Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997

Contents

- Toll Fraud Contact List

H Product Security Checklists
- General Security Procedures
- AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems
- AUDIX Voice Power System
- BasicWorks
- CONVERSANT Voice Information System
- DEFINITY ECS, DEFINITY G1 and G3, and System 75
- DEFINITY G2 and System 85
- DIMENSION PBX System
- Lucent Technologies/Bay Networks
- MERLIN II Communications System
- MERLIN LEGEND Communications System
- MERLIN MAIL Voice Messaging System
- MERLIN MAIL-ML Voice Messaging System
- MERLIN MAIL R3 Voice Messaging System
- MERLIN Plus Communications System
- Multimedia Communications Exchange Server
- Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS)
  - ESM Security Checklist
  - CRCS Security Checklist
  - MSM Security Checklist
- PARTNER II and PARTNER Plus Communications Systems
- PARTNER MAIL and PARTNER MAIL VS Systems
- System 25
- PassageWay Telephony Services

I Large Business Communications Systems Security Tools by Release

GL Glossary

IN Index
About This Document

Scope of this Handbook

This handbook discusses security risks and measures that can help prevent external telecommunications fraud involving the following Lucent Technologies products:

Communications Server:
- DEFINITY® Enterprise Communications Server (ECS) Release 5 and later

PBX systems:
- DEFINITY® Generic 1, 2, and 3 Communications Systems
- MERLIN® II Communications System
- MERLIN LEGEND® Communications System
- MERLIN® Plus Communications System
- PARTNER® II Communications System
- PARTNER® Plus Communications System
- System 25 Communications System
- System 75 (R1V1, R1V2, R1V3)
- System 85 (R1, R2V2, R2V3, R2V4)

Voice processing systems:
- AUDIX® Voice Mail System
- AUDIX® Voice Power® System
- CONVERSANT® Voice Information System
- DEFINITY® AUDIX® System
- INTUITY™ AUDIX® Voice Messaging System
- INTUITY™ CONVERSANT® Voice Information System
- MERLIN MAIL® Voice Messaging System
- MERLIN MAIL®-ML Voice Messaging System
- MERLIN MAIL® R3 Voice Messaging System
- PARTNER MAIL® System
- PARTNER MAIL VS® System

Other products and services:
- Call Management System (R3V2)
- CallMaster® PC
- Multipoint Conferencing Unit (MCU)
- PassageWay® Telecommunications Interface
- TransTalk™ 9000 Digital Wireless System
- Telephony Services for Netware®

NOTE: Although the DIMENSION® Call Management System is not covered explicitly in this handbook, the information supplied for System 85 Release 2 applies to the DIMENSION PBX System as well.

NOTE: This document describes switch features and how they are related to security. It is not designed to fully describe the capabilities of each feature. For further details about all the security features and their interactions with other system features, refer to the appropriate system manual for your telecommunications system. (See “Related Documentation” in this chapter for titles and document numbers.)

For the latest updates on the security of products, the following options are available:

- Purchase the Toll Fraud Prevention training video
  This videotape is divided into three segments: general information to illustrate the impact of toll fraud, testimony taken from a real hacker, and interviews with toll fraud victims. Covered topics include hacker access techniques, toll fraud issues, safeguard features, effective system management, security plans, and security monitoring solutions. To order, call the Lucent Technologies Sourcebook Catalog at 1 800 635-8866, then select prompt #1, PEC 1469-021.
- Enroll in Lucent Technologies BCS Advanced Security for DEFINITY ECS
  This advanced 2-day training course provides additional technical methods and procedures in recognizing and preventing toll fraud for the DEFINITY user. To enroll, call 1 800 255-8988, PEC 1460-095.

Reason for Reissue

This issue, Issue 6 of the GBCS Products Security Handbook, updates information to include the following:

- Changes in the text to reflect the addition of the DEFINITY Enterprise Communications Server Release 5 and Release 6
- The Security Violations Measurement Reports used with the DEFINITY switch
- MERLIN LEGEND Release 3.1, 4.0, 4.1, 4.2, and 5.0
- MERLIN LEGEND MAIL
- PARTNER MAIL Release 3
- INTUITY AUDIX® used with MERLIN LEGEND

Minor edits and other additions have also been included in this issue.

Intended Audience

Telecommunications managers, console operators, and security organizations within a company should be aware of the information in Chapters 1 and 2.

Chapter 3 introduces more technical information and is directed at people responsible for implementing and administering the security aspects of systems.

Appendices A through D expand upon technical information in the handbook and are intended for use by the system administrator. Appendices E, F, H, and I have application throughout the organization. Appendix G is specifically intended for telecommunications management personnel with responsibilities for implementing a security policy.
How this Guide is Organized

The GBCS Products Security Handbook has the following chapters and appendices:

Chapter 1: Introduction
    Provides a background for toll fraud.

