Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-5
Keeping Unauthorized Third Parties from Entering the System 3

Figure 3-1. Remote Access Call Path [flowchart; decision and outcome labels recovered from the figure: Incoming Remote Access Call; Barrier Code Required?; Code Entered / No Code Entered; Valid Code?; Authorization Code Required?; Access Dial Tone?; Remote Access Dial Tone; System Dial Tone; Call Placed; Log Invalid Attempt; Apply Security Violation Notification; Route to Attendant or Disconnect; Disconnect Call; Stop]
For DEFINITY ECS, DEFINITY G1, G3, and System 75, you can assign up to 10 barrier codes to provide the first checkpoint. When barrier codes are required for Remote Access, callers hear a special dial tone, and then must enter a valid barrier code before they can access the PBX system.

NOTE: With DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3, you can require the entry of an authorization code after the barrier code prior to callers receiving system dial tone for placing calls.

Barrier codes can be up to seven digits (use all seven for maximum security). Each barrier code can be assigned a different Class of Restriction (COR) and Class of Service (COS) to identify the calling privileges available to the user who enters it. For Remote Access calls, dialing a barrier code overrides the COR set for the incoming facility; if no barrier code is required, the default COR on the Trunk Group is used.

NOTE: The COS assigned to the barrier code should be set to console permission = n.

For DEFINITY G3V3 and later (which includes DEFINITY ECS), the Remote Access Barrier Code Aging feature provides a means of limiting the time that remote access barrier codes are valid, and/or specifying the number of remote access calls that can be placed per barrier code. The ability to define a barrier code’s lifespan and automatically retire it at the end of its usefulness, or to specify the number of times it can be used before it is retired, can significantly reduce the opportunity for unauthorized, fraudulent use of the remote access feature. For more information, see ‘‘Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later)’’ on page 3-61, and ‘‘Administering Barrier Code Aging’’ on page D-11.
For DEFINITY G3V3 and later, which includes DEFINITY ECS, the security violation notification feature alerts the switch administrator of a login violation. When a violation is detected for a valid login ID, the login ID is disabled, prohibiting its further use until the security violation is investigated and the login ID re-enabled. For more information, see ‘‘ Administering Login ID Kill After N Attempts’’ on page D-7. For DEFINITY G3V4 and later, which includes DEFINITY ECS, the Remote Access Notification feature provides automatic reporting when Remote Access is in use. For more information, see ‘‘ Adding Customer Logins and Assigning Initial Password’’ on page D-13. For DEFINITY G2 and System 85, either a barrier code or an authorization code (see below) can be required before callers can access switch features or trunks. There is only one 4-digit barrier code for Remote Access. This can be changed using a Feature Access Code, and is normally assigned by the attendant. When callers enter the wrong barrier code, the calls are given intercept treatment. (When no barrier code is entered, the call can be routed to an attendant.) A barrier
code should be used to screen entry into Remote Access; authorization codes can then be used to screen outgoing calls on Automatic Alternate Routing (AAR), Automatic Route Selection (ARS), and World Class Routing (WCR) (G2.2) trunks.

Authorization Codes [1]

NOTE: For all systems, once established, the number of digits (four to seven) in the authorization code remains fixed unless all codes are removed and re-entered. All authorization codes used in the system must be the same length.

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3, the calling privileges of an authorization code override the privileges established by the barrier code. With Remote Access calls, dialing an authorization code overrides the COR set for the barrier code. Individual users should be assigned unique authorization codes from four to seven digits (use all seven for maximum security). Authorization codes serve as a second layer of protection when combined with barrier codes for Remote Access. When authorization codes are required, the caller hears a special dial tone (optional) and must then enter a valid authorization code to access the system.

NOTE: If a Remote Access caller is to be restricted from long distance but allowed other ARS calls (for example, local), then the authorization code COR should have an appropriately low FRL.

NOTE: Authorization codes are also recorded by the PBX’s call detail recording feature (SMDR/CDR), allowing for call verification by the individual assigned the authorization code. Proper security must be followed to protect any printed copies of the call records.

For DEFINITY G2 and System 85, authorization codes can replace barrier codes on incoming Remote Access facilities or can be used to screen outgoing calls on AAR/ARS/WCR trunks.
Only authorization codes with the Network Access Flag set are permitted to make outgoing calls. The authorization code option requires that the caller enter a valid authorization code to receive switch dial tone. The authorization code used for Remote Access has an FRL value used by AAR/ARS/WCR trunks for outgoing calls [see ‘‘Facility Restriction Level (FRL)’’ on page 3-15]. Up to 5,000 authorization codes can be issued to System 75 R1V3 and DEFINITY G1 users, and up to 90,000 for System 85, DEFINITY G2, and G3 users. However, it is best to keep the number of authorized users to a minimum.

To maximize the security of the system, follow these steps:
- When assigning authorization codes, give the users the lowest possible FRL needed for their calling requirements.
- Be sure to remove any unused authorization codes from the system, including those assigned to employees who have changed assignments or left the company.
- Assign each authorization code the minimum level of calling permissions required.
- Make authorization codes nonconsecutive (random).
- Administer each authorization code to the maximum length allowed by the system (7 digits).

NOTE: When a call directed to a VDN points to a vector containing a Route To step, and that Route To step attempts to utilize an authorization code, the call will be denied.

Feature Access Code Administration

Certain Feature Access Codes may facilitate egress from the system and should be used with care. These include: Data Origination, Data Privacy, Data Restriction, Abbreviated Dialing, ARS/AAR, Call Forwarding, and Facility Test Calls.

Trunk Administration

When trunk groups are administered they are assigned a Trunk Access Code (TAC). Unless they are needed, prohibit both direct dial access and facility test call access to trunk groups. This prevents callers from using TACs to obtain an outgoing trunk.

Remote Access Dial Tone

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3, when a user reaches the Remote Access port, if authorization codes are administered and barrier codes are not used, the system can be administered so the caller will hear a dial tone, a Remote Access tone, or silence as a prompt for the authorization code.

[1] Authorization codes are standard only in System 85 and DEFINITY G2. They are an option for System 75 R1V3, DEFINITY G1, G3, and DEFINITY ECS, which require the customer to purchase the appropriate right to use.
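The call path of Figure 3-1 and the rules stated above (barrier code COR overriding the trunk group COR, authorization code COR overriding the barrier code COR, Barrier Code Aging and access limits, and the authorization code checklist), modelled in Python as an added example. This is not code from the handbook or from any DEFINITY product: the class names, the disposition strings, the constructed sample codes and the audit function are assumptions made for illustration.

```python
"""Remote Access admission as Figure 3-1 describes it: barrier code checkpoint,
optional authorization code checkpoint, COR override order, Barrier Code
Aging/Access Limits, and the authorization-code hygiene checklist.
Added example; class and function names are assumptions, not DEFINITY forms."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class BarrierCode:
    cor: int                               # COR granted to callers who enter this code
    expires: Optional[datetime] = None     # Barrier Code Aging: retire at this time
    calls_remaining: Optional[int] = None  # Access Limits: retire after N calls


@dataclass
class RemoteAccessPolicy:
    trunk_default_cor: int                 # used only when no barrier code is required
    barrier_codes: Dict[str, BarrierCode] = field(default_factory=dict)
    auth_codes: Dict[str, int] = field(default_factory=dict)   # code -> COR
    require_barrier: bool = True
    require_auth: bool = False
    invalid_attempts: List[Tuple[str, str, datetime]] = field(default_factory=list)

    def admit(self, now: datetime, barrier: Optional[str] = None,
              auth: Optional[str] = None) -> Tuple[str, Optional[int]]:
        """Walk the call path; return (outcome, effective COR). Invalid entries
        are logged (the feed Security Violation Notification counts) and the
        call is stopped instead of reaching system dial tone."""
        cor = self.trunk_default_cor
        if self.require_barrier:
            bc = self.barrier_codes.get(barrier or "")
            if bc is None:
                self.invalid_attempts.append(("barrier", barrier or "", now))
                return ("disconnect", None)
            if bc.expires is not None and now >= bc.expires:
                return ("disconnect", None)          # aged out: code retired
            if bc.calls_remaining is not None:
                if bc.calls_remaining <= 0:
                    return ("disconnect", None)      # access limit reached
                bc.calls_remaining -= 1
            cor = bc.cor                             # barrier code COR overrides trunk group COR
        if self.require_auth:
            if auth not in self.auth_codes:
                self.invalid_attempts.append(("authorization", auth or "", now))
                return ("disconnect", None)
            cor = self.auth_codes[auth]              # authorization code COR overrides barrier code COR
        return ("system_dial_tone", cor)


def audit_authorization_codes(codes: List[str]) -> List[str]:
    """Apply the checklist: all codes the same length, administered to the
    7-digit maximum, and nonconsecutive (no code exactly one greater than another)."""
    findings = []
    if len({len(c) for c in codes}) > 1:
        findings.append("codes are not all the same length")
    for c in codes:
        if not c.isdigit() or not 4 <= len(c) <= 7:
            findings.append(f"{c}: must be 4 to 7 digits")
        elif len(c) < 7:
            findings.append(f"{c}: shorter than the 7-digit maximum")
    numeric = sorted((int(c), c) for c in codes if c.isdigit())
    for (a, ca), (b, cb) in zip(numeric, numeric[1:]):
        if b - a == 1:
            findings.append(f"{ca} and {cb}: consecutive codes")
    return findings


NOW = datetime(1997, 12, 15)          # constructed "current time" for the samples
AFTER_EXPIRY = datetime(1998, 2, 1)   # constructed time after the barrier code has aged out


def build_sample_policy() -> RemoteAccessPolicy:
    """Constructed administration (not real codes): one aging barrier code
    limited to two calls, one authorization code, both checkpoints required."""
    return RemoteAccessPolicy(
        trunk_default_cor=1,
        barrier_codes={"2468013": BarrierCode(cor=3, expires=datetime(1998, 1, 1), calls_remaining=2)},
        auth_codes={"7531902": 5},
        require_barrier=True,
        require_auth=True,
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.admit(NOW, "2468013", "7531902"))      # ('system_dial_tone', 5)
    print(policy.admit(NOW, "0000000", "7531902"))      # ('disconnect', None), attempt logged
    print(audit_authorization_codes(["1000001", "1000002", "123456"]))
```

Note that a valid barrier code followed by an invalid authorization code still consumes one of the barrier code's remaining calls, so an access limit bounds the total number of guesses that can be made behind that code, not only the successful calls.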
Night Service

You can control the time of day that Remote Access is available by using the night service feature. This limits the amount of time Remote Access is available and thus reduces risks.
For DEFINITY ECS, DEFINITY G1, G3, and System 75, trunks translated for Remote Access can be given a night service destination. Although it is not recommended, trunks accessing the system can be assigned a Remote Access extension as a night service destination. The system will change to either allow or deny access for a feature. A night service button can be assigned to implement this capability. When night service is activated for these trunk groups, the Remote Access feature is available. When night service is deactivated, calls can be routed to an attendant for handling.

For DEFINITY G2 and System 85, when the Remote Access feature is “shared” with Listed Directory Number (LDN) service, a Remote Access call is routed to the attendant under normal (business hours) conditions, and the attendant extends the call like any other LDN call. When Unattended Console Service is active, “shared” non-DID LDN service becomes inactive, and Remote Access calls are handled as direct dialed access calls. In effect, with “shared” non-DID LDN service, the Remote Access feature is turned off while the attendant is on duty. This provides a degree of security for Remote Access during normal business hours by allowing the attendant to screen Remote Access calls before extending them.

Call Vectoring (DEFINITY ECS and DEFINITY G3 only)

For DEFINITY ECS and DEFINITY G3, administering access to the Remote Access feature through the use of Vector Directory Numbers (VDNs) can help make the feature more secure. Call Vectoring allows incoming and internal calls to be processed according to a programmed set of vector commands. To restrict the use of Remote Access at night, a DID/DNIS VDN can be translated to route to a vector that has a step to route to the Remote Access extension.
The vector can check time of day and day of week to route the call to an announcement or intercept tone if Remote Access is not allowed at certain times.

Protecting Vectors That Contain Call Prompting

Hackers try to enter unanticipated digit strings and deceive the switch into transferring the call to a dial tone source. The Call Prompting feature can collect digits from the user and route calls to a destination specified by those digits and/or do conditional processing according to the digits dialed. Examples of destinations include:
- on-premises or off-premises destinations
- a hunt group or split
- a specific call treatment such as an announcement, forced disconnect or delay treatment

Calls access call vectors, or the different destinations, by means of VDNs, “soft” switch extensions not assigned to a physical equipment location but having many of the properties of a normal extension number, including a COR. The VDN, when
dialed (or inferred), routes calls to the vector. Calls processed by the vector carry the permissions and restrictions associated with the COR of the VDN. In order to deny incoming callers access to outgoing facilities, including tie lines, configure the COR of the VDN to prohibit outgoing access. To do this, follow the steps listed below. Also see ‘‘Trunk-to-Trunk Transfer’’ on page 3-19.
- Assign a Calling Party Restriction of “Outward” and deny Facility Test Call capability.
- Lower the FRL in the COR to the lowest acceptable value and use COR-to-COR restrictions to deny access to specific outgoing trunk groups. (FRL=0 would deny access to network routing preferences.)
- Block access to specific CORs assigned to outgoing trunk groups by using the Calling Permissions section of the Class of Restriction screen.

For DEFINITY ECS and DEFINITY G3, use of Call Vectoring with Prompting for Remote Access allows the PBX to require a touch-tone response before the caller hears a Remote Access dial tone. If no response is given, the call can be routed to an attendant, announcement, or intercept tone. This makes it more difficult for hackers to detect a Remote Access port.

NOTE: Lucent Technologies strongly recommends, for both security and performance reasons, that the Ethernet connectivity between the MFB and the set of hosts with which it will communicate be a separate LAN segment. Otherwise, an unscrupulous person could gain unauthorized access to the DEFINITY LAN Gateway application in order to commit toll fraud and/or tamper with the real-time aspects of CTI applications. For additional information, refer to CallVisor ASAI Over the DEFINITY LAN Gateway, 555-230-223.
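The Call Vectoring arrangement described above (a time-of-day and day-of-week check, Call Prompting before the Remote Access extension is reached, and a Route To step that inherits the VDN's COR), together with the three COR settings listed for the VDN, as an added Python example. This is not a real vector or any DEFINITY administration form: the step layout, the business-hours window, the assumed dial plan ('9' reaches ARS, three-digit strings starting with '7' are TACs) and the extension number are assumptions made for illustration.

```python
"""Remote Access behind a VDN: time-of-day/day-of-week vector step, Call
Prompting before the Remote Access extension, and a Route To step bounded by
the VDN's COR. Added example; the dial plan, extension and hours are assumed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass
class VdnCor:
    calling_party_restriction: str   # "none" or "outward"
    frl: int = 0                     # lowest acceptable value per the checklist
    facility_test_call: bool = False


REMOTE_ACCESS_EXT = "3500"           # assumed Remote Access extension
BUSINESS_DAYS = range(0, 5)          # Monday..Friday (assumed window)
BUSINESS_HOURS = (8, 18)             # 08:00 up to, not including, 18:00 (assumed)


def seizes_outgoing_facility(digits: str) -> bool:
    """True if the dialed string would reach ARS/AAR or a trunk via a TAC
    under the assumed dial plan."""
    return digits.startswith("9") or (len(digits) == 3 and digits.startswith("7"))


def route_to_allowed(vdn_cor: VdnCor, destination: str) -> bool:
    """A Route To step carries the VDN's COR: with Calling Party Restriction
    'outward' it cannot reach the public network or dial-access trunks."""
    if seizes_outgoing_facility(destination):
        return vdn_cor.calling_party_restriction != "outward"
    return True


def process_remote_access_vdn(now: datetime, vdn_cor: VdnCor, collected: str) -> str:
    """Run the vector steps and return the disposition of the call."""
    # Step 1: deny Remote Access outside the allowed time of day / day of week
    if now.weekday() not in BUSINESS_DAYS or not BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]:
        return "announcement: Remote Access not available at this time"
    # Step 2: Call Prompting; with no touch-tone response the caller never
    # hears Remote Access dial tone and is sent to the attendant instead
    if not collected:
        return "route to attendant"
    # Step 3: the expected response reaches Remote Access; any other digits
    # become a Route To on caller-supplied input, bounded by the VDN COR
    if collected == "1":
        return f"route to Remote Access extension {REMOTE_ACCESS_EXT}"
    if route_to_allowed(vdn_cor, collected):
        return f"route to {collected}"
    return "intercept tone"


def audit_vdn_cor(vdn_cor: VdnCor) -> List[str]:
    """The three settings this section asks for on a VDN's COR."""
    findings = []
    if vdn_cor.calling_party_restriction != "outward":
        findings.append("Calling Party Restriction should be 'outward'")
    if vdn_cor.facility_test_call:
        findings.append("Facility Test Call capability should be denied")
    if vdn_cor.frl > 0:
        findings.append(f"FRL is {vdn_cor.frl}; lower it to the lowest acceptable value "
                        "(0 denies network routing preferences)")
    return findings


# Constructed sample instants: a Monday in business hours, the same night, a Sunday.
SAMPLE_BUSINESS = datetime(1997, 12, 15, 10)
SAMPLE_NIGHT = datetime(1997, 12, 15, 23)
SAMPLE_WEEKEND = datetime(1997, 12, 14, 10)

if __name__ == "__main__":
    restricted = VdnCor("outward")
    unrestricted = VdnCor("none", frl=7, facility_test_call=True)
    print(process_remote_access_vdn(SAMPLE_BUSINESS, restricted, "1"))
    print(process_remote_access_vdn(SAMPLE_BUSINESS, unrestricted, "9"), "<- the exposure the COR should close")
    print(process_remote_access_vdn(SAMPLE_BUSINESS, restricted, "9"))
    print(audit_vdn_cor(unrestricted))
```

The two `"9"` cases are the point: the same vector and the same collected digits end in an outgoing route or in intercept tone depending only on the VDN's COR, which is why the checklist puts the COR settings ahead of the vector logic.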
Status Remote Access Command

For DEFINITY G3V4 and later, which includes DEFINITY ECS, the status remote-access command provides the status of remote access. The display provides data on whether or not a barrier code has expired, the expiration date and time of the barrier code, the cause of the expiration, whether Remote Access is disabled (SVN or command), the time and date when it was disabled, and barrier codes.

Logoff Screen Notification

For DEFINITY G3V4 and later, which includes DEFINITY ECS, a notification is provided on the logoff screen that identifies when Remote Access is enabled and when the Facility Test Call Feature Access Code is active. The user has the option of acknowledging these notifications.
Use of the acknowledgment option is strongly recommended for those systems utilizing both Remote Access and Facility Test Call (for notification if the feature is inadvertently left enabled), or those systems requiring notification if Facility Test Call is linked to hacking activity.

Tools that Restrict Unauthorized Outgoing Calls

Use the following tools to prevent fraudulent calls and monitor long distance usage. (See Table 3-2.)

Table 3-2. Security Tools for Outgoing Calls

Security Tool | Switch | Page
Class of Restriction | DEFINITY ECS, DEFINITY G1, G3, and System 75 | 3-12
Class of Service | All | 3-14
Facility Restriction Levels | All | 3-15
Alternate Facility Restriction Levels | DEFINITY ECS, DEFINITY G2, G3, and System 85 | 3-16
Toll Analysis | DEFINITY ECS and DEFINITY G3 | 3-16
Free Call List | All | 3-16
AAR/ARS Analysis | DEFINITY ECS, DEFINITY G1, G2.1, G3, System 75, System 85 | 3-17
ARS Dial Tone | All | 3-17
Station Restrictions | All | 3-17
Fully Restricted Service | All | 3-27
Recall Signaling | DEFINITY ECS, DEFINITY G1, G3, and System 75 | 3-17
Attendant-Controlled Voice Terminals | All | 3-18
Restrictions—Individual and Group-Controlled | DEFINITY ECS, DEFINITY G1, G3, and System 75 | 3-18
Central Office Restrictions | All | 3-19
Restricting Incoming Tie Trunks | All | 3-19
Monitoring Trunks | DEFINITY ECS and DEFINITY G1 and G3 | 3-41
Terminal Translation Initialization | DEFINITY ECS, DEFINITY G2, G3r, G3V2, System 85 | 3-42
Authorization Codes | DEFINITY ECS, DEFINITY G1, G2, G3, System 75 (R1V3), System 85 | 3-19
Class of Restriction

For DEFINITY ECS, DEFINITY G1, G3, and System 75, the Class of Restriction (COR) places calling permissions and restrictions on both the calling party and the called extension. Up to 64 CORs can be defined in the system. For DEFINITY ECS, DEFINITY G3rV1, G3i-Global, and G3V2, the number of CORs has been increased to 96. For DEFINITY ECS and DEFINITY G3V3, each COR may be assigned a unique name via the Class of Restriction Form.

CORs are assigned to trunks, stations, authorization codes, attendant consoles (as a group), remote access barrier codes, and loudspeaker paging access zones. CORs provide or prevent the ability to make specific types of calls or calls to trunks and stations with other specified CORs. You can use the COR calling permissions (COR-to-COR restrictions) that set calling permissions on the COR to disallow stations to access trunks, and to disallow trunk groups to access other trunk groups. The COR also assigns Facility Restriction Levels (FRLs) for use by WCR/AAR/ARS routing.

NOTE: When a call is routed to a VDN, the COR of the VDN determines where the call can be routed. If the COR is not restricted and the vector contains a collect digit step, the caller could dial 9 or a TAC and be routed out of the system to the network.

For DEFINITY G3 systems prior to DEFINITY ECS Release 5, as well as for G1 and System 75 systems, the default value of the “FRL” field on the COR form is 7. Starting with DEFINITY ECS Release 5, the default value of the field is 0. This is true for all CORs except for CORs 10 through 17, whose defaults are 0 through 7, respectively. These defaults help ensure that FRLs with greater calling privileges are assigned only when appropriate.
To help maximize system security, follow these steps:
- Assign a separate COR to incoming and outgoing trunk groups, and then restrict calling between the two groups.
- Limit the calling permissions as much as possible by setting appropriate Calling Party Restrictions and FRLs.
- Restrict the port COR of adjuncts from accessing the trunk group CORs.

Calling Party and Called Party Restrictions

For DEFINITY G3 systems prior to DEFINITY ECS Release 5, as well as for G1 and System 75 systems, the default value of the “Calling Party Restriction” field on the COR form is “none.” Starting with DEFINITY ECS Release 5, the default value of the field is “outward.” This default ensures that the ability to place calls that access public network facilities is assigned only when appropriate.
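The COR checks this section describes for an outgoing call (Calling Party Restriction, COR-to-COR calling permissions, and the caller's FRL against the FRL an AAR/ARS routing preference demands), together with the Release 5 default-FRL rule for CORs 10 through 17 and the "separate COR for incoming and outgoing trunk groups" step, as an added Python example. It is not code from the handbook or a DEFINITY product; the dataclasses, the order in which the checks run, and the constructed CORs and routes are assumptions made for illustration.

```python
"""Outgoing-call permission checks that a COR applies: Calling Party
Restriction, COR-to-COR calling permissions, and FRL versus the FRL an
AAR/ARS routing preference requires; plus the DEFINITY ECS Release 5 default
FRL rule. Added example; CORs and routes below are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Cor:
    number: int
    frl: int                                   # 0 (least) .. 7 (most) calling privilege
    calling_party_restriction: str = "none"    # none | outward | toll | fully
    calling_permissions: Set[int] = field(default_factory=set)  # CORs this COR may call


@dataclass
class RoutePreference:
    trunk_group_cor: int     # COR of the trunk group this preference seizes
    frl_required: int        # caller's FRL must be at least this
    public_network: bool     # CO/FX/WATS facility rather than a tie line
    toll: bool = False       # destination the switch classifies as a toll call


def check_outgoing_call(origin: Cor, route: RoutePreference) -> Tuple[bool, str]:
    """Return (allowed, reason). Any single failing check denies the call."""
    cpr = origin.calling_party_restriction
    if cpr == "fully":
        return False, "fully restricted: no outgoing calls"
    if cpr == "outward" and route.public_network:
        return False, "outward restricted: no public network calls"
    if cpr == "toll" and route.toll:
        return False, "toll restricted: destination is a toll call"
    if route.trunk_group_cor not in origin.calling_permissions:
        return False, f"COR {origin.number} has no calling permission to COR {route.trunk_group_cor}"
    if origin.frl < route.frl_required:
        return False, f"FRL {origin.frl} below route FRL {route.frl_required}"
    return True, "permitted"


def ecs_r5_default_frl(cor_number: int) -> int:
    """Default FRL starting with DEFINITY ECS Release 5: CORs 10..17 default
    to 0..7 respectively, every other COR defaults to 0 (earlier releases: 7)."""
    return cor_number - 10 if 10 <= cor_number <= 17 else 0


def audit_cor_frls(cors: List[Cor]) -> List[str]:
    """Flag CORs carrying more FRL than their Release 5 default, so that
    greater calling privilege is a deliberate choice rather than a leftover."""
    return [f"COR {c.number}: FRL {c.frl} exceeds default {ecs_r5_default_frl(c.number)}"
            for c in cors if c.frl > ecs_r5_default_frl(c.number)]


# Constructed sample administration: stations, an incoming trunk group with
# its own COR (no permission to the outgoing trunk group COR), and routes.
STATION = Cor(1, frl=3, calling_permissions={20, 21, 22})
INCOMING_TRUNK = Cor(20, frl=0, calling_party_restriction="outward", calling_permissions={1})
LOCAL_ROUTE = RoutePreference(trunk_group_cor=21, frl_required=2, public_network=True)
LONG_DISTANCE_ROUTE = RoutePreference(trunk_group_cor=21, frl_required=5, public_network=True, toll=True)
TIE_ROUTE = RoutePreference(trunk_group_cor=22, frl_required=0, public_network=False)

if __name__ == "__main__":
    print(check_outgoing_call(STATION, LOCAL_ROUTE))            # (True, 'permitted')
    print(check_outgoing_call(STATION, LONG_DISTANCE_ROUTE))    # FRL 3 below route FRL 5
    print(check_outgoing_call(INCOMING_TRUNK, LOCAL_ROUTE))     # outward restricted
    print(check_outgoing_call(INCOMING_TRUNK, TIE_ROUTE))       # no COR-to-COR permission
    print(audit_cor_frls([STATION, Cor(12, frl=2)]))
```

The incoming trunk group COR is denied twice over: its Calling Party Restriction blocks the public network route, and its empty calling permission to the tie-line COR blocks the private one, which is the layered effect the checklist asks for.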
The following restrictions can be placed on the originating station or trunk:
- Outward Restricted: cannot make Public Network Calls via AAR/ARS or TACs. Calls can be placed to internal stations, to tie trunks via TACs, and off-switch via the Uniform Dial Plan (UDP).
  NOTE: Some states require that all telephones be able to dial emergency numbers, such as 911.
- Toll Restriction: cannot make toll calls unless the numbers are specified on an unrestricted call list. For G3, you can specify if the restriction applies to all toll calls or only TAC toll calls over CO/FX trunks.
  NOTE: The switch identifies all public network calls with 0 or 1 as the first or second digit as toll calls. For G3, toll calls and private network calls are defined on the Toll Analysis screen. For G2.2, only the first digit, 0 or 1, identifies it as a toll call.
- Code Restriction: for DEFINITY G1 and System 75, denies outgoing calls to selected office and area codes administered in the code table.
- Fully Restricted: for DEFINITY ECS and DEFINITY G3, denies outgoing calls, including dial access to trunks. Allows no incoming calls via Public Network trunks. See also ‘‘Fully Restrict Service’’ on page 3-27.

COR-to-COR Restrictions/Calling Permissions

If it is not practical to dial-access-restrict outgoing or two-way trunk groups, then COR-to-COR restrictions should be used to prevent direct access to those trunk groups. These restrictions can give no calling permissions to CORs assigned to trunk groups or data stations. The following options are available:
- Voice Terminal—Public Restriction: restricts callers at specified voice terminals from receiving public network calls. A denied call is routed to an intercept tone, a recorded announcement, or the attendant. Calls can redirect to a public-restricted voice terminal.
  The COR of the originally called extension number is the only one checked.
- Voice Terminal—Termination Restriction: restricts voice terminal users on specified extension numbers from receiving any calls. However, voice terminal users CAN originate calls. Direct Inward Dialing or Advanced Private Line Termination calls are routed to a recorded announcement or the attendant.

NOTE: When a call is to a VDN extension, the COR of the caller and the VDN are compared to determine if the associated Call Vector can be
accessed. After the vector is accessed, the COR of the VDN is used for further call permission checking. See also ‘‘Restriction Override (3-way COR Check)’’ on page 3-14.

Restriction Override (3-way COR Check)

The Restriction Override feature, which is available only with DEFINITY G3i-Global and G3V2 and later, determines whether or not there is a 3-way COR check made on Conference and Transfer Calls. For DEFINITY G3 systems prior to DEFINITY ECS Release 5, as well as for G1 and System 75 systems, the default value of the “Restriction Override” field on the COR form is “all.” Starting with DEFINITY ECS Release 5, the default value of the field is “none” for all CORs. This helps ensure that the feature is assigned only when appropriate.

If Restriction Override=all, only the controlling party’s COR is checked against the CORs of all other parties on the conference and/or transfer call for station-controlled transfers and conferences, not attendant-controlled conferences and attendant-extended calls. If Restriction Override=none, the new party’s COR is always checked against the CORs of all other parties on attendant extended calls and attendant-controlled conferences, as well as on all station-controlled conferences and transfers.

Class of Service

For DEFINITY G2 and System 85, station access to various switch features is controlled by options in the Class of Service (COS) associated with the extension number. The following COS options are related to toll fraud prevention:
- Call Forward Off-Net: allows a user to call forward outside the switch to non-toll locations (G2.1). In G2.2, the user may be allowed to forward to a toll location (including international destinations), depending on the permissions and restrictions for that extension, as defined in PROC000, WORD3, FIELD7.
- Call Forward Follow Me: allows a user to forward calls outside the switch when other options are set.
- Miscellaneous Trunk Restrictions: restricts certain stations from calling certain trunk groups via dial access codes.
- APLT Off-Net: allows callers to dial public network numbers over the EPSCS private network.
- Terminal-to-Terminal Restriction: restricts the user from placing or receiving any calls except to and from other stations on the switch.
- Outward Restriction: restricts the user from placing calls over the CO, FX, or WATS trunks using dial access codes to trunks. Outward restriction also restricts the user from placing calls via ARS/WCR. Use ARS/WCR with WCR toll restrictions instead.
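The Restriction Override (3-way COR check) behaviour described under Class of Restriction above, as an added Python example: with the field set to "all", only the controlling party's COR is compared with every other party on a station-controlled conference or transfer; with "none", the new party's COR is compared with every party already on the call, attendant-controlled and attendant-extended calls included. This is not code from the handbook or a DEFINITY product; the calling-permission table, the party CORs, and the assumption that "checked against" means the first COR must hold calling permission to the second are all constructed for illustration.

```python
"""Restriction Override (3-way COR check) on conference and transfer calls.
Added example; the permission table and the direction of the COR comparison
are assumptions, not DEFINITY form contents."""
from typing import Dict, List, Set, Tuple

# Constructed COR-to-COR calling permissions: COR -> CORs it may call.
# Incoming and outgoing trunk groups get separate CORs with no permission between them.
PERMISSIONS: Dict[int, Set[int]] = {
    1: {1, 20, 21},    # stations may reach other stations and either trunk group
    20: {1},           # incoming trunk group: stations only
    21: {1},           # outgoing trunk group: stations only
}


def cor_permits(caller_cor: int, called_cor: int, permissions: Dict[int, Set[int]] = PERMISSIONS) -> bool:
    """Assumed meaning of 'COR A is checked against COR B': A must hold
    calling permission to B."""
    return called_cor in permissions.get(caller_cor, set())


def conference_allowed(controlling_cor: int, new_party_cor: int, other_party_cors: List[int],
                       restriction_override: str, attendant_controlled: bool = False,
                       permissions: Dict[int, Set[int]] = PERMISSIONS) -> Tuple[bool, List[Tuple[int, int]]]:
    """Decide whether the new party may be conferenced in or transferred to.
    Returns (allowed, the list of COR pairs that were actually compared)."""
    if restriction_override == "all" and not attendant_controlled:
        # 'all': only the controlling party's COR is compared with the others,
        # the new party included; the new party's own COR is never the subject.
        checks = [(controlling_cor, p) for p in other_party_cors + [new_party_cor]]
    else:
        # 'none' (and every attendant-controlled call): the new party's COR is
        # compared with every party already on the call, controlling party included.
        checks = [(new_party_cor, p) for p in [controlling_cor] + other_party_cors]
    allowed = all(cor_permits(a, b, permissions) for a, b in checks)
    return allowed, checks


if __name__ == "__main__":
    # A station (COR 1) talking to an incoming trunk (COR 20) transfers the
    # call to an outgoing trunk (COR 21): the trunk-to-trunk case the COR
    # separation is meant to stop.
    print(conference_allowed(1, 21, [20], "all"))      # (True, [(1, 20), (1, 21)])
    print(conference_allowed(1, 21, [20], "none"))     # (False, [(21, 1), (21, 20)])
```

With "all", the station's own generous permissions satisfy every check and the incoming trunk ends up connected to the outgoing trunk; with "none", the outgoing trunk's COR is compared with the incoming trunk's COR and the transfer is denied, which is what the Release 5 default of "none" buys.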