Lucent Technologies BCS Products Security Handbook Addendum
Copyright © 1999, Lucent Technologies
All Rights Reserved
Printed in U.S.A.

Notice

While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Lucent Technologies can assume no responsibility for any errors. Changes and corrections to the information contained in this document may be incorporated into future reissues.

Your Responsibility for Your System’s Security

Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party, for example, persons other than your company’s employees, agents, subcontractors, or persons working on your company’s behalf. Note that there may be a risk of toll fraud associated with your telecommunications system, and if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.

You and your system manager are responsible for the security of your system, such as programming and configuring your equipment to prevent unauthorized use. The system manager is also responsible for reading all installation, instruction, and system administration documents provided with this product in order to fully understand the features that can introduce risk of toll fraud and the steps that can be taken to reduce that risk. Lucent Technologies does not warrant that this product is immune from or will prevent unauthorized use of common-carrier telecommunication services or facilities accessed through or connected to it. Lucent Technologies will not be responsible for any charges that result from such unauthorized use.

Lucent Technologies Fraud Intervention

If you suspect you are being victimized by toll fraud and you need technical support or assistance, call the appropriate BCS National Customer Care Center telephone number. Users of the Merlin®, PARTNER®, and System 25 products should call 1 800 628-2888. Users of the System 75, System 85, DEFINITY Generic 1, 2 and 3, and DEFINITY® ECS products should call 1 800 643-2353. Customers outside the continental United States should contact their local Lucent representative, or call one of the above numbers in the following manner:

1) Dial the International Access Code; for example, 011.
2) Dial the country code for the U.S., that is, 01.
3) Lastly, dial either of the telephone numbers provided above.

WWW Home Page

The www home page for Lucent Technologies is www.lucent.com.

Acknowledgment

This document was prepared by the BCS Product Documentation Development group, Lucent Technologies, Middletown, NJ 07748-9972.

Trademarks

DEFINITY is a registered trademark of Lucent Technologies. In this document, DEFINITY Communications System Generic 1 is often abbreviated to Generic 1, or G1. DEFINITY Communications System Generic 2 is often abbreviated to Generic 2, or G2. DEFINITY Communications System Generic 3 is often abbreviated to Generic 3, or G3. INTUITY is a trademark of Lucent Technologies.

Ordering Information

Call: Lucent Technologies BCS Publications Center
Voice 1 800 457-1235, International Voice 317 322-6416
Fax 1 800 457-1764, International Fax 317 322-6699
Write: Lucent Technologies BCS Publications Center, 2855 N. Franklin Road, Indianapolis, IN 46219
Order: Document No. 555-025-600ADD, Issue 1, May 1999

For more information about Lucent Technologies documents, refer to the Business Communications Systems Publications Catalog (555-000-010).
BCS Products Security Handbook Addendum 585-025-600ADD Issue 1 May 1999

Contents

Contents  iii
About This Addendum  v
  Purpose of this Addendum  v
1 Securing Remote Lucent Technologies Systems  1-1
  Overview  1-1
    Lock and Key Features  1-2
    Organization of This Chapter  1-2
  Securing DEFINITY Systems (Prior to Release 7.2) with the Remote Port Security Device (RPSD)  1-3
  Securing DEFINITY Systems (Release 7.2 and Later) with Access Security Gateway (ASG)  1-4
    Administering Access Security Gateway  1-5
    Logging in via Access Security Gateway (Session Establishment)  1-5
    Maintaining Login IDs  1-6
    Temporarily Disabling Access Security Gateway Access for Login  1-6
    Restarting Temporarily Disabled Access Security Gateway Access for Login  1-7
    Maintaining the Access Security Gateway History Log  1-7
    Loss of an ASG Key  1-7
    Interactions of ASG  1-8
  Securing INTUITY AUDIX Ports (Release 5.0 and Later) with ASG  1-9
    Logging In With ASG  1-9
    Maintaining Login IDs  1-10
    Adding an ASG Login  1-10
    Blocking or Reinstating Access Privileges for an ASG Login  1-11
    Changing the Encryption Key Number for an ASG Login  1-12
    Displaying ASG Login Information  1-12
    Disabling ASG Authentication  1-13
    Setting and Resolving Violation Warnings  1-13
    Setting Notification Limits  1-13
    Resolving ASG Violation Alarms  1-14
  Lucent Technologies Support  1-14
2 Messaging 2000 Voice Mail System  2-1
  Overview  2-1
  Maintaining Message 2000 System Security  2-1
  Security Recommendations for Remote Access  2-6
3 New and Updated Security Checklists  3-1
  Overview  3-1
  Messaging 2000 Voice Mail System  3-2
  PARTNER, PARTNER II, and PARTNER Plus Communications Systems, and PARTNER Advanced Communications System (ACS)  3-7
  PARTNER MAIL, PARTNER MAIL VS, and PARTNER Voice Mail (PVM) Systems  3-12
About This Addendum

Purpose of this Addendum

This addendum to the BCS Products Security Handbook, Issue 6, December, 1997, 555-025-600, describes and discusses security products that have become generally available since the print date of that issue. These new products are the following:

- Access Security Gateway (ASG) used with the DEFINITY® ECS switch, Release 7.2
- ASG used with the INTUITY™ Messaging System
- Messenger 2000 Messaging System
- PARTNER® Advanced Communications System (ACS)
- PARTNER Voice Mail (PVM)

Included in Chapter 3 are security checklists for Messenger 2000 Messaging System, for the PARTNER systems including the PARTNER ACS, and one for PARTNER MAIL®, PARTNER MAIL VS®, and the PARTNER Voice Mail system.

NOTE: Additional copies of the BCS Products Security Handbook can be ordered from the Lucent Technologies BCS Publications Center at 1 800 457-1235. Order the manual with this number: 555-025-600.
1 Securing Remote Lucent Technologies Systems

Overview

Communications systems, such as the DEFINITY Enterprise Communications Server (ECS), typically consist of a mix of digital PBXs, voice mail systems, and adjunct applications computers. Dial-up ports on these systems provide remote access for maintenance and administration support and provide access to data networks and computers that contain critical data and software applications. However, while these ports help to improve productivity and increase customer satisfaction, they also provide potential access to hackers or thieves who use easily obtainable computers and software to gain unauthorized access to your systems.

Once hackers gain access to your systems, they can explore sensitive information, disrupt voice and data communications, and manipulate software applications. This access can result in unauthorized use of network facilities and the theft of voice processing services, especially long distance services.

While effective system security management can usually stop the hacker, Lucent Technologies’ two Lock and Key features, the Access Security Gateway (ASG) software interface integrated into the DEFINITY ECS Release 7.2 (or later releases) and Intuity Release 5 software base and the Remote Port Security hardware Device (RPSD) used prior to DEFINITY G3V7.2, give you an effective and efficient way of preventing unauthorized users or hackers from accessing your switch’s dial-up communications ports.

Both the ASG and the RPSD interface help to:

- protect remote locations that communicate with a central network via dial-up lines
- safeguard companies that remotely administer PBX and voice mail systems
- ensure that critical network routing information and PBX feature translations are not compromised
- secure access to dial-up ports by remote maintenance or service personnel
- An Alarm Contact Closure interface is provided to generate an alarm when the Lock loses power.

Lock and Key Features

The Lock and Key feature used by both the ASG interface and the RPSD hardware uses a sophisticated dynamic challenge/response technique to assist you in preventing unauthorized access to your administration and maintenance ports.

NOTE: The Lock and Key feature works with all data communications protocols.

In general, Lock and Key features such as the ASG software interface or the RPSD hardware have the following capabilities:

- Use randomly-generated encrypted data to perform Lock/Key authentication handshake.
- Time of Day/Day of Week restrictions can control Key access to Locks. Each user profile can have up to 14 restrictions set.
- History Logs provide audit trails of the last 500 administrative changes, accesses, and failures.
- System Administration provides menu-driven commands with on-line help and security options for administrative access.
- Self-check and built-in diagnostics enable simple and fast problem diagnosis.
- A Power Monitor Circuit allows you to fail or bypass calls to the Lock during a power failure.

Organization of This Chapter

The following remote location security protection devices are covered in this chapter:

- The RPSD, a Lock and Key system which can be used with DEFINITY systems prior to DEFINITY Release 7.2. For more information, see “Securing DEFINITY Systems (Prior to Release 7.2) with the Remote Port Security Device (RPSD)” beginning on page 1-3.
- Access Security Gateway (ASG), another Lock and Key system with DEFINITY Release 7.2 systems and later releases. For more information, see “Securing DEFINITY Systems (Release 7.2 and Later) with Access Security Gateway (ASG)” beginning on page 1-4.
- ASG with INTUITY AUDIX Release 5.0 and later releases. For more information, see “Securing INTUITY AUDIX Ports (Release 5.0 and Later) with ASG” beginning on page 1-9.

Securing DEFINITY Systems (Prior to Release 7.2) with the Remote Port Security Device (RPSD)

If your telephones are connected to a DEFINITY switch or DEFINITY ECS prior to Release 7.2 (which is the same as DEFINITY G3V7.2) you may wish to use the Lucent Technologies Remote Port Security Device, the RPSD. (Note that this Lock and Key system is available ONLY in the United States.) The RPSD hardware offers enhanced protection for dial-up data access so that hackers and other unauthorized users cannot gain access to your systems.

NOTE: Specifically, the RPSD can be used with the DEFINITY ECS, DEFINITY Communications Systems, System 75 (V2 or higher), System 85 and DIMENSION PBX Systems; the AUDIX, DEFINITY AUDIX, and AUDIX Voice Power Systems; and all System Management products.

On the RPSD, the Lock and Key authentication process is as follows: The Lock answers the incoming call destined for the dial-up modem port. It generates a dynamic challenge, unique to every call, and transmits it to the RPSD installed at the calling end. The Lock and Key must be initialized with the same secret encryption key value. This secret encryption key has approximately 70 quadrillion combinations.
When the RPSD Key receives the challenge, it generates a response using the secret encryption key. It then transmits the expected response back to the RPSD Lock. If the RPSD Lock successfully authenticates the response, it provides ringing to the terminating modem and the call completes. The RPSD terminates a call immediately if any step in the challenge/response authentication process is not completed successfully.

For more information about the RPSD hardware, see the DEFINITY Communications System Remote Port Security Device User’s Manual, 555-025-400.

IMPORTANT NOTE: Since the RPSD contains a Data Encryption Standard (DES) algorithm, its use outside the United States and Canada is prohibited by law.
Securing DEFINITY Systems (Release 7.2 and Later) with Access Security Gateway (ASG)

The Access Security Gateway (ASG) integrates challenge/response technology into Lucent Technologies products and is available, beginning with the DEFINITY ECS Release 7.2 (that is, DEFINITY G3V7.2), to secure the DEFINITY switch administration and maintenance ports and logins and thus reduce the possibility of unauthorized access to the system.

The challenge/response negotiation starts after you have established an RS-232 session and have entered a valid DEFINITY ECS login ID. The authentication transaction consists of a challenge, issued by DEFINITY ECS based on the login ID that you have just entered, followed by the expected response, which you must enter. The core of this transaction is a secret key, which is information possessed by both the lock (ASG) and the key. Interception of either the challenge or response during transmission does not compromise the security of the system. The relevance of the authentication token used to perform the challenge/response is limited to the current challenge/response exchange (session).

Currently supported keys consist of a hand-held token generating device (ASG Key). The ASG Key (response generator) device is pre-programmed with the appropriate secret key to communicate with corresponding Access Security Gateway protected login IDs on DEFINITY ECS. For more information on using the ASG Key, see the Access Security Gateway Key User’s Guide, 555-212-012.

Access Security Gateway administration parameters specify whether access to the system administration or maintenance interface requires ASG authentication.
This security software can be assigned to all system administration maintenance ports or to a subset of those ports. If the port being accessed is not protected by ASG, the standard DEFINITY login and password procedure will be satisfactory for the user to enter the system.

For more information about Access Security Gateway and required ASG forms, see the DEFINITY Enterprise Communications Server (ECS) Release 6.3 Administration and Feature Description manual, 555-230-522.

NOTE: ASG does not protect login access to a Multiple Application Platform for DEFINITY (MAPD).
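
The Lock and Key challenge/response handshake described for the RPSD and the ASG above, as an added example that is not Lucent's code. HMAC-SHA256 stands in for the products' own algorithm (the RPSD uses DES; this page does not state the ASG algorithm), and the login ID, secret, challenge size and response length are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import deque


def response_for(secret: bytes, login_id: str, challenge: bytes) -> str:
    """Key side: keyed MAC over login ID and challenge (HMAC-SHA256 stand-in)."""
    mac = hmac.new(secret, login_id.encode() + b"\x00" + challenge, hashlib.sha256)
    return mac.hexdigest()[:8]  # short enough to type by hand (assumed length)


class Lock:
    """Answering side: issues per-session challenges and checks responses."""

    def __init__(self, secrets_by_login: dict):
        self._secrets = dict(secrets_by_login)
        self._pending = {}                 # login ID -> outstanding challenge
        self.history = deque(maxlen=500)   # audit trail of the last 500 events

    def challenge(self, login_id: str) -> bytes:
        fresh = secrets.token_bytes(8)     # random, unique to this session
        self._pending[login_id] = fresh
        return fresh

    def verify(self, login_id: str, response: str) -> bool:
        issued = self._pending.pop(login_id, None)   # a challenge is single-use
        secret = self._secrets.get(login_id)
        ok = False
        if issued is not None and secret is not None:
            expected = response_for(secret, login_id, issued)
            ok = hmac.compare_digest(expected, response)  # constant-time compare
        self.history.append((login_id, "accepted" if ok else "rejected"))
        return ok


def demo() -> dict:
    login = "remote-admin"                 # constructed login ID
    secret = secrets.token_bytes(16)       # constructed shared secret
    lock = Lock({login: secret})
    answer = response_for(secret, login, lock.challenge(login))
    results = {"valid": lock.verify(login, answer)}
    lock.challenge(login)                  # new session, new challenge
    results["replayed"] = lock.verify(login, answer)  # old response, new session
    wrong = response_for(secrets.token_bytes(16), login, lock.challenge(login))
    results["wrong_secret"] = lock.verify(login, wrong)
    results["no_challenge"] = lock.verify(login, answer)
    return results


if __name__ == "__main__":
    print(demo())
```

The replayed response fails because it was computed over the earlier session's challenge, which is the property the text describes as the token being relevant only to the current exchange.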