Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Large Business Communications Systems Page 3-35 Security Measures 3

- Specify the type of intercept treatment (announcement, attendant, extension, or tone) the controlled stations will receive.
- Enter change COS to display the Class of Service screen.
- Enter y in the Console Permissions field.
- Enter change station or change attendant to assign the COS to the station handling the controlled restrictions.

For DEFINITY G2 and System 85:
- Enter PROC000 WORDD2 FIELD5 to assign an extension to a group that can be placed under attendant control.
- Have the attendant activate restrictions on these phones as part of the business day closing procedure.

Disable Direct Access to Trunks

All outside calling should be done through AAR/ARS/WCR and never with direct trunk access via DACs. To disable the ability to use DACs for outgoing calls system-wide, use the following procedures.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
For each trunk group in the system:
- Enter change trunk group n (where n is the trunk group number) to display the Trunk Group screen.
- Enter n in the Dial Access field.

For DEFINITY G2 and System 85 R2V2:
- Enter PROC100 WORD1 FIELD7 to deny DAC access to all trunks.

For System 85 R2V3:
- Enter PROC100 WORD1 to deny DAC access to all trunks.

To allow individual stations to use DACs, but deny DAC access to others, use the following procedure.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Place the trunk group in a separate COR.
- Use COR-to-COR restrictions to deny stations with specified CORs from directly accessing the trunk group.

For DEFINITY G2 and System 85:
- Use PROC102 WORD1 to assign trunk groups with dial access allowed to a MTRG.
- Use PROC010 WORD3 FIELD2-10 to deny access to the MTRG.
- If DACs are required by switch users, use PROC275 WORD1 FIELD15 to disable Tandem Tie Trunk calls.

Use Attendant Control of Trunk Group Access

If direct access to trunk groups must be allowed, consider making them attendant-controlled trunk groups. The attendant can then screen the calls. Up to 12 trunk groups can be controlled.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Enter change attendant to display the Attendant screen. In the Feature Button Assignment field, enter act-tr-grp and deact-tr-grp to activate and deactivate attendant control of a trunk group.
- Enter the corresponding Trunk Access Code in the Direct Trunk Group Select Button Assignment field.
- Press the act-tr-grp button to activate Attendant Control of the trunk group.

NOTE: This affects all users, not just Remote Access users. If calls are dialed via AAR/ARS/WCR, these trunks will be skipped in the routing pattern.

For DEFINITY G2 and System 85:
- Enter PROC350 WORD2 FIELD1 = 20 to assign a FAC (System 85) or a Dial Access Code (DAC) (G2) that activates the attendant control feature.
- On the attendant console, press the deactivate button to deactivate the code.
- Each controlled trunk group requires a console key with trunk status indicators.

NOTE: ARS/WCR skips over a trunk group under attendant control. Only when no other route is available will ARS/WCR select an attendant-controlled trunk group.

Disable Facility Test Calls

The Facility Test Call feature provides the ability to make test calls to four types of facilities to ensure the facility is operating properly. The following types of calls are available to both local voice terminal users and Initialization and Administration System (INADS) terminal users:
- Trunk test call — Accesses specific tie or CO trunks, but not DID trunks.
- Touch-tone receiver test call — Accesses and tests the four touch-tone receivers located on a Tone Detector circuit pack or the eight receivers if a TN744 Call Classifier circuit pack is used.
- Time slot test call — Connects the voice terminal user to a specific time slot located on the Time Division Multiplex buses or out-of-service time slots.
- System tone test call — Connects the voice terminal user to specific system tones.

To activate the feature, the Facility Test Calls access code must be assigned. It is recommended that the access code be left blank except when actually testing trunks. (Do not use the default of 197.) The COR of the station user needs to have the Facility Access Trunk Test activated on the COR form.

When properly administered by the customer, the feature enables users to minimize the ability of unauthorized persons to gain access to the network. However, it is the customer’s responsibility to take the appropriate steps to properly implement the features, evaluate and administer the various restriction levels, and protect access codes.

CAUTION: In rare instances, unauthorized individuals may connect to the telecommunications network through the use of test call features. In such cases, applicable tariffs require that the customer pay all network charges for traffic.

For DEFINITY ECS, DEFINITY G1, G3, and System 75, when the user’s COR allows it, test calls can be made to access specific trunks. Do not administer this feature unless you need it, and remove it after the test is completed.

