Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Small Business Communications Systems Page 4-11 MERLIN LEGEND Communications System 4

The following table gives examples of how to allow and disallow calls via star codes and Disallowed Lists.

Table 4-2. Allowing and Disallowing Calls via Star Codes and Disallowed Lists

Objective: Disallow calls preceded by *67, but allow all other calls.
Solution: Enter *67 as a Disallowed List entry.

Objective: Disallow calls preceded by all star codes, but allow all other calls.
Solution: Enter * as a Disallowed List entry.

Objective: Disallow calls preceded by either *67 or *69, but allow all other calls.
Solution: Enter *67 as a Disallowed List entry, and enter *69 as a separate Disallowed List entry.

Objective: Disallow calls preceded by *67, calls to 900 numbers, and calls to directory assistance (411), but allow all other calls.
Solution: Enter *67, 900, and 411 as separate Disallowed List entries.

Default Disallowed List

By default, Disallowed List #7 contains the following entries, which are frequently associated with toll fraud:

• 0
• 10
• 11
• 976
• 1809
• 1700
• 1900
• 1ppp976 (where each p represents any digit)
• *

This list is automatically assigned to any port that is programmed as a VMI port. The system manager should assign Disallowed List #7 to any extension that does not require access to the numbers in the list.
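As an added example (not code from the handbook or from Lucent), the following Python models the Disallowed List matching shown in Table 4-2 and the default list #7 above, together with the ARS Facility Restriction Levels that the Setting Facility Restriction Levels section below assigns (0 inside calls only, 2 local, 3 domestic long distance, 4 international). Entries are matched here as leading-digit patterns with `p` standing for any digit, and a call passes the FRL check only if the extension's FRL is at least the FRL its route requires; that rule, the number classification in `classify_route()`, and every sample extension and dialed number are assumptions of the example, not statements from the handbook. The example also shows why the two controls are layered: the handbook's NOTE that an FRL of 3 does not cover area code 809 is exactly the gap the `1809` entry in Disallowed List #7 closes.

```python
"""Toy outbound-call screen modelling two MERLIN LEGEND controls from this chapter.

Added example, not code from the handbook or from Lucent. It models:
  * Disallowed List entries, matched here as leading-digit patterns against the
    dialed string, with 'p' standing for any single digit (the "1ppp976" entry)
    and a bare "*" entry catching every star-code prefix.
  * ARS Facility Restriction Levels, using the thresholds the handbook gives
    (0 inside only, 2 local, 3 domestic long distance, 4 international).
The "extension FRL must be at least the route FRL" rule and classify_route()
are simplifying assumptions of this example, not statements from the handbook.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default Disallowed List #7 exactly as listed in the handbook.
DISALLOWED_LIST_7 = ["0", "10", "11", "976", "1809", "1700", "1900", "1ppp976", "*"]

# FRL required by each route class (values from the handbook's ARS list).
ROUTE_FRL = {"inside": 0, "local": 2, "domestic": 3, "international": 4}


def entry_matches(entry: str, dialed: str) -> bool:
    """True when `dialed` begins with `entry`; 'p' in the entry matches any digit."""
    if len(dialed) < len(entry):
        return False
    for want, got in zip(entry, dialed):
        if want == "p":
            if not got.isdigit():
                return False
        elif want != got:
            return False
    return True


def disallowed_by(dialed: str, entries: List[str]) -> Optional[str]:
    """Return the first Disallowed List entry that blocks `dialed`, or None."""
    for entry in entries:
        if entry_matches(entry, dialed):
            return entry
    return None


def classify_route(dialed: str) -> str:
    """Assumed route classification for this example.

    Any leading two-digit star code (*67, *69) is stripped first. Numbers of up
    to four digits are treated as inside calls, 011 as international and a
    leading 1 as domestic long distance. Area code 809 is part of the NANP, so
    1-809 is classed as domestic here, which is precisely the gap the handbook's
    NOTE warns about: an extension FRL of 3 does not stop it.
    """
    digits = dialed
    while digits.startswith("*"):
        digits = digits[3:]
    if len(digits) <= 4:
        return "inside"
    if digits.startswith("011"):
        return "international"
    if digits.startswith("1"):
        return "domestic"
    return "local"


@dataclass
class Extension:
    number: str
    frl: int  # the extension's ARS FRL
    disallowed: List[str] = field(default_factory=list)  # assigned Disallowed List


def screen_call(ext: Extension, dialed: str) -> Tuple[bool, str]:
    """Apply the Disallowed List, then the FRL check; return (allowed, reason)."""
    hit = disallowed_by(dialed, ext.disallowed)
    if hit is not None:
        return False, f"blocked by Disallowed List entry {hit!r}"
    route = classify_route(dialed)
    needed = ROUTE_FRL[route]
    if ext.frl < needed:
        return False, f"{route} route requires FRL {needed}, extension has FRL {ext.frl}"
    return True, f"{route} route permitted at FRL {ext.frl}"


if __name__ == "__main__":
    # Table 4-2, row 1: only *67 is disallowed, so *69 still goes through.
    print(disallowed_by("*675551234", ["*67"]), disallowed_by("*695551234", ["*67"]))
    # The factory FRL of 3 does not block 1-809; Disallowed List #7 does.
    print(screen_call(Extension("1234", 3), "18095551234"))
    print(screen_call(Extension("1234", 3, DISALLOWED_LIST_7), "18095551234"))
    # A VMI port at FRL 0 cannot even place a local call (route FRL 2).
    print(screen_call(Extension("7701", 0, DISALLOWED_LIST_7), "5551234"))
```

`screen_call()` reports which control blocked a call, so when reviewing an extension's restrictions an administrator can see whether a Disallowed List entry or the FRL did the work; the VMI case at the end reproduces the handbook's statement that the default FRL of 0 on VMI ports restricts all outcalling.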
Assigning a Second Dial Tone Timer

A second dial tone timer can be assigned to lines and trunks to help prevent toll fraud.

NOTE: This timer can be used with star codes, which are discussed earlier in this chapter.

If the timer is assigned, and if the user dials a certain set of digits, the CO provides a second dial tone to prompt the user to enter more digits. This ensures that digits are dialed only when the CO is ready to receive more digits from the caller. Therefore, the risk of toll fraud or of the call being routed incorrectly is reduced.

Setting Facility Restriction Levels

Facility Restriction Levels (FRLs) can help prevent toll fraud. Some FRLs are already set to a default value before the product is shipped to the customer. Other FRLs can be set by the customer.

Security Defaults and Tips

The following list identifies features and components that can be restricted by FRLs, identifies the corresponding FRL, and discusses how the FRLs affect these features and components.

• Voice Mail Integrated (VMI) Ports
  The default FRL for VMI ports is now 0. This restricts all outcalling. (Refer to Form 7d, “Group Calling.”)

• Default Local Route Table
  The default FRL for the Default Local Route Table is now 2. No adjustment to the route FRL is required. (Refer to Table 18 on Planning Form 3g, “ARS Default and Special Numbers Table.”)

• Automatic Route Selection (ARS)
  The customer receives the product with ARS activated and with all extensions set to FRL 3. This allows all international calling. To prevent toll fraud, set the ARS FRL to the appropriate value in the following list.
  — 0 (restriction to inside calls only)
  — 2 (restriction to local calls only)
  — 3 (restriction to domestic long distance)
    NOTE: This restriction does not include area code 809, which is part of the North American Numbering Plan (NANP).
  — 4 (international calling)

  NOTE: In Release 3.1 and later systems, default local and default toll tables are factory-assigned an FRL of 2. This simplifies the task of restricting extensions; the FRL for an extension merely needs to be changed from the default of 3.

Protecting Remote Access

The Remote Access feature allows users to call into the MERLIN LEGEND Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the Remote Access telephone number and password, call into the system, and make long distance calls.

For MERLIN LEGEND R3.1 and later systems, system passwords, called barrier codes, are by default restricted from making outside calls. In MERLIN LEGEND releases prior to Release 3.0, if you do not program specific outward calling restrictions, the user is able to place any call normally dialed from a telephone associated with the system. Such an off-premises network call is originated at, and will be billed from, the system location.

The MERLIN LEGEND Communications System has 16 barrier codes for use with Remote Access. For systems prior to MERLIN LEGEND R3, barrier codes have a 5-digit maximum; for R3 systems and later, barrier codes have an 11-digit maximum. For greater security, always use the maximum available digits when assigning barrier codes.

Beginning with MERLIN LEGEND R3.0, the following rules on barrier codes have been included in order to prevent telephone toll fraud:

— The Remote Access default requires a barrier code.
— The barrier code is a flexible-length code ranging from 4 to 11 digits (with a default of 7) and includes the * character. The length is set system-wide.
— The user is given three attempts to enter the correct barrier code.

The following security measures assist you in managing the Remote Access feature to help prevent unauthorized use.

Security Tips

• Evaluate the necessity for Remote Access. If this feature is not vital to your organization, consider not using it or limiting its use.
  To turn off Remote Access, do the following:
  1. On the System Administration screen, select Lines and Trunks and then select Remote Access.
  2. Choose Disable Remote Access.
  If you need the feature, use as many of the security measures presented in this section as you can.

• Program the Remote Access feature to require the caller to enter a barrier code before the system will allow the caller access. Up to 16 different barrier codes can be programmed, and different restriction levels can be set for each barrier code.

• For MERLIN LEGEND R3.0, program the Remote Access feature to enter an authorization code of up to 11 digits. For greater security, always use the maximum available digits when assigning authorization codes.

• It is strongly recommended that customers invest in security adjuncts, which typically use one-time passcode algorithms. These security adjuncts discourage hackers. Since a secure use of the Remote Access feature generally offers savings over credit card calling, the break-even period can make the investment in security adjuncts worthwhile.

• If a customer chooses to use the Remote Access feature without a security adjunct, multiple barrier codes should be employed, with one per user if the system permits. The MERLIN LEGEND system permits a maximum of 16 barrier codes. The barrier code for each user should not be recorded in a place or manner that may be accessible to an unauthorized user. The code should also not indicate facts about or traits of the user that are easily researched (for example, the user’s birthdate) or discernible (for example, the user’s hobbies, interests, political inclinations, etc.).

• Use the system’s toll restriction capabilities to restrict the long distance calling ability of Remote Access users as much as possible, consistent with the needs of your business.
• Block out-of-hours calling by manually turning off Remote Access features at an administration telephone whenever appropriate (if Remote Access is dedicated on a port).

• Protect your Remote Access telephone number and password. Only give them to people who need them, and impress upon those people the need to keep the telephone number and password secret.

• Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls. Review these records and reports for the following symptoms of abuse:
  — Short holding times on one trunk group
  — Patterns of authorization code usage (same code used simultaneously or high activity)
  — Calls to international locations not normal for your business
  — Calls to suspicious destinations
  — High numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes or authorization codes
  — Numerous calls to the same number
  — Undefined account codes

Protecting Remote System Programming

The Remote System Programming feature allows your system administrator to use System Programming and Maintenance (SPM) software to make changes to your MERLIN LEGEND Communications System programming from another location. The system can be accessed remotely either by dialing into it directly using Remote Access or by dialing the system operator and asking to be transferred to the system’s built-in modem. The feature also may be used, at your request, by Lucent Technologies personnel to do troubleshooting or system maintenance.

However, unauthorized persons could disrupt your business by altering your system programming. In addition, they could activate features (such as Remote Access) that would permit them to make long distance calls, or they could change restriction levels to allow long distance calls that would otherwise have been blocked.

The following security measures assist you in managing the Remote System Programming feature to help prevent unauthorized use.

Security Tips

• The System Programming capability of the MERLIN LEGEND Communications System is protected by a password. Passwords can be up to five characters in length and can be alphabetic, numeric, or special characters. See “Administration/Maintenance Access” on page 2-4 and “General Security Measures” on page 2-7 for secure password guidelines.

• If you use Remote Access to do remote system programming on your MERLIN LEGEND Communications System, follow all of the security tips listed for protecting the Remote Access feature.
  — Even if the Remote Access feature is used only for remote system programming, it should be protected by a barrier code.
  — Do not write the Remote Access telephone number or barrier code on the MERLIN LEGEND Communications System, the connecting equipment, or anywhere else in the system room.

• Train all employees, especially your system operator, to transfer only authorized callers to the system’s built-in modem for remote programming. Hackers have also been known to use “social engineering” to gain transfer to the built-in modem.
Protecting Remote Call Forwarding

The Remote Call Forwarding feature allows a customer to forward an incoming call to another off-premises number. However, a caller could stay on the line and receive another dial tone. At this point, the caller could initiate another toll call.

The following security measures assist you in managing the Remote Call Forwarding feature to help prevent unauthorized use:

• Provide the Remote Call Forwarding capability only to those people who need it.

• Do not use this feature with loop-start lines. Due to unreliable disconnects from the carrier’s central office, this feature may allow dial tone to be re-established and additional calls to be made.

MERLIN Plus Communications System

This section provides information on protecting the MERLIN Plus Communications System.

Protecting Remote Line Access (R2 only)

The Remote Line Access feature allows users to call into the MERLIN Plus Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the Remote Line Access telephone number and password, call into the system, and make long distance calls.

The following security measures assist you in managing the Remote Line Access feature to help prevent unauthorized use.

Security Tips

• Evaluate the necessity for Remote Line Access. If this feature is not vital to your organization, consider not using it or limiting its use. If you need the feature, use as many of the security measures presented in this section as you can.

• Disallow all or selected international calls on Remote Line Access ports.

• Administer trunk pools for Originating Line Screening to avoid operator-assisted calls from toll-restricted stations.
• Program the Remote Line Access feature to require the caller to enter a 5-digit password before the system will allow the caller access. The password consists of the user’s extension number (first 2 digits) plus 3 unique digits.
• Use the system’s toll restriction capabilities to restrict the long distance calling ability of Remote Line Access users as much as possible, consistent with the needs of your business.

• Block out-of-hours calling by turning off DXD and Remote Line Access features at an extension 10 telephone whenever possible.

• Protect your Remote Line Access telephone number and password. Only give them to people who need them, and impress upon these people the need to keep the telephone number and password secret.

• Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls. Review these records and reports for the following symptoms of abuse:
  — Patterns of authorization code usage (same code used simultaneously or high activity)
  — Calls to international locations not normal for your business
  — Calls to suspicious destinations
  — High numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes or authorization codes
  — Numerous calls to the same number
  — Undefined account codes

• Activate “Automatic Call Restriction Reset” (R2 only).

Protecting Remote Call Forwarding (R2 only)

For Release 2, the MERLIN Plus Communications System allows a customer to forward an incoming call to another (remotely located) telephone number. However, a caller could stay on the line and receive another dial tone. At this point, the caller could initiate a toll call without any outward call restrictions at all.

The following security measures assist you in managing the Remote Call Forwarding feature to help prevent unauthorized use.

• Implement the “Automatic Timeout” feature of the MERLIN Plus Communications System R2 “B” (Remote Call Forwarding feature).
  Contact the Lucent Technologies National Service Assistance Center (NSAC) at 800 628-2888 to determine if your system has the Automatic Timeout feature as part of the 533B memory module.

• Provide the Remote Call Forwarding capability only to those who need it.
PARTNER II Communications System

This section provides information on protecting the PARTNER II Communications System. Additional security measures are required to protect adjunct equipment.

• Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to “PARTNER II Communications System” on page 5-48.

• Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system. See “PARTNER II Communications System” on page 6-20.

The PARTNER II Communications System does not permit trunk-to-trunk transfers, thus reducing the risk of toll fraud. In addition, it allows individual stations to be administered for outward restriction.

An optional Remote Administration Unit provides remote administration for all releases of the PARTNER II Communications System. Protect the Remote Administration Unit by making sure to assign a password for unattended mode, and once remote administration is not necessary, remove it from unattended mode. Otherwise, a hacker could change the programming remotely.

PARTNER Plus Communications System

This section provides information on protecting the PARTNER Plus Communications System. Additional security measures are required to protect adjunct equipment.

• Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to “PARTNER Plus Communications System” on page 5-50.

• Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system.
  See “PARTNER Plus Communications System” on page 6-20.

The PARTNER Plus Communications System does not permit trunk-to-trunk transfers, thus reducing the risk of toll fraud. In addition, it allows individual stations to be administered for outward restriction.

An optional Remote Administration Unit provides remote administration for all releases of the PARTNER Plus Communications System. Protect the Remote Administration Unit by making sure to assign a password for unattended mode, and once remote administration is not necessary, remove it from unattended mode. Otherwise, a hacker could change the programming remotely.

System 25

This section provides information on protecting the System 25. Additional security measures are required to protect adjunct equipment.

• Chapter 5 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 5-2. For product-specific security measures, refer to page 5-52.

• Chapter 6 contains security measures to protect the Automated Attendant feature of your communications system. See “PARTNER Plus Communications System” on page 6-20.

System 25 allows trunk-to-trunk transfer capability, increasing the opportunities for toll fraud. However, trunk-to-trunk transfers on loop-start trunks are not allowed unless the switch is administered to allow it. A fast busy signal indicates that the transfer is not allowed. Do not allow trunk-to-trunk transfers on loop-start trunks unless there is a business need for it. This may be administered from the system administration menu.

For R3V3, international calls (or international calls to selected countries) can be disallowed from a toll-restricted station, and toll-restricted stations can be blocked from using Interexchange Carrier Codes (IXCs) to make domestic or international direct-dialed calls. Also, unless a trunk pool is administered for “Originating Line Screening,” toll-restricted stations cannot make operator-assisted calls.

To further reduce the system’s vulnerability to toll fraud, outward restrict the tip/ring port to which the Remote Maintenance Device is connected.
Protecting Remote Access

The Remote Access feature allows users to call into System 25 from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the Remote Access telephone number and password (barrier access code), call into the system, and make long distance calls.

System 25 allows up to 16 different barrier access codes and one Remote Maintenance barrier access code for use with the Remote Access feature. Except for R3V3, barrier access codes have a 5-digit maximum. R3V3 allows up to 15 characters, including the digits 0 to 9, #, and *. Also for R3V3, an alarm is generated at the attendant console if an invalid barrier access code is entered.
For greater security, always use the maximum available digits when assigning barrier access codes.

The following security measures assist you in managing the Remote Access feature to help prevent unauthorized use.

Security Tips

• Evaluate the necessity for Remote Access. If this feature is not vital to your organization, consider not using it or limiting its use. If you need the feature, use as many of the security measures presented in this section as you can.

• Program the Remote Access feature to require the caller to enter a password (barrier access code) before the system will allow the caller access.

• Use the system’s toll restriction capabilities to restrict the long distance calling ability of Remote Access users as much as possible, consistent with the needs of your business. For example, allow users to make calls only to certain area codes, or do not allow international calls.

• Protect your Remote Access telephone number and password (barrier access code). Only give them to people who need them, and impress upon these people the need to keep the telephone number and password (barrier access code) secret.

• Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls. Review these records and reports for the following symptoms of abuse:
  — Short holding times on one trunk group
  — Calls to international locations not normal for your business
  — Calls to suspicious destinations
  — High numbers of “ineffective call attempts” indicating attempts at entering invalid barrier codes or authorization codes
  — Numerous calls to the same number
  — Undefined account codes

Protecting Remote System Administration

The Remote System Administration feature allows your telephone system administrator to make changes to your System 25 system programming from another location by dialing into the system.
The feature also may be used, at your request, by Lucent Technologies personnel to do troubleshooting or system maintenance.
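The same list of SMDR review symptoms is given above for the MERLIN LEGEND, MERLIN Plus and System 25 systems. The following Python is an added example, not code from the handbook or from Lucent, that turns each symptom into a check over call records: short holding times on one trunk group, the same authorization code in use on two calls at once, international destinations, a run of ineffective call attempts, numerous calls to one number, and undefined account codes. The CSV layout, the sample records, the `011` international prefix, the list of defined account codes and every threshold are constructed for the example; real SMDR output from these systems is laid out differently, so `parse_smdr()` is the part to adapt to a Call Accounting System export.

```python
"""SMDR review for the abuse symptoms this chapter lists. Added example, not code from
the handbook or from Lucent: SMDR_SAMPLE and its CSV layout are constructed, real SMDR
output is laid out differently (adapt parse_smdr), and every threshold is an assumption."""
import csv
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Constructed records: a night-time burst of short international calls with one
# authorization code on two trunks at once, failed attempts, and a number dialed repeatedly.
SMDR_SAMPLE = """\
# date,time,duration_s,trunk_group,dialed,auth_code,account_code,status
12/01/97,02:03:10,12,TG1,011441234567890,4471,,COMPLETED
12/01/97,02:03:15,9,TG1,011441234567891,4471,,COMPLETED
12/01/97,02:04:05,15,TG1,011441234567892,9130,,COMPLETED
12/01/97,02:04:30,0,TG1,,,,INEFFECTIVE
12/01/97,02:04:48,0,TG1,,,,INEFFECTIVE
12/01/97,02:05:02,0,TG1,,,,INEFFECTIVE
12/01/97,09:15:00,240,TG2,2125551212,1287,P100,COMPLETED
12/01/97,09:20:00,100,TG2,2125551212,1287,P100,COMPLETED
12/01/97,09:22:00,50,TG2,2125551212,1287,P100,COMPLETED
12/01/97,09:23:00,180,TG2,2125551212,1287,P100,COMPLETED
12/01/97,09:30:00,600,TG2,3125550100,1287,Z999,COMPLETED
"""
KNOWN_ACCOUNT_CODES = {"P100"}  # constructed: the account codes defined in the system

@dataclass
class CallRecord:
    start: datetime
    duration: timedelta
    trunk_group: str
    dialed: str
    auth_code: str
    account_code: str
    status: str  # COMPLETED, or INEFFECTIVE for an attempt the system rejected

def parse_smdr(text: str) -> List[CallRecord]:
    """Parse the constructed CSV layout above; '#' comment lines are skipped."""
    rows = csv.reader(l for l in text.splitlines() if l and not l.startswith("#"))
    records = []
    for date, time, dur, tg, dialed, auth, acct, status in rows:
        start = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        records.append(CallRecord(start, timedelta(seconds=int(dur)), tg, dialed, auth, acct, status))
    return records

def short_holding_trunk_groups(records, max_mean_s=30, min_calls=3) -> Set[str]:
    """Trunk groups whose completed calls are, on average, suspiciously short."""
    by_tg = defaultdict(list)
    for r in records:
        if r.status == "COMPLETED":
            by_tg[r.trunk_group].append(r.duration.total_seconds())
    return {tg for tg, d in by_tg.items() if len(d) >= min_calls and sum(d) / len(d) <= max_mean_s}

def concurrent_auth_codes(records) -> Set[str]:
    """Authorization codes in use on two calls at the same moment (overlapping intervals)."""
    by_code = defaultdict(list)
    for r in records:
        if r.auth_code and r.status == "COMPLETED":
            by_code[r.auth_code].append(r)
    flagged = set()
    for code, calls in by_code.items():
        latest_end = None
        for r in sorted(calls, key=lambda c: c.start):
            if latest_end is not None and r.start < latest_end:
                flagged.add(code)
                break
            end = r.start + r.duration
            latest_end = end if latest_end is None else max(latest_end, end)
    return flagged

def international_numbers(records) -> Set[str]:
    """Numbers dialed with the 011 international access prefix (NANP dialing assumed)."""
    return {r.dialed for r in records if r.dialed.startswith("011")}

def ineffective_attempts(records) -> int:
    return sum(1 for r in records if r.status == "INEFFECTIVE")

def repeated_numbers(records, min_calls=4) -> Set[str]:
    counts = Counter(r.dialed for r in records if r.status == "COMPLETED")
    return {num for num, n in counts.items() if n >= min_calls}

def undefined_account_codes(records, known=KNOWN_ACCOUNT_CODES) -> Set[str]:
    return {r.account_code for r in records if r.account_code and r.account_code not in known}

def review(records, max_ineffective=3) -> List[str]:
    """One finding per symptom from the handbook's list that the records exhibit."""
    findings = []
    if tgs := short_holding_trunk_groups(records):
        findings.append(f"short holding times on trunk group(s) {sorted(tgs)}")
    if codes := concurrent_auth_codes(records):
        findings.append(f"authorization code(s) used simultaneously: {sorted(codes)}")
    if intl := international_numbers(records):
        findings.append(f"international calls: {sorted(intl)}")
    if (n := ineffective_attempts(records)) >= max_ineffective:
        findings.append(f"{n} ineffective call attempts (possible barrier code guessing)")
    if nums := repeated_numbers(records):
        findings.append(f"numerous calls to the same number: {sorted(nums)}")
    if acct := undefined_account_codes(records):
        findings.append(f"undefined account code(s): {sorted(acct)}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_smdr(SMDR_SAMPLE)):
        print("-", finding)
```

Each detector returns the offending trunk groups, codes or numbers rather than a yes/no, so the review output names what to look at first; the concurrency check is the one that catches a shared or stolen authorization code even when every individual call looks ordinary, and the ineffective-attempt count is the SMDR counterpart of the attendant-console alarm that System 25 R3V3 raises on an invalid barrier access code.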