Lucent Technologies BCS Products Security Handbook

    							BCS Products
    Security Handbook  
    555-025-600  
    Issue 6
    December 1997
    Contents 
    Page xi  
    - Toll Fraud Contact List
    H Product Security Checklists
    - General Security Procedures
    - AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems
    - AUDIX Voice Power System
    - BasicWorks
    - CONVERSANT Voice Information System
    - DEFINITY ECS, DEFINITY G1 and G3, and System 75
    - DEFINITY G2 and System 85
    - DIMENSION PBX System
    - Lucent Technologies/Bay Networks
    - MERLIN II Communications System
    - MERLIN LEGEND Communications System
    - MERLIN MAIL Voice Messaging System
    - MERLIN MAIL-ML Voice Messaging System
    - MERLIN MAIL R3 Voice Messaging System
    - MERLIN Plus Communications System
    - Multimedia Communications Exchange Server
    - Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS)
        ESM Security Checklist
        CRCS Security Checklist
        MSM Security Checklist
    - PARTNER II and PARTNER Plus Communications Systems
    - PARTNER MAIL and PARTNER MAIL VS Systems
    - System 25
    - PassageWay Telephony Services
    I Large Business Communications Systems Security Tools by Release
    GL Glossary
    IN Index
    About This Document
    Scope of this Handbook
    This handbook discusses security risks and measures that can help prevent 
    external telecommunications fraud involving the following Lucent Technologies 
    products:
    Communications Server:
    - DEFINITY® Enterprise Communications Server (ECS) Release 5 and later
    PBX systems:
    - DEFINITY® Generic 1, 2, and 3 Communications Systems
    - MERLIN® II Communications System
    - MERLIN LEGEND® Communications System
    - MERLIN® Plus Communications System
    - PARTNER® II Communications System
    - PARTNER® Plus Communications System
    - System 25 Communications System
    - System 75 (R1V1, R1V2, R1V3)
    - System 85 (R1, R2V2, R2V3, R2V4)
    Voice processing systems:
    - AUDIX® Voice Mail System
    - AUDIX® Voice Power® System
    - CONVERSANT® Voice Information System
    - DEFINITY® AUDIX® System
    - INTUITY™ AUDIX® Voice Messaging System
    - INTUITY™ CONVERSANT® Voice Information System
    - MERLIN MAIL® Voice Messaging System
    - MERLIN MAIL®-ML Voice Messaging System
    - MERLIN MAIL® R3 Voice Messaging System
    - PARTNER MAIL® System
    - PARTNER MAIL VS® System
    Other products and services:
    - Call Management System (R3V2)
    - CallMaster® PC
    - Multipoint Conferencing Unit (MCU)
    - PassageWay® Telecommunications Interface
    - TransTalk™ 9000 Digital Wireless System
    - Telephony Services for Netware®
    NOTE:
    Although the DIMENSION® Call Management System is not covered 
    explicitly in this handbook, the information supplied for System 85 Release 2 
    applies to the DIMENSION PBX System as well.
    NOTE:
    This document describes switch features and how they are related to 
    security. It is not designed to fully describe the capabilities of each feature. 
    For further details about all the security features and their interactions with 
    other system features, refer to the appropriate system manual for your 
    telecommunications system. (See “Related Documentation” in this chapter 
    for titles and document numbers.)
    For the latest updates on the security of products, the following options are 
    available:
    - Purchase the Toll Fraud Prevention training video
      This videotape is divided into three segments: general information to 
      illustrate the impact of toll fraud, testimony taken from a real hacker, and 
      interviews with toll fraud victims. Covered topics include hacker access 
      techniques, toll fraud issues, safeguard features, effective system 
      management, security plans, and security monitoring solutions. To order, 
      call the Lucent Technologies Sourcebook Catalog at 1 800 635-8866, then 
      select prompt #1, PEC 1469-021.
