Lucent Technologies BCS Products Security Handbook

							555-025-600
Comcode 108074378
Issue 6
December 1997
BCS Products
Security Handbook 
						

							Copyright Ó 1996, Lucent Technologies
All Rights Reserved
Printed in U.S.A.
NoticeWhile reasonable efforts were made to ensure that the 
information in this document was complete and accurate at the 
time of printing, Lucent Technologies can assume no 
responsibility for any errors. Changes and corrections to the 
information contained in this document may be incorporated into 
future reissues.
Your Responsibility for Your System’s SecurityToll fraud is the unauthorized use of your telecommunications 
system by an unauthorized party, for example, persons other 
than your company’s employees, agents, subcontractors, or 
persons working on your company’s behalf. Note that there may 
be a risk of toll fraud associated with your telecommunications 
system, and if toll fraud occurs, it can result in substantial 
additional charges for your telecommunications services.
You and your system manager are responsible for the security of 
your system, such as programming and configuring your 
equipment to prevent unauthorized use. The system manager is 
also responsible for reading all installation, instruction, and 
system administration documents provided with this product in 
order to fully understand the features that can introduce risk of 
toll fraud and the steps that can be taken to reduce that risk. 
Lucent Technologies does not warrant that this product is 
immune from or will prevent unauthorized use of common-carrier 
telecommunication services or facilities accessed through or 
connected to it. Lucent Technologies will not be responsible for 
any charges that result from such unauthorized use.
Lucent Technologies Fraud InterventionIf you suspect you are being victimized by toll fraud and you 
need technical support or assistance, call the appropriate BCS 
National Customer Care Center telephone number. Users of the 
Merlin
®, PARTNER®, and System 25 products should call 1 800 
628-2888.  Users of the System 75, System 85, DEFINITY 
Generic 1, 2 and 3, and DEFINITY
® ECS products should call 1 
800 643-2353.Customers outside the continental United States should contact 
their local Lucent representative, or call one of the above 
numbers in the following manner: 
1) Dial the International Access Code; for example, 011. 
2) Dial the country code for the U.S., that is, 01. 
3) Lastly, dial either of the telephone numbers provided above.
WWW Home PageThe www home page for Lucent Technologies is 
www.lucent.com.
AcknowledgmentThis document was prepared by the BCS Product 
Documentation Development group, Lucent Technologies, 
Middletown, NJ 07748-9972.
TrademarksAUDIX is a registered trademark of Lucent Technologies.
CallMaster is a registered trademark of Lucent Technologies.
CallVisor is a registered trademark of Lucent Technologies.
Carbon Copy Plus is a trademark of Microcom Systems, Inc.
CentreVu is a trademark of Lucent Technologies.
CONVERSANT is a registered trademark of Lucent 
Technologies.
DEFINITY is a registered trademark of Lucent Technologies. In 
this document, DEFINITY Communications System Generic 1 
is often abbreviated to Generic 1, or G1. DEFINITY 
Communications System Generic 2 is often abbreviated to 
Generic 2, or G2. DEFINITY Communications System Generic 
3 is often abbreviated to Generic 3, or G3.
DIMENSION is a registered trademark of Lucent Technologies.
HackerTracker is a registered trademark of AT&T.
Intel is a registered trademark of Intel Corporation.
I
NTUITY is a trademark of Lucent Technologies.
Macintosh is a registered trademark of Apple Computer, Inc.
MERLIN is a registered trademark of Lucent Technologies.
MERLIN LEGEND is a registered trademark of Lucent 
Technologies.
MERLIN MAIL is a registered trademark of Lucent Technologies.
Microsoft and Windows are registered trademarks of Microsoft 
Corporation.
NetPROTECT is a service mark of Lucent Technologies.
Netware is a registered trademark of Novell Inc.
Norton pcANYWHERE is a registered trademark of Symantic 
Corp.
OS/2 is a registered trademark of the International Business 
Machines Corporation.
PARTNER is a registered trademark of Lucent Technologies.
PARTNER MAIL is a registered trademark of Lucent 
Technologies.
PARTNER MAIL VS is a registered trademark of Lucent 
Technologies.
PassageWay is a registered trademark of Lucent Technologies.
Sun is a registered trademark and SPARCserver is a trademark 
of Sun Microsystems Inc .
