
    such as 91809, the voice mail system passes the numbers on to the
    switch. (This is an example showing a 5-digit plan.) The switch interprets the first
    digit (9) as an access code, and the following digits as the prefix digit and area
    code. At this point, the caller enters the remaining digits of the phone number to
    complete the call.

    If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and
    the Lucent Technologies INTUITY System only), the caller cannot initiate a transfer
    to an off-premises destination unless the digits entered match an administered
    subscriber’s mailbox identifier; for example, 91809. To insure the integrity of the
    subscriber restriction, do not administer mailboxes that start with the same digit(s)
    as a valid switch Trunk Access Code. It is strongly recommended that all transfers
    be restricted to subscribers when Basic Call Transfer is used.

    Enhanced Call Transfer
    With Enhanced Call Transfer, the voice mail system uses a digital control link
    message to initiate the transfer and the switch verifies that the requested
    destination is a valid station in the dial plan. With Enhanced Call Transfer, when
    voice mail system callers enter *T followed by digits (or *A for name
    addressing) and #, the following actions take place:
    1. The voice mail system verifies that the digits entered contain the same
       number of digits as administered for extension lengths. If call transfer is
       restricted to subscribers (for the DEFINITY AUDIX System and the Lucent
       Technologies INTUITY System only), the voice mail system also verifies
       that the digits entered match the extension number of an administered
       subscriber.
       NOTE:
       When callers request a name addressing transfer, the name must
       match the name of an AUDIX, DEFINITY AUDIX, or Lucent
       Technologies INTUITY Voice Mail System subscriber (either local or
       remote) whose extension number is in the dial plan.
    2. If Step 1 is successful, the voice mail system sends a transfer control link
       message containing the digits to the switch. If Step 1 is unsuccessful, the
       voice mail system plays an error message to the caller and prompts for
       another try.
    3. The switch verifies that the digits entered match a valid station number in
       the dial plan.
       - If Step 3 is successful, the switch completes the transfer,
         disconnects the voice mail system voice port, and sends a
         “successful transfer” control link message to the voice mail system.
       - If Step 3 is unsuccessful, the switch leaves the voice mail system
         voice port connected to the call, sends a “fail” control link message
         to the voice mail system, and then the voice mail system plays an
         error message requesting another try.

    With Enhanced Call Transfer, the reason for a transfer is included in the control
    link message that the voice mail system sends to the switch. For Call Answer
    calls, such as calls that are redirected to the voice mail system when an extension
    is busy or does not answer, when a caller enters 0 to Escape to Attendant, the
    voice mail system normally reports the transfer to the switch as “redirected.”

    The switch uses this reason to determine how to proceed with the call. If the
    reason for the transfer is “redirected,” the call will not follow the destination’s
    coverage path or its call forwarding path. This is because the switch will not
    redirect a previously redirected call.

    This restriction may not be acceptable where it is desirable to have the call follow
    the coverage path of the “transferred-to” station. Enhanced Call Transfer can be
    administered to allow this type of transfer. This capability is available in AUDIX
    Voice Mail System R1V7, the DEFINITY AUDIX System 3.0, and the Lucent
    Technologies INTUITY System. Contact your Lucent Technologies Sales
    Representative for additional details and availability.
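
    The checks described for Basic and Enhanced Call Transfer, modelled as an added
    example (not Lucent code) together with a configuration audit for the handbook's
    recommendations on subscriber restriction and Trunk Access Codes. The Config
    fields, function names and all sample numbers other than 91809 are assumptions
    made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Config:
    """Hypothetical view of the settings the handbook discusses."""
    extension_len: int
    subscribers: frozenset      # administered mailbox numbers
    stations: frozenset         # valid stations in the switch dial plan
    tacs: frozenset             # trunk access codes on the switch
    transfer_type: str          # "basic", "enhanced" or "none"
    restrict_to_subscribers: bool


def vms_accepts(cfg, digits):
    """Step 1 of both transfer types: checks made by the voice mail system."""
    if cfg.transfer_type == "none":
        return False
    if not digits.isdigit() or len(digits) != cfg.extension_len:
        return False
    if cfg.restrict_to_subscribers and digits not in cfg.subscribers:
        return False
    return True


def transfer_completes(cfg, digits):
    """True if the requested transfer would be carried out."""
    if not vms_accepts(cfg, digits):
        return False
    if cfg.transfer_type == "enhanced":
        # Enhanced: the switch verifies the digits against the dial plan.
        return digits in cfg.stations
    # Basic: the digits are sent to the switch without further verification.
    return True


def audit(cfg):
    """List settings that conflict with the handbook's recommendations."""
    findings = []
    if cfg.transfer_type == "basic" and not cfg.restrict_to_subscribers:
        findings.append("basic transfer is not restricted to subscribers")
    for mbox in sorted(cfg.subscribers):
        for tac in sorted(cfg.tacs):
            if mbox.startswith(tac):
                findings.append(f"mailbox {mbox} starts with TAC {tac}")
    for tac in sorted(cfg.tacs):
        if len(tac) == cfg.extension_len:
            findings.append(f"TAC {tac} has the same length as an extension")
    return findings


# Constructed 5-digit plan; 9 is the assumed trunk access code.
BASIC_OPEN = Config(5, frozenset({"41207", "41350"}),
                    frozenset({"41207", "41350"}), frozenset({"9"}),
                    "basic", False)
BASIC_RESTRICTED = replace(BASIC_OPEN, restrict_to_subscribers=True)
ENHANCED = replace(BASIC_RESTRICTED, transfer_type="enhanced")
# A mailbox administered with the same leading digit as the TAC.
COLLIDING = replace(BASIC_RESTRICTED,
                    subscribers=frozenset({"41207", "91809"}))
# Constructed 3-digit plan with a 3-digit TAC.
THREE_DIGIT = Config(3, frozenset({"201"}), frozenset({"201", "202"}),
                     frozenset({"901"}), "enhanced", True)

if __name__ == "__main__":
    for name, cfg in [("basic, unrestricted", BASIC_OPEN),
                      ("basic, subscribers only", BASIC_RESTRICTED),
                      ("enhanced", ENHANCED),
                      ("basic, colliding mailbox", COLLIDING)]:
        print(name, transfer_completes(cfg, "91809"), audit(cfg))
    print("3-digit plan", audit(THREE_DIGIT))
```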
    Transfer Out of the System
    The “Transfer Out of AUDIX” feature offers many conveniences for the AUDIX,
    DEFINITY AUDIX, or Lucent Technologies INTUITY Voice Mail System caller and
    subscriber. When Transfer Out of AUDIX is enabled, the voice mail system
    performs the following services:
    - Callers can enter *T or *0 from a voice mail session to call another
      extension. (Callers can also enter *T*A for name addressing.)
    - Subscribers can return calls from other subscribers.
    - Callers can enter *T to call another extension either before or after
      leaving a Call Answer message.
    - Callers can enter *0 or 0 to Escape to Attendant either before or after
      leaving a Call Answer message.
    - The voice mail system transfers calls from the automated attendant via a
      menu selection, extension request, or time out.
    - The voice mail system transfers calls from the automated attendant or
      Bulletin Board sessions (some versions) when the caller enters *T.
    NOTE:
    For the DEFINITY AUDIX System Release 2.2, transfers are permitted only
    to numbers administered in the transfer-dialplan screen. Refer to your
    DEFINITY AUDIX System Release 2.2 documentation for additional
    procedures and information.

    Outcalling
    Outcalling automatically notifies authorized voice mail system subscribers 
    whenever a message arrives in their voice mail. When outcalling is activated, after 
    a caller leaves a message for a subscriber, the voice mail system calls the number 
    designated by the subscriber and delivers a recorded message notification. 
    Outcalling also can be used for message notification when a subscriber’s phone 
    does not have a message indicator lamp.
    Outcalling permission may be administered on a per-subscriber and a per-COS 
    basis in the voice mail system. The maximum number of digits to be used for 
    outcalling is administered on a per-system basis.
    NOTE:
    This feature is not affected by Enhanced Call Transfer.
    AMIS Networking
    AMIS Networking (the DEFINITY AUDIX System, the AUDIX Voice Mail System
    R1V6 and later, and the Lucent Technologies INTUITY System) allows voice
    messages to be sent to and received from subscribers on other vendors’ voice
    messaging systems. This service is based on the Audio Message Interchange
    Specification. This feature allows calls to be placed to off-premises voice
    messaging systems.

    Message Delivery
    AMIS Networking (the DEFINITY AUDIX System, the AUDIX Voice Mail System
    R1V6 and later, and the Lucent Technologies INTUITY System) offers a message
    delivery service that delivers voice messages to any designated telephone
    number. As in the case of outcalling, this feature allows calls to be placed to
    destinations that are off-premises.

    Security Measures
    Where indicated, the security measures in this section apply to specific releases 
    of both the AUDIX Voice Mail System and the switch.
    Disallow Outside Calls
    CAUTION:
    If TAC calls are permitted, they may be accepted as a valid extension 
    number. Even with Enhanced Call Transfer activated, toll hackers may be 
    able to enter a TAC to get an outside line if 3-digit station numbers and 
    3-digit TACs are used.
    The Enhanced Call Transfer feature is available on a voice mail system integrated 
    with the System 85 R2V4, System 75 R1V3, Issue 2.0, and later software 
    releases, DEFINITY Generic 1, Issue 5.0, and later software releases, DEFINITY 
    Generic 2, DEFINITY Generic 3, and DEFINITY ECS. If you have an earlier 
    release but want the added security offered by Enhanced Call Transfer, consider 
    upgrading to the required PBX software. Use the following procedures to activate 
    Enhanced Call Transfer.
    NOTE:
    For System 75 R1V3, Issue 2.2 is required if you are using 3-digit extension 
    numbers.
    For ALL systems (DEFINITY ECS, DEFINITY G1, G2, G3, System 75, and 
    System 85 R2V4):
    1. On the AUDIX Voice Mail System R1 system:appearance form, enter y in
       both the Call Transfer Out of AUDIX field and in the Enhanced Call
       Transfer field.
       Then press Change/Run.
       or
       For the DEFINITY AUDIX System and the Lucent Technologies INTUITY
       System, use the system-parameters features form and enter enhanced in
       the Transfer Type field. Then press ENTER.
       NOTE:
       When the Enhanced Call Transfer feature is activated, there is a
       change in how the Escape to Attendant feature works. If a calling
       party enters 0 or *0 to transfer to the covering extension after
       being redirected to the voice mail system, the call does not follow the
       coverage path when the covering extension is busy or does not
       answer. The AUDIX Voice Mail System R1V7, DEFINITY AUDIX
       System 3.0, and Lucent Technologies INTUITY Voice Mail System
       allow calls to follow a coverage path.
    2. On the AUDIX Voice Mail System R1 Maintenance:audits:fp form, tab to
       the Service Dispatcher field and enter x.
       Tab to the Start field and enter x.
       Then press Change/Run.
       NOTE:
       For the DEFINITY AUDIX System and the Lucent Technologies
       INTUITY System, no audit is required.
    3. For DEFINITY ECS, DEFINITY G1, G3, and System 75:
       On the switch, use change listed-directory-number to change the Listed
       Directory Number form, and enter a 4-digit extension number that routes
       calls to an attendant.
       For DEFINITY G2 and System 85:
       On the switch, use PROC204 WORD1 to assign a Listed Directory Number
       and display characters for the attendant console.
       On the AUDIX Voice Mail System R1 System:appearance form, or
       System-parameters features form for the DEFINITY AUDIX System and
       the Lucent Technologies INTUITY System; if “0000” appears in the System
       Covering Extension field, change the entry to the new 4-digit Listed
       Directory Number.

    After you activate Enhanced Call Transfer, test it by following the steps below:
    1. Dial into your voice mail system.
    2. Press *T.
    3. Enter an invalid extension number followed by #. The failed
       announcement should play, followed by a prompt for another extension
       number.
    4. Enter a valid extension number followed by #. You should notice that the
       call transfers much faster than with Basic Call Transfer.

    Disable Transfer Out of the System
    When the “Transfer Out of AUDIX” feature is teamed with Enhanced Call Transfer,
    the risk of toll fraud is minimized since the switch confirms that the number
    entered for the transfer is a valid PBX extension. However, if you do not need to
    transfer out, consider eliminating this feature (see “Transfer Out of the System”
    on page 5-23 for details).

    To do this, on the AUDIX Voice Mail System R1 System:appearance form, enter n
    in the Call Transfer Out of AUDIX field. For the DEFINITY AUDIX and Lucent
    Technologies INTUITY Systems, use the System-parameters features form,
    entering none in the Transfer Type field.
    NOTE:
    If your automated attendant system uses transfer to an extension, you
    cannot use this security measure.
    1. On the AUDIX Voice Mail System R1 Maintenance:audits:fp form, tab to
       the Service Dispatcher field and enter x.
    2. Tab to the Start field and enter x.
    3. Then press Change/Run.
    NOTE:
    For the DEFINITY AUDIX System and the Lucent Technologies
    INTUITY System, no audit is required.

    Limit Outcalling
    The measures you can take to minimize the security risk of outcalling depend on 
    how it is used. When outcalling is used only to alert on-premises subscribers who 
    do not have voice mail system message indicator lamps on their phones, you can 
    assign an outward-restricted COR to the voice mail system voice ports.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    - Use change cor to display the Class of Restriction screen, and then create
      an outward restricted COR by entering outward in the Calling Party
      Restriction field. The COR should carry an FRL of 0. Outward calling party
      restrictions and calling permissions should be blocked from all trunk CORs.
    - Assign the outward restricted COR to the voice mail system voice ports.
    For DEFINITY G2 and System 85:
    - Use PROC010 WORD3 FIELD19 to assign outward restriction to the voice
      mail system voice ports’ COS. Assign an FRL of 0 to the COR, and enter
      no for all Miscellaneous Trunk Group Restrictions.
    When outcalling is used for subscribers who are off-site (often the message 
    notification is forwarded to a call pager number), three options exist to minimize 
    toll fraud: 1) the voice mail system voice ports can be assigned to a toll-restricted 
    COR that allows calling only within a local area, 2) the outcalling numbers can be 
    entered into an unrestricted calling list for either ARS or Toll Analysis, or 
    3) outcalling numbers can be limited to 7 or 10 digits.
    - On the voice mail system subscriber form, turn off outcalling by entering n
      in the outcalling field.
    - On the voice mail system outcalling form, limit the number of digits that can
      be dialed for outcalling, allowing exactly the number of digits required to
      complete the call.
    NOTE:
    If outcalling is to a pager, additional digits may be required.
    Protect AMIS Networking
    To increase security for AMIS analog networking, including the Message Delivery 
    service, restrict the number ranges that may be used to address messages. Be 
    sure to assign all the appropriate PBX outgoing call restrictions on the voice mail 
    system voice ports.
    Security Tips
    - Require callers to use passwords.
    - Have the application verify that long distance numbers are not being
      requested, or verify that only permitted numbers are requested.
    - Use appropriate switch translation restrictions.
    - Administer all appropriate switch restrictions on the voice mail system
      voice ports.
    - You may determine whether to allow transfer only to another system
      subscriber or to any extension of the correct extension length (that is, the
      number of digits for extensions administered through the switch). For
      example, your system may be configured to support the 4-digit plan, the
      5-digit plan, and so on. The most secure approach, which is the default, is
      to only allow transfers to other system subscribers. If you decide to allow
      transfers to any extension, then you should check the switch COR on the
      voice ports for proper restrictions.
    - Administer the voice mail system to use Enhanced Call Transfer if the
      switch software allows.
    NOTE:
    When configured to operate in Digital Port Emulation mode, the 
    DEFINITY AUDIX System does not support Enhanced Call Transfer.
    Protecting the AUDIX Voice Power System
    The AUDIX Voice Power System provides both automated attendant and voice 
    mail functionality. The automated attendant feature answers incoming calls and 
    routes them to the appropriate department, person, or mailbox. The voice mail 
    feature provides call coverage to voice mailboxes along with a variety of voice 
    messaging features.
    Unauthorized persons concentrate their activities in two areas with the AUDIX 
    Voice Power System:
    - They try to transfer out of the AUDIX Voice Power System to gain access to
      an outgoing trunk and make long distance calls.
    - They try to locate unused or unprotected mailboxes and use them as
      dropoff points for their own messages.
    Traffic Reports
    The AUDIX Voice Power System tracks traffic data over various timespans. 
    Reviewing these reports on a regular basis helps to establish traffic trends. If 
    increased activity or unusual usage patterns occur, such as heavy call volume on 
    ports assigned to outcalling, they can be investigated immediately. 
    						