    - Enroll in Lucent Technologies BCS Advanced Security for DEFINITY ECS
      This advanced 2-day training course provides additional technical methods 
      and procedures in recognizing and preventing toll fraud for the DEFINITY 
      user. To enroll, call 1 800 255-8988, PEC 1460-095.
    Reason for Reissue
    This issue, Issue 6 of the GBCS Products Security Handbook, updates 
    information to include the following:
    - Changes in the text to reflect the addition of the DEFINITY Enterprise 
      Communications Server Release 5 and Release 6
    - The Security Violations Measurement Reports used with the DEFINITY 
      switch
    - MERLIN LEGEND Release 3.1, 4.0, 4.1, 4.2, and 5.0
    - MERLIN LEGEND MAIL
    - PARTNER MAIL Release 3
    - INTUITY AUDIX® used with MERLIN LEGEND
    Minor edits and other additions have also been included in this issue.
    Intended Audience
    Telecommunications managers, console operators, and security organizations 
    within a company should be aware of the information in Chapters 1 and 2. 
    Chapter 3 introduces more technical information and is directed at people 
    responsible for implementing and administering the security aspects of systems.
    Appendices A through D expand upon technical information in the handbook and 
    are intended for use by the system administrator. Appendices E, F, H, and I have 
    application throughout the organization. Appendix G is specifically intended for 
    telecommunications management personnel with responsibilities for implementing 
    a security policy.
    How this Guide is Organized
    The GBCS Products Security Handbook has the following chapters and 
    appendices:
    Chapter 1: Introduction
        Provides a background for toll fraud.
    Chapter 2: Security Risks
        Discusses the major areas in which customer premises equipment-based
        systems are vulnerable, and introduces available security measures.
    Chapter 3: Large Business Communications Systems
        Provides information on protecting the DEFINITY ECS Release 5 and later,
        DEFINITY Communications System Generic 1, Generic 2, and Generic 3,
        System 75, and System 85. Details how Remote Access is vulnerable to
        toll fraud, explains numerous system security features, and provides
        detailed procedures.
    Chapter 4: Small Business Communications Systems
        Provides information on protecting the MERLIN II, MERLIN LEGEND,
        MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 Communications
        Systems. Details product features that are vulnerable to toll fraud,
        such as Remote Access and Remote Call Forwarding, and recommends
        security measures.
    Chapter 5: Voice Messaging Systems
        Provides information on protecting voice messaging systems. Explains
        the tools available and recommends security measures.
    Chapter 6: Automated Attendant
        Provides information on protecting Automated Attendant systems.
        Explains the features available and recommends security measures.
    Chapter 7: Other Products and Services
        Provides information to protect other Lucent Technologies products and
        services from toll fraud.
    Appendix A: Call Routing
        Details call flow through a customer premises equipment-based system.
    Appendix B: Blocking Calls
        Provides procedures for blocking calls to common toll fraud
        destinations.
    Appendix C: Remote Access Example (G1, G3, and System 75)
        Offers an example of how to set up Remote Access and an example of how
        to disable it.
    Appendix D: Administering Features of the DEFINITY G3V3 and Later
        Provides information on administering features available in DEFINITY
        Releases G3V3 and later, including the DEFINITY ECS Release 5 and 6.
    Appendix E: Changing Your Password
        Tells how to change passwords for systems in the handbook.
    Appendix F: Toll Fraud Job Aids
        Provides job aids to help prevent toll fraud.
    Appendix G: Special Security Product and Service Offers
        Details special product and service offers and provides a toll fraud
        contact list.
    Appendix H: Product Security Checklists
        Lists the available security features and tips by product.
    Appendix I: Large Business Communications Systems Security Tools by Release
        Details security tools referenced in this guide, for the System 75,
        System 85, DEFINITY ECS, and DEFINITY Communications Systems by
        release.
    Lucent Technologies’ Statement of Direction
    The telecommunications industry is faced with a significant and growing problem 
    of theft of customer services. To aid in combating these crimes, Lucent 
    Technologies intends to strengthen relationships with its customers and its 
    support of law enforcement officials in apprehending and successfully prosecuting 
    those responsible.
