Lucent Technologies BCS Products Security Handbook


    							BCS Products
    Security Handbook  
    555-025-600  Issue 6
    December 1997
    Large Business Communications Systems 
    Page 3-25 Security Measures 
    3
    NOTE:
    System 75 R1V2 customers should contact the Lucent Technologies 
    Technical Service Center for “browse” password administration 
    procedures.
    — For System 75 R1V3N and the DEFINITY G1.1N and G3V2, 
    systems are shipped with the customer logins disabled.
    CAUTION:
    Systems upgraded from earlier versions will have the logins 
    and passwords of their previous version. This applies to “N” 
    loads and DEFINITY ECS and DEFINITY G3.
    DEFINITY G3V3 and later systems, which include DEFINITY ECS, 
    are shipped without any customer logins. Customer logins must be 
    assigned when installing the system. Also, DEFINITY G3V2 and 
    later releases, which include DEFINITY ECS, provide additional 
    restrictions on logins. For each login, you can limit up to 20 (40 for 
    DEFINITY G3V3 and later including DEFINITY ECS) objects (for 
    example, stations or trunks) from being administered.
    — For systems covered by warranty, lease, or maintenance contract, 
    Lucent Technologies will routinely change Lucent 
    Technologies-controlled logins.
    • DEFINITY G2 and System 85 have one security code. Use PROC497 
      WORD3 FIELD5 to change it. Customers must notify Lucent Technologies 
      prior to changing the code to ensure ongoing maintenance.
    See Appendix E for information on how to change passwords.
    Restrict Who Can Use Remote Access/Track its Usage
    For maximum security, barrier codes and authorization codes must be given only 
    to the people who have a need to use the feature. For DEFINITY ECS, DEFINITY 
    G1, G2.2 Release 3.0, G3, and System 75 R1V3, use both codes. For DEFINITY 
    G2 and System 85, use a barrier code to access the feature, and then use 
    authorization codes to screen outbound calls.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3:
    • Use change system-parameters feature to display the Feature-Related 
      System Parameters screen.
    • If the software has been purchased, enter y in the Authorization Code 
      Enabled field.
    • Enter 7 in the Authorization Code Length field.
    • Enter # or 1 in the Authorization Code Cancellation Symbol field.
    						
    • When providing attendant coverage, enter y in the Timeout to Attendant 
      field. Invalid entries of authorization codes and failure to enter an 
      authorization code result in a transfer to an attendant.
    • Use change remote-access to display the Remote Access screen.
    • If not already assigned, enter the appropriate extension number in the 
      Remote Access Extension field.
    • Enter 7 in the Barrier Code Length field.
    • If you are using authorization codes, enter y in the Authorization Code 
      Required field, and then enter n in the Remote Access Dial Tone field.
    • Enter up to 10 barrier codes (use all seven digits) and assign each a COR 
      and COS that allow only necessary calls. The COR should be restricted so 
      that even if a hacker deciphers the barrier code, a valid authorization code 
      is still needed to make a call.
    NOTE:
    Use Remote Access only on an as-needed basis, and assign a 
    unique COR to each barrier code. Change the barrier codes 
    periodically. See “Remote Access Barrier Code Aging/Access Limits 
    (DEFINITY G3V3 and Later)” on page 3-61.
    • When assigning authorization codes used only to upgrade FRLs, use an 
      outward-restricted COR with the appropriate FRL. Use change 
      authorization code to display the Authorization Code-COR Mapping 
      screen.
    NOTE:
    Be sure to remove the authorization code whenever an authorized 
    user leaves the company or no longer needs the Remote Access 
    feature.
    • Consider using a special partition group for the Remote Access COR, and 
      then administer the AAR/ARS tables only for those external locations you 
      allow Remote Access users to call. Use change cor to specify either the 
      Time-of-Day routing or partition group. Use change ars analysis partition 
      to define the appropriate partition group.
    • Monitor authorization code usage with CDR. See “Call Detail Recording 
      (CDR) / Station Message Detail Recording (SMDR)” on page 3-48 for 
      further details.
    For DEFINITY G2 and System 85:
    • Use PROC010 WORD1-4 to set COS 31 for Remote Access.
    • Use PROC285 WORD1 FIELD1 to require a barrier code for Remote 
      Access.
    						
    NOTE:
    As an alternative, you can require an authorization code. However, 
    since only one code can be used to gain access to Remote Access, 
    more protection is provided when you require a barrier code to enter 
    Remote Access and then an authorization code to dial out of the 
    system.
    • Use PROC350 WORD2 FIELD1 = 26 to assign an access code that allows 
      you to change the barrier code using the attendant console.
    • When authorization codes are assigned, use PROC282 WORD1 FIELD2 
      to administer the lowest FRL you can.
    • Use PROC286 WORD1 FIELD16 to send calls to an intercept tone, a CAS 
      attendant, or a local attendant when the caller does not enter a code.
    • Use PROC289, Programmable Intercept Treatment, to transfer calls to an 
      attendant when the caller enters an invalid trunk access code, feature 
      access code, or extension.
    • Turn on CDR for incoming calls by entering PROC275 WORD1 FIELD14. 
      Also turn on CDR for the Remote Access Trunk Group using PROC101 
      WORD1 FIELD8. See “Call Detail Recording (CDR) / Station Message 
      Detail Recording (SMDR)” on page 3-48 for more information on CDR.
    Fully Restrict Service
    Fully Restricted Service is assigned to a COR that prevents assigned stations 
    from having access to either incoming or outgoing public network calls. Stations 
    have access to internal calls only. In addition, fully restricted station users cannot 
    use authorization codes to deactivate this feature.
    Any calls from the public network to a station with Fully Restricted Service are 
    redirected to intercept treatment or to the attendant. If the call is redirected to the 
    attendant, the attendant’s display indicates the call is being redirected because of 
    Fully Restricted Service. The reason-code displayed is FULL.
    When the call is redirected to the attendant, the following may be appropriate 
    actions:
    • The attendant connected with a CO may call or intrude on the called station 
      user.
    • The attendant cannot extend, conference, or bridge the redirected call.
    • The attendant can place a CO call on hold and call the station with Fully 
      Restricted Service for consultation.
    						
    Provide Individualized Calling Privileges Using FRLs
    FRLs are used to allow or deny calls when AAR/ARS/WCR route patterns are 
    accessed. An originating FRL assigned to a station or tie-line trunk group must be 
    equal to or greater than the terminating route pattern FRL for the call to be 
    completed. A COR or COS assigned an FRL of 7 is allowed to complete a call on 
    any route pattern. A COR or COS assigned an FRL of 2 can only access route 
    patterns assigned an FRL of 0, 1, 2, or 3. A low FRL should be assigned to analog 
    stations used for voice mail, remote access barrier codes, VDNs, and tie-lines 
    from other systems. Refer to Table 3-3 for a list of suggested FRL values.
    NOTE:
    If dial access is allowed for a trunk group, the caller can bypass the FRL 
    restrictions and directly access the trunk group.
    NOTE:
    FRLs 1 through 7 include the capabilities of the lower FRLs.
    For DEFINITY ECS, DEFINITY G1, G3 and System 75:
    • Use change cor to display the Class of Restriction screen.
    • Enter the FRL number (0 through 7) in the FRL field.
    • Use change route-pattern to display the Route Pattern screen.
    • Assign the appropriate FRL to the route pattern defined by ARS/WCR.
    Table 3-3. Suggested Values for FRLs
    FRL  Suggested Value
    0    No outgoing (off-switch) calls permitted.
    1    Allow local calls only; deny 0+ and 1 800 calls.
    2    Allow local calls, 0+, and 1 800 calls.
    3    Allow local calls plus calls on FX and WATS trunks.
    4    Allow toll calls within the home NPA.
    5    Allow calls to certain destinations within the continental USA.
    6    Allow calls throughout the continental USA.
    7    Allow international calling. Assign Attendant Console FRL 7.
    						
    For DEFINITY G2 and System 85: 
    • Use PROC010 WORD3 FIELD23 to assign FRLs to a station originator’s 
      COS for use with AAR/ARS/WCR trunks. (COS 31 is used for Remote 
      Access.)
    • Use PROC103 WORD1 FIELD2 to assign FRLs to an incoming trunk.
    • Use PROC309 WORD1 FIELD3 to assign FRLs to an ARS route pattern.
    • Use PROC321 WORD1 FIELD4 to assign FRLs to an AAR pattern.
    • On DEFINITY G2.2, use PROC318 WORD1 FIELD4 to assign FRLs on 
      WCR.
    Prevent After-Hours Calling Using Time of Day Routing or Alternate FRLs
    You can regulate the days of the week and specific times that outgoing calls can 
    be made. Depending on the time of day and day of the week, calls can be blocked 
    or routed to the least-costly facility available. Since late evenings and weekends 
    are particularly vulnerable times for toll hacking, set up separate plans with the 
    most restrictive plan reserved for evenings and weekends. If you do not want toll 
    calls made after hours, block them during those times. You can also use Call 
    Vectoring to route to different trunk groups; for example, after hours you may want 
    only 50 trunks available instead of 200. 
    For DEFINITY ECS and DEFINITY G1 and G3:
    • Use change ars analysis partition x to define an ARS Analysis Table to 
      be used for after-hours calling.
    • Use change time-of-day y to select and define a Time of Day plan.
    • Administer the times you want to offer Remote Access and the times you 
      do not.
    • Use change cor xx to assign the Time of Day plan to the COR for barrier 
      codes or authorization codes.
    For DEFINITY G3r:
    • Use change attendant to display the Attendant screen.
    • In the Feature Button Assignment field, enter alt-frl to administer an 
      alternate FRL button on the attendant console. This button is used to 
      activate lower FRLs after business hours so the calling area is limited.
    • Use change alternate frl to assign the alternate FRL that will replace each 
      original FRL when the attendant activates the feature.
    For DEFINITY G2 and System 85:
    • There are three Time of Day plans (seven for G2.2). Use PROC316 
      WORD1 to set day, hour and minute, and plan number.
    						
    • When using WCR, enter PROC311 to separate toll and non-toll numbers 
      into different routing indices. Use PROC314 for tenant services to separate 
      toll and non-toll numbers into different routing indices.
    • Use PROC311, PROC316, and PROC317 to shut down toll routes outside 
      of business hours.
    • Use PROC286 WORD1 FIELD5-12 to lower FRLs after hours to make 
      them more restrictive.
    • Enter PROC203 WORD1 Button Type 19 to set the alternate FRL button 
      on the attendant console. This allows attendants to manually change to 
      alternate FRLs.
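The FRL comparison and the after-hours alternate FRLs described above, modelled as an added example (not code from the handbook or from any switch). The COR names, route patterns, alternate FRL mapping and business-hours schedule are constructed assumptions; the audit also reports the dial-access bypass mentioned in the FRL notes.

```python
from datetime import datetime

# All names and values below are constructed for illustration.
COR_FRL = {"barrier-code": 3, "voice-mail": 0, "sales": 6, "attendant": 7}
# CORs the handbook says should carry a low FRL (voice mail, barrier codes)
LOW_FRL_CORS = {"barrier-code", "voice-mail"}
# Assumed alternate FRL table: original FRL -> FRL in force after hours
ALTERNATE_FRL = {0: 0, 1: 0, 2: 1, 3: 1, 4: 1, 5: 1, 6: 2, 7: 7}
# route pattern -> (pattern FRL, trunk group allows dial access?)
ROUTE_PATTERNS = {
    "local": (1, False),
    "home-npa-toll": (4, False),
    "usa": (6, True),
    "international": (7, False),
}
WEEKDAY_10AM = datetime(1997, 12, 2, 10, 0)    # a Tuesday
SATURDAY_11PM = datetime(1997, 12, 6, 23, 0)   # a Saturday


def after_hours(when):
    """Assumed schedule: business hours are Monday-Friday 08:00-17:59."""
    return when.weekday() >= 5 or not 8 <= when.hour < 18


def effective_frl(cor, when):
    """FRL of the COR, replaced by its alternate FRL outside business hours."""
    frl = COR_FRL[cor]
    return ALTERNATE_FRL[frl] if after_hours(when) else frl


def call_allowed(cor, pattern, when):
    """The originating FRL must be equal to or greater than the pattern FRL."""
    return effective_frl(cor, when) >= ROUTE_PATTERNS[pattern][0]


def reachable(cor, when):
    """Route patterns this COR can complete calls on at the given time."""
    return sorted(p for p in ROUTE_PATTERNS if call_allowed(cor, p, when))


def audit(max_low_frl=1):
    """Flag low-FRL classes set too high and trunk groups that bypass FRLs."""
    findings = []
    for cor in sorted(LOW_FRL_CORS):
        if COR_FRL[cor] > max_low_frl:
            findings.append(f"{cor}: FRL {COR_FRL[cor]} exceeds {max_low_frl}")
    for name, (frl, dial_access) in sorted(ROUTE_PATTERNS.items()):
        if dial_access:
            findings.append(f"{name}: dial access bypasses FRL {frl}")
    return findings


if __name__ == "__main__":
    for cor in COR_FRL:
        print(cor, reachable(cor, WEEKDAY_10AM), reachable(cor, SATURDAY_11PM))
    print(audit())
```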
    Block International Calling
    If your company does not do business overseas, deny everyone the ability to 
    directly dial international calls; in other words, block calling the international dial 
    prefix, for example, 011. However, this will impact your company’s ability to reach 
    the “Telco” operator since 0+ dialing is blocked. This affects credit card calls, 
    Collect calls, Third Party Calls, and Special Use (0700+) numbers.
    For DEFINITY G1 and System 75:
    • Enter change ars fnpa 000 to display the ARS FNPA Table screen.
    ARS Routing Table
    Operator                           000
    Toll Operator                      002
    International Operator             010
    International Direct Dial          011
    Toll Operator Direct Dial          003
    International Operator Assistance  012
    Operator Assistance                001
    						
    • Leave the following FNPA fields for international calling blank, or, for older 
      versions of software, assign them to an unused route pattern (for example, 
      254) with no trunk assignments.
    NOTE:
    As a reminder, not all international calls follow this pattern. For example, 
    Canada uses standard area codes.
    For DEFINITY ECS and DEFINITY G3:
    • Enter change ars analysis partition to display the ARS Analysis screen.
    • Leave the route pattern blank for the following numbers:
    — 01 = international operator
    — 010 = international calls
    — 011 = international calls
    — 10xxx01 = international operator
    — 10xxx011 = international calls
    For DEFINITY G2 and System 85:
    • For DEFINITY G2.1 and System 85, block international calls by not 
      assigning a routing designator in PROC311 WORD1 for office code “1”, or 
      assign “01” to Pattern 1.
    • For DEFINITY G2.2, use digit conversion to reroute international calls to an 
      attendant or do not administer international calling prefixes. Use PROC314 
      WORD1 to route 010 and 011 (7 to 16 digits) to VNI 0.
    • For System 85 R2V4n and DEFINITY G2.12.0, route both 01 and 011 to 
      pattern 1 in PROC311 WORD1.
    Digits Dialed  FNPA Translator Table
    011            11
    010            10
    10xxx011       111
    001            4
    010n           12
    10xxx010       110
    10xxx01        112
    						
    Limit International Calling
    If your company does business overseas with certain countries, you can allow 
    calls to those countries while blocking calls to other countries.
    For DEFINITY G1 and System 75:
    For 000, 011, and each country code to be blocked:
    • Enter change ars fnpa nnn (where nnn is either 000, 011, or the country 
      code to be blocked) to display the ARS FNPA Table screen.
    • For each country where calls are allowed, enter the appropriate routing 
      pattern (r1 through r32).
    • Enter change rhnpa to screen on the next three digits.
    • Disable DAC/FAC dialing (see “Disable Direct Access to Trunks” on page 
      3-35).
    For DEFINITY ECS and DEFINITY G3:
    • Enter change ars analysis to display the ARS Analysis screen.
    • Specify the telephone numbers in the Dial String field that you do not want 
      dialed by entering blank in the routing pattern or routing to a pattern that 
      contains a high FRL.
    • Disable TAC/DAC dialing (see “Disable Direct Access to Trunks” on page 
      3-35).
    • To block calls to countries in the North American dial plan, enter the area 
      code plus any required prefix digit (0 and 1). Be sure to define possible 
      variations of the number. For example, to block calls to the 809 area code, 
      enter 1809 and 0809 with 11 in both the Min and Max fields. If you do not 
      include a prefix digit, enter 10 in both the Min and Max fields.
    For DEFINITY G2 and System 85:
    • For DEFINITY G2.1 and System 85 R2V4, assign numbers to the 
      Unauthorized Call Control feature using PROC313 WORD1. The FRL for 
      unauthorized call control is assigned in PROC275 WORD3 FIELD10. It 
      should be assigned FRL 7.
    • For DEFINITY G2.2, use digit conversion to reroute abused telephone 
      numbers to an attendant or to VNI 0. Enter PROC314 WORD1.
    NOTE:
    Make sure Remote Access barrier codes have properly assigned CORs with 
    FRLs set low to restrict access to the network, and use COR-to-COR 
    restrictions to prevent access to trunk groups.
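An added example (not from the handbook) that checks an ARS analysis table against the blocking rules in “Block International Calling” and “Limit International Calling”, including the missing-variation case for area code 809. The table entries, probe numbers and the longest-match rule are assumptions of this simplified model, not the switch's documented matching behaviour.

```python
from dataclasses import dataclass

DENY = {"", "den"}  # a blank route pattern or "den" both deny the call


@dataclass(frozen=True)
class ArsEntry:
    dial_string: str    # Dial String field; "x" stands for any one digit
    min_len: int        # Min field (total digits dialed)
    max_len: int        # Max field
    route_pattern: str  # route pattern number, "" (blank) or "den"


def resolve(table, dialed):
    """Most specific entry matching `dialed`, or None if nothing matches.
    Assumption: the longest dial string wins, then the fewest wildcards."""
    def hit(e):
        return (e.min_len <= len(dialed) <= e.max_len
                and len(dialed) >= len(e.dial_string)
                and all(p in ("x", d) for p, d in zip(e.dial_string, dialed)))
    hits = [e for e in table if hit(e)]
    return max(hits, key=lambda e: (len(e.dial_string),
                                    -e.dial_string.count("x")), default=None)


def is_blocked(table, dialed):
    """Unmatched numbers are treated as blocked (assumption: no route)."""
    entry = resolve(table, dialed)
    return entry is None or entry.route_pattern in DENY


def audit(table, must_block, must_route):
    """Return the probe numbers whose outcome differs from the policy."""
    wrong = [n for n in must_block if not is_blocked(table, n)]
    wrong += [n for n in must_route if is_blocked(table, n)]
    return wrong


# Constructed table: domestic toll allowed, international denied except
# country code 44, area code 809 denied. BASE forgets the 0809 variation.
BASE = [
    ArsEntry("1", 11, 11, "2"),
    ArsEntry("0", 11, 11, "2"),
    ArsEntry("01", 9, 17, ""),
    ArsEntry("010", 10, 18, ""),
    ArsEntry("011", 10, 18, ""),
    ArsEntry("10xxx01", 14, 22, ""),
    ArsEntry("10xxx011", 15, 23, ""),
    ArsEntry("01144", 12, 18, "5"),
    ArsEntry("1809", 11, 11, "den"),
    ArsEntry("809", 10, 10, "den"),
]
FIXED = BASE + [ArsEntry("0809", 11, 11, "den")]

# Constructed probe numbers
MUST_BLOCK = ["01133123456789", "1028801133123456789",
              "18095551234", "08095551234", "8095551234"]
MUST_ROUTE = ["12125551234", "011442071234567"]

if __name__ == "__main__":
    print("BASE gaps: ", audit(BASE, MUST_BLOCK, MUST_ROUTE))
    print("FIXED gaps:", audit(FIXED, MUST_BLOCK, MUST_ROUTE))
```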
    Select Authorization Code Time-Out to Attendant
    For DEFINITY ECS, DEFINITY G1, G3, and System 75, you can send calls to an 
    attendant if the caller fails to enter a required authorization code within 10 
    seconds. For DEFINITY G2 and System 85, you can route calls to an attendant 
    when callers fail to enter a required telephone number or authorization code within 
    10 seconds.
    For all switches:
    • Select the Timeout to Attendant feature when you administer authorization 
      codes.
    For DEFINITY ECS, DEFINITY G1, G3, and System 75:
    • Use the System-Parameters screen to request authorization code timeout.
    Restrict Calls to Specified Area Codes
    If your business does not make calls to certain area codes, you can prevent users 
    from entering numbers within those area codes.
    For DEFINITY G1 and System 75: See “Allow Calling to Specified Numbers” on 
    page 3-33.
    For DEFINITY ECS and DEFINITY G3:
    • Enter change ars analysis to display the ARS Analysis screen.
    • Specify the telephone numbers in the Dial String field that you do not want 
      dialed. Either leave the field blank, enter den (for deny) in the routing 
      pattern, or use a pattern that contains a high FRL.
    • Disable TAC dialing (see “Disable Direct Access to Trunks” on page 3-35).
    For DEFINITY G2.1 and System 85: 
    • Enter PROC311 WORD1 to send calls for specific area codes to route 
      pattern 1.
    For DEFINITY G2.2:
    • Enter PROC314 to route calls for specific area codes to VNI 0.
    Allow Calling to Specified Numbers
    A reverse strategy to preventing calls is to allow outbound calls only to certain 
    numbers. For DEFINITY G1 and System 75, you must specify both the area code 
    and the office code of the allowable numbers. For DEFINITY ECS and 
    DEFINITY G3, you can specify the area codes or telephone numbers of calls you 
    allow. 
    						
    For DEFINITY G1 and System 75:
    • Enter change ars fnpa xxx, where xxx is the area code, to display the 
      ARS FNPA Tables screen.
    • Assign RHNPA table r1-r32 to the area code. For example, enter change 
      ars fnpa r1:, where r1 is NXX.
    For DEFINITY ECS and DEFINITY G3:
    • Enter change ars analysis to display the ARS Analysis screen.
    • Enter the area codes or telephone numbers you want to allow and assign 
      an available routing pattern to each of them. Remote HNPAs can also be 
      used.
    For DEFINITY G2.2:
    • Use WCR with PROC314 WORD1 and WORD2 and permit only certain 
      numbers. Consider using Network 3, which contains only those numbers, 
      to reduce the administrative clutter in your outgoing calling network.
    Use Attendant Control of Remote Access Calls (DEFINITY G2 and System 85 only)
    Instead of allowing Remote Access callers to dial numbers directly, an attendant 
    can handle the calls. This “shared” option disables the Remote Access feature 
    during business hours when an attendant is available to handle the calls.
    For DEFINITY G2 and System 85:
    • Enter PROC275 WORD2 FIELD10 to specify that the Remote Access 
      trunks are shared. In this case, Remote Access is available only when the 
      switch is in Unattended Console Service (night mode).
    • Assign remote access time-out to the attendant using PROC286 WORD1 
      FIELD16.
    Use Attendant Control of Specific Extensions
    Phones that are in easily-accessible areas (such as lobbies) can be placed in an 
    attendant-controlled group. The attendant can change the restrictions on these 
    phones from the console. 
    For System 75, DEFINITY ECS, and DEFINITY G1 and G3:
    • Enter change feature-access-codes to display the FAC screen.
    • In the User-Control Restrict Activation/Deactivation fields, enter a valid 
      FAC.
    • Enter change system-parameters feature to display the Feature-Related 
      System Parameters screen.
    						