Avaya Products Security Handbook 555-025-600 Comcode 108074378 Issue 7 June 2001
Copyright 2001, Avaya Inc. All Rights Reserved Printed in U.S.A. Notice While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Avaya can assume no responsibility for any errors. Changes and corrections to the information contained in this document may be incorporated into future reissues.
Contents 1 About This Document Scope of this Handbook 1-1 Reason for Reissue 1-3 Intended Audience 1-3 How this Guide is Organized 1-4 Avaya’s Statement of Direction 1-5 Avaya/Customer Security Roles and Responsibilities 1-7 Avaya’s Roles and Responsibilities 1-8 Customer Roles and Responsibilities 1-8 Avaya Security Offerings Avaya Toll Fraud Crisis Intervention Helplines 2 1-9 1-10 1-11 Related Documentation 1-11 Introduction 2-1 Background 2-1 Who is the E
Contents Automated Attendant 3-3 Other Port Security Risks 3-3 Voice Messaging Systems 3-4 Administration / Maintenance Access 3-4 Passwords 4 Changing Default Passwords Choosing Passwords 3-4 3-5 Increasing Adjunct Access Security 3-6 Increasing Product Access (Port) Security 3-6 General Security Measures 3-8 Educating Users 3-8 Establishing a Policy 3-9 Physical Security 3-9 Security Goals Tables 3-10 Large Business Communications Systems 4-1 Keeping Unauthorized
Contents Tools that Restrict Unauthorized Outgoing Calls 4-12 Class of Restriction 4-13 Calling Party and Called Party Restrictions COR-to-COR Restrictions/Calling Permissions Restriction Override (3-way COR Check) 4-14 4-15 4-15 Class of Service 4-16 Facility Restriction Level (FRL) 4-17 Alternate Facility Restriction Levels 4-18 Toll Analysis (G3 only) 4-18 Free Call List 4-18 AAR/ARS Analysis 4-18 ARS Dial Tone 4-19 Station Restrictions 4-19 Recall Signaling (Switchhook Flash) 4
Contents Provide Individualized Calling Privileges Using FRLs 4-30 Prevent After-Hours Calling Using Time of Day Routing or Alternate FRLs 4-32 Block International Calling 4-33 Limit International Calling 4-34 Select Authorization Code Time-Out to Attendant 4-35 Restrict Calls to Specified Area Codes 4-36 Allow Calling to Specified Numbers 4-36 Use Attendant Control of Remote Access Calls (DEFINITY G2 and System 85 only) 4-37 Use Attendant Control of Specific Extensions 4-37 Disable Direc
Contents Call Detail Recording (CDR) / Station Message Detail Recording (SMDR) 4-52 Traffic Measurements and Performance 4-53 Monitor I SAT, Manager I, and G3-MT Reporting ARS Measurement Selection 5 4-54 4-54 4-55 Automatic Circuit Assurance (ACA) 4-55 BCMS Measurements (DEFINITY ECS and DEFINITY G1 and G3 only) 4-56 CMS Measurements 4-57 Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only) 4-57 Security Violations Measurement Report 4-60 Remote Access Barrier Code
Contents Protecting Remote Access Security Tips Protecting Remote System Programming Security Tips Protecting Remote Call Forwarding MERLIN LEGEND/MAGIX Toll Fraud 5-12 5-14 5-14 5-15 5-15 Why Toll Fraud happens 5-15 Tool Fraud Warning Signs 5-15 TIPS to Prevent Toll Fraud 5-16 Responsibility 5-17 Programming Tools to Prevent Fraud 5-17 Security of Your System: Preventing Toll Fraud 5-17 Toll Fraud Prevention 5-19 Physical Security, Social Engineering, and General Security Measures Securi
Contents MERLIN Mail/MERLIN LEGEND Mail/MERLIN Messaging Toll Fraud at a Glance 5-46 LEGEND/MAGIX Toll Fraud Check List 5-46 LEGEND TOLL FRAUD INTERVENTION FORM 5-52 MERLIN Plus Communications System 5-60 Protecting Remote Line Access (R2 only) 5-60 Security Tips 5-60 Protecting Remote Call Forwarding (R2 only) 5-61 PARTNER II Communications System 5-62 PARTNER Plus Communications System 5-62 System 25 5-63 Protecting Remote Access 5-63 Security Tips 5-64 Protecting Remote S
Contents Call Traffic Report Trunk Group Report SAT, Manager I, and G3-MT Reporting ARS Measurement Selection Automatic Circuit Assurance Busy Verification 6-13 6-13 6-13 6-14 6-14 6-15 Protecting the AUDIX, DEFINITY AUDIX, and Avaya INTUITY Voice Mail Systems 6-15 Unauthorized System Use Traffic Reports (AUDIX Voice Mail System Only) Call Detail Recording (AUDIX Voice Mail System Only) Protecting Passwords Security Features Security Measures Security Tips Protecting the AUDIX Voice Power System Traffi
Contents Protecting the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems 6-44 Protecting Automated Attendant Protecting Passwords Security Tips Additional MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System Security Features Messaging 2000 Voice Mail System 6-48 6-49 Maintaining Message 2000 System Security 6-49 Security Recommendations for Remote Access 6-54 PARTNER II Communications System 6-54 Protecting the PARTNER MAIL and PARTNER MAIL
Contents Class of Service Toll Analysis Security Measures 7-5 Limit Transfers to Internal Destinations Prevent Calls to Certain Numbers Allow Calling to Specified Numbers 7-5 7-6 7-6 Detecting Automated Attendant Toll Fraud 7-8 Call Detail Recording (CDR) / Station Message Detail Recording (SMDR) Call Traffic Report Trunk Group Report SAT, Manager I, and G3-MT Reporting ARS Measurement Selection Automatic Circuit Assurance Busy Verification Call Traffic Report Trunk Group Report Traffic Reports Call
Contents PARTNER II Communications System 7-21 PARTNER MAIL and PARTNER MAIL VS Systems 7-21 PARTNER Attendant 7-21 PARTNER Plus Communications System PARTNER MAIL and PARTNER MAIL VS Systems 7-22 PARTNER Attendant 7-22 System 25 AUDIX Voice Power System 8 Other Products and Services Call Management System (R3V4) 7-22 7-22 8-1 8-1 Security Tips 8-1 CMS Helplines 8-2 CallMaster PC Security Tips 8-3 8-3 Multipoint Conferencing Unit (MCU)/Conference Reservation and Control Sys
Contents 10 11 12 Blocking Calls Country Codes 10-1 Blocking Toll Fraud Destinations 10-9 Blocking ARS Calls on DEFINITY G1 and System 75 10-10 Blocking ARS Calls on G2.1 and System 85 10-14 Blocking WCR Calls on DEFINITY G2.
Contents Changing a Login’s Attributes 12-15 Administering Login Command Permissions 12-16 Display a Specified Login List Logins Remove a Login 13 14 12-17 12-17 12-17 Administering the Security Violations Reports 12-18 Changing Your Password 13-1 AUDIX Voice Mail System 13-1 AUDIX Voice Power System 13-2 CONVERSANT Voice Information System 13-2 DEFINITY AUDIX System 13-4 DEFINITY ECS and DEFINITY G1 and G3 13-5 DEFINITY G2 13-6 Avaya INTUITY System 13-6 MERLIN M
Contents 15 Special Security Product and Service Offers 15-1 Remote Port Security Device (RPSD) 15-1 Key and Lock Features 15-2 Securing DEFINITY Systems (Prior to Release 7.2) with the Remote Port Security Device (RPSD) 15-3 Avaya Support 15-3 Securing DEFINITY Systems (Release 7.
Contents 16 Product Security Checklists 16-1 General Security Procedures 16-2 AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems 16-4 AUDIX Voice Power System 16-6 BasicWorks 16-8 CONVERSANT Voice Information System 16-12 DEFINITY ECS, DEFINITY G1 and G3, and System 75 16-14 DEFINITY G2 and System 85 16-20 DIMENSION PBX System 16-24 MERLIN II Communications System 16-27 MERLIN LEGEND Communications System 16-29 MERLIN MAIL Voice Messaging System 16
Contents 17 Large Business Communications Systems Security Tools by Release 17-1 18 Non-supported Products 18-1 Products No Longer Supported 18-1 Non-supported Products as of Dec. 31, 1999 18-1 Non-supported Products as of Sept. 30, 2000 18-2 Non-supported Products as of Dec. 31, 2000 18-2 Non-supported Products as of Dec. 31, 2001 18-2 Non-supported Products as of Dec.
1 About This Document

Scope of this Handbook

This handbook discusses security risks and measures that can help prevent external telecommunications fraud involving the following Avaya products:

Communications Server:
- DEFINITY® Enterprise Communications Server (ECS) Release 5 and later

PBX systems:
- DEFINITY® Generic 1, 2, and 3 Communications Systems
- MERLIN® II Communications System
- MERLIN LEGEND® Communications System
- MERLIN® Plus Communications System
- PARTNER® II Communications System
- PART
- MERLIN MAIL®-ML Voice Messaging System
- MERLIN MAIL® R3 Voice Messaging System
- PARTNER MAIL® System
- PARTNER MAIL VS® System

Other products and services:
- Call Management System (R3V2)
- CallMaster® PC
- Multipoint Conferencing Unit (MCU)
- PassageWay® Telecommunications Interface
- TransTalk™ 9000 Digital Wireless System
- Telephony Services for Netware®

NOTE: Although the DIMENSION® Call Management System is not covered explicitly in this handbook, the information supplied for
Reason for Reissue

This issue, Issue 7 of the Avaya Security Handbook, updates information to include the following:
- General content update
- Avaya services agreement indemnity enhancement

Minor edits and other additions have also been included in this issue.

Intended Audience

Telecommunications managers, console operators, and security organizations within a company should be aware of the information in Chapters 1 and 2.
How this Guide is Organized

The Avaya Security Handbook has the following chapters:

Chapter 1: About This Document
Describes the scope, intended audience, and contents of this handbook. Contains Avaya’s Statement of Direction. Also defines Avaya’s and the customer’s roles and responsibilities.

Chapter 2: Introduction
Provides a background for toll fraud.
Chapter 12: Administering Features of the DEFINITY G3V3 and Later
Provides information on administering features available in DEFINITY Releases G3V3 and later, including the DEFINITY ECS Release 5 and 6.

Chapter 13: Changing Your Password
Tells how to change passwords for systems in the handbook.

Chapter 14: Toll Fraud Job Aids
Provides job aids to help prevent toll fraud.
Avaya’s Statement of Direction

To help customers use and manage their systems in light of the trade-off decisions they make and to ensure the greatest security possible, Avaya commits to the following:
- Avaya products and services will offer the widest range of options available in the industry to help customers secure their communications systems in ways consistent with their telecommunications needs.
Avaya/Customer Security Roles and Responsibilities

The purchase of a telecommunications system is a complicated process involving many phases, including system selection, design, ordering, implementation, and assurance testing. Throughout these phases customers, vendors, and their agents each have specific roles and responsibilities.
Avaya’s Roles and Responsibilities

1. Avaya, as a manufacturer, has the responsibility to PROVIDE the customer with securable technology, the information resources (product documentation) to understand the capabilities of the technology, and the configuration of the equipment when it shipped from the factory.

2.
Avaya Security Offerings

Avaya has developed a variety of offerings to assist in maximizing the security of your system. These offerings include:
- Security Tune-up Service (see Chapter 15).
- Toll Fraud Crisis Intervention Service (see ‘‘Avaya Toll Fraud Crisis Intervention’’ in this section).
- The Product Security Kit, 555-025-601, which includes this Security Handbook. This provides customers with valuable information on recognizing and defending against toll fraud.
Avaya Toll Fraud Crisis Intervention

If you suspect you are being victimized by toll fraud or theft of service, call the appropriate Avaya service:

Toll Fraud Intervention Hotline: 800 643-2353
All systems and products; DEFINITY ECS and DEFINITY Communications Systems, System 75, System 85, MERLIN II, MERLIN LEGEND, MERLIN Plus, PARTNER II, PARTNER Plus, and System 25 Communications Systems (including associated voice mail systems and other adjuncts)

Avaya Technical Services: 800 62
Helplines

For technical assistance or support with DEFINITY ECS, DEFINITY Communications System, System 75, and System 85, contact the Technical Service Center: 800 242-2121

If you require application support assistance or have questions regarding feature functions for the DEFINITY ECS, DEFINITY G1, G2, and G3, System 75, or System 85 Communications Systems, contact the DEFINITY Helpline: 800 225-7585

For assistance with the DEFINITY AUDIX System, call: 800 562-8349

For assis
2 Introduction

Background

Telecommunications fraud is the unauthorized use of a company’s telecommunications service. This type of fraud has been in existence since the 1950s when Direct Distance Dialing (DDD) was first introduced. In the 1970s Remote Access became a target for individuals seeking unauthorized network access. Now, with the added capabilities of voice mail and automated attendant services, customer premises equipment-based toll fraud has expanded as a new type of communications abuse.
Who is the Enemy?

Hackers and Phreakers

Hackers and “phreakers” (phone freaks) use personal computers, random number generators, and password cracking programs to break into even the most sophisticated customer premises equipment-based system if it has not been adequately secured. Once a hacker penetrates a network and provides instructions to toll call sellers, large volumes of unauthorized calls can be made from the switch.
What is in a Loss?

Call sell operations are dependent on calling card numbers or other means to fraudulently use a customer premises equipment-based system. The major calling card vendors monitor calling card usage and shut down in a matter of minutes after detecting the fraud. However, call sell operators know that the traffic on most customer premises equipment-based systems is not monitored. That is why a calling card on the street sells for $30.
Known Toll Fraud Activity

Understanding how hackers penetrate your system is the first step in learning what to do to protect your company. Be aware that hackers communicate very well, are extremely resourceful, and are persistent. The following is a list of known methods hackers use to break into systems.

PBX-Based Activity — Maintenance Port

Maintenance ports are the most recent target of abuse.
— Voice Mail

There are two types of voice mail fraud. The first type, which is responsible for the bulk of equipment-related toll fraud loss, relies on misuse of the call transfer capabilities of voice mail systems. Once thieves transfer to dial tone, they may dial a Trunk Access Code (TAC), Feature Access Code or Facility Access Code (FAC), or extension number.
If the system allows uninterrupted, continuous access, a war dialer can crack a 6-digit code within 6 hours. The codes are then distributed via bulletin boards or pirated voice mailboxes, or are sold to call sell operators. Some systems hang up after a specified number of invalid access attempts, thereby extending the amount of time required to crack the code. However, even if a hacker is disconnected, he or she may call back repeatedly in an attempt to crack the code.
— Looping

Looping is a method that call sell operators use to circumvent restrictions that IXCs (Interexchange Carriers) put in the networks to control calling card fraud. All carriers block calling card calls bound for the 809 area code (to the Dominican Republic) that originate in New York, NY. This is because the Dominican Republic is a common destination for stolen phone calls.
This same scam could also easily apply to messages left on voice mail. The person could state, “I’m John Doe calling from XYZ. Please return my call at 212-540-xxxx.” When you return the call, you are charged $50.00. Another slant to this scam is carried out by messengers who deliver parcels to your office. They will ask to use your company’s phone to call their office. Then they call one of these 976-look-alike numbers and stay on the line for a minute or two.
3 Security Risks

Overview

In order for your system to be secure against toll fraud, you need to address access, egress, and system administration. This handbook addresses those concerns.
Remote Access

Remote Access, or Direct Inward System Access (DISA), permits callers from the public network to access a customer premises equipment-based system to use its features and services. Callers dial into the system using CO, FX, DID, or 800 service trunks. After accessing the feature, the user hears system dial tone, and, for system security, may be required to dial a barrier code, depending on the system.
Automated Attendant

Automated attendant systems direct calls to pre-designated stations by offering callers a menu of available options. Automated attendant devices are connected to a port on the main system and provide the necessary signaling to the switch when a call is being transferred. When hackers connect to an automated attendant system, they try to find a menu choice (even one that is unannounced) that leads to an outside facility.
Voice Messaging Systems

Voice messaging systems provide a variety of voice messaging applications, operating similarly to an electronic answering machine. Callers can leave messages for employees (subscribers) who have voice mailboxes assigned to them. Subscribers can play, forward, save, repeat, and delete the messages in their mailboxes. Many voice messaging systems allow callers to transfer out of voice mailboxes and back into the PBX system.
Administration / Maintenance Access

The following is a list of customer logins for systems in this handbook that provide login capabilities. For information on password parameters, see the applicable system chapter. For information on how to change passwords, see Chapter 13.
Increasing Adjunct Access Security

Since system adjuncts can be used to log in to otherwise “protected” systems, you also should secure access to the following products:
- G3 Management Applications (G3-MA)
- CSM (Centralized System Management)
- CMS (Call Management System)
- Manager III/IV
- Trouble Tracker
- VMAAP

Logins and passwords should be changed and managed in the same manner as the system being managed (for example, the switch or the AUDIX Voice Mail System).
Another area that may be vulnerable to toll fraud is the System 75 and the DEFINITY ECS, DEFINITY G1 and G3 (except G3r) NETCON data channel — the internal extension number that can be used for administration and maintenance access.
General Security Measures

General security measures can be taken systemwide to discourage unauthorized use.

Educating Users

Everyone in your company who uses the telephone system is responsible for system security. Users and attendants need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use.
Establishing a Policy

As a safeguard against toll fraud, follow these guidelines:
- Change passwords frequently (at least quarterly). Set password expiration times and tell users when the changes go into effect. Changing passwords routinely on a specific date (such as the first of the month) helps users to remember to do so.
- Establish well-controlled procedures for resetting passwords.
- Limit the number of invalid attempts to access a voice mail to five or less.
Security Goals Tables

The following tables list the security goals for each communications system, and provide an overview of the methods and steps that are offered through the switches to minimize the risk of unauthorized use of the system. Table 3-1 on page 3-10 provides information for the DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85.
Table 3-1. Security Goals (DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85; table body not recovered)

Table 3-2. Security Goals (table body not recovered)

Table 3-3. Security Goals: PARTNER II and PARTNER Plus Communications Systems (Continued)

Security Goal | Method | Security Tool | Steps
Prevent theft of information via Voice Messaging System | Assign secure passwords | Passwords (PARTNER Plus Communications System R3.
4 Large Business Communications Systems

This chapter provides information on protecting the following:
- DEFINITY ECS Release 5 and later
- DEFINITY Communications Systems
- System 75
- System 85

The first section of this chapter, ‘‘Keeping Unauthorized Third Parties from Entering the System’’, details the major ways third parties enter the system and tells how to keep them from doing so.
Keeping Unauthorized Third Parties from Entering the System

How Third Parties Enter the System

The major ways in which unauthorized third parties gain entry into the system are as follows:
- Remote Access
- Remote Maintenance Port
- Vectors
- Transfers from adjunct systems, including voice mail systems, call prompters, and voice response systems.
Require maximum length barrier codes and authorization codes. For System 75 R1V1 and R1V2, require the entry of a barrier code. For System 85 and releases of DEFINITY G2.1 and G2.2 prior to 3.0, require either a barrier code or an authorization code. For DEFINITY G2 and System 85, require the entry of 11 digits (4-digit barrier code and 7-digit authorization code). For DEFINITY G1, G2.2 Issue 3.
Table 4-1. (table body not recovered)
Figure 4-1. Remote Access call flow (flowchart; only its decision points and outcomes survived extraction):
Incoming Remote Access call: Barrier code required? If not, system dial tone.
Barrier code entered: Valid code? If not, log invalid attempt, apply Security Violation Notification, disconnect call.
Authorization code required? If not, system dial tone and the call is placed.
Authorization code entered: Valid code? If not, route to attendant or disconnect; if so, system dial tone and the call is placed.
For DEFINITY ECS, DEFINITY G1, G3, and System 75, you can assign up to 10 barrier codes to provide the first checkpoint. When barrier codes are required for Remote Access, callers hear a special dial tone, and then must enter a valid barrier code before they can access the PBX system.
For DEFINITY G2 and System 85, either a barrier code or an authorization code (see below) can be required before callers can access switch features or trunks. There is only one 4-digit barrier code for Remote Access. This can be changed using a Feature Access Code, and is normally assigned by the attendant. When callers enter the wrong barrier code, the calls are given intercept treatment.
The authorization code option requires that the caller enter a valid authorization code to receive switch dial tone. The authorization code used for Remote Access has an FRL value used by AAR/ARS/WCR trunks for outgoing calls [see ‘‘Facility Restriction Level (FRL)’’ on page 4-17]. Up to 5,000 authorization codes can be issued to System 75 R1V3 and DEFINITY G1 users, and up to 90,000 for System 85, DEFINITY G2, and G3 users.
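A defender-side model of the two Remote Access checkpoints described above (barrier code, then authorization code) following the decision points of Figure 4-1. This is an added example, not code from the handbook or from any Avaya product; the code values, the five-attempt threshold and the behaviour of disabling Remote Access once Security Violation Notification fires are assumptions.

```python
# Added example (not from the handbook or any Avaya product): a defender-side
# model of the Remote Access call flow in Figure 4-1 and the barrier-code /
# authorization-code checkpoints described in this section.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RemoteAccessConfig:
    # Barrier code -> COR name (up to 10 codes; use all seven digits).
    barrier_codes: Dict[str, str]
    # Authorization code -> FRL the code carries for AAR/ARS/WCR routing.
    authorization_codes: Dict[str, int]
    barrier_code_required: bool = True
    authorization_code_required: bool = True
    # Assumed SVN threshold: after this many invalid attempts, Remote Access
    # is disabled until an administrator re-enables it.
    max_invalid_attempts: int = 5
    # Invalid authorization code: route to attendant (True) or disconnect.
    invalid_auth_to_attendant: bool = True


@dataclass
class SecurityState:
    invalid_attempts: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    svn_applied: bool = False
    remote_access_disabled: bool = False


def _log_invalid_attempt(cfg: RemoteAccessConfig, state: SecurityState,
                         kind: str, code: Optional[str]) -> None:
    """Record an invalid code and apply Security Violation Notification at the threshold."""
    state.invalid_attempts.append((kind, code))
    if len(state.invalid_attempts) >= cfg.max_invalid_attempts:
        state.svn_applied = True
        state.remote_access_disabled = True


def handle_remote_access_call(cfg: RemoteAccessConfig, state: SecurityState,
                              barrier_code: Optional[str] = None,
                              auth_code: Optional[str] = None) -> dict:
    """Walk one incoming Remote Access call through the checkpoints of Figure 4-1."""
    if state.remote_access_disabled:
        return {"outcome": "disconnect", "reason": "Remote Access disabled by SVN"}

    cor = None
    if cfg.barrier_code_required:
        # First checkpoint: the barrier code selects the COR the call runs under.
        if barrier_code not in cfg.barrier_codes:
            _log_invalid_attempt(cfg, state, "barrier", barrier_code)
            return {"outcome": "disconnect", "reason": "invalid barrier code"}
        cor = cfg.barrier_codes[barrier_code]

    if not cfg.authorization_code_required:
        # No second checkpoint: caller gets system dial tone under the barrier code's COR.
        return {"outcome": "call placed", "cor": cor, "frl": None}

    # Second checkpoint: a valid authorization code is still needed even if the
    # barrier code leaked, and it supplies the FRL used for outgoing routing.
    if auth_code not in cfg.authorization_codes:
        _log_invalid_attempt(cfg, state, "authorization", auth_code)
        outcome = "route to attendant" if cfg.invalid_auth_to_attendant else "disconnect"
        return {"outcome": outcome, "reason": "invalid authorization code"}

    return {"outcome": "call placed", "cor": cor, "frl": cfg.authorization_codes[auth_code]}
```

Running a burst of wrong codes through the model shows why the attempt limit matters: once the threshold is reached, even a caller holding valid codes is disconnected until Remote Access is re-enabled.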
Night Service

You can control the time of day that Remote Access is available by using the night service feature. This limits the amount of time Remote Access is available and thus reduces risks. For DEFINITY ECS, DEFINITY G1, G3, and System 75, trunks translated for Remote Access can be given a night service destination.
Protecting Vectors That Contain Call Prompting

Hackers try to enter unanticipated digit strings and deceive the switch into transferring the call to a dial tone source. The Call Prompting feature can collect digits from the user and route calls to a destination specified by those digits and/or do conditional processing according to the digits dialed.
Status Remote Access Command

For DEFINITY G3V4 and later, which includes DEFINITY ECS, the status remote-access command provides the status of remote access. The display provides data on whether or not a barrier code has expired, the expiration date and time of the barrier code, the cause of the expiration, whether Remote Access is disabled (SVN or command), the time and date when it was disabled, and barrier codes.
Tools that Restrict Unauthorized Outgoing Calls

Use the following tools to prevent fraudulent calls and monitor long distance usage. (See Table 4-2.)

Table 4-2. (table body not recovered)
Class of Restriction

For DEFINITY ECS, DEFINITY G1, G3, and System 75, the Class of Restriction (COR) places calling permissions and restrictions on both the calling party and the called extension. Up to 64 CORs can be defined in the system. For DEFINITY ECS, DEFINITY G3rV1, G3i-Global, and G3V2, the number of CORs has been increased to 96. For DEFINITY ECS and DEFINITY G3V3, each COR may be assigned a unique name via the Class of Restriction Form.
Calling Party and Called Party Restrictions

For DEFINITY G3 systems prior to DEFINITY ECS Release 5, as well as for G1 and System 75 systems, the default value of the “Calling Party Restriction” field on the COR form is “none.” Starting with DEFINITY ECS Release 5, the default value of the field is “outward.” This default ensures that the ability to place calls that access public network facilities is assigned only when appropriate.
COR-to-COR Restrictions/Calling Permissions

If it is not practical to dial-access-restrict outgoing or two-way trunk groups, then COR-to-COR restrictions should be used to prevent direct access to those trunk groups. These restrictions can give no calling permissions to CORs assigned to trunk groups or data stations.
Class of Service

For DEFINITY G2 and System 85, station access to various switch features is controlled by options in the Class of Service (COS) associated with the extension number. The following COS options are related to toll fraud prevention:
- Call Forward Off-Net: allows a user to call forward outside the switch to non-toll locations (G2.1). In G2.
For DEFINITY G3V2 and later releases, which includes DEFINITY ECS, an additional COS option is available:
- Call Forward Off/On-Net: allows a user to call forward outside the switch (Off-Net), or inside AND outside the switch to non-toll locations (Off/On-Net).

For DEFINITY G3V4, the list call forward command displays all stations with Call Forwarding On/Off Net Call Forwarding and Busy/Don’t Answer (BY/DA).
Alternate Facility Restriction Levels

For DEFINITY G2, G3r, and System 85, this tool is used with or without authorization codes to replace originating FRL values (the COS FRL versus the AAR/ARS/WCR pattern preference FRL) with an alternate set of values. This allows FRLs to be set to a lower value outside of normal business hours so more restrictions are placed on after-hours calling.

NOTE: A button is assigned to the attendant console to activate alternate FRLs.
ARS Dial Tone

For all switches, the dial tone after the ARS feature access code is optional and can be eliminated to confuse hackers who listen for it. Conversely, however, its elimination may also confuse authorized users who are accustomed to the second dial tone.

Station Restrictions

If access to trunks via TACs is necessary for certain users to allow direct dial access to specific facilities, use the appropriate restrictions.
Restrictions — Individual and Group-Controlled (DEFINITY ECS, DEFINITY G1, G3, and System 75)

For DEFINITY ECS, DEFINITY G1, G3, and System 75, individual and group-controlled restrictions allow an attendant or voice terminal user with console permission to activate and deactivate the following restrictions for an individual terminal or a group of voice terminals:
- Outward — The voice terminals cannot be used for placing calls to the public network.
Restricting Incoming Tie Trunks

You can deny access to AAR/ARS/WCR trunks when the caller is on an incoming tie trunk. For all the switches, you can force the caller to enter an authorization code when AAR/ARS/WCR is used. Use the COR of the incoming tie trunk to restrict calls from accessing the network. Set the calling party restriction to outward, set the FRL to 0, and specify n for all other trunk group CORs on the calling permissions screen.
DEFINITY G3V3 and later releases, including DEFINITY ECS Release 5 and later, offer three options:
- all — All trunks are transferred.
- restricted — Public network trunks are not transferred.
- none — No trunks are transferred.

NOTE: Starting with DEFINITY ECS Release 5, trunk-to-trunk transfer is automatically restricted via administration. To this end, the “Restriction Override” field in the Class of Restriction form is set to none by default.
World Class Routing (DEFINITY ECS and DEFINITY G2.2 and G3 only)

The World Class Routing (WCR) feature replaces and enhances the AAR/ARS feature. Specific digit strings are assigned to either allow or deny calls. The 900 look-alike numbers can be routed for interception. The 800 numbers for ICX carriers can be blocked. This still allows normal 800 numbers to be dialed. Specific international numbers can also be blocked.
Station Security Codes (SSCs)

Station Security Codes (SSCs) are used with two features: Personal Station Access and Extended User Administration of Redirected Calls. Starting with DEFINITY ECS Release 5, the Security Violations Status report shows the 16 most recent invalid attempts of SSC use. The report is refreshed every 16 seconds, and it shows the date, time, port/extension, FAC, and dialed digits for each invalid attempt.
Security Tips

PSA/TTI transactions are recorded in the history log, which can be accessed by entering the list history command at the prompt. If there is a concern about unauthorized PSA/TTI usage, refer to the history log for verification. To enable recording PSA/TTI transactions, access the Feature-Related System Parameters form by entering the change system-parameters features command at the prompt.
For remote users, an additional security precaution for feature access is provided via the Telecommuting Access Extension. This extension provides access only to this feature; access to any other system features or functions via this extension is denied. Access to the extended forwarding capability provided by this feature is controlled by the “Extended Forwarding All” and “Extended Forwarding B/DA” fields in the COS form.
Security Measures

The following procedures explain how to use security tools to create restrictions that help prevent unauthorized access to your PBX system’s facilities.

Require Passwords

For DEFINITY ECS, DEFINITY G1, G3, and System 75, passwords may be up to 7 alphanumeric characters (11 for G3V3 and later). For System 85 and DEFINITY G2, the security code may be up to 6 digits. Change passwords for system logins frequently according to the guidelines listed below.
Large Business Communications Systems DEFINITY G3V3 and later systems, which includes DEFINITY ECS, are shipped without any customer logins. Customer logins must be assigned when installing the system. Also, DEFINITY G3V2 and later releases, which includes DEFINITY ECS, provide additional restrictions on logins. For each login, you can limit up to 20 (40 for DEFINITY G3V3 and later including DEFINITY ECS) objects (for example, stations or trunks) from being administered.
Security Measures Enter up to 10 barrier codes (use all seven digits) and assign each a COR and COS that allow only necessary calls. The COR should be restricted so that even if a hacker deciphers the barrier code, a valid authorization code is still needed to make a call. NOTE: Use Remote Access only on an as-needed basis, and assign a unique COR to each barrier code. Change the barrier codes periodically. See ‘‘Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later)’’ on page 4-66.
Large Business Communications Systems Use PROC286 WORD1 FIELD16 to send calls to an intercept tone, a CAS attendant, or a local attendant when the caller does not enter a code. Use PROC289, Programmable Intercept Treatment, to transfer calls to an attendant when the caller enters an invalid trunk access code, feature access code, or extension. Turn on CDR for incoming calls by entering PROC275 WORD1 FIELD14. Also turn on CDR for the Remote Access Trunk Group using PROC101 WORD1 FIELD8.
NOTE: FRLs 1 through 7 include the capabilities of the lower FRLs.

Table 4-3. Suggested Values for FRLs
FRL  Suggested Value
0    No outgoing (off-switch) calls permitted.
1    Allow local calls only; deny 0+ and 1 800 calls.
2    Allow local calls, 0+, and 1 800 calls.
3    Allow local calls plus calls on FX and WATS trunks.
4    Allow toll calls within the home NPA.
5    Allow calls to certain destinations within the continental USA.
6    Allow calls throughout the continental USA.

Prevent After-Hours Calling Using Time of Day Routing or Alternate FRLs
You can regulate the days of the week and the specific times at which outgoing calls can be made. Depending on the time of day and day of the week, calls can be blocked or routed to the least-costly facility available. Because late evenings and weekends are particularly vulnerable times for toll hacking, set up separate plans and reserve the most restrictive plan for evenings and weekends.

Block International Calling
If your company does not do business overseas, deny everyone the ability to dial international calls directly; in other words, block the international dial prefix (for example, 011). Note that if you block all 0+ dialing as part of this, the “Telco” operator becomes unreachable, which affects credit card calls, collect calls, third-party calls, and Special Use (0700+) numbers.

For DEFINITY ECS and DEFINITY G3: Enter change ars analysis partition to display the ARS Analysis screen. Set the route pattern to “DEN” (deny) for the following dial strings:
— 01 = international operator
— 010 = international calls, operator-assisted
— 011 = international calls, direct
— 101xxxx01 = international operator
— 101xxxx011 = international calls, direct
For DEFINITY G2 and System 85: For DEFINITY G2.

For DEFINITY ECS and DEFINITY G3: Enter change ars analysis to display the ARS Analysis screen. Specify the telephone numbers that you do not want dialed in the Dial String field, and either leave the routing pattern blank or route them to a pattern that carries a high FRL. Disable TAC/DAC dialing (see ‘‘Disable Direct Access to Trunks’’ on page 4-38). To block calls to countries within the North American dial plan, enter the area code plus any required prefix digit (0 or 1).

Restrict Calls to Specified Area Codes
If your business does not make calls to certain area codes, you can prevent users from dialing numbers within those area codes. For DEFINITY G1 and System 75: See ‘‘Allow Calling to Specified Numbers’’ on page 4-36. For DEFINITY ECS and DEFINITY G3: Enter change ars analysis to display the ARS Analysis screen. Specify the telephone numbers that you do not want dialed in the Dial String field.
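The FRL table, the Alternate FRL plan, and the ARS Analysis deny entries above all feed one decision: does this station get this dial string? The following is an added example, not Avaya code and not a transcript of any DEFINITY screen, that models that decision in Python. It generalises the text slightly: the ARS Analysis table is a longest-prefix match (the way the real screen resolves overlapping dial strings), and the after-hours case swaps in an alternate FRL. The specific entries, route pattern numbers, FRL values, and the local exchange 555 are assumptions chosen to mirror Table 4-3 and the international deny list; a real switch's tables will differ.

```python
"""Added example (not Avaya code): a small model of how DEFINITY-style ARS
Analysis and Facility Restriction Levels decide whether an outgoing call is
allowed.  Dial-string entries, pattern numbers and FRL values are illustrative
assumptions based on Table 4-3 and the international deny list."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

DENY = "den"  # stands in for a route pattern of "den" on the ARS Analysis screen


@dataclass(frozen=True)
class RoutePattern:
    number: int
    frl: int  # minimum FRL the caller needs to take this pattern


# ARS Analysis table: dial-string prefix -> route pattern or DENY.
# The longest matching prefix wins, as on the ARS Analysis screen.
ARS_ANALYSIS: Dict[str, Union[RoutePattern, str]] = {
    "0":    RoutePattern(2, frl=2),  # 0+ operator-assisted: FRL 2 (Table 4-3)
    "01":   DENY,                    # international operator
    "010":  DENY,                    # international, operator-assisted
    "011":  DENY,                    # international, direct
    "1":    RoutePattern(6, frl=6),  # 1+ toll throughout the continental USA
    "1800": RoutePattern(2, frl=2),  # 1 800 calls: FRL 2 (Table 4-3)
    "1809": DENY,                    # area code frequently associated with fraud
    "1900": DENY,                    # premium-rate
    "976":  DENY,                    # premium-rate local exchange
    "555":  RoutePattern(1, frl=1),  # assumed local exchange: FRL 1
}


def analyze(dialed: str) -> Tuple[str, Optional[Union[RoutePattern, str]]]:
    """Longest-prefix match of the dialed digits against ARS_ANALYSIS.
    Returns ("", None) when no entry matches."""
    best = ""
    for prefix in ARS_ANALYSIS:
        if dialed.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return best, (ARS_ANALYSIS[best] if best else None)


def call_permitted(dialed: str, station_frl: int,
                   after_hours: bool = False, alternate_frl: int = 0) -> Tuple[bool, str]:
    """Decide whether a station may place the call.

    after_hours/alternate_frl model the Alternate FRL plan: outside business
    hours the station is judged by its (lower) alternate FRL instead of its own.
    """
    digits = "".join(ch for ch in dialed if ch.isdigit())
    effective_frl = alternate_frl if after_hours else station_frl
    prefix, pattern = analyze(digits)
    if not prefix:
        return False, "no ARS Analysis entry (treated as deny)"
    if pattern == DENY:
        return False, f"dial string {prefix} is denied"
    if effective_frl < pattern.frl:
        return False, (f"FRL {effective_frl} is below the FRL {pattern.frl} "
                       f"required by route pattern {pattern.number}")
    return True, f"routed via pattern {pattern.number}"


if __name__ == "__main__":
    for number, frl in [("011 44 20 7946 0000", 7), ("1 800 555 0100", 2),
                        ("1 212 555 0100", 5), ("555 0100", 1), ("1 900 555 0100", 7)]:
        print(f"{number:>20}  FRL {frl}: {call_permitted(number, frl)}")
```

Two things the handbook's prose leaves implicit show up in the code: a deny entry wins regardless of FRL, so raising a station's FRL never unblocks 011, and a station with FRL 7 that is given an alternate FRL of 1 after hours is cut back to local calling without any change to its own COR.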
For DEFINITY G2.2: Use WCR with PROC314 WORD1 and WORD2 and permit only certain numbers. Consider using Network 3, which contains only those numbers, to reduce the administrative clutter in your outgoing calling network.

Use Attendant Control of Remote Access Calls (DEFINITY G2 and System 85 only)
Instead of allowing Remote Access callers to dial numbers directly, an attendant can handle the calls.

For DEFINITY G2 and System 85: Enter PROC000 WORD2 FIELD5 to assign an extension to a group that can be placed under attendant control. Have the attendant activate restrictions on these phones as part of the business day closing procedure.

Disable Direct Access to Trunks
All outside calling should be done through AAR/ARS/WCR and never with direct trunk access via DACs.

Use Attendant Control of Trunk Group Access
If direct access to trunk groups must be allowed, consider making them attendant-controlled trunk groups so that the attendant can screen the calls. Up to 12 trunk groups can be controlled. For DEFINITY ECS, DEFINITY G1, G3, and System 75: Enter change attendant to display the Attendant screen. In the Feature Button Assignment field, enter act-tr-grp and deact-tr-grp to activate and deactivate attendant control of a trunk group.

Time slot test call: Connects the voice terminal user to a specific time slot on the Time Division Multiplex buses or to out-of-service time slots. System tone test call: Connects the voice terminal user to specific system tones. To activate the feature, the Facility Test Calls access code must be assigned. It is recommended that the access code be left blank except when trunks are actually being tested. (Do not use the default of 197.

For DEFINITY ECS, DEFINITY G1, G3, and System 75: Use change cor to display the Class of Restriction screen. Enter y in the Facility Access Trunk Test field. Use change station to assign the COR with the FAC test permission to the appropriate station. Assign all other stations to a COR with the Facility Access Trunk Test field set to n. Never use the default code of 197. To monitor its use, assign a trunk access alarm button to a voice terminal.

For DEFINITY G2.2: Use PROC103 WORD1 FIELD15 to suppress WCR dial tone for that trunk group. Use PROC312 WORD1 FIELD2 to suppress a specific network’s dial tone for all users. For DEFINITY G2.1 and System 85: Use PROC103 WORD1 FIELD3=2 to set the Network Trunk field to a value of 2, which suppresses AAR/ARS dial tone for that trunk group. Use PROC285 WORD1 FIELD12 to suppress AAR dial tone for all users.
Disable Transfer Outgoing Trunk to Outgoing Trunk
The outgoing trunk to outgoing trunk transfer (OTTOTT) feature (G3r and G3V2 and later) allows a controlling party, such as a station user or attendant, to initiate two or more outgoing trunk calls and then transfer the trunks together. The transfer removes the controlling party from the connection and conferences the outgoing trunks.

Disallow Outgoing Calls from Tie Trunks
If your tie trunks are used solely for office-to-office calling, you can deny access from tie trunks to outgoing AAR/ARS/WCR trunks. This does not affect calls placed using TACs. For DEFINITY ECS, DEFINITY G1, G3, and System 75: Use change cor to create a new Class of Restriction for the incoming tie line trunk group. Assign the lowest possible FRL that still permits private network calls to tandem tie trunks.

Set the default FRL to a low value with PROC103 WORD1 FIELD2. NOTE: ETN trunks pass along the originating station’s FRL as a TCM (Traveling Class Mark); other station permissions are not passed along.

Monitor Trunks
The monitor command displays internal software state information for diagnosis. For DEFINITY ECS and DEFINITY G3, the monitor command can be used by the cust, rcust, bcms, and browse customer logins.

For DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3: Use change system-parameters features to display the Feature-Related System Parameters screen. Enter 15 in the SMDR/CDR Account Code Length field. To activate the measure system-wide, enter y in the Force Entry of Account Codes field. To activate the feature for individual users, use change cor to display the Class of Restriction screen and enter y in the Force Entry of Account Code field.

Disable Distinctive Audible Alert
Distinctive Audible Alert on a 2500 set can return stutter dial tone when used in conjunction with Voice Response Units (modems, FAX machines, voice mail ports, and CONVERSANT Voice Information System ports). The stutter dial tone, in turn, converts to steady dial tone and allows a call to be made.

Use change ars analysis to display the ARS Toll Analysis screen. Limit the long distance and international calls permitted on ARS trunks. Use change route-pattern to assign the appropriate FRL to public network trunks in the routing pattern. Use change ars analysis to administer the ARS Analysis Tables with at least 3- or 4-digit strings, and to distinguish between 7- and 10-digit calls.
Change Override Restrictions on 3-way COR Check
For G3V2 and later releases, the Restriction Override feature is used with the 3-way COR check on transfer and/or conference calls. The default is none. See “Restriction Override” on page 4-14 for more information.

Detecting Toll Fraud
After you have taken the appropriate security measures, use the monitoring techniques described in this section to routinely review system activity.

Table 4-4.

Forced Password Aging and Administrable Logins
DEFINITY G3V3 and later releases, which include DEFINITY ECS, provide two features for enhanced login/password security. The first, Forced Password Aging, is a feature that the superuser administering the logins may activate. The password for each login can be aged starting from the date the password was created or changed and continuing for a specified number of days, from 1 to 99.

Commands for DEFINITY G3V3 and later, which includes DEFINITY ECS, are grouped into three categories: common, administration, and maintenance. Each category has a group of subcategories, and each subcategory has a list of command objects that the commands act on. A superuser can set a user’s permissions to restrict or block access to any command in these categories.
Review CDR/SMDR records for the following symptoms of abuse:
— Short holding times on one trunk group
— Patterns of authorization code usage (the same code used simultaneously, or high activity on one code)
— Calls to international locations that are not normal for your business
— Calls to suspicious destinations
— High numbers of “ineffective call attempts,” indicating attempts to enter invalid barrier codes or authorization codes
— Numerous calls to the same number
— Undefined account codes
For DEFINITY G1
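The symptom list above is what an analyst looks for by eye; it is also straightforward to run as checks over an exported CDR file. The following is an added example, not Avaya code and not a parser for any real DEFINITY CDR format: it uses a simplified six-field record and constructed sample records. The short holding time of 10 seconds is the ACA default given later in this chapter; the other thresholds (three short calls per trunk group, three calls to one number, three ineffective attempts, business hours of 07:00 to 18:59) and the expected country code 44 are assumptions for the example.

```python
"""Added example (not Avaya code): a review of CDR/SMDR records for the abuse
symptoms listed above.  The record layout, thresholds and the sample records
are constructed for illustration; a real DEFINITY CDR export has a different
field set and would need its own parser."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Set, Tuple

# (start time, duration in seconds, trunk group, dialed digits, auth code, completed)
CdrRecord = Tuple[str, int, int, str, str, bool]

SHORT_HOLDING_SECONDS = 10     # ACA short-holding-time default in this handbook
SHORT_HOLDING_COUNT = 3        # assumed: flag a trunk group at this many short calls
REPEAT_THRESHOLD = 3           # assumed: flag a destination dialed this often
BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 is normal calling time

# Constructed sample, not real switch output.
SAMPLE_CDR: List[CdrRecord] = [
    ("2001-06-02 02:10:00",   5, 1, "0114412345678", "7201", True),
    ("2001-06-02 02:10:20",   4, 1, "0114412345678", "7201", True),
    ("2001-06-02 02:10:40",   6, 1, "0114412345678", "7201", True),
    ("2001-06-02 02:11:00", 600, 2, "0114412345678", "7201", True),
    ("2001-06-02 02:12:00", 300, 2, "0115511234567", "7201", True),
    ("2001-06-02 09:30:00", 120, 2, "12125551212",   "",     True),
    ("2001-06-02 10:00:00",   0, 3, "",              "9999", False),
    ("2001-06-02 10:00:15",   0, 3, "",              "9998", False),
    ("2001-06-02 10:00:30",   0, 3, "",              "9997", False),
    ("2001-06-02 10:00:45",   0, 3, "",              "9996", False),
    ("2001-06-02 14:00:00",  90, 2, "0114420123456", "",     True),
]


def _is_toll(dialed: str) -> bool:
    """Off-net toll call: international (011) or 1+ dialing."""
    return dialed.startswith("011") or dialed.startswith("1")


def review_cdr(records: Sequence[CdrRecord],
               expected_country_codes: Set[str] = frozenset({"44"})) -> Dict[str, object]:
    short_by_group: Counter = Counter()
    by_auth: defaultdict = defaultdict(list)
    unexpected_intl: List[str] = []
    after_hours: List[str] = []
    destinations: Counter = Counter()
    ineffective = 0

    for start_s, duration, trunk_group, dialed, auth, completed in records:
        start = datetime.fromisoformat(start_s)
        if not completed:
            ineffective += 1          # failed barrier/authorization code attempts
            continue
        if duration < SHORT_HOLDING_SECONDS:
            short_by_group[trunk_group] += 1
        if auth:
            by_auth[auth].append((start, start + timedelta(seconds=duration)))
        if dialed.startswith("011"):
            rest = dialed[3:]
            if not any(rest.startswith(cc) for cc in expected_country_codes):
                unexpected_intl.append(dialed)
        if _is_toll(dialed) and start.hour not in BUSINESS_HOURS:
            after_hours.append(start_s)
        destinations[dialed] += 1

    # Same authorization code in use on two overlapping calls.
    simultaneous: List[Tuple[str, str, str]] = []
    for auth, intervals in by_auth.items():
        intervals.sort()
        for i, (s1, e1) in enumerate(intervals):
            for s2, _ in intervals[i + 1:]:
                if s2 < e1:
                    simultaneous.append((auth, s1.isoformat(" "), s2.isoformat(" ")))

    return {
        "short_holding_trunk_groups": sorted(
            (tg, n) for tg, n in short_by_group.items() if n >= SHORT_HOLDING_COUNT),
        "simultaneous_auth_codes": simultaneous,
        "unexpected_international": unexpected_intl,
        "after_hours_toll": after_hours,
        "repeated_destinations": sorted(
            (d, n) for d, n in destinations.items() if n >= REPEAT_THRESHOLD),
        "ineffective_attempts": ineffective,
    }


if __name__ == "__main__":
    for symptom, finding in review_cdr(SAMPLE_CDR).items():
        print(f"{symptom}: {finding}")
```

Run against the sample, the review flags trunk group 1 for short holding times, authorization code 7201 for two overlapping calls, one call to an unexpected country, five toll calls placed at 02:00, one number dialed four times, and four ineffective attempts in under a minute. On a real export, tune the thresholds to the site's traffic before alerting on them.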
Monitor I
For DEFINITY G2 and System 85, the optional Monitor I tracks call volume and alerts you when the number of calls exceeds a predetermined threshold. Monitor I is a UNIX software package that collects measurement data from G2 and System 85 switches, stores the results, and produces various types of analysis reports. With Monitor I, you can set up thresholds for the expected normal traffic flow on each of your trunk groups.

ARS Measurement Selection
The ARS Measurement Selection feature can monitor up to 20 routing patterns (25 for DEFINITY ECS and DEFINITY G3) for traffic flow and usage. For DEFINITY ECS, DEFINITY G1, G3, and System 75: Enter change ars meas-selection to choose the routing patterns you want to track. Enter list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements.

To review and verify the entries, enter list aca-parameters. Enter change trunk-group to display the Trunk Group screen and enter y in the ACA Assignment field. Establish short and long holding times; the defaults are 10 seconds (short holding time) and one hour (long holding time). To review an audit trail of ACA referral call activity, enter list measurements aca.

CMS Measurements
This monitoring technique measures traffic patterns and times on calls and compares them to traffic-count and time-limit thresholds. An exceptions log records every case in which the traffic counts or time limits exceed the preset thresholds. For DEFINITY ECS and DEFINITY G1 and G3: Use change trunk-group to display the Trunk Group screen. In the Measured field, enter external if you have only CMS, or both if you have both BCMS and CMS.

The SVN time interval selected, in conjunction with the threshold, specifies when a referral call occurs. For example, if the barrier code threshold is set to 10 with a time interval of two minutes, a referral call occurs whenever 10 or more invalid barrier codes are entered within two minutes.

Enter the extension number of the person who will monitor violations in the Referral Destination field(s). For releases before DEFINITY G3V3, this destination must be a station equipped with a display module or an attendant console. In DEFINITY G3V3 and later, which includes DEFINITY ECS, if an announcement extension is administered, the referral destination does not require a display module.

In addition to the SVN features already discussed (SVN Authorization Code Violation Notification, SVN Referral Call With Announcement, and the new/renamed Referral Call Buttons), DEFINITY G3V3 and later releases offer the following SVN features: SVN Remote Access Violation Notification with Remote Access Kill After “n” Attempts. This feature disables the Remote Access feature following a Remote Access security violation.
For DEFINITY ECS and DEFINITY G3, the report is divided into two sub-reports, a Summary report and a Detail report. NOTE: The report header lists the switch name and the date and time the report was requested. The Security Violations Summary Report has the following fields:
— Counted Since: The time at which the counts on the report were last cleared and started accumulating again, or when the system was initialized.

— Login Forced Disconnects: The total number of login processes that were disconnected automatically by the switch because the threshold for consecutive invalid login attempts had been exceeded for the given port type. The threshold is three attempts.
— Login Security Violations: The total number of login security violations for the given port type.

For DEFINITY ECS and DEFINITY G3: Use monitor security-violations for a real-time report of invalid attempts to log in, either through system administration or through Remote Access using invalid barrier codes.

INADS: The INADS (Initialization and Administration System) port. EIA: Other EIA ports. The following abbreviations are used for DEFINITY G3r: SYSAM-LCL: Local administration to Manager 1. SYSAM-RMT: Dial-up port on the SYSAM board, typically used by Services for remote maintenance and used by the switch to call out with alarm information. SYS-PORT: System ports accessed through the TDM bus.

— Auth Code: The invalid authorization code entered.
— TG No: The trunk group number associated with the trunk where the Remote Access attempt terminated. It appears only when an authorization code is used to access a trunk.
— Mbr: The trunk group member number associated with the trunk where the Remote Access attempt terminated. It appears only when an authorization code is used to access a trunk.
— Barrier Code: The incorrect barrier code that resulted in the invalid access attempt.

Remote Access Barrier Code Aging/Access Limits (DEFINITY G3V3 and Later)
For DEFINITY G3V3 and later, including DEFINITY ECS, Remote Access Barrier Code Aging allows the system administrator to specify the time interval for which a barrier code is valid, the number of times a barrier code can be used to access the Remote Access feature, or both.
Recent Change History Report (DEFINITY ECS and DEFINITY G1 and G3 only)
The latest administration changes are tracked automatically on DEFINITY ECS and DEFINITY G1 and G3. For each administration change, the system records the date, time, port, login, and type of change. For DEFINITY ECS and DEFINITY G1 and G3: To review the report, enter list history. Check for unauthorized changes to the security-related features discussed in this handbook.

If the call originates outside the system, the incoming trunk equipment location is displayed; in this case, the customer must call the appropriate connecting switch. The following is displayed for all calls: called number, activating number, whether the call is active, and identification of any additional parties on the call. There are several ways to activate the MCT feature. See the DEFINITY ECS Feature Description book for more information.

For DEFINITY G2 and System 85: NOTE: This feature is available only with an ACD split. Use PROC054 WORD2 FIELD8 to assign the Service Observing Custom Calling Button to a multi-appearance terminal. For DEFINITY G3V3 and later, which includes DEFINITY ECS, the Observe Remotely (remote service observing) feature allows monitoring of physical, logical, or VDN extensions from external locations.
5 Small Business Communications Systems
This chapter provides information on protecting the following communications systems: MERLIN II Communications System (page 5-5), MERLIN LEGEND Communications System (page 5-7), MERLIN Plus Communications System (page 5-60), PARTNER II Communications System (page 5-62), PARTNER Plus Communications System (page 5-62), and System 25 (page 5-63). Other chapters detail additional security measures to protect your equipment: Chapter 6 contains security measures to

Features for the MERLIN Systems
The following table indicates MERLIN II and MERLIN LEGEND security features by release number.

Table 5-1. MERLIN II and MERLIN LEGEND Security Features
Release columns: MII R3 | ML R1.0/1.1 | ML R2.0/2.1 | ML R3.0/3.1 | ML R4.0/4.1/4.2 | ML R5.
Automatic Route Selection (ARS)

Table 5-1. MERLIN II and MERLIN LEGEND Security Features (Continued)
Forced Entry of Account Codes: x | x | x | x | x | x. Affects only outgoing calls.
(row heading illegible): x | x | x | x | x. Whenever Night Service is on and Shared Remote Access is administered, calls normally routed to internal stations are given Remote Access treatment.

Table 5-1. MERLIN II and MERLIN LEGEND Security Features (Continued)
Station Message Detail Recording (SMDR): x | x | x | x | x | x. For ML R3 with Call ID, the Remote Access number is recorded if received. For ML R4.2 and later releases, the optional ML Reporter Talk Time feature is disabled.
MERLIN II Communications System
This section provides information on protecting the MERLIN II Communications System. Additional security measures are required to protect adjunct equipment. Chapter 6 contains security measures to protect the attached voice messaging system. For general security measures, refer to ‘‘Protecting Voice Messaging Systems’’ on page 6-2. For product-specific security measures, refer to ‘‘MERLIN II Communications System’’ on page 6-34.

— With a MERLIN II Communications System display console:
1. From the administration menu, press these buttons: Lines DISA.
2. If callers must dial a password to make DISA calls, dial a 4-digit password.
3. Press Enter.
4. Press NoRestr for no restriction, or InwdOnly for inward restriction.
5.

MERLIN LEGEND Communications System
This section provides information on protecting the MERLIN LEGEND Communications System. Unauthorized persons concentrate their activities in the following two areas with the MERLIN LEGEND Communications System:
— Transferring out of the MERLIN LEGEND Communications System to gain access to an outgoing trunk and make long distance calls.
— Locating unused or unprotected mailboxes and using them as drop-off points for their own messages.

Unlike the MERLIN II Communications System R3, the MERLIN LEGEND Communications System does not allocate touch-tone receivers to incoming calls; it therefore does not interpret touch tones from a caller as an attempt to circumvent toll restriction and does not disconnect the call. This leaves the MERLIN LEGEND Communications System vulnerable to toll fraud if its ports are not outward restricted.
Protection Via Star Codes and Allowed/Disallowed Lists
Starting with MERLIN LEGEND Release 3.1, star codes can be added to Allowed and Disallowed Lists to help prevent toll fraud. These codes are usually dialed before an outgoing call and allow telephone users to obtain special services provided by the central office (CO).

Default Disallowed List
By default, Disallowed List #7 contains the following entries, which are frequently associated with toll fraud: 0, 10, 11, 976, 1809, 1700, 1900, 1ppp976 (where each p represents any digit), *. This list is automatically assigned to any port that is programmed as a VMI port. The system manager should assign Disallowed List #7 to any extension that does not require access to the numbers in the list.

Security Defaults and Tips
The following list identifies features and components that can be restricted by FRLs, identifies the corresponding FRL, and discusses how the FRLs affect these features and components. Voice Mail Integrated (VMI) Ports: The default FRL for VMI ports is now 0, which restricts all outcalling. (Refer to Form 7d, “Group Calling.”) Default Local Route Table: The default FRL for the Default Local Route Table is now 2.

Protecting Remote Access
The Remote Access feature allows users to call into the MERLIN LEGEND Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the Remote Access telephone number and password, call into the system, and make long distance calls. For MERLIN LEGEND R3.

Program the Remote Access feature to require the caller to enter a barrier code before the system grants access. Up to 16 different barrier codes can be programmed, and a different restriction level can be set for each barrier code. For MERLIN LEGEND R3.0, program the Remote Access feature to require an authorization code of up to 11 digits. For greater security, always use the maximum available digits when assigning authorization codes.

Protecting Remote System Programming
The Remote System Programming feature allows your system administrator to use System Programming and Maintenance (SPM) software to change your MERLIN LEGEND Communications System programming from another location. The system can be accessed remotely either by dialing into it directly using Remote Access or by dialing the system operator and asking to be transferred to the system’s built-in modem.
MERLIN LEGEND/MAGIX Toll Fraud

Protecting Remote Call Forwarding
The Remote Call Forwarding feature allows a customer to forward an incoming call to another off-premises number. However, a caller could stay on the line and receive another dial tone, at which point the caller could initiate another toll call.

— Employees receive calls requesting to be transferred for outside “operator assistance” or outbound calls.
— Employees receive frequent calls from foreign-speaking callers who request to be transferred or who hang up.
— Employees have difficulty obtaining an outside line.
— The customer is unable to access voice mail, and the system is not down.
— The customer is unable to administer programming functions within either the Legend/Magix or the voice mail system.

Have only the system administrator transfer calls to “*10.” The customer’s long distance carrier may:
— Restrict 011 and other “hot spot” area codes.
— Restrict access to your toll free area codes from areas you do not wish to receive calls from.
— Put after-hours restrictions in place to terminate calls in the network.
Restrict third-party billing with your local carrier.

Responsibility
The customer is responsible for the security of the system.

The Remote Access features of your system, if you choose to use them, permit off-premises callers to access the system from a remote telephone by using a telephone number with or without a barrier code. The system returns an acknowledgment, signaling the user to key in his or her barrier code, which is selected and administered by the System Manager. After the barrier code is accepted, the system returns dial tone to the user.

Frequently monitor system call detail reports for quicker detection of any unauthorized or abnormal calling patterns.
— Limit Remote Call Forwarding to persons on a need-to-have basis.
— Change access codes every 90 days.
— Use the longest-length barrier codes possible, following the guidelines for passwords.

Toll Fraud Prevention
Toll fraud is the unauthorized use of your telecommunications system by third parties to make long-distance telephone calls.

Preventive Measures
Take the following preventive measures to limit the risk of unauthorized access by hackers: Provide good physical security for the room containing your telecommunications equipment and the room with administrative tools, records, and System Manager information. These areas should be locked when not attended.
Security Risks Associated with Transferring through Voice Messaging Systems
Toll fraud hackers try to dial into a voice mailbox and then execute a transfer by dialing *T. The hacker then dials an access code (either 9 for Automatic Route Selection or a pooled facility code), followed by the digit string needed either to dial the number directly or to reach a network operator who completes the call. All extensions are initially, and by default, restricted from dial access to pools.

WARNING: Each extension should be assigned the appropriate FRL to match its calling requirements. All voice mail port extensions not used for Outcalling should be assigned FRL 0 (the factory setting). Deny access to pooled facility codes by removing pool dial-out codes 70, 890 through 899, or any others on your system. Create a Disallowed List, or use the pre-prepared Disallowed List number 7, to disallow dialing 0, 11, 10, 1700, 1809, 1900, and 976 or 1ppp976 (where each p is a wildcard digit).

If the Automated Attendant prompts callers to use Remote Call Forwarding (RCF) to reach an outside telephone number, the system may be susceptible to toll fraud. An example of this application is a menu or submenu that says, “To reach our answering service, select prompt number 5,” and transfers the caller to an external telephone number.

Security Risks Associated with the Remote Access Feature
Remote Access allows the MERLIN MAGIX Integrated System owner to access the system from a remote telephone and make an outgoing call or perform system administration using the network facilities (lines/trunks) connected to the MERLIN MAGIX Integrated System.

Educating Users
Everyone in your company who uses the telephone system is responsible for system security. Users and attendants/operators need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use. Never program passwords or authorization codes onto Auto Dial buttons.

Detecting Toll Fraud
To detect toll fraud, users and operators should look for the following:
— Lost voice mail messages, mailbox lockout, or altered greetings
— Inability to log into voice mail
— Inability to get an outside line
— Foreign language callers
— Frequent hang-ups
— Touch-Tone sounds
— Caller or employee complaints that the lines are busy
— Increases in internal requests for assistance in making outbound calls (particularly international calls or requests

Regularly back up your MERLIN MAGIX Integrated System files to ensure a timely recovery should it be required. Schedule regular off-site backups. Keep the Remote Maintenance Device turned off when not in use by Avaya or your authorized dealer. Limit transfers to registered subscribers only. Use the Security Violations Notification options (Mailbox Lock or Warning Message) to alert you to any mailbox break-in attempts. Investigate all incidents.

Limiting Outcalling
When Outcalling is used to contact subscribers who are off-site, use the MERLIN MAGIX Integrated System Allowed Lists and Disallowed Lists or Automatic Route Selection features to minimize toll fraud. If the Outcalling feature will not be used, outward restrict all voice messaging system ports.
Consider the following when you use wild card characters in Allowed and Disallowed Lists: Disallowed List entries can be from 1 to 12 characters in length. Before a dialed number is compared to an entry in the Allowed List, the leading “1” is dropped. Thus, an Allowed List entry of “p67” (where “p” is the wild card character) matches dialed numbers of “267,” “367,” etc., but not “167.

For example: *67 and 420 are two entries in an Allowed List. If someone at an Outward Restricted extension dials *67 420-1234, the call succeeds. If the person at the same Outward Restricted extension dials *67 431-1234, the call fails (431 is not in the Allowed List). If the person at the same extension dials 420-1234, the call succeeds. This type of processing also applies to Disallowed Lists.

If you program the route in the 6-Digit table to absorb N digits, the actual number of digits absorbed will be as follows: If the user dials an 11-digit number (including the leading “1”), ARS absorbs N digits. For example, if you program the 6-digit table to absorb 4 digits and the user dials 1-732-555-1234, 4 digits are absorbed and 555-1234 is the number that ARS sends as the dialed number to the central office.
****SECURITY ALERT****
The MERLIN MAGIX Integrated System ships with ARS activated with all extensions set to Facility Restriction Level 3, allowing all international calling. To prevent toll fraud, ARS Facility Restriction Levels (FRLs) should be established using:
FRL 0 for restriction to internal dialing only.
FRL 2 for restriction to local network calling only.
Additional general security for voice messaging systems:
Use a secure password for the General Mailboxes.
The default administration mailbox, 9997, must be reassigned to the System Manager’s mailbox/extension number and securely password protected.
All voice messaging system users must use secure passwords known only to the user.

Magix R1.5: Wild Card Characters in ARS 6-Digit Tables
Release 1.
Magix R1.5: Disallowed Lists Enhancements
Consider the following when you use wild card characters in Disallowed Lists: Disallowed List entries can be from 1 to 12 characters in length. Before a dialed number is compared to an entry in the Allowed List, the leading “1” is dropped. Thus, an Allowed List entry of “p67” (where “p” is the wild card character) matches dialed numbers of “267,” “367,” etc., but not “167.”
For example: *67 and 420 are two entries in an Allowed List. If someone at an Outward Restricted extension dials *67 420-1234, the call succeeds. If the person at the same Outward Restricted extension dials *67 431-1234, the call fails (431 is not in the Allowed List). If the person at the same extension dials 420-1234, the call succeeds. This type of processing also applies to Disallowed Lists. Disallowed List 7 has a new default entry.
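The Allowed/Disallowed List rules above (the 1-to-12-character entries, the “p” wild card, the dropped leading “1”, and the *67/420 example) can be checked against a small model. This is an added illustration, not Avaya’s code; it treats entries as prefixes of the dialed digits, and its handling of a matched star code (the *67 is consumed and the remaining digits are compared to the list again, with a leading “1” again dropped) is this model’s reading of the handbook example, not a documented algorithm.

```python
"""Model of MERLIN LEGEND/MAGIX Allowed/Disallowed List matching.

Added illustration, not Avaya code. Rules taken from the handbook: entries are
1 to 12 characters, "p" is a one-digit wild card, a leading "1" is dropped
from the dialed number before comparison, and an entry matches as a prefix.
The star-code re-check is an assumption based on the *67/420 example.
"""

WILDCARD = "p"          # matches exactly one digit 0-9
MIN_LEN, MAX_LEN = 1, 12


def normalize(dialed: str) -> str:
    """Strip separators, keep dialable characters, drop one leading '1'."""
    digits = "".join(ch for ch in dialed if ch.isdigit() or ch in "*#")
    return digits[1:] if digits.startswith("1") else digits


def validate_entry(entry: str) -> str:
    """Enforce the 1-12 character limit and the allowed character set."""
    if not MIN_LEN <= len(entry) <= MAX_LEN:
        raise ValueError(f"list entry {entry!r} must be {MIN_LEN}-{MAX_LEN} characters")
    for ch in entry:
        if not (ch.isdigit() or ch in "*#" or ch == WILDCARD):
            raise ValueError(f"list entry {entry!r} contains invalid character {ch!r}")
    return entry


def entry_is_prefix(entry: str, number: str) -> bool:
    """True if the list entry matches the start of the (normalized) dialed number."""
    if len(number) < len(entry):
        return False
    for e, n in zip(entry, number):
        if e == WILDCARD:
            if not n.isdigit():
                return False
        elif e != n:
            return False
    return True


def list_matches(entries, dialed: str) -> bool:
    """Does the dialed number match any entry of the Allowed or Disallowed List?"""
    entries = [validate_entry(e) for e in entries]
    number = normalize(dialed)
    for entry in entries:
        if not entry_is_prefix(entry, number):
            continue
        if not entry.startswith("*"):
            return True
        # Assumption: a matched star code (e.g. *67) is consumed and the digits
        # after it must themselves match a non-star entry of the same list.
        rest = number[len(entry):]
        rest = rest[1:] if rest.startswith("1") else rest
        if rest == "" or any(entry_is_prefix(e, rest) for e in entries if not e.startswith("*")):
            return True
    return False


def outward_restricted_call_permitted(allowed_list, dialed: str) -> bool:
    """An Outward Restricted extension may only dial numbers on its Allowed List."""
    return list_matches(allowed_list, dialed)


def call_blocked(disallowed_list, dialed: str) -> bool:
    """A Disallowed List blocks every number it matches."""
    return list_matches(disallowed_list, dialed)


# Constructed sample lists (not a real site's programming).
SAMPLE_ALLOWED = ["*67", "420"]            # the handbook's own example entries
SAMPLE_DISALLOWED = ["0", "976", "ppp976"]  # operator and pay-per-minute prefixes


if __name__ == "__main__":
    for number in ("*67 420-1234", "*67 431-1234", "420-1234", "1-420-1234"):
        print(f"{number:>14}: permitted={outward_restricted_call_permitted(SAMPLE_ALLOWED, number)}")
    for number in ("976-1234", "1-212-976-1234", "212-555-1234", "0"):
        print(f"{number:>14}: blocked={call_blocked(SAMPLE_DISALLOWED, number)}")
```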
Disconnect Signaling Reliability
Use this procedure to classify the disconnect signal sent by the central office on loop-start trunks as one of the following:
Reliable. Signal sent within a short time.
Unreliable. Signal may not be provided.
**** SECURITY ALERT ****
Toll fraud can occur if you have loop-start trunks with unreliable disconnect.
Outside lines can be assigned to Night Service groups in order for calls received on these lines to receive Night Service treatment.
Remote Access
Description
The Remote Access feature allows people to use the system by dialing the number of a line/trunk designated for remote access. The remote user should be required to dial a barrier code (password) after reaching the system. Beginning with Release 3.0, the systemwide barrier code length is programmed for a minimum of 4 digits and a maximum of 11.
access code and then publish the information to other hackers. Enormous charges can be run up quickly. It is the customer’s responsibility to take the appropriate steps to properly implement the features, evaluate and program the various restriction levels, protect access codes, and distribute access codes only to individuals who have been fully advised of the sensitive nature of the access information.
Whether or not the dialed digits are correct, an inter-digit time-out occurs during the first attempt. The system processes only the valid number of digits. So if a hacker enters four digits and the length is four digits, he or she hears dial tone. If a hacker enters four digits and keeps entering more, the system uses the time-out to hide the correct number of digits from the hacker.
“*”: Up to R3.1, the asterisk was not permitted in Disallowed Lists. (It has always been permitted in an Allowed List, if it is not the first character.) Releases later than R3.1 have a default Disallowed List that is assigned to all voice mail ports. This list includes: 0, 10, 11, 1809, 1700, 1900, 976, 1ppp976, *.
1ppp900 Pay per minute toll call with wild cards.
976 Pay per minute toll call.
1976 Pay per minute toll call.
1ppp976 Pay per minute toll call with wild cards.
ppp1976 Pay per minute toll call where wild cards are used to access 976.
* Programming code for use with rotary phones.
Other area codes to include on the disallow lists (Caribbean Islands):
242 Bahamas
246 Barbados
268 Antigua
340 Virgin Islands
441 Bermuda
473 Grenada
758 St.
3. Can the remote access password be changed from “craftr4” to something else?
4. Does any extension need to be able to dial 0?
5. Can all unused and MFM extensions be restricted? Outward restricted, FRL = 0.

LEGEND/MAGIX Toll Fraud at a Glance
Release and Version of the Legend/Magix. Different releases have different capabilities.
Operating Mode.
Operator Extension(s).
System Set Up. (Print) Password. Type of cards.
System Directory. (Print) Check for marked system speed dials.
Calling Groups. (Print) Identify voice mail extension ports. Identify lines on the Integrated VMI group (auto attendant vs. live body answering).
Extension Directory. (Print) Check for voice mail extension ports.
— FRL level.
— Restriction level.
— Remote call forwarding. Check for remote call forwarding of all extensions.
— Unused extensions including MFMs should be outward restricted, with FRL=0.
Allow Lists. When outcalling is used.
Night Service Exclusion list: Are voice mail ports listed?

MERLIN Mail/MERLIN LEGEND Mail/MERLIN Messaging Toll Fraud at a Glance
Auto Attendant. Program all unused selector codes to go to the general mailbox or operator. Do not program selector codes to ARS pool codes.
System administrator extension number. Change the default from 9997 to something else.
Delete ALL unused mailboxes.
Check lines for remote call forwarding.
1. Remove if not needed.
2. If needed: instruct customer of possible toll fraud.
Check voice mail ports for Merlin Mail, Merlin Legend Mail, Merlin Messaging, Audix, Auto Attendant (stand alone), or CPE (customer provided equipment).
1. If outcalling is NOT required:
a. Outward restrict voice mail ports.
b. Change ARS restriction to 0.
c. Remove pool dial-out codes (ALL of them, e.g. 70, 890-899, etc.)
d.
d. Make allowed list for outcalling numbers.
e. Make sure no other ARS tables have FRL of 2 or less.
f. Make allowed list and add to voice ports on:
Merlin Mail, Merlin Legend Mail, Merlin Messaging: if a 2 or 4 port system, last port only; the others should be changed to 0. If a 6 port system, the last 2 ports should be changed to FRL=0.
Audix – all ports.
Auto Attendant – not applicable.
Make disallowed lists for voice ports.
1. Make disallowed lists.
a.
6. Assign all unused auto attendant selector codes to go to either the operator or the general mailbox.
7. See “Check voice mail ports for Merlin Mail, Merlin Legend Mail, Merlin Messaging, Audix, Auto Attendant (stand alone), or CPE (customer provided equipment),” page 5-47, and “Make disallowed lists for voice ports,” page 5-47, for other restrictions.
Auto Attendant – stand-alone.
1. Make ports outward restricted.
2.
DS1 – T1 and/or PRI.
1. WATS: Customers may restrict 011 and 809 (the Dominican Republic) dialing if they have no need to call overseas or the 809 area code. See Disallow List Information.
2. ISDN – PRI: The ways toll restrictions can be bypassed are limited on these lines/trunks.
011 Restrictions (International).
1. Make ARS table for 011.
a. If 011 is not needed, make the FRL on the 011 table 4 or greater, and change the FRL on extensions which need access to 011 to the same value.
b.
Extension restrictions.
1. Outward restrict MFM extensions not used for calling outside.
2. Outward restrict ALL unused extensions not used for calling outside.
3. Outward or toll restrict extension ports not in use, not used for calling outside, and not used for calling long distance.
Passwords. Change all passwords frequently, and use the maximum digits allowed.
Remote programming access.
LEGEND TOLL FRAUD INTERVENTION FORM
DATE: ______________ TIME: _________________ IL#: ___________________________
BUSINESS NAME: ________________________________________________________________
ADDRESS: ___________________________________________________________________
PHONE: _____________________________ FAX: ___________________________________
CONTACT: ______________________________ CBR: _______________________________
MBO: _________________________________
Port FRL Rstrn D.O.
EXHIBIT 1 8/16/00 Toll Fraud Incident Report
Business Name:
Business Address:
Contact Name:
Main Number:
System Type:
Date Work Started:
Work Performed by:
Customer Approved Changes:
Assigned all voice mail extensions to overseas Disallowed Lists.
Created Disallowed List 6, which includes most commonly dialed numbers used by hackers, and assigned it to voice mail ports.
Blocked calls to 011 (International) from all voice mail ports through Disallowed List 5.
You may contact your 800 carrier and restrict access to your 800 numbers from locations you do not wish to receive 800 calls from, if applicable.
You may call your local carrier and restrict 3rd party billing.
It is recommended to restrict access to 500 service through Disallowed List 3 and Table 13.
Using marked System Speed Dial numbers may leave an opening for Toll Fraud.
Using Remote Line Access may leave an opening for Toll Fraud.
EXHIBIT 2 8/16/00 Toll Fraud Incident Report
Business Name:
Business Address:
Contact Name:
Main Number:
System Type:
Date Work Started:
Work Performed by:
Customer Approved Changes:
Created Disallowed Lists 3 & 4: International country codes:
011582 Venezuela
011581 Venezuela
011603 South America (customer not sure where)
011595 Paraguay
011525 Mexico
011573 Colombia
011571 Colombia
011809 Dominican Republic
011372 Estonia
011528 Mexico
011506 C
2. Created Disallowed List 5, which encompasses the Caribbean countries: Puerto Rico, Bahamas, Barbados, Bermuda, Antigua, St. Lucia, Virgin Islands, Grenada, Cayman Islands. All voice mail ports, extensions 563, 564, 565, 566, 567, 568, are accessing this list.
3. Created Disallowed List 7, which includes operator, international, and pay per minute area codes, in addition to wild card calls.
All voice mail ports, extensions 563, 564, 565, 566, 567, 568, are accessing this list.
Change SPM (system programming and maintenance) password from default to “june6.”
Change T1 toll type from Tie-PBX to Toll.
Remove remote call forwarding capabilities from extensions 7100, 7116.
Remove dial out codes from voice mail port extensions 563 – 568.
Recommendations:
Update Legend/Magix’s back-up.
Transfer calls to known extension numbers only.
Revised 8/17/00
EXHIBIT 3: Letter from Avaya
Dear ,
At your request, Avaya has conducted a toll fraud investigation. Toll fraud was suspected to have occurred. The system is located at the above address. Your main listed telephone number is 775-353-4255. Avaya has now completed its work. The attached Toll Fraud Incident Report documents all changes you approved Avaya to make to your telecommunications systems and additional security recommendations if applicable.
MERLIN Plus Communications System
This section provides information on protecting the MERLIN Plus Communications System.
Protecting Remote Line Access (R2 only)
The Remote Line Access feature allows users to call into the MERLIN Plus Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls.
Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls.
PARTNER II Communications System
This section provides information on protecting the PARTNER II Communications System. Additional security measures are required to protect adjunct equipment. Chapter 6 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 6-2. For product-specific security measures, refer to “PARTNER II Communications System” on page 6-54.
System 25
This section provides information on protecting the System 25. Additional security measures are required to protect adjunct equipment. Chapter 6 contains security measures to protect the attached voice messaging system. For general security measures, refer to “Protecting Voice Messaging Systems” on page 6-2. For product-specific security measures, refer to “System 25” on page 6-59.
Security Tips
Evaluate the necessity for Remote Access. If this feature is not vital to your organization, consider not using it or limiting its use. If you need the feature, use as many of the security measures presented in this section as you can. Program the Remote Access feature to require the caller to enter a password (barrier access code) before the system will allow the caller access.
Security Tips
The System Administration capability of the system is protected by a password. Passwords can be up to eight characters in length and can be alpha or numeric and include the pound sign (#). See “Administration / Maintenance Access” on page 3-4 and “General Security Measures” on page 3-8 for secure password procedures. See Chapter 13 for information on how to change passwords.
6 Voice Messaging Systems
The information in this chapter helps prevent unauthorized users from finding pathways through the voice messaging system and out of the switch. This chapter presents each communications system, and the voice mail systems it may host.
Protecting Voice Messaging Systems
Voice messaging toll fraud has risen dramatically in recent years. Now more than ever, it is imperative that you take steps to secure your communications systems. Callers into the voice messaging/auto attendant system may transfer to an outgoing trunk if adequate security measures are not implemented (see Figure 6-1).
All security restrictions that prevent transfer to these codes should be implemented. The only tool a criminal needs to breach an inadequately secured system is a touch tone telephone. With the advent of cellular phones, hackers have yet another means of accessing voice mailboxes. If a user calls the voice mail system from a cellular phone and inputs his or her password, the voice mailbox becomes vulnerable to toll fraud.
If you receive any strange messages on the voice mail system, if your greeting has been changed, or if for any reason you suspect that your voice mail system facilities are being used by someone else, contact the Avaya Toll Fraud Intervention Hotline. Contact your central office to verify that your carrier provides “reliable disconnect” for your host PBX or switch. “Reliable disconnect” is sometimes referred to as a forward disconnect or disconnect supervision.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85
Tools that Prevent Unauthorized Calls
You can help prevent unauthorized callers who enter the voice messaging system from obtaining an outgoing facility by using the security tools shown in Table 6-1.
Table 6-1.
The higher the FRL number, the greater the calling privileges. For example, if a station is not permitted to make outside calls, assign it an FRL value of 0. Then ensure that the FRLs on the trunk group preferences in the routing patterns are 1 or higher. For example, when voice mail ports are assigned to a COR with an FRL of 0, outside calls are disallowed.
Class of Service
For DEFINITY G2 and System 85, a voice mail port must be assigned a COS. The following COS options relate to voice mail toll fraud prevention:
Call Forward Off-Net: allows a user to call forward outside the switch to non-toll locations.
Call Forward Follow Me: allows a user to forward calls outside the switch when other options are set.
Limit Voice Mail to Internal Calling
If outcalling is not activated in the voice mail system, you can restrict voice mail callers from dialing an outside number by making the ports outward restricted. For DEFINITY G1, G3, and System 75: Use change cor to display the Class of Restriction screen, then create an outward restricted COR by entering outward in the Calling Party Restriction field. Assign FRL 0.
NOTE: In Table 6-2, FRLs 1 through 7 include the capabilities of the lower FRLs. For example, FRL 3 allows private network trunk calls and local calls in addition to FX and WATS trunk calls. Verify the route pattern FRLs — no pattern should carry an FRL of 0. For DEFINITY G1, G3, and System 75: Use change cor for the voice mail ports (versus subscribers) to display the Class of Restriction screen.
Allow Calling Only to Specified Numbers
A reverse strategy to preventing calls is to allow outbound calls only to certain numbers. For G1 and System 75, you must specify both the area code and the office code of the allowable numbers. For G3, you can specify the area code or telephone number of calls you allow. For DEFINITY G1 and System 75: Use change ars fnpa xxx to display the ARS FNPA Table, where xxx is the NPA that will have some unrestricted exchanges.
For DEFINITY ECS and DEFINITY G3: Use change ars analysis to display the ARS Analysis screen. Enter the area codes or telephone numbers that you want to allow and assign an available routing pattern to each of them. Use change routing pattern to give the pattern preference an FRL that is equal to or lower than the FRL of the voice mail ports.
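The FRL rule used above (a caller’s COR FRL must be equal to or higher than the FRL of the route pattern preference, so FRL-0 voice mail ports can reach only patterns that carry FRL 0) and the audit the handbook asks for (verify which route patterns carry an FRL of 0) can be modelled as follows. This is an added illustration, not Avaya’s code; the ARS analysis table, route patterns and trunk group names are constructed for a hypothetical site, and the model ignores the ARS analysis min/max digit fields and other routing inputs.

```python
"""Model of the DEFINITY ARS analysis -> route pattern -> preference FRL check.

Added illustration, not Avaya code. Longest-prefix ARS analysis picks a route
pattern; each preference (trunk group) carries an FRL 0-7; the call takes the
first preference whose FRL does not exceed the caller's COR FRL. The audit
lists every pattern reachable at FRL 0 and the dialed prefixes that lead to it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Preference:
    trunk_group: str
    frl: int  # 0 (least privilege) .. 7 (most privilege)


@dataclass(frozen=True)
class RoutePattern:
    number: int
    preferences: List[Preference]


# Constructed translations for a hypothetical site (not a real system's data).
ARS_ANALYSIS: Dict[str, int] = {
    "732": 1,            # area code 732 -> pattern 1
    "7325551234": 2,     # one deliberately allowed number -> pattern 2
    "011": 3,            # international -> pattern 3
}
ROUTE_PATTERNS: Dict[int, RoutePattern] = {
    1: RoutePattern(1, [Preference("local-trunks", 3)]),
    2: RoutePattern(2, [Preference("local-trunks", 0)]),  # FRL 0 on purpose: allowed number
    3: RoutePattern(3, [Preference("intl-trunks", 7)]),
    4: RoutePattern(4, [Preference("tie-trunks", 0)]),    # FRL 0 with no stated reason
}


def dialed_digits(dialed: str) -> str:
    """Keep only the digits of a dialed string."""
    return "".join(ch for ch in dialed if ch.isdigit())


def select_route(dialed: str) -> Optional[RoutePattern]:
    """The longest matching ARS analysis prefix selects the route pattern."""
    number = dialed_digits(dialed)
    for prefix in sorted(ARS_ANALYSIS, key=len, reverse=True):
        if number.startswith(prefix):
            return ROUTE_PATTERNS[ARS_ANALYSIS[prefix]]
    return None


def select_trunk_group(caller_frl: int, dialed: str) -> Optional[str]:
    """Trunk group the call uses, or None when no preference FRL is within the caller's FRL."""
    if not 0 <= caller_frl <= 7:
        raise ValueError("FRL must be 0-7")
    pattern = select_route(dialed)
    if pattern is None:
        return None
    for pref in pattern.preferences:
        if pref.frl <= caller_frl:
            return pref.trunk_group
    return None


def frl_zero_exposure() -> Dict[int, List[str]]:
    """Audit: patterns with an FRL-0 preference, mapped to the ARS prefixes that reach them.

    Every entry should correspond to a deliberately allowed number; a pattern
    reachable at FRL 0 for no stated reason is an exit for outward-restricted ports.
    """
    exposure: Dict[int, List[str]] = {}
    for number, pattern in ROUTE_PATTERNS.items():
        if any(p.frl == 0 for p in pattern.preferences):
            exposure[number] = sorted(pfx for pfx, pat in ARS_ANALYSIS.items() if pat == number)
    return exposure


if __name__ == "__main__":
    for frl, number in ((0, "732-555-1234"), (0, "732-555-9999"), (3, "732-555-9999"),
                        (3, "011 44 20 7946 0958"), (7, "011 44 20 7946 0958")):
        print(f"FRL {frl} dialing {number:>20}: {select_trunk_group(frl, number)}")
    print("patterns carrying FRL 0:", frl_zero_exposure())
```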
See “Security Tips” on page 6-3 for additional ways to detect voice mail fraud.
NOTE: The System Administrator can also view a logfile to see if a mailbox is being hacked. For the AUDIX Voice Mail System R1, the administrator can view the logfile by typing system:log:display. For the DEFINITY AUDIX and Avaya INTUITY Voice Mail Systems, the administrator can view the logfile by typing display administration-log.
Administer the appropriate format to collect the most information. The format depends on the capabilities of your CDR analyzing and recording device. Use change trunk-group to display the Trunk Group screen. Enter y in the SMDR/CDR Reports field. For DEFINITY G2: Use PROC275 WORD1 FIELD14 to turn on the CDR for incoming calls. Use PROC101 WORD1 FIELD8 to specify the trunk groups.
To review the traffic measurements, use list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, or outage-trunk) and the timeframe (yesterday-peak, today-peak, or last-hour). To review performance, use list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).
Establish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time). To review, use list measurements aca. Administer an aca button on the console or display station to which the referral will be sent. For DEFINITY G2 and System 85: Use PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA system-wide.
Unauthorized System Use
You can minimize the risk of unauthorized people gaining access to your system by strictly following the compliance guidelines for, and using the aging feature of, your Voice Mail (vm) and AUDIX System Administration (sa) passwords. Additionally, a new option — the trusted server — has been introduced in this release. The trusted server has direct access to AUDIX and its functionality.
Trusted Server Security
A trusted server is a computer or a software application in a domain outside of INTUITY AUDIX that uses its own login and password to launch an Avaya INTUITY Messaging Applications Programming Interface (IMAPI) LAN session and access AUDIX mailboxes.
Internal Security. INTUITY AUDIX R4 allows the transmission between domains of two new message components, including text (e-mail) and binary (software) file attachments. Within the AUDIX system, Message Manager supports these message components as well. With these new components come new security considerations, namely the inadvertent delivery of a “virus” that may be embedded in a file attachment. This can occur in any system that supports the delivery of binary files.
The record reveals the routing of the call, including the caller (if internal), recipient, port, community, Mailbox IDs (corresponds to the voice mail system subscriber’s extension number input during a login or as input by the calling party), the time and duration of the call, the type of session (voice mail, call answer, guest password, or automated attendant), the message activity, and number of login attempts.
Outgoing Voice Call Detail Record (AUDIX Voice Mail System Only)
An outgoing call record is also created for every outbound call that is originated by the AUDIX Voice Mail System via a voice port. This includes call transfers, outcalling, and message waiting activation and/or deactivation via access codes. A record is also created for call attempts for the Message Delivery feature.
Protecting Passwords
The AUDIX, DEFINITY AUDIX, and Avaya INTUITY Voice Mail Systems offer passwords and password time-out mechanisms that can help restrict unauthorized users. Voice mail systems R1V4 and later allow you to specify the minimum length required. Use a minimum of six digits, and always specify a minimum password length that is greater than the extension length.
Security Features
Before implementing any security measures to protect the voice mail system, it is important to understand how they work. You need to be aware of the possible trade-offs associated with each security measure listed below.
Basic Call Transfer
With Basic Call Transfer, after a voice mail system caller enters *0, the system performs the following steps:
1.
Enhanced Call Transfer
With Enhanced Call Transfer, the voice mail system uses a digital control link message to initiate the transfer and the switch verifies that the requested destination is a valid station in the dial plan. With Enhanced Call Transfer, when voice mail system callers enter *T followed by digits (or *A for name addressing) and #, the following actions take place:
1.
This restriction may not be acceptable where it is desirable to have the call follow the coverage path of the “transferred-to” station. Enhanced Call Transfer can be administered to allow this type of transfer. This capability is available in AUDIX Voice Mail System R1V7, the DEFINITY AUDIX System 3.0, and the Avaya INTUITY System. Contact your Avaya Sales Representative for additional details and availability.
AMIS Networking
AMIS Networking (the DEFINITY AUDIX System, the AUDIX Voice Mail System R1V6 and later, and the Avaya INTUITY System) allows voice messages to be sent to and received from subscribers on other vendors’ voice messaging systems. This service is based on the Audio Message Interchange Specification. This feature allows calls to be placed to off-premises voice messaging systems.
For ALL systems (DEFINITY ECS, DEFINITY G1, G2, G3, System 75, and System 85 R2V4):
1. On the AUDIX Voice Mail System R1 system:appearance form, enter y in both the Call Transfer Out of AUDIX field and in the Enhanced Call Transfer field. Then press Change/Run.
or
For the DEFINITY AUDIX System and the Avaya INTUITY System, use the system-parameters features form and enter enhanced in the Transfer Type field. Then press Enter.
After you activate Enhanced Call Transfer, test it by following the steps below:
1. Dial into your voice mail system.
2. Press *T.
3. Enter an invalid extension number followed by #. The failed announcement should play, followed by a prompt for another extension number.
4. Enter a valid extension number followed by #. You should notice that the call transfers much faster than with Basic Call Transfer.
Limit Outcalling
The measures you can take to minimize the security risk of outcalling depend on how it is used. When outcalling is used only to alert on-premises subscribers who do not have voice mail system message indicator lamps on their phones, you can assign an outward-restricted COR to the voice mail system voice ports.
Security Tips
Require callers to use passwords.
Have the application verify that long distance numbers are not being requested, or verify that only permitted numbers are requested.
Use appropriate switch translation restrictions.
Administer all appropriate switch restrictions on the voice mail system voice ports.
Protecting Passwords
The AUDIX Voice Power System offers password protection to help restrict unauthorized access. Subscribers should use a maximum length password and should change it routinely. Passwords can be up to 9 digits. See “Administration / Maintenance Access” on page 3-4 and “General Security Measures” on page 3-8 for secure password guidelines. See Chapter 13 for information on how to change passwords.
Security Measures
The security measures described in this section do not apply if you are using Release 1.0 of the AUDIX Voice Power System. In this case, use PBX restrictions to safeguard your system.
Transfer Only to System Subscribers
The AUDIX Voice Power System has the ability to allow callers to transfer only to mailbox subscribers.
NOTE: On AUDIX Voice Power System 2.1.1, mailboxes can be set individually to “1 minute,” reducing the clean-up that these mailboxes require.
Protecting the CONVERSANT Voice Information System
This section addresses security issues for the CONVERSANT and INTUITY CONVERSANT Voice Information Systems. These systems provide a platform used to build and execute voice response applications that involve network connections.
Security Measures
Design applications with toll fraud in mind. Make sure the application verifies that long distance numbers are not being requested, or that only permitted numbers are requested. The Transfer Call and Call Bridge capabilities of Script Builder, and the “tic” instruction at the Transaction State Machine (TSM) script level provide network access.
Security Tips
Toll fraud is possible when the application allows the incoming caller to make a network connection with another person. Thus, bridging to an outbound call, call transfer, and 3-way-conferencing should be protected.
Require callers to use passwords.
Have the application verify that long distance numbers are not being requested, or verify that only permitted numbers are requested.
Use appropriate switch translation restrictions.
MERLIN II Communications System The MERLIN MAIL Voice Messaging System provides automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features. The area of toll fraud risk associated with the automated attendant feature is indicated below.
To reduce the risk of unauthorized access through your voice messaging system, observe the following procedures:
Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.
Create a Disallowed List to disallow dialing 0, 70, 011, 809, 1809, 0809, 10, 9999, 411, 1411, 800, 888, 700, 900, 976, 550, 1800, 1888, 1700, 1500, 1900, 1976, 1550, 0800, 0888, 0700, 0500, 0900, 0976, and 0550.
MERLIN LEGEND Communications System
The MERLIN LEGEND Communications System may be used with the following voice messaging systems:
AUDIX Voice Power System — the AUDIX Voice Power System is a system that is external to the MERLIN LEGEND Communications System and connected to the switch by station lines and data links. (See “Protecting the AUDIX Voice Power System” on page 6-38.
Protecting the AUDIX Voice Power System
The AUDIX Voice Power System provides both automated attendant and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The voice mail feature provides call coverage to voice mailboxes along with a variety of voice messaging features.
Set up auto attendant selection codes so that they do not permit outside line selection. Assign toll restriction levels to the AUDIX Voice Power System ports. If you do not need to use the Outcalling feature of the AUDIX Voice Power System, completely restrict the outward calling capability of the AUDIX Voice Power System ports.
Enter # in the Subscriber Password field to prevent access to the corresponding voice mail. Enter yes in the Does the subscriber have switch call coverage field. On the switch side, do not specify the AUDIX Voice Power System extension as a coverage point for any of these added extensions.
NOTE: Although these restricted voice mailboxes cannot receive Call Answer messages, they do receive broadcast messages and even may receive a misdirected message from another subscriber.
Security Tips
At the switch, assign toll restrictions to voice message system and automated attendant ports. If you do not use the outcalling features of the voice messaging system, restrict the outward calling capability of all voice ports. Use a dial plan that does not allow extensions beginning with the same digits as ARS, TAC, or verification and test codes. Inform all system operators that they are not to dial outside calls.
Basic Call Transfer
With Basic Call Transfer, after a voice mail system caller enters *T, the system performs the following steps:
1. The voice mail system verifies that the digits entered contain the same number of digits administered for extension lengths.
Avoid or closely monitor the use of “guest” mailboxes (mailboxes without a physical extension that are loaned to outsiders for the duration of a project). If you need a guest mailbox, assign it when it is needed and deactivate or change its password immediately after it is no longer needed. Do not reassign a guest mailbox without changing the password.
Restrict Outcalling
Outcalling uses the voice messaging ports.
Voice Messaging Systems Protecting the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail Voice Messaging Systems provide automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The call answer feature provides call coverage to voice mailboxes.
MERLIN LEGEND Communications System Take the following preventive measures to limit the risk of unauthorized use of the automated attendant feature by hackers: Do not use automated attendant selector codes that match Automatic Route Selection (ARS) codes or Pooled Facility codes. Assign all unused automated attendant selector codes to zero, so that attempts to dial them are routed to the system operator or General Mailbox rather than to an outside line.
Voice Messaging Systems Hackers may also use a computer to dial an access code and then publish the information for other hackers. Substantial charges can accumulate quickly. It is your responsibility to take appropriate steps to implement the features properly, to evaluate and administer the various restriction levels, and to protect and carefully distribute access codes.
MERLIN LEGEND Communications System Set the maximum number of digits in an extension parameter appropriate to your dial plan. The voice messaging system will not perform transfers to extensions greater than that number. When possible, restrict the off-network capability of callers by using calling restrictions, Facility Restriction Levels, and Disallowed List features. Outward restrict all MERLIN LEGEND voice mail port extensions not used for outcalling.
Voice Messaging Systems Additional MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System Security Features The MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System includes the following additional security features: The Transfer to Registered Subscribers Only setting of the Transfer Restrictions feature allows callers to be transferred only to users who have mailboxes in the system. Avaya strongly recommends using this feature to guard against toll fraud.
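The following Python model contrasts the digit-count check that Basic Call Transfer performs (described earlier in this chapter) with the Transfer to Registered Subscribers Only restriction above and the Enhanced Call Transfer feature described in Chapter 7. It is an added illustration, not code from this handbook or from any Avaya product; the 4-digit dial plan, the ARS access code 9, and the extension and subscriber lists are constructed sample values.

```python
"""Voice-mail call transfer checks: Basic Call Transfer versus transfer
restricted to valid extensions or registered subscribers.

Added example, not code from the handbook or any Avaya product. The dial
plan (4-digit extensions, ARS access code 9), the extension list and the
subscriber list are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class DialPlan:
    extension_length: int = 4
    ars_code: str = "9"                               # assumed ARS feature access code
    extensions: set = field(default_factory=set)      # extensions administered on the switch
    subscribers: set = field(default_factory=set)     # extensions that own a mailbox


def basic_transfer_ok(plan, digits):
    """Basic Call Transfer as the handbook describes it: the voice mail system
    only verifies that the digit count equals the administered extension length,
    then hands the digits to the switch."""
    return digits.isdigit() and len(digits) == plan.extension_length


def enhanced_transfer_ok(plan, digits):
    """Enhanced Call Transfer: transfer only to an extension that exists on the PBX."""
    return digits in plan.extensions


def subscriber_transfer_ok(plan, digits):
    """Transfer to Registered Subscribers Only: transfer only to an extension
    that owns a mailbox on the voice messaging system."""
    return digits in plan.subscribers


def switch_gets_dial_tone(plan, digits):
    """What the switch does with transferred digits that begin with the ARS
    access code: the caller is given an outside line, which is the toll fraud
    path the handbook warns about."""
    return digits.startswith(plan.ars_code)


def dial_plan_conflicts(plan):
    """Extensions that begin with the ARS access code; the handbook says the
    dial plan should not allow these."""
    return sorted(e for e in plan.extensions if e.startswith(plan.ars_code))


def evaluate(plan, digits):
    """Outcome of a *T transfer of the given digits under each policy."""
    basic = basic_transfer_ok(plan, digits)
    return {
        "basic": basic,
        "enhanced": enhanced_transfer_ok(plan, digits),
        "subscribers_only": subscriber_transfer_ok(plan, digits),
        "reaches_outside_line": basic and switch_gets_dial_tone(plan, digits),
    }


SAMPLE_PLAN = DialPlan(
    extensions={"2001", "2002", "3456", "9123"},     # 9123 is a deliberate dial-plan mistake
    subscribers={"2001", "2002"},
)

if __name__ == "__main__":
    for digits in ("2001", "3456", "9011", "9123"):
        print(digits, evaluate(SAMPLE_PLAN, digits))
    print("conflicts:", dial_plan_conflicts(SAMPLE_PLAN))
```

Under the basic check, "9011" passes because it is four digits long, and the switch then treats the leading 9 as an ARS request; under either restriction it is rejected. The extension 9123 shows why the dial plan must not allow extensions that start with the ARS code: it is a valid transfer target under every policy yet still begins with the outside-line digit.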
Messaging 2000 Voice Mail System Messaging 2000 Voice Mail System The Messaging 2000 (M2000) System provides Voice Mail services for the MERLIN LEGEND Communications System. The system is PC-based and uses the IBM OS/2 operating system. The system is connected to the LEGEND system via line-side VMI ports. These ports allow access to the voice mailboxes associated with each PBX subscriber.
Voice Messaging Systems When Quick Assist is run in Recover Mode from the Quick Assist icon in the Lucent folder, use the “Mailbox to Receive Unattached Messages” field on the Recover Files dialog box to specify a mailbox in which to place messages with invalid header information.
Messaging 2000 Voice Mail System The Uninitialized Mailbox report lists all mailboxes for which the password has not yet been changed from the initially assigned password. It is recommended that this report be regularly reviewed to determine which subscribers have not yet changed their passwords. Subscribers should be reminded that they should change their passwords regularly to prevent anyone but themselves from accessing their mailboxes.
Voice Messaging Systems Mailbox Lock-Out Option on the Class of Service dialog box determines whether this feature is enabled. The Mailbox Lock-Out option on the Subscriber Settings dialog box controls this feature by individual mailbox. The Consecutive Login Failures Before Lock-Out parameter on the Subscriber Parameters tab in System Setup determines the number of failed login attempts allowed before the mailbox is locked, if the Mailbox Lock-Out option is enabled for the mailbox.
Messaging 2000 Voice Mail System Securing the M2000 System PC It is imperative that the M2000 system PC be protected from unauthorized system management access. Unauthorized access to the M2000 system PC could result in system setup changes, loss of mailboxes and messages, and database corruption. The best way to prevent unauthorized system management access to the M2000 system PC is to store the PC in a secure area, such as a locked room.
Voice Messaging Systems Security Recommendations for Remote Access Remote access to the system should be secured according to the following guidelines: All remote access logins to the system must be administered to require the use of a secondary password. The end-user must change all secondary passwords periodically, and the more often the better. After changing the secondary passwords, the end-user should notify the appropriate Avaya support organization(s) that the passwords have been changed.
PARTNER II Communications System Protecting Passwords For PARTNER MAIL Release 1 and all releases of PARTNER MAIL VS, passwords can be up to four digits. For PARTNER MAIL Release 3, passwords can be up to 15 digits in length. See ‘‘Administration / Maintenance Access’’ on page 3-4 and ‘‘General Security Measures’’ on page 3-8 for secure password guidelines. See Chapter 13 for information on how to change the passwords.
Voice Messaging Systems Instruct employees not to make a statement, in their recorded greeting, indicating that they will accept collect calls. Have the voice messaging System Administrator delete unneeded voice mailboxes from the system immediately. The Security Violation Notification feature enables the System Administrator to choose to be warned about possible mailbox break-in attempts.
PARTNER Plus Communications System Protecting the PARTNER MAIL and PARTNER MAIL VS Systems The PARTNER MAIL and PARTNER MAIL VS Systems provide automated attendant, call answer, and voice mail functionality. The automated attendant feature answers incoming calls and routes them to the appropriate department or person. The call answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.
Voice Messaging Systems Require the System Administrator and all voice mailbox owners to change their password from the default. The System Administrator can set the Minimum Password Length to any value from 0 to 15 digits; the default value is six digits. At the default setting, every subscriber’s mailbox password and the System Administration Password must be at least six digits. NOTE: A Minimum Password Length of at least six digits is strongly recommended; do not lower it to 0, which permits empty passwords.
System 25 System 25 System 25 may be used with the AUDIX Voice Power System. (For information on this system, see ‘‘Protecting the AUDIX Voice Power System’’ on page 6-59.) Also see ‘‘Related Documentation’’ in the ‘‘About This Document’’ section for a list of manuals on this product. Follow the steps listed below for securing a voice processing system on the System 25. Outward restrict the voice processing ports whenever possible.
Voice Messaging Systems Protecting Passwords The AUDIX Voice Power System offers password protection to help restrict unauthorized access. Subscribers should use a maximum length password and should change it routinely. Passwords can be up to 9 digits. See ‘‘Administration / Maintenance Access’’ on page 3-4 and ‘‘General Security Measures’’ on page 3-8 for secure password guidelines. See Chapter 13 for information on how to change passwords.
System 25 Security Measures The security measures described in this section do not apply if you are using Release 1.0 of the AUDIX Voice Power System. In this case, use PBX restrictions. Transfer Only to System Subscribers The AUDIX Voice Power System has the ability to allow callers to transfer only to mailbox subscribers.
Automated Attendant 7 DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Automated attendant is a service that connects to the PBX/communications system to help route calls to the appropriate extension. A menu of options allows callers to choose a predefined destination, such as a department, announcement, or an attendant, or a user-defined destination, such as an extension number. Many automated attendant systems are vulnerable to toll fraud and are easy targets for toll hackers.
Automated Attendant Tools that Prevent Unauthorized Calls You can help prevent unauthorized callers who enter the automated attendant system from obtaining an outgoing facility by using the security tools shown in Table 7-1.
Table 7-1. Automated Attendant Security Tools
Security Tool / Switch / Page #
Enhanced Call Transfer (see ‘‘Protecting the AUDIX, DEFINITY AUDIX, and Avaya INTUITY Voice Mail Systems’’) / DEFINITY ECS, DEFINITY G1, G2, G3, System 75 R1V3 Issue 2.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 For example, when automated attendant ports are assigned to a COR with an FRL of 0, outside calls are disallowed. If that is too restrictive, the automated attendant ports can be assigned to a COR with an FRL that is just high enough to reach the calling area needed. NOTE: Stations that are outward restricted cannot use AAR/ARS/WCR trunks at all, so for those stations the FRL does not matter: FRLs are never checked.
Automated Attendant Outward Restriction: restricts the user from placing calls over CO, FX, or WATS trunks using dial access codes to trunks. Outward Restriction also restricts the user from placing calls via ARS/WCR. Use ARS/WCR with WCR toll restrictions instead. Toll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Toll Analysis When an automated attendant system transfers calls to locations outside the switch, you can use the Toll Analysis form to limit call transfers to the numbers you identify. You can also specify toll calls to be assigned to a restricted call list so automated attendant callers cannot dial the numbers on the list. Call lists can be specified for CO/FX/WATS, TAC, and ARS calls, but not for tie TAC or AAR calls.
Automated Attendant Prevent Calls to Certain Numbers If some menu options transfer to locations off-premises, you can still protect the system from unauthorized calls. You can restrict calls to certain area codes and/or country codes, and even to specific telephone numbers. For DEFINITY ECS and DEFINITY G1 and G3: On the Class of Restriction form for the automated attendant ports, enter y in the Restricted Call List field.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 For DEFINITY G2 and System 85: Use PROC311 WORD2 to establish 6-digit translation tables for foreign NPAs, and assign up to 10 different routing designators to each foreign NPA (area code). Use PROC311 WORD3 to map restricted and unrestricted exchanges to different routing designators. If the unrestricted toll exchanges are in the Home NPA, use PROC311 WORD1 to map them to a routing designator.
Automated Attendant Detecting Automated Attendant Toll Fraud Table 7-2 shows the reports that help determine if your automated attendant system is being used for fraudulent purposes. Table 7-2.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Call Detail Recording (CDR) / Station Message Detail Recording (SMDR) With Call Detail Recording activated for the incoming trunk groups, you can monitor the number of calls into your automated attendant ports. See also ‘‘Security Violation Notification Feature (DEFINITY ECS and DEFINITY G3 only)’’ on page 4-57. NOTE: Most call accounting packages discard this valuable security information.
Automated Attendant Call Traffic Report This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity. For DEFINITY ECS, DEFINITY G1, G3, and System 75, traffic data reports are maintained for the last hour and the peak hour.
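The following Python script applies the two checks just described (calls into or out of automated attendant and voice mail ports after hours or at weekends, and an hourly call count compared against a threshold) to CDR/SMDR output. It is an added illustration, not code from this handbook or from any Avaya call accounting package; the record layout is a constructed comma-separated one (date, time, duration in seconds, originating extension, dialed digits), and real CDR formats differ by switch and release and must be parsed accordingly.

```python
"""After-hours and volume checks over Call Detail Recording (CDR/SMDR) output.

Added example, not from the handbook or any Avaya call accounting package. The
record layout is a constructed comma-separated one (date, time, duration in
seconds, originating extension, dialed digits); real CDR formats differ by
switch and release and must be parsed accordingly.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: extension 2901 is a voice-mail port. It places a burst of
# late-night international calls and one Saturday call, alongside normal traffic.
SAMPLE_CDR = """\
2001-06-11,09:12:05,84,2101,5551234
2001-06-11,10:40:31,120,2901,2102
2001-06-11,23:14:02,612,2901,011573001234
2001-06-11,23:21:40,598,2901,011573001235
2001-06-11,23:30:11,640,2901,011573001236
2001-06-12,00:02:55,700,2901,011573001237
2001-06-16,14:05:10,300,2901,0118098765432
"""

BUSINESS_HOURS = range(8, 18)      # assumed policy: 08:00 to 17:59, Monday to Friday


def parse_cdr(text):
    records = []
    for line in text.strip().splitlines():
        date, time, duration, calling, dialed = line.split(",")
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "duration": int(duration),
            "calling": calling,
            "dialed": dialed,
        })
    return records


def is_after_hours(when):
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def is_international(dialed):
    return dialed.startswith("011")


def suspicious_calls(records, voice_ports):
    """Calls originated by voice-mail or automated attendant ports that are
    after hours or international. Those ports should be outward restricted
    unless outcalling is in use, so any hit deserves a look."""
    return [r for r in records
            if r["calling"] in voice_ports
            and (is_after_hours(r["when"]) or is_international(r["dialed"]))]


def hourly_counts(records, ext):
    """Calls per clock hour for one port, the figure the Call Traffic Report gives."""
    return Counter(r["when"].strftime("%Y-%m-%d %H")
                   for r in records if r["calling"] == ext)


def busy_hours(counts, threshold):
    """Hours at or above a threshold set from the port's normal traffic pattern."""
    return {hour: n for hour, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = parse_cdr(SAMPLE_CDR)
    for r in suspicious_calls(records, {"2901"}):
        print(r["when"], r["calling"], r["dialed"], r["duration"])
    print(busy_hours(hourly_counts(records, "2901"), 3))
```

The threshold for busy_hours should come from the port's own history (for example the peak daytime hour over the previous weeks), since a single late-night hour with three long international calls from a port that normally only answers is the pattern the handbook describes.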
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 ARS Measurement Selection The ARS Measurement Selection can monitor up to 20 routing patterns (25 for G3) for traffic flow and usage. For DEFINITY ECS, DEFINITY G1, G3, and System 75: Use change ars meas-selection to choose the routing patterns you want to track. Use list measurements route-pattern followed by the timeframe (yesterday, today, or last-hour) to review the measurements.
Automated Attendant Assign an aca referral button on that station (or the attendant station). Use change trunk group to display the Trunk Group screen. Enter y in the ACA Assignment field. Establish short and long holding times. The defaults are 10 seconds (short holding time) and one hour (long holding time). To review, use list measurements aca. Administer an aca button on the console or display station to which the referral will be sent.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Call Traffic Report This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity.
Automated Attendant Also reported is the session termination method. Each possible termination method is assigned a value as shown in Table 7-3. This information can be downloaded to a PC using ADAP to be available on demand or at scheduled intervals. Table 7-3.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 Table 7-4.
Automated Attendant Protecting Automated Attendant on the AUDIX Voice Mail System This section discusses security measures implemented directly on the AUDIX Voice Mail System automated attendant. Disallow Outside Calls The AUDIX Voice Mail System integrated with DEFINITY ECS, DEFINITY G1, G2, and G3, System 85 R2V4, and System 75 R1V3 (Issue 2.0) and later, provide a feature called Enhanced Call Transfer that only transfers AUDIX Voice Mail System calls to valid PBX extension numbers.
DEFINITY ECS, DEFINITY Communications Systems, System 75, and System 85 For DEFINITY G2 and System 85: 1. On the AUDIX Voice Mail System system:appearance form, enter y in the Call Transfer Out of AUDIX field. 2. Enter y in the Enhanced Call Transfer field. 3. Press Change/Run. 4. On the AUDIX Voice Mail System maintenance:audits:fp form, tab to the Service Dispatcher field and enter x. 5. Tab to the Start field and enter x. 6. Press Change/Run. 7.
Automated Attendant Protecting Automated Attendant on the CONVERSANT Voice Information System The CONVERSANT Voice Information System provides automated attendant functionality. Follow all recommendations for protecting the switch in Chapter 5, as well as those for protecting the CONVERSANT Voice Information System for the switch in Chapter 6. In addition, make sure that automated attendant selector codes do not permit outside line selection.
MERLIN II Communications System R3 MERLIN II Communications System R3 MERLIN MAIL Voice Messaging System The MERLIN MAIL Voice Messaging System provides the automated attendant feature. Follow all recommendations for protecting the MERLIN MAIL Voice Messaging System in Chapter 6. In addition, make sure that automated attendant selector codes do not permit outside line selection.
Automated Attendant MERLIN LEGEND Communications System AUDIX Voice Power System The MERLIN LEGEND Communications System supports the AUDIX Voice Power System, which provides automated attendant functionality. Follow all recommendations for protecting the MERLIN LEGEND Communications System switch in Chapter 5, as well as those for protecting the AUDIX Voice Power System for the MERLIN LEGEND Communications System in Chapter 6.
PARTNER II Communications System PARTNER II Communications System The PARTNER II Communications System supports the PARTNER MAIL System, and the PARTNER MAIL VS System. PARTNER MAIL and PARTNER MAIL VS Systems The PARTNER MAIL and PARTNER MAIL VS Systems provide the automated attendant feature. Follow all recommendations for protecting these systems in Chapter 6.
Automated Attendant PARTNER Plus Communications System The PARTNER Plus Communications System R3.1 and later releases, supports the PARTNER MAIL System, and the PARTNER MAIL VS System. PARTNER MAIL and PARTNER MAIL VS Systems The PARTNER MAIL and PARTNER MAIL VS Systems provide the automated attendant feature. Follow all recommendations for protecting these systems in Chapter 6.
Other Products and Services 8 This chapter contains security information for Avaya products other than PBXs and adjuncts that have become available since Issue 2 of this handbook. For information on the Avaya INTUITY System and the PARTNER MAIL VS System, which have also become available since the last issue of the handbook, see Chapter 6.
Other Products and Services For additional information on administering CMS, refer to the following documents: Call Management System R3V4 Administration Call Management System R3V2 Installation and Maintenance CentreVu™ Call Management System Release 3 Version 4 Sun® SPARCserver™ Computers Installation and Maintenance, Issue 1 CMS R3.
CallMaster PC CallMaster PC CallMaster PC, a software application used with the DEFINITY ECS, gives Call Center agents and supervisors the ability to access and control their CallMaster or CallMaster II telephone sets through a Microsoft Windows™-compatible PC.
Other Products and Services Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS) The MCU has a DEFINITY ECS-based architecture. The primary component of the MCU is the Multimedia Server Module (MSM), which is similar to the most basic version of the DEFINITY ECS Processor Port Network (PPN). MSM security concerns are similar to those for the DEFINITY ECS (including, for example, trunking, COR, and COS).
PassageWay® Telephony Services for NetWare® and Windows NT® PassageWay® Telephony Services for NetWare® and Windows NT® NOTE: The following information applies to PassageWay Telephony Services connected to either the DEFINITY ECS or MERLIN LEGEND driver. The PassageWay Telephony Services product provides computer/telephony integration for applications running in a Novell NetWare or a Microsoft Windows NT Local Area Network (LAN) environment.
Other Products and Services Security Tips The following tips are for the PassageWay Telephony Server administrator. When the product is installed, do the following: For Netware only: Use the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.12) to set the appropriate login and password restrictions (for example, require users to have passwords with a minimum length of 7 characters, enable password aging, and so forth).
PassageWay® Telephony Services for NetWare® and Windows NT® PassageWay Telephony Server administrators should be aware of switch Class of Service (COS) and Class of Restriction (COR) assignments and should not define Device Groups that allow applications to use Third party call control to originate from an unrestricted phone and then transfer the call to a restricted phone.
Other Products and Services
Set a maximum number of login attempts per call.
Allow time to enter the complete login.
Disconnect if inactive.
Configure pcANYWHERE to log remote control and on-line sessions (set the “Save Session Statistics in Activity Log File” checkbox in the “Other Session Parameters” group box).
PassageWay Telephony Services communicates with the DEFINITY Enterprise Communications Server (ECS) through the DEFINITY ECS LAN Gateway.
TransTalk 9000 Digital Wireless System TransTalk 9000 Digital Wireless System The TransTalk 9000 Digital Wireless System is a flexible wireless adjunct for use with the DEFINITY ECS, DEFINITY Communications Systems, MERLIN LEGEND, PARTNER II, PARTNER Plus, System 25, System 75, and System 85 Communications Systems, as well as the MERLIN MAIL Voice Messaging System.
Call Routing 9 Call Routing Call Flow The following is the basic call flow through the DEFINITY ECS, DEFINITY G1 and G3, or System 75: Endpoint signals switch to start call. If originating endpoint is a station, the request for service is an off-hook. If originating endpoint is a trunk, the request for service is seizure signal (wink start, off-hook, ground start). The switch signals endpoint to start dialing. If the endpoint is a station, dial tone is played for the caller.
Call Routing The system checks the calling permissions of the originator’s COR to see whether the COR of the originator is allowed to call the COR of the destination dialed. If the originator’s COR is set to y for the destination’s COR, the call completes. If it is set to n, intercept tone is returned to the caller. Example: User dials 9. Digit nine is defined as the feature access code for ARS. More digits will follow.
Blocking Calls 10 Country Codes The following is a list of international country codes for direct dialing. In developing your ARS patterns, you may want to consider blocking access to those countries that you do not want users to dial. Keep in mind that calls to Canada and the Caribbean are part of the North American Dialing Plan and should be treated, for ARS purposes, as you would calls to domestic locations. These locations are starred (*) in the following list.
Azerbaijan 994 Bahamas 1-242* Bahrain 973 Bangladesh 880 Barbados 1-246* Barbuda 1-268* Belarus 375 Belgium 32 Belize 501 Benin 229 Bermuda 1-441* Bhutan 975 Bolivia 591 Bosnia & Herzegovina 387 Botswana 267 Brazil 55 British Virgin Islands 1-284* Brunei 673 Bulgaria 359 Burkina Faso 226 Burundi 257 Cambodia 855 Cameroon 237 Canada 1* Cape Verde Islands 238 Cayman Islands 1-345* Central African Republic 236 Chad 2
Country Codes Cocos-Keeling Islands 61 Colombia 57 Comoros 269 Congo 242 Cook Islands 682 Costa Rica 506 Croatia 385 Cuba 53 Cuba (Guantanamo Bay) 5399 Curacao 599 Cyprus 357 Czech Republic 420 Denmark 45 Diego Garcia 246 Djibouti 253 Dominica 1-767* Dominican Republic 1-809* East Timor 670 Easter Island 56 Ecuador 593 Egypt 20 El Salvador 503 Equatorial Guinea 240 Eritrea 291 Estonia 372 Ethiopia 251 Faeroe Islands 298 Falkland Islands 500 Fiji Islan
French Polynesia 689 Gabon 241 Gambia 220 Georgia 995 Germany 49 Ghana 233 Gibraltar 350 Global Mobile Satellite System (GMSS) 881 Greece 30 Greenland 299 Grenada 1-473* Guadeloupe 590 Guam 1-671* Guantanamo Bay 5399 Guatemala 502 Guinea-Bissau 245 Guinea (PRP) 224 Guyana 592 Haiti 509 Honduras 504 Hong Kong 852 Hungary 36 Iceland 354 India 91 Indonesia 62 Inmarsat (Atlantic Ocean East) 871 Inmarsat (Atlantic Ocean W
Country Codes Iraq 964 Ireland 353 Iridium (under deactivation) 8816, 8817 Israel 972 Italy 39 Ivory Coast 225 Jamaica 1-876* Japan 81 Jordan 962 Kazakhstan 7 Kenya 254 Kiribati 686 Korea (North) 850 Korea (South) 82 Kuwait 965 Kyrgyz Republic 996 Laos 856 Latvia 371 Lebanon 961 Lesotho 266 Liberia 231 Libya 218 Liechtenstein 423 Luxembourg 352 Macau 853 Macedonia (former Yugoslav Republic) 389 Madagascar 261 Malawi 265 Malaysia 60 Maldives 960 Ma
Marshall Islands 692 Martinique 596 Mauritania 222 Mauritius 230 Mayotte Island 269 Mexico 52 Micronesia (Federal States of) 691 Midway Island 808 Moldova 373 Monaco 377 Mongolia 976 Montserrat 1-664* Morocco 212 Mozambique 258 Myanmar 95 Namibia 264 Nauru 674 Nepal 977 Netherlands 31 Netherland Antilles 599 Nevis 1-869* New Caledonia 687 New Zealand 64 Nicaragua 505 Niger 227 Nigeria 234 Niue 683 Norfolk Island
Country Codes Palau 680 Palestine 970 Panama 507 Papua New Guinea 675 Paraguay 595 Peru 51 Philippines 63 Poland 48 Portugal 351 Puerto Rico 1-787* Qatar 974 Reunion Island 262 Romania 40 Russia 7 Rwanda 250 St. Helena 290 St. Kitts/Nevis 1-869* St. Lucia 1-758* St. Pierre and Miquelon 508 St.
Spain 34 Sri Lanka 94 Sudan 249 Suriname 597 Swaziland 268 Sweden 46 Switzerland 41 Syria 963 Taiwan 886 Tajikistan 992 Tanzania 255 Thailand 66 Togo 228 Tokelau 690 Tonga Islands 676 Trinidad and Tobago 1-868* Tunisia 216 Turkey 90 Turkmenistan 993 Turks and Caicos Islands 1-649* Tuvalu 688 Uganda 256 Ukraine 380 United Arab Emirates 971 United Kingdom 44 United States of America 1 US Virgin Islands 1-340* Univers
Blocking Toll Fraud Destinations Venezuela 58 Vietnam 84 Wake Island 808 Wallis and Futuna Islands 681 Western Samoa 685 Yemen 967 Yugoslavia 381 Zambia 260 Zanzibar 255 Zimbabwe 263 Blocking Toll Fraud Destinations Toll fraud calls are placed to locations all over the world. Table 10-1, used for illustrative purposes only, highlights some of the destinations where fraudulent calls may terminate.
Blocking Calls Blocking ARS Calls on DEFINITY G1 and System 75 Use the following procedure to block calls to the destinations listed in Table 10-1. This procedure does not prohibit dialing calls via TAC (refer to ‘‘Disable Direct Access to Trunks’’ on page 4-38 for details). 1. Use change ars fnpa 000 to display the ARS FNPA Table screen. 2.
Blocking Toll Fraud Destinations 4.
Blocking Calls 5. Use change rhnpa table 31 to display the RHNPA Table 31 screen. 6. Enter the routing pattern changes to RHNPA Table 31 200 to 299, 300 to 399, and 500 to 599.
Blocking Toll Fraud Destinations
ARS RHNPA TABLE: 31    OFFICE CODES: 500-599
Pattern Choices
  01:2   02:    03:    04:    05:    06:
  07:    08:    09:    10:    11:    12:
Office Code - Pattern Choice Assignments (from 1 to 12 above)
  20:12 30:12 40:12 50:12 60:12 70:1  80:12 90:1
  21:12 31:12 41:12 51:12 61:12 71:12 81:12 91:1
  22:12 32:12 42:12 52:12 62:12 72:12 82:12 92:12
  23:12 33:12 43:12 53:12 63:12 73:12 83:12 93:12
  24:12 34:12 44:12 54:12 64:12 74:12 84:12 94:12
  25:12 35:12 45:12 55:2  65:12
Blocking Calls Blocking ARS Calls on G2.1 and System 85 Use the following procedure to block calls to the destinations listed in Table 10-1 on page 10-9. This procedure does not prohibit dialing calls via TAC (refer to ‘‘Disable Direct Access to Trunks’’ on page 4-38 for details). To block calls to the Dominican Republic, use PROC311 WORD3 (6-digit table for NPA=809) to route each specified NXX combination to an empty pattern.
Blocking Toll Fraud Destinations Blocking WCR Calls on DEFINITY G2.2 Use the following procedure to block calls to the destinations listed in Table 10-1 on page 10-9. For calls to the Dominican Republic, specifically add the allowed NXX as 809NXX, length 10, to the appropriate VNI (routing pattern).
Blocking Calls Blocking ARS Calls on G3 This section contains a sample ARS Digit Analysis Table for G3. In the example, international and operator-assisted numbers are allowed, but 0700 calls are denied, as well as high toll destinations to these countries: Colombia, Pakistan, Jordan, Iraq, Saudi Arabia, United Arab Republic, Israel, Iran, Kuwait, and Puerto Rico. Use the following procedure to block calls to the destinations listed in Table 10-1 on page 10-9.
Blocking Toll Fraud Destinations
ARS DIGIT ANALYSIS TABLE (Continued)
Partitioned Group Number: 1
Dialed String     Total Min  Total Max  Route Pat  Call Type
01198             10         23                    int
0700              11         11                    op
101xxxx           5          5                     op
101xxxx           12         12                    hnpa
101xxxx0          6          6          1          op
101xxxx0          16         16         1          op
101xxxx00         7          7          1          op
101xxxx01         15         23         1          iop
101xxxx01157      15         23                    int
101xxxx01192      15         23                    int
101xxxx011962     15         23                    int
101xxxx011962     15         23                    int
101xxxx011964     15         23                    int
101xxxx011965     15         23                    int
101xxxx0119
Blocking Calls
ARS DIGIT ANALYSIS TABLE (Continued)
Partitioned Group Number: 1
Dialed String     Total Min  Total Max  Route Pat  Call Type
101xxxx0700       16         16                    op
101xxxx1          16         16         1          fnpa
101xxxx1809       16         16                    fnpa
180               11         11         1          fnpa
1809              11         11                    fnpa
Continued on next page
Blocking ARS Calls on System 25 R3V3 The Toll Call Allowed/Disallowed Lists, available in System 25 R3V3, permit the administrator to restrict international calling.
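The following Python function reproduces how an ARS Digit Analysis Table such as the G3 sample above is consulted for a dialed string, and shows why a short allow entry (011, 1) coexists with longer deny entries (01198, 1809) and with carrier-access-code variants (101xxxx...) that a hacker would try in order to bypass the plain entries. It also treats the starred Canada and Caribbean numbers from the country list as domestic, as the chapter introduction directs. This is an added illustration, not code from this handbook or from an Avaya switch. Two points are assumptions about how the table is read: the longest matching dialed string wins, and an entry with an empty Route Pattern denies the call. The rows marked "assumed" are added so that ordinary calls have somewhere to route, and the min/max lengths on the carrier-code rows are the example's own, since the printed lengths do not fit a seven-digit 101xxxx code.

```python
"""ARS digit-analysis lookup for blocking toll fraud destinations.

Added example, not Avaya code. Rows marked 'from the handbook' follow the
sample G3 ARS Digit Analysis Table in this chapter (lengths on the carrier-code
rows are the example's own); rows marked 'assumed' are added so ordinary calls
route somewhere. Assumed semantics: longest matching dialed string wins, an
entry with no route pattern denies the call, and 'x' matches any single digit.
"""

# (dialed string, total min, total max, route pattern or None, call type)
ARS_TABLE = [
    ("0",              1,  1,  1,    "op"),    # assumed: operator
    ("011",           10, 23,  1,    "int"),   # assumed: international allowed by default
    ("1",             11, 11,  1,    "fnpa"),  # assumed: 1+ dialing, domestic and NANP
    ("0700",          11, 11,  None, "op"),    # from the handbook: 0700 denied
    ("01198",         10, 23,  None, "int"),   # from the handbook: Iran denied
    ("1809",          11, 11,  None, "fnpa"),  # from the handbook: 809 NPA denied
    ("101xxxx0",       8,  8,  1,    "op"),    # from the handbook (length adjusted)
    ("101xxxx01",     17, 25,  1,    "iop"),   # from the handbook (length adjusted)
    ("101xxxx01157",  17, 25,  None, "int"),   # from the handbook: Colombia via carrier code
    ("101xxxx01192",  17, 25,  None, "int"),   # from the handbook: Pakistan via carrier code
    ("101xxxx011962", 17, 25,  None, "int"),   # from the handbook: Jordan via carrier code
    ("101xxxx1",      18, 18,  1,    "fnpa"),  # from the handbook (length adjusted)
    ("101xxxx1809",   18, 18,  None, "fnpa"),  # from the handbook: 809 via carrier code
]

# constructed subset of the starred (NANP) entries in the country code list
NANP_DOMESTIC_NPAS = {"242", "246", "441", "345"}


def matches(pattern, dialed):
    """Prefix match where 'x' stands for any digit."""
    if len(dialed) < len(pattern):
        return False
    return all(p == "x" or p == d for p, d in zip(pattern, dialed))


def analyze(dialed, table=ARS_TABLE):
    """Return (decision, route_pattern, call_type) for the digits dialed after
    the ARS access code."""
    candidates = [row for row in table
                  if matches(row[0], dialed) and row[1] <= len(dialed) <= row[2]]
    if not candidates:
        return ("deny", None, None)
    _, _, _, pattern, call_type = max(candidates, key=lambda r: len(r[0]))
    if pattern is None:
        return ("deny", None, call_type)
    return ("route", pattern, call_type)


def is_nanp_domestic(dialed):
    """Canada and the Caribbean are dialed 1+NPA and, per the handbook, are to
    be treated like domestic calls for ARS purposes."""
    return (dialed.startswith("1") and len(dialed) == 11
            and dialed[1:4] in NANP_DOMESTIC_NPAS)


if __name__ == "__main__":
    for number in ("12125551234", "18095551234", "01198212345678",
                   "0114420712345678", "1012881011962612345678"):
        print(number, analyze(number))
```

Note that the deny entries only work because they are longer than the allow entries: an allow row for "011" does not override "01198", and "1809" beats "1". A table that allowed "1809" on one row and denied "18095" on another would likewise deny only the longer string. The carrier-code rows matter because the digit analysis is on the full dialed string, so "1012881011962..." does not match "011962" unless a row spells out the prefix.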
Remote Access Example (DEFINITY ECS, DEFINITY G1, G3, and System 75) 11 This chapter provides procedures for setting up and disabling Remote Access for DEFINITY ECS, DEFINITY G1, G3, and System 75. Setting Up Remote Access For DEFINITY ECS, DEFINITY G1, G3, and System 75, use the example below to set up Remote Access to help prevent unauthorized use. This example creates a new ARS/AAR networking plan in a separate Partitioned Group Number (PGN) for Remote Access only.
Remote Access Example (DEFINITY ECS, DEFINITY G1, G3, and System 75) 11. Select a PGN (1 through 8) that is not in use in any other COR. This PGN will be reserved for Remote Access only. Enter this number in the Partitioned Group Number field. For this example, we will use PGN 8. NOTE: Do not use the default PGN, which is generally 1.
Permanently Disabling Remote Access 19. For all the Route Patterns assigned to ARS/AAR Partition 8, use change route-pattern to administer an appropriate FRL (1 through 7) in the FRL field. Since the FRL on the COR reserved for Remote Access is 0, the Remote Access caller will always be prompted for an authorization code for outside calls. 20. Assign authorization codes for your Remote Access users that provide the lowest possible FRL to match each user’s calling requirements.
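The following Python model ties together the check order the Call Routing chapter (Chapter 9) describes, COR-to-COR calling permission first and then the caller's FRL against the route pattern's FRL, with the Remote Access design above, where the Remote Access COR has FRL 0 in its own partition so that every outside call prompts for an authorization code whose FRL then applies. It is an added illustration, not code from this handbook or from a DEFINITY switch; the COR numbers, partitioned group numbers, route pattern FRLs and authorization codes are constructed sample values.

```python
"""Outgoing-call permission checks in the order the handbook's Call Routing
chapter describes: COR-to-COR calling permission first, then the caller's FRL
against the route pattern's FRL, with an authorization code able to raise the
effective FRL as in the Remote Access example of Chapter 11.

Added example, not Avaya code. COR numbers, partitioned group numbers, FRLs
and authorization codes are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class COR:
    number: int
    frl: int                       # 0 (most restricted) to 7
    pgn: int                       # ARS/AAR partitioned group number
    may_call: FrozenSet[int]       # calling permissions: CORs this COR may reach


# (pgn, route pattern) -> FRL required to use that pattern; constructed
ROUTE_PATTERN_FRL = {
    (8, 1): 1,   # local
    (8, 2): 3,   # domestic toll
    (8, 3): 7,   # international
}

# authorization code -> FRL it grants; constructed sample codes
AUTH_CODES = {"4829301": 3, "7710648": 7}

# Remote Access COR as in the Chapter 11 example: FRL 0, reserved PGN 8
REMOTE_ACCESS_COR = COR(number=10, frl=0, pgn=8, may_call=frozenset({10, 20}))
TRUNK_COR = 20       # COR assigned to the outgoing trunk groups
STATION_COR = 30     # COR of ordinary stations, not reachable from Remote Access


def frl_permits(origin: COR, pattern: int,
                auth_code: Optional[str]) -> Tuple[bool, str]:
    """FRL check for one route pattern in the caller's partition."""
    required = ROUTE_PATTERN_FRL.get((origin.pgn, pattern))
    if required is None:
        return False, "pattern not in this partition"
    if origin.frl >= required:
        return True, "caller FRL sufficient"
    if auth_code is None:
        return False, "authorization code required"
    granted = AUTH_CODES.get(auth_code)
    if granted is None:
        return False, "invalid authorization code"
    if granted >= required:
        return True, "FRL raised by authorization code"
    return False, "authorization code FRL too low"


def place_call(origin: COR, dest_cor: int, pattern: int,
               auth_code: Optional[str] = None) -> Tuple[bool, str]:
    """COR check, then FRL check; the first failure is the reason returned."""
    if dest_cor not in origin.may_call:
        return False, "COR-to-COR calling permission denied (intercept tone)"
    return frl_permits(origin, pattern, auth_code)


if __name__ == "__main__":
    for args in ((STATION_COR, 1, None), (TRUNK_COR, 1, None),
                 (TRUNK_COR, 2, "4829301"), (TRUNK_COR, 3, "4829301")):
        print(args, place_call(REMOTE_ACCESS_COR, *args))
```

Because the Remote Access COR carries FRL 0 and every route pattern in partition 8 requires at least FRL 1, no outside call completes without a code, and a code with FRL 3 reaches domestic toll but not the international pattern. Giving each user the lowest FRL that covers their needs (step 20 above) is what limits the damage when a code leaks.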
Remote Access Example (DEFINITY ECS, DEFINITY G1, G3, and System 75) 11-4 Issue 7 June 2001
Administering Features of the DEFINITY G3V3 and Later, Including DEFINITY ECS 12 This chapter provides information on administering these features in the following DEFINITY ECS and DEFINITY G3.
Administering Features of the DEFINITY G3V3 and Later, Including DEFINITY ECS Administering the SVN Feature This section contains the following subsections: 1. Administering the login component 2. Administering the Remote Access component 3. Administering the authorization code component 4. Administering the Station Security Code component Administering the Login Component To administer system parameters for the login component of the SVN feature, do the following: 1.
Administering the SVN Feature Time Interval Enter the time interval within which a login security violation must occur. The range is one minute to 7 hours 59 minutes (0:01 to 7:59), and is entered in the form x:xx. For example, if you want the time interval to be 1 minute, enter 0:01. If you want the time interval to be seven and one-half hours, enter 7:30. The system default is 0:03. Announcement Extension Enter an extension that is assigned to the login SVN announcement.
Administering Features of the DEFINITY G3V3 and Later, Including DEFINITY ECS List the Status of a Login ID To list the status of a login: 1. Log in to the switch using a login ID with the proper permissions. 2. Enter the command list login. A display indicating the status of the specified login will appear. Possible login ID statuses are: disabled — The login was disabled manually using the disable login command.
Administering the SVN Feature Login Threshold Enter the number of invalid login attempts that will be permitted before a referral call is made. The value assigned to this field, in conjunction with the Time Interval field, determines whether a security violation has occurred: the threshold must be reached within the interval. The system default is 5. Time Interval Enter the time interval within which a login security violation must occur. The range is one minute to 7 hours 59 minutes (0:01 to 7:59), and is entered in the form x:xx.
Administering Features of the DEFINITY G3V3 and Later, Including DEFINITY ECS Administering Remote Access Kill After N Attempts Following is an example of how to administer this feature. 1. To access the System Parameters Features screen from the command line interface, enter change system-parameters features security (G3V3 and later) or change system-parameters features (releases prior to G3V3).
If the Remote Access feature is to be dormant for a period of time, it can be disabled using the disable remote-access command. Entering this command disables the Remote Access feature until it is re-enabled using the enable remote-access command.

Administering Login ID Kill After N Attempts
Following is an example of how to administer this feature.
1. Enter the change system-parameters features command to assign Security Violation Notification (SVN) parameters.
Enter the enable login command to re-enable the login ID. If a login ID is to be dormant for a period of time, it can be disabled using the disable login command. Entering this command disables the login ID until it is re-enabled using the enable login command.
Time Interval
Enter the time interval within which the authorization code security violations must occur. The range for the time interval is one minute to eight hours (0:01 to 7:59), and is entered in the form x:xx. For example, if you want the time interval to be one minute, enter 0:01. If you want the time interval to be seven and one-half hours, enter 7:30. The system default is 0:03.
Originating Extension
This dynamic field is displayed only when the “SVN Station Security Code Violation Enabled” field is set to y. Whenever a Station Security Code Security Violation Notification referral call is made, the extension in this field is used internally as the originating extension. Its only significance is that it is not available for use as a normal extension.
Administering Barrier Code Aging

Announcement Extension
This field contains an extension corresponding to a recorded announcement that is to be played whenever a Station Security Code SVN referral call is made. This allows the referral destination to be a phone without a display. This is a dynamic field that is displayed whenever the corresponding “SVN Violation Notification Enabled” field is set to y. Enter a 5-digit extension to be assigned to the appropriate announcement.
Barrier Code
Assign a barrier code that conforms to the number entered in the Barrier Code Length field. All codes must be 4 to 7 digits. The code can be any combination of the digits 0 through 9. If the Barrier Code Length field is blank, the first barrier code field must be specified as none. Duplicate entries are not allowed. The system default for this field is blank.
Administering Customer Logins and Forced Password Aging

Calls Used
This display-only field specifies the number of calls that have been placed using the corresponding barrier code. The Calls Used field is incremented each time a barrier code is successfully used to access the Remote Access feature.
NOTE: A usage that exceeds the expected rate may indicate improper use.

Permanently Disable
Entering y in this field permanently disables the Remote Access feature.
To add a customer login, you must be a superuser with administrative permissions. Follow these steps:
NOTE: Always use your own unique login — never an Avaya customer login or a variation of one (for example, “cust,” “rcust,” “cust1,” “rcust1,” etc.).
1. Access the Login Administration form by entering the add login command.
9. In the Password Aging Cycle Length field, enter the number of days (from the current day) after which you wish the password to expire. If this field is left blank, password aging will not apply to the specified login. Valid entries are from 1 to 99 days or a blank. When a login password is within seven days or less of its expiration date, a warning message is displayed when the user logs in: WARNING: your password will expire in xx days.
10.
6. Enter a password for the new login in the Login’s Password field. A password must be 4 to 11 characters and contain at least 1 alphabetic and 1 numeric symbol; valid characters include numbers and the following symbols: ! & * ? ; ’ ^ ( ) , : - . The system does not echo the password to the screen as you type.
7. Re-enter the password in the Re-enter Login’s Password field.
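The password rule in step 6 (4 to 11 characters, at least one letter and one digit, a fixed set of permitted symbols), the Password Aging Cycle Length rule in step 9 (blank or 1 to 99 days, with a warning when expiry is seven days away or less), and the note about never using an Avaya customer login or a variation of it can all be checked before an administrator types them into the Login Administration form. The following is an added illustration, not Avaya code and not how the switch itself validates the fields: it assumes ASCII letters are permitted alongside digits and the listed symbols, treats the page's “variation thereof” as “cust” or “rcust” followed by optional digits, and treats a password past its cycle length as expired (the page does not say what the switch does then).

```python
"""Pre-checks for DEFINITY customer login passwords and password aging.
Added illustration, not Avaya code; see the lead-in for assumptions."""
import re
import string
from datetime import date, timedelta

# Symbols listed on the Login Administration form; ASCII apostrophe assumed.
ALLOWED_SYMBOLS = set("!&*?;'^(),:-.")
# Letters are not listed explicitly on the page but a password must contain one (assumption: ASCII).
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS


def password_problems(pw: str) -> list:
    """Return every rule the candidate password breaks; an empty list means acceptable."""
    problems = []
    if not 4 <= len(pw) <= 11:
        problems.append("length must be 4 to 11 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("needs at least one alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one numeric character")
    bad = sorted({c for c in pw if c not in ALLOWED_CHARS})
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    return problems


def looks_like_default_login(login_id: str) -> bool:
    """True for cust, rcust and digit-suffixed variants (the page's examples); assumption: that is the family meant."""
    return re.fullmatch(r"r?cust\d*", login_id.strip().lower()) is not None


def aging_cycle_ok(cycle_days) -> bool:
    """Valid Password Aging Cycle Length entries: blank (None, no aging) or 1 to 99 days."""
    return cycle_days is None or (isinstance(cycle_days, int) and 1 <= cycle_days <= 99)


def expiry_warning(set_on: date, cycle_days, today: date):
    """Reproduce the login-time warning: shown when expiry is seven days away or less.
    Returns None when no warning applies.  Expired passwords are reported too (assumption)."""
    if cycle_days is None:
        return None
    remaining = (set_on + timedelta(days=cycle_days) - today).days
    if remaining < 0:
        return "WARNING: your password has expired"
    if remaining <= 7:
        return f"WARNING: your password will expire in {remaining} days"
    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    for candidate in ("ab12", "abc", "a1b2c3d4e5f6", "ab1#"):
        print(candidate, password_problems(candidate) or "ok")
    print("cust1 default-like:", looks_like_default_login("cust1"))
    print(expiry_warning(date(2001, 6, 1), 30, date(2001, 6, 25)))
```

The checks are deliberately separate functions so a provisioning script can report every violated rule at once rather than stopping at the first, which mirrors how an administrator would want to correct a form before submitting it.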
If the Maintenance option is set to y on the Customer Options form, the superuser may enter y in the Maintain Switch Circuit Packs or Maintain Process Circuit Packs fields.
3. A superuser with full superuser permissions can restrict additional administrative or maintenance actions for a specified login by entering y in the Additional Restrictions field on the Command Permission Categories form.
Administering the Security Violations Reports
The Security Violations reports provide current status information for invalid login, Remote Access (barrier code), or authorization code attempts.
Changing Your Password 13
This chapter provides steps for changing passwords for systems listed in this handbook, where applicable.

AUDIX Voice Mail System
System administrators: Use the Identification form to change your login password.
1. To access this form, with the cursor on the PATH line, type id (identification) and press F8 (ENTER).
2. Move the cursor to the New Password field and type the password you have selected.
3. Move the cursor to the Old Password field and type CUST.
4.
AUDIX Voice Power System
System administrators:
1. Access the AUDIX Voice Power System main menu.
2. Select Subscriber Administration.
3. On the Subscriber Administration screen, enter a password, a name, and an extension.
4. Press F3 (exit).
End users:
1. Enter your extension and password.
2. Press 5.
3. Follow the prompts to change your password.

CONVERSANT Voice Information System
System administrators:
1.
6. When prompted to repeat the new password (re-enter new password), enter the new password again. If the two password entries are the same, the password is assigned. If the two password entries do not match, the following message is displayed: They don’t match; try again. New password:
You receive an error message if:
— You enter the old password incorrectly.
— The new password is not six characters long.
DEFINITY AUDIX System
System administrators: You can change two passwords: 1) that of the currently logged-in user, and 2) the system password. (You need cust or higher-level login permissions.)
— Currently Logged-in User’s Password
Use the Password form to change the password of the currently logged-in user.
1. To access the Password form, type change password and press Enter.
2. Type the currently logged-in user’s login ID in the Login ID field.
3.
DEFINITY ECS and DEFINITY G1 and G3
System administrators: Use the Change Password form to change the login password.
1. Log in as cust, or for G3V3 or later, as the customer superuser login you have defined.
2. Enter change password <login>, where <login> is the login you want to change. For example, if you want to change the password for the login cust, enter change password cust and then press Return.
3. Verify that the screen displays the Change Password Form.
DEFINITY G2
For DEFINITY G2, passwords are shared between the customer and Avaya. Contact the Database Administration group at the TSC for help in changing your password on these systems.

Avaya INTUITY System
System administrators: Logins for both the system administrator (sa) and the voice messaging (vm) (AUDIX Voice Mail System) administrator come with a default password.
MERLIN MAIL or MERLIN MAIL-ML Voice Messaging System
NOTE: No default password is initially assigned for the system administrator, system administration password, or a new user. When prompted for the password, press #. After you have successfully logged in, the system will prompt you to change the password. Follow the prompts to change the password.
System administrators:
1.
MERLIN MAIL R3, MERLIN LEGEND Mail, or PARTNER MAIL R3 Voice Messaging System
System administrators: You can change two passwords: 1) the system administrator’s mailbox password, and 2) the system administration password.
— The System Administrator’s Mailbox Password
1. Dial the MERLIN MAIL R3, MERLIN LEGEND Mail, or PARTNER MAIL R3 Voice Messaging System or press a programmed button.
2. Enter the system administrator mailbox number (initially 9997) and press #.
3.
PARTNER MAIL System
System administrators: Change your password by means of the Voice Mail Menu.
1. To access this menu, press Intercom 777 or a programmed button.
2. Enter your mailbox number (initially 9997) and press #.
3. Enter your password (initially 1234) and press #.
4. Press 5 and follow the prompts to change your password.
End users: Change your password by means of the Voice Mail Menu.
1. To access this menu, press Intercom 777 or a programmed button.
2.
System 25
System administrators:
1. From the Main Menu prompt, enter 4.
2. At Action = enter 75.
3. At Data = enter the new password. For security, the display always shows ????????. The default is systemx5.
NOTE: The password reverts to the default when the system cold starts. The following message is displayed when a cold start occurs: WARNING: Default Password in effect.
System 85
End users: Use the Change Password form to change the login password.
1. Verify that the screen displays: command:
2. Enter change password <login>, where <login> is the login you want to change. For example, if you want to change the login password for dopg1, enter change password dopg1 and then press Return.
3. Verify that the screen displays the Change Password Form. The cursor is positioned on the Your Current Password field.
4. Enter your current password, then press Return.
Toll Fraud Job Aids 14
The job aids in this appendix are tools for your organization to use in securing your system against toll fraud. Copy them and distribute them to your staff to post or use in any other manner that meets their needs.

Toll Fraud Warning Signs
- Customers or employees complain that the 800 number is always busy. The busy line could even impact local Direct Inward Dial (DID) lines.
- Switchboard operators complain of frequent hang-ups or touch-tone sounds when they answer.
- An upsurge in use on DISA or other trunks.
- Unusual increase in customer premises equipment-based system memory usage.
- Unexplained changes in system software parameters.
- Unexplained problems related to being “locked out” of the system or Personal Identification Number (PIN) changes in the voice mail system.
- Significant increase in calls from a single geographic area or from the same Automatic Number Identification (ANI).
System Security Action Plan

Educate End Users
The first step customers should take in tightening the security of their systems is to increase end users’ awareness of the system’s security features and vulnerabilities.
- Develop and implement a toll fraud detection and reaction plan with all employees.
- Train users on remote access responsibilities and security procedures.
- Establish and maintain security policies regarding password/authorization code protection.
Top 10 Tips to Help Prevent Phone “Phraud”
1. Protect System Administration Access
Ensure secure passwords exist for all logins that allow System Administration or Maintenance access to the system. Change the passwords frequently.
2. Prevent Voice Mail System Transfer to Dial Tone
Activate “secure transfer” features in voice mail systems. Place appropriate restrictions on voice mail access/egress ports.
3.
9. Monitor Traffic and System Activity for Abnormal Patterns
Activate features that “turn off” access in response to unauthorized access attempts. Use Traffic and Call Detail reports to monitor call activity levels.
10.
Special Security Product and Service Offers 15

Remote Port Security Device (RPSD)
The Remote Port Security Device (RPSD) offers enhanced protection for dial-up data access. Communications systems typically consist of a mix of digital PBXs, voice mail systems, and adjunct applications computers. Dial-up ports on these systems provide remote access for maintenance and administration support.
The Key and Lock use a sophisticated dynamic challenge/response technique to assist you in preventing unauthorized access to your administration and maintenance ports. The Key and Lock authentication process is as follows:
- The Lock answers the incoming call destined for the dial-up modem port. It generates a dynamic challenge, unique to every call, and transmits it to the RPSD installed at the calling end.
Securing DEFINITY Systems (Prior to Release 7.2) with the Remote Port Security Device (RPSD)
If your telephones are connected to a DEFINITY switch or DEFINITY ECS prior to Release 7.2 (which is the same as DEFINITY G3V7.2), you may wish to use a Remote Port Security Device, the RPSD. (Note that this Lock and Key system is available ONLY in the United States.
Securing DEFINITY Systems (Release 7.2 and Later) with Access Security Gateway (ASG)
The Access Security Gateway (ASG) integrates challenge/response technology into Avaya products and is available, beginning with the DEFINITY ECS Release 7.2 (that is, DEFINITY G3V7.2), to secure the DEFINITY switch administration and maintenance ports and logins and thus reduce the possibility of unauthorized access to the system.
Administering Access Security Gateway
Use the following procedure to administer Access Security Gateway.
1. On the System Parameters Customer Option form, do the following:
NOTE: Only Avaya technicians can access this form.
- Set the G3 Version field to V6 or later configuration.
- Set the Access Security Gateway (ASG) field to y.
2.
Logging in via Access Security Gateway (Session Establishment)
Use the following procedure to log in to the system via the Access Security Gateway interface:
NOTE: The numbers shown as challenges and responses in the procedures below are for example purposes only. They will not be the numbers you actually use or see on your ASG Key.
1. Connect to the DEFINITY ECS system administration/maintenance port. The system responds with the login prompt.
2.
Maintaining Login IDs

Temporarily Disabling Access Security Gateway Access for a Login
To temporarily disable Access Security Gateway, for instance, while users are on vacation or travel:
1. At the prompt, type change login xxxx (xxxx = alphanumeric login ID) and press Return to open the Login Administration form.
2. On page 2 of the Login Administration form, set the Blocked field to y.
Loss of an ASG Key
If a user loses an ASG Key, the user must notify the system administrator immediately. The administrator, in turn, must do the following:
- Modify any logins associated with the lost ASG Key. See the Access Security Gateway Key User’s Guide for information on changing your PIN.
- If the login is no longer valid, at the prompt, type remove login xxxx (xxxx = alphanumeric login ID) and press Return to remove the invalid login from the system.
Security Measurements
Access Security Gateway session establishment or reject events do not increment the Successful Logins, Invalid Attempts, Invalid IDs, Forced Disconnects, Login Security Violations or Trivial Attempts counters maintained for the list measurements security-violations detail report.
Logging In With ASG
When you begin a remote session with an Intuity AUDIX system that is ASG-activated, the system prompts you with a challenge. To log in to a system that has ASG activated for your login:
1. At the login: prompt, enter your login ID. The terminal screen displays the following message: Challenge: xxxxxxx Response:
2. Press ENTER on the ASG Key to start the ASG Key. The ASG Key displays the following message: PIN:
3.
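Both the RPSD Lock/Key description and the ASG login procedures above describe the same shape of exchange: the system issues a challenge that is unique to the call, a hand-held Key combines that challenge with a secret and the user's PIN to produce a response, and the system accepts the session only if the response matches. The following is an added illustration of that exchange with both sides modelled, not Avaya code; the actual RPSD and ASG algorithms are not given on the page, so the response is assumed here to be a 7-digit truncation of HMAC-SHA256 over the PIN and challenge, keyed with a per-login secret shared between the Key and the system. The Blocked flag from the Login Administration form is included so a blocked login is refused before any challenge is issued.

```python
"""Challenge/response session establishment in the RPSD/ASG style.
Added illustration, not Avaya code; the response function is an assumption."""
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 7   # the page shows a 7-character challenge; the same width is assumed for the response


def _response(secret: bytes, pin: str, challenge: str) -> str:
    """Assumed Key algorithm: HMAC-SHA256 keyed with the Key's secret, over PIN and challenge, reduced to digits."""
    mac = hmac.new(secret, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class AsgKey:
    """The hand-held Key: holds the secret, takes the user's PIN and the displayed challenge, shows a response."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, pin: str, challenge: str) -> str:
        return _response(self._secret, pin, challenge)


class AsgLock:
    """The system side: a login record per ID (secret, PIN, Blocked flag) and one outstanding challenge per login."""

    def __init__(self):
        self.logins = {}     # login_id -> {"secret": bytes, "pin": str, "blocked": bool}
        self.pending = {}    # login_id -> challenge issued for the session now being established

    def add_login(self, login_id: str, secret: bytes, pin: str, blocked: bool = False):
        self.logins[login_id] = {"secret": secret, "pin": pin, "blocked": blocked}

    def set_blocked(self, login_id: str, blocked: bool):
        self.logins[login_id]["blocked"] = blocked

    def challenge(self, login_id: str):
        """Answer the login: prompt with a fresh challenge, or None if the login is unknown or Blocked."""
        rec = self.logins.get(login_id)
        if rec is None or rec["blocked"]:
            return None
        self.pending[login_id] = str(secrets.randbelow(10 ** RESPONSE_DIGITS)).zfill(RESPONSE_DIGITS)
        return self.pending[login_id]

    def verify(self, login_id: str, response: str) -> bool:
        """Check the typed response against the challenge this system issued; each challenge is usable once."""
        rec = self.logins.get(login_id)
        challenge = self.pending.pop(login_id, None)   # consumed whether or not the response is right
        if rec is None or rec["blocked"] or challenge is None:
            return False
        expected = _response(rec["secret"], rec["pin"], challenge)
        return hmac.compare_digest(expected, response)


def establish_session(lock: AsgLock, key: AsgKey, login_id: str, pin: str) -> bool:
    """The exchange end to end: login ID -> Challenge -> Key response -> accept or reject."""
    challenge = lock.challenge(login_id)
    if challenge is None:
        return False
    return lock.verify(login_id, key.respond(pin, challenge))


if __name__ == "__main__":
    # Constructed sample secret and PIN; nothing here is a real credential.
    shared = b"constructed-shared-secret"
    lock = AsgLock()
    lock.add_login("sa", shared, "1234")
    print("session with matching Key and PIN:", establish_session(lock, AsgKey(shared), "sa", "1234"))
    print("session with wrong PIN:", establish_session(lock, AsgKey(shared), "sa", "9999"))
```

Because the system keeps the challenge it issued and discards it after one verification, a response captured from an earlier session is useless for a later one, which is the property the page's "unique to every call" wording is describing.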
Adding an ASG Login
You must be logged in as sa to add an ASG login for sa or vm. To add a new ASG login to your system:
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration window.
2. Complete the following fields:
Login ID: (In this field type either sa or vm.
Blocking or Reinstating Access Privileges for an ASG Login
If a user will not need access to the system for a long period of time, you can block the ASG Login ID’s access temporarily. Perform the following tasks to block or reinstate access for an ASG Login.
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration window.
2.
Displaying ASG Login Information
If you need to check on the status of an ASG login, perform the following tasks to display the ASG Display screen.
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration window.
2. Type the user’s login ID in the Login ID: field.
3.
2. Type a new value in the Number of failed login attempts: field, if needed. (This number can be from 1 to 99 and indicates the number of times that the user can incorrectly type the login information before the system places an entry in the Alarm Log and disallows further login attempts.)
NOTE: A lower number in this field protects the system more fully.
3. Type a new value in the Failed login measurement window: field, if needed.
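The INTUITY fields above (Number of failed login attempts, Failed login measurement window) and the DEFINITY SVN login component described earlier (Login Threshold, default 5, together with a Time Interval entered as x:xx between 0:01 and 7:59, default 0:03) both express one detection rule: N failures for a login ID inside a sliding time window constitute a violation that triggers a referral or alarm and locks out further attempts. The following is an added illustration of that rule applied to login records, not Avaya code and not how either product stores its counters; the log lines are constructed, the h:mm interval parser follows the DEFINITY form described on the page, and it is assumed that a successful login does not clear earlier failures.

```python
"""Threshold-within-window detection of failed logins, as an added illustration
of the SVN Login Threshold / Time Interval and INTUITY failed-login window rules.
Not Avaya code; log format and lockout handling are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_THRESHOLD = 5        # page: Login Threshold system default is 5
DEFAULT_INTERVAL = "0:03"    # page: Time Interval system default is 0:03


def parse_interval(text: str) -> timedelta:
    """Parse the x:xx Time Interval field; the valid range on the page is 0:01 to 7:59."""
    m = re.fullmatch(r"([0-7]):([0-5]\d)", text)
    if not m:
        raise ValueError(f"interval must be in the form x:xx within 0:01 to 7:59, got {text!r}")
    total = timedelta(hours=int(m.group(1)), minutes=int(m.group(2)))
    if total < timedelta(minutes=1):
        raise ValueError("interval must be at least 0:01")
    return total


class LoginViolationMonitor:
    """Flag a violation when failures for one login ID reach the threshold inside a sliding window."""

    def __init__(self, threshold: int = DEFAULT_THRESHOLD, interval: str = DEFAULT_INTERVAL):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.window = parse_interval(interval)
        self.failures = defaultdict(deque)   # login_id -> timestamps of recent failures
        self.disabled = set()                # login IDs locked after a violation ("kill after N attempts")

    def record_failure(self, login_id: str, when: datetime) -> bool:
        """Feed one failed attempt; return True if it completes a violation (referral/alarm point)."""
        if login_id in self.disabled:
            return False                     # already locked out; further attempts are refused, not re-reported
        q = self.failures[login_id]
        q.append(when)
        cutoff = when - self.window
        while q and q[0] < cutoff:           # drop failures that fell outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.disabled.add(login_id)
            q.clear()
            return True
        return False


# Constructed sample records (not from any real switch): one burst, one slow series, one success.
LOG = """\
2001-06-01 08:00:00 login=ops12 result=FAIL
2001-06-01 08:00:30 login=ops12 result=FAIL
2001-06-01 08:01:10 login=ops12 result=FAIL
2001-06-01 08:01:40 login=ops12 result=FAIL
2001-06-01 08:02:05 login=ops12 result=FAIL
2001-06-01 08:10:00 login=admin7 result=FAIL
2001-06-01 08:20:00 login=admin7 result=FAIL
2001-06-01 08:30:00 login=admin7 result=FAIL
2001-06-01 08:40:00 login=admin7 result=FAIL
2001-06-01 08:50:00 login=admin7 result=FAIL
2001-06-01 09:00:00 login=admin7 result=OK
"""
LINE_RE = re.compile(r"(\S+ \S+) login=(\S+) result=(\S+)")


def scan(log_text: str, threshold: int = DEFAULT_THRESHOLD, interval: str = DEFAULT_INTERVAL) -> list:
    """Return (login_id, timestamp) for every violation found in the log under the given parameters."""
    monitor = LoginViolationMonitor(threshold, interval)
    referrals = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, login_id, result = m.groups()
        if result == "FAIL" and monitor.record_failure(login_id, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")):
            referrals.append((login_id, stamp))
    return referrals


if __name__ == "__main__":
    print("default 5 within 0:03:", scan(LOG))
    print("5 within 7:59:", scan(LOG, interval="7:59"))
```

Running the same records under the two intervals shows why the page pairs the threshold with a window: five failures spread ten minutes apart never trip the 0:03 default, but widening the window to 7:59 catches the slow series as well, at the cost of more referrals for ordinary mistyping.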
Avaya Support
Avaya provides RPSD Keys to its maintenance centers to accommodate access to systems you secure with the RPSD Lock. With DEFINITY Release 7.2 and Intuity Release 5.0, the services area of Avaya has been modified to accommodate the ASG feature. However, note that, unlike the RPSD Lock feature, which requires access through a hardware RPSD Key at the services site, negotiating the system through ASG is accomplished through a software interface to the INADS “connect” tool.
Toll Fraud Contact List
Contact: Your Avaya Account Executive or Design Specialists
For: General questions related to toll fraud
Contact: Avaya Toll Fraud Intervention Hotline
For: All systems and products, including DEFINITY ECS, DEFINITY Communications Systems, DIMENSION, System 75, System 85, MERLIN II, MERLIN LEGEND, PARTNER II, PARTNER Plus, and System 25 Communications Systems, and their adjuncts: Immediate crisis intervention if you suspect that your company is exp
Product Security Checklists 16
This chapter contains the following security checklists:
General Security Procedures (page 16-2)
AUDIX Voice Mail System (page 16-4)
AUDIX Voice Power System (page 16-6)
BasicWorks (page 16-8)
CONVERSANT Voice Information System (page 16-12)
DEFINITY G1 (page 16-14), G2 (page 16-20), and G3 (page 16-14)
DEFINITY AUDIX System (page 16-4)
DIMENSION PBX System and DEFINITY ECS (page 16-24)
INTUITY AUDIX Voice Messaging System (page 16-4)
MERLIN II Communications System
System 75 (page 16-14)
System 85 (page 16-20)
PassageWay Telephony Services (page 16-66)

General Security Procedures
Customer: _________________________________________
Location: _________________________________________
System & Version: _________________________________________
Date Installed: _________________________________________
Table 16-1. General Security Procedures
Table 16-1. General Security Procedures (Continued)
Y/N(1)  Note  N/A
- Social Engineering explained
- Customer is aware of network-based toll fraud surveillance offerings such as netPROTECT
- Customer knows how to subscribe to ACCESS security shared folder
(1) If “NO” (N), provide Note reference number and explain.
AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems
Table 16-2. AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems
Table 16-2. AUDIX, DEFINITY AUDIX and INTUITY AUDIX Voice Messaging Systems (Continued)
Y/N(1)  Note  N/A
- Number of digits on outcalling minimized, and/or outcalling destination restricted by host PBX
- Voice processing ports COR-to-COR restricted from dialing RA barrier codes (when host communications system is System 75, DEFINITY ECS, or DEFINITY G1 or G3)
Product Monitoring
- Administration Log and Activity Log checked daily
(1) If “NO” (N), provide Note reference number and explain.
AUDIX Voice Power System
Table 16-3. AUDIX Voice Power System
BasicWorks
Also see the general security checklist on page 16-2.
Table 16-4. BasicWorks
Table 16-4. BasicWorks (Continued)
Y/N(1)  Note  N/A
- Authorization codes used
- Operator calls restricted
- Switch-hook flash denied on FAX machines, modems, etc.
CONVERSANT Voice Information System
Also see the general security checklist on page 16-2, and the security checklist for the host communications system.
Table 16-5. CONVERSANT Voice Information System
DEFINITY ECS, DEFINITY G1 and G3, and System 75
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 16-6. DEFINITY ECS, DEFINITY G1 and G3, and System 75
Table 16-6. DEFINITY ECS, G1, and G3, and System 75 (Continued)
Y/N(1)  Note  N/A
- Switch-hook flash denied on FAX machines, modems, etc.
DEFINITY G2 and System 85
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 16-7. DEFINITY G2 and System 85
Table 16-7. DEFINITY G2 and System 85 (Continued)
Y/N(1)  Note  N/A
- Administration login password changed on regular basis
- Transfer to Subscribers Only = y (AVP)
- Change password from default for new subscribers
- Voice ports outward restricted if outcalling not used
- Use of outcalling denied or minimized
- Invalid Auto Attendant menu options directed to operator
- Disable remote maintenance access when not in use
(1) If “NO” (N), provide Note reference number and explain.
DIMENSION PBX System
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Customer: _________________________________________
FP & Issue: _________________________________________
Location: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________
Table 16-8. DIMENSION PBX System
Table 16-8. DIMENSION PBX System (Continued)
Y/N(1)  Note  N/A
- Barrier code is a random 4-digit sequence
Product Monitoring
- SMDR reports monitored daily, including authorization code violations
- Traffic measurement reports, including remote access history, reviewed daily
Customer Education
- Security code changed on a scheduled basis and coordinated with Denver Maintenance Center
- Blocking 976 look-alikes
(1) If “NO” (N), provide Note reference number and explain.
MERLIN II Communications System
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 16-9. MERLIN II Communications System (Continued)
Y/N(1)  Note  N/A
If outcalling enabled:
- All voice mail ports except last one toll restricted
- Last port for voice mail restricted to areas appropriate for outcalling
Product Monitoring
- SMDR reports monitored daily
Customer Education
- Blocking 976 look-alikes
(1) If “NO” (N), provide Note reference number and explain.
MERLIN LEGEND Communications System
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 16-10. MERLIN LEGEND Communications System
Table 16-10. MERLIN LEGEND Communications System (Continued)
Y/N(1)  Note  N/A
- Disallow list created containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999
- Access denied to pooled facility codes 70, and 890-899
Product Monitoring
- SMDR/Hacker Tracker reports monitored daily
(1) If “NO” (N), provide Note reference number and explain.
(2) See also AVP or MERLIN MAIL Voice Messaging System checklists, as appropriate.
MERLIN MAIL Voice Messaging System
Also see the general security checklist on page 16-2, and the security checklist for the host communications system.
Table 16-11. MERLIN MAIL Voice Messaging System (Continued)
Y/N(1)  Note  N/A
- MERLIN LEGEND Communications System voice mail port(s) used for outcalling restricted via allow list to specific areas if outcalling is needed.
- All other MERLIN LEGEND Communications System voice mail ports outward restricted.
- Disallow list created containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999.
MERLIN MAIL-ML Voice Messaging System
Also see the general security checklist on page 16-2, and the security checklist for the host communications system.
Table 16-12. MERLIN MAIL-ML Voice Messaging System (Continued)
Y/N(1)  Note  N/A
- MERLIN LEGEND Communications System voice mail port(s) used for outcalling restricted via allowed list to specific areas if outcalling is needed.
- All other MERLIN LEGEND Communications System voice mail ports outward restricted.
- On MERLIN LEGEND Communications System, create disallow list containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999.
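The MERLIN LEGEND, MERLIN MAIL and MERLIN MAIL-ML checklists above all describe the same layering of outbound dialing controls on voice mail ports: every port is outward restricted unless outcalling is needed, the port that does outcall is confined by an allowed list to specific areas, and a disallow list of 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900 and 9999 blocks the usual toll-fraud destinations. The following is an added illustration of evaluating a dialed number against that layering so an administrator can check what a given port configuration would and would not let through; it is not MERLIN LEGEND code, and it assumes that list entries match on leading digits and that a disallow entry wins over an allowed-list entry. The area codes in the sample allowed list are constructed sample values.

```python
"""Outbound dialing check for voice mail ports: outward restriction, disallow list, allowed list.
Added illustration, not MERLIN LEGEND code; prefix matching and precedence are assumptions."""

# Disallow list entries exactly as given on the checklists.
DISALLOW_LIST = ["0", "011", "10", "700", "800", "1800", "809", "1809", "411", "1411", "900", "9999"]


def digits_only(dialed: str) -> str:
    """Strip separators so '303-555-1212' and '3035551212' are judged alike."""
    return "".join(ch for ch in dialed if ch.isdigit())


def matching_entry(number: str, entries):
    """Return the first list entry that is a leading-digit prefix of the number, else None (assumed semantics)."""
    for entry in entries:
        if number.startswith(entry):
            return entry
    return None


class VoiceMailPort:
    """One voice mail port and its outbound restrictions, in the order the checklists layer them."""

    def __init__(self, name: str, outward_restricted: bool = True, allow_list=None):
        self.name = name
        self.outward_restricted = outward_restricted   # checklist: all ports restricted unless outcalling is needed
        self.allow_list = allow_list                   # checklist: the outcalling port confined to specific areas

    def may_dial(self, dialed: str):
        """Return (permitted, reason) for an outbound attempt from this port."""
        number = digits_only(dialed)
        if self.outward_restricted:
            return False, f"{self.name}: port is outward restricted"
        hit = matching_entry(number, DISALLOW_LIST)
        if hit is not None:                            # assumption: disallow entries take precedence
            return False, f"{self.name}: blocked by disallow list entry {hit}"
        if self.allow_list is not None and matching_entry(number, self.allow_list) is None:
            return False, f"{self.name}: destination not on the port's allowed list"
        return True, f"{self.name}: permitted"


def audit(ports, numbers):
    """Evaluate every number against every port; returns {(port name, number): permitted}."""
    return {(p.name, n): p.may_dial(n)[0] for p in ports for n in numbers}


if __name__ == "__main__":
    # Constructed configuration: three restricted ports and one outcalling port limited to two area codes.
    ports = [VoiceMailPort(f"VM-{i}") for i in (1, 2, 3)]
    ports.append(VoiceMailPort("VM-4", outward_restricted=False, allow_list=["303", "720"]))
    for (port, number), ok in audit(ports, ["303-555-1212", "1-800-555-1212", "0", "212-555-1212"]).items():
        print(port, number, "permit" if ok else "deny")
```

Evaluating disallow entries before the allowed list means that adding an area code to the outcalling port's allowed list can never reopen a destination the disallow list closed, which is the failure an audit of these two lists is meant to catch.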
MERLIN MAIL R3 Voice Messaging System
Also see the general security checklist on page 16-2, and the security checklist for the host communications system.
Table 16-13. MERLIN MAIL R3 Voice Messaging System
Table 16-13. MERLIN MAIL R3 Voice Messaging System (Continued)
Y/N(1)  Note  N/A
Automated Attendant
- No pooled facility access codes translated on menus
- No ARS codes translated on menus
- Remote call forwarding used offnet only with trunks that provide reliable disconnect (for example, ground-start)
End User Education
- Passwords changed from default for new subscribers
- Passwords are difficult to guess
- Passwords are changed quarterly
(1) If “NO” (N), provide Note reference number and explain.
MERLIN Plus Communications System
Also see the general security checklist on page 16-2, and the security checklist for any attached adjuncts.
Messaging 2000 Voice Mail System
Also see the general security checklist on page 16-2.
Customer: _________________________________________
PBX Type: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Port Additions: _________________________________________
Table 16-15. Messaging 2000 Voice Mail System
Table 16-15. Messaging 2000 Voice Mail System (Continued)
Y/N(1)  Note  N/A
- [Recommended] Use the Randomly Generated method of assigning passwords to new mailboxes.
- [Recommended] Regularly monitor the Uninitialized Mailbox report to determine if subscribers have changed their mailbox passwords. Remind subscribers that have not initialized their mailboxes that they should change their passwords immediately to prevent unauthorized access to their mailboxes.
Table 16-15. Messaging 2000 Voice Mail System (Continued)
Y/N(1)  Note  N/A
- [Required] Set the Consecutive Login Failures Before Lock-Out parameter on the Subscriber tab in System Setup to specify how many unsuccessful login attempts are allowed before mailboxes are locked.
Table 16-15. Messaging 2000 Voice Mail System (Continued)
Y/N(1)  Note  N/A
- [Recommended] When Quick Assist is run in recover mode from the \CVR prompt in an OS/2 window, or run automatically as part of system maintenance, include the -Mn parameter to specify a mailbox to receive unattached messages.
- [Recommended] Use the Require Password to Proceed to Next Level option to secure V-Trees that provide sensitive information such as pricing data and customer data.
Table 16-15. Messaging 2000 Voice Mail System (Continued)
Y/N(1)  Note  N/A
End-User Education
- [Required] The end user must periodically change all secondary passwords. After changing the secondary passwords, the end user should notify the appropriate Avaya support organization(s) that the passwords have been changed.
Multimedia Communications Exchange Server
Also see the general security checklist on page 16-2.
Customer: _________________________________________
System & Version: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________
Table 16-16. Multimedia Communications Exchange Server
Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS)
Also see the general security checklist on page 16-2.
Customer: _________________________________________
Location: _________________________________________
MSM SW Version and Install Date: _________________________________________
ESM SW Version and Install Date: _________________________________________
CRCS SW Version and Install Date: _________________________________________
CRCS is Single-User or Multi-User? _________________________________________
Table 16-17. Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS)
MCU Product Checksheets Attached: (Check all that apply)
(__) Multimedia Server Module (MSM)
(__) Expansion Services Module (ESM)
(__) Conference Reservation and Control System (CRCS)

ESM Security Checklist
NOTE: See the appropriate security checklist for the host MSM.
Table 16-18. ESM
Y/N(1)  Note  N/A
System Administration
- Root Login changed from default
- All other UNIX login passwords changed (INADS)
Remote Maintenance Access
- Remote Maintenance Board (RMB) installed (if NO, skip to “Using External Modem...
CRCS Security Checklist
Customer: _________________________________________
CRCS Type: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Port Additions: _________________________________________
Table 16-19. CRCS
Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS) Table 16-19. CRCS (Continued) Y/N1 Note N/A End User Education Passwords changed for new subscribers Passwords are difficult to guess Passwords are changed quarterly Continued on next page 1. If “NO” (N), provide Note reference number and explain. MSM Security Checklist See the appropriate security checklist for the attached ESM or CRCS.
Product Security Checklists Table 16-20. MSM Y/N1 Note N/A System Administration Customer advised of all logins under their control. Passwords changed from factory defaults. Passwords are customer-entered, maximum length, unique alphanumeric words. NETCON access restricted by COR-to-COR restrictions.
PARTNER, PARTNER II, and PARTNER Plus Communications Systems, and PARTNER Advanced Communications System (ACS)
Also see the general security checklist on page 16-2.
Table 16-21. PARTNER, PARTNER II, and PARTNER Plus Comm.
Table 16-21. PARTNER, PARTNER II, and PARTNER Plus Comm. Systems and PARTNER ACS (Continued)
Y/N1 Note N/A
Customer is aware of network-based toll fraud surveillance offerings such as netPROTECT
Customer knows how to subscribe to ACCESS security shared folder
System Features
Forced account codes with verification used (PARTNER Plus Communications System 3.1 and later, and PARTNER II Communications System Release 3.
PARTNER MAIL, PARTNER MAIL VS, and PARTNER Voice Mail (PVM) Systems
See also the general security checklist on page 16-2 and the security checklist for the host communications system.
Table 16-22.
System 25
Also see the general security checklist on page 16-2, and the security checklist for any attached voice mail systems or other adjuncts.
Customer: _________________________________________
Location: _________________________________________
PBX Type: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________
Table 16-23.
Table 16-23. System 25 (Continued)
Y/N1 Note N/A
Disable remote maintenance access when not in use
Product Monitoring
SMDR/CAS reports monitored daily, administration log and activity log checked daily (AVP)
End-User Education
Only trusted personnel transferred to remote maintenance port
Continued on next page
1. If “NO” (N), provide Note reference number and explain.
PassageWay Telephony Services
Also see the general security checklist on page 16-2.
Customer: _________________________________________
Location: _________________________________________
PassageWay Install Date: ________________________________________
Table 16-24. PassageWay Telephony Services
Y/N1 Note N/A
General
Telephony Server is in a secure location (locked room).
Backups of the Telephony Server machine are made at regular intervals.
System Administration
Guidelines followed for logins/passwords for user accounts. (See PassageWay customer documentation.)
Customer educated about standard Avaya password recommendations (for example, at least 7 characters and forced password change for new subscribers; see PassageWay customer documentation).
Default administrator login for Tserver changed at installation.
For NetWare only:
Used the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.12) to set the appropriate login and password restrictions (for example, require users to have passwords with a minimum length of 7 characters, enable password aging, and so forth).
Used the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.
Access Control
To ensure protection of sensitive system files used by Tserver, only the System Administrator has access to Tserver, the Security Database, and log files.
For Windows NT only: Make the file system NTFS instead of FAT.
Configure the following security options:
— Require login names for callers
— Make passwords case sensitive
— Log failed connection attempts
— Maximum login attempts per call
— Time to enter complete login
— Disconnect if inactive
Configure pcANYWHERE to log remote control and on-line sessions. (Set the “Save Session Statistics in Activity Log File” checkbox in the “Other Session Parameters” group box.
17 Large Business Communications Systems Security Tools by Release
The following tables contain page references for the available security features for the System 75, System 85, DEFINITY G1, G2, G3, and DEFINITY ECS. Information is listed by release.
Table 17-1.
18 Non-supported Products
Products No Longer Supported
Below are listed the products Avaya no longer supports as of the given dates.
Non-supported Products as of Dec. 31, 1999
As of December 31, 1999, Avaya no longer supports these products:
CMS R2 3B2
CMS R3V1, V2, V4
CentreVu Supervisor V1
CONVERSANT V3.0
CONVERSANT V3.1.1, 4.0, 4.0i
CONVERSANT V3.1.1 INTRO
CONVERSANT V2.1
DEFINITY AUDIX pre 3.1
INTUITY AUDIX 3.3 (IP55), QPPCN from IA 3.2 and prior
INTUITY AUDIX 3.
Non-supported Products as of Sept. 30, 2000
As of September 30, 2000, Avaya no longer supports these products:
INTUITY Lodging R1.1, QPPCN from R1.0
INTUITY Interchange (pre 5.1)
INTUITY High Capacity Option (pre 4.4)
Fax Attendant
Fax Attendant w/ Y2k Software Update
Auto Attendant Software w/ Y2k Software Update
Non-supported Products as of Dec.
Glossary
A
AAR Automatic Alternate Routing
ACA Automatic Circuit Assurance
ACD Automatic Call Distribution
ADAP AUDIX Data Acquisition Package
AFRL Alternate Facility Restriction Level
AMIS Audio Messaging Interface Specification
ANI Automatic Number Identification
APLT Advanced Private Line Termination
ARS Automatic Route Selection, replaced by WCR in DEFINITY G2.2
AUDIX Audio Information Exchange
AVP AUDIX Voice Power
Access The act of entering into a PBX system.
ARS Dial Tone The dial tone callers hear after they enter the ARS feature access code.
Attendant The operator of the console.
Attendant Console An electronic call-handling position with push-button control. Used by attendants to answer and place calls and to manage and monitor some of the PBX operations.
AUDIX Voice Mail System An Avaya adjunct that provides voice mail and automated attendant services.
Call Forwarding A set of features that allow calls destined for an extension to be redirected to another extension, designated during activation.
Call Forwarding All Calls (Follow Me) A feature that allows calls destined for an extension to be redirected to another extension, designated during activation, regardless of the busy or idle state of the called extension. Intended to redirect calls to the called party when he or she is away from his or her desk.
Class of Restriction A number (0 through 63) that specifies the calling privileges and limitations assigned to stations, Remote Access users, and trunk groups. For DEFINITY G3rV1, G3i-Global, and G3V2 and later, CORs have been increased to 96; thus, the number is 0 through 95.
Class of Service For DEFINITY G2 and System 85, specifies the calling privileges and limitations assigned to the station.
ETN Electronic Tandem Network
Enhanced Call Transfer An AUDIX Voice Mail System feature that provides security by interacting with the PBX system to validate that the number entered by an AUDIX Voice Mail System caller is a valid extension number in the dial plan.
Enhanced Private Switched Communications Service A private telecommunications network that provides advanced voice and data telecommunications services to companies with many locations.
Feature Access Code A code used to access a feature, such as ARS, Data Origination, Priority Calling and Call Pickup.
Foreign Exchange A Central Office other than the one providing local access to the public telephone network.
Foreign Numbering-Plan Area Code An area code other than the local area code. The FNPAC must be dialed to call outside the local geographic area.
L
LEC Local Exchange Carrier
M
Manual Terminating Restriction Prevents the station from receiving calls other than those originated by the attendant.
MERLIN Attendant An Avaya adjunct that provides voice mail and automated attendant services for use with the MERLIN LEGEND Communications System and MERLIN II Communications System R3.
Message Indicator Lamp The light on a voice terminal that is activated by the attendant or a voice mail adjunct when there is a message for the user.
Outward Restricted Restricts the station from placing outgoing calls over specified trunks.
P
PARTNER Attendant An Avaya adjunct that provides voice mail and automated attendant services for use with the PARTNER II Communications System.
PBX Private Branch Exchange
PC Personal Computer
Personal Station Access (PSA) A feature that allows multiple users to work at the same voice terminal location at different times. PSA provides capabilities that are similar to TTI, but for a single station.
Referral Call An internally-generated call that terminates to a designated destination and indicates an event such as a security violation.
Remote Access A feature that provides remote callers access to most of the PBX features.
Remote Access Dial Tone A special dial tone for the Remote Access feature that can be used after the caller enters the barrier code.
Service Observing The monitoring of actual calls in progress for security purposes.
Station Message Detail Recording Creates call records for incoming and outgoing calls.
System Manager A person responsible for specifying and administering features and services for the PBX system.
UDP Uniform Dial Plan
Uniform Dial Plan A feature that allows a unique 4- or 5-digit number assignment for each terminal in a multi-switch configuration such as a distributed communications system (DCS) or main-satellite tributary configuration.
V
VDN Vector Directory Number
VF Virtual Facility
VNI Virtual Nodepoint Identifier
Vector Directory Number An extension that provides access to the Call Vectoring feature on the switch.
Index
Numerics 0 calls, 4-23, 4-53 00 calls, 4-23 01 calls, 4-34 blocking, 10-14 010 calls, 4-34 011 calls, 4-34, 4-53 10xxx calls, 2-7, 4-23 10xxx01 calls, 4-34 10xxx11 calls, 4-34 2-way trunk groups, 4-15 3-way COR check, 4-15, 4-49 3-way-conferencing, 6-34 6-digit screening, 2-8 800 numbers, 2-7, 3-2, 4-2, 14-1 800 service, 6-54, 6-57 trunks, 3-2 911 number, 4-14 950 numbers, 2-7 976-look-alike numbers, 2-8
A AAR, see Automatic Alternate Routing AAR/ARS analysis, 4-18 Feature Access Code, 4-8 Abbre
authorization code, 4-3, 4-17, 4-21, 4-28, 4-29, 6-56, 6-58 invalid login attempts, 4-63 maximum allowed, 4-8 monitoring usage, 4-29 Network Access Flag set, 4-7 removing, 4-29 Time-Out to Attendant, 4-35 usage patterns, 5-13, 5-61 used with barrier code, 4-6 VDN, 4-8 Authorization Code Violations Status Report, 4-63, 4-64 auto dial button, 3-8 programming passwords, 6-3 automated attendant, 2-1, 2-5, 3-3, 6-18, 6-24, 6-27, 6-31, 6-39 adjunct equipment, 7-3 AUDIX Voice Mail System, 7-16 AUDIX Voice P
Call Forward Off-Net, 4-16, 6-7, 7-3 Call Forwarding, 2-8, 4-69 Feature Access Code, 4-8 call list, 6-7, 7-5 free, 4-18 specifying, 4-18 unrestricted, 4-18, 6-28 Call Management System helplines, 8-2 log, 4-57 Measurements, 4-57 securing, 3-6 security tips, 8-1 call pager, 6-28 scam, 2-7 Call Prompting, 4-10 call sell operations, 2-2 Call Traffic Report, 6-13, 7-10, 7-13 Call Vectoring, 4-9, 4-10, 4-32 call volume increases, 4-53 calling out-of-hours, 5-6, 5-13, 5-60 restricting by area, 6-8 calling
Data Restriction Feature Access Code, 4-8 DCS, see Distributed Communication System default passwords changing, 3-4 DEFINITY AUDIX Voice Messaging System automated attendant, 7-18 logins, 6-21 password changing, 13-4 protecting, 6-21 protecting the system, 6-15 security checklists, 16-4 security considerations, 6-22 DEFINITY Communications System automated attendant, 7-1 detecting toll fraud, 4-49 Remote Access, 4-3 restricting unauthorized outgoing calls, 4-12 security goals and tools, 3-10 security
Feature Access Code, 2-5 Abbreviated Dialing, 4-8 ARS/AAR, 4-8 Call Forwarding, 4-8 Data Origination, 4-8 Data Privacy, 4-8 Data Restriction, 4-8 Facility Test Calls, 4-8 FNPA, see Foreign Numbering Plan Area Forced Entry of Account Code, 4-22, 4-45 Forced Password Aging, 4-51 Foreign Numbering Plan Area, 4-33, 4-34, 4-36 free call list, 4-18 AAR/ARS calls, 4-18 TAC calls, 4-18 FRL, see Facility Restriction Level Fully Restricted Service, 4-14, 4-30 FX trunks, 3-2 international calls, 4-32, 4-34 dis
M maintenance access, 3-7 maintenance port, 3-9 target of abuse, 2-4 Malicious Call Trace, 4-67 Manager I, 6-13 reporting, 4-54, 7-10 Manager III/IV, 3-6 Manual Terminating Line Restriction, 7-4 Measurement Selection ARS, 4-55, 6-14, 7-11 measurements BCMS, 4-56 CMS, 4-57 MERLIN Attendant, 7-19, 7-20 MERLIN II Communications System protecting DISA, 5-5 security checklists, 16-27 security goals and tools, 3-14 security tips, 5-5 voice mail, 6-34 MERLIN LEGEND Communications System allowed and disallow
Outgoing Trunk to Outgoing Trunk Transfer disabling, 4-43 Outward Restriction, 4-14, 4-16, 6-7, 7-4 overlapped sending, 4-48
P Partitioned Group Number, 11-1 PARTNER Attendant, 7-21, 7-22 PARTNER II Communications System protecting the system, 5-62 security checklists, 16-56 security goals and tools, 3-19 voice mail, 6-54 PARTNER MAIL System, 6-54, 6-57 automated attendant, 7-21, 7-22 outcalling, 6-56, 6-58 password changing, 13-9 protecting, 6-55, 6-57 protecting, 6-54 security checklist, 16-61 sec
Remote Access, (continued) status report, 4-63 System 25, 5-63 System 75, 4-2 System 85, 4-2 Violations Status Report, 4-64 Remote Administration Unit, 3-20, 5-62 Remote Call Forwarding, 5-15, 5-61 used with loop-start trunks, 5-15 Remote Home Numbering Plan Area, 4-36 Remote Line Access, 5-60 Remote Maintenance Board, 6-32 Remote Maintenance Device, 5-63 Remote Port Security Device, 15-1 remote service observing, 4-69 Remote System Administration System 25, 5-64 Remote System Programming, 5-14 Remot
service observing, 4-68, 4-69 shoulder surfing, 2-6 six-digit screening, 2-8 SMDR reports, 5-6, 5-13, 5-61, 5-64, 6-34, 6-36, 6-46, 6-55, 6-57, 6-59 SMDR, see Station Message Detail Recording social engineering, 2-6 SPM, see System Programming and Maintenance Station Message Detail Recording, 2-4, 4-46, 4-52, 6-12, 6-43, 7-9, 14-1 station restrictions, 4-19 Station Security Code Violations Report, 4-65 Station Security Violation Status Report, 4-63 Station-to-Trunk Restrictions, 6-6, 7-3 status remot
traffic abnormal patterns, 7-10 measurements, 4-53 monitoring flow, 4-55 reports, 6-18, 6-29, 7-13 Trans Talk 9000 Digital Wireless System security tips, 8-9 Transfer Out of AUDIX, 6-24 disabling, 6-27 transfers limiting, 7-5 Traveling Class Mark, 4-44, 4-45, 4-48 Trouble Tracker, 3-6 trunk 800 service, 3-2 AAR, 4-7 administration, 4-8 ARS, 4-7, 4-45 CO, 3-2, 4-14, 4-16, 4-18, 7-4 disabling direct access, 4-38 FX, 3-2, 4-14, 4-16, 7-4 loop-start, 5-63 monitoring, 4-45 outgoing, 4-45 public network, 4
voice terminal Public Restriction, 4-15 Termination Restriction, 4-15 voice terminal group attendant-controlled, 4-19 void disabling logins, 4-27
W WCR, see World Class Routing wild card characters, 4-48 wiring closets physical security, 3-9 World Class Routing, 4-23, 4-32 restricting, 4-47 Toll Restriction, 4-16 toll restriction, 7-4