    No telecommunications system can be entirely free from the risk of unauthorized 
    use. However, diligent attention to system management and to security can 
    reduce that risk considerably. Often, a trade-off is required between reduced risk 
    and ease of use and flexibility. Customers who use and administer their systems 
    make this trade-off decision. They know how to best tailor the system to meet their 
    unique needs and, necessarily, are in the best position to protect the system from 
    unauthorized use. Because the customer has ultimate control over the 
    configuration and use of Lucent Technologies services and products it purchases, 
    the customer properly bears responsibility for fraudulent uses of those services 
    and products.
    To help customers use and manage their systems in light of the trade-off 
    decisions they make and to ensure the greatest security possible, Lucent 
    Technologies commits to the following:
    - Lucent Technologies products and services will offer the widest range of 
      options available in the industry to help customers secure their 
      communications systems in ways consistent with their telecommunications 
      needs.
    - Lucent Technologies is committed to develop and offer services that, for a 
      fee, reduce or eliminate customer liability for PBX toll fraud, provided the 
      customer implements prescribed security requirements in its 
      telecommunications systems.
    - Lucent Technologies’ product and service literature, marketing information 
      and contractual documents will address, wherever practical, the security 
      features of our offerings and their limitations, and the responsibility our 
      customers have for preventing fraudulent use of their Lucent Technologies 
      products and services.
    - Lucent Technologies sales and service people will be the best informed in 
      the industry on how to help customers manage their systems securely. In 
      their continuing contact with customers, they will provide the latest 
      information on how to do that most effectively.
    - Lucent Technologies will train its sales, installation and maintenance, and 
      technical support people to focus customers on known toll fraud risks; to 
      describe mechanisms that reduce those risks; to discuss the trade-offs 
      between enhanced security and diminished ease of use and flexibility; and 
      to ensure that customers understand their role in the decision-making 
      process and their corresponding financial responsibility for fraudulent use 
      of their telecommunications system.
    - Lucent Technologies will provide education programs for internal and 
      external customers to keep them apprised of emerging technologies, 
      trends, and options in the area of telecommunications fraud.
    - As new fraudulent schemes develop, Lucent Technologies will promptly 
      initiate ways to impede those schemes, share our learning with our 
      customers, and work with law enforcement officials to identify and 
      prosecute fraudulent users whenever possible.
    We are committed to meeting and exceeding our customers’ expectations, and to 
    providing services and products that are easy to use and high in value. This 
    fundamental principle drives Lucent Technologies’ renewed assault on the 
    fraudulent use by third parties of our customers’ communications services and 
    products.
    Lucent Technologies/Customer Security Roles and Responsibilities
    The purchase of a telecommunications system is a complicated process involving 
    many phases, including: system selection, design, ordering, implementation, and 
    assurance testing. Throughout these phases, customers, vendors, and their 
    agents each have specific roles and responsibilities. Insuring that systems are 
    designed, ordered, installed, and maintained in a secure fashion is a responsibility 
    each organization must understand.
    Lucent Technologies, seeking to be our customers’ Partner of Choice, clearly 
    defined its mission in this area in a Statement of Direction issued in May, 1992.
    (See the preceding section.) More specifically, Lucent Technologies BCS 
    recognized four areas where we or our agents had specific responsibilities to our 
    customers. These areas, and our responsibilities in each area, are detailed in the 
    next section, “Lucent Technologies’ Roles and Responsibilities.”
    In addition, customers have specific responsibilities to insure the system they are 
    installing is as secure as their requirements dictate. The following quote is from 
    A Cooperative Solution to the Fraud that Targets Telecom Systems, a position 
    paper developed by the Toll Fraud Prevention Committee (TFPC) of the Alliance 
    for Telecommunications Industry Solutions: 
    “It is necessary to stress that the business owner, the owner or lessee of 
    the CPE [Customer Premises Equipment], has the primary and paramount 
    care, custody, and control of the CPE. The owner has the responsibility to 
    protect this asset, the telecommunications system equally as well as other 
    financial assets of the business.”
