Lucent Technologies DEFINITY Enterprise Communication Server Release 8.2 Administrators Guide
DEFINITY ECS Release 8.2 Administrator’s Guide, 555-233-506, Issue 1, April 2000

11  Enhancing system security

Preventing toll fraud

(Item 1, continued from the previous page.) Set logoff notification and forced password aging when administering logins. You must assign passwords for these logins at setup time. Establish well-controlled procedures for resetting passwords.

2. Prevent voice mail system transfer to dial tone
   Activate “secure transfer” features in voice mail systems. Place appropriate restrictions on voice mail access/egress ports. Limit the number of invalid attempts to access a voice mail to five or less.

3. Deny unauthorized users direct inward system access (screen)
   If you are not using the Remote Access features, deactivate or disable them. If you are using Remote Access, require the use of barrier codes and/or authorization codes set for maximum length. Change the codes frequently. It is your responsibility to keep your own records regarding who is allowed to use which authorization code.

4. Place protection on systems that prompt callers to input digits
   Prevent callers from dialing unintended digit combinations at prompts. Restrict auto attendants and call vectors from allowing access to dial tone.

5. Use system software to intelligently control call routing
   Create Automatic Route Selection or World Class Routing patterns to control how each call is to be handled. Use “Time of Day” routing capabilities to limit facilities available on nights and weekends. Deny all end-points the ability to directly access outgoing trunks.

6. Block access to international calling capability
   When international access is required, establish permission groups. Limit access to only the specific destinations required for business.

7. Protect access to information stored as voice
   Password restrict access to voice mail mailboxes. Use non-trivial passwords and change passwords regularly.

8. Provide physical security for telecommunications assets
   Restrict unauthorized access to equipment rooms and wire connection closets. Protect system documentation and reports data from being compromised.
9. Monitor traffic and system activity for abnormal patterns
   Activate features that “turn off” access in response to unauthorized access attempts. Use Traffic and Call Detail reports to monitor call activity levels.

10. Educate system users to recognize toll fraud activity and react appropriately
    From safely using calling cards to securing voice mailbox passwords, train your users on how to protect themselves from inadvertent compromises to the system’s security.

11. Monitor access to the dial-up maintenance port. Change the access password regularly and issue it only to authorized personnel. Consider activating Access Security Gateway.

12. Create a switch system management policy concerning employee turnover and include these actions:
    a. Delete any unused voice mailboxes in the voice mail system.
    b. Immediately delete any voice mailboxes belonging to a terminated employee.
    c. Immediately remove the authorization code if a terminated employee had screen calling privileges and a personal authorization code.
    d. Immediately change barrier codes and/or authorization codes shared by a terminated employee. Notify the remaining users of the change.
    e. Remove a terminated employee’s login ID if they had access to the system administration interface. Change any associated passwords immediately.

13. Back up system files regularly to ensure a timely recovery. Schedule regular, off-site backups.

14. Callers misrepresenting themselves as the “phone company,” “AT&T,” “RBOCS,” or even known employees within your company may claim to be testing the lines and ask to be transferred to “900,” “90,” or ask the attendant to do “start 9 release.” This transfer reaches an outside operator, allowing the unauthorized caller to place a long distance or international call. Instruct your users never to transfer these calls. Do not assume that this cannot happen if “trunk to trunk transfer” is blocked.

15. Hackers run random generator PC programs to detect dial tone. Then they revisit those lines to break barrier codes and/or authorization codes to make fraudulent calls or resell their services. They do this using your telephone lines to incur the cost of the call. Frequently these call/sell operations are
conducted at public payphones located in subways, shopping malls, or airport locations. Refer to “Remote Access” on page 857 to prevent this happening to your company.

Physical security

Physical security is your responsibility. Implement the following safeguards as an added layer of security:

1. Unplug and secure attendant console handsets when the attendant position is not in use.
2. Lock wiring closets and switch rooms.
3. Keep a log book register of technicians and visitors.
4. Shred all switch information or directories you discard.
5. Always demand verification of a technician or visitor by asking for a valid I.D. badge.
6. Keep any reports that may reveal trunk access codes, screen barrier codes, authorization codes, or password information secure.
7. Keep the attendant console and supporting documentation in an office that is secured with a changeable combination lock. Provide the combination only to those individuals who need to enter the office.
8. Keep any documentation pertaining to switch operation secure.
9. Label all backup tapes or flash cards with correct dates to avoid using an outdated one when restoring data. Be sure that all backup media have the correct generic software load.

System security checklist

Here are some of the steps required for indemnification. Use these to analyze your system security.

1. Remove all default factory logins of cust, rcust, browse, nms, and bcms and assign unique logins with 7-character alphanumeric passwords and a 90-day password aging. Use the list logins command to find out what logins are there.

2. If you do not use Remote Access, be sure to disable it permanently.
   Tip: You can use the display remote-access command to check the status of your remote access.
   To disable Remote Access, on the Remote Access screen, Permanently Disable field, type y. Refer to “Remote Access” on page 857 for more information on remote access.
   NOTE: Lucent recommends that you permanently disable Remote Access using the change remote-access command. If you do permanently disable Remote Access, the code is removed from the software. Lucent charges a fee to restore the Remote Access feature.

3. If you use Remote Access, but only for internal calls, change announcements or remote service observing:
   a. Use a 7-digit barrier code.
   b. Assign a unique Class of Restriction (COR) to the 7-digit barrier code. The unique COR must be administered where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
   c. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
   d. Set the aging cycle to 90 days with a 100 call limit per barrier code.
   Refer to “Remote Access” on page 857 for more information.

4. If you use Remote Access to process calls off-net or in any way access the public network:
   a. Use a 7-digit barrier code.
   b. Assign a unique COR to the barrier code.
   c. Restrict the COR assigned to each barrier code by FRL level to only the calling areas required to conduct business.
   d. Set the aging cycle to 90 days with a 100 call limit per barrier code.
   e. Suppress dial tone where applicable.
   f. Administer Authorization Codes.
   g. Use a minimum of 11 digits (combination of barrier codes and authorization codes).
   h. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
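The sliding-window count that items 3c and 4h ask the switch to perform (10 invalid attempts in 2 minutes), written out as an added example that is not part of the manual or of DEFINITY software; the log records, port names and timestamps are constructed, and a second run with a threshold of 5 shows the same logic applied to the voice mail limit from the toll-fraud list:

```python
"""Sliding-window detection of repeated invalid Remote Access attempts,
modelled on the Security Violation Notification setting in items 3c and 4h
(10 attempts in 2 minutes).  Added example, not DEFINITY software; the log
records below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def make_sample_log():
    """Constructed log of barrier-code attempts: (timestamp, port, result)."""
    base = datetime(2000, 4, 3, 22, 1, 0)
    log = []
    for i in range(12):   # port-1: a burst of 12 failures, 10 s apart
        log.append(((base + timedelta(seconds=10 * i)).strftime(TIME_FMT),
                    "port-1", "invalid"))
    for i in range(10):   # port-2: 10 failures spread 30 s apart (4.5 min)
        log.append(((base + timedelta(seconds=30 * i)).strftime(TIME_FMT),
                    "port-2", "invalid"))
    log.append((base.strftime(TIME_FMT), "port-3", "valid"))
    return sorted(log)    # timestamp-first tuples sort chronologically


def find_violations(records, threshold=10, window=timedelta(minutes=2)):
    """Return (port, timestamp) for each attempt that is the `threshold`-th
    invalid attempt on that port within `window`.  After a hit the port's
    history is cleared, so a burst is reported once, which mirrors the
    switch notifying (and optionally disabling access) on the violation."""
    recent = defaultdict(deque)   # port -> timestamps of recent failures
    hits = []
    for ts_text, port, result in records:
        if result != "invalid":
            continue
        ts = datetime.strptime(ts_text, TIME_FMT)
        history = recent[port]
        history.append(ts)
        while history and ts - history[0] > window:
            history.popleft()      # drop failures older than the window
        if len(history) >= threshold:
            hits.append((port, ts_text))
            history.clear()
    return hits


if __name__ == "__main__":
    for port, when in find_violations(make_sample_log()):
        print(f"{when}  security violation on {port}")
```

With the default setting only the burst on port-1 is reported; the slow attempts on port-2 never place 10 failures inside one 2-minute window.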
5. If you use vectors:
   a. Assign all Vector Directory Numbers (VDN) a unique COR. Refer to DEFINITY ECS Guide to ACD Call Centers for more information.
      NOTE: The COR associated with the VDN dictates the calling privileges of the VDN/vector. High susceptibility to toll fraud exists on vectors that have “collect digits” steps. When a vector collects digits, it processes those digits back to the switch and, if the COR of the VDN allows it to complete the call off-net, it will do so. For example, the announcement “If you know your party’s 4-digit extension number, enter it now” results in 4 digits being collected in step 6. If you input “90##” or “900#”, the 4 digits are analyzed and, if “9” points towards ARS and “0” or “00” is assigned in the ARS Analysis Tables and the VDN COR allows it, the call routes out of the switch to an outside local exchange or long distance operator. The operator then connects the call to the requested number.
   b. If vectors associated with the VDN do not require routing the call off-net or via AAR, assign a unique COR where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
   c. If the vector has a “route-to” step that routes the call to a remote switch via AAR, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an AAR call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the appropriate AAR route patterns on the AAR Partition Group using the change aar analysis partition x 2 command.
      Tip: You can use the display aar analysis print command to print a copy of your Automatic Alternate Routing (AAR) setup before making any changes. You can use the printout to correct any mistakes.
   d. If the vector has a “route-to” step that routes the call off-net, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an ARS call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the appropriate complete dial string in the “route-to” step of the vector to the unique ARS Partition Group using the change ars analysis partition x 2 command.
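A simplified model of the collect-digits path described in item 5a, added here as an example (not the manual’s own code and not a DEFINITY configuration): the collected digits are run through an ARS analysis table and the VDN’s COR decides whether they may leave the switch. The ARS entries, route patterns, COR fields and the trunk-group COR name are constructed; the FRL values follow the checklist’s later advice on route patterns (item 10) and denied dial strings (item 12).

```python
"""Simplified model of what happens to digits a vector collects, as described
in item 5: the digits are analysed by the switch and the VDN's COR, not the
vector, decides whether the call may leave the switch.  Added example; the
ARS table, route patterns and CORs are constructed, not a real configuration."""
from dataclasses import dataclass


@dataclass
class COR:
    """Class of Restriction, reduced to the three fields the checklist uses."""
    frl: int                          # Facility Restriction Level (0-7)
    calling_party_restriction: str    # "none" or "outward"
    calling_permissions: dict         # trunk-group COR name -> "y"/"n"


ARS_ACCESS_CODE = "9"

# Constructed ARS Digit Analysis Table: dialed string -> ("den", None)
# or ("route", route-pattern name).  "0" and "00" reach an operator, as the
# text warns; international (011) is denied per checklist item 12.
ARS_ANALYSIS = {
    "0":   ("route", "operator"),
    "00":  ("route", "operator"),
    "911": ("route", "emergency"),
    "011": ("den", None),
}
# Route patterns: minimum FRL and the COR of the trunk group they use.
# Operator traffic needs FRL 1 (item 10); 911 stays at FRL 0 (the exception).
ROUTE_PATTERNS = {
    "operator":  {"min_frl": 1, "trunk_cor": "cor-pstn"},
    "emergency": {"min_frl": 0, "trunk_cor": "cor-pstn"},
}


def route_collected_digits(digits, vdn_cor):
    """Return where the collected digits go under the VDN's COR."""
    digits = digits.rstrip("#")                 # '#' ends collection
    if not digits.startswith(ARS_ACCESS_CODE):
        return "on-switch extension"
    number = digits[len(ARS_ACCESS_CODE):]
    match = None                                # longest-prefix match
    for prefix in sorted(ARS_ANALYSIS, key=len, reverse=True):
        if number.startswith(prefix):
            match = ARS_ANALYSIS[prefix]
            break
    if match is None or match[0] == "den":
        return "denied: ARS analysis"
    pattern = ROUTE_PATTERNS[match[1]]
    if vdn_cor.calling_party_restriction == "outward":
        return "denied: calling party restriction"
    if vdn_cor.frl < pattern["min_frl"]:
        return "denied: FRL"
    if vdn_cor.calling_permissions.get(pattern["trunk_cor"]) != "y":
        return "denied: calling permissions"
    return "off-net via " + match[1]


# A permissive VDN COR, and the restricted one item 5b prescribes.
OPEN_COR = COR(frl=7, calling_party_restriction="none",
               calling_permissions={"cor-pstn": "y"})
LOCKED_COR = COR(frl=0, calling_party_restriction="outward",
                 calling_permissions={"cor-pstn": "n"})
```

Under OPEN_COR the "90##" input from the text reaches the operator route; under LOCKED_COR the same digits are stopped by the outward restriction before any trunk is considered.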
6. On the Feature Access Code screen, change the Facility Test Calls Access Code, Data Origination Access Code, and Data Privacy Access Code fields from the default or remove them.
   NOTE: These codes, when dialed, return system dial tone or direct access to outgoing trunking facilities. Transfers to these codes can take place via an unsecured vector with “collect digits” steps or an unsecured voice mail system.

7. Restrict Call Forwarding Off Net on every class of service. Refer to “Class of Service” on page 532 for more information on Class of Service.
   NOTE: You cannot administer loop-start trunks if Call Forwarding Off Net is required.

8. If loop start trunks are administered in the switch and cannot be changed by the Local Exchange Company, block all class of service from forwarding calls off-net. In the Class of Service screen, set the Restriction Call Fwd-Off Net field to y for the 16 (0-15) COS numbers. Refer to “Class of Service” on page 532 for more information.
   NOTE: If a station is call forwarded off-net and an incoming call to the extension is established over a loop-start trunk, incorrect disconnect supervision can occur at the Local Exchange Central Office when the call terminates. This gives the caller recall or transfer dial tone to establish a fraudulent call.

9. Administer Call Detail Recording on all trunk groups to record both incoming and outgoing calls. Refer to “Collecting information about calls” on page 439 for more information.

10. On the Route Pattern screen (see “Route Pattern” on page 865), be careful assigning route patterns with an FRL of 0; these allow access to outgoing trunking facilities. Lucent recommends assigning routes with an FRL of 1 or higher.
    NOTE: An exception might be assigning a route pattern with an FRL of 0 to be used for 911 calls so even restricted users may dial this in emergencies.
    Tip: You can use the list route-pattern print command to print a copy of your facility restriction levels (FRL) and check their status.

11. On all trunk group screens, set the Dial Access field to n. If set to y, it allows users to dial Trunk Access Codes, thus bypassing all the ARS call screening functions. Refer to “Trunk Group” on page 967 for more information.

12. On the AAR and ARS Digit Analysis Table (see page 451), set all dial strings not required to conduct business to den (deny).

13. If you require international calling, on the AAR and ARS Digit Conversion Table (see page 455), use only the 011+ country codes/city codes or specific dial strings.

14. Assign all trunk groups or same trunk group types a unique Class of Restriction. If the trunk group does not require networking through your switch, administer the Class of Restriction of the trunk group where the FRL is 0, the Calling Party Restriction field is outward, and all unique Class of Restriction assigned to your outgoing trunk groups are n. Refer to “Class of Restriction” on page 520 for more information.
    Tip: You can use the list trunk-group print command to have a printout of all your trunk groups. Then, you can use the display trunk-group x command (where x is the trunk group) to check the Class of Restriction (COR) of each trunk group.

15. For your AUDIX, on the System Appearance screen, set:
    - the Enhanced Call Transfer field to y.
    - the Transfer Type field to enhanced. If set to basic, set the Transfer Restriction field to subscribers.
    Refer to “Feature-Related System Parameters” on page 632 for more information.
    NOTE: The Class of Restriction of the voice mail ports dictates the calling restrictions of the voice mail. If the above settings are not administered correctly, the possibility exists to complete a transfer to trunk access codes or ARS/AAR feature codes for fraudulent purposes. Never assign mailboxes that begin with the digits of trunk access codes or ARS/AAR feature access codes. Require your users to use a mailbox password length greater than the number of digits in the extension number.
16. Lucent recommends you administer the following on all voice mail ports:
    - Assign all voice mail ports a unique Class of Restriction. Refer to “Class of Restriction” on page 520 for more information.
    - If you are not using outcalling, fax attendant, or networking, administer the unique Class of Restriction where the FRL is 0, the Calling Party Restriction field is outward, and all unique trunk group Class of Restriction on the Calling Permissions are n. Refer to “Class of Restriction” on page 520 for more information.
    NOTE: Lucent recommends you administer as many layers of security as possible. You can implement steps 9 and 16 as a double layer of security. In the event that the voice mail becomes unsecured for any reason, the layer of security on the switch takes over, and vice versa.

17. Administer all fax machine, modem, and answering machine analog voice ports as follows:
    - Set the Switchhook Flash field to n.
    - Set the Distinctive Audible Alert field to n.
    Refer to “Station” on page 882 for more information.

18. Install a Call Accounting System to maintain call records. In the CDR System Parameters screen, set the Record Outgoing Calls Only field to y. Refer to “CDR System Parameters” on page 508 for more information.
    NOTE: Call Accounting Systems produce reports of call records. They detect phones that are being hacked by recording the extension number, the date and time of the call, and what digits were dialed.

Adding logins and passwords

This section shows you how to add a user and their password. To add a login, you must be a superuser with authority to administer permissions.

When adding logins, remember the following:
- Type the new login name as part of the add command. The name must be 3–6 alphanumeric characters in length, and can contain the characters 0-9, a-z, A-Z.
- The password must be from 7 to 11 alphanumeric characters in length and contain at least 1 non-alphabetic character.
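An added audit script (not part of the manual or of DEFINITY software) that checks login records against the two rules just stated and against checklist item 1 (factory logins removed, aging of at most 90 days). The records are constructed, and treating a blank or zero aging cycle as “no aging” is an assumption of the script.

```python
"""Audit of administrative logins against the rules this chapter states:
the factory logins cust, rcust, browse, nms and bcms are removed (checklist
item 1), login names are 3-6 alphanumeric characters, passwords are 7-11
alphanumeric characters with at least one non-alphabetic character, and
password aging is set to 90 days or less.  Added example, not DEFINITY
software; the login records are constructed.  Assumption: an aging value
of 0 or None is treated as "no aging"."""
import re

DEFAULT_FACTORY_LOGINS = {"cust", "rcust", "browse", "nms", "bcms"}
LOGIN_NAME_RE = re.compile(r"[0-9A-Za-z]{3,6}")
PASSWORD_RE = re.compile(r"[0-9A-Za-z]{7,11}")
NON_ALPHA_RE = re.compile(r"[^A-Za-z]")
MAX_AGING_DAYS = 90


def audit_login(name, password, aging_days):
    """Return the list of policy findings for one login (empty = compliant)."""
    findings = []
    if name in DEFAULT_FACTORY_LOGINS:
        findings.append("default factory login must be removed")
    if not LOGIN_NAME_RE.fullmatch(name):
        findings.append("login name must be 3-6 alphanumeric characters")
    if not PASSWORD_RE.fullmatch(password):
        findings.append("password must be 7-11 alphanumeric characters")
    elif not NON_ALPHA_RE.search(password):
        findings.append("password needs at least one non-alphabetic character")
    if not aging_days or aging_days > MAX_AGING_DAYS:
        findings.append("password aging must be set to at most 90 days")
    return findings


def audit_logins(records):
    """records: iterable of (name, password, aging_days).  Returns only the
    non-compliant logins, each mapped to its findings."""
    report = {}
    for name, password, aging_days in records:
        findings = audit_login(name, password, aging_days)
        if findings:
            report[name] = findings
    return report


# Constructed records; angi3 is the login used in the instructions that follow.
SAMPLE_LOGINS = [
    ("angi3", "b3stm0m", 30),
    ("cust", "defaults", 0),       # factory login, all-alphabetic, no aging
    ("telecom", "s3cur3pw", 90),   # name too long
    ("ops1", "pw1", 365),          # password too short, aging too long
]

if __name__ == "__main__":
    for login, problems in audit_logins(SAMPLE_LOGINS).items():
        print(login + ": " + "; ".join(problems))
```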
Instructions

We will add the login angi3 with the password b3stm0m. We also will require the user to change their password every 30 days.

To add new logins and passwords:
1. Type add login angi3 and press RETURN. The Login Administration screen appears. The Login’s Name field shows the name you typed in the add command.
2. In the Password of Login Making Change field, type your superuser password.
3. In the Disable Following a Security Violation field, type y to disable this login following a login security violation. This field appears only if, on the Security-Related System Parameters screen, the SVN Login Violation Notification field is y.
4. In the Login’s Password field, type b3stm0m. The password does not appear on the screen as you type.
5. In the Reenter Login’s Password field, retype b3stm0m.
6. In the Password Aging Cycle Length (Days) field, type 30. This requires the user to change the password every 30 days.
7. Press ENTER to save your changes. Now you need to set the permissions for this new login.

    LOGIN ADMINISTRATION

    Password of Login Making Change:

    LOGIN BEING ADMINISTERED
    Login’s Name: angi3
    Login Type:
    Service Level:
    Disable Following a Security Violation?
    Access to INADS Port? _

    LOGIN’S PASSWORD INFORMATION
    Login’s Password:
    Reenter Login’s Password:
    Password Aging Cycle Length (Days): 30

    LOGOFF NOTIFICATION
    Facility Test Call Notification? y    Acknowledgment Required? y
    Remote Access Notification? y         Acknowledgment Required? y

    ACCESS SECURITY GATEWAY PARAMETERS
    Access Security Gateway? n
8. Type change permissions angi3 and press RETURN. The Command Permission Categories screen appears.
9. In the Administer Stations field, type y. This allows your user to add, change, duplicate, or remove stations, data modules, and associated features.
10. In the Additional Restrictions field, type y. A y in this field brings up the second and third pages of this screen.
11. In the first field, type vdn. This restricts your user from administering a VDN.
12. Press ENTER to save your changes.

    COMMAND PERMISSION CATEGORIES
    Login Name: angi3

    COMMON COMMANDS
    Display Admin. and Maint. Data? n
    System Measurements? n

    ADMINISTRATION COMMANDS
    Administer Stations? y
    Administer Features? n
    Administer Trunks? n
    Administer Permissions? n
    Additional Restrictions? y

    MAINTENANCE COMMANDS
    Maintain Stations? n
    Maintain Switch Circuit Packs? n
    Maintain Trunks? n
    Maintain Process Circuit Packs? n
    Maintain Systems? n
    Maintain Enhanced DS1? n

    COMMAND PERMISSION CATEGORIES
    RESTRICTED OBJECT LIST
    vdn
    (the remaining restricted-object entries are blank)