Lucent Technologies BCS Products Security Handbook

BCS Products Security Handbook
555-025-600  Issue 6
December 1997
Chapter 5: Voice Messaging Systems
Page 5-39  MERLIN LEGEND Communications System
• Enter # in the Subscriber Password field to prevent access to the corresponding voice mail.
• Enter yes in the Does the subscriber have switch call coverage field. On the switch side, do not specify the AUDIX Voice Power System extension as a coverage point for any of these added extensions.

NOTE:
Although these restricted voice mailboxes cannot receive Call Answer messages, they do receive broadcast messages and even may receive a misdirected message from another subscriber. To save storage space, you should periodically clean out these mailboxes by accessing the restricted mailboxes and deleting all messages.

NOTE:
On AUDIX Voice Power System 2.1.1, mailboxes can be set individually to “1 minute,” reducing the clean-up required to service these mailboxes.
Protecting the INTUITY Voice Messaging System

The INTUITY Voice Messaging System provides automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.

Voice messaging systems have two areas of weakness:

• Codes that transfer to inside or outside dial tone
  Once thieves transfer to inside dial tone, they have access to any unprotected switch features. Preventing this type of abuse requires security at both the switch and at the voice messaging system.
• Mailboxes that can be used as message drops
  Once thieves break into a mailbox, they can use it as a message drop for untraceable calls for illegal activities. If you have 800 lines that can connect to your voice messaging system, they can pass stolen information around at your expense using your 800 lines.
Protecting Passwords

The INTUITY AUDIX System offers password protection to help restrict unauthorized access. Subscribers should use the longest feasible password length and should change it routinely. Passwords can be up to 15 digits, and you can specify the minimum number of digits required. Use a minimum of five digits, and a length at least one digit longer than the extension number length. See ‘‘Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password guidelines. See Appendix E for information on how to change passwords.
Security Tips

• At the switch, assign toll restrictions to voice message system and automated attendant ports.
• If you do not use the outcalling features of the voice messaging system, restrict the outward calling capability of all voice ports.
• Use a dial plan that does not allow extensions beginning with the same digits as ARS, TAC, or verification and test codes.
• Inform all system operators that they are not to dial outside calls. Request that operators report all attempts to bypass switch restrictions to the telecommunications department for repairs or to the corporate security office for investigation.
• Restrict the numbers for outcalling with a disallowed list.
• Do not use default initial passwords that follow any scheme. Have a list of random passwords and select one when you create the mailbox. Require that the mailbox owner personally appear at the corporate security office or telecommunications office to obtain the initial password. Go over the subscriber password guidelines with the subscriber when you give out the initial password.
• Make sure subscribers change the initial password the first time they log in to the AUDIX system by making the initial password shorter than the minimum password length.
• Use the password aging feature so that users must change their passwords monthly.
• Discourage the practice of writing down passwords, storing them, or sharing them with others.
• Inform employees on how to report suspected toll fraud to the corporate security office.
Security Measures

The following are suggested security measures to be used with the INTUITY AUDIX Voice Messaging System.

Basic Call Transfer

With Basic Call Transfer, after a voice mail system caller enters *T, the system performs the following steps:

1. The voice mail system verifies that the digits entered contain the same number of digits administered for extension lengths. If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System only), the voice mail system also verifies that the digits entered match the extension number of an administered subscriber.
2. If Step 1 is successful, the voice mail system performs a switch-hook flash, putting the caller on hold.

NOTE:
If Step 1 is unsuccessful, the voice mail system plays an error message and prompts the caller for another try.

3. The voice mail system sends the digits to the switch.
4. The voice mail system completes the transfer.

With Basic Call Transfer, a caller can dial any number, provided the number of digits matches the length of a valid extension. So, if an unauthorized caller dials a transfer code followed by the first digits of a long-distance telephone number, such as 91809, the voice mail system passes the numbers on to the switch. (This is an example showing a 5-digit plan.) The switch interprets the first digit (9) as an access code, and the following digits as the prefix digit and area code. At this point, the caller enters the remaining digits of the phone number to complete the call.

If call transfer is restricted to subscribers (for the DEFINITY AUDIX System and the Lucent Technologies INTUITY System only), the caller cannot initiate a transfer to an off-premises destination unless the digits entered match an administered subscriber’s mailbox identifier; for example, 91809. To ensure the integrity of the subscriber restriction, do not administer mailboxes that start with the same digit(s) as a valid switch Trunk Access Code. It is strongly recommended that all transfers be restricted to subscribers when Basic Call Transfer is used.
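The transfer path above, together with the switch-side restrictions the handbook recommends behind it, as an added model in Python. This is illustrative code, not Lucent's; the 5-digit plan, the subscriber list, the trunk access codes and the abridged Disallowed List are constructed.

```python
# Added example (not Lucent code): the Basic Call Transfer check on the voice
# mail side, then a simplified model of what the switch does with the digits.

EXT_LEN = 5                         # 5-digit dial plan, as in the handbook's example
ARS_ACCESS_CODE = "9"               # dial access code that returns outside dial tone
TRUNK_ACCESS_CODES = ("9", "70")    # ARS code plus a pool dial-out code (constructed)

# Constructed list of administered subscriber mailbox identifiers
SUBSCRIBERS = frozenset({"31234", "31235", "91234"})

# Prefixes from the handbook's recommended Disallowed List (abridged)
DISALLOWED_LIST_7 = ("0", "70", "011", "809", "1809", "10", "9999", "411",
                     "800", "888", "700", "900", "976", "550", "1800", "1888")


def vm_transfer_check(digits, subscribers_only):
    """Step 1 of Basic Call Transfer: the digit count must equal the
    administered extension length; with Transfer to Subscribers Only the
    digits must also name an administered subscriber."""
    if not digits.isdigit() or len(digits) != EXT_LEN:
        return False, "wrong number of digits"
    if subscribers_only and digits not in SUBSCRIBERS:
        return False, "not an administered subscriber"
    return True, "ok"


def switch_route(digits, port_outward_restricted, disallowed):
    """Simplified model (assumption) of the switch's handling of the digits
    the voice mail port dials: a leading ARS code asks for outside dial tone,
    which the port's outward restriction or a Disallowed List may refuse."""
    if not digits.startswith(ARS_ACCESS_CODE):
        return "internal extension " + digits
    outside = digits[len(ARS_ACCESS_CODE):]
    if port_outward_restricted:
        return "blocked: port is outward restricted"
    if any(outside.startswith(p) for p in disallowed):
        return "blocked: Disallowed List"
    return "outside dial tone, caller finishes dialing after " + outside


def transfer(digits, subscribers_only=False, port_outward_restricted=False,
             disallowed=()):
    """The whole transfer: voice mail check first, then the switch."""
    ok, reason = vm_transfer_check(digits, subscribers_only)
    if not ok:
        return "voice mail error, caller re-prompted: " + reason
    return switch_route(digits, port_outward_restricted, disallowed)


def colliding_mailboxes(subscribers=SUBSCRIBERS, codes=TRUNK_ACCESS_CODES):
    """Administration check from the text: mailbox identifiers that begin with
    the digits of a Trunk Access Code defeat the subscriber restriction."""
    return sorted(m for m in subscribers if any(m.startswith(c) for c in codes))


if __name__ == "__main__":
    # Unprotected: 91809 is five digits, so it reaches the switch and gets dial tone
    print(transfer("91809"))
    # The subscriber restriction alone stops it...
    print(transfer("91809", subscribers_only=True))
    # ...but not when a mailbox identifier itself starts with the ARS code
    print(transfer("91234", subscribers_only=True))
    print("mailboxes to renumber:", colliding_mailboxes())
    # Switch-side layers catch what the voice mail system lets through
    print(transfer("91809", port_outward_restricted=True))
    print(transfer("91809", disallowed=DISALLOWED_LIST_7))
```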
Closely Monitor All Mailboxes

The use of INTUITY AUDIX system security features in combination with mailbox administration can help reduce the risk of unauthorized use of mailboxes.

• Lock out multiple consecutive attempts to enter a voice mailbox. The INTUITY AUDIX system has a password time-out feature that allows callers three attempts in one call to correctly enter their password before they are automatically disconnected. You can also specify how many consecutive invalid attempts are allowed before a voice mailbox is locked.
• Deactivate unassigned voice mailboxes. When an employee leaves the company, close or reassign the voice mailbox.
• Do not create voice mailboxes before they are needed.
• Avoid or closely monitor the use of “guest” mailboxes (mailboxes without a physical extension that are loaned to outsiders for the duration of a project). If you need a guest mailbox, assign it when it is needed and deactivate or change its password immediately after it is no longer needed. Do not reassign a guest mailbox without changing the password.
Restrict Outcalling

Outcalling uses the voice messaging ports. If mailbox security is broken, unauthorized persons can use outcalling to transfer messages at your expense. If you need outcalling, restrict it as far as possible to eliminate the possibilities for theft of services.

• Do not enable outcalling at all if you do not need it. Do not enable outcalling for any subscribers who do not need it.
• If outcalling is used only to ring in-house telephones that do not have message waiting lights, restrict the number of digits to the maximum extension length.
• If possible, restrict outcalling to the local area (7 digits), or North American (10 digits).
• If outcalling must be done to pagers, use pagers that have individual DID numbers so that pager identification digits are not required, and restrict any additional digits for call identification to the minimum possible.
• If a limited number of pagers are in use, consider putting the pager numbers on an unrestricted calling list so that outcalling can be effectively limited to only those numbers.
Detecting Toll Fraud

With SMDR activated for incoming calls, you can check the calls into your voice mail ports. A series of short holding times may indicate repeated attempts to enter voice mailbox passwords.

Review SMDR reports for the following symptoms of voice messaging abuse:

• Short holding times on calls where voice messaging is the originating endpoint or terminating endpoint
• Calls to international locations not normal for your business
• Calls to suspicious destinations
• Numerous calls to the same number
• Undefined account codes

NOTE:
The MERLIN LEGEND system only records the last extension on the call. Internal toll abusers transfer unauthorized calls to another extension before they disconnect so that the SMDR does not track the originating station. If the transfer is to your voice messaging system, it could give a false indication that your voice messaging system is the source of the toll fraud.
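An added example (not from the handbook) that runs the five symptoms above, plus the last-extension caveat in the note, over constructed SMDR-style records. The record layout, port extensions, account codes and thresholds are assumptions; real MERLIN LEGEND SMDR output differs in layout.

```python
# Added example (not Lucent code): review SMDR records for the symptoms of
# voice messaging abuse listed in the handbook.
from collections import Counter, defaultdict

VM_PORTS = {"7101", "7102", "7103", "7104"}    # voice mail port extensions (constructed)
DEFINED_ACCOUNT_CODES = {"1001", "1002"}        # account codes administered on the switch (constructed)
SHORT_HOLD_SECS = 20           # holding time below which a call counts as "short" (assumption)
SHORT_HOLD_REPEATS = 3         # short calls per port before flagging (assumption)
SAME_NUMBER_THRESHOLD = 3      # repeats of one dialed number before flagging (assumption)
SUSPICIOUS_PREFIXES = ("900", "976", "809", "1900", "1976", "1809")   # from the Disallowed List

# Constructed records in a simplified layout:
# time,station,direction,dialed number,holding time in seconds,account code
SAMPLE_SMDR = """\
02:11,7101,IN,,12,
02:12,7101,IN,,9,
02:12,7102,IN,,11,
02:13,7101,IN,,8,
02:20,7104,OUT,0114412345678,845,
02:31,7104,OUT,19005551212,600,
02:40,7104,OUT,19005551212,610,7777
02:50,7104,OUT,19005551212,590,
09:15,2001,OUT,5551000,120,1001
"""


def parse_smdr(text):
    """Split the constructed layout into one dict per call record."""
    calls = []
    for line in text.strip().splitlines():
        time, station, direction, dialed, secs, acct = line.split(",")
        calls.append({"time": time, "station": station, "direction": direction,
                      "dialed": dialed, "secs": int(secs), "acct": acct})
    return calls


def review(calls):
    """Return {symptom: [details]} for the symptoms listed in the text, plus
    the handbook's caveat about calls transferred into voice mail."""
    findings = defaultdict(list)
    short_per_port = Counter()
    dialed_counter = Counter()
    for c in calls:
        # Short holding times with a voice mail port as an endpoint: repeated
        # password guessing shows up as a burst of brief calls into the ports.
        if c["station"] in VM_PORTS and c["secs"] < SHORT_HOLD_SECS:
            short_per_port[c["station"]] += 1
        if c["direction"] == "OUT":
            dialed_counter[c["dialed"]] += 1
            if c["dialed"].startswith("011"):
                findings["international"].append(c["dialed"])
            if c["dialed"].startswith(SUSPICIOUS_PREFIXES):
                findings["suspicious destination"].append(c["dialed"])
            # Only the last extension on a call is recorded, so an outgoing call
            # logged on a voice mail port may really be an internal abuser who
            # transferred to voice mail before hanging up; verify before blaming
            # the voice messaging system.
            if c["station"] in VM_PORTS:
                findings["verify originating station"].append(c["dialed"])
        if c["acct"] and c["acct"] not in DEFINED_ACCOUNT_CODES:
            findings["undefined account code"].append(c["acct"])
    for port, n in short_per_port.items():
        if n >= SHORT_HOLD_REPEATS:
            findings["short holding times"].append(
                f"port {port}: {n} calls under {SHORT_HOLD_SECS}s")
    for number, n in dialed_counter.items():
        if n >= SAME_NUMBER_THRESHOLD:
            findings["numerous calls to same number"].append(f"{number} x{n}")
    return dict(findings)


if __name__ == "__main__":
    for symptom, details in review(parse_smdr(SAMPLE_SMDR)).items():
        print(f"{symptom}: {', '.join(details)}")
```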
Protecting the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems

The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems provide automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.

Beginning with Release 3.1, ports assigned for use by voice messaging systems (including generic or integrated VMI ports) are now assigned outward restrictions by default. Also, FRL 0 and Disallowed List #7 are used. Prior to Release 3.1, FRL 3 is used. If a voice messaging system should be allowed to call out (for example, to send calls to a user’s home office), the system manager must remove these restrictions. Provide outcalling only to mailboxes that have a business need for the feature.

NOTE:
Unauthorized persons concentrate their activities in two areas: they try to transfer out of the voice messaging system to gain access to an outgoing trunk and make long distance calls; or they try to locate unused or unprotected mailboxes and use them as dropoff points for their own messages.
Protecting Automated Attendant

Two areas of toll fraud risk are associated with the automated attendant feature. These are listed below.

• Pooled facility (line/trunk) access codes are translated to a selector code to allow Remote Access. If a hacker chooses this selector code, the hacker has immediate access.
• If the automated attendant prompts callers to use the host switch’s Remote Call Forwarding (RCF) to reach an outside telephone number, the system may be susceptible to toll fraud. An example of this application is a menu or submenu that says, “To reach our answering service, press 5,” then transfers the caller to an external telephone number.
  Remote Call Forwarding can only be used securely when the central office provides “reliable disconnect.” This is sometimes referred to as a forward disconnect or disconnect supervision. This guarantees that the central office will not return a dial tone after the called party hangs up. In many cases, the central office facility is a loop-start line/trunk which does not provide reliable disconnect. When loop-start lines/trunks are used, if the calling party stays on the line, the central office will return a dial tone at the conclusion of the call, enabling the caller to place another call as if it were being placed from your company.
Take the following preventative measures to limit the risk of unauthorized use of the automated attendant feature by hackers:

• Do not use automated attendant selector codes for Automatic Route Selection (ARS) codes or Pooled Facility codes.
• Assign all unused automated attendant selector codes to zero, so that attempts to dial these will be routed to the system operator or General Mailbox.
• If Remote Call Forwarding (RCF) is required, coordinate with your Lucent Technologies Account Team or authorized dealer to verify the type of central office facility used for RCF. If a ground-start line/trunk, or a loop-start line/trunk and central office reliable disconnect can be ensured, then nothing else need be done.

NOTE:
In many cases these will be loop-start lines/trunks without reliable disconnect. The local telephone company will need to be involved to change the facilities used for RCF to ground start lines/trunks. Usually a charge applies for this change. Also, hardware and software changes may need to be made in the MERLIN LEGEND Communications System. The automated attendant feature merely accesses the RCF feature in the MERLIN LEGEND Communications System. Without these changes being made, this feature is highly susceptible to toll fraud. The same preventative measures must be taken if the RCF feature is active for MERLIN LEGEND Communications System extensions, whether or not accessed by an automated attendant menu.
Protecting Passwords

For the MERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems, passwords can be up to four digits. For the MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System, passwords can be up to 15 digits. See ‘‘Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password guidelines. See Appendix E for information on how to change passwords.
Security Tips

The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems, through proper administration, can help you reduce the risk of unauthorized persons gaining access to the network. However, phone numbers and authorization codes can be compromised when overheard in a public location, lost through theft of a wallet or purse containing access information, or when treated carelessly (writing codes on a piece of paper and improperly discarding them).
Hackers may also use a computer to dial an access code and then publish the information for other hackers. Substantial charges can accumulate quickly. It is your responsibility to take appropriate steps to implement the features properly, to evaluate and administer the various restriction levels, and to protect and carefully distribute access codes.

To reduce the risk of unauthorized access through your voice messaging system, also observe the following procedures:

• Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.
• If the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and/or MERLIN LEGEND Mail Voice Messaging System outcalling feature will be used, on the MERLIN LEGEND Communications System, outward restrict (FRL 0) all voice messaging system ports not used for outcalling. This denies access to facilities (lines/trunks).
  ◦ The two-port systems (MERLIN MAIL Voice Messaging System, MERLIN MAIL-ML Voice Messaging System, MERLIN MAIL R3 Voice Messaging System, and MERLIN LEGEND Mail Voice Messaging System) use port 2 for outcalling; outward restrict port 1.
  ◦ The four-port systems (MERLIN MAIL Voice Messaging System, MERLIN MAIL-ML Voice Messaging System, MERLIN MAIL R3 Voice Messaging System, and MERLIN LEGEND Mail Voice Messaging System) use port 4 for outcalling; outward restrict ports 1, 2, and 3.
  ◦ The six-port system (MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging Systems) uses ports 5 and 6 for outcalling; outward restrict ports 1, 2, 3, and 4.
• Require employees who have voice mailboxes to use passwords to protect their mailboxes. For the MERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems, passwords should be four digits long. For MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging Systems, passwords should be at least six digits long.
• Require the System Administrator and all voice mailbox owners to change their password from the default.
• Have employees use random sequence passwords.
• Impress upon employees the importance of keeping their passwords a secret.
• Encourage employees to change their passwords regularly.
• Use a secure password for the General Mailbox.
• Reassign the System Administrator’s mailbox/extension number from the default of 9997. Be certain to password protect the new mailbox.
• Have the System Administrator delete unneeded voice mailboxes from the system immediately.
• Set the maximum number of digits in an extension parameter appropriate to your dial plan. The voice messaging system will not perform transfers to extensions greater than that number.
• When possible, restrict the off-network capability of callers by using calling restrictions, Facility Restriction Levels, and Disallowed List features.
• Outward restrict all MERLIN LEGEND voice mail port extensions not used for outcalling. This denies access to facilities (lines/trunks). Beginning with Release 3.1, this is the default. You should change this setting only after careful consideration.
• Create a Disallowed List to disallow dialing 0, 70, 011, 809, 1809, 0809, 10, 9999, 411, 1411, 800, 888, 700, 900, 976, 550, 1800, 1888, 1700, 1500, 1900, 1976, 1550, 0800, 0888, 0700, 0500, 0900, 0976, and 0550. Assign all voice mail ports to this list. Lucent Technologies recommends using List 7 — the last Disallowed List. This is an added layer of security, in case other restrictions are inadvertently removed.
• If outcalling is required by users of the voice messaging system:
  ◦ Program an ARS Facility Restriction Level (FRL) of 2 for voice mail port extension(s) used for outcalling.
  ◦ If 800 and 888 numbers are used as outcalling destinations, remove 1800 and 1888 from Disallowed List number 7.
  ◦ If outcalling is allowed to long distance numbers, build an Allowed List and assign it to the voice mail port extension(s) used for outcalling. On a two-port system, port 2 is used for outcalling. On a four-port system, port 4 is used for outcalling. On a 6-port system, ports 5 and 6 are used for outcalling. This list should contain the area code and first three digits of the local exchange telephone numbers to be allowed.
  ◦ When possible, block out-of-hours calling.
  ◦ Limit outcalling to persons on a need-to-have basis.
• Use the Transfer to Subscribers Only feature (MERLIN MAIL R3 Voice Messaging System only).
• Require network dialing for all extensions, including voice mail port extensions, to be through ARS using dial access code 9.
• Deny access to pooled facility codes by removing pool dial-out codes 70, 890-899, or any others on your system.
• Instruct employees to contact their System Administrator immediately if any of the following occur:
  ◦ strange voice mail messages are received
  ◦ their personal greeting has been changed
  ◦ they suspect their MERLIN MAIL Voice Messaging System mailbox is being used by someone else
Additional MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System Security Features

The MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System includes the following additional security features:

• The Transfer to Registered Subscribers Only setting of the Transfer Restrictions feature allows callers to be transferred only to users who have mailboxes in the system. Lucent Technologies strongly recommends using this feature to guard against toll fraud.
• Transfer-Only mailboxes allow callers to reach extensions that need to be transfer destinations but do not need to receive messages. A maximum of 255 Transfer-Only mailboxes are available.
• The System Administrator can set the Minimum Password Length to any value from 0-15 digits. The default value is six digits. Every subscriber’s mailbox password and the System Administration Password must be at least six digits.

  NOTE:
  A Minimum Password Length of at least six digits is strongly recommended. The shorter the Minimum Password Length, the more vulnerable your system is to abuse by unauthorized persons. Choose the largest acceptable minimum length in order to maximize the security of your system.

• The Security Violation Notification feature enables the System Administrator to choose to be warned about possible mailbox break-in attempts. The System Administrator can choose from the following options:
  ◦ Mailbox Lock — Locks the subscriber’s mailbox and sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox.
  ◦ Warning Message — Sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox (factory setting).
  ◦ No Security Notification (strongly discouraged).
  When a caller reaches the maximum number of unsuccessful login attempts, and Security Violation Notification is set to either Mailbox Lock or Warning Message, the system plays the message, “Login incorrect. Too many unsuccessful login attempts. The System Administrator has been notified. Good-bye.” The system sends a warning message to the mailbox owner and to the System Administrator.
NOTE:
The System Administrator should use the most restrictive form of the feature that the business allows. Use the Mailbox Lock option unless this is too restrictive for your business. Use the Warning Message option otherwise. It is strongly discouraged to administer a system without Security Violation Notification. The System Administrator should investigate all warning messages received.
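The login controls described here and under ‘‘Closely Monitor All Mailboxes’’ (three password attempts per call, a consecutive-attempt limit, the three Security Violation Notification options, and an initial password shorter than the minimum forcing a change on first login), as an added Python model that is not Lucent's code. The consecutive-attempt limit, extension numbers and passwords are constructed.

```python
# Added example (not Lucent code): a model of mailbox login controls combining
# the INTUITY AUDIX password time-out with the MERLIN MAIL R3 / MERLIN LEGEND
# Mail Security Violation Notification options.
from dataclasses import dataclass, field
from enum import Enum


class Notification(Enum):
    """The three Security Violation Notification settings."""
    MAILBOX_LOCK = "Mailbox Lock"
    WARNING_MESSAGE = "Warning Message"
    NONE = "No Security Notification"


@dataclass
class Mailbox:
    ext: str
    password: str                    # digits; the administrator sets the initial one
    consecutive_failures: int = 0
    locked: bool = False
    must_change_password: bool = False


@dataclass
class VoiceMail:
    min_password_length: int = 6      # handbook default and recommended minimum
    attempts_per_call: int = 3        # password time-out: three tries, then disconnect
    max_consecutive: int = 6          # invalid attempts before notification (assumed value)
    notification: Notification = Notification.MAILBOX_LOCK
    mailboxes: dict = field(default_factory=dict)
    admin_messages: list = field(default_factory=list)

    def login_call(self, ext, tries):
        """One call in which the caller enters passwords until one succeeds,
        the per-call limit is hit, or the consecutive limit is reached.
        Returns the last prompt the caller hears."""
        box = self.mailboxes[ext]
        if box.locked:
            return "Mailbox locked. Contact the System Administrator."
        for pw in tries[: self.attempts_per_call]:
            if pw == box.password:
                box.consecutive_failures = 0
                # An initial password shorter than the minimum cannot stay:
                # the first login must replace it (the tip under Security Tips).
                if len(box.password) < self.min_password_length:
                    box.must_change_password = True
                    return "Login ok. Your password must be changed now."
                return "Login ok."
            box.consecutive_failures += 1
            if box.consecutive_failures >= self.max_consecutive:
                return self._violation(box)
        return "Too many invalid passwords this call. Good-bye."

    def _violation(self, box):
        """Apply the administered notification option."""
        if self.notification is Notification.NONE:
            return "Login incorrect. Good-bye."   # nobody is told; strongly discouraged
        if self.notification is Notification.MAILBOX_LOCK:
            box.locked = True
        self.admin_messages.append(f"security violation: mailbox {box.ext}")
        return ("Login incorrect. Too many unsuccessful login attempts. "
                "The System Administrator has been notified. Good-bye.")

    def change_password(self, ext, new_pw):
        """Accept digits only, at least the minimum length, longer than the
        extension number, and never the extension itself."""
        box = self.mailboxes[ext]
        if (not new_pw.isdigit() or len(new_pw) < self.min_password_length
                or len(new_pw) <= len(ext) or new_pw == ext):
            return False
        box.password = new_pw
        box.must_change_password = False
        return True


if __name__ == "__main__":
    vm = VoiceMail(max_consecutive=4)
    vm.mailboxes["31234"] = Mailbox("31234", "1234")   # 4-digit initial password
    print(vm.login_call("31234", ["0000", "1111", "2222"]))
    print(vm.login_call("31234", ["3333"]))             # fourth consecutive failure
    print(vm.login_call("31234", ["1234"]))             # locked even with the right password
    print("administrator sees:", vm.admin_messages)
```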
PARTNER II Communications System

The PARTNER II Communications System R3, and later releases, supports the PARTNER MAIL System. The PARTNER II Communications System R3.1 and later releases support the PARTNER MAIL System and the PARTNER MAIL VS System.

For information on these systems, see ‘‘Protecting the PARTNER MAIL and PARTNER MAIL VS Systems’’ on page 5-48.

Also see ‘‘Related Documentation’’ in the ‘‘About This Document’’ section for a list of manuals on these products.
Protecting the PARTNER MAIL and PARTNER MAIL VS Systems

The PARTNER MAIL and PARTNER MAIL VS Systems provide automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.

Unauthorized persons try to locate unused or unprotected mailboxes and use them as dropoff points for their own messages, especially if inbound calls are free (for example, 800 inbound service).
Protecting Passwords

For PARTNER MAIL Release 1 and all releases of PARTNER MAIL VS, passwords can be up to four digits. For PARTNER MAIL Release 3, passwords can be up to 15 digits in length. See ‘‘Administration / Maintenance Access’’ on page 2-4 and ‘‘General Security Measures’’ on page 2-7 for secure password guidelines. See Appendix E for information on how to change the passwords.
Security Tips

• Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.
• For PARTNER MAIL System mailboxes, exercise caution when assigning a Class of Service.