    The TFPC position paper attempts to define industry standards for the roles and 
    responsibilities of the various organizations involved in a system implementation. 
    Portions of that paper are applicable to this handbook and are quoted 
    throughout. Customers interested in the entire paper can receive copies by 
    contacting the Alliance for Telecommunications Industry Solutions, 1200 G Street, 
    NW, Suite 500, Washington, DC 20005.
    Lucent Technologies’ Roles and Responsibilities
    1. Lucent Technologies BCS, as a manufacturer, has the responsibility to 
    PROVIDE the customer with securable technology, the information 
    resources (product documentation) to understand the capabilities of the 
    technology, and the configuration of the equipment when it shipped from 
    the factory.
    2. Lucent Technologies BCS, as a sales organization, has the responsibility to 
    INFORM the customer of potential toll fraud, how it can happen, and what 
    roles and responsibilities Lucent Technologies and the customer need to 
    accept to work together in reducing the customer’s potential for toll fraud.
    3. Lucent Technologies BCS, as a provisioning organization, has the 
    responsibility to ASSIST the customer in understanding the risks inherent 
    in the use of certain equipment features, and the methods available to 
    minimize those risks. Together with the customer, Lucent Technologies 
    must come to an agreement on the desired configuration, and insure that 
    customers’ requests are carried out correctly.
    4. Lucent Technologies BCS, as a maintenance provider, has the 
    responsibility to ENSURE that no action, taken by us, serves to introduce 
    risk to the customer’s system. At the very least we must ensure the 
    customer is as secure after our assistance as they were before it.
    Customer Roles and Responsibilities
    The customer as the business owner has the responsibility to SELECT AND 
    MANAGE the security of their system. Specifically, according to the TFPC of the 
    Alliance for Telecommunications:
    “The basic responsibility of the business owner is to devote adequate 
    resources (time, talent, capital, etc.) to the selection of CPE and to its 
    management, including fraud prevention, detection and deterrence. It is an 
    essential part of managing the business. The owner must demand that the 
    internal staff and supporting external professionals, such as consultants, 
    include security concerns in the evaluation, design, and operation of the 
    telecommunications environment for his/her business.”
    Lucent Technologies Security Offerings
    Lucent Technologies has developed a variety of offerings to assist in maximizing 
    the security of your system. These offerings include:
    - Security Audit Service of your installed systems (see Appendix G).
    - Security Tune-up Service (see Appendix G).
    - Toll Fraud Crisis Intervention Service (see “Lucent Technologies Toll Fraud 
      Crisis Intervention” in this section).
    - The BCS Product Security Kit, 555-025-601, includes this Security 
      Handbook, a self-paced tutorial that uses diagrams of system 
      administration screens to help customers design security into their 
      systems, and a training video tape addressing customer needs for tools to 
      share within their own companies. The video tape provides customers with 
      valuable information on ways to recognize and defend against toll fraud.
    - The HackerTracker™ Call Accounting package that calls you when preset 
      types and thresholds of calls are established (see “Lucent Technologies 
      HackerTracker” in Appendix G).
    - Remote Port Security Device (RPSD) that makes it difficult for computer 
      hackers to access the remote maintenance ports (see Appendix G).
    - Integrated Lock for Security Toolkit (or SoftLock) feature (see Appendix G). 
      This feature provides many of the same options as the RPSD listed above, 
      but whereas the RPSD is a hardware device, the SoftLock feature is a 
      software interface that can be installed directly in the DEFINITY ECS 
      software base. This software can be used only with the DEFINITY ECS 
      Release 6.2 and later.
    - Software that can identify the exact digits passed through the voice mail 
      system (AUDIX Data Acquisition Package [ADAP]). See your account 
      representative.