TransTalk is a trademark of Lucent Technologies.
Windows is a registered trademark of Microsoft Corporation.
Windows NT is a trademark of Microsoft Corporation.
UNIX is a registered trademark in the United States and other 
countries, licensed exclusively through X/Open Company 
Limited.
Voice Power is a registered trademark of Lucent Technologies.
Ordering Information
Call:Lucent Technologies BCS Publications Center
Voice  1 800 457-1235 International Voice 317 
322-6416
Fax 1 800 457-1764 International Fax 317 
322-6699
Write:Lucent Technologies BCS Publications Center
2855 N. Franklin Road
                Indianapolis, IN 46219
Order:Document No. 555-025-600
Issue 6, December 1997
For more information about Lucent Technologies documents, 
refer to the
 Business Communications Systems Publications 
Catalog 
(555-000-010). 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page iii  
Contents
About This Document xiii
nScope of this Handbookxiii
nReason for Reissuexv
nIntended Audiencexv
nHow this Guide is Organizedxvi
nLucent Technologies’ Statement of Directionxvii
nLucent Technologies/Customer Security Roles and 
Responsibilitiesxviii
Lucent Technologies’ Roles and Responsibilitiesxix
Customer Roles and Responsibilitiesxx
nLucent Technologies Security Offeringsxx
nLucent Technologies Toll Fraud Crisis Interventionxxi
Helplinesxxi
nRelated Documentationxxii
1 Introduction 1-1
nBackground1-1
nWho is the Enemy?1-2
Hackers and Phreakers1-2
Call Sell Operations1-2
Drug Dealers1-3
nWhat is in a Loss?1-3
Cost of the Phone Bill1-3
Lost Revenue1-3
Expenses1-3
nKnown Toll Fraud Activity1-3
2 Security Risks 2-1
nOverview2-1
nRemote Access2-2
nAutomated Attendant2-3
nOther Port Security Risks2-3
nVoice Messaging Systems2-4
nAdministration / Maintenance Access2-4
Passwords2-4
Increasing Adjunct Access Security2-6 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page iv  
Increasing Product Access (Port) Security2-6
nGeneral Security Measures2-7
Educating Users2-7
Establishing a Policy2-8
Physical Security2-9
nSecurity Goals Tables2-9
3 Large Business Communications Systems 3-1
nKeeping Unauthorized Third Parties
from Entering the System3-2
How Third Parties Enter the System3-2
Protecting the Remote Access Feature3-2
Security Tips3-2
Disabling/Removing Remote Access3-3
Tools to Protect Remote Access3-3
Status Remote Access Command3-10
Logoff Screen Notification3-10
nTools that Restrict Unauthorized Outgoing Calls3-11
Class of Restriction3-12
Class of Service3-14
Facility Restriction Level (FRL)3-15
Alternate Facility Restriction Levels3-16
Toll Analysis (G3 only)3-16
Free Call List3-16
AAR/ARS Analysis3-17
ARS Dial Tone3-17
Station Restrictions3-17
Recall Signaling (Switchhook Flash)3-17
Attendant - Controlled Voice Terminals3-18
Restrictions — Individual and Group-Controlled
(DEFINITY ECS, DEFINITY G1, G3, and
System 75)3-18
Central Office Restrictions3-19
Restricting Incoming Tie Trunks3-19
Authorization Codes3-19
Trunk-to-Trunk Transfer3-19
Forced Entry of Account Code3-20 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page v  
World Class Routing (DEFINITY ECS and
DEFINITY G2.2 and G3 only)3-20
Digit Conversion3-21
Station Security Codes (SSCs)3-21
Personal Station Access (PSA)3-22
Extended User Administration of Redirected Calls3-23
Remote User Administration of Call Coverage3-23
nSecurity Measures3-24
Require Passwords3-24
Restrict Who Can Use Remote Access/Track 
its Usage3-25
Fully Restrict Service3-27
Provide Individualized Calling Privileges 
Using FRLs3-28
Prevent After-Hours Calling Using Time of Day
Routing or Alternate FRLs3-29
