ATT DEFINITY Communications System Generic 3 Instructions Manual

							Security Violation Notification (SVN)
Issue  3   March 1996
3-1075
3
Security Violation Notification (SVN)
Feature Availability
This feature is available on all versions of the DEFINITY Communications System.
Description
The Security Violation Notification (SVN) feature notifies a designated referral 
point of a security violation. A designated referral point can be an attendant 
console, display equipped voice terminal, or voice terminal without display 
requiring the notification to be by announcement. The SVN feature provides the 
capacity to disable a valid login ID or remote access following a security 
violation. The SVN feature also provides an audit trail containing  information 
about each attemp t to access the switch. If disabled, the login ID, or remote 
access feature remains disabled until re-enabled by a login ID with correct 
permissions.
Sequence of events with the SVN feature enabled and a security violation oc c urs:
1. SVN parameters are exceeded (the number of invalid attempts permitted 
in a specified time interval is exceeded).
2. A SVN referral call with announcements (announcement message 
identifying the violation) is placed to a designated point and the SVN 
feature provides an audit trail containing information about each attempt 
to a c cess the switch.
3. The SVN feature disables a valid login ID or remote access barrier code 
following the security violation.
4. The Login ID or Remote Ac cess remains disabled until re-enabled by an 
authorized login ID, with the correct permissions.
SVN Enhancements
Referral Call Activation/Deactivation
Referral Call Placement is automatic with G3V3, and later releases. SVN referral 
calls are placed by the system any time a security threshold violation occurs. To 
stop placement of referral calls, activate these b uttons.
NOTE:
Calls are placed if these buttons are not activated.
nThe login security violation feature button ‘‘lsvn-halt.’’
nThe remote access security violation feature button ‘‘rsvn-halt.’’ 
						

							Feature Descriptions
3-1076Issue  3   March 1996 
nThe authorization c o de security violation feature button ‘‘asvn-halt.’’
Repeated  security violations can result in numerous referral calls being ma de in 
a short  period of time.
Login ID Kill After ‘‘N’’ Attempts
The Login ID Kill After ‘‘N’’ Attemp ts feature p rovides the ability to disable a login  
ID when a login security violation is d etected for a valid login ID (the numb er of 
invalid login attempts permitted in a specified time interval is exceeded). If the 
login security violation parameters are exceeded, the login ID is disabled until 
re-enabled by a login ID with re-activation permissions. This feature is controlled 
by an administrable parameter an d is optional on a per-login ID basis. The 
system default value is to disable a login ID if the SVN feature is active and a 
security violation occurs. Any attempt to access the switch using a login ID that 
has been disabled by the Security Violation Notification (SVN) feature fails, even 
if the correct login ID and password is entered. If the login ID is disabled while 
logg e d in on another session, once that session is terminated any subsequent 
attempt to log in using that login ID is prohibited. SVN referral calls are placed by 
the system each time a login security violation occurs. A disabled login ID 
remains disabled until it is re-enabled by a login ID with reactivation permissions.
A major alarm is log g ed whenever a security violation is detected involving an 
AT&T services login ID and that login ID has been disabled as a result of the 
security violation. AT&T is responsible for retiring the alarm.
Remote Access Kill After ‘‘N’’ Attempts
The Remote Access Kill After ‘‘N’’ Attempts SVN feature provides the ability to 
disable the Remote Access feature when a remote a c cess b arrier code security 
violation is detected (the  numb er of invalid Remote Access attempts permitted in 
a specified time interval is exceeded), and the “Disable Following a Security 
Violation” field is enabled. Any attempt to use the Remote Ac cess feature once it 
has been disabled fails, even if a correct barrier code or barrier 
code/authorization code c ombination is given. SVN referral calls are placed by 
the system any time a Remote Ac cess security violation occurs. The Remote 
Access feature remains disabled until re-enabled by a login ID with re-activation 
permissions.
Authorization Code Security Violation
The Authorization Code Security Violation feature g enerates a referral call upon 
detection  of a violation. An audit trail containing relevant information about each 
attempt  is registered. 
						

