
Lucent Technologies BCS Products Security Handbook


    BCS Products Security Handbook
    555-025-600  Issue 6
    December 1997

    4  Small Business Communications Systems
    This chapter provides information on protecting the following communications 
    systems:
    • MERLIN II Communications System (page 4-6)
    • MERLIN LEGEND Communications System (page 4-8)
    • MERLIN Plus Communications System (page 4-16)
    • PARTNER II Communications System (page 4-18)
    • PARTNER Plus Communications System (page 4-18)
    • System 25 (page 4-19)
    Other chapters detail additional security measures to protect your equipment:
    • Chapter 5 contains security measures to protect the attached voice
    messaging system. For general security measures, refer to “Protecting
    Voice Messaging Systems” on page 5-2. For product-specific security
    measures, refer to:
    — “MERLIN II Communications System” on page 5-33
    — “MERLIN LEGEND Communications System” on page 5-36
    — “PARTNER II Communications System” on page 5-48
    — “PARTNER Plus Communications System” on page 5-50
    — “System 25” on page 5-52
    • Chapter 6 contains security measures to protect the Automated Attendant
    feature of your communications system. For product-specific security
    measures, refer to:
    — “MERLIN II Communications System R3” on page 6-18
    — “MERLIN LEGEND Communications System” on page 6-19
    — “PARTNER II Communications System” on page 6-20
    — “PARTNER Plus Communications System” on page 6-20
    — “System 25” on page 6-21
    						
    Features for the MERLIN Systems
    The following table indicates MERLIN II and MERLIN LEGEND security features 
    by release number.
    Table 4-1. MERLIN II and MERLIN LEGEND Security Features

    Features | MII R3, ML R1.0/1.1, ML R2.0/2.1, ML R3.0/3.1, ML R4.0/4.1/4.2, ML R5.0 | Comments
    ---------|---------|---------
    Automatic Route Selection (ARS) | x x x x x x |
    Administration Security | x x x x x | 5-character password on SPM program
    Allowed List | x x x x x x | 2- to 11-digit code
    Barrier Code | x x x x x x | MII: one code, four digits. ML R1/R2: 16 codes, four digits each, default is 16 codes. ML R3/R4/R5: 16 codes, digits increased to 4 through 11, default is 7 digits
    Dial Access to Pools | x x x x x x | Factory setting specifies no users are able to use any pool dial-out codes
    Direct Inward System Access (NOTE: For MERLIN LEGEND systems, see “Remote Access.”) | N/A N/A N/A N/A N/A | Users limited to dialing inside users or pool/line codes; ARS cannot be used by DISA callers; feature can be set for inward access only or full access
    Disallowed List | x x x x x x | Default is List 7
    Facility Restriction Levels (FRLs) | x x x x x | Levels 0 through 6; ARS related
    Forced Entry of Account Codes | x x x x x x | Affects only outgoing calls
    Night Service | x x x x x | Whenever Night Service is on and Shared Remote Access is administered, calls normally routed to internal stations are provided remote access treatment.
    Reliable/Un-reliable Disconnect | x x x x x x | “Un-reliable” setting allows the user to dial without system screening if the far end disconnects.
    Remote Access | x x x x x | Access controlled by restrictions associated with the barrier codes.
    Remote Access Kill After “N” Attempts | x x x x x x | N=3
    Remote Call Forwarding | x x x x x |
    Restrict Incoming Tie Lines | * x x x x x | MII (*) allows access to stations only on ML; default prohibits access to outgoing facilities via tie lines; access is allowed if the tie line is set for remote access, but access is controlled by an assigned barrier code.
    Station Message Detail Recording (SMDR) | x x x x x x | For ML R3 w/ Call ID, remote access number is recorded if received. For ML R4.2 and later releases, the optional ML Reporter Talk Time feature is disabled.
    Station Restrictions | x x x x x x | Outward, toll, and unrestricted
    Transfer to Subscriber Only | x x x x x | Related to mail system in use
    Trunk-to-Trunk Transfer | x x x x x | Cannot be deactivated. For ML R3.1 and later releases, trunk-to-trunk transfer can be blocked for an extension.

    MERLIN II Communications System
    This section provides information on protecting the MERLIN II Communications 
    System. 
    Additional security measures are required to protect adjunct equipment.
    • Chapter 5 contains security measures to protect the attached voice
    messaging system. For general security measures, refer to “Protecting
    Voice Messaging Systems” on page 5-2. For product-specific security
    measures, refer to “MERLIN II Communications System” on page 5-33.
    • Chapter 6 contains security measures to protect the Automated Attendant
    feature of your communications system. See “MERLIN II Communications
    System R3” on page 6-18.
    Protecting Direct Inward System Access (DISA)
    The Direct Inward System Access feature allows users to call into the MERLIN II 
    Communications System from a remote location (for example, a satellite office, or 
    while traveling) and use the system to make calls. However, unauthorized 
    persons might learn the DISA telephone number and password, call into the 
    system, and make long distance calls.
    The following security measures assist you in managing the DISA feature to help 
    prevent unauthorized use.
    Security Tips
    • To reduce the system’s vulnerability to toll fraud, outward restrict the port to
    which the Remote Maintenance Device is connected.
    • Evaluate the necessity for DISA. If this feature is not vital to your
    organization, consider not using it or limiting its use.
    						
    To restrict DISA lines, do the following:
    — With a BIS-34D Console:
    1. Move the TP switch to P.
    2. Press the conference button twice.
    3. Press the message button.
    4. Dial #325.
    5. Dial 0 for Outward Restriction.
    6. Press the message button again.
    — With a MERLIN II Communications System display console:
    1. From the administration menu, press these buttons: Lines, DISA.
    2. If callers must dial a password to make DISA calls, dial a
    4-digit password.
    3. Press Enter.
    4. Press NoRestr for no restriction, or InwdOnly for inward
    restriction.
    5. Press the line buttons until the lights next to them show the
    appropriate code:
    Green light on = line or line pool can be used for DISA
    Green light off = line or line pool cannot be used for DISA
    6. Press Conference to return to the administration menu or
    leave administration mode.
    If you need the feature, use as many of the security measures presented in
    this section as you can.
    • Program DISA to require the caller to enter a system password before the
    system will allow the caller access. See “Administration / Maintenance
    Access” on page 2-4 and “General Security Measures” on page 2-7 for
    secure password guidelines.
    • Use the system’s toll restriction capabilities to restrict the long distance
    calling ability of DISA users as much as possible, consistent with the needs
    of your business.
    • Block out-of-hours calling by turning off Remote Access features at an
    intercom 10 administration telephone whenever possible.
    • Protect your DISA telephone number and password. Only give them to
    people who need them, and impress upon these people the need to keep
    the telephone number and password secret.
    • Monitor your SMDR records and/or your Call Accounting System reports
    regularly for signs of irregular calls. Review these records and reports for
    the following symptoms of abuse:
    						
    — Short holding times on one trunk group
    — Calls to international locations not normal for your business
    — Calls to suspicious destinations
    — High numbers of “ineffective call attempts” indicating attempts at 
    entering invalid barrier codes
    — Numerous calls to the same number 
    — Undefined account codes
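    A sketch of how four of the symptoms above can be checked automatically.
    This is an added example, not part of the handbook: the record layout,
    thresholds, account codes and sample rows are all constructed, and real
    SMDR output would first have to be mapped onto these fields.

```python
# Added example: flag the SMDR symptoms listed above in call records.
# The record layout, thresholds and sample rows are constructed for
# illustration; real SMDR output must be mapped onto these fields first.
import csv
import io
from collections import Counter

SAMPLE = """trunk_group,seconds,dialed,account_code
70,12,0115550100,4410
70,9,0115550100,4410
70,11,0115550100,9999
70,8,0115550100,4410
71,340,5550123,4410
71,95,5550188,4411
"""

KNOWN_ACCOUNT_CODES = {"4410", "4411"}   # assumption: codes you have issued
SHORT_CALL_SECONDS = 15                  # assumption: "short holding time"
REPEAT_LIMIT = 3                         # assumption: "numerous" calls
INTERNATIONAL_PREFIX = "011"             # North American international prefix


def review(smdr_csv):
    """Return a sorted list of (symptom, detail) findings."""
    rows = list(csv.DictReader(io.StringIO(smdr_csv)))
    findings = set()

    # Short holding times concentrated on one trunk group.
    short = Counter(r["trunk_group"] for r in rows
                    if int(r["seconds"]) < SHORT_CALL_SECONDS)
    for group, count in short.items():
        if count >= REPEAT_LIMIT:
            findings.add(("short holding times", f"trunk group {group}: {count} calls"))

    # Numerous calls to the same number.
    for number, count in Counter(r["dialed"] for r in rows).items():
        if count >= REPEAT_LIMIT:
            findings.add(("numerous calls to same number", f"{number}: {count} calls"))

    # International destinations and account codes nobody was issued.
    for r in rows:
        if r["dialed"].startswith(INTERNATIONAL_PREFIX):
            findings.add(("international destination", r["dialed"]))
        if r["account_code"] not in KNOWN_ACCOUNT_CODES:
            findings.add(("undefined account code", r["account_code"]))
    return sorted(findings)


if __name__ == "__main__":
    for symptom, detail in review(SAMPLE):
        print(f"{symptom}: {detail}")
```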
    MERLIN LEGEND Communications System
    This section provides information on protecting the MERLIN LEGEND 
    Communications System. 
    Unauthorized persons concentrate their activities in the following two areas with 
    the MERLIN LEGEND Communications System:
    • Transfer out of the MERLIN LEGEND Communications System to gain
    access to an outgoing trunk and make long distance calls.
    • Locate unused or unprotected mailboxes and use them as drop-off points
    for their own messages.
    Additional security measures are required to protect adjunct equipment.
    • Chapter 5 contains security measures to protect the attached voice
    messaging system. For general security measures, refer to “Protecting
    Voice Messaging Systems” on page 5-2. For product-specific security
    measures, refer to “MERLIN LEGEND Communications System” on page
    5-36.
    • Chapter 6 contains security measures to protect the Automated Attendant
    feature of your communications system. See “MERLIN LEGEND
    Communications System” on page 6-19.
    The MERLIN LEGEND Communications System permits trunk-to-trunk transfers 
    from Voice Mail Integrated (VMI) ports starting with Release 2.1. Starting with 
    Release 3.1, the following are in effect:
    • VMI ports are assigned outward restrictions by default.
    • Trunk-to-trunk transfer can be allowed or disallowed on a per-station basis,
    and the default setting for all stations is restricted. Trunk-to-trunk transfer is
    the transferring of an outside call to another outside number. Whenever
    trunk-to-trunk transfer is disabled, users cannot transfer an outside call to
    an outside line.
    						
    NOTE:
    The ability to transfer internal calls to outside numbers cannot be 
    blocked for an individual extension. However, Calling Restrictions or 
    Disallowed Lists can be assigned to individual extensions to prevent 
    outward or toll calls. Also, a call transfer to an outside destination is 
    disconnected if the original call is on a trunk that does not have 
    reliable disconnect, or if another user joined the call, and the call is 
    now a conference call (which cannot be transferred).
    • Pool dial-out codes are restricted for all extensions by default. No
    extension or remote access user with a barrier code has access to pools
    until the restriction is removed by the system manager.
    Unlike the MERLIN II Communications System R3, the MERLIN LEGEND 
    Communications System does not allocate touch-tone receivers for incoming 
    calls, and thus will not interpret touch tones from a caller as an attempt to 
    circumvent toll restriction, and will not disconnect the call. This could leave the 
    MERLIN LEGEND Communications System vulnerable to toll fraud if the ports are 
    not outward restricted.
    Preventative Measures
    • Provide good physical security for the room containing your
    telecommunications equipment and the room with administrative tools,
    records, and system programming information. These areas should be
    locked when not attended.
    • Provide a secure trash disposal for all sensitive information, including
    telephone directories, call accounting records, or anything that may supply
    information about your communications system. This trash should be
    shredded.
    • Educate employees that hackers may try to trick them into providing them
    with dial tone or dialing a number for them. All reports of trouble, requests
    for moving extensions, or any other administrative details associated with
    the MERLIN LEGEND Communications System should be handled by one
    person (the system manager) or within a specified department. Anyone
    claiming to be a telephone company representative should be referred to
    this person or department.
    • No one outside of Lucent Technologies needs to use the MERLIN
    LEGEND Communications System to test facilities (lines/trunks). If a caller
    identifies himself or herself as a Lucent Technologies employee, the
    system manager should ask for a telephone number where the caller can
    be reached. The system manager should be able to recognize the number
    as a Lucent Technologies telephone number. Before connecting the caller
    to the administrative port of the MERLIN LEGEND Communications
    System, the system manager should feel comfortable that a good reason to
    do so exists. In any event, it is not advisable to give anyone access to
    network facilities or operators, or to dial a number at the request of the
    caller.
    • Any time a call appears to be suspicious, call the Lucent Technologies BCS
    Fraud Intervention Center at 1 800 628-2888 (fraud intervention for
    System 25, PARTNER and MERLIN systems).
    • Customers should also take advantage of Lucent Technologies monitoring
    services and devices, such as the NetPROTECT℠ family of
    fraud-detection services, CAS with HackerTracker® and CAT Terminal with
    Watchdog. Call 1 800 638-7233 to get more information on these Lucent
    Technologies fraud detection services and products.
    Protection Via Star Codes and Allowed/Disallowed Lists
    Starting with MERLIN LEGEND Release 3.1, star codes can be added to Allowed
    and Disallowed Lists to help prevent toll fraud. These codes are usually dialed
    before an outgoing call, and they allow telephone users to obtain special services
    provided by the central office (CO). For example, in many areas, a telephone user
    can dial *67 before a telephone number to disable CO-supplied caller
    identification at the receiving party’s telephone.
    Whenever a user dials a star code, the system checks the Allowed and 
    Disallowed Lists to determine whether the star code is allowed. If the star code is 
    allowed, the star code is passed to the CO, the Calling Restrictions are reset, and 
    the digits following the star code are checked by the Allowed Lists, Disallowed 
    Lists, and Calling Restrictions.
    The system recognizes star codes containing two digits ranging from either 00 
    through 19 or 40 through 99 (for example, *14). It also recognizes star codes 
    containing three digits ranging from 200 through 399 (for example, *234).
    Therefore, for example, if a caller dials *67280, the system checks *67 against the 
    Allowed and Disallowed Lists. If this code is allowed, the system then checks 280 
    against the Allowed and Disallowed Lists.
    Multiple leading star codes (such as *67*70) are also handled by the system: the 
    dialed number is checked against the Allowed and Disallowed Lists after each star 
    code is detected. 
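    The screening sequence described above, as a small model that is an added
    example and not Lucent code. Assumptions not taken from the handbook: list
    entries match as prefixes, a Disallowed List match always blocks, and
    Calling Restrictions are reduced to a single hypothetical `restricted` flag
    under which only Allowed List matches may be dialed. The list contents are
    constructed.

```python
# Added example: a model of the star-code screening described above.
# Assumptions (not from the handbook): list entries match as prefixes, a
# Disallowed List match always blocks, a restricted extension may dial only
# what an Allowed List entry matches, and Calling Restrictions are reduced
# to that single `restricted` flag.

def split_star_codes(dialed):
    """Split a dialed string into (leading star codes, remaining digits)."""
    codes, rest = [], dialed
    while rest.startswith("*"):
        body = rest[1:]
        # *200-*399 are three-digit codes; *00-*19 and *40-*99 are two-digit.
        width = 3 if body[:1] in ("2", "3") else 2
        code = body[:width]
        if len(code) != width or not code.isdigit():
            raise ValueError(f"malformed star code in {dialed!r}")
        codes.append("*" + code)
        rest = body[width:]
    return codes, rest


def screen(dialed, allowed, disallowed, restricted=False):
    """Check each star code, then the number, against both lists.

    Returns ("allowed", None) or ("blocked", offending_segment).
    """
    codes, number = split_star_codes(dialed)
    # The digits after the last star code are screened like any other call.
    segments = codes + ([number] if number else [])
    for segment in segments:
        if any(segment.startswith(entry) for entry in disallowed):
            return "blocked", segment
        if restricted and not any(segment.startswith(e) for e in allowed):
            return "blocked", segment
    return "allowed", None


# Constructed lists for illustration only.
ALLOWED = ["*67", "555"]
DISALLOWED = ["*70", "1900", "011"]

if __name__ == "__main__":
    for dialed in ("*67280", "*671900555", "*67*70280", "*2345551212"):
        print(dialed, split_star_codes(dialed), screen(dialed, ALLOWED, DISALLOWED))
```

    Because the number after the last star code is screened again, a star code
    prefix does not carry a Disallowed destination past the lists.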
    						