Block International Calling3-30
Limit International Calling3-32
Select Authorization Code Time-Out to Attendant3-33
Restrict Calls to Specified Area Codes3-33
Allow Calling to Specified Numbers3-33
Use Attendant Control of Remote Access Calls
(DEFINITY G2 and System 85 only)3-34
Use Attendant Control of Specific Extensions3-34
Disable Direct Access to Trunks3-35
Use Attendant Control of Trunk Group Access3-36
Disable Facility Test Calls3-36
Suppress Remote Access Dial Tone3-38
Disallow Trunk-to-Trunk Transfer3-39
Disable Transfer Outgoing Trunk to 
Outgoing Trunk3-40
Disallow Outgoing Calls from Tie Trunks3-40
Limit Access to Tie Trunks3-41
Monitor Trunks3-41
Use Terminal Translation Initialization3-42
Require Account Codes3-42
Assign COR Restrictions to Adjuncts when Using
Expert Agents3-43 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page vi  
Disable Distinctive Audible Alert3-43
Remove Data Origination Code3-44
Use World Class Routing Restrictions 
(DEFINITY G2.2 and G3 only)3-44
Change Override Restrictions on 3-way 
COR Check3-45
nDetecting Toll Fraud3-45
Administration Security3-47
Call Detail Recording (CDR) / Station Message Detail 
Recording (SMDR)3-48
Traffic Measurements and Performance3-49
Automatic Circuit Assurance (ACA)3-51
BCMS Measurements (DEFINITY ECS and
DEFINITY G1 and G3 only)3-52
CMS Measurements3-52
Security Violation Notification Feature
(DEFINITY ECS and DEFINITY G3 only)3-53
Security Violations Measurement Report3-56
Remote Access Barrier Code Aging/Access Limits 
(DEFINITY G3V3 and Later)3-61
Recent Change History Report (DEFINITY ECS and 
DEFINITY G1 and G3 only)3-61
Malicious Call Trace3-62
Service Observing3-63
Busy Verification3-64
List Call Forwarding Command3-64
4 Small Business Communications Systems 4-1
nFeatures for the MERLIN Systems4-3
nMERLIN II Communications System4-6
Protecting Direct Inward System Access (DISA)4-6
nMERLIN LEGEND Communications System4-8
Preventative Measures4-9
Protection Via Star Codes and
Allowed/Disallowed Lists4-10
Assigning a Second Dial Tone Timer4-12
Setting Facility Restriction Levels4-12
Protecting Remote Access4-13
Protecting Remote System Programming4-15 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page vii  
Protecting Remote Call Forwarding4-16
nMERLIN Plus Communications System4-16
Protecting Remote Line Access (R2 only)4-16
Protecting Remote Call Forwarding (R2 only)4-17
nPARTNER II Communications System4-18
nPARTNER Plus Communications System4-18
nSystem254-19
Protecting Remote Access4-19
Protecting Remote System Administration4-20
5 Voice Messaging Systems 5-1
nProtecting Voice Messaging Systems5-2
Security Tips5-3
nDEFINITY ECS, DEFINITY Communications Systems, 
System75, and System855-4
Tools that Prevent Unauthorized Calls5-5
Security Measures in the PBX5-7
Detecting Voice Mail Fraud5-11
Protecting the AUDIX, DEFINITY AUDIX, and Lucent 
Technologies INTUITY Voice Mail Systems5-15
Protecting the AUDIX Voice Power System5-28
Protecting the CONVERSANT Voice Information
System5-31
nMERLIN II Communications System5-33
Protecting the MERLIN MAIL Voice Messaging
System5-33
nMERLIN LEGEND Communications System5-36
Protecting the AUDIX Voice Power System5-37
Protecting the INTUITY Voice Messaging System5-39
Protecting the MERLIN MAIL, MERLIN
MAIL-ML, MERLIN MAIL R3, and MERLIN
LEGEND Mail Voice Messaging Systems5-43
nPARTNER II Communications System5-48
Protecting the PARTNER MAIL and PARTNER
MAIL VS Systems5-48
nPARTNER Plus Communications System5-50
Protecting the PARTNER MAIL and PARTNER
MAIL VS Systems5-50
nSystem 255-52 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page viii  
