Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Voice Messaging Systems Page 5-49 PARTNER II Communications System 5

  — Assign a Class of Service that provides outcalling privileges (for PARTNER MAIL Release 1, assign 4, 5, 6, or 8; for PARTNER MAIL Release 3, assign 3, 4, or 6) only to those mailboxes requiring these privileges.
  — Assign Classes of Service 1-6 (for PARTNER MAIL Release 1) or 1-4 and 20-23 (for PARTNER MAIL Release 3), Transfer Permitted, only to mailboxes for which the mailbox number is a real extension on the PARTNER II Communications System. Use Classes of Service 7-9 (for PARTNER MAIL Release 1) or 5, 6, and 15-19 (for PARTNER MAIL Release 3), Transfer Not Permitted, for all mailboxes for which there is no corresponding extension on the PARTNER II Communications System.
  — If outcalling is not used, assign system mailboxes (90 to 98, and 9997 to 9999) to Class of Service (COS) 7 or 9 (for PARTNER MAIL Release 1) or 5, 15-17, 18, 19 (for PARTNER MAIL Release 3).
• Require employees who have voice mailboxes to use passwords to protect their mailboxes.
• Require the System Administrator and all voice mailbox owners to change their password from the default.
• The System Administrator can set the Minimum Password Length to any value from 0-15 digits. The default value is six digits. Every subscriber’s mailbox password and the System Administration Password must be at least six digits.
  NOTE: A Minimum Password Length of at least six digits is strongly recommended. The shorter the Minimum Password Length, the more vulnerable your system is to abuse by unauthorized persons. Choose the largest acceptable minimum length in order to maximize the security of your system.
• Instruct employees not to make a statement, in their recorded greeting, indicating that they will accept collect calls.
• Have the voice messaging System Administrator delete unneeded voice mailboxes from the system immediately.
• The Security Violation Notification feature enables the System Administrator to choose to be warned about possible mailbox break-in attempts. The System Administrator can choose from the following options:
  • Mailbox Lock — Locks the subscriber’s mailbox and sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox.
  • Warning Message — Sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox (factory setting).
  • No Security Notification (strongly discouraged).
• Program the PARTNER II Communications System to:
  — Block direct access to outgoing lines and force the use of account codes and/or authorization codes.
  — Assign toll restrictions to individuals’ phones, especially in public areas.
  — If you do not need to use the Outcalling feature of the PARTNER MAIL System, completely restrict the outward calling capability of its system ports by using Inside Calls Only.
  — If outcalling is required, assign outgoing call restriction local only with the appropriate toll call prefix to ports used for outcalling. Assign applicable allowed and disallowed number lists to the PARTNER MAIL System ports used for outcalling. Two-port PARTNER MAIL Systems use port 2 for outcalling. Four-port systems use port 4 for outcalling. Six-port systems use ports 5 and 6 for outcalling. Outward restrict all other ports.

PARTNER Plus Communications System

The PARTNER Plus Communications System R3.1 and later releases support the PARTNER MAIL System and the PARTNER MAIL VS System. For information on these systems, see “Protecting the PARTNER MAIL and PARTNER MAIL VS Systems” on page 5-50. Also see “Related Documentation” in the “About This Document” section for a list of manuals on these products.

Protecting the PARTNER MAIL and PARTNER MAIL VS Systems

The PARTNER MAIL and PARTNER MAIL VS Systems provide automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department or person. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.
Unauthorized persons try to locate unused or unprotected mailboxes and use them as dropoff points for their own messages, especially if inbound calls are free (for example, 800 inbound service).
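
The Class of Service rules in the PARTNER MAIL Security Tips (given for the PARTNER II system above and repeated for PARTNER Plus below) can be checked mechanically against a mailbox list. The following audit script is an added example, not part of the handbook; the mailbox record layout, function names and sample data are assumptions constructed for illustration.

```python
from typing import NamedTuple

# COS groups as listed in the handbook, keyed by PARTNER MAIL release.
RULES = {
    1: {"outcalling": {4, 5, 6, 8},
        "transfer": set(range(1, 7)),
        "no_transfer": {7, 8, 9},
        "system": {7, 9}},
    3: {"outcalling": {3, 4, 6},
        "transfer": set(range(1, 5)) | set(range(20, 24)),
        "no_transfer": {5, 6} | set(range(15, 20)),
        "system": {5, 15, 16, 17, 18, 19}},
}
# System mailboxes named in the handbook: 90 to 98 and 9997 to 9999.
SYSTEM_MAILBOXES = set(range(90, 99)) | {9997, 9998, 9999}


class Mailbox(NamedTuple):  # hypothetical layout of an exported mailbox record
    number: int
    cos: int
    needs_outcalling: bool = False


def audit(mailboxes, real_extensions, release, outcalling_used):
    """Return sorted (mailbox number, finding) pairs for rule violations."""
    rules = RULES[release]
    findings = []
    for mb in mailboxes:
        if mb.cos not in rules["transfer"] | rules["no_transfer"]:
            findings.append((mb.number, "COS not in the handbook lists, review manually"))
            continue
        if mb.cos in rules["outcalling"] and not mb.needs_outcalling:
            findings.append((mb.number, "outcalling COS without a stated need"))
        if mb.number in SYSTEM_MAILBOXES and not outcalling_used:
            if mb.cos not in rules["system"]:
                findings.append((mb.number, "system mailbox not on a restricted COS"))
        elif mb.cos in rules["transfer"] and mb.number not in real_extensions:
            findings.append((mb.number, "Transfer Permitted COS but no real extension"))
    return sorted(findings)


# Constructed sample: a PARTNER MAIL Release 3 system that does not use outcalling.
SAMPLE_EXTENSIONS = {10, 11, 12, 13}
SAMPLE_MAILBOXES = [
    Mailbox(10, 1),
    Mailbox(11, 2),
    Mailbox(12, 4),      # outcalling COS, no stated need
    Mailbox(13, 9),      # COS 9 is not in the Release 3 lists
    Mailbox(40, 2),      # no such extension, yet Transfer Permitted
    Mailbox(41, 15),
    Mailbox(90, 20),     # system mailbox on a Transfer Permitted COS
    Mailbox(9999, 5),
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_MAILBOXES, SAMPLE_EXTENSIONS, 3, False):
        print(f"mailbox {number}: {finding}")
```
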
Protecting Passwords

For PARTNER MAIL Release 1 and all releases of PARTNER MAIL VS, passwords can be up to four digits. For PARTNER MAIL Release 3, passwords can be up to 15 digits in length. See “Administration / Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines. See Appendix E for information on how to change passwords in the PARTNER MAIL System and the PARTNER MAIL VS System.

Security Tips

• Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.
• For PARTNER MAIL System mailboxes, exercise caution when assigning a Class of Service.
  — Assign a Class of Service that provides outcalling privileges (for PARTNER MAIL Release 1 and PARTNER VS, assign 4, 5, 6, or 8; for PARTNER MAIL Release 3, assign 3, 4, or 6) only to those mailboxes requiring these privileges.
  — Assign Classes of Service 1-6 (for PARTNER MAIL Release 1 and PARTNER VS) or 1-4 and 20-23 (for PARTNER MAIL Release 3), Transfer Permitted, only to mailboxes for which the mailbox number is a real extension on the PARTNER Plus Communications System. Use Classes of Service 7-9 (for PARTNER MAIL Release 1 and PARTNER VS) or 5, 6, and 15-19 (for PARTNER MAIL Release 3), Transfer Not Permitted, for all mailboxes for which there is no corresponding extension on the PARTNER Plus Communications System.
  — If outcalling is not used, assign system mailboxes (90 to 98, and 9997 to 9999) to Class of Service (COS) 7 or 9 (for PARTNER MAIL Release 1) or 5, 15-17, 18, 19 (for PARTNER MAIL Release 3).
• Require employees who have voice mailboxes to use passwords to protect their mailboxes.
• Require the System Administrator and all voice mailbox owners to change their password from the default.
• The System Administrator can set the Minimum Password Length to any value from 0-15 digits. The default value is six digits. Every subscriber’s mailbox password and the System Administration Password must be at least six digits.
  NOTE: A Minimum Password Length of at least six digits is strongly recommended. The shorter the Minimum Password Length, the more vulnerable your system is to abuse by unauthorized persons. Choose the largest acceptable minimum length in order to maximize the security of your system.
• Instruct employees not to make a statement, in their recorded greeting, indicating that they will accept collect calls.
• Have the voice messaging System Administrator delete unneeded voice mailboxes from the system immediately.
• The Security Violation Notification feature enables the System Administrator to choose to be warned about possible mailbox break-in attempts. The System Administrator can choose from the following options:
  • Mailbox Lock — Locks the subscriber’s mailbox and sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox.
  • Warning Message — Sends a warning message to the mailbox owner’s mailbox and the System Administrator’s mailbox (factory setting).
  • No Security Notification (strongly discouraged).
• Program the PARTNER Plus Communications System to:
  — Block direct access to outgoing lines and force the use of account codes and/or authorization codes.
  — Assign toll restrictions to individual’s phones, especially in public areas.
  — If you do not need to use the Outcalling feature of the PARTNER MAIL System, completely restrict the outward calling capability of its system ports by using Inside Calls Only.
  — If outcalling is required, assign outgoing call restriction local only with the appropriate toll call prefix to ports used for outcalling. Assign applicable allowed and disallowed number lists to the PARTNER MAIL System ports used for outcalling. Two-port PARTNER MAIL Systems use port 2 for outcalling. Four-port systems use port 4 for outcalling. Six-port systems use ports 5 and 6 for outcalling. Outward restrict all other ports.

System 25

System 25 may be used with the AUDIX Voice Power System. (For information on this system, see “Protecting the AUDIX Voice Power System” on page 5-53.)
Also see “Related Documentation” in the “About This Document” section for a list of manuals on this product.

Follow the steps listed below for securing a voice processing system on the System 25.
• Outward restrict the voice processing ports whenever possible.
• Use the voice processing system’s maximum extension length, valid extension range, and transfer to subscriber only feature, if available.
• Tightly control system administration access to these systems.
• Program the System 25 to:
  — Block direct access to outgoing lines and force the use of account codes and/or authorization codes.
  — Disallow trunk-to-trunk transfer unless it is required.
    NOTE: This parameter only applies to loop start lines.
• Do not administer the voice mail/coverage ports for remote call forwarding.
• Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.

Protecting the AUDIX Voice Power System

The AUDIX Voice Power System provides both automated attendant and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department or person. The voice mail feature provides call coverage to voice mailboxes along with a variety of voice messaging features.

Unauthorized persons concentrate their activities in two areas with the AUDIX Voice Power System:
• They try to transfer out of the AUDIX Voice Power System to gain access to an outgoing trunk and make long distance calls.
• They try to locate unused or unprotected mailboxes and use them as dropoff points for their own messages.

Protecting Passwords

The AUDIX Voice Power System offers password protection to help restrict unauthorized access. Subscribers should use a maximum length password and should change it routinely. Passwords can be up to 9 digits. See “Administration / Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines. See Appendix E for information on how to change passwords.

Security Tips

The following security measures assist you in managing features of the AUDIX Voice Power System to help prevent unauthorized use.
• Set Transfer to Subscribers Only to yes. This limits transfers to valid extensions.
• If you have Release 1.0 of the AUDIX Voice Power System, implement all appropriate security measures on the PBX side.
• Require employees who have voice mailboxes to use passwords to protect their mailboxes. See “Administration / Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines.
• Make sure subscribers change the default password the first time they log in to the AUDIX Voice Power System.
• Have the AUDIX Voice Power System Administrator delete unneeded voice mailboxes from the system immediately.
• On the System Parameters form, use the maximum number of digits allowable for extension entry (six). This will make it more difficult for criminals to guess the login and password combinations of your users.
• Set up auto attendant selection codes so that they do not permit outside line selection.
• Assign toll restriction levels to the AUDIX Voice Power System ports.
• If you do not need to use the Outcalling feature of the AUDIX Voice Power System, completely restrict the outward calling capability of the AUDIX Voice Power System ports.
• Disallow transfers to extensions not registered as valid subscribers.

WARNING: Entering “#” transfers calls to the switch; that is, the transfer feature is always available and appropriate outgoing port restrictions must be in place to avoid toll fraud.

Security Measures

The security measures described in this section do not apply if you are using Release 1.0 of the AUDIX Voice Power System. In this case, use PBX restrictions.

Transfer Only to System Subscribers

The AUDIX Voice Power System has the ability to allow callers to transfer only to mailbox subscribers.
When an AUDIX Voice Power System caller requests a transfer using *T followed by an extension number, the AUDIX Voice Power System can compare the extension number entered with the valid extension numbers administered in the subscriber database. If the extension is invalid, the transfer is denied and an error message is played to the caller. However, it does not prevent transfers from pre-administered dial strings in the automated attendant from accessing the outgoing facilities. Refer to Chapter 6 for procedures to restrict the automated attendant ports.
• On the AUDIX Voice Power System, within the System Parameter Administration form, enter yes in the Transfer to Subscribers Only field.
NOTE: You cannot use this security measure if calls are transferred to people in your company who are not AUDIX Voice Power System subscribers (see “Limit Transfers Out of the System” on page 5-30).

Limit Transfers Out of the System

When you need to allow transfers to people who are not AUDIX Voice Power System subscribers, you can add their extension numbers to the AUDIX Voice Power System subscriber database, but restrict access to their voice mailboxes.
• On the System Parameter Administration form, enter yes in the Transfer to Subscriber Only field.
• On the Subscriber Administration form, add each extension number for non-AUDIX Voice Power System subscribers.
• Enter # in the Subscriber Password field to prevent access to the corresponding voice mail.
• Enter yes in the Does the subscriber have switch call coverage field. On the switch side, do not specify the AUDIX Voice Power System extension as a coverage point for any of these added extensions.

NOTE: Although these restricted voice mailboxes cannot receive Call Answer messages, they do receive broadcast messages and even may receive a misdirected message from another subscriber. To save storage space, you should periodically clean out these mailboxes by accessing the restricted mailboxes and deleting all messages.

NOTE: On AUDIX Voice Power System 2.1.1, mailboxes can be set individually to “1 minute,” reducing the clean-up required to service these mailboxes.

6 Automated Attendant

DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85

Automated attendant is a service that connects to the PBX/communications system to help route calls to the appropriate extension. A menu of options allows callers to choose a predefined destination, such as a department, announcement, or an attendant, or a user-defined destination, such as an extension number.

Many automated attendant systems are vulnerable to toll fraud and are easy targets for toll hackers. Although there are some steps you can take to tighten the security of the automated attendant itself, additional steps must be taken on the switch side to reduce the risk of toll fraud.

Security Tips

• Never allow a menu choice to transfer to an outgoing trunk without a specific destination.
• When a digit (0 through 9) is not a menu option, program it to transfer to an attendant, an announcement, a disconnect, or other intercept treatment.
• This tip does not apply to the AUDIX Voice Mail System: When 8 or 9 are Feature Access Codes for the switch, make sure the same numbers on the automated attendant menu are either translated to an extension or, if not a menu option, are programmed to transfer to an attendant, an announcement, a disconnect, or other intercept treatment.
• AUDIX Voice Mail System owners: use Enhanced Call Transfer. Apply the appropriate security measures described in Chapter 5.
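
A linter for the three menu rules above, written as an added example that is not part of the handbook. The menu representation (a digit mapped to an action name and a destination), the action names and the sample menu are assumptions constructed for illustration.

```python
# Treatments the handbook accepts for a digit that is not a real menu option.
INTERCEPTS = {"attendant", "announcement", "disconnect", "intercept"}


def lint_menu(menu, feature_access_digits=("8", "9"), audix=False):
    """menu maps a digit to (action, destination).

    Returns (digit, finding) pairs in digit order. Set audix=True to skip the
    Feature Access Code rule, which the handbook says does not apply to the
    AUDIX Voice Mail System.
    """
    findings = []
    for digit in "0123456789":
        entry = menu.get(digit)
        if entry is None:
            findings.append((digit, "unprogrammed digit, add an intercept treatment"))
            continue
        action, destination = entry
        if action == "trunk" and not destination:
            findings.append(
                (digit, "transfer to outgoing trunk without a specific destination"))
        if (not audix and digit in feature_access_digits
                and action != "extension" and action not in INTERCEPTS):
            findings.append(
                (digit, "matches a switch Feature Access Code but is not "
                        "translated to an extension or intercept"))
    return findings


# Constructed sample menu (hypothetical action names and destinations).
SAMPLE_MENU = {
    "0": ("attendant", None),
    "1": ("extension", "201"),
    "2": ("extension", "202"),
    "3": ("announcement", "office-hours"),
    "8": ("trunk", "5550100"),   # fixed destination, but 8 is a Feature Access Code
    "9": ("trunk", None),        # open trunk access on a Feature Access Code digit
}

if __name__ == "__main__":
    for digit, finding in lint_menu(SAMPLE_MENU):
        print(f"digit {digit}: {finding}")
```
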

Tools that Prevent Unauthorized Calls

You can help prevent unauthorized callers who enter the automated attendant system from obtaining an outgoing facility by using the security tools shown in Table 6-1.

Facility Restriction Levels

The switch treats all the PBX ports used by automated attendant systems as stations. Therefore, each automated attendant port can be assigned a COR with an FRL associated with the COR. FRLs provide for eight different levels of restrictions for AAR/ARS/WCR calls. FRLs are used in combination with calling permissions and routing patterns and/or preferences to determine where calls can be made. FRLs range from 0 to 7, with each number representing a different level of restriction (or no restrictions at all).

The FRL is used for the AAR/ARS/WCR feature to determine call access to an outgoing trunk group. Outgoing call routing is determined by a comparison of the FRLs in the AAR/ARS/WCR routing pattern to the FRL associated with the COR/COS of the call originator.

The higher the station FRL number, the greater the calling privileges. For example, if a station is not permitted to make outside calls, assign it an FRL value of 0. Then ensure that the FRLs on the trunk group preferences in the routing patterns are 1 or higher.

For example, when automated attendant ports are assigned to a COR with an FRL of 0, outside calls are disallowed. If that is too restrictive, the automated

Table 6-1. Automated Attendant Security Tools

Security Tool | Switch | Page #
Enhanced Call Transfer (see “Protecting the AUDIX, DEFINITY AUDIX, and Lucent Technologies INTUITY Voice Mail Systems”) | DEFINITY ECS, DEFINITY G1, G2, G3, System 75 R1V3 Issue 2.0, System 85 R2V4 | 5-15
Facility Restriction Levels* | All | 6-2
Station-to-Trunk Restrictions* | All | 6-3
Class of Restriction | DEFINITY ECS, DEFINITY G1, G3, and System 75 | 6-3
Class of Service | DEFINITY G2 and System 85 | 6-3
Toll Analysis | DEFINITY ECS, DEFINITY G1, G2, G3, and System 85 | 6-5
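
The FRL comparison described under Facility Restriction Levels, as an added example that is not part of the handbook: it picks the first routing-pattern preference whose FRL does not exceed the originator's, then lists every outside route an automated attendant port can reach. Port names, COR numbers, pattern names and trunk groups are constructed for illustration.

```python
def select_preference(originator_frl, pattern):
    """Return the first trunk group whose preference FRL the originator meets.

    pattern is an ordered list of (trunk_group, preference_frl). A call may use
    a preference only when the originator's FRL is greater than or equal to the
    preference's FRL. Returns None when no preference is usable.
    """
    for trunk_group, preference_frl in pattern:
        if not 0 <= preference_frl <= 7:
            raise ValueError(f"FRL out of range 0-7: {preference_frl}")
        if originator_frl >= preference_frl:
            return trunk_group
    return None


def audit_ports(port_cor, cor_frl, patterns):
    """List (port, pattern, trunk_group) for every route a port can reach."""
    exposures = []
    for port, cor in sorted(port_cor.items()):
        for name, pattern in sorted(patterns.items()):
            trunk_group = select_preference(cor_frl[cor], pattern)
            if trunk_group is not None:
                exposures.append((port, name, trunk_group))
    return exposures


# Constructed sample configuration.
COR_FRL = {10: 0, 11: 2}                       # COR number -> FRL
PORT_COR = {"aa-port-1": 10, "aa-port-2": 11}  # automated attendant port -> COR
PATTERNS = {
    "local": [("tg-1", 1)],
    "long-distance": [("tg-2", 3), ("tg-3", 5)],
    "legacy": [("tg-9", 0)],   # FRL 0 preference: usable even by an FRL 0 port
}

if __name__ == "__main__":
    for port, pattern, trunk_group in audit_ports(PORT_COR, COR_FRL, PATTERNS):
        print(f"{port} can reach {trunk_group} through pattern {pattern}")
```

In the sample, the port on the FRL 0 COR is still exposed through the "legacy" pattern, which is why the handbook pairs an FRL of 0 on the station with FRLs of 1 or higher on every trunk group preference.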