							Security Violation Notification (SVN)
Issue  3   March 1996
3-1077
SVN Referral Call With Announcement
The SVN Referral Call with Announcement option has the capacity to provide a 
recorded message identifying the type of violation accompanying the SVN 
referral call. Using Call  Forwarding, Call Coverage, or Call Vector  Time-of-Day 
Routing (to route to an extension or a number off the switch), SVN referral calls 
with  announcements can terminate to a point on or off the switch.
Use of other means to route SVN referral calls to alternate destinations are not 
supported at this time. An attempt to use an alternate method to route SVN 
referral calls may result in a failure to receive the call or to hear the 
announ cement.
Monitor Security Violations Report
The security violations reports p rovide current status information for invalid  Login 
or Remote Ac cess (barrier c o de) or Authorization Code attempts. The data 
displayed by these reports is up dated every 30  seconds. A total of 16 entries is 
maintained for each type of violation. The oldest information is overwritten by the 
new entries  at each 30-se cond update. When a login is added or removed, the 
Security Measurements reports are not up d ated until the next hourly p oll, or a 
clear measurements security-violations command is entered. The security 
violations report is divided into three distinct reports:
nLogin Violations
nRemote Access Barrier Code Violations
nAuthorizations Code Violations
To access Monitor Security Violations reports, enter the command interface 
command monitor security-violations . The report names are 
‘‘login,’’ remote-access,’’ and ‘‘authorization-code.’’
The following fields are displayed on the Login Violation report:
nDate: The  date  the  attempt  occurred.
nTime: The time the attempt occurred.
nLogin: The login string entered as part of the login violation attempt. An 
invalid password may cause a security violation. If a valid login ID causes 
a security violation by entering an incorrect password , the Login Violation 
report displays the valid login ID.
nPort: The port on which the failed login session was attempted. The  
following a b breviations are used for G3i:
—MGR1: The dedicated management terminal connection (the EIA  
connection to the maintenance board).
—NET-N: A network controller dialup port (1-4).
—EPN: The EPN maintenance EIA port.
—INADS: The INADS port (Initialization and Administration System). 
						

							Feature Descriptions
3-1078Issue  3   March 1996 
—EIA: Other EIA ports.
The following a b breviations are used for G3r:
—SYSAM-LCL: Local administration to Manager 1.
—SYSAM-RMT: Dial up port on SYSAM board, typically used by  
services for remote maintenance, and used b y the switch to c all out  
with alarm information.
—SYS-PORT: System ports accessed through TDM bus.
—MAINT: Ports on exp ansion p ort network maintenance boards, 
used  as a local connection for onsite maintenance.
nExt: The extension assigned to the network controller board that the  failed 
login session was attemp ted on. This field is present only in the  case 
where the System Manager’s SAT is administered through a  network 
controller port.
The following fields are displayed on the Remote Access Violations report:
nDate: The  date  that the  attempt  occurred.
nTime: The time that the attempt occurred.
nTG No: The trunk group number associated with the trunk where the  
remote access attempt terminate d.
nMbr: The trunk group member number associated with the trunk  where 
the remote access attempt terminated.
nExt: The extension used to interface with the Remote Access feature.
nBarrier Code: The  incorrect  barrier code that resulte d in the invalid  
attemp t.
The following fields are displayed on the Authorization Code Violations report:
nDate: The  date  that the  attempt  occurred.
nTime: The time that the attempt occurred.
nOriginator: The  type  of resourc e originating the call that generate d  the 
invalid authorization code access attempt. Originator typ es include:
— Station.
— Trunk (other than a trunk assigned to a remote access trunk group).
— Remote Access (when the invalid authorization code is associated  
with an attempt to invoke the Remote Access feature).
— Attendant.
nAuth Code: The invalid authorization code entered.
nTG No: The trunk group number associated with the trunk where the  
attempt terminated. It appears only when an authorization code is used to 
access a trunk. 
						

							Security Violation Notification (SVN)
Issue  3   March 1996
3-1079
nMbr: The trunk group member number associated with the trunk  where 
the attempt terminated. It a p pears only when an authorization code is 
used to access a trunk.
nBarrier Code: The  incorrect  barrier code that resulte d in the invalid  
attempt. It a p pears only when an authorization code is entered to invoke 
Remote Access.
nExt: The extension associated with the station or attendant originating the 
call. It appears only when authorization code is entered from the station or 
attendant console.
Administering SVN System Parameters
To activate SVN system features, three sets of system level parameters must be  
administered:
nSVN Login Violation Notification
nSVN Remote Ac c ess Violation Notification
nSVN Authorization Code Violation Notification
Refer to the SVN Referral Call With Announcement section on page 3-1077.
Administering the SVN Login Security Violation
Notification Feature
To administer the login component of the SVN feature, enter the change 
system-parameters security c ommand.
To administer system p arameters for the login component of the SVN feature 
violation notification:
1. Access the “System Parameter Security”  form by entering the change  
system-parameters security command from the command line  
interface.
2. When the “SVN Login Violation Notification Enabled” field is enabled, the  
following fields appear on the “ Security-Related System Parameters”  form:
nOriginating Extension
Requires the entry of an unassigned extension local to the switch 
and conforms to the d ial plan for the purpose of originating  and 
identifying SVN referral calls for login security violations.
The originating extension initiates the referral call in the event of a  
login security violation. It also sends the a ppropriate alerting  
message or display to the referral destination. 
						

