Lucent Technologies DEFINITY Enterprise Communications Server Release 8.2 Instructions Manual
DEFINITY ECS Release 8.2 Administrator’s Guide, 555-233-506, Issue 1.1, June 2000

11 Enhancing system security

Toll fraud is the theft of long distance service and can come from both internal and external sources. When toll fraud occurs, your company is responsible for usage charges. In addition, unauthorized use may tie up your system, preventing your customers from reaching you and your employees from doing business.

Lucent Technologies designed the DEFINITY ECS to help you limit toll fraud. However, there are steps that you, as the administrator, must also take to keep your system secure from unauthorized use.

Need help quickly?

- For assistance with toll fraud prevention (including systems and products), call the Lucent Technologies Toll Fraud Intervention Hotline at 800-643-2353 or contact your Lucent representative.
- If you have identified fraudulent calling in progress and require assistance in stopping the fraud, call the Lucent Technologies Technical Service Center at 800-242-2121 and select the toll fraud help option, or contact your Lucent representative.
Basic security

Keeping your system secure

The following is a partial list you can use to help secure your system. It is not intended as a comprehensive security checklist. Refer to the BCS Products Security Handbook for more information about these and other security-related features.

- Secure the system administration and maintenance ports and/or logins on DEFINITY ECS using the Access Security Gateway. This optional password authentication interface program is provided to customers with maintenance contracts.
- Activate Security Violation Notification to report unsuccessful attempts to access the system. Security Violation Notification lets you automatically disable a valid login ID following a security violation involving that login ID, and disable remote access following a security violation involving a barrier code or authorization code.
- Use the list history command to determine if unauthorized changes have been made to the system. To assist in identifying unauthorized use of the system, the History report lists each time a user logs on or off the system. Refer to the DEFINITY ECS Reports for more information about this report.
- Secure trunks using Automatic Route Selection, Class of Restriction, Facility Restriction Levels and Alternate Facility Restriction Levels, Authorization Codes, Automatic Circuit Assurance, and Forced Entry of Account Codes (refer to ‘‘Call Detail Recording’’ on page 1231 for more information).
- Activate Enhanced Call Transfer for your voice messaging system, if available. This limits transfers to valid extensions, but you also need to restrict transfers to extensions that may offer dial tone to the caller, such as DISA extensions.
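Security Violation Notification works by counting failed attempts against a threshold inside a time window and then disabling the offending login ID or Remote Access. The Python script below is an added illustration of that counting rule over a constructed log; it is not DEFINITY code and does not use the layout of the switch's history or SVN reports. The 10-attempts-in-2-minutes figure for Remote Access is the value this chapter's checklist recommends; the login-ID threshold of 5 attempts in 5 minutes and the event format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds: (failed attempts, window). The remote value is the one this chapter's
# checklist recommends; the login value is an assumption made for this example.
POLICIES = {
    "remote": (10, timedelta(minutes=2)),  # barrier/authorization code failures on Remote Access
    "login": (5, timedelta(minutes=5)),    # failed logins on the administration interface
}

# Constructed sample of failed attempts (not the DEFINITY history or SVN report format).
# Fields: date, time, violation kind, identity (login ID, or "remote-access" for barrier codes).
SAMPLE_EVENTS = """\
2000-06-01 08:30:00 remote remote-access
2000-06-01 09:00:05 remote remote-access
2000-06-01 09:00:12 remote remote-access
2000-06-01 09:00:19 remote remote-access
2000-06-01 09:00:26 remote remote-access
2000-06-01 09:00:33 remote remote-access
2000-06-01 09:00:40 remote remote-access
2000-06-01 09:00:47 remote remote-access
2000-06-01 09:00:54 remote remote-access
2000-06-01 09:01:01 remote remote-access
2000-06-01 09:01:08 remote remote-access
2000-06-01 09:05:00 login cust
2000-06-01 09:05:20 login cust
2000-06-01 09:05:40 login cust
2000-06-01 09:06:00 login cust
2000-06-01 09:06:20 login cust
2000-06-01 09:10:00 login browse
2000-06-01 09:30:00 login browse
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, kind, identity) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, kind, identity = line.split()
        stamp = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, kind, identity))
    return sorted(events)


def svn_response(kind, identity):
    """The action SVN takes once a violation is declared, as described in this chapter."""
    if kind == "login":
        return f"disable login ID {identity}"
    return "disable Remote Access"


def detect_violations(events, policies=POLICIES):
    """Sliding-window count per (kind, identity); declare a violation the first time the
    number of failures inside the window reaches the policy threshold."""
    recent = defaultdict(deque)
    declared = set()
    violations = []
    for ts, kind, identity in events:
        if kind not in policies:
            continue
        threshold, window = policies[kind]
        key = (kind, identity)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and key not in declared:
            declared.add(key)
            violations.append((kind, identity, ts, svn_response(kind, identity)))
    return violations


if __name__ == "__main__":
    for kind, identity, ts, action in detect_violations(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {kind} violation for {identity}: {action}")
```

On the constructed log the single failure at 08:30 never counts because it has left the window by the time the burst starts; the tenth failure of the burst at 09:01:08 trips the Remote Access rule, and the five cust failures trip the login rule, while the two widely spaced browse failures trip nothing.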
Preventing toll fraud

Top 15 tips to help prevent toll fraud

1. Protect system administration access
   Make sure secure passwords exist for all logins that allow System Administration or Maintenance access to the system. Change the passwords frequently. Set logoff notification and forced password aging when administering logins. You must assign passwords for these logins at setup time. Establish well-controlled procedures for resetting passwords.

2. Prevent voice mail system transfer to dial tone
   Activate “secure transfer” features in voice mail systems. Place appropriate restrictions on voice mail access/egress ports. Limit the number of invalid attempts to access a voice mail to five or less.

3. Deny unauthorized users direct inward system access (DISA)
   If you are not using the Remote Access features, deactivate or disable them. If you are using Remote Access, require the use of barrier codes and/or authorization codes set for maximum length. Change the codes frequently. It is your responsibility to keep your own records regarding who is allowed to use which authorization code.

4. Place protection on systems that prompt callers to input digits
   Prevent callers from dialing unintended digit combinations at prompts. Restrict auto attendants and call vectors from allowing access to dial tone.

5. Use system software to intelligently control call routing
   Create Automatic Route Selection or World Class Routing patterns to control how each call is to be handled. Use “Time of Day” routing capabilities to limit facilities available on nights and weekends. Deny all end-points the ability to directly access outgoing trunks.

6. Block access to international calling capability
   When international access is required, establish permission groups. Limit access to only the specific destinations required for business.
7. Protect access to information stored as voice
   Password restrict access to voice mail mailboxes. Use non-trivial passwords and change passwords regularly.

8. Provide physical security for telecommunications assets
   Restrict unauthorized access to equipment rooms and wire connection closets. Protect system documentation and reports data from being compromised.

9. Monitor traffic and system activity for abnormal patterns
   Activate features that “turn off” access in response to unauthorized access attempts. Use Traffic and Call Detail reports to monitor call activity levels.

10. Educate system users to recognize toll fraud activity and react appropriately
    From safely using calling cards to securing voice mailbox passwords, train your users on how to protect themselves from inadvertent compromises to the system’s security.

11. Monitor access to the dial-up maintenance port
    Change the access password regularly and issue it only to authorized personnel. Consider activating Access Security Gateway.

12. Create a switch system management policy concerning employee turnover and include these actions:
    a. Delete any unused voice mailboxes in the voice mail system.
    b. Immediately delete any voice mailboxes belonging to a terminated employee.
    c. Immediately remove the authorization code if a terminated employee had DISA calling privileges and a personal authorization code.
    d. Immediately change barrier codes and/or authorization codes shared by a terminated employee. Notify the remaining users of the change.
    e. Remove a terminated employee’s login ID if they had access to the system administration interface. Change any associated passwords immediately.

13. Back up system files regularly to ensure a timely recovery
    Schedule regular, off-site backups.
14. Callers misrepresenting themselves as the “phone company,” “AT&T,” “RBOCS,” or even known employees within your company may claim to be testing the lines and ask to be transferred to “900,” “90,” or ask the attendant to do “start 9 release.” This transfer reaches an outside operator, allowing the unauthorized caller to place a long distance or international call. Instruct your users to never transfer these calls. Do not assume that if “trunk to trunk transfer” is blocked this cannot happen.

15. Hackers run random generator PC programs to detect dial tone. Then they revisit those lines to break barrier codes and/or authorization codes to make fraudulent calls or resell their services. They do this using your telephone lines to incur the cost of the call. Frequently these call/sell operations are conducted at public payphones located in subways, shopping malls, or airport locations. Refer to ‘‘Remote Access’’ on page 870 to prevent this happening to your company.

Physical security

Physical security is your responsibility. Implement the following safeguards as an added layer of security:

1. Unplug and secure attendant console handsets when the attendant position is not in use.
2. Lock wiring closets and switch rooms.
3. Keep a log book register of technicians and visitors.
4. Shred all switch information or directories you discard.
5. Always demand verification of a technician or visitor by asking for a valid I.D. badge.
6. Keep any reports that may reveal trunk access codes, DISA barrier codes, authorization codes, or password information secure.
7. Keep the attendant console and supporting documentation in an office that is secured with a changeable combination lock. Provide the combination only to those individuals who need to enter the office.
8. Keep any documentation pertaining to switch operation secure.
9. Label all backup tapes or flash cards with correct dates to avoid using an outdated one when restoring data. Be sure that all backup media have the correct generic software load.
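Tip 1 and item 12e above amount to an inventory rule: every administration login must carry a password that meets policy, must age, and must disappear when its owner leaves. The Python below is an added example of running that rule over a constructed inventory; it is not DEFINITY code. The record layout is an assumption for the example (the switch's own list logins command, mentioned in the checklist later in this chapter, has its own format), the factory login names are the five the checklist names, and the chapter's "7-character alphanumeric" password rule is read here as at least 7 characters containing both letters and digits.

```python
from datetime import date

# The five factory logins this chapter's checklist says to remove.
FACTORY_LOGINS = {"cust", "rcust", "browse", "nms", "bcms"}
MAX_PASSWORD_AGE_DAYS = 90      # password aging recommended in this chapter
MIN_PASSWORD_LENGTH = 7         # "7-character alphanumeric", read here as a minimum (assumption)

# Constructed login inventory; the column layout is an assumption for this example and is
# not the output of the switch's list logins command.
# Columns: login, date of last password change, forced password aging (y/n), owner
INVENTORY = """\
cust     2000-01-15 n factory
rcust    2000-01-15 n factory
admin1   2000-05-02 y j.doe
admin2   1999-11-30 y a.smith
maint7   2000-04-10 y r.jones
"""

# Constructed list of departed employees (what HR would hand the switch administrator).
TERMINATED_OWNERS = {"a.smith"}


def password_meets_policy(password):
    """At least 7 characters, alphanumeric only, and containing both a letter and a digit
    (the mixed-character requirement is this example's reading of "alphanumeric")."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and password.isalnum()
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def parse_inventory(text):
    """Turn the constructed inventory text into one dict per login."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        login, changed, aging, owner = line.split()
        records.append({
            "login": login,
            "changed": date.fromisoformat(changed),
            "aging": aging == "y",
            "owner": owner,
        })
    return records


def audit_logins(records, today, terminated=TERMINATED_OWNERS):
    """Return (login, finding) pairs for every rule from tips 1 and 12e that a login breaks.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for r in records:
        if r["login"] in FACTORY_LOGINS:
            findings.append((r["login"], "factory default login still present"))
        if not r["aging"]:
            findings.append((r["login"], "forced password aging not set"))
        age = (today - r["changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((r["login"], f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
        if r["owner"] in terminated:
            findings.append((r["login"], f"owner {r['owner']} has left; remove login and change shared passwords"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_logins(parse_inventory(INVENTORY), "2000-06-01"):
        print(f"{login}: {finding}")
```

Run against the constructed inventory on 2000-06-01, the two factory logins each produce three findings (still present, no aging, stale password) and admin2 produces two (stale password, departed owner); admin1 and maint7 are clean.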
System security checklist

Here are some of the steps required for indemnification. Use these to analyze your system security.

1. Remove all default factory logins of cust, rcust, browse, nms, and bcms and assign unique logins with 7-character alphanumeric passwords and a 90-day password aging. Use the list logins command to find out what logins are there.

2. If you do not use Remote Access, be sure to disable it permanently.
   Tip: You can use the display remote-access command to check the status of your remote access. To disable Remote Access, on the Remote Access screen, Permanently Disable field, type y. Refer to ‘‘Remote Access’’ on page 870 for more information on remote access.
   NOTE: Lucent recommends that you permanently disable Remote Access using the change remote-access command. If you do permanently disable Remote Access, the code is removed from the software. Lucent charges a fee to restore the Remote Access feature.

3. If you use Remote Access, but only for internal calls, change announcements, or remote service observing:
   a. Use a 7-digit barrier code.
   b. Assign a unique Class of Restriction (COR) to the 7-digit barrier code. The unique COR must be administered where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
   c. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
   d. Set the aging cycle to 90 days with 100 call limit per barrier code.
   Refer to ‘‘Remote Access’’ on page 870 for more information.
4. If you use Remote Access to process calls off-net or in any way access the public network:
   a. Use a 7-digit barrier code.
   b. Assign a unique COR to the barrier code.
   c. Restrict the COR assigned to each barrier code by FRL level to only the calling areas required to conduct business.
   d. Set the aging cycle to 90 days with 100 call limit per barrier code.
   e. Suppress dial tone where applicable.
   f. Administer Authorization Codes.
   g. Use a minimum of 11 digits (combination of barrier codes and authorization codes).
   h. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.

5. If you use vectors:
   a. Assign all Vector Directory Numbers (VDN) a unique COR. Refer to DEFINITY ECS Guide to ACD Call Centers for more information.
      NOTE: The COR associated with the VDN dictates the calling privileges of the VDN/vector. High susceptibility to toll fraud exists on vectors that have “collect digits” steps. When a vector collects digits, it processes those digits back to the switch and, if the COR of the VDN allows it to complete the call off-net, it will do so. For example, the announcement “If you know your party’s 4-digit extension number, enter it now” results in 4 digits being collected in step 6. If you input “90##” or “900#”, the 4 digits are analyzed and, if “9” points towards ARS, “0” or “00” is assigned in the ARS Analysis Tables, and the VDN COR allows it, the call routes out of the switch to an outside local exchange or long distance operator. The operator then connects the call to the requested number.
   b. If vectors associated with the VDN do not require routing the call off-net or via AAR, assign a unique COR where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
   c. If the vector has a “route-to” step that routes the call to a remote switch via AAR, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an AAR call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the appropriate AAR route patterns on the AAR Partition Group using the change aar analysis partition x 2 command.
      Tip: You can use the display aar analysis print command to print a copy of your Automatic Alternate Routing (AAR) setup before making any changes. You can use the printout to correct any mistakes.
   d. If the vector has a “route-to” step that routes the call off-net, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an ARS call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions. Assign the complete dial string in the “route-to” step of the vector to the unique ARS Partition Group using the change ars analysis partition x 2 command.

6. On the Feature Access Code screen, change the Facility Test Calls Access Code, Data Origination Access Code, and Data Privacy Access Code fields from the default, or remove them.
   NOTE: These codes, when dialed, return system dial tone or direct access to outgoing trunking facilities. Transfers to these codes can take place via an unsecured vector with “collect digits” steps or an unsecured voice mail system.

7. Restrict Call Forwarding Off Net on every class of service. Refer to ‘‘Class of Service’’ on page 545 for more information on Class of Service.
   NOTE: You cannot administer loop-start trunks if Call Forwarding Off Net is required.
8. If loop start trunks are administered in the switch and cannot be changed by the Local Exchange Company, block all classes of service from forwarding calls off-net. In the Class of Service screen, set the Restriction Call Fwd-Off Net field to y for all 16 (0-15) COS numbers. Refer to ‘‘Class of Service’’ on page 545 for more information.
   NOTE: If a station is call forwarded off-net and an incoming call to the extension establishes using a loop-start trunk, incorrect disconnect supervision can occur at the Local Exchange Central Office when the call terminates. This gives the caller recall or transfer dial tone to establish a fraudulent call.

9. Administer Call Detail Recording on all trunk groups to record both incoming and outgoing calls. Refer to ‘‘Collecting information about calls’’ on page 453 for more information.

10. On the ‘‘Route Pattern’’ screen (see page 877), be careful assigning route patterns with an FRL of 0; these allow access to outgoing trunking facilities. Lucent recommends assigning routes with an FRL of 1 or higher.
    NOTE: An exception might be assigning a route pattern with an FRL of 0 to be used for 911 calls so even restricted users may dial this in emergencies.
    Tip: You can use the list route-pattern print command to print a copy of your facility restriction levels (FRL) and check their status.

11. On all trunk group screens, set the Dial Access field to n. If set to y, it allows users to dial Trunk Access Codes, thus bypassing all the ARS call screening functions. Refer to ‘‘Trunk Group’’ on page 980 for more information.

12. On the ‘‘AAR and ARS Digit Analysis Table’’ (see page 465), set all dial strings not required to conduct business to den (deny).

13. If you require international calling, on the ‘‘AAR and ARS Digit Conversion Table’’ (see page 470), use only the 011+ country codes/city codes or specific dial strings.
14. Assign all trunk groups or same trunk group types a unique Class of Restriction. If the trunk group does not require networking through your switch, administer the Class of Restriction of the trunk group where the FRL is 0, the Calling Party Restriction field is outward, and all unique Class of Restriction assigned to your outgoing trunk groups are n. Refer to ‘‘Class of Restriction’’ on page 533 for more information.
    Tip: You can use the list trunk-group print command to have a printout of all your trunk groups. Then, you can use the display trunk-group x command (where x is the trunk group) to check the Class of Restriction (COR) of each trunk group.

15. For your AUDIX, on the System Appearance screen, set:
    - the Enhanced Call Transfer field to y.
    - the Transfer Type field to enhanced. If set to basic, set the Transfer Restriction field to subscribers.
    Refer to ‘‘Feature-Related System Parameters’’ on page 646 for more information.
    NOTE: The Class of Restriction of the voice mail ports dictates the calling restrictions of the voice mail. If the above settings are not administered correctly, the possibility exists to complete a transfer to trunk access codes or ARS/AAR feature codes for fraudulent purposes. Never assign mailboxes that begin with the digits of trunk access codes or ARS/AAR feature access codes. Require your users to use a mailbox password length greater than the number of digits in the extension number.

16. Lucent recommends you administer the following on all voice mail ports:
    - Assign all voice mail ports a unique Class of Restriction. Refer to ‘‘Class of Restriction’’ on page 533 for more information.
    - If you are not using outcalling, fax attendant, or networking, administer the unique Class of Restriction where the FRL is 0, the Calling Party Restriction field is outward, and all unique trunk group Class of Restriction on the Calling Permissions are n. Refer to ‘‘Class of Restriction’’ on page 533 for more information.
    NOTE: Lucent recommends you administer as many layers of security as possible. You can implement steps 9 and 16 as a double layer of security. In the event that the voice mail becomes unsecured for any reason, the layer of security on the switch takes over, and vice versa.
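Items 5, 10, 12 and 14 of the checklist describe one decision chain: digits collected by a vector are analyzed against the ARS table, the matching route pattern carries an FRL, and the caller's COR must both meet that FRL and hold a y calling permission toward the trunk group's COR before the call leaves the switch. The Python model below is an added example of that chain, written for this page rather than taken from DEFINITY; the table contents, the route pattern numbers, the COR numbers 90 and 91, the station extensions, and the treatment of a trailing # as a collect-digits terminator are all constructed for the example. It replays the “90##”/“900#” case from item 5 against a restricted VDN COR (item 5b), a COR that relies on FRL alone, and an unrestricted one, plus the den entry from item 12 and the FRL-0 911 exception from item 10.

```python
from dataclasses import dataclass


@dataclass
class COR:
    """Class of Restriction: an FRL plus y/n calling permissions toward other CORs."""
    frl: int
    calling_permissions: dict  # trunk-group COR number -> True (y) / False (n)


@dataclass
class RoutePattern:
    """Route pattern preference: the FRL a caller must meet and the COR of the trunk group used."""
    frl: int
    trunk_cor: int


ARS_FAC = "9"                      # ARS feature access code, as in the example in item 5
EXTENSIONS = {"4321", "4322"}      # constructed station extensions

# Constructed ARS Digit Analysis Table: dialed-string prefix -> route pattern number, or "den".
ARS_ANALYSIS = {
    "0": 1,        # local operator
    "00": 1,       # long distance operator
    "011": "den",  # international, denied as item 12 directs
    "1": 2,        # domestic long distance
    "911": 3,      # emergency
}

# Constructed route patterns. Pattern 3 carries FRL 0 so restricted users can reach 911 (item 10).
ROUTE_PATTERNS = {
    1: RoutePattern(frl=3, trunk_cor=90),
    2: RoutePattern(frl=2, trunk_cor=90),
    3: RoutePattern(frl=0, trunk_cor=91),
}

# Constructed VDN CORs. "restricted" follows item 5b; the other two show what each missing layer costs.
CORS = {
    "vdn-restricted":   COR(frl=0, calling_permissions={90: False, 91: True}),
    "vdn-frl-only":     COR(frl=7, calling_permissions={90: False, 91: True}),
    "vdn-unrestricted": COR(frl=7, calling_permissions={90: True, 91: True}),
}


def analyze(dial_string):
    """Longest-prefix match against the ARS analysis table; None when nothing matches."""
    best = None
    for prefix, target in ARS_ANALYSIS.items():
        if dial_string.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, target)
    return best


def route_collected_digits(collected, cor_name):
    """Decide what the switch does with digits a vector collected, under the VDN's COR."""
    digits = collected.rstrip("#")     # '#' taken as the collect-digits terminator (assumption)
    cor = CORS[cor_name]
    if not digits.startswith(ARS_FAC):
        return "extension" if digits in EXTENSIONS else "invalid extension"
    match = analyze(digits[len(ARS_FAC):])
    if match is None:
        return "denied: no ARS analysis entry"
    prefix, target = match
    if target == "den":
        return f"denied: ARS analysis marks {prefix} den"
    pattern = ROUTE_PATTERNS[target]
    if cor.frl < pattern.frl:
        return f"denied: COR FRL {cor.frl} below route pattern {target} FRL {pattern.frl}"
    if not cor.calling_permissions.get(pattern.trunk_cor, False):   # a missing permission counts as n
        return f"denied: calling permission to trunk COR {pattern.trunk_cor} is n"
    return f"routed off-net via route pattern {target}"


if __name__ == "__main__":
    for cor_name in CORS:
        for collected in ("4321", "90##", "900#", "9011", "9911"):
            print(f"{cor_name:17} {collected:5} -> {route_collected_digits(collected, cor_name)}")
```

The restricted COR stops “90##” at the FRL check and the FRL-only COR stops it at the calling permission, which is the point of the NOTE under item 16 about layering: either control alone blocks the operator call, and both together survive one of them being misadministered. The same restricted COR still completes 9911 because that pattern is the deliberate FRL-0 exception.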