Chapter 2: Security Risks
    Discusses the major areas in which customer premises equipment-based systems are vulnerable, and introduces available security measures.

Chapter 3: Large Business Communications Systems
    Provides information on protecting the DEFINITY ECS Release 5 and later, DEFINITY Communications System Generic 1, Generic 2, and Generic 3, System 75, and System 85. Details how Remote Access is vulnerable to toll fraud, explains numerous system security features, and provides detailed procedures.

Chapter 4: Small Business Communications Systems
    Provides information on protecting the MERLIN II, MERLIN LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 Communications Systems. Details product features that are vulnerable to toll fraud, such as Remote Access and Remote Call Forwarding, and recommends security measures.

Chapter 5: Voice Messaging Systems
    Provides information on protecting voice messaging systems. Explains the tools available and recommends security measures.

Chapter 6: Automated Attendant
    Provides information on protecting Automated Attendant systems. Explains the features available and recommends security measures.

Chapter 7: Other Products and Services
    Provides information to protect other Lucent Technologies products and services from toll fraud.

Appendix A: Call Routing
    Details call flow through a customer premises equipment-based system.

Appendix B: Blocking Calls
    Provides procedures for blocking calls to common toll fraud destinations.

Appendix C: Remote Access Example (G1, G3, and System 75)
    Offers an example of how to set up Remote Access and an example of how to disable it.

Appendix D: Administering Features of the DEFINITY G3V3 and Later
    Provides information on administering features available in DEFINITY Releases G3V3 and later, including the DEFINITY ECS Release 5 and 6.

Appendix E: Changing Your Password
    Tells how to change passwords for systems in the handbook.

Appendix F: Toll Fraud Job Aids
    Provides job aids to help prevent toll fraud.

Appendix G: Special Security Product and Service Offers
    Details special product and service offers and provides a toll fraud contact list.

Appendix H: Product Security Checklists
    Lists the available security features and tips by product.

Appendix I: Large Business Communications Systems Security Tools by Release
    Details security tools referenced in this guide, for the System 75, System 85, DEFINITY ECS, and DEFINITY Communications Systems by release.

Lucent Technologies’ Statement of Direction

The telecommunications industry is faced with a significant and growing problem of theft of customer services. To aid in combating these crimes, Lucent Technologies intends to strengthen relationships with its customers and its support of law enforcement officials in apprehending and successfully prosecuting those responsible.

No telecommunications system can be entirely free from the risk of unauthorized use. However, diligent attention to system management and to security can reduce that risk considerably. Often, a trade-off is required between reduced risk and ease of use and flexibility. Customers who use and administer their systems make this trade-off decision. They know how to best tailor the system to meet their unique needs and, necessarily, are in the best position to protect the system from unauthorized use. Because the customer has ultimate control over the configuration and use of Lucent Technologies services and products it purchases, the customer properly bears responsibility for fraudulent uses of those services and products.

To help customers use and manage their systems in light of the trade-off decisions they make and to ensure the greatest security possible, Lucent Technologies commits to the following:

- Lucent Technologies products and services will offer the widest range of options available in the industry to help customers secure their communications systems in ways consistent with their telecommunications needs.
- Lucent Technologies is committed to develop and offer services that, for a fee, reduce or eliminate customer liability for PBX toll fraud, provided the customer implements prescribed security requirements in its telecommunications systems.
- Lucent Technologies’ product and service literature, marketing information and contractual documents will address, wherever practical, the security features of our offerings and their limitations, and the responsibility our customers have for preventing fraudulent use of their Lucent Technologies products and services.
- Lucent Technologies sales and service people will be the best informed in the industry on how to help customers manage their systems securely. In their continuing contact with customers, they will provide the latest information on how to do that most effectively.
- Lucent Technologies will train its sales, installation and maintenance, and technical support people to focus customers on known toll fraud risks; to describe mechanisms that reduce those risks; to discuss the trade-offs between enhanced security and diminished ease of use and flexibility; and to ensure that customers understand their role in the decision-making process and their corresponding financial responsibility for fraudulent use of their telecommunications system.
- Lucent Technologies will provide education programs for internal and external customers to keep them apprised of emerging technologies, trends, and options in the area of telecommunications fraud.
- As new fraudulent schemes develop, Lucent Technologies will promptly initiate ways to impede those schemes, share our learning with our customers, and work with law enforcement officials to identify and prosecute fraudulent users whenever possible.

We are committed to meeting and exceeding our customers’ expectations, and to providing services and products that are easy to use and high in value. This fundamental principle drives Lucent Technologies’ renewed assault on the fraudulent use by third parties of our customers’ communications services and products.