							Feature Descriptions
3-1080Issue  3   March 1996 
nReferral Destination
This field requires an entry of an extension, assigned to a station, 
attendant console, or vector directory number (VDN) that receives 
the referral call when a security violation occurs. If a VDN is 
assigned the Time-of-Day routing capability, Call Vectoring may be 
used to route the referral call to different destinations based on the 
time of day or the day of the week. The referral destination must be 
equip ped with a display module unless the Announcement 
Extension is assigned. Administration of the Announcement 
Extension is also required if the referral destination is a VDN.
nLogin Threshold
This field requires an entry of the minimum number of login  
attempts that are permitted before a referral call is made. The  
value assigned to this field, in conjunction with the “ Time Interval”  
field, determines whether a security violation has occurred. The 
system default is 5.
nTime Interval
This field requires the entry of the time interval in which a login 
security  violation must o ccur. The range for the time interval is one  
minute to eight hours (0:01 to 7:59), and is entered in the form  
‘‘xx:xx.’’ For example, if you want the time interval to be one minute, 
you  enter 0:01. If you want the time interval to be seven and 
one-half hours, you enter 7:30. The system d efault is 0:03.
nAnnouncement Extension
This field requires an entry of a extension that is assigned to an 
SVN  announcement.
3. Administer an ‘‘lsvn-halt’’ button on any station/attendant console 
(maximum 1 per system). The SVN button location can be determined by 
entering the command display svn-button location.
Enable/Disable a Login ID
The “Disable a Login ID Following a Security Violation”  field on the “Login 
Administration”  form is used to set the SVN  parameters for a single login. When 
set to ‘‘y’’ (yes) this SVN disables the specified login ID (system default is y). 
When set to ‘‘n’’ the SVN  feature does not disable the specified login ID if a 
security violation is d etected for the login ID. The “Disable a Login ID Following a  
Security Violation”  field is dynamic and only appears on the “Login 
Ad ministration”  form when the login component of the SVN feature is enabled.
To enable a login ID that has been disabled by a security violation, or disabled  
manually with the command disable login the user must:
1. Log in to the switch using a login ID with the correct permissions.
2. Enter the command enable login . 
						

							Security Violation Notification (SVN)
Issue  3   March 1996
3-1081
To disable a login ID, the user must:
1. Log in to the switch using a login ID with the correct permissions.
2. Enter the command disable login .
List the Status of a Login ID
To list the status of a login ID, the user must:
1. Log in to the switch using a login ID with the correct permissions.
2. Enter the command list login.
You see a display indicating the status of the s pecified login ID. A login ID  status 
can be listed as:
nLogin ID status equals disabled indicating that the login ID was disabled  
manually using the disable login command.
nLogin ID status equals svn-disabled indicating that a security violation  
was detected for that login ID and the login was disabled by the SVN  
feature.
nLogin ID status equals active indicating that the login ID is currently 
logged in.
nLogin ID status equals inactive indicating that the login ID is not logged 
in.
Administering Remote Access Security Violation
Notification Parameters
To administer the Remote Access component of the SVN feature:
1. Access the “System Parameter Security”  form by entering the change  
system-parameters security command from the command line  
interface.
2. Enable the Remote Ac cess comp onent of the feature  by entering a ‘‘y’’ in 
the “ SVN Remote Access Violation Notification”  field on the “ System  
Parameters Security” form.
3. When the “ SVN Remote Access Violation Notification Enabled”  field is  
enabled, the following additional fields ap p ear on the “ Security-Relate d  
System Parameters”  form:
nOriginating Extension
This field requires the entry of an unassigned extension that is local 
to the  switch and conforms to the dial plan for the purpose of 
originating and  identifying SVN referral calls for remote access 
barrier c o de violations. 
						

