Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-25 Security Measures 3

NOTE: System 75 R1V2 customers should contact the Lucent Technologies Technical Service Center for “browse” password administration procedures.

— For System 75 R1V3N and the DEFINITY G1.1N and G3V2, systems are shipped with the customer logins disabled.

CAUTION: Systems upgraded from earlier versions will have the logins and passwords of their previous version. This applies to “N” loads and DEFINITY ECS and DEFINITY G3.

DEFINITY G3V3 and later systems, which include DEFINITY ECS, are shipped without any customer logins. Customer logins must be assigned when installing the system.

Also, DEFINITY G3V2 and later releases, which include DEFINITY ECS, provide additional restrictions on logins. For each login, you can limit up to 20 (40 for DEFINITY G3V3 and later including DEFINITY ECS) objects (for example, stations or trunks) from being administered.

— For systems covered by warranty, lease, or maintenance contract, Lucent Technologies will routinely change Lucent Technologies-controlled logins.

- DEFINITY G2 and System 85 have one security code. Use PROC497 WORD3 FIELD5 to change it. Customers must notify Lucent Technologies prior to changing the code to ensure ongoing maintenance.

See Appendix E for information on how to change passwords.

Restrict Who Can Use Remote Access/Track its Usage

For maximum security, barrier codes and authorization codes must be given only to the people who have a need to use the feature. For DEFINITY ECS, DEFINITY G1, G2.2 Release 3.0, G3, and System 75 R1V3, use both codes. For DEFINITY G2 and System 85, use a barrier code to access the feature, and then use authorization codes to screen outbound calls.

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3:

- Use change system-parameters feature to display the Feature-Related System Parameters screen.
- If the software has been purchased, enter y in the Authorization Code Enabled field.
- Enter 7 in the Authorization Code Length field.
- Enter # or 1 in the Authorization Code Cancellation Symbol field.
- When providing attendant coverage, enter y in the Timeout to Attendant field. Invalid entries of authorization codes and failure to enter an authorization code result in a transfer to an attendant.
- Use change remote-access to display the Remote Access screen.
- If not already assigned, enter the appropriate extension number in the Remote Access Extension field.
- Enter 7 in the Barrier Code Length field.
- If you are using authorization codes, enter y in the Authorization Code Required field, and then enter n in the Remote Access Dial Tone field.
- Enter up to 10 barrier codes (use all seven digits) and assign each a COR and COS that allow only necessary calls. The COR should be restricted so that even if a hacker deciphers the barrier code, a valid authorization code is still needed to make a call.

  NOTE: Use Remote Access only on an as-needed basis, and assign a unique COR to each barrier code. Change the barrier codes periodically. See “Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later)” on page 3-61.

- When assigning authorization codes used only to upgrade FRLs, use an outward-restricted COR with the appropriate FRL. Use change authorization code to display the Authorization Code-COR Mapping screen.

  NOTE: Be sure to remove the authorization code whenever an authorized user leaves the company or no longer needs the Remote Access feature.

- Consider using a special partition group for the Remote Access COR, and then administer the AAR/ARS tables only for those external locations you allow Remote Access users to call. Use change cor to specify either the Time-of-Day routing or partition group. Use change ars analysis partition to define the appropriate partition group.
- Monitor authorization code usage with CDR.
  See “Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)” on page 3-48 for further details.

For DEFINITY G2 and System 85:

- Use PROC010 WORD1-4 to set COS 31 for Remote Access.
- Use PROC285 WORD1 FIELD1 to require a barrier code for Remote Access.
NOTE: As an alternative, you can require an authorization code. However, since only one code can be used to gain access to Remote Access, more protection is provided when you require a barrier code to enter Remote Access and then an authorization code to dial out of the system.

- Use PROC350 WORD2 FIELD1 = 26 to assign an access code that allows you to change the barrier code using the attendant console.
- When authorization codes are assigned, use PROC282 WORD1 FIELD2 to administer the lowest FRL you can.
- Use PROC286 WORD1 FIELD16 to send calls to an intercept tone, a CAS attendant, or a local attendant when the caller does not enter a code.
- Use PROC289, Programmable Intercept Treatment, to transfer calls to an attendant when the caller enters an invalid trunk access code, feature access code, or extension.
- Turn on CDR for incoming calls by entering PROC275 WORD1 FIELD14. Also turn on CDR for the Remote Access Trunk Group using PROC101 WORD1 FIELD8. See “Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)” on page 3-48 for more information on CDR.

Fully Restrict Service

Fully Restricted Service is assigned to a COR that prevents assigned stations from having access to either incoming or outgoing public network calls. Stations have access to internal calls only. In addition, fully restricted station users cannot use authorization codes to deactivate this feature.

Any calls from the public network to a station with Fully Restricted Service are redirected to intercept treatment or to the attendant. If the call is redirected to the attendant, the attendant’s display indicates the call is being redirected because of Fully Restricted Service. The reason-code displayed is FULL.
When the call is redirected to the attendant, the following may be appropriate actions:

- The attendant connected with a CO may call or intrude on the called station user.
- The attendant cannot extend, conference, or bridge the redirected call.
- The attendant can place a CO call on hold and call the station with Fully Restricted Service for consultation.
Provide Individualized Calling Privileges Using FRLs

FRLs are used to allow or deny calls when AAR/ARS/WCR route patterns are accessed. An originating FRL assigned to a station or tie-line trunk group must be equal to or greater than the terminating route pattern FRL for the call to be completed. A COR or COS assigned an FRL of 7 is allowed to complete a call on any route pattern. A COR or COS assigned an FRL of 2 can only access route patterns assigned an FRL of 0, 1, 2, or 3. A low FRL should be assigned to analog stations used for voice mail, remote access barrier codes, VDNs, and tie-lines from other systems. Refer to Table 3-3 for a list of suggested FRL values.

NOTE: If dial access is allowed for a trunk group, the caller can bypass the FRL restrictions and directly access the trunk group.

NOTE: FRLs 1 through 7 include the capabilities of the lower FRLs.

For DEFINITY ECS, DEFINITY G1, G3 and System 75:

- Use change cor to display the Class of Restriction screen.
- Enter the FRL number (0 through 7) in the FRL field.
- Use change route-pattern to display the Route Pattern screen.
- Assign the appropriate FRL to the route pattern defined by ARS/WCR.

Table 3-3. Suggested Values for FRLs

FRL   Suggested Value
0     No outgoing (off-switch) calls permitted.
1     Allow local calls only; deny 0+ and 1 800 calls.
2     Allow local calls, 0+, and 1 800 calls.
3     Allow local calls plus calls on FX and WATS trunks.
4     Allow toll calls within the home NPA.
5     Allow calls to certain destinations within the continental USA.
6     Allow calls throughout the continental USA.
7     Allow international calling. Assign Attendant Console FRL 7.
For DEFINITY G2 and System 85:

- Use PROC010 WORD3 FIELD23 to assign FRLs to a station originator’s COS for use with AAR/ARS/WCR trunks. (COS 31 is used for Remote Access.)
- Use PROC103 WORD1 FIELD2 to assign FRLs to an incoming trunk.
- Use PROC309 WORD1 FIELD3 to assign FRLs to an ARS route pattern.
- Use PROC321 WORD1 FIELD4 to assign FRLs to an AAR pattern.
- On DEFINITY G2.2, use PROC318 WORD1 FIELD4 to assign FRLs on WCR.

Prevent After-Hours Calling Using Time of Day Routing or Alternate FRLs

You can regulate the days of the week and specific times that outgoing calls can be made. Depending on the time of day and day of the week, calls can be blocked or routed to the least-costly facility available. Since late evenings and weekends are particularly vulnerable times for toll hacking, set up separate plans with the most restrictive plan reserved for evenings and weekends. If you do not want toll calls made after hours, block them during those times. You can also use Call Vectoring to route to different trunk groups; for example, after hours you may want only 50 trunks available instead of 200.

For DEFINITY ECS and DEFINITY G1 and G3:

- Use change ars analysis partition x to define an ARS Analysis Table to be used for after-hours calling.
- Use change time-of-day y to select and define a Time of Day plan.
- Administer the times you want to offer Remote Access and the times you do not.
- Use change cor xx to assign the Time of Day plan to the COR for barrier codes or authorization codes.

For DEFINITY G3r:

- Use change attendant to display the Attendant screen.
- In the Feature Button Assignment field, enter alt-frl to administer an alternate FRL button on the attendant console. This button is used to activate lower FRLs after business hours so the calling area is limited.
- Use change alternate frl to assign the alternate FRL that will replace each original FRL when the attendant activates the feature.

For DEFINITY G2 and System 85:

- There are three Time of Day plans (seven for G2.2). Use PROC316 WORD1 to set day, hour and minute, and plan number.
- When using WCR, enter PROC311 to separate toll and non-toll numbers into different routing indices. Use PROC314 for tenant services to separate toll and non-toll numbers into different routing indices.
- Use PROC311, PROC316, and PROC317 to shut down toll routes outside of business hours.
- Use PROC286 WORD1 FIELD5-12 to lower FRLs after hours to make them more restrictive.
- Enter PROC203 WORD1 Button Type 19 to set the alternate FRL button on the attendant console. This allows attendants to manually change to alternate FRLs.

Block International Calling

If your company does not do business overseas, deny everyone the ability to directly dial international calls; in other words, block calling the international dial prefix, for example, 011. However, this will impact your company’s ability to reach the “Telco” operator since 0+ dialing is blocked. This affects credit card calls, Collect calls, Third Party Calls, and Special Use (0700+) numbers.

For DEFINITY G1 and System 75:

- Enter change ars fnpa 000 to display the ARS FNPA Table screen.

ARS Routing Table

Operator                            000
Toll Operator                       002
International Operator              010
International Direct Dial           011
Toll Operator Direct Dial           003
International Operator Assistance   012
Operator Assistance                 001
- Leave the following FNPA fields for international calling blank, or, for older versions of software, assign them to an unused route pattern (for example, 254) with no trunk assignments.

NOTE: As a reminder, not all international calls follow this pattern. For example, Canada uses standard area codes.

For DEFINITY ECS and DEFINITY G3:

- Enter change ars analysis partition to display the ARS Analysis screen.
- Leave the route pattern blank for the following numbers:
  — 01 = international operator
  — 010 = international calls
  — 011 = international calls
  — 10xxx01 = international operator
  — 10xxx011 = international calls

For DEFINITY G2 and System 85:

- For DEFINITY G2.1 and System 85, block international calls by not assigning a routing designator in PROC311 WORD1 for office code “1” or assign “01” to Pattern 1.
- For DEFINITY G2.2, use digit conversion to reroute international calls to an attendant or do not administer international calling prefixes. Use PROC314 WORD1 to route 010 and 011 (7 to 16 digits) to VNI 0.
- For System 85 R2V4n and DEFINITY G2.12.0, route both 01 and 011 to pattern 1 in PROC311 WORD1.

Digits Dialed   FNPA Translator Table
011             11
010             10
10xxx011        111
001             4
010n            12
10xxx010        110
10xxx01         112
Limit International Calling

If your company does business overseas with certain countries, you can allow calls to those countries while blocking calls to other countries.

For DEFINITY G1 and System 75:

For 000, 011, and each country code to be blocked:

- Enter change ars fnpa nnn (where nnn is either 000, 011, or the country code to be blocked) to display the ARS FNPA Table screen.
- For each country where calls are allowed, enter the appropriate routing pattern (r1 through r32).
- Enter change rhnpa to screen on the next three digits.
- Disable DAC/FAC dialing (see “Disable Direct Access to Trunks” on page 3-35).

For DEFINITY ECS and DEFINITY G3:

- Enter change ars analysis to display the ARS Analysis screen.
- Specify the telephone numbers in the Dial String field that you do not want dialed by entering blank in the routing pattern or routing to a pattern that contains a high FRL.
- Disable TAC/DAC dialing (see “Disable Direct Access to Trunks” on page 3-35).
- To block calls to countries in the North American dial plan, enter the area code plus any required prefix digit (0 and 1). Be sure to define possible variations of the number. For example, to block calls to the 809 area code, enter 1809 and 0809 with 11 in both the Min and Max fields. If you do not include a prefix digit, enter 10 in both the Min and Max fields.

For DEFINITY G2 and System 85:

- For DEFINITY G2.1 and System 85 R2V4, assign numbers to the Unauthorized Call Control feature using PROC313 WORD1. The FRL for unauthorized call control is assigned in PROC275 WORD3 FIELD10. It should be assigned FRL 7.
- For DEFINITY G2.2, use digit conversion to reroute abused telephone numbers to an attendant or to VNI 0. Enter PROC314 WORD1.

NOTE: Make sure Remote Access barrier codes have properly assigned CORs with FRLs set low to restrict access to the network, and use COR-to-COR restrictions to prevent access to trunk groups.
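
The dial-string screening described above for DEFINITY ECS and DEFINITY G3, modeled in Python as an added example (not Lucent code and not part of the handbook). It assumes the longest matching dial string whose Min/Max range fits the dialed number wins, that x matches any digit, and that a blank route pattern denies the call; the table entries, the route pattern numbers 5 and 9, the 1900 entry and the helper names are all constructed for illustration.

```python
# Added example: simplified model of ARS analysis screening plus the FRL check.
# Assumptions (not from the handbook): the longest matching dial string whose
# Min/Max range fits wins; 'x' matches any digit; all table data is constructed.
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    dial_string: str         # leading digits to match, 'x' = any digit
    min_len: int             # Min field: fewest digits in the whole number
    max_len: int             # Max field: most digits in the whole number
    pattern: Optional[int]   # route pattern; None = field left blank (deny)

ARS_ANALYSIS = [             # constructed sample table
    Entry("1809", 11, 11, None),      # 809 with prefix digit 1
    Entry("0809", 11, 11, None),      # 809 with prefix digit 0
    Entry("809", 10, 10, None),       # 809 with no prefix digit
    Entry("010", 10, 18, None),       # international calls
    Entry("011", 10, 18, None),       # international calls
    Entry("10xxx011", 15, 23, None),  # international calls via carrier code
    Entry("1900", 11, 11, 9),         # restricted by a high-FRL pattern
    Entry("1", 11, 11, 5),            # other 1+ toll calls
    Entry("0", 11, 11, 5),            # other 0+ calls
]
ROUTE_PATTERN_FRL = {5: 4, 9: 7}      # constructed: pattern number -> FRL

def prefix_matches(dial_string, dialed):
    """True when every position of dial_string matches the dialed digits."""
    return len(dialed) >= len(dial_string) and all(
        p in ("x", d) for p, d in zip(dial_string, dialed))

def analyze(dialed, table=ARS_ANALYSIS):
    """Return the best entry for the dialed digits, or None if nothing fits."""
    fits = [e for e in table
            if e.min_len <= len(dialed) <= e.max_len
            and prefix_matches(e.dial_string, dialed)]
    return max(fits, key=lambda e: len(e.dial_string), default=None)

def route_call(dialed, originating_frl, table=ARS_ANALYSIS):
    """Apply the table, then the FRL rule (originating FRL >= pattern FRL)."""
    entry = analyze(dialed, table)
    if entry is None or entry.pattern is None:
        return ("deny", "no route pattern")
    needed = ROUTE_PATTERN_FRL[entry.pattern]
    if originating_frl < needed:
        return ("deny", f"FRL {originating_frl} < pattern FRL {needed}")
    return ("route", entry.pattern)

def without(dial_string, table=ARS_ANALYSIS):
    """Copy of the table with one dial string removed, to show a coverage gap."""
    return [e for e in table if e.dial_string != dial_string]

if __name__ == "__main__":
    for number, frl in [("18095551234", 7), ("0114412345678", 7),
                        ("12015550123", 4), ("19005550123", 4)]:
        print(number, frl, route_call(number, frl))
    # Forgetting the 0809 variation lets the call fall through to the 0+ entry.
    print(route_call("08095551234", 4, without("0809")))
```

The last call shows why each variation of a blocked number needs its own entry: with the 0809 entry missing, the same digits match the general 0+ entry and are routed.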
Select Authorization Code Time-Out to Attendant

For DEFINITY ECS, DEFINITY G1, G3, and System 75, you can send calls to an attendant if the caller fails to enter a required authorization code within 10 seconds. For DEFINITY G2 and System 85, you can route calls to an attendant when callers fail to enter a required telephone number or authorization code within 10 seconds.

For all switches:

- Select the Timeout to Attendant feature when you administer authorization codes.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use the System-Parameters screen to request authorization code timeout.

Restrict Calls to Specified Area Codes

If your business does not make calls to certain area codes, you can prevent users from entering numbers within those area codes.

For DEFINITY G1 and System 75:

See “Allow Calling to Specified Numbers” on page 3-33.

For DEFINITY ECS and DEFINITY G3:

- Enter change ars analysis to display the ARS Analysis screen.
- Specify the telephone numbers in the Dial String field that you do not want dialed. Either leave the field blank, enter den (for deny) in the routing pattern, or use a pattern that contains a high FRL.
- Disable TAC dialing (see “Disable Direct Access to Trunks” on page 3-35).

For DEFINITY G2.1 and System 85:

- Enter PROC311 WORD1 to send calls for specific area codes to route pattern 1.

For DEFINITY G2.2:

- Enter PROC314 to route calls for specific area codes to VNI 0.

Allow Calling to Specified Numbers

A reverse strategy to preventing calls is to allow outbound calls only to certain numbers. For DEFINITY G1 and System 75, you must specify both the area code and the office code of the allowable numbers. For DEFINITY ECS and DEFINITY G3, you can specify the area codes or telephone numbers of calls you allow.
For DEFINITY G1 and System 75:

- Enter change ars fnpa xxx, where xxx is the area code, to display the ARS FNPA Tables screen.
- Assign RHNPA table r1-r32 to the area code. For example, enter change ars fnpa r1:, where r1 is NXX.

For DEFINITY ECS and DEFINITY G3:

- Enter change ars analysis to display the ARS Analysis screen.
- Enter the area codes or telephone numbers you want to allow and assign an available routing pattern to each of them. Remote HNPAs can also be used.

For DEFINITY G2.2:

- Use WCR with PROC314 WORD1 and WORD2 and permit only certain numbers. Consider using Network 3, which contains only those numbers, to reduce the administrative clutter in your outgoing calling network.

Use Attendant Control of Remote Access Calls (DEFINITY G2 and System 85 only)

Instead of allowing Remote Access callers to dial numbers directly, an attendant can handle the calls. This “shared” option disables the Remote Access feature during business hours when an attendant is available to handle the calls.

For DEFINITY G2 and System 85:

- Enter PROC275 WORD2 FIELD10 to specify that the Remote Access trunks are shared. In this case, Remote Access is available only when the switch is in Unattended Console Service (night mode).
- Assign remote access time-out to the attendant using PROC286 WORD1 FIELD16.

Use Attendant Control of Specific Extensions

Phones that are in easily-accessible areas (such as lobbies) can be placed in an attendant-controlled group. The attendant can change the restrictions on these phones from the console.

For System 75, DEFINITY ECS, and DEFINITY G1, and G3:

- Enter change feature-access-codes to display the FAC screen.
- In the User-Control Restrict Activation/Deactivation fields, enter a valid FAC.
- Enter change system-parameters feature to display the Feature-Related System Parameters screen.