To remove the Facility Test Calls Access Code, use the following procedures.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Enter change feature-access-codes to display the FAC screen.
- Leave the Facility Test Calls Access Code field blank.

For DEFINITY G2 and System 85, calls over a dial-repeating tie line or designated maintenance extension can make trunk verification calls. Use the following procedure to disable this feature system-wide.

For DEFINITY G2 and System 85:
- Use PROC350 WORD2 FIELD1 = 44 to disable the Trunk Verification Feature Dial Access Code.
- Use PROC103 WORD1 FIELD7 to disallow bridge-on for the trunk group.

To allow stations with a specified COR to perform the test, but deny the ability to others, use the procedure below:

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Use change cor to display the Class of Restriction screen.
- Enter y in the Facility Access Trunk Test field.
- Use change station to assign the COR with the FAC test permission to the appropriate station.
- Assign all other stations to a COR with the Facility Access Trunk Test field set to n.
- Never use the default code of 197.
- To monitor its use, assign a trunk access alarm button to a voice terminal.

To help secure the Facility Test Call feature from unauthorized use, follow these steps:
- Remove the access code when not in use.
- Never use the default code.
- Change the code frequently.
- Protect records of the code.
- Use CORs to restrict which users can use the access code.
- Always administer a Trunk Access Alarm button to alert you visually when the feature is enabled. Assign a trk-ac-alm button on the change station form. DEFINITY G3V4 allows the sign off feature to alert the administrator that the code is administered.

Suppress Remote Access Dial Tone

For DEFINITY ECS, DEFINITY G1, G3, and System 75, when an authorization code is required, you can eliminate the Remote Access Dial Tone that callers hear after they enter the required barrier code. After the barrier code is entered, callers will not be given a prompt for the authorization code.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Use change remote-access to display the Remote Access form.
- To suppress the Remote Access Dial Tone, enter n in the Remote Access Dial Tone field.

For DEFINITY G2.2 and System 85:
- You cannot eliminate the dial tone prompt for entry of the authorization or barrier code, nor can you eliminate switch dial tone. You CAN eliminate AAR/ARS dial tone.

For DEFINITY G2.2:
- Use PROC103 WORD1 FIELD15 to suppress WCR dial tone for that trunk group.
- Use PROC312 WORD1 FIELD2 to suppress a specific network’s dial tone for all users.

For DEFINITY G2.1 and System 85:
- Use PROC103 WORD1 FIELD3=2 to set the Network Trunk field to a value of 2 to suppress AAR/ARS dial tone for that trunk group.
- Use PROC285 WORD1 FIELD12 to suppress AAR dial tone for all users.

Disallow Trunk-to-Trunk Transfer

Trunk-to-trunk transfer is a feature that allows an incoming trunk call to be transferred to an outgoing trunk call. If set to yes, the station can hang up and leave the two trunks still connected. If set to no, then the trunks are disconnected as soon as the station hangs up.

For DEFINITY G1, G3V1, G3V2, and System 75:
- Use change system-parameters feature to display the Features-Related System Parameters screen.
- Enter n in the Trunk-to-Trunk Transfer field.

For DEFINITY G2 and System 85:
- Set PROC275 WORD4 FIELD3 to 0 to disable trunk-to-trunk transfer.

For DEFINITY G3V3 and later releases:
- Use change system-parameters to display the Features-Related System Parameters screen.
- Enter the following in the Trunk-to-Trunk Transfer field, as appropriate:
  - Enter a (all) to allow all trunk-to-trunk transfers.
  - Enter r to restrict all public trunks (CO, WATS, FX, DID, and CPE).
  - Enter n (none) to restrict all trunks from being transferred except DCS and CAS.

NOTE: Even if Trunk-to-Trunk Transfer is disallowed, the START 9 RELEASE sequence will supply a dial-tone to the caller, enabling trunk-to-trunk transfer to proceed.

Disable Transfer Outgoing Trunk to Outgoing Trunk

The outgoing trunk to outgoing trunk transfer (OTTOTT) (G3r and G3V2 and later) feature allows a controlling party, such as a station user or attendant, to initiate two or more outgoing trunk calls and then transfer the trunks together. The transfer removes the controlling party from the connection and conferences the outgoing trunks. Alternatively, the controlling party can establish a conference call with the outgoing trunks and then drop out of the conference, leaving only the outgoing trunks on the conference connection.

