Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600, Issue 6, December 1997
Chapter 3: Large Business Communications Systems
Tools that Restrict Unauthorized Outgoing Calls (page 3-15)

• Toll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead.
• ARS/WCR Toll Restriction: restricts users from dialing the ARS or WCR Network I Toll Access Code or from completing a toll call over ARS/WCR.
• FRL: establishes the user’s access to AAR/ARS/WCR routes.
• CDR Account Code: requires the entry of an account code before an ARS/WCR call is processed or before completing a TAC call to a toll destination.

NOTE: Account code entries are not validated.

For DEFINITY ECS, DEFINITY G1, G3, and System 75, COS identifies the calling features available to a station, such as auto callback and priority calling. It also provides for the assignment of console permissions; these should be assigned sparingly, and only to terminals that require them. It is especially important that console permissions not be assigned to Remote Access extensions.

For DEFINITY G3V2 and later releases, which include DEFINITY ECS, an additional COS option is available:

• Call Forward Off/On-Net: allows a user to call forward outside the switch (Off-Net), or inside AND outside the switch to non-toll locations (Off/On-Net).

For DEFINITY G3V4, the list call-forwarding command displays all stations that have Call Forwarding Off/On-Net or Call Forwarding Busy/Don’t Answer (B/DA) active. The display includes the initiating station and the destination address.

For DEFINITY ECS Release 5, a default is in place that should help limit accessibility to the Call Forwarding Off-Net capability. Specifically, the default value for the “Restrict Call Forwarding Off-Net” field on the COS form is “y” for every COS. Also for DEFINITY ECS Release 5, COS can control the Extended User Administration of Redirected Calls feature.
To this purpose, the COS form contains two fields: “Extended Forwarding All” and “Extended Forwarding B/DA”. The default for both fields is “n”.

Facility Restriction Level (FRL)

FRLs provide up to eight levels of restriction (0 through 7) for users of AAR/ARS/WCR. FRLs identify where calls can be made and what facilities are used. If the FRL of the originating facility is greater than or equal to the FRL of the route pattern preference selected, the trunk group is accessible. The lower-numbered FRLs are the most restrictive for stations; FRL 0 can be assigned to provide no outside access.
NOTE: ARS/WCR route patterns should never be assigned an FRL of 0 (zero).

The FRL is used by AAR/ARS/WCR to determine call access to an outgoing trunk group. Outgoing call routing is determined by comparing the FRLs in the AAR/ARS/WCR routing pattern with the FRL associated with the originating endpoint. Authorization codes provide users with an FRL value high enough to give them the calling privileges they require. Only users who enter a valid authorization code with the appropriate calling privileges can override the lower FRL to gain access to a long distance destination.

NOTE: FRLs are not used if trunk groups have dial access allowed.

Alternate Facility Restriction Levels

For DEFINITY G2, G3r, and System 85, this tool is used with or without authorization codes to replace originating FRL values (the COS FRL versus the AAR/ARS/WCR pattern preference FRL) with an alternate set of values. This allows FRLs to be set to a lower value outside of normal business hours so that more restrictions are placed on after-hours calling.

NOTE: A button is assigned to the attendant console to activate alternate FRLs.

Toll Analysis (G3 only)

For DEFINITY ECS and DEFINITY G3, the Toll Analysis screen allows you to specify the toll calls you want to assign to a restricted call list (that is, disallowed), such as 900 numbers, or to an unrestricted (that is, allowed) call list, such as an out-of-area number to a supplier. Call lists can be specified for CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls.

Free Call List

For DEFINITY G2 and System 85, you can identify up to ten 3-digit telephone numbers that can be called on otherwise toll-restricted ports. This list allows toll-restricted phones to call emergency numbers, such as 911. This option can only be used with TAC calls, not AAR/ARS calls.
NOTE: This feature should be used only when CO trunks are obtained using TACs. The preferred arrangement is always to use ARS/WCR.
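The following is an added example, not code from the handbook or from Lucent, that models the FRL rule given under Facility Restriction Level above (a route-pattern preference is usable only when the caller's FRL is greater than or equal to the preference's FRL), the authorization-code override, and the after-hours Alternate FRL substitution. The trunk-group names, FRL values, authorization-code table and alternate-FRL table are constructed for illustration and are not defaults of any DEFINITY release.

```python
"""Model of AAR/ARS/WCR route selection by Facility Restriction Level.

Added example; assumptions: the authorization codes, alternate-FRL table
and route pattern below are constructed, not switch defaults.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Preference:
    """One entry of a route pattern, listed in cost order (cheapest first)."""
    trunk_group: str
    frl: int                 # FRL the caller must meet or exceed
    available: bool = True   # False models an all-trunks-busy preference

    def __post_init__(self):
        # Handbook NOTE: route patterns must never carry an FRL of 0.
        if not 1 <= self.frl <= 7:
            raise ValueError(f"route pattern FRL must be 1..7, got {self.frl}")


# Constructed authorization codes -> FRL granted to the caller.
AUTH_CODES = {"4417": 7, "9021": 5}

# Constructed Alternate FRL table: originating FRL -> FRL in force after hours.
ALTERNATE_FRL = {7: 3, 6: 3, 5: 2, 4: 1, 3: 0, 2: 0, 1: 0, 0: 0}


def effective_frl(station_frl: int, auth_code: Optional[str] = None,
                  after_hours: bool = False) -> int:
    """FRL the switch compares against the route pattern.

    Alternate FRLs replace the originating FRL first; a valid authorization
    code then raises whatever is lower, which is how the handbook describes
    the two tools working together.
    """
    frl = ALTERNATE_FRL[station_frl] if after_hours else station_frl
    if auth_code is not None:
        granted = AUTH_CODES.get(auth_code)
        if granted is None:
            raise PermissionError("invalid authorization code")
        frl = max(frl, granted)
    return frl


def select_trunk_group(pattern: List[Preference], caller_frl: int) -> Optional[str]:
    """First available preference the caller's FRL admits; None means intercept."""
    for pref in pattern:
        if pref.available and caller_frl >= pref.frl:
            return pref.trunk_group
    return None


def route_call(pattern: List[Preference], station_frl: int,
               auth_code: Optional[str] = None, after_hours: bool = False) -> Optional[str]:
    return select_trunk_group(pattern, effective_frl(station_frl, auth_code, after_hours))


# Constructed route pattern. The ETN tie line is shown busy so that routing
# has to fall through to a costlier preference that demands a higher FRL.
TOLL_PATTERN = [
    Preference("etn-tie", frl=2, available=False),
    Preference("wats-band-5", frl=4),
    Preference("co-direct-distance", frl=6),
]

if __name__ == "__main__":
    for frl, code, night in [(3, None, False), (3, "4417", False),
                             (7, None, True), (7, "9021", True)]:
        print(f"FRL {frl} code {code} after_hours {night} ->",
              route_call(TOLL_PATTERN, frl, code, night))
```

The constructed pattern shows why the handbook says authorization codes are the only way past a low FRL: a station at FRL 3 is intercepted because the only preference it could use is busy, while the same station with code 4417 reaches the WATS trunks; after hours the alternate table drops even an FRL 7 station to 3, so unattended phones cannot reach toll facilities without a code.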
AAR/ARS Analysis

ARS routing allows calls to be routed based on the number dialed and the routing plan in effect. The routing is normally to the lowest-cost facility. Different Time of Day plans can be implemented to allow or prohibit calling at certain times.

NOTE: Never route public network calls (leading digit = 0 or 1) via AAR analysis; always cross over to ARS. (This happens automatically in G2 and System 85 with ETN.)

Some long-distance area codes may start with the same digits as your local exchanges. Be cautious when blocking access to those long-distance area codes, so that access to required local exchanges is not simultaneously blocked.

Since COR/COS-to-COR/COS restrictions do not apply to AAR/ARS trunks, use FRLs to limit the calling area [see ‘‘Facility Restriction Level (FRL)’’ on page 3-15 for further information].

ARS Dial Tone

For all switches, the dial tone after the ARS feature access code is optional and can be eliminated to confuse hackers who listen for it. Conversely, however, its elimination may also confuse authorized users who are accustomed to the second dial tone.

Station Restrictions

If access to trunks via TACs is necessary for certain users to allow direct dial access to specific facilities, use the appropriate restrictions. For DEFINITY G2 and System 85, assign Miscellaneous Trunk Restriction Groups (MTRGs) to all trunk groups that allow dial access, then deny access to the MTRGs on the COS. For DEFINITY ECS, DEFINITY G1, G3, and System 75, if all trunk groups have their own unique COR, then restrict the station CORs from accessing the trunk group CORs. For those stations and all trunk-originated calls, always use ARS/WCR for outside calling.
Recall Signaling (Switchhook Flash)

Recall signaling allows analog station users to place a call on hold and consult with another party or activate a feature. After consulting with the third party, the user can conference the third party with the original party by another recall signal, or return to the original party by pressing Recall twice or by flashing the switchhook twice. However, hackers have been able to activate recall signaling to gain second dial tone and conference incoming and outgoing paths together. To prevent this, administer switchhook flash to “n” (administered by means of the Add or Change Station screen) for FAX machines and modems.

Attendant-Controlled Voice Terminals

When telephones are located in easily accessible locations (such as lobbies) that do not provide protection against abuse, you can assign them to an attendant-controlled voice terminal group. Calls from the group can be connected to an attendant who screens the calls. As part of the night shutdown procedure, the attendant can activate outgoing call restrictions on the group.

Restrictions — Individual and Group-Controlled (DEFINITY ECS, DEFINITY G1, G3, and System 75)

For DEFINITY ECS, DEFINITY G1, G3, and System 75, individual and group-controlled restrictions allow an attendant or voice terminal user with console permission to activate and deactivate the following restrictions for an individual terminal or a group of voice terminals:

• Outward — The voice terminals cannot be used for placing calls to the public network. Such call attempts receive intercept tone.
• Total — The voice terminals cannot be used for placing or receiving calls. DID calls are routed to the attendant or a recorded announcement. All other calls receive intercept tone. As an exception, the following call types are allowed: calls to a Remote Access extension, terminating trunk transmission tests, and Emergency Access to Attendant calls.
• Station-to-station — The voice terminal cannot receive or place station-to-station calls. Such call attempts receive intercept tone.
• Termination — The voice terminal cannot receive any calls. Incoming calls are routed to the attendant, are directed via Call Coverage, or receive intercept treatment.

All voice terminals with the same COR are affected by a group restriction.
When a call is placed, both the individual and group restrictions are checked. To activate the desired Controlled Restriction, the attendant or voice terminal user with console permission dials the feature access code for either the extension or the group, followed by either 1 for Outward, 2 for Total, 3 for Termination, or 4 for Station-to-Station, and then dials the voice terminal extension number (Attendant Control — Extension) or the COR for a group of voice terminals (Attendant Control — COR). This feature is especially helpful in businesses such as hotels, where you might want to restrict phones in empty conference rooms or in guest rooms after a client has checked out. You might also want to restrict phones in an entire wing of a building at times.
Central Office Restrictions

Some Central Offices offer additional services that screen long distance calls, such as 0 + calls and 10xxx + calls. Contact your local telephone company for details.

Restricting Incoming Tie Trunks

You can deny access to AAR/ARS/WCR trunks when the caller is on an incoming tie trunk. For all the switches, you can force the caller to enter an authorization code when AAR/ARS/WCR is used. Use the COR of the incoming tie trunk to restrict calls from accessing the network: set the calling party restriction to outward, set the FRL to 0, and specify n for all other trunk group CORs on the calling permissions screen.

Authorization Codes

Authorization codes can be used to protect outgoing trunks if an unauthorized caller gains entry into the Remote Access feature. Authorization codes are also used to override originating FRLs to allow access to restricted AAR/ARS/WCR facilities. They can be recorded on SMDR/CAS to check against abuse. Refer to the description of Authorization Codes in ‘‘Authorization Codes’’ on page 3-7. The list command can be used to display all administered authorization codes.

Trunk-to-Trunk Transfer

Trunk-to-Trunk Transfer allows a station to connect an incoming trunk to an outgoing trunk and then drop the connection. When this feature is disabled, it prevents stations from transferring an incoming trunk call to an outgoing trunk; then, if the controlling station drops off the call, the call is torn down.

NOTE: Hackers use this to convince unsuspecting employees to transfer them to 9# or 900. If trunk-to-trunk transfer is allowed, the station can transfer the incoming trunk call to an outgoing trunk and hang up, leaving the trunks still connected.
System 75, System 85, DEFINITY ECS, DEFINITY G1, G2, G3V1, and G3V2 can either allow or disallow trunk-to-trunk transfer. This applies to public network trunks only; DS1 and WATS trunks assigned as tie lines are not considered public network trunks. DEFINITY G3V3 and later releases, including DEFINITY ECS Release 5 and later, offer three options:

• all — All trunks are transferred.
• restricted — Public network trunks are not transferred.
• none — No trunks are transferred.

NOTE: Starting with DEFINITY ECS Release 5, trunk-to-trunk transfer is automatically restricted via administration. To this end, the “Restriction Override” field in the Class of Restriction form is set to none by default. To disallow this feature, refer to the procedure provided in ‘‘Disallow Trunk-to-Trunk Transfer’’ on page 3-39.

NOTE: When conferencing calls, to prevent inadvertent trunk-to-trunk transfers, always conference together two outgoing calls. When the calling station disconnects, it forces the trunks to disconnect as well.

NOTE: When the trunk-to-trunk transfer feature is disabled, the attendant console can continue to pass dial tone to an inbound trunk caller by pressing START, 9, RELEASE.

Forced Entry of Account Code

To maximize system security, it is recommended that the Forced Entry of Account Code feature be enabled and administered on the system.

NOTE: For DEFINITY G2, Call Detail Recording (CDR) is required with this option. See ‘‘Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)’’ on page 3-48 for more information. Depending on the required length, the account code may replace other data in the CDR report.

An entry of an account number (1 to 15 digits) can be required for the originating station COR/COS, toll calls, or WCR network calls. If an account number is not entered when required, the call is denied. Although the account number is not verified, callers must enter the number of digits set by the system administrator. This adds another level of digit entry that a hacker must crack to gain access to an outside line.

World Class Routing (DEFINITY ECS and DEFINITY G2.2 and G3 only)

The World Class Routing (WCR) feature replaces and enhances the AAR/ARS feature. Specific digit strings are assigned to either allow or deny calls. The 900 look-alike numbers can be routed for interception. The 800 numbers for IXC carriers can be blocked; this still allows normal 800 numbers to be dialed. Specific international numbers can also be blocked.
You may also route 0 or 00 calls to a local attendant for handling. In addition, 10xxx + calls can be restricted. Certain laws and regulations may prevent you from blocking these calls, however. Check with your local or long distance carrier for applicable laws and regulations. If possible, use WCR to shut down toll routes during out-of-business hours by using Time-of-Day routing.

Digit Conversion

Digit conversion allows you to identify numbers, area codes, or countries you do not want called. Whenever the numbers entered correspond to the numbers on the conversion list, the numbers are given a different value, such as 0, and then forwarded to the new destination, such as the attendant console.

• For DEFINITY G1 and G3i, the conversion can be to “blank” (intercept tone), or to a Route Number Index (RNX) private network number, where Private Network Access (PNA) software is required to route the call through AAR.
• For DEFINITY G2 and System 85, the conversion is to an RNX private network number, and AAR software is required.
• For DEFINITY G1, G2, G3i, and System 85, once the call is sent to AAR software, the RNX can be translated as “local,” and the call can be directed to an internal station or to the attendant console.

Station Security Codes (SSCs)

Station Security Codes (SSCs) are used with two features: Personal Station Access and Extended User Administration of Redirected Calls. Starting with DEFINITY ECS Release 5, the Security Violations Status report shows the 16 most recent invalid attempts of SSC use. The report is refreshed every 16 seconds, and it shows the date, time, port/extension, FAC, and dialed digits for each invalid attempt. Enter the monitor security-violations station-security-codes command at the prompt to access this report.

SSC violations are summarized in the Security Violations Summary report. Enter the list measurements security-violations summary command to access this report. SSC input entry has a pre-administered security capability; for details, refer to the “Personal Station Access” section in this chapter. Finally, SSCs should be changed about once every six months.
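The following is an added example, not code from the handbook or from Lucent, that brings together the Toll Analysis call lists, the WCR allow/deny digit strings and Digit Conversion described above. It screens the digits a station dials through ARS/WCR with a longest-prefix-match table and converts intercepted strings to a new destination, and it also shows the AAR/ARS Analysis caveat about area codes that share digits with local exchanges. Assumptions: the ARS feature access code is 9, the attendant is reached by dialing 0, North American 1+ dialing is in use, and every prefix in the table (including the blocked carrier 800 number and the supplier's country code) is constructed for illustration.

```python
"""Dialed-digit screening modelled on Toll Analysis, WCR digit strings and
Digit Conversion. Added example; ARS_FAC, ATTENDANT and RULES are assumptions."""
from typing import Optional, Tuple

ARS_FAC = "9"       # assumption: ARS/WCR feature access code dialed first
ATTENDANT = "0"     # assumption: digit-conversion target (attendant console)

# Actions: "allow" (route), "deny" (intercept tone), "attendant" (digit
# conversion: the dialed string is replaced and the call goes to the
# attendant). The longest matching prefix wins, so a specific allow entry
# (unrestricted call list) can sit inside a broader deny (restricted list).
RULES = {
    "1900":     "deny",       # 900 premium-rate numbers
    "1500":     "deny",       # constructed 900 look-alike
    "1800":     "allow",      # ordinary 800 numbers stay dialable
    "18005550": "deny",       # constructed IXC carrier-access 800 number
    "011":      "deny",       # international blocked by default
    "01152":    "allow",      # constructed unrestricted entry: supplier abroad
    "1212":     "deny",       # constructed blocked area code, keyed WITH the
                              # leading 1 so local exchange 212 is unaffected
    "10":       "attendant",  # 10xxx carrier access codes go to the attendant
    "0":        "attendant",  # 0 and 00 operator calls go to the attendant
}
_PREFIXES = sorted(RULES, key=len, reverse=True)


def match_rule(digits: str) -> Optional[str]:
    """Longest-prefix lookup; None when no list entry applies."""
    for prefix in _PREFIXES:
        if digits.startswith(prefix):
            return RULES[prefix]
    return None


def is_toll(digits: str) -> bool:
    """Toll under 1+ dialing: 1+NPA, 0/0+ operator, 011 international."""
    return digits[:1] in ("0", "1")


def screen(dialed: str, toll_restricted: bool = True) -> Tuple[str, Optional[str]]:
    """Return (action, digits_outpulsed); digits_outpulsed is None when denied.

    Only calls placed through ARS/WCR are screened. TAC calls bypass this
    screen, which is why the handbook says to restrict them via COR/COS.
    """
    if not dialed.startswith(ARS_FAC):
        return ("not-ars", None)
    digits = dialed[len(ARS_FAC):]
    action = match_rule(digits)
    if action is None:
        # No list entry: toll-restricted stations get intercept on toll calls.
        action = "deny" if (toll_restricted and is_toll(digits)) else "allow"
    if action == "allow":
        return ("allow", digits)
    if action == "attendant":
        return ("attendant", ATTENDANT)
    return ("deny", None)


if __name__ == "__main__":
    for number in ["919005551212", "918005551212", "918005550123",
                   "90115255512345", "9102881212125551212", "92125555"]:
        print(number, "->", screen(number))
```

Two points the table makes concrete: the restricted and unrestricted lists only work together because matching is by longest prefix (the supplier's international number is reachable even though 011 is denied), and blocking an area code by its 1+ form leaves a local exchange with the same three digits dialable, which is the caution given under AAR/ARS Analysis.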
Personal Station Access (PSA)

The Personal Station Access (PSA) feature allows multiple users to work at the same voice terminal location at different times. PSA provides capabilities that are similar to TTI, but for a single station. This feature is available starting with DEFINITY ECS Release 5.

Each PSA user must have a Station Security Code (SSC), which consists of up to eight digits. The feature has a pre-administered security feature regarding input entry by the user. Once the user enters his or her extension at the appropriate time, a “no response” feedback is provided whether or not the entered extension is valid. For an invalid extension, the system simply waits, without responding, until it reaches a timeout threshold. As such, an unauthorized user does not know that input entry is the cause of the error. The same security feature is in effect whenever the user enters the SSC at the appropriate time.

The dissociate function within PSA allows a user to restrict the features available to a voice terminal. Whenever a terminal is dissociated via PSA, it can be used only to call an attendant, accept a TTI merge request, or accept a PSA associate request.

Security Tips

PSA/TTI transactions are recorded in the history log, which can be accessed by entering the list history command at the prompt. If there is a concern about unauthorized PSA/TTI usage, refer to the history log for verification. To enable recording of PSA/TTI transactions, access the Feature-Related System Parameters form by entering the change system-parameters features command at the prompt. Then ensure that the “Record PSA/TTI Transactions in History Log” field is set to y. (Sometimes this flag is set to n if PSA/TTI entries tend to flood the history log, making it difficult to find other entries.)
The default for the field is y.

A COS for the user’s extension must be administered to have access to PSA. However, be sure to limit PSA COS assignments to stations that need to access PSA. Once a PSA station is associated with a terminal, anyone using that terminal has all the privileges and capabilities of that station. Therefore, use of the dissociate Facility Access Code (FAC) is recommended whenever the terminal is not in use.

If PSA and DCP extenders are used to permit remote DCP access, the security provided may not be adequate. A user connecting via DCP extenders must provide a password. However, once the user is connected, the remote DCP station has the capabilities and permissions of whatever station is associated or merged with the local DCP extender port unless the station has been dissociated or separated. Therefore, PSA users should dissociate before they disconnect from a DCP extender.

PSA security violations are recorded by SVN software, if enabled. Refer to the SVN feature description, to DEFINITY ECS Release 5 Feature Description, and to DEFINITY ECS Release 5 Implementation for security report information.

Extended User Administration of Redirected Calls

This feature allows station users to select one of two previously administered call coverage paths assigned to them (for example, a work location coverage path or a remote work location coverage path) from any on-site extension or from a remote location (for example, home). Also provided is the ability to activate, change, or deactivate Call Forward All or Call Forward Busy/Don’t Answer from any on-site extension or from a remote location.

For security purposes, each user of this feature is administered an SSC. Users must enter the SSC to use this feature. In addition, the COS and COR for the user’s extension must be administered to have access to this feature. Any attempt by an invalid extension or invalid SSC to use the feature is recorded as a security violation.

For remote users, an additional security precaution for feature access is provided via the Telecommuting Access Extension. This extension provides access only to this feature; access to any other system features or functions via this extension is denied.

Access to the extended forwarding capability provided by this feature is controlled by the “Extended Forwarding All” and “Extended Forwarding B/DA” fields in the COS form. To access the form, enter the change cos command.

Remote User Administration of Call Coverage

NOTE: This feature requires one SSC for every user or extension. SSCs should be changed about once every six months.
The system allows calls that are forwarded off of the network (that is, off-net) to be tracked for busy or no-answer conditions and to be brought back for further call coverage processing in such cases. However, ensure that the principal has a coverage path; otherwise, the system will not track the call, and the call will be left at the off-net destination regardless of whether it is answered or busy. If the principal has Send All Calls (SAC) activated, the system will not attempt Call Forwarding Off-Net, except for priority calls. Likewise, except for priority calls, the system will not attempt Call Forwarding Off-Net for coverage paths that specify Cover All.
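The following is an added example, not code from the handbook or from Lucent, of the audit the handbook recommends with the list call-forwarding command (introduced under Call Forward Off/On-Net above): it reads a capture of that output and flags every station forwarding off-net, with the toll class of the destination and whether the station is one whose COS is meant to permit Off-Net forwarding. The four-column layout, the ARS access code 9, the set of permitted stations and the captured rows are all constructed assumptions; the real SAT screen layout is not shown on this page.

```python
"""Audit of list call-forwarding output for off-net forwarding.
Added example; the column layout, ARS_FAC, OFFNET_PERMITTED and SAMPLE are
constructed assumptions, not the real DEFINITY screen."""
from typing import Dict, List, Tuple

ARS_FAC = "9"  # assumption: ARS/WCR feature access code

# Constructed capture in an assumed layout: Ext, Name, Type, Forwarded-to.
SAMPLE = """\
Ext    Name             Type   Forwarded-to
3456   J Smith          CFA    3470
3461   Lobby Phone 1    CFA    912125551212
3470   R Jones          CFBDA  95551234
3480   Remote Access    CFA    9011441234567
3490   Night Bell       CFBDA  3456
"""

# Constructed: stations whose COS has Restrict Call Forwarding Off-Net = n.
OFFNET_PERMITTED = {"3470"}


def parse(output: str) -> List[Dict[str, str]]:
    """Split each data row into ext, name, type, dest (header row skipped)."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"ext": parts[0], "name": " ".join(parts[1:-2]),
                     "type": parts[-2], "dest": parts[-1]})
    return rows


def classify(dest: str) -> str:
    """On-net unless the destination starts with the ARS access code."""
    if not dest.startswith(ARS_FAC):
        return "on-net"
    digits = dest[len(ARS_FAC):]
    if digits.startswith("011"):
        return "off-net international"
    if digits[:1] in ("0", "1"):
        return "off-net toll"
    return "off-net local"


def audit(output: str) -> List[Tuple[str, str, str]]:
    """(ext, class, status) for every station forwarding off-net."""
    findings = []
    for row in parse(output):
        kind = classify(row["dest"])
        if kind == "on-net":
            continue
        status = "permitted" if row["ext"] in OFFNET_PERMITTED else "unauthorized"
        findings.append((row["ext"], kind, status))
    return findings


if __name__ == "__main__":
    for ext, kind, status in audit(SAMPLE):
        print(f"{ext}: {kind} ({status})")
```

Run against a fresh capture each time the check is made: an off-net forward on a lobby phone or on the Remote Access extension is exactly the condition the COS default “Restrict Call Forwarding Off-Net = y” exists to prevent, and a toll or international destination on a station without that permission is the finding to act on first.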
Invalid attempts to change the coverage path or the call forwarding destination are recorded by the SVN. To identify unauthorized activation of the Call Forwarding features, use the list call-forwarding command. The command output includes stations that have Call Forwarding All Calls and Call Forwarding Busy/Don’t Answer active. Also displayed are the number and name of the extensions that have the feature active, as well as the “forwarded-to” destination.

Security Measures

The following procedures explain how to use security tools to create restrictions that help prevent unauthorized access to your PBX system’s facilities.

Require Passwords

For DEFINITY ECS, DEFINITY G1, G3, and System 75, passwords may be up to 7 alphanumeric characters (11 for G3V3 and later). For System 85 and DEFINITY G2, the security code may be up to 6 digits. Change passwords for system logins frequently, according to the guidelines listed below.

• For DEFINITY G1 and System 75, routinely change the passwords for the Network Management Systems (NMS), “cust,” “rcust,” “browse,” and “bcms” logins.
• Disable any unused login. Except for System 75 R1V1, to disable a login, type VOID in the Password field. (Note that VOID must be typed in uppercase.)

NOTE: “NMS,” “browse,” and “bcms” are not available in System 75 R1V1; “NMS” is not available in System 75 R1V2; “bcms” is not available in System 75.

NOTE: Do not use VOID to disable logins in System 75 R1V1; it will not work. In this release, if the password has been set to VOID, typing VOID when prompted for the password will result in a successful login. It is not possible to disable logins for this release. Instead, you can change all permissions on logins, change the password, select carefully constructed passwords, change passwords frequently, and purchase the Remote Port Security Device (RPSD) hardware for added security.