Lucent Technologies/Customer Security Roles and Responsibilities

The purchase of a telecommunications system is a complicated process involving many phases, including: system selection, design, ordering, implementation, and assurance testing. Throughout these phases, customers, vendors, and their agents each have specific roles and responsibilities. Insuring that systems are designed, ordered, installed, and maintained in a secure fashion is a responsibility each organization must understand.

Lucent Technologies, seeking to be our customers’ Partner of Choice, clearly defined its mission in this area in a Statement of Direction issued in May, 1992.
(See the preceding section.) More specifically, Lucent Technologies BCS recognized four areas where we or our agents had specific responsibilities to our customers. These areas, and our responsibilities in each area, are detailed in the next section, “Lucent Technologies’ Roles and Responsibilities.”

In addition, customers have specific responsibilities to insure the system they are installing is as secure as their requirements dictate. The following quote is from A Cooperative Solution to the Fraud that Targets Telecom Systems, a position paper developed by the Toll Fraud Prevention Committee (TFPC) of the Alliance for Telecommunications Industry Solutions:

“It is necessary to stress that the business owner, the owner or lessee of the CPE [Customer Premises Equipment], has the primary and paramount care, custody, and control of the CPE. The owner has the responsibility to protect this asset, the telecommunications system equally as well as other financial assets of the business.”

The position paper attempts to define industry standards for the roles and responsibilities of the various organizations involved in a system implementation. Portions of that paper are applicable to this handbook and are quoted throughout. Customers interested in the entire document can receive copies by contacting the Alliance for Telecommunications Industry Solutions, 1200 G Street, NW, Suite 500, Washington, DC 20005.

Lucent Technologies’ Roles and Responsibilities

1. Lucent Technologies BCS, as a manufacturer, has the responsibility to PROVIDE the customer with securable technology, the information resources (product documentation) to understand the capabilities of the technology, and the configuration of the equipment when it shipped from the factory.

2. Lucent Technologies BCS, as a sales organization, has the responsibility to INFORM the customer of potential toll fraud, how it can happen, and what roles and responsibilities Lucent Technologies and the customer need to accept to work together in reducing the customer’s potential for toll fraud.

3. Lucent Technologies BCS, as a provisioning organization, has the responsibility to ASSIST the customer in understanding the risks inherent in the use of certain equipment features, and the methods available to minimize those risks. Together with the customer, Lucent Technologies must come to an agreement on the desired configuration, and insure that customers’ requests are carried out correctly.

4. Lucent Technologies BCS, as a maintenance provider, has the responsibility to ENSURE that no action, taken by us, serves to introduce risk to the customer’s system. At the very least we must ensure the customer is as secure after our assistance as they were before it.

Customer Roles and Responsibilities

The customer as the business owner has the responsibility to SELECT AND MANAGE the security of their system. Specifically, according to the TFPC of the Alliance for Telecommunications:

“The basic responsibility of the business owner is to devote adequate resources (time, talent, capital, etc.) to the selection of CPE and to its management, including fraud prevention, detection and deterrence. It is an essential part of managing the business. The owner must demand that the internal staff and supporting external professionals, such as consultants, include security concerns in the evaluation, design, and operation of the telecommunications environment for his/her business.”

Lucent Technologies Security Offerings

Lucent Technologies has developed a variety of offerings to assist in maximizing the security of your system. These offerings include:

- Security Audit Service of your installed systems (see Appendix G).
- Security Tune-up Service (see Appendix G).
- Toll Fraud Crisis Intervention Service (see “Lucent Technologies Toll Fraud Crisis Intervention” in this section).
- The BCS Product Security Kit, 555-025-601, includes this Security Handbook, a self-paced tutorial that uses diagrams of system administration screens to help customers design security into their systems, and a training video tape addressing customer needs for tools to share within their own companies. The video tape provides customers with valuable information on ways to recognize and defend against toll fraud.
- The HackerTracker™ Call Accounting package that calls you when preset types and thresholds of calls are established (see “Lucent Technologies HackerTracker” in Appendix G).
- Remote Port Security Device (RPSD) that makes it difficult for computer hackers to access the remote maintenance ports (see Appendix G).
- Integrated Lock for Security Toolkit (or SoftLock) feature (see Appendix G). This feature provides many of the same options as the RPSD listed above, but whereas the RPSD is a hardware device, the SoftLock feature is a software interface that can be installed directly in the DEFINITY ECS software base. This software can be used only with the DEFINITY ECS Release 6.2 and later.
- Software that can identify the exact digits passed through the voice mail system (AUDIX Data Acquisition Package [ADAP]). See your account representative.