Since OTTOTT allows calls to be established in which the only parties involved are external to the switch and are on outgoing trunks, it is a perilous enhancement of trunk-to-trunk transfer. To mitigate problems associated with its accidental use, this feature is only administrable on trunk groups on the trunk group form and is enabled using the Disconnect Supervision Out field. This feature is not a system-wide option.

Also, OTTOTT is not intended for use in Distributed Communication System (DCS) networks, since DCS Trunk Turnaround provides comparable capabilities in a much safer way. However, use of OTTOTT with DCS is not prohibited, and may be helpful when one or more of the trunks go off the DCS network.

CAUTION: This feature can be used to transfer an outside party to a trunk over which toll calls might be made.

To minimize the risk of toll fraud with this feature, follow these steps:
- Since trunks have to be specifically administered for OTTOTT, examine the COR and FRL of the trunk group to determine if they are appropriate.
- If the feature is not relevant to your business, do not enable it. If a temporary need for the feature arises, enable it and then turn it off.

Disallow Outgoing Calls from Tie Trunks

If your tie trunks are used solely for office-to-office calling, you can deny access from tie trunks to outgoing AAR/ARS/WCR trunks. This does not affect calls using TACs.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Use change cor to create a new Class of Restriction for the incoming tie line trunk group.
- Assign the lowest possible FRL that provides private network calls to tandem tie trunks.
- Assign COR-to-COR restrictions that give incoming tie lines no direct access calling permissions to CORs of trunk groups that are not dial-access restricted.
- Use change trunk-group to assign the COR to the tie line trunk group.

For G2 and System 85:
- Use PROC103 WORD1 FIELD5=0 to deny access to AAR/ARS/WCR trunks from tie trunks [other than Electronic Tandem Network (ETN) trunks]. However, the calls coming in on an access tie line will not be able to access AAR to dial other network numbers, including extensions that terminate in this PBX. A recommended alternative is to assign a low FRL on the access tie line group in PROC103 WORD1 FIELD2.

Limit Access to Tie Trunks

If you need to make AAR/ARS/WCR calls using tie trunks, you can limit access to the trunks using the following procedures.

For DEFINITY ECS, DEFINITY G1, G3, and System 75:
- Use change cor to display the Class of Restriction screen.
- Assign a higher FRL to provide the calling range required.
- Use change station or change trunk-group to assign the COR to the originating stations or trunks.
- Assign COR-to-COR restrictions that give no calling permissions to other trunk group CORs.

For DEFINITY G2 and System 85:
- When DACs are available to users, enter PROC110 to provide Trunk-to-Trunk restrictions.
- Force the entry of an authorization code with PROC103 WORD1 FIELD6.

NOTE: The caller is not prompted for an authorization code on incoming tie trunk calls with a TCM.

- Set the default FRL to a low value with PROC103 WORD1 FIELD2.

NOTE: ETN trunks pass along the originating station’s FRL as a TCM. Other station permissions are not passed along.

Monitor Trunks

The monitor command displays internal software state information for diagnosis. For DEFINITY ECS and DEFINITY G3, the monitor command can be used by the cust, rcust, bcms and browse customer logins. For G3V3 and later, the monitor command can be used by any super user or non-super user with permission to display administration and maintenance data. The monitor command also helps locate facilities to which the trunk is communicating, and thus allows you to track hacking activity as it occurs. The monitor command provides 30 second updates on trunk activity.

Use Terminal Translation Initialization

For DEFINITY ECS and DEFINITY G3, the Terminal Translation Initialization (TTI) feature allows a user to associate a terminal-administered-without-hardware translation to a valid port address by dialing a special digit sequence (feature access code, 1-to-7-digit TTI security code, and extension) from a terminal connected to the port. It also allows a user to disassociate a terminal from its port location by dialing a similar “disassociate” digit sequence. The feature also includes the administration necessary to change unadministered ports in the switch to “TTI Ports,” or ports from which the TTI association sequence can occur.

CAUTION: This feature may be subject to unauthorized use. Because a person could disassociate voice or data terminals, he or she might also be able to associate with another extension and obtain the other extension’s permissions to dial out.

Require Account Codes

You can use the Forced Entry of Account Code (FEAC) feature to require callers to enter an account code (up to 15 digits) before calls to toll numbers are completed. This option can be specified for an originating station COS (G2 only), for an outgoing trunk group, or for access to ARS/WCR trunks. If an account code is not dialed when required, the call is denied. Although there is no verification of the digits, the digits entered must match the specified length (1 to 15 digits).