Protecting the AUDIX Voice Power System5-53
6 Automated Attendant 6-1
nDEFINITY ECS, DEFINITY Communications Systems, 
System75, and System856-1
Security Tips6-1
Tools that Prevent Unauthorized Calls6-2
Security Measures6-5
Detecting Automated Attendant Toll Fraud6-8
Protecting Automated Attendant on the 
AUDIX Voice Mail System6-16
Protecting Automated Attendant on the AUDIX
Voice Power System6-17
Protecting Automated Attendant on the
CONVERSANT Voice Information System6-17
Protecting Automated Attendant on the
DEFINITY AUDIX System6-18
Protecting Automated Attendant on the Lucent
Technologies INTUITY System6-18
nMERLIN II Communications 
System R36-18
MERLIN MAIL Voice Messaging System6-18
MERLIN Attendant6-18
nMERLIN LEGEND Communications System6-19
AUDIX Voice Power System6-19
MERLIN MAIL, MERLIN MAIL-ML, and
MERLIN MAIL R3 Voice Messaging Systems6-19
MERLIN Attendant6-19
nPARTNER II Communications System6-20
PARTNER MAIL and PARTNER MAIL VS Systems6-20
PARTNER Attendant6-20
nPARTNER Plus Communications System6-20
PARTNER MAIL and PARTNER MAIL VS Systems6-20
PARTNER Attendant6-20
nSystem256-21
AUDIX Voice Power System6-21
7 Other Products and Services 7-1
nCall Management System (R3V4)7-1
Security Tips7-1 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page ix  
CMS Helplines7-2
nCallMaster PC7-3
Security Tips7-3
nMultipoint Conferencing Unit
(MCU)/Conference Reservation and
Control System (CRCS)7-4
nPassageWay®Telephony Services for
NetWare® and Windows NT®7-4
Security Tips7-5
nTransTalk 9000 Digital Wireless System7-8
Security Tips7-8
A Call Routing A-1
nCall RoutingA-1
B Blocking Calls B-1
nCountry CodesB-1
nBlocking Toll Fraud DestinationsB-8
Blocking ARS Calls on DEFINITY G1 and
System 75B-9
Blocking ARS Calls on G2.1 and System 85B-14
Blocking WCR Calls on DEFINITY G2.2B-15
Blocking ARS Calls on G3B-16
Blocking ARS Calls on System 25 R3V3B-18
C Remote Access Example
(DEFINITY ECS, DEFINITY G1, G3, 
and System 75) C-1
nSetting Up Remote AccessC-1
nPermanently Disabling Remote AccessC-3
D Administering Features of the
DEFINITY G3V3 and Later,
Including DEFINITY ECS D-1
nAdministering the SVN FeatureD-1
Administering the Login ComponentD-2
Administering the Remote Access ComponentD-4
Administering the Authorization Code ComponentD-8
Administering the Station Security Code ComponentD-9
nAdministering Barrier Code AgingD-11 
						

							BCS Products
Security Handbook  
555-025-600  
Issue 6
December 1997
Contents 
Page x  
nAdministering Customer Logins and
Forced Password AgingD-13
Adding Customer Logins and Assigning Initial
PasswordD-13
Changing a Login’s AttributesD-15
Administering Login Command PermissionsD-16
nAdministering the Security Violations ReportsD-17
E Changing Your Password E-1
nAUDIX Voice Mail SystemE-1
nAUDIX Voice Power SystemE-1
nCONVERSANT Voice Information SystemE-2
nDEFINITY AUDIX SystemE-3
nDEFINITY ECS and DEFINITY G1 
and G3E-4
nDEFINITY G2E-5
nLucent Technologies INTUITY SystemE-5
nMERLIN MAIL or MERLIN MAIL-ML
Voice Messaging SystemE-6
nMERLIN MAIL R3, MERLIN LEGEND
Mail, or PARTNER MAIL R3 Voice Messaging SystemE-7
nPARTNER MAIL SystemE-8
nPARTNER MAIL VS SystemE-8
nSystem25E-9
nSystem75E-9
nSystem85E-10
F Toll Fraud Job Aids F-1
nToll Fraud Warning SignsF-1
nSystem Security Action PlanF-3
nTop 10 Tips to Help Prevent Phone “Phraud”F-4
G Special Security Product and Service Offers G-1
nRemote Port Security Device (RPSD)G-1
Key and Lock FeaturesG-2
Lucent Technologies SupportG-3
nSecurity Audit ServiceG-3
nLucent Technologies HackerTrackerG-3
nSecurity Tune-Up ServiceG-4