							Feature Descriptions
3-1082Issue  3   March 1996 
The originating extension initiates the referral call in the event of a 
Remote  Ac c ess security violation. It also sends the appropriate 
alerting message  or display to the referral destination.
nReferral Destination
This field requires an entry of an extension, assigned to a station, 
attendant console, or vector directory number (VDN) that receives 
the referral call when a security  violation occurs. If a VDN is 
assigned the Time-of-Day routing capability, Call Vectoring may be 
used to route the referral call to different destinations based on the 
time of day or the day of the week. The referral destination must be 
equip ped with a display module unless the Announcement 
Extension is assigned. Administration of the Announcement 
Extension is also required if the referral destination is a VDN.
nBarrier Code Threshold
This field requires an entry of the minimum number of remote  
access barrier c o de attempts that are permitted before a referral 
call is made. The  value assigned to this field, in conjunction with 
the “ Time Interval”  field,  determine whether a security violation has 
occurred. The system default  for Barrier code threshold is 10.
nTime Interval
This field requires the entry of the time interval in which the remote 
access  barrier code attempts must occur. The range for the time 
interval is  one minute to eight hours (0:01 to 7:59), and is entered in 
the form  ‘‘xx:xx.’’ For exam ple, if you want the time interval to be 
one minute, you  enter ‘‘0:01.’’ If you want the time interval to be 
seven and one-half  hours, you enter ‘‘7:30.’’ The system default is 
0:03.
nAnnouncement Extension
This field requires an entry of a extension that is assigned to the 
SVN remote access barrier code violation announcement.
4. Administer an ‘‘rsvn-halt’’ button on any station or attendant console 
(maximum 1 per system). The SVN button location can be determined by 
entering the command display svn-button-location.
Enable/Disable Remote Access Code
To enable remote access that has been disabled following detection of a remote 
access security violation, or disabled manually with the command  disable 
remote access, the user  must:
1. Log in to the switch using a login ID with the correct permissions.
2. Enter the command enable remote access. 
						

							Security Violation Notification (SVN)
Issue  3   March 1996
3-1083
To disable Remote Access, the user must:
1. Log in to the switch using a login ID with the correct permissions.
2. Enter the command disable login.
Administering Authorization Code Security 
Violation Parameters
To administer the Authorization Code component of the SVN feature, the user 
must:
1. Access the “System Parameter Security”  form by entering the change  
system-parameters security command from the command line  
interface.
2. When the “ SVN Authorization Code Violation Notification Enabled” field is  
enabled, the following additional fields ap p ear on the “ Security-Relate d  
System Parameters”  form:
nOriginating Extension
This field requires the entry of an unassigned extension that is local 
to  the switch and conforms to the dial plan for the purpose of 
originating  and identifying SVN referral calls for authorization code 
security violations.
The originating extension initiates the referral call in the event of a  
authorization code security violation. It also sends the appropriate  
alerting message or display to the referral destination.
nReferral Destination
This field requires an entry of an extension, assigned to a station, 
attendant console, or vector directory number (VDN) that receives 
the referral call when a security  violation occurs. If a VDN is 
assigned the Time-of-Day routing capability, Call Vectoring may be 
used to route the referral call to different destinations based on the 
time of day or the day of the week. The referral destination must be 
equip ped with a display module unless the Announcement 
Extension is assigned. Administration of the Announcement 
Extension is also required if the referral destination is a VDN.
nAuthorization Code Threshold
This field requires an entry of the minimum number of invalid  
authorization code security violations attempts that are permitted  
before a referral call is made. The value assigned to this field in 
conjunction with the “Time Interval” field, determines whether a 
security violation  has occurred. The system default for 
authorization code security  violations threshold is 10. 
						

							Feature Descriptions
3-1084Issue  3   March 1996 
nTime Interval
This field requires the entry of the time interval in which the 
authorization  c o de se curity violations must occur. The range for the 
time  interval is one minute to eight hours (0:01 to 7:59), and is 
entered in  the form ‘‘x:xx.’’ For example, if you want the time 
interval to be one  minute, you enter ‘‘0:01.’’ If you want the time 
interval to be  seven and one-half hours, you enter ‘‘7:30.’’ The 
system default is 0:03.
nAnnouncement Extension
This field requires an entry of a extension that is assigned to an 
SVN  authorization c o de announcement.
3. The SVN button location can be determined by entering the command 
display svn-button-location
Screen 3-40. Monitor Security Violations Report (Login)
     --------------------------------------------------------------------------
     monitor security-violations login
     --------------------------------------------------------------------------
                           SECURITY VIOLATIONS STATUS
                                           Date:  NN:nn DAY MON nn 199n
                                    LOGIN VIOLATIONS
                       Date     Time     Login     Port      Ext
         01/08    07:51    root      NET-1     4030
       01/08    07:51    admin     NET-1     4030
      01/07    07:52    system technician  MGR1
     --------------------------------------------------------------------------
     --------------------------------------------------------------------------