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3:
- Use change system-parameters feature to display the Features-Related System Parameters screen.
- Enter 15 in the SMDR/CDR Account Code Length field.
- To activate the measure system-wide, enter y in the Force Entry of Account Codes field.
- To activate the feature on an individual basis, use change cor to display the Class of Restriction screen.
- Enter y in the Force Entry of Account Code field.
- Use change station to assign the COR to the appropriate stations.

NOTE: Station Message Detail Recording (SMDR) and account codes are only required for toll calls.

- For DEFINITY ECS and DEFINITY G3, use change toll to display the Toll Analysis screen.
- Enter dialed strings that require FEAC, and enter x in the Toll and SMDR/CDR FEAC fields. For G3, any dialed string, including 7-digit local numbers, can be identified as “toll.”

For DEFINITY G2 and System 85:
- Use PROC010 WORD2 FIELD5 to force account code entry for an originating station.
- Use PROC101 WORD1 FIELD8 to force account code entry for an outgoing trunk group.
- Use PROC312 WORD1 FIELD3 to force account code entry for access to WCR (G2.2).
- Use PROC275 WORD1 FIELD12 to force account code entry for access to ARS (G2.1 and System 85).
- Use PROC275 WORD1 FIELD13 to set the length of account codes (1 to 15).

Assign COR Restrictions to Adjuncts when Using Expert Agents

In an Expert Agent (EAS) environment, an auto-available split assigned to any adjunct equipment (for example, ICD, CONVERSANT Voice Information System, Voice Mail, or VRU) should have the COR restrictions assigned to the agent login ID. Both the login ID and the extension CORs should have the needed restrictions, but the COR of the login ID takes precedence.

Disable Distinctive Audible Alert

Distinctive Audible Alert on a 2500 set has the potential of returning stutter dial tone when used in conjunction with Voice Response Units — modems, FAX machines, voice mail ports, and CONVERSANT Voice Information System ports. The stutter dial tone, in turn, converts to steady dial tone and allows a call to be made.

Analog ports assigned to adjunct equipment should have the Distinctive Audible Alert feature (a field on the 2500 screen) set to no. The default is yes; thus, it should be changed to no.

For System 75, DEFINITY ECS, DEFINITY G1, and G3, use change station to display the station form. Enter n in the distinctive audible alert field.

Remove Data Origination Code

The Data Origination feature is used in conjunction with modem pooling. It allows users to bypass many system restrictions and gives them access to outside facilities. It has the potential to be used by hackers to compromise a system. The Data Origination default code is 134.

When a voice mail system is set to digits (instead of subscriber), the COR restrictions on the voice ports are not valid when the Data Origination code is used. If a voice mail system is set to digits and 134 is dialed from any phone, the switch returns outside dial tone and allows a call to be processed.

It is recommended that the Data Origination code be removed. If this feature is used, then the code should be changed.

Use World Class Routing Restrictions (DEFINITY G2.2 and G3 only)

For DEFINITY ECS and DEFINITY G2.2 and G3, use the following steps to restrict WCR from unauthorized use.

For DEFINITY ECS and DEFINITY G3:
- Miscellaneous Restrictions (COR-to-COR restrictions) are not observed during AAR/ARS call processing. The FRL value is used instead.
- Use change COR to display the Class of Restriction screen.
- Assign the lowest possible FRL to the barrier code, authorization code, VDN, station, or inbound trunk group. Use change trunk-group to assign the COR to all incoming trunks.
- Use tandem tie trunks for routing private network calls.
- Use change toll to display the Toll screen. Identify what calls are allowed or disallowed.
- Use change ars analysis to display the ARS Toll Analysis screen. Limit long distance and international calls permitted by ARS trunks.
- Use change route-pattern to assign the appropriate FRL for public network trunks in the routing pattern.
- Use change ars analysis to administer ARS Analysis Tables with at least 3- or 4-digit strings.
- Use change ars analysis to distinguish between 7- and 10-digit calls. Use the prefix digit instead of the Min/Max fields for long distance calls.
- Use wild card characters with care.
- Prevent calls by not administering their numbers on the ARS Toll Analysis screen. If the originating endpoint is assigned a toll-restricted COR, this prevents TAC toll calls.