Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600, Issue 6, December 1997
Chapter 6: Automated Attendant (page 6-3)
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85

attendant ports can be assigned to a COR with an FRL that is low enough to limit calls to the calling area needed.

NOTE: Stations that are outward restricted cannot use AAR/ARS/WCR trunks. Therefore, the FRL level does not matter, since FRLs are not checked.

Station-to-Trunk Restrictions

Station-to-Trunk Restrictions can be assigned to disallow the automated attendant ports from dialing specific outside trunks. By implementing these restrictions, callers cannot transfer out of the automated attendant menu to an outside facility using Trunk Access Codes.

For DEFINITY G2 and System 85, if TACs are necessary for certain users to allow direct dial access to specific facilities, such as tie trunks, use the Miscellaneous Trunk Restriction feature to deny access to others. For those stations and all trunk-originated calls, always use ARS/AAR/WCR for outside calling.

NOTE: Allowing TAC access to tie trunks on your switch may give the caller access to the Trunk Verification feature on the next switch. If not properly administered, the caller may be able to dial 9 or the TACs in the other switch.

Class of Restriction (System 75, DEFINITY G1 and G3, and DEFINITY ECS only)

Since automated attendant adjunct equipment is considered an extension to the switch, it should be assigned its own COR. Up to 64 CORs can be defined in the system. For DEFINITY G3rV1, G3i-Global, and G3V2, this has been increased to 96 CORs. The CORs are assigned to stations and trunks to provide or prevent the ability to make specific types of calls, or calls to other specified CORs. For example, the automated attendant extension could be assigned to a COR that prohibits any outgoing calls.

Class of Service

An automated attendant port can be assigned a COS. The following COS options relate to toll fraud prevention:

- Call Forward Off-Net: allows a user to call forward outside the switch to non-toll locations.
- Call Forward Follow Me: allows a user to forward calls outside the switch when other options are set.
- Miscellaneous Trunk Restrictions: restricts certain stations from calling certain trunk groups via dial access codes.
- Outward Restriction: restricts the user from placing calls over CO, FX, or WATS trunks using dial access codes to trunks. Outward Restriction also restricts the user from placing calls via ARS/WCR. Use ARS/WCR with WCR toll restrictions instead.
- Toll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead.
- WCR Toll Restriction: restricts users from dialing the ARS or WCR Network I Toll Access Code, or from completing a toll call over ARS/WCR.
- Terminal-to-Terminal Restrictions: restricts the user from placing or receiving any calls except from and to other stations on the switch.

In addition, the following COS options are available on System 85 and G2:

- Code Restriction Level: allows restriction of calls, by selected extension numbers, to areas defined by specific area codes and/or office codes. The switch returns intercept tone whenever the caller dials a code that is not allowed to the caller.
- DID Restriction: denies DID access to specified terminals, preventing these terminals from receiving private network inward dialed calls.
- Terminal-to-Terminal Only Calling Restriction: restricts the user from placing or receiving any calls except to and from other stations on the switch.
- Inward Restriction: prevents voice terminal users at specified extensions from receiving public network calls (DID and CO trunk calls).
- Manual Terminating Line Restriction: prevents voice terminal users at specified extensions from receiving calls other than direct or extended calls from a local attendant (or an attendant within the DCS network).
- Origination Restriction: prevents callers on specified extensions from directly accessing outgoing trunks to the public network.
- Outward Restriction: restricts the user from placing calls over the CO, FX, or WATS trunks using dial access codes to trunks. Outward restriction also restricts the user from placing calls via ARS/WCR. Use ARS/WCR with WCR toll restrictions instead.
- Termination Restriction: prevents voice terminal users on specified extensions from receiving calls, but not from originating calls.
- Toll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead.
- ARS/WCR Toll Restriction: restricts users from dialing the ARS or WCR Network I Toll Access Code or from completing a toll call over ARS/WCR.
- FRL: establishes the user's access to AAR/ARS/WCR routes.
Toll Analysis

When an automated attendant system transfers calls to locations outside the switch, you can use the Toll Analysis form to limit call transfers to the numbers you identify. You can also specify toll calls to be assigned to a restricted call list so automated attendant callers cannot dial the numbers on the list. Call lists can be specified for CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls.

Security Measures

The security measures described in this section use switch restrictions on the automated attendant ports. A disadvantage of this approach is that these restrictions are transparent to the caller; unaware of the restrictions, determined toll hackers may keep trying to get through.

NOTE: Even if you do not use the Remote Access feature, you should review the security measures found in Chapter 3. Some of the security measures described in that chapter can also be used to help secure your automated attendant system.

Limit Transfers to Internal Destinations

You can restrict automated attendant menu options to transfer only to internal extension numbers or announcements by making the automated attendant ports outward-restricted.

!WARNING: Entering "#" transfers calls to the switch; that is, the transfer feature is always available in AVP Auto Attendant, and appropriate outgoing port restrictions must be in place to avoid toll fraud.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- On the Class of Restriction form, create an outward-restricted COR by entering outward in the Calling Party Restriction field.
- Assign the outward-restricted COR to the automated attendant port.
- Assign an FRL of 0 and enter n for all trunk group CORs.

For DEFINITY G2 and System 85:

- Use PROC010 WORD3 FIELD19 to assign outward restriction to the automated attendant port COS.
- To secure the port, assign toll, ARS toll, and Miscellaneous Trunk Group Restrictions, and an FRL of 0.
Prevent Calls to Certain Numbers

If some menu options transfer to locations off-premises, you can still protect the system from unauthorized calls. You can restrict calls to certain area codes and/or country codes, and even to specific telephone numbers.

For DEFINITY ECS and DEFINITY G1 and G3:

- On the Class of Restriction form for the automated attendant ports, enter y in the Restricted Call List field.
- On the Toll Analysis form, specify the phone numbers you want to prevent automated attendant callers from dialing.

For DEFINITY G2:

- For DEFINITY G2.2, send disallowed destinations to action object "0." Do not use PROC314 to mark disallowed destinations with a higher FRL value. PROC314 WORD1 assigns a Virtual Nodepoint Identifier to the restricted dial string. PROC317 WORD2 maps the VNI to the pattern, and PROC317 WORD2 shows the pattern preference, with the FRL in field 4.
- For earlier releases, use PROC313 to enter disallowed destinations in the Unauthorized Call Control table.

Allow Calling to Specified Numbers

A reverse strategy to preventing calls is to allow outbound calls only to certain numbers. For DEFINITY G1 and System 75, you must specify both the area code and the office code of the allowable numbers. For G3, you can specify the area code or telephone number of the calls you allow.

For DEFINITY G1 and System 75:

- Use change ars fnpa xxx to display the ARS FNPA Table, where xxx is the NPA that will have some unrestricted exchanges.
- Route the NPA to an RHNPA table (for example, r1).
- Use change rhnpa r1: xxx to route unrestricted exchanges to a pattern choice with an FRL equal to or lower than the originating FRL of the voice mail ports.
- If the unrestricted exchanges are in the Home NPA, and the Home NPA routes to h on the FNPA Table, use change hnpa xxx to route unrestricted exchanges to a pattern with a low FRL.

NOTE: If assigning a low FRL to a pattern preference conflicts with requirements for other callers (it allows calls that should not be allowed), use ARS partitioning to establish separate FNPA/HNPA/RHNPA tables for the voice mail ports.
For DEFINITY G2 and System 85:

- Use PROC311 WORD2 to establish 6-digit translation tables for foreign NPAs, and assign up to 10 different routing designators to each foreign NPA (area code).
- Use PROC311 WORD3 to map restricted and unrestricted exchanges to different routing designators.
- If the unrestricted toll exchanges are in the Home NPA, use PROC311 WORD1 to map them to a routing designator.
- If the Tenant Services feature is used, use PROC314 WORD1 to map routing designators to patterns. If Tenant Services is not used, the pattern number will be the same as the routing designator number.
- Use PROC309 WORD3 to define the restricted and unrestricted patterns.

For DEFINITY G2.2:

- Use PROC314 WORD1 to assign a Virtual Nodepoint Identifier (VNI) to the unrestricted dial string. Map the VNI to a routing pattern in PROC317 WORD2, and assign a low FRL to the pattern in PROC318 WORD1. If you permit only certain numbers, consider using Network 3, which contains only those numbers.

For DEFINITY ECS and DEFINITY G3:

- Use change ars analysis to display the ARS Analysis screen.
- Enter the area codes or telephone numbers that you want to allow, and assign an available routing pattern to each of them.
- Use change routing pattern to give the pattern preference an FRL that is equal to or lower than the FRL of the voice mail ports.
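The following Python model is an added illustration, not DEFINITY code or anything from the handbook: it shows how the three controls described above (an outward-restricted COR, the Toll Analysis restricted call list, and the FRL comparison between the port and the routing-pattern preference) combine to allow or deny a transfer. The class names, the sample translation, and the assumption that the ARS access code has already been stripped from the dial string are mine.

```python
# Added model of the automated attendant port restrictions above; it is not
# DEFINITY code. Assumed: dial strings arrive with the ARS access code already
# removed, and a call routes only when the port's FRL is >= the FRL of the
# routing-pattern preference it selects.
from dataclasses import dataclass, field


@dataclass
class COR:
    outward_restricted: bool    # Calling Party Restriction field = outward
    frl: int                    # Facility Restriction Level (0 = most restricted)
    restricted_call_list: bool  # Restricted Call List field = y


@dataclass
class Pattern:
    frl: int                    # FRL assigned to the pattern preference


@dataclass
class ArsAnalysis:
    routes: dict = field(default_factory=dict)    # dialed prefix -> Pattern
    restricted: set = field(default_factory=set)  # Toll Analysis restricted list

    @staticmethod
    def longest_match(prefixes, dialed):
        """Longest-prefix match, as ARS analysis does on the dialed string."""
        best = None
        for prefix in prefixes:
            if dialed.startswith(prefix) and (best is None or len(prefix) > len(best)):
                best = prefix
        return best


def decide(port, ars, dialed, ext_len=4):
    """Return (allowed, reason) for a transfer to `dialed` from a port with COR `port`."""
    if dialed.isdigit() and len(dialed) == ext_len:
        return True, "internal extension"          # never leaves the switch
    if port.outward_restricted:
        return False, "COR outward restricted"     # no TAC or ARS trunk access at all
    if port.restricted_call_list and ars.longest_match(ars.restricted, dialed):
        return False, "destination on restricted call list"
    prefix = ars.longest_match(ars.routes, dialed)
    if prefix is None:
        return False, "no ARS route"
    pattern = ars.routes[prefix]
    if port.frl >= pattern.frl:
        return True, f"port FRL {port.frl} >= pattern FRL {pattern.frl}"
    return False, f"port FRL {port.frl} < pattern FRL {pattern.frl}"


# Constructed translation: only NPA 908 sits on a pattern the FRL-0 port can reach,
# the default route ("" matches everything) needs FRL 7, and 900 and 011 are on
# the restricted call list.
ARS = ArsAnalysis(routes={"908": Pattern(frl=0), "": Pattern(frl=7)},
                  restricted={"900", "011"})
AA_PORT = COR(outward_restricted=False, frl=0, restricted_call_list=True)
LOCKED_PORT = COR(outward_restricted=True, frl=0, restricted_call_list=True)

if __name__ == "__main__":
    for number in ("2345", "9085551212", "2125551212", "9005551212", "011442071234567"):
        print(number, decide(AA_PORT, ARS, number))
    print("9085551212 from outward-restricted port:", decide(LOCKED_PORT, ARS, "9085551212"))
```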
Detecting Automated Attendant Toll Fraud

Table 6-2 shows the reports that help determine if your automated attendant system is being used for fraudulent purposes.

Table 6-2. Automated Attendant Monitoring Techniques

  Monitoring Technique                          | Switch                                                                  | Page
  ----------------------------------------------+-------------------------------------------------------------------------+------
  Call Detail Recording (SMDR)                  | DEFINITY ECS, DEFINITY G1, G2, G3, System 75, System 85                 | 6-8
  Traffic Measurements and Performance          | DEFINITY ECS, DEFINITY G1, G2, G3, System 75, System 85                 | 6-10
  Automatic Circuit Assurance                   | DEFINITY ECS, DEFINITY G1, G2, G3, System 75, System 85                 | 6-11
  Busy Verification                             | DEFINITY ECS, DEFINITY G1, G2, G3, System 75, System 85                 | 6-12
  Call Traffic Report                           | DEFINITY ECS, DEFINITY G1, G2, G3, System 75, System 85                 | 6-9
  Trunk Group Report                            | DEFINITY ECS, DEFINITY G1, G3, System 75                                | 6-10
  AUDIX Voice Mail System Traffic Reports       | Any with the AUDIX Voice Mail or AUDIX Voice Power Systems              | 6-13
  AUDIX Voice Mail System Call Detail Recording | Any with AUDIX Voice Mail System R1V5 and later with digital networking | 6-13

Call Detail Recording (CDR) / Station Message Detail Recording (SMDR)

With Call Detail Recording activated for the incoming trunk groups, you can monitor the number of calls into your automated attendant ports. See also "Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only)" on page 3-53.

NOTE: Most call accounting packages discard this valuable security information. If you are using a call accounting package, check to see if the information you need can be stored by making adjustments in the software. If it cannot be stored, be sure to check the raw data supplied by the CDR.

Review CDR for the following symptoms of automated attendant abuse:

- Short holding times on any trunk group where automated attendant is the originating endpoint or terminating endpoint
- Calls to international locations not normal for your business
- Calls to suspicious destinations
- Numerous calls to the same number
- Undefined account codes

NOTE: For DEFINITY G2 and System 85, since the CDR only records the last extension on the call, internal toll abusers transfer unauthorized calls to another extension before they disconnect so that the CDR does not track the originating station. If the transfer is to your automated attendant system, it could give a false indication that your automated attendant system is the source of the toll fraud.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Display the Features-Related System Parameters screen by using change system-parameters feature (G1 and System 75 only) or change system-parameters cdr feature (G3 only).
- Administer the appropriate format to collect the most information. The format depends on the capabilities of your CDR analyzing/recording device.
- Use change trunk-group to display the Trunk Group screen.
- Enter y in the SMDR/CDR Reports field.

For DEFINITY G2:

- Use PROC275 WORD1 FIELD14 to turn on CDR for incoming calls.
- Use PROC101 WORD1 FIELD8 to specify the trunk groups.

Call Traffic Report

This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity.

For DEFINITY ECS, DEFINITY G1, G3, and System 75, traffic data reports are maintained for the last hour and the peak hour. For DEFINITY G2 and System 85, traffic data is available via Monitor I, which can store the data and analyze it over specified periods.
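The CDR symptoms listed above, applied by an added Python script to constructed CDR records; this is not the handbook's tooling and no switch emits this exact layout. The comma-separated record fields, the automated attendant port numbers, the defined account codes, the suspicious prefixes and the burst/repeat counts are assumptions; the short and long holding-time values reuse the ACA defaults the handbook gives (10 seconds and one hour).

```python
# Added CDR reviewer for the automated attendant abuse symptoms above.
# Assumed record layout (constructed): time,duration_sec,trunk_group,originator,dialed,account
from collections import Counter

SHORT_HOLD = 10        # seconds; matches the ACA short holding time default
LONG_HOLD = 3600       # seconds; matches the ACA long holding time default
BURST = 3              # short AA calls on one trunk group before it is flagged
REPEAT = 3             # calls to the same number before it is flagged
AA_PORTS = {"4301", "4302"}             # constructed automated attendant ports
VALID_ACCOUNTS = {"1001", "1002"}       # constructed defined account codes
SUSPICIOUS_PREFIXES = ("900", "809")    # constructed premium-rate prefixes

# Constructed records: an after-hours burst of short calls from the AA ports,
# one very long international call with an undefined account code, and three
# calls to the same 900 number.
SAMPLE_CDR = """\
22:01,4,7,4301,2125551212,1001
22:02,6,7,4301,2125551213,1001
22:03,5,7,4302,2125551214,
22:04,3900,7,4301,011442071234567,9999
22:05,120,8,2210,9085551212,1002
22:06,35,7,4301,9005551212,1001
22:07,40,7,4301,9005551212,1001
22:08,50,7,4302,9005551212,1001
"""


def parse_cdr(text):
    """Split the constructed CDR text into dicts; duration becomes an int."""
    records = []
    for line in text.splitlines():
        t, dur, tg, orig, dialed, acct = line.split(",")
        records.append({"time": t, "dur": int(dur), "tg": tg,
                        "orig": orig, "dialed": dialed, "acct": acct})
    return records


def review_cdr(records, aa_ports=AA_PORTS, valid_accounts=VALID_ACCOUNTS):
    """Return findings keyed by the symptom names used in the handbook."""
    findings = {"short_holding_burst": [], "long_holding": [], "international": [],
                "suspicious_destination": [], "repeated_number": [], "undefined_account": []}
    short_by_tg = Counter()     # short calls per trunk group with an AA endpoint
    by_number = Counter()       # calls per dialed number
    for r in records:
        aa_call = r["orig"] in aa_ports or r["dialed"] in aa_ports
        if aa_call and r["dur"] < SHORT_HOLD:
            short_by_tg[r["tg"]] += 1
        if r["dur"] >= LONG_HOLD:
            findings["long_holding"].append(r["time"])
        if r["dialed"].startswith("011"):          # North American international prefix
            findings["international"].append(r["dialed"])
        if r["dialed"].startswith(SUSPICIOUS_PREFIXES):
            findings["suspicious_destination"].append(r["dialed"])
        if r["acct"] not in valid_accounts:
            findings["undefined_account"].append((r["time"], r["acct"]))
        by_number[r["dialed"]] += 1
    findings["short_holding_burst"] = [tg for tg, n in short_by_tg.items() if n >= BURST]
    findings["repeated_number"] = [num for num, n in by_number.items() if n >= REPEAT]
    return findings


if __name__ == "__main__":
    for symptom, hits in review_cdr(parse_cdr(SAMPLE_CDR)).items():
        print(f"{symptom:24} {hits}")
```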
Trunk Group Report

This report tracks call traffic on trunk groups at hourly intervals. Since trunk traffic is fairly predictable, you can easily establish, over time, what is normal usage for each trunk group. Use this report to watch for abnormal traffic patterns, such as unusually high off-hour loading.

SAT, Manager I, and G3-MT Reporting

Traffic reporting capabilities are built in and are obtained through the System Administrator Tool (SAT), Manager I, and G3-MT terminals. These programs track and record the usage of hardware and software features. The measurements include peg counts (number of times accessed) and call seconds of usage. Traffic measurements are maintained constantly and are available on demand. However, reports are not archived and should therefore be printed to monitor a history of traffic patterns.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- To record traffic measurements:
  - Use change trunk-group to display the Trunk Group screen.
  - In the Measured field, enter both if you have BCMS and CMS, internal if you have only BCMS, or external if you have only CMS.
- To review the traffic measurements, use list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, or outage-trunk) and the timeframe (yesterday-peak, today-peak, or last-hour).
- To review performance, use list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).

ARS Measurement Selection

The ARS Measurement Selection can monitor up to 20 routing patterns (25 for G3) for traffic flow and usage.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change ars meas-selection to choose the routing patterns you want to track.
- Use list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements.

For DEFINITY G2, use Monitor I to perform the same function.
Automatic Circuit Assurance

This monitoring technique detects a number of short holding time calls or a single long holding time call, both of which may indicate hacker activity. Long holding times on Trunk-to-Trunk calls can be a warning sign. The ACA feature allows you to establish time limit thresholds defining what is considered a short holding time and a long holding time.

When a violation occurs, a designated station is visually notified. When a notification occurs, determine if the call is still active. If toll fraud is suspected (for example, aca-short or aca-long is displayed on the designated phone), use the busy verification feature (see "Busy Verification" on page 6-12) to monitor the call in progress.

With Remote Access, when hacker activity is present, there is usually a burst of short holding times as the hacker attempts to break the barrier code or authorization code protection, or long holding time calls after the hacker is successful. An ACA alarm on a Remote Access trunk should be considered a potential threat and investigated immediately. If the call is answered by an automated attendant, a hacker may be attempting to gain access to the system facilities using TACs.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change system-parameters feature to display the Features-Related System Parameters screen.
- Enter y in the Automatic Circuit Assurance (ACA) Enabled field.
- Enter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches. Remote applies if the PBX being administered is a DCS node, perhaps unattended, that wants ACA referral calls to an extension or console at another DCS node.
- Complete the following fields as well: ACA Referral Destination, ACA Short Holding Time Originating Extension, ACA Long Holding Time Originating Extension, and ACA Remote PBX Identification.
- Assign an aca referral button on that station (or the attendant station).
- Use change trunk-group to display the Trunk Group screen.
- Enter y in the ACA Assignment field.
- Establish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time).
- To review, use list measurements aca.
- Administer an aca button on the console or display station to which the referral will be sent.
For DEFINITY G2 and System 85:

- Use PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA systemwide.
- Use PROC120 WORD1 to set ACA call limits and the number of calls threshold.
- Choose the appropriate option:
  - To send the alarms and/or reports to an attendant, use PROC286 WORD1 FIELD3.

Busy Verification

When toll fraud is suspected, you can interrupt the call on a specified trunk group and monitor the call in progress. Callers will hear a long tone to indicate the call is being monitored.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:

- Use change station to display the Station screen for the station that will be assigned the Busy Verification button.
- In the Feature Button Assignment field, enter verify.
- To activate the feature, press the Verify button and then enter the Trunk Access Code and member number to be monitored.

For DEFINITY G2 and System 85:

- Administer a Busy Verification button on the attendant console.
- To activate the feature, press the button and enter the Trunk Access Code and the member number.