Avaya™ Toll Fraud and Security Handbook 555-025-600 Issue 9 May 2003
Copyright 2003, Avaya Inc. All Rights Reserved Notice Every effort was made to ensure that the information in this document was complete and accurate at the time of printing. However, information is subject to change. Warranty Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty.
Safety of Information Technology Equipment, CAN/CSA-C22.2 No. 60950-00 / UL 60950, 3rd Edition Safety Requirements for Customer Equipment, ACA Technical Standard (TS) 001 - 1997 One or more of the following Mexican national standards, as applicable: NOM 001 SCFI 1993, NOM SCFI 016 1993, NOM 019 SCFI 1998 The equipment described in this document may contain Class 1 LASER Device(s). These devices comply with the following standards: • EN 60825-1, Edition 1.1, 1998-01 • 21 CFR 1040.10 and CFR 1040.11.
Means of Connection Connection of this equipment to the telephone network is shown in the following tables. For MCC1, SCC1, G600, and CMC1 Media Gateways: A plug and jack used to connect this equipment to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by the ACTA. A compliant telephone cord and modular plug is provided with this product. It is designed to be connected to a compatible modular jack that is also compliant.
European Union Declarations of Conformity Avaya Inc. declares that the equipment specified in this document bearing the “CE” (Conformité Européenne) mark conforms to the European Union Radio and Telecommunications Terminal Equipment Directive (1999/5/EC), including the Electromagnetic Compatibility Directive (89/336/EEC) and Low Voltage Directive (73/23/EEC).
Contents 1 About this document ■ Overview 1-1 ■ Reason for reissue 1-3 ■ Intended audience 1-3 ■ How this guide is organized 1-4 ■ Avaya’s statement of direction 1-5 ■ Avaya/customer security roles and responsibilities 1-7 Avaya’s roles and responsibilities 1-8 Customer roles and responsibilities 1-8 ■ Downloading this book and updates from the Web 1-9 ■ Related resources 1-9 ■ 2 1-1 Product documentation 1-9 Avaya security offerings 1-10 Avaya toll fraud and technical a
Contents 3 4 IP security 3-1 ■ Introduction 3-1 ■ Overview 3-1 ■ Mission-critical assets 3-2 ■ Physical security 3-2 ■ Control networks 3-2 ■ Firewalls and routing 3-2 ■ Customer-managed applications 3-2 ■ Administration and management 3-3 ■ Software patches and upgrades 3-3 ■ Additional information 3-4 Security risks ■ Overview 4-1 ■ Remote access 4-2 ■ Automated attendant 4-3 ■ Other port security risks 4-3 ■ Voice messaging systems 4-4 ■ Administration /
Contents 5 Large business communications systems ■ ■ 5-1 Keeping unauthorized third parties from entering the system 5-2 Protecting the Remote Access feature 5-2 Security tips 5-2 Disabling/removing the Remote Access feature 5-3 Tools to protect the Remote Access feature 5-3 Barrier codes 5-5 Authorization codes 5-8 Feature access code administration 5-9 Trunk administration 5-9 Remote access dial tone 5-10 Night service 5-10 Call vectoring (Communication Manager, MultiVantage Sof
Contents Restrictions — individual and group-controlled (Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY G1, G3, and System 75) 5-21 Central office restrictions 5-22 Restricting incoming tie trunks 5-22 Authorization codes 5-22 Trunk-to-trunk transfer 5-23 Forced entry of account code 5-24 World class routing (Communication Manager, MultiVantage Software, DEFINITY ECS and DEFINITY G2.
Contents ■ Disable facility test calls 5-40 Suppress remote access dial tone 5-42 Disallow trunk-to-trunk transfer 5-43 Disable transfer outgoing trunk to outgoing trunk 5-44 Disallow outgoing calls from tie trunks 5-45 Limit access to tie trunks 5-45 Monitor trunks 5-46 Use terminal translation initialization 5-46 Require account codes 5-47 Assign COR restrictions to adjuncts when using expert agents 5-48 Disable distinctive audible alert 5-48 Remove data origination code 5-48 Use
Contents 6 Recent Change History report (Communication Manager, MultiVantage Software, DEFINITY ECS, and DEFINITY G1 and G3) 5-68 Malicious call trace 5-68 Service observing 5-69 Busy verification 5-70 List call-forwarding command 5-70 Small business communications systems ■ Features for the MERLIN systems 6-2 ■ MERLIN II Communications System 6-5 Protecting direct inward system access Security tips ■ MERLIN LEGEND Communications System 6-5 6-7 6-8 Protection via star codes and allowed/
Contents Toll fraud prevention 6-19 Physical security, social engineering, and general security measures 6-19 Security risks associated with transferring through voice messaging systems 6-21 Security risks associated with the Automated Attendant feature of voice messaging systems 6-22 Security risks associated with the Remote Access feature 6-24 Other security hints 6-24 Detecting toll fraud 6-26 Magix R1.
Contents ■ PARTNER Plus Communications System 6-61 ■ System 25 6-62 Protecting remote access Security tips Protecting remote system administration Security tips 7 Voice messaging systems ■ Protecting voice messaging systems Security tips ■ Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY communications systems, System 75,and System 85 Tools that prevent unauthorized calls 6-63 6-64 7-1 7-2 7-3 7-4 7-5 7-6 Station-to-trunk restrictions 7-6 Class of restriction 7-7 Clas
Contents Unauthorized system use 7-16 Traffic reports (AUDIX Voice Mail System only) 7-19 Call detail recording (AUDIX Voice Mail System only) 7-19 Protecting passwords 7-22 Security features 7-23 Security measures 7-26 Security tips 7-30 Protecting the AUDIX Voice Power System 7-30 Traffic reports 7-30 Protecting passwords 7-31 Security tips 7-31 Security measures 7-32 Protecting the CONVERSANT Voice Information System Protecting passwords ■ 7-33 Security measures 7-34 Securit
Contents Security tips 7-46 Additional MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System security features 7-49 ■ ■ Messaging 2000 System Maintaining Message 2000 system security 7-50 Security recommendations for remote access 7-55 PARTNER II Communications System Protecting the PARTNER MAIL and PARTNER MAIL VS systems ■ Security tips 7-56 PARTNER Plus Communications System 16 7-57 7-58 Protecting passwords 7-58 Security tips 7-58 System 25 7-60 7-60 Protecting passwords 7-
Contents Class of service 8-4 Toll analysis 8-5 Security measures 8-5 Limit transfers to internal destinations 8-5 Prevent calls to certain numbers 8-6 Allow calling to specified numbers 8-6 Detecting automated attendant toll fraud 8-8 Call detail recording / station message detail recording Call Traffic report 8-10 Trunk Group report 8-10 SAT, Manager I, and G3-MT reporting 8-10 ARS measurement selection 8-11 Automatic circuit assurance 8-11 Busy verification 8-12 Call Traffic re
Contents ■ ■ ■ ■ MERLIN LEGEND Communications System AUDIX Voice Power System 8-20 MERLIN MAIL, MERLIN MAIL-ML, and MERLIN MAIL R3 voice messaging systems 8-20 MERLIN Attendant 8-20 PARTNER II Communications System 8-21 PARTNER Attendant 8-21 PARTNER Plus Communications System ■ 8-22 PARTNER Attendant 8-22 System 25 Call Management System (R3V4) ■ 18 9-1 9-2 CallMaster PC 9-3 9-3 Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS) 9-4 PassageWay T
Contents 11 12 13 Blocking calls ■ Country codes ■ Blocking toll fraud destinations 11-1 11-1 11-10 Blocking ARS calls on DEFINITY G1 and System 75 11-11 Blocking ARS calls on G2.1 and System 85 11-15 Blocking WCR calls on DEFINITY G2.
Contents ■ Administering barrier code aging 13-11 ■ Administering customer logins and forced password aging 13-13 ■ 14 13-13 Changing a login’s attributes 13-15 Administering login command permissions 13-16 Display a specified login 13-17 List logins 13-17 Remove a login 13-18 Administering the security violations reports Changing your password 13-18 14-1 ■ AUDIX Voice Mail System 14-1 ■ AUDIX Voice Power System 14-2 ■ CONVERSANT Voice Information System 14-2 ■ DEFINITY AUD
Contents 15 16 Toll fraud job aids 15-1 ■ Toll fraud warning signs 15-1 ■ System security action plan 15-3 ■ Ten tips to help prevent phone fraud 15-4 Special security product and service offers ■ ■ 16-1 Remote port security device 16-1 Key and lock features 16-2 Securing DEFINITY Systems (prior to Release 7.2) with the remote port security device 16-3 Avaya support 16-4 Securing DEFINITY systems (Release 7.
Contents Displaying ASG login information 16-13 Disabling ASG authentication 16-13 Setting and resolving violation warnings 17 22 16-13 Setting notification limits 16-13 Resolving ASG violation alarms 16-14 ■ Avaya support 16-15 ■ HackerTracker 16-15 ■ Security Tune-Up Service 16-15 ■ Toll fraud contact list 16-16 Product security checklists 17-1 ■ General security procedures 17-2 ■ AUDIX, DEFINITY AUDIX and INTUITY AUDIX voice messaging systems 17-4 ■ AUDIX Voice Power Sys
Contents PARTNER, PARTNER II, and PARTNER Plus communications systems, and PARTNER Advanced Communications System (ACS) 17-56 PARTNER MAIL, PARTNER MAIL VS, and PARTNER Voice Mail (PVM) systems 17-61 ■ System 25 17-63 ■ PassageWay Telephony Services 17-66 ■ ■ 18 19 20 Large business communications systems security tools by release 18-1 Non-supported products 19-1 ■ As of December 31, 2002 19-1 ■ As of December 31, 2001 19-1 ■ As of December 31, 2000 19-1 ■ As of September 30, 2
Glossary GL-1
Index IN-1
About this document 1
Overview
This handbook discusses security risks and measures that can help prevent external telecommunications fraud involving the following Avaya products:
IP and IP-enabled servers:
■ Avaya™ S8100, S8300, and S8700 Media Servers
■ DEFINITY® Enterprise Communications Server (ECS) Release 5 and later
PBX systems:
■ DEFINITY® Generic 1, 2, and 3 communications systems
■ MERLIN® II Communications System
■ MERLIN LEGEND® Communications System
■ MERLIN® Plus Communications Sys
■ MERLIN MAIL® Voice Messaging System
■ MERLIN MAIL®-ML Voice Messaging System
■ MERLIN MAIL® R3 Voice Messaging System
■ PARTNER MAIL® System
■ PARTNER MAIL VS® System
Other products and services:
■ Call Management System (R3V2)
■ CallMaster® PC
■ Multipoint Conferencing Unit (MCU)
■ PassageWay® Telecommunications Interface
■ TransTalk™ 9000 Digital Wireless System
■ Telephony Services for Netware®
NOTE: Unless specifically stated otherwise, references in this doc
Reason for reissue This issue, Issue 9 of the Avaya™ Toll Fraud and Security Handbook, refocuses this document to be about toll fraud and related security issues. This update also includes a new section, Chapter 20, ‘‘Links to additional security information’’. Minor edits and other additions have also been included in this issue.
How this guide is organized The Avaya™ Toll Fraud and Security Handbook has the following chapters: Chapter 1: About this document Describes the scope, intended audience, and contents of this handbook. Contains Avaya’s Statement of Direction. Also defines Avaya’s and the customer’s roles and responsibilities. Chapter 2: Introduction Provides a background for toll fraud.
Chapter 12: Remote Access example (G1, G3, and System 75) Offers an example of how to set up Remote Access and an example of how to disable it. Chapter 13: Administering features of the DEFINITY G3V3 and later Provides information on administering features available in DEFINITY Releases G3V3 and later, including the DEFINITY ECS Release 5 and 6. Chapter 14: Changing your password Tells how to change passwords for systems in the handbook.
To help customers use and manage their systems in light of the trade-off decisions they make and to ensure the greatest security possible, Avaya commits to the following: ■ Avaya products and services will offer the widest range of options available in the industry to help customers secure their communications systems in ways consistent with their telecommunications needs.
Avaya/customer security roles and responsibilities The purchase of a telecommunications system is a complicated process involving many phases, including system selection, design, ordering, implementation, and assurance testing. Throughout these phases customers, vendors, and their agents each have specific roles and responsibilities.
Avaya’s roles and responsibilities ■ Avaya, as a manufacturer, has the responsibility to provide the customer with securable technology, the information resources (product documentation) to understand the capabilities of the technology, and the configuration of the equipment when it shipped from the factory.
Downloading this book and updates from the Web You can download the latest version of the Avaya™ Toll Fraud and Security Handbook, 555-025-600, from the Avaya Web site. You must have access to the Internet, and a copy of Acrobat Reader must be installed on your personal computer. Avaya makes every effort to ensure that the information in this book is complete and accurate. However, information can change after we publish this book.
Avaya security offerings Avaya has developed a variety of offerings to assist in maximizing the security of your system. These offerings include: ■ Security Tune-up Service (see Chapter 16). ■ Toll Fraud Crisis Intervention Service (see ‘‘Avaya toll fraud and technical assistance’’ in this section). ■ The Product Security Kit, 555-025-601, includes this document (Avaya™ Toll Fraud and Security Handbook).
Avaya toll fraud and technical assistance Avaya provides the following resources for technical assistance. If you suspect you are being victimized by toll fraud or theft of service, call the appropriate Avaya service. Within the US: Toll Fraud Intervention Hotline 1 800 643-2353. Call this number if you suspect you are being victimized by toll fraud or theft of service. Avaya Corporate Security 1 800 822-9009. Call this number for assistance with other security issues.
Trademarks All trademarks identified by the ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Sending us comments Avaya welcomes your comments about this book. To reach us by: ■ Mail, send your comments to: Avaya Inc. Product Documentation Group Room B3-H13 1300 W. 120 St. Westminster, CO 80234 USA ■ E-mail, send your comments to: document@avaya.
Introduction 2 NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager. Background Telecommunications fraud is the unauthorized use of a company’s telecommunications service. This type of fraud has been in existence since the 1950s when Direct Distance Dialing (DDD) was first introduced.
Who is the enemy? Hackers and phreakers Hackers and “phreakers” (phone freaks) use personal computers, random number generators, and password-cracking programs to break into even the most sophisticated customer premises equipment-based system if it has not been adequately secured. Once a hacker penetrates a network and provides instructions to toll call sellers, large volumes of unauthorized calls can be made from the switch.
What is in a loss? Call sell operations are dependent on calling card numbers or other means to fraudulently use a customer premises equipment-based system. The major calling card vendors monitor calling card usage and shut down in a matter of minutes after detecting the fraud. However, call sell operators know that the traffic on most customer premises equipment-based systems is not monitored. That is why a calling card on the street sells for $30.
Known toll fraud activity Understanding how hackers penetrate your system is the first step in learning what to do to protect your company. Be aware that hackers communicate very well, are extremely resourceful, and are persistent. The following is a list of known methods hackers use to break into systems. ■ PBX-based activity — Maintenance port Maintenance ports are the most recent target of abuse.
— Voice mail There are two types of voice mail fraud. The first type, which is responsible for the bulk of equipment-related toll fraud loss, relies on misuse of the call transfer capabilities of voice mail systems. Once thieves transfer to dial tone, they may dial a Trunk Access Code (TAC), Feature Access Code or Facility Access Code (FAC), or extension number.
If the system allows uninterrupted, continuous access, a war dialer can crack a 6-digit code within 6 hours. The codes are then distributed via bulletin boards or pirated voice mailboxes, or are sold to call sell operators. Some systems hang up after a specified number of invalid access attempts, thereby extending the amount of time required to crack the code. However, even if a hacker is disconnected, he or she may call back repeatedly in an attempt to crack the code.
— Looping Looping is a method that call sell operators use to circumvent restrictions that IXCs (Interexchange Carriers) put in the networks to control calling card fraud. All carriers block calling card calls bound for the 809 area code (to the Dominican Republic) that originate in New York, NY. This is because the Dominican Republic is a common destination for stolen phone calls.
This same scam could also easily apply to messages left on voice mail. The person could state, “I’m John Doe calling from XYZ. Please return my call at 212-540-xxxx.” When you return the call, you are charged $50.00. Another slant to this scam is carried out by messengers who deliver parcels to your office. They will ask to use your company’s phone to call their office. Then they call one of these 976-look-alike numbers and stay on the line for a minute or two.
IP security 3 NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager. Introduction This section summarizes some of the security issues that arise in a converged data and telephony network environment. It also recommends some of the practices that can minimize the risk of toll fraud and other security breaches in a converged network.
Mission-critical assets Unlike a regular PC or print server on the network, the telephony server represents a mission-critical piece of equipment to the enterprise. As such, it needs to be treated in a manner that is commensurate with any other piece of equipment on the network that is needed for the ongoing operation of the enterprise. Physical security The telephony server should be kept in a secure environment.
Administration and management Although Avaya appreciates the benefits of installing software that conforms to a company’s security policy, we strongly recommend that no additional software be loaded onto the Avaya telephony server that could potentially disrupt the performance or operation of the server. The addition of third-party software could even provide an opportunity for compromise that was not previously present.
Additional information For more information on update practices, recommendations or security advisories, please visit http://www.avaya.com/support. Also refer to Chapter 20, ‘‘Links to additional security information’’ for information about security-related white papers, websites, and reference books.
Security risks 4 NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager. Overview In order for your system to be secure against toll fraud, you need to address access, egress, and system administration. This handbook addresses those concerns.
Remote access Remote access, or direct inward system access (DISA), permits callers from the public network to access a customer premises equipment-based system to use its features and services. Callers dial into the system using CO, FX, DID, or 800 service trunks. After accessing the feature, the user hears system dial tone, and, for system security, may be required to dial a barrier code, depending on the system.
Automated attendant Automated attendant systems direct calls to pre-designated stations by offering callers a menu of available options. Automated attendant devices are connected to a port on the main system and provide the necessary signaling to the switch when a call is being transferred. When hackers connect to an automated attendant system, they try to find a menu choice (even one that is unannounced) that leads to an outside facility.
Voice messaging systems Voice messaging systems provide a variety of voice messaging applications, operating similarly to an electronic answering machine. Callers can leave messages for employees (subscribers) who have voice mailboxes assigned to them. Subscribers can play, forward, save, repeat, and delete the messages in their mailboxes. Many voice messaging systems allow callers to transfer out of voice mailboxes and back into the PBX system.
Administration / maintenance access
■ AUDIX Voice Mail System: cust
■ AUDIX Voice Power System: audix (or is on the Integrated Solution-equipped system)
■ DEFINITY AUDIX System: cust
■ DEFINITY ECS, DEFINITY G1, G3V1, G3V2, and System 75: cust, rcust, bcms1, browse*, NMS*
■ Avaya INTUITY System: sa, vm
■ MERLIN LEGEND Communications System: admin on Integrated Voice Response platform-supported systems
■ MERLIN MAIL and MERLIN MAIL-ML Voice Messaging Systems: 1234
■ PARTNER MAIL and PARTNER M
Increasing adjunct access security Since system adjuncts can be used to log in to otherwise “protected” systems, you also should secure access to the following products:
■ G3 Management Applications (G3-MA)
■ CSM (Centralized System Management)
■ CMS (Call Management System)
■ Manager III/IV
■ Trouble Tracker
■ VMAAP
Logins and passwords should be changed and managed in the same manner as the system being managed (for example, the switch or the AUDIX Voice Mail System).
Another area that may be vulnerable to toll fraud is the System 75 and the DEFINITY ECS, DEFINITY G1 and G3 (except G3r) NETCON data channel — the internal extension number that can be used for administration and maintenance access.
General security measures General security measures can be taken system-wide to discourage unauthorized use. Educating users Everyone in your company who uses the telephone system is responsible for system security. Users and attendants need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use.
Establishing a policy As a safeguard against toll fraud, follow these guidelines:
■ Change passwords frequently (at least quarterly). Set password expiration times and tell users when the changes go into effect. Changing passwords routinely on a specific date (such as the first of the month) helps users to remember to do so.
■ Establish well-controlled procedures for resetting passwords.
■ Limit the number of invalid attempts to access a voice mail to five or less.
Security goals tables The following tables list the security goals for each communications system, and provide an overview of the methods and steps that are offered through the switches to minimize the risk of unauthorized use of the system. ■ Table 4-1 on page 4-10 provides information for the DEFINITY ECS, DEFINITY communications systems, System 75, and System 85.
Table 4-1. Security goals (DEFINITY ECS, DEFINITY communications systems, System 75, and System 85)
Table 4-2.
Table 4-3. Security Goals: PARTNER II and PARTNER Plus communications systems — Continued
Security Goal | Method | Security Tool | Steps
Prevent theft of information via voice messaging system | Assign secure passwords | Passwords (PARTNER Plus Communications System R3.
Large business communications systems 5 NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.
■ Chapter 8 contains security measures to protect the Automated Attendant feature of your communications system. See Chapter 8 on page 8-1.
■ If possible, administer remote access (Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75) so no dial-tone prompt is supplied for entry of the authorization code. No dial tone after a remote access call is connected discourages most hackers who listen for dial tone or use modems to detect dial tone.
■ Restrict the bands or area code sets when you offer remote access on an 800 number.
Table 5-1. Security tools for Remote Access feature — Continued
Security Tool | Switch | Page #
Security violation notification (SVN) | Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3 | 5-59
status remote-access command | DEFINITY G3V4 and later | 5-12
Logoff screen enhancements | DEFINITY G3V4 and later | 5-12
*For ASAI, see the applicable product feature description.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75, you can assign up to 10 barrier codes to provide the first checkpoint. When barrier codes are required for remote access, callers hear a special dial tone, and then must enter a valid barrier code before they can access the PBX system.
For DEFINITY G2 and System 85, either a barrier code or an authorization code (see below) can be required before callers can access switch features or trunks. There is only one 4-digit barrier code for the Remote Access feature. This can be changed using a feature access code, and is normally assigned by the attendant. When callers enter the wrong barrier code, the calls are given intercept treatment.
For DEFINITY G2 and System 85, authorization codes can replace barrier codes on incoming remote access facilities or can be used to screen outgoing calls on AAR/ARS/WCR trunks. Only authorization codes with the Network Access Flag set are permitted to make outgoing calls. The authorization code option requires that the caller enter a valid authorization code to receive switch dial tone.
Remote access dial tone For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75 R1V3, when a user reaches the remote access port, if authorization codes are administered and barrier codes are not used, the system can be administered so the caller will hear a dial tone, a remote access tone, or silence as a prompt for the authorization code.
Protecting vectors that contain call prompting Hackers try to enter unanticipated digit strings and deceive the switch into transferring the call to a dial tone source. The Call Prompting feature can collect digits from the user and route calls to a destination specified by those digits and/or do conditional processing according to the digits dialed.
Command: status remote-access For DEFINITY G3V4 and later, the status remote-access command provides the status of the Remote Access feature. The display provides data on whether or not a barrier code has expired, the expiration date and time of the barrier code, the cause of the expiration, whether remote access is disabled (SVN or command), the time and date when it was disabled, and barrier codes.
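The two Remote Access checkpoints described above (barrier codes with aging, then authorization codes with the Network Access Flag, and the prompt the caller hears in between), as an added example model; this is not Avaya's code, and the class names, the sample codes and the `sample_config` helper are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added example, not Avaya's code: a model of the Remote Access (DISA)
# checkpoints the handbook describes. All names are hypothetical; the rules
# they encode are the ones stated in the text above.

MAX_BARRIER_CODES = 10   # up to 10 barrier codes can be assigned (G1, G3, ECS, System 75)
PROMPTS = ("dial_tone", "remote_access_tone", "silence")


@dataclass
class BarrierCode:
    code: str
    expires: Optional[str] = None   # ISO date (barrier code aging); None = never expires

    def is_expired(self, now: str) -> bool:
        if self.expires is None:
            return False
        return date.fromisoformat(now) >= date.fromisoformat(self.expires)


@dataclass
class AuthorizationCode:
    code: str
    network_access_flag: bool   # must be set to make outgoing calls over AAR/ARS/WCR trunks
    cor: int                    # class of restriction the code carries


@dataclass
class RemoteAccessConfig:
    barrier_codes: list = field(default_factory=list)
    auth_codes: dict = field(default_factory=dict)   # code -> AuthorizationCode
    auth_prompt: str = "silence"    # what the caller hears before entering the auth code

    def __post_init__(self):
        if len(self.barrier_codes) > MAX_BARRIER_CODES:
            raise ValueError(f"at most {MAX_BARRIER_CODES} barrier codes")
        if self.auth_prompt not in PROMPTS:
            raise ValueError(f"prompt must be one of {PROMPTS}")


def prompt_after_barrier(cfg: RemoteAccessConfig) -> str:
    """What the caller hears once the barrier code is accepted. An audible dial
    tone confirms to a modem or a listening caller that a code was right, which
    is why the handbook recommends administering silence for the auth prompt."""
    return cfg.auth_prompt if cfg.auth_codes else "dial_tone"


def remote_access_attempt(cfg: RemoteAccessConfig, barrier: str, auth: str,
                          now: str, outgoing: bool) -> tuple:
    """Walk one inbound remote-access call through both checkpoints.
    Returns (outcome, reason); 'intercept' = the call gets intercept treatment."""
    # Checkpoint 1: barrier code (applies only if barrier codes are administered)
    if cfg.barrier_codes:
        match = next((b for b in cfg.barrier_codes if b.code == barrier), None)
        if match is None:
            return ("intercept", "invalid barrier code")
        if match.is_expired(now):
            return ("intercept", "barrier code expired")
    # Checkpoint 2: authorization code (applies only if auth codes are administered)
    if cfg.auth_codes:
        entry = cfg.auth_codes.get(auth)
        if entry is None:
            return ("intercept", "invalid authorization code")
        if outgoing and not entry.network_access_flag:
            return ("denied", "Network Access Flag not set on authorization code")
        return ("dial_tone", f"COR {entry.cor}")
    return ("dial_tone", "no authorization code required")


def status_remote_access(cfg: RemoteAccessConfig, now: str) -> list:
    """Per-barrier-code view of the kind `status remote-access` reports:
    (code, expired?, expiration date)."""
    return [(b.code, b.is_expired(now), b.expires) for b in cfg.barrier_codes]


def sample_config() -> RemoteAccessConfig:
    """Constructed sample: one aging barrier code and two authorization codes."""
    return RemoteAccessConfig(
        barrier_codes=[BarrierCode("24681", expires="2003-06-01")],
        auth_codes={
            "7718": AuthorizationCode("7718", network_access_flag=True, cor=1),
            "9090": AuthorizationCode("9090", network_access_flag=False, cor=3),
        },
        auth_prompt="silence",
    )


if __name__ == "__main__":
    cfg = sample_config()
    print(prompt_after_barrier(cfg))
    print(remote_access_attempt(cfg, "24681", "7718", "2003-05-01", outgoing=True))
    print(remote_access_attempt(cfg, "24681", "7718", "2003-07-01", outgoing=True))
    print(status_remote_access(cfg, "2003-07-01"))
```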
Tools that restrict unauthorized outgoing calls Use the following tools to prevent fraudulent calls and monitor long distance usage. (See Table 5-2.)
You can use the COR calling permissions (COR-to-COR restrictions) that set calling permissions on the COR to disallow stations to access trunks, and to disallow trunk groups to access other trunk groups. The COR also assigns FRLs for use by WCR/AAR/ARS routing. NOTE: When a call is routed to a VDN, the COR of the VDN determines where the call can be routed.
■ Toll Restriction: cannot make toll calls unless the numbers are specified on an unrestricted call list. For G3, you can specify if the restriction applies to all toll calls or only TAC toll calls over CO/FX trunks. NOTE: The switch identifies all public network calls with 0 or 1 as the first or second digit as toll calls. For G3, toll calls and private network calls are defined on the Toll Analysis screen. For G2.
Restriction override (3-way COR check) The Restriction Override feature, which is available only with DEFINITY G3i-Global and G3V2 and later, determines whether or not there is a 3-way COR check made on conference and transfer calls. For DEFINITY G3 systems prior to DEFINITY ECS Release 5, as well as for G1 and System 75 systems, the default value of the Restriction Override field on the COR screen is all.
■ ARS/WCR Toll Restriction: restricts users from dialing the ARS or WCR Network I toll access code or from completing a toll call over ARS/WCR. ■ FRL: establishes the user’s access to AAR/ARS/WCR routes. ■ CDR Account Code: requires the entry of an account code before an ARS/WCR call is processed or before completing a TAC call to a toll destination. NOTE: Account code entries are not validated.
Facility restriction level Facility restriction levels (FRLs) provide up to eight levels of restrictions (0 through 7) for users of AAR/ARS/WCR. FRLs identify where calls can be made and what facilities are used. If the FRL of the originating facility is greater than or equal to the FRL of the route pattern selected, the trunk group is accessible.
Free call list For DEFINITY G2 and System 85, you can identify up to ten 3-digit telephone numbers that can be called on otherwise-toll-restricted ports. This list allows toll restricted phones to call emergency numbers, such as 911. This option can only be used with TAC calls, not AAR/ARS calls. NOTE: This feature should be used only when CO trunks are obtained using TACs. The preferred arrangement is always to use ARS/WCR.
Recall signaling (switchhook flash) Recall signaling allows analog station users to place a call on hold and consult with another party or activate a feature. After consulting with the third party, the user can conference the third party with the original party by another recall signal, or return to the original party by pressing Recall twice or by flashing the switchhook twice.
Large business communications systems To activate the desired controlled restriction, the attendant or voice terminal user with console permission dials the feature access code for either the extension or the group, followed by either 1 for Outward, 2 for Total, 3 for Termination, or 4 for Station-to-Station, and then dials the voice terminal extension number (Attendant Control — Extension) or the COR for a group of voice terminals (Attendant Control — COR).
Tools that restrict unauthorized outgoing calls Trunk-to-trunk transfer Trunk-to-trunk transfer allows a station to connect an incoming trunk to an outgoing trunk and then drop the connection. When this feature is disabled, it prevents stations from transferring an incoming trunk call to an outgoing trunk. Then if the controlling station drops off the call, the call is torn down. NOTE: Hackers use this to convince unsuspecting employees to transfer them to 9# or 900.
Large business communications systems Forced entry of account code To maximize system security, it is recommended that the Forced Entry of Account Code feature be enabled and administered on the system. NOTE: For DEFINITY G2, Call Detail Recording (CDR) is required with this option. See ‘‘Call detail recording/station message detail recording’’ on page 5-53 for more information. Depending on the required length, the account code may replace other data in the CDR report.
Tools that restrict unauthorized outgoing calls Digit conversion Digit conversion allows you to identify numbers, area codes, or countries you do not want called. Whenever the numbers entered correspond to the numbers on the conversion list, the numbers are given a different value, such as 0, and then forwarded to the new destination, such as the attendant console.
Large business communications systems The feature has a pre-administered security feature regarding input entry by the user. Once the user enters his or her extension at the appropriate time, a “no response” feedback is provided whether or not the entered extension is valid. For an invalid extension, the system simply waits, without responding, until it reaches a timeout threshold. As such, an unauthorized user does not know that input entry is the cause of the error.
Tools that restrict unauthorized outgoing calls Extended user administration of redirected calls This feature allows station users to select one of two previously administered call coverage paths assigned to them (for example, a work location coverage path or a remote work location coverage path) from any on-site extension or from a remote location (for example, home).
Security measures
The following procedures explain how to use security tools to create restrictions that help prevent unauthorized access to your PBX system’s facilities.

Require passwords
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75, passwords may be up to 7 alphanumeric characters (11 for G3V3 and later). For System 85 and DEFINITY G2, the security code may be up to 6 digits.

DEFINITY G3V3 and later systems are shipped without any customer logins. Customer logins must be assigned when installing the system. Also, DEFINITY G3V2 and later releases provide additional restrictions on logins. For each login, you can limit up to 20 (40 for DEFINITY G3V3 and later) objects (for example, stations or trunks) from being administered.
— For systems covered by warranty, lease, or maintenance contract, Avaya will routinely change Avaya-controlled logins.

■ Enter up to 10 barrier codes (use all seven digits) and assign each a COR and COS that allow only necessary calls. The COR should be restricted so that even if a hacker deciphers the barrier code, a valid authorization code is still needed to make a call.
NOTE: Use the Remote Access feature only on an as-needed basis, and assign a unique COR to each barrier code. Change the barrier codes periodically.

■ Use PROC286 WORD1 FIELD16 to send calls to an intercept tone, a CAS attendant, or a local attendant when the caller does not enter a code.
■ Use PROC289, Programmable Intercept Treatment, to transfer calls to an attendant when the caller enters an invalid trunk access code, feature access code, or extension.
■ Turn on CDR for incoming calls by entering PROC275 WORD1 FIELD14. Also turn on CDR for the remote access trunk group using PROC101 WORD1 FIELD8.

NOTE: FRLs 1 through 7 include the capabilities of the lower FRLs.

Table 5-3. Suggested values for FRLs
FRL  Suggested value
0    No outgoing (off-switch) calls permitted.
1    Allow local calls only; deny 0+ and 1 800 calls.
2    Allow local calls, 0+, and 1 800 calls.
3    Allow local calls plus calls on FX and WATS trunks.
4    Allow toll calls within the home NPA.
5    Allow calls to certain destinations within the continental USA.

Prevent after-hours calling using time of day routing or alternate FRLs
You can regulate the days of the week and specific times that outgoing calls can be made. Depending on the time of day and day of the week, calls can be blocked or routed to the least-costly facility available. Since late evenings and weekends are particularly vulnerable times for toll hacking, set up separate plans with the most restrictive plan reserved for evenings and weekends.
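The FRL comparison described under ‘‘Facility restriction level’’, the suggested values in Table 5-3, the alternate FRL plan for evenings and weekends, and the Forced Entry of Account Code check can be put together in a few lines. The following is an added example written for this handbook edition, not Avaya switch code: the route pattern, the business-hours schedule, the after-hours FRL cap of 1 and the sample calls are assumptions made for the illustration; the rule that a route preference is accessible when the caller’s FRL is greater than or equal to the preference’s FRL is the one stated in the text.

```python
"""Added example (not Avaya code): FRL-based route selection with an
after-hours alternate FRL plan and a Forced Entry of Account Code check.
The route pattern, schedule and sample calls are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Suggested FRL meanings from Table 5-3 (FRLs 6 and 7 are not listed on this page).
SUGGESTED_FRL = {
    0: "No outgoing (off-switch) calls permitted.",
    1: "Allow local calls only; deny 0+ and 1 800 calls.",
    2: "Allow local calls, 0+, and 1 800 calls.",
    3: "Allow local calls plus calls on FX and WATS trunks.",
    4: "Allow toll calls within the home NPA.",
    5: "Allow calls to certain destinations within the continental USA.",
}


@dataclass(frozen=True)
class Preference:
    trunk_group: str
    frl: int   # minimum FRL a caller needs to use this trunk group


# Constructed route pattern, cheapest facility first, each guarded by its own FRL.
ROUTE_PATTERN: List[Preference] = [
    Preference("tie-to-hq", 2),
    Preference("local-co", 3),
    Preference("long-distance", 5),
]

# Constructed sample times: a Monday at noon and a Saturday late evening.
MONDAY_NOON = datetime(2003, 5, 12, 12, 0)
SATURDAY_NIGHT = datetime(2003, 5, 17, 23, 30)


def business_hours(when: datetime) -> bool:
    """Assumed time-of-day plan: Monday to Friday, 08:00 to 17:59."""
    return when.weekday() < 5 and 8 <= when.hour < 18


def effective_frl(station_frl: int, when: datetime, after_hours_frl: int = 1) -> int:
    """Alternate FRL plan: outside business hours the caller's permission is
    capped at the most restrictive plan's value (after_hours_frl is assumed)."""
    return station_frl if business_hours(when) else min(station_frl, after_hours_frl)


def select_trunk_group(station_frl: int, when: datetime,
                       pattern: List[Preference] = ROUTE_PATTERN) -> Optional[str]:
    """Return the first trunk group in the pattern whose FRL is less than or equal
    to the caller's effective FRL (the rule under 'Facility restriction level'),
    or None when every preference is above the caller's FRL (call blocked)."""
    frl = effective_frl(station_frl, when)
    for pref in pattern:
        if frl >= pref.frl:
            return pref.trunk_group
    return None


def place_call(station_frl: int, when: datetime, account_code: Optional[str] = None,
               feac_required: bool = False) -> str:
    """Combine FEAC with route selection.  FEAC only checks that an account code
    of up to 15 digits was dialed; the text notes that entries are not validated."""
    if feac_required and not (account_code and account_code.isdigit()
                              and len(account_code) <= 15):
        return "denied: account code required"
    tg = select_trunk_group(station_frl, when)
    return f"routed via {tg}" if tg else "denied: FRL too low for every preference"


if __name__ == "__main__":
    for frl in (0, 3, 5):
        print(frl, SUGGESTED_FRL[frl])
        print("   weekday:", place_call(frl, MONDAY_NOON, "1234", feac_required=True))
        print("   weekend:", place_call(frl, SATURDAY_NIGHT, "1234", feac_required=True))
```

Running the block shows the effect the text describes: a station with FRL 5 reaches a trunk group during the day but is blocked on Saturday night, because the alternate plan caps its effective FRL below every preference in the pattern.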
■ Enter PROC203 WORD1 Button Type 19 to set the alternate FRL button on the attendant console. This allows attendants to manually change to alternate FRLs.

Block international calling
If your company does not do business overseas, deny everyone the ability to directly dial international calls; in other words, block calling the international dial prefix, for example, 011.

For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3:
■ Enter change ars analysis partition to display the ARS Analysis screen.
■ Make the route pattern DEN to deny for the following numbers:
— 01 = international operator
— 010 = international calls, operator-assisted
— 011 = international calls, direct
— 101xxxx01 = international operator
— 101xxxx011 = international calls, direct
For DEFINITY G2 and System 85:
■ For DEFINITY G2.

For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3:
■ Enter change ars analysis to display the ARS Analysis screen.
■ Specify the telephone numbers in the Dial String field that you do not want dialed by entering blank in the routing pattern or routing to a pattern that contains a high FRL.
■ Disable TAC/DAC dialing (see ‘‘Disable direct access to trunks’’ on page 5-39).

Restrict calls to specified area codes
If your business does not make calls to certain area codes, you can prevent users from entering numbers within those area codes.
For DEFINITY G1 and System 75: See ‘‘Allow calling to specified numbers’’ on page 5-37.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3:
■ Enter change ars analysis to display the ARS Analysis screen.
■ Specify the telephone numbers in the Dial String field that you do not want dialed.

For DEFINITY G2.2:
■ Use WCR with PROC314 WORD1 and WORD2 and permit only certain numbers. Consider using Network 3, which contains only those numbers, to reduce the administrative clutter in your outgoing calling network.

Use attendant control of remote access calls (DEFINITY G2 and System 85 only)
Instead of allowing remote access callers to dial numbers directly, an attendant can handle the calls.

For DEFINITY G2 and System 85:
■ Enter PROC000 WORD2 FIELD5 to assign an extension to a group that can be placed under attendant control.
■ Have the attendant activate restrictions on these phones as part of the business day closing procedure.

Disable direct access to trunks
All outside calling should be done through AAR/ARS/WCR and never with direct trunk access via DACs. To disable the ability to use DACs for outgoing calls system-wide, use the following procedures.

Use attendant control of trunk group access
If direct access to trunk groups must be allowed, consider making them attendant-controlled trunk groups. The attendant can then screen the calls. Up to 12 trunk groups can be controlled.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, DEFINITY G3, and System 75:
■ Enter change attendant to display the Attendant screen.

■ Time slot test call — Connects the voice terminal user to a specific time slot located on the Time Division Multiplex buses or out-of-service time slots.
■ System tone test call — Connects the voice terminal user to specific system tones.
To activate the feature, the Facility Test Calls access code must be assigned. It is recommended that the access code be left blank except when actually testing trunks. (Do not use the default of 197.

For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75:
■ Use change cor to display the Class of Restriction screen.
■ Enter y in the Facility Access Trunk Test field.
■ Use change station to assign the COR with the FAC test permission to the appropriate station.
■ Assign all other stations to a COR with the Facility Access Trunk Test field set to n.
■ Never use the default code of 197.

For DEFINITY G2.2 and System 85:
■ You cannot eliminate the dial tone prompt for entry of the authorization or barrier code, nor can you eliminate switch dial tone. You can eliminate AAR/ARS dial tone.
For DEFINITY G2.2:
■ Use PROC103 WORD1 FIELD15 to suppress WCR dial tone for that trunk group.
■ Use PROC312 WORD1 FIELD2 to suppress a specific network’s dial tone for all users.
For DEFINITY G2.

NOTE: Even if trunk-to-trunk transfer is disallowed, the START 9 RELEASE sequence will supply a dial tone to the caller, enabling trunk-to-trunk transfer to proceed.

Disable transfer outgoing trunk to outgoing trunk
The outgoing trunk to outgoing trunk transfer (OTTOTT) feature (G3r and G3V2 and later) allows a controlling party, such as a station user or attendant, to initiate two or more outgoing trunk calls and then transfer the trunks together.

Disallow outgoing calls from tie trunks
If your tie trunks are used solely for office-to-office calling, you can deny access from tie trunks to outgoing AAR/ARS/WCR trunks. This does not affect calls using TACs.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75:
■ Use change cor to create a new Class of Restriction for the incoming tie line trunk group.

For DEFINITY G2 and System 85:
■ When DACs are available to users, enter PROC110 to provide Trunk-to-Trunk restrictions.
■ Force the entry of an authorization code with PROC103 WORD1 FIELD6.
NOTE: The caller is not prompted for an authorization code on incoming tie trunk calls with a TCM.
■ Set the default FRL to a low value with PROC103 WORD1 FIELD2.
NOTE: ETN trunks pass along the originating station’s FRL as a TCM.

Require account codes
You can use the Forced Entry of Account Code (FEAC) feature to require callers to enter an account code (up to 15 digits) before calls to toll numbers are completed. This option can be specified for an originating station COS (G2 only), for an outgoing trunk group, or for access to ARS/WCR trunks. If an account code is not dialed when required, the call is denied.

Assign COR restrictions to adjuncts when using expert agents
In an Expert Agent (EAS) environment, an auto-available split assigned to any adjunct equipment (for example, ICD, CONVERSANT Voice Information System, Voice Mail, or VRU) should have the COR restrictions assigned to the agent login ID. Both the login ID and the extension CORs should have the needed restrictions, but the COR of the login ID takes precedence.

Use world class routing restrictions
For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G2.2 and G3, use the following steps to restrict WCR from unauthorized use.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3:
■ Miscellaneous restrictions (COR-to-COR restrictions) are not observed during AAR/ARS call processing. The FRL value is used instead.
■ Use change COR to display the Class of Restriction screen.

■ Mark each string and route with an FRL permission value using PROC314 WORD1 FIELD8, and PROC318 WORD1 FIELD4.
■ Use toll checking capabilities as shown:
— For WCR, use PROC010 WORD3 FIELD22.
— For toll-free tables, use PROC319 and PROC318 WORD1 FIELD6.
■ If needed, define more detail in the numbering plan by using PROC314. Use wildcard digits and variable string lengths with care.
■ Send a # after troublesome call types (0 +, 011 +, etc.).
Detecting toll fraud
Table 5-4 shows the reports and monitoring techniques that track system activity and help detect unauthorized use:
Table 5-4.

This permission is administered on a login basis. Avaya is responsible for performing the necessary administration for one customer superuser login. If additional customer logins require access to the system via the INADS port, the customer superuser login may perform the necessary administration to grant those permissions.

Forced password aging and administrable logins
DEFINITY G3V3 and later releases provide two features for enhanced login/password security.

Login permissions for a specified login can be set by the superuser to block any object that can affect the health of the switch. Up to 40 administration or maintenance objects (commands) can be blocked for a specified login. When an object (administrative or maintenance command) is entered in the blocked object list on the Command Permissions Categories Restricted Object List screen, the associated administrative or maintenance actions cannot be performed by the specified login.

Two optional products, Avaya Cost Allocator and Call Accounting System (CAS) Plus, enhance CDR/SMDR by allowing you to create customized reports. These reports can be used to isolate calls that may be suspicious.
NOTE: Only the last extension on the call is reported. Unauthorized users who are aware of this procedure originate calls on one extension, then transfer to another extension before terminating the call.

Traffic measurements and performance
By tracking traffic measurements on the trunk groups, you can watch for unexplained increases in call volume, particularly during off-peak hours.

■ To review the traffic measurements, enter list measurements followed by one of the measurement types (trunk-groups, call-rate, call-summary, outage-trunk, or security-violations) and the timeframe (yesterday-peak, today-peak, or last-hour).
■ To review performance, enter list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).
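The review the text recommends, watching trunk-group measurements for unexplained off-peak increases, is easy to automate once the hourly counts have been transcribed from the list measurements output. The following is an added example, not Avaya code: it builds a per-trunk-group off-peak baseline from past hourly counts and flags any off-peak hour whose volume is well above that baseline. The off-peak definition, the three-sigma threshold, the minimum-count floor and all hourly figures are constructed for the illustration.

```python
"""Added example (not Avaya code): flag unexplained off-peak call-volume
increases on a trunk group.  Hourly counts and thresholds are constructed;
a real review would feed in the 'list measurements trunk-groups' output."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Row = Tuple[datetime, str, int]          # (hour start, trunk group, outgoing calls)
Baseline = Dict[Tuple[str, bool], Tuple[float, float]]


def is_off_peak(when: datetime) -> bool:
    """Assumed off-peak definition: weekends, or weekday hours outside 08:00-17:59."""
    return when.weekday() >= 5 or not (8 <= when.hour < 18)


def build_baseline(history: List[Row]) -> Baseline:
    """Mean and population stdev of hourly calls per (trunk group, off-peak flag)."""
    buckets = defaultdict(list)
    for when, tg, calls in history:
        buckets[(tg, is_off_peak(when))].append(calls)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}


def flag_anomalies(baseline: Baseline, recent: List[Row],
                   min_calls: int = 10, sigma: float = 3.0) -> List[Row]:
    """Return off-peak rows whose volume exceeds mean + sigma*stdev for that
    trunk group's off-peak baseline; min_calls ignores trivially small counts."""
    flagged = []
    for when, tg, calls in recent:
        if not is_off_peak(when):
            continue
        mu, sd = baseline.get((tg, True), (0.0, 0.0))
        if calls >= min_calls and calls > mu + sigma * sd:
            flagged.append((when, tg, calls))
    return flagged


def constructed_history() -> List[Row]:
    """Two quiet weeks of constructed hourly counts for one trunk group:
    about 40 calls an hour in business hours, 2 to 4 off-peak."""
    start = datetime(2003, 4, 28, 0, 0)   # a Monday
    rows = []
    for h in range(14 * 24):
        when = start + timedelta(hours=h)
        calls = 2 + (h % 3) if is_off_peak(when) else 40
        rows.append((when, "ld-trunk", calls))
    return rows


def constructed_recent() -> List[Row]:
    """A constructed Saturday with a burst of outgoing calls at 23:00."""
    sat = datetime(2003, 5, 17, 0, 0)
    return [(sat + timedelta(hours=h), "ld-trunk", 35 if h == 23 else 2)
            for h in range(24)]


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for when, tg, calls in flag_anomalies(base, constructed_recent()):
        print(f"{when:%Y-%m-%d %H:00} {tg}: {calls} calls, off-peak baseline "
              f"{base[(tg, True)][0]:.1f}")
```

A burst at 23:00 on a Saturday stands out against a baseline built only from off-peak hours; comparing it against the daytime average would hide it, which is why the baseline is keyed on the off-peak flag.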
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75:
■ Enter change system-parameters feature to display the Features-Related System Parameters screen.
■ Enter y in the Automatic Circuit Assurance (ACA) Enabled field.
■ Enter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches.

BCMS measurements (Communication Manager, MultiVantage Software, DEFINITY ECS and DEFINITY G1 and G3)
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1 and G3, BCMS Measurements report traffic patterns for measured trunk groups.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G1 and G3:
■ Use change trunk-group to display the Trunk Group screen.

Security violation notification (Communication Manager, MultiVantage Software, DEFINITY ECS and DEFINITY G3)
For Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3, the Security Violation Notification feature (SVN) provides the capability to immediately detect a possible breach of the System Management, Remote Access, or Authorization Code features, and to notify a designated destination upon detection.

■ On a historical basis, the number of security violations of each type is collected and reported in the Security Violations Summary Measurement report. This report shows summary information since the last time the counters were reset. (See ‘‘Security Violations Measurement reports’’ on page 5-62.

■ In the Feature Button Assignment field, enter rsvn-call for the Remote Access Security Violation Notification button and lsvn-call for the Login Security Violation Notification button. The feature activation buttons do not have to reside on the referral destination station. They can be administered on any station. However, they must be activated before referral calls are sent to the referral destination.

Security Violations Measurement reports
This report identifies invalid login attempts and the entry of invalid barrier codes. It monitors the administration, maintenance, and remote access ports. A login violation is reported when a forced disconnect occurs (after three invalid attempts). Review the report daily to track invalid attempts to log in or to enter barrier codes, both of which may indicate hacker activity.

— Port Type: The type of port used by the measured login process. If break-ins are occurring at this level, the offender may have access to your system administration. With DEFINITY Release 5r, port types can be:
■ SYSAM-LCL (SYSAM local port)
■ SYSAM-RMT (SYSAM remote port)
■ MAINT
■ SYS-PORT (system ports)
— Total: Measurements totaled for all the above port types.

■ INADS (The Initialization and Administration System port)
■ EPN (The EPN maintenance EIA port)
■ NET
— Successful Logins: The total number of times a login was used successfully to log into the system for the given port type.
— Invalid Passwords: The total number of login attempts where the attempting person submitted an invalid password for the given port type and login ID.

The Login Violations Status report has the following fields:
— Date: The day that the invalid attempt occurred
— Time: The time the invalid attempt occurred
— Login: The invalid login that was entered as part of the login violation attempt. An invalid password may cause a security violation. If a valid login causes a security violation by entering an incorrect password, the Security Violation Status report lists the login.
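The two reports just described can be reproduced from a log of login attempts, which makes the daily review easier to script. The following is an added example, not Avaya code: it tallies Successful Logins and Invalid Passwords per port type (with a Total row) and lists Login Violations Status rows, recording a violation when a login reaches three consecutive invalid passwords on one port type, which is the forced-disconnect point named in the text. The record format and the sample attempts are constructed; the port-type names come from the list above.

```python
"""Added example (not Avaya code): build Security Violations Measurement
counts and Login Violations Status rows from constructed login records."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

INVALID_ATTEMPT_LIMIT = 3   # forced disconnect after three invalid attempts


@dataclass(frozen=True)
class Attempt:
    when: datetime
    port_type: str     # e.g. SYSAM-LCL, SYSAM-RMT, MAINT, SYS-PORT, INADS, EPN, NET
    login: str
    password_ok: bool


# Constructed records, one per line: "YYYY-MM-DD HH:MM:SS port_type login ok|bad"
SAMPLE_LOG = """\
2003-05-17 23:01:10 SYSAM-RMT cust bad
2003-05-17 23:01:25 SYSAM-RMT cust bad
2003-05-17 23:01:41 SYSAM-RMT cust bad
2003-05-17 23:05:02 INADS init ok
2003-05-18 02:14:07 SYSAM-RMT craft bad
2003-05-18 02:14:30 SYSAM-RMT craft bad
2003-05-18 02:15:01 SYSAM-RMT craft ok
2003-05-18 08:30:00 SYSAM-LCL cust ok
"""


def parse_log(text: str) -> List[Attempt]:
    attempts = []
    for line in text.splitlines():
        day, clock, port, login, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(f"{day} {clock}"),
                                port, login, result == "ok"))
    return attempts


def measurement_report(attempts: List[Attempt]) -> Dict[str, Dict[str, int]]:
    """Successful Logins / Invalid Passwords per port type, plus a Total row."""
    ok: Counter = Counter()
    bad: Counter = Counter()
    for a in attempts:
        if a.password_ok:
            ok[a.port_type] += 1
        else:
            bad[a.port_type] += 1
    report = {p: {"successful_logins": ok[p], "invalid_passwords": bad[p]}
              for p in sorted(set(ok) | set(bad))}
    report["Total"] = {"successful_logins": sum(ok.values()),
                       "invalid_passwords": sum(bad.values())}
    return report


def login_violations(attempts: List[Attempt]) -> List[Tuple[str, str, str, str]]:
    """Login Violations Status rows (date, time, login, port type).  A violation
    is recorded when a login reaches INVALID_ATTEMPT_LIMIT consecutive invalid
    passwords on one port type; a successful login resets the count."""
    streak = defaultdict(int)
    rows = []
    for a in sorted(attempts, key=lambda x: x.when):
        key = (a.port_type, a.login)
        if a.password_ok:
            streak[key] = 0
            continue
        streak[key] += 1
        if streak[key] == INVALID_ATTEMPT_LIMIT:
            rows.append((a.when.date().isoformat(), a.when.time().isoformat(),
                         a.login, a.port_type))
            streak[key] = 0   # forced disconnect; counting starts over
    return rows


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for port, counts in measurement_report(log).items():
        print(f"{port:10} {counts['successful_logins']:3} ok "
              f"{counts['invalid_passwords']:3} invalid")
    for row in login_violations(log):
        print("violation:", *row)
```

In the sample, the three failed attempts on SYSAM-RMT for the cust login produce one violation row, while the craft login's two failures followed by a success produce none; both still show up in the Invalid Passwords column, which is why the text recommends reviewing the measurement report daily rather than relying on violations alone.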
In DEFINITY G3V3 and later, the Authorization Code Violations Status report has the following fields:
— Date: The day that the violation occurred
— Time: The time the violation occurred
— Originator: The type of resource originating the call that generated the invalid authorization code access attempt.

Remote access barrier code aging/access limits (DEFINITY G3V3 and later)
For DEFINITY G3V3 and later, Remote Access Barrier Code Aging allows the system administrator to specify both the time interval a barrier code is valid, and/or the number of times a barrier code can be used to access the Remote Access feature. A barrier code will automatically expire if an expiration date or number of access attempts has exceeded the limits set by the switch administrator.
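The aging and access-limit behaviour described above, together with the earlier advice to use all seven digits, limit the table to 10 barrier codes and give each code its own COR, can be modelled as a small barrier-code table. The following is an added example, not Avaya code: the codes, CORs, dates and limits are constructed; the two expiry conditions (calendar date passed, or use count exhausted) are the ones the text states.

```python
"""Added example (not Avaya code): a Remote Access barrier-code table with
expiry by date and by number of uses.  Codes, CORs and limits are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_BARRIER_CODES = 10   # limit stated for the Remote Access feature
CODE_LENGTH = 7          # "use all seven digits"


def is_valid_format(code: str) -> bool:
    return len(code) == CODE_LENGTH and code.isdigit()


@dataclass
class BarrierCode:
    code: str
    cor: int                         # COR applied to calls made with this code
    expires: Optional[date] = None   # None: no calendar expiry
    max_uses: Optional[int] = None   # None: no use limit
    uses: int = 0

    def expired(self, today: date) -> bool:
        """A code has aged out once its date has passed or its uses are exhausted."""
        if self.expires is not None and today > self.expires:
            return True
        if self.max_uses is not None and self.uses >= self.max_uses:
            return True
        return False


class RemoteAccess:
    def __init__(self, codes: List[BarrierCode]):
        if len(codes) > MAX_BARRIER_CODES:
            raise ValueError(f"at most {MAX_BARRIER_CODES} barrier codes")
        for c in codes:
            if not is_valid_format(c.code):
                raise ValueError(f"barrier code {c.code!r} must be {CODE_LENGTH} digits")
        self.codes: Dict[str, BarrierCode] = {c.code: c for c in codes}

    def authenticate(self, dialed: str, today: date) -> Optional[int]:
        """Return the COR to apply when the barrier code is accepted, or None when
        the code is unknown or has aged out.  Each accepted use is counted."""
        entry = self.codes.get(dialed)
        if entry is None or entry.expired(today):
            return None
        entry.uses += 1
        return entry.cor

    def purge_expired(self, today: date) -> List[str]:
        """Remove aged-out codes from the table; returns the removed codes."""
        gone = [c for c, e in self.codes.items() if e.expired(today)]
        for c in gone:
            del self.codes[c]
        return gone


# Constructed sample table and dates.
BEFORE_EXPIRY = date(2003, 5, 1)
AFTER_EXPIRY = date(2003, 7, 1)


def sample_table() -> RemoteAccess:
    """One code with a calendar expiry, one limited to two uses."""
    return RemoteAccess([
        BarrierCode("2468013", cor=21, expires=date(2003, 6, 30)),
        BarrierCode("1357924", cor=22, max_uses=2),
    ])


if __name__ == "__main__":
    ra = sample_table()
    for attempt in ("2468013", "1357924", "1357924", "1357924", "0000000"):
        print(attempt, "->", ra.authenticate(attempt, BEFORE_EXPIRY))
    print("purged after expiry:", ra.purge_expired(AFTER_EXPIRY))
```

The COR returned on success is what ties the barrier code to the restricted class of service recommended earlier; a caller who gets past the code still only reaches the destinations that COR permits.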
Recent Change History report (Communication Manager, MultiVantage Software, DEFINITY ECS, and DEFINITY G1 and G3)
The latest administration changes are automatically tracked for Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G1 and G3. For each administration change that occurs, the system records the date, time, port, login, and type of change that was made.

■ If the call originates outside the system, the incoming trunk equipment location is displayed. In this case, the customer must call the appropriate connecting switch.
■ The following is displayed for all calls: called number, activating number, whether the call is active or not, and identification of any additional parties on the call.
There are several ways to activate the MCT feature. See the Hardware Guide for Avaya™ Communication Manager for more information.

For DEFINITY G2 and System 85:
NOTE: This feature is available only with an ACD split.
■ Use PROC054 WORD2 FIELD8 to assign the Service Observing Custom Calling Button to a multi-appearance terminal.
For DEFINITY G3V3 and later, the Observe Remotely (remote service observing) feature allows monitoring of physical, logical, or VDN extensions from external locations.

6 Small business communications systems

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

— ‘‘PARTNER II Communications System’’ on page 8-21
— ‘‘PARTNER Plus Communications System’’ on page 8-22
— ‘‘System 25’’ on page 8-22

Features for the MERLIN systems
The following table identifies MERLIN II and MERLIN LEGEND security features by release number.

Table 6-1. MERLIN II and MERLIN LEGEND security features
(Columns: Features, MII R3, ML R1.0/1.1, ML R2.0/2.1, ML R3.0/3.1, ML R4.0/4.1/4.2, ML R5.0)

Table 6-1. MERLIN II and MERLIN LEGEND security features — Continued
(Columns as above; row labels other than the first were not recovered from the page.)
Disallowed list: x x x x x x (Default is List 7)
(label not recovered): x x x x x (Levels 0 through 6; ARS related)
(label not recovered): x x x x x (Affects only outgoing calls)
(label not recovered): x x x x x (Whenever Night Service is on and Shared Remote Access is administered, calls normally routed to internal stations are provided remote access treatment.)

Table 6-1. MERLIN II and MERLIN LEGEND security features — Continued
(Columns as above.)
Station message detail recording (SMDR): x x x x x x (For ML R3 w/ Call ID, remote access number is recorded if received. For ML R4.2 and later releases, the optional ML Reporter Talk Time feature is disabled.)

MERLIN II Communications System
This section provides information on protecting the MERLIN II Communications System. Additional security measures are required to protect adjunct equipment.
■ Chapter 7 contains security measures to protect the attached voice messaging system. For general security measures, refer to ‘‘Protecting voice messaging systems’’ on page 7-2. For product-specific security measures, refer to ‘‘MERLIN II Communications System’’ on page 7-35.

— With a MERLIN II Communications System display console:
1. From the administration menu, press these buttons: Lines DISA.
2. If callers must dial a password to make DISA calls, dial a 4-digit password.
3. Press Enter.
4. Press NoRestr for no restriction, or InwdOnly for inward restriction.
5.

MERLIN LEGEND Communications System
This section provides information on protecting the MERLIN LEGEND Communications System. Unauthorized persons concentrate their activities in the following two areas with the MERLIN LEGEND Communications System:
■ Transfer out of the MERLIN LEGEND Communications System to gain access to an outgoing trunk and make long distance calls.
■ Locate unused or unprotected mailboxes and use them as drop-off points for their own messages.

Unlike the MERLIN II Communications System R3, the MERLIN LEGEND Communications System does not allocate touch-tone receivers for incoming calls, and thus will not interpret touch tones from a caller as an attempt to circumvent toll restriction, and will not disconnect the call. This could leave the MERLIN LEGEND Communications System vulnerable to toll fraud if the ports are not outward restricted.

Protection via star codes and allowed/disallowed lists
Starting with MERLIN LEGEND Release 3.1, star codes can be added to Allowed and Disallowed Lists to help prevent toll fraud. These codes are usually dialed before an outgoing call, and they allow telephone users to obtain special services provided by the central office (CO).

Default disallowed list
By default, Disallowed List #7 contains the following entries, which are frequently associated with toll fraud:
■ 0
■ 10
■ 11
■ 976
■ 1809
■ 1700
■ 1900
■ 1ppp976 (where each p represents any digit)
■ *
This list is automatically assigned to any port that is programmed as a VMI port. The system manager should assign Disallowed List #7 to any extension that does not require access to the numbers in the list.

Security defaults and tips
The following list identifies features and components that can be restricted by FRLs, identifies the corresponding FRL, and discusses how the FRLs affect these features and components.
■ Voice Mail Integrated (VMI) ports
The default FRL for VMI ports is now 0. This restricts all outcalling. (Refer to Form 7d, “Group Calling.”)
■ Default local route table
The default FRL for the default local route table is now 2.

Protecting the Remote Access feature
The Remote Access feature allows users to call into the MERLIN LEGEND Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls. However, unauthorized persons might learn the remote access telephone number and password, call into the system, and make long distance calls. For MERLIN LEGEND R3.

■ Program the Remote Access feature to require the caller to enter a barrier code before the system will allow the caller access. Up to 16 different barrier codes can be programmed, and different restriction levels can be set for each barrier code.
■ For MERLIN LEGEND R3.0, program the Remote Access feature to enter an authorization code of up to 11 digits. For greater security, always use the maximum available digits when assigning authorization codes.

Protecting remote system programming
The Remote System Programming feature allows your system administrator to use system programming and maintenance (SPM) software to make changes to your MERLIN LEGEND Communications System programming from another location. The system can be accessed remotely either by dialing into it directly using remote access or by dialing the system operator and asking to be transferred to the system’s built-in modem.
MERLIN LEGEND/MAGIX toll fraud Protecting remote call forwarding The Remote Call Forwarding feature allows a customer to forward an incoming call to another off-premises number. However, a caller could stay on the line and receive another dial tone. At this point, the caller could initiate another toll call.
Small business communications systems ■ Employees receive calls requesting the be transferred for outside “operator assistance” or outbound calls. ■ Employees receive frequent calls from foreign speaking callers, requesting to be transferred, or hanging up. ■ Employees having difficulty obtaining an outside line. ■ The customer is unable to access voice mail, and the system is not down.
MERLIN LEGEND/MAGIX toll fraud ■ Have only system administrator transfer calls to “*10.” ■ The customer’s long distance carrier may: — Restrict 011 and other “hot spot” area codes. — Restrict access to your toll free area codes from areas you do not wish to receive calls from. — Put after hours restrictions to terminate calls in the network. ■ Restrict third-party billing with your local carrier. Responsibility The customer is responsible for the security of the system.
Small business communications systems The Remote Access features of your system, if you choose to use them, permit off-premises callers to access the system from a remote telephone by using a telephone number with or without a barrier code. The system returns an acknowledgment, signaling the user to key in his or her barrier code, which is selected and administered by the system manager. After the barrier code is accepted, the system returns dial tone to the user.
MERLIN LEGEND/MAGIX toll fraud ■ Frequently monitor system call detail reports for quicker detection of any unauthorized or abnormal calling patterns. ■ Limit remote call forwarding to persons on a need-to-have basis ■ Change access codes every 90 days ■ Use the longest-length barrier codes possible, following the guidelines for passwords Toll fraud prevention Toll fraud is the unauthorized use of your telecommunications system by third parties to make long-distance telephone calls.
Small business communications systems Preventive measures Take the following preventive measures to limit the risk of unauthorized access by hackers: ■ Provide good physical security for the room containing your telecommunications equipment and the room with administrative tools, records, and system manager information. These areas should be locked when not attended.
MERLIN LEGEND/MAGIX toll fraud

Security risks associated with transferring through voice messaging systems

Toll fraud hackers try to dial into a voice mailbox and then execute a transfer by dialing *T. The hacker then dials an access code (either 9 for ARS or a pooled facility code), followed by the appropriate digit string to either direct dial or access a network operator to complete the call. All extensions are initially, and by default, restricted from dial access to pools.

Small business communications systems

■ Deny access to pooled facility codes by removing pool dial-out codes 70, 890–899, or any others on your system.
■ Create a Disallowed List or use the pre-prepared Disallowed List number 7 to disallow dialing 0, 11, 10, 1700, 1809, 1900, and 976 or 1 (wildcard) 976. Disallowed List number 7 does not include 800, 1800, 411, and 1411, but Avaya recommends that you add them. Assign all voice mail port extensions to this Disallowed List.

“reliable disconnect” (sometimes referred to as forward disconnect or disconnect supervision), which guarantees that the central office does not return a dial tone after the called party hangs up. In most cases, the central office facility is a loop-start line/trunk which does not provide reliable disconnect.

Security risks associated with the Remote Access feature

Remote access allows the MERLIN MAGIX Integrated System owner to access the system from a remote telephone and make an outgoing call or perform system administration using the network facilities (lines/trunks) connected to the MERLIN MAGIX Integrated System.

Educating users

Everyone in your company who uses the telephone system is responsible for system security. Users and attendants/operators need to be aware of how to recognize and react to potential hacker activity. Informed people are more likely to cooperate with security measures that often make the system less flexible and more difficult to use.
■ Never program passwords or authorization codes onto auto dial buttons.

Detecting toll fraud

To detect toll fraud, users and operators should look for the following:
■ Lost voice mail messages, mailbox lockout, or altered greetings
■ Inability to log into voice mail
■ Inability to get an outside line
■ Foreign language callers
■ Frequent hang-ups
■ Touch-tone sounds
■ Caller or employee complaints that the lines are busy
■ Increases in internal requests for assistance in making outbound calls (particularly international call

■ Regularly back up your MERLIN MAGIX Integrated System files to ensure a timely recovery should it be required. Schedule regular, off-site backups.
■ Keep the remote maintenance device turned off when not in use by Avaya or your authorized dealer.
■ Limit transfers to registered subscribers only.
■ Use the security violations notification options (Mailbox Lock or Warning Message) to alert you of any mailbox break-in attempts. Investigate all incidents.

Limiting outcalling

When outcalling is used to contact subscribers who are off-site, use the MERLIN MAGIX Integrated System allowed lists and disallowed lists or ARS features to minimize toll fraud. If outcalling will not be used, outward restrict all voice messaging system ports. If outcalling will be used, for the MERLIN Messaging System, the ports to be unrestricted are port 2 on a 2-port system, port 4 on a 4-port system, or port 6 on a 6-port system.
Consider the following when you use wildcard characters in allowed and disallowed lists:
■ Disallowed list entries can be from 1 to 12 characters in length.
■ Before a dialed number is compared to an entry in the allowed list, the leading “1” is dropped. Thus, an allowed list entry of “p67” (where “p” is the wildcard character) matches dialed numbers of “267,” “367,” etc., but not “167.”

Legend through Magix R1 automatic route selection

****SECURITY ALERT****
Do not place remote ARS access codes in the non-local dial plan by specifying, for example, a non-local extension range such as 9000–9050 when the remote ARS access code is 9. Doing so allows DID callers to make outside calls through the remote switch and may allow transferring of outside callers to outside dial tone on a remote switch, possibly resulting in toll fraud.

Magix R1.

If you program the route in the 6-Digit table to absorb N digits, the actual number of digits absorbed will be as follows:
■ If the user dials an 11-digit number (including the leading “1”), ARS absorbs N digits. For example, you program the 6-Digit table to absorb 4 digits, and the user dials 1-732-555-1234. In this example, 4 digits are absorbed, and 555-1234 is the number that ARS sends as the dialed number to the central office.

****SECURITY ALERT****
The MERLIN MAGIX Integrated System ships with ARS activated and all extensions set to Facility Restriction Level 3, allowing all international calling. To prevent toll fraud, ARS FRLs should be established using:
■ FRL 0 for restriction to internal dialing only.
■ FRL 2 for restriction to local network calling only.

Additional general security for voice messaging systems:
■ Use a secure password for the general mailboxes.
■ The default administration mailbox, 9997, must be reassigned to the system manager’s mailbox/extension number and securely password protected.
■ All voice messaging system users must use secure passwords known only to the user.

Magix R1.5: Wildcard characters in ARS 6-digit tables

Release 1.

Magix R1.5: Disallowed lists enhancements

Consider the following when you use wildcard characters in disallowed lists:
■ Disallowed list entries can be from 1 to 12 characters in length.
■ Before a dialed number is compared to an entry in the allowed list, the leading “1” is dropped. Thus, an allowed list entry of “p67” (where “p” is the wildcard character) matches dialed numbers of “267,” “367,” etc., but not “167.”

For example: *67 and 420 are two entries in an allowed list. If someone at an outward restricted extension dials *67 420-1234, the call succeeds. If the person at the same outward restricted extension dials *67 431-1234, the call fails (431 is not in the allowed list). If the person at the same extension dials 420-1234, the call succeeds. This type of processing also applies to disallowed lists.
■ Disallowed List 7 has a new default entry.
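A worked version of the allowed/disallowed list matching described above (the 1 to 12 character entries, the “p” wildcard, the dropped leading “1”, and the *67 prefix handling), written as an added example for this edition rather than taken from Avaya code. Prefix matching, consuming a matched “*nn” entry before rechecking the remainder, and dropping the leading “1” only for allowed-list comparison are assumptions drawn from the text's examples; the default voice mail disallow list used is the one this chapter gives for releases after R3.1.

```python
"""Allowed/disallowed list matching for outward-restricted extensions.

Added example, not Avaya code. Assumptions: a list entry is a prefix pattern
of 1 to 12 characters; 'p' matches any single digit; when a '*nn' entry matches
the start of the dialed string it is consumed and the remainder is rechecked;
the leading '1' is dropped only for allowed-list comparisons.
"""

WILDCARD = "p"

# Default disallow list assigned to voice mail ports (releases after R3.1)
DEFAULT_VOICE_MAIL_DISALLOW = ["0", "10", "11", "1809", "1700", "1900",
                               "976", "1ppp976", "*"]


def entry_matches(entry: str, dialed: str) -> bool:
    """True if `dialed` begins with `entry`; 'p' matches any one digit."""
    if not 1 <= len(entry) <= 12:
        raise ValueError("list entries must be 1 to 12 characters")
    if len(dialed) < len(entry):
        return False
    for e, d in zip(entry, dialed):
        if e == WILDCARD:
            if not d.isdigit():
                return False
        elif e != d:
            return False
    return True


def normalize(dialed: str) -> str:
    """Keep only digits, '*' and '#'; drops spaces and dashes a user types."""
    return "".join(c for c in dialed if c.isdigit() or c in "*#")


def strip_star_code(dialed: str, entries) -> str:
    """If a '*nn' list entry is a prefix of the dialed string, remove it (assumed)."""
    for entry in entries:
        if entry.startswith("*") and entry_matches(entry, dialed):
            return dialed[len(entry):]
    return dialed


def allowed_list_permits(dialed: str, allowed) -> bool:
    """Outward-restricted extension: the call succeeds only if an entry matches.

    The leading '1' is dropped before comparison, so 'p67' matches 267 and
    367 but not 167 (which is compared as '67').
    """
    digits = strip_star_code(normalize(dialed), allowed)
    if digits.startswith("1"):
        digits = digits[1:]
    return any(entry_matches(e, digits)
               for e in allowed if not e.startswith("*"))


def disallowed_list_blocks(dialed: str, disallowed) -> bool:
    """Disallowed list: the call is blocked if any entry matches.

    No leading-'1' drop here (assumed), since entries such as '1900' and
    '1ppp976' carry the '1'. A consumed '*nn' code is handled the same way
    as for allowed lists.
    """
    digits = normalize(dialed)
    if any(entry_matches(e, digits) for e in disallowed):
        return True
    remainder = strip_star_code(digits, disallowed)
    return remainder != digits and any(entry_matches(e, remainder)
                                       for e in disallowed)


if __name__ == "__main__":
    for number in ["1-900-555-1234", "1-212-976-1234", "201-555-1234"]:
        blocked = disallowed_list_blocks(number, DEFAULT_VOICE_MAIL_DISALLOW)
        print(f"{number}: {'blocked' if blocked else 'permitted'}")
```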
Disconnect signaling reliability

Use this procedure to classify the disconnect signal sent by the central office on loop-start trunks as one of the following:
■ Reliable. Signal sent within a short time.
■ Unreliable. Signal may not be provided.

**** SECURITY ALERT ****
Toll fraud can occur if you have loop-start trunks with unreliable disconnect.

■ Outside lines can be assigned to night service groups in order for calls received on these lines to receive night service treatment.

Remote Access feature

The Remote Access feature allows people to use the system by dialing the number of a line/trunk designated for remote access. The remote user should be required to dial a barrier code (password) after reaching the system. Beginning with Release 3.0, the system-wide barrier code length is programmed for a minimum of 4 digits and a maximum of 11.

appropriate steps to properly implement the features, evaluate and program the various restriction levels, protect access codes, and distribute access codes only to individuals who have been fully advised of the sensitive nature of the access information. Common carriers are required by law to collect their tariffed charges.

■ Whether or not the dialed digits are correct, an inter-digit time-out occurs during the first attempt. The system processes only the valid number of digits. So if a hacker enters four digits and the length is four digits, he or she hears dial tone. If a hacker enters four digits and keeps entering more, the system uses the time-out to hide the correct number of digits from the hacker.

“Pauses” (p = wildcard): have always been available on Legend disallow lists.
“*”: up to R3.1, was not permitted in the disallow lists (it has always been permitted in an allowed list, if it is not the first character). Releases after R3.1 have a default disallow list which is assigned to all voice mail ports. This list includes: 0, 10, 11, 1809, 1700, 1900, 976, 1ppp976, *.

1900: Pay per minute toll call.
1ppp900: Pay per minute toll call with wildcards.
976: Pay per minute toll call.
1976: Pay per minute toll call.
1ppp976: Pay per minute toll call with wildcards.
ppp1976: Pay per minute toll call where wildcards are used to access 976.
*: Programming code for use with rotary phones.

Other area codes to include on the disallow lists.
■ Can the remote access password be changed?
■ From “craftr4” to something else.
■ Does any extension need to be able to dial 0?
■ Can all unused and MFM extensions be restricted?
■ Outward restricted.
■ FRL = 0.

LEGEND/MAGIX toll fraud at a glance

Release and Version of the Legend/Magix.
■ Different releases have different capabilities.
Operating Mode.
Operator Extension(s).
System Set Up. (Print)
■ Password.
■ Type of cards.

System Directory. (Print)
■ Check for marked system speed dials.
Calling Groups. (Print)
■ Identify voice mail extension ports.
■ Identify lines on the IntegratedVMI group. (automated attendant vs live body answering)
Extension Directory. (Print)
■ Check for voice mail extension ports.
— FRL level.
— Restriction level.
— Remote call forwarding.
■ Check for remote call forwarding of all extensions.

Allow Lists
■ When outcalling is used.
Night Service
■ Exclusion list: Are voice mail ports listed?

MERLIN Mail/MERLIN LEGEND Mail/MERLIN messaging toll fraud at a glance

Auto Attendant
■ Program all unused selector codes to go to the general mailbox or operator.
■ Do not program selector codes to ARS pool codes.
System administrator extension number.
■ Change the default from 9997 to something else.
Delete ALL unused mailboxes.

Check lines for remote call forwarding.
■ Remove if not needed.
■ If needed: instruct customer of possible toll fraud.
Check voice mail ports for Merlin Mail, Merlin Legend Mail, Merlin Messaging, Audix, automated attendant (stand alone), or CPE (customer provided equipment).
If outcalling is not required:
■ Outward restrict voice mail ports.
■ Change ARS restriction to 0.
■ Remove pool dial-out codes (all of them, e.g. 70, 890–899, etc.).

■ Make allowed list for outcalling numbers.
■ Make sure no other ARS tables have FRL of 2 or less.
■ Make allowed list and add to voice ports on:
■ Merlin Mail, Merlin Legend Mail, Merlin Messaging: if a 2 or 4 port system, last port only; the others should be changed to 0. If a 6 port system, the last 2 ports should be changed to FRL=0.
■ Audix – all ports.
■ Automated attendant – not applicable.
Make disallowed lists for voice ports.
■ Make disallowed lists.

■ Assign all unused automated attendant selector codes to go to either the operator or the general mailbox.
■ See “Check voice mail ports for Merlin Mail, Merlin Legend Mail, Merlin Messaging, Audix, automated attendant (stand alone), or CPE (customer provided equipment)” on page 6-46 and “Make disallowed lists for voice ports” on page 6-46 for other restrictions.
Automated attendant – stand-alone.
■ Make ports outward restricted.

DS1 – T1 and/or PRI.
■ WATS: Customers may restrict 011 and 809 (the Dominican Republic) dialing if they have no need to call overseas or the 809 area code. See Disallow List Information.
■ ISDN – PRI: The ways in which toll restrictions can be bypassed are limited on these lines/trunks.
011 Restrictions (International).
■ Make ARS table for 011.
■ If 011 is not needed, make the FRL on the 011 table 4 or greater and change the FRL on extensions which need access to 011 to the same value.

Extension restrictions.
■ Outward restrict MFM extensions not used for calling outside.
■ Outward restrict ALL unused extensions not used for calling outside.
■ Outward or toll restrict extension ports not in use, not used for calling outside, and not used for calling long distance.
Passwords.
Change all passwords frequently, and use the maximum digits allowed.
Remote programming access.

LEGEND TOLL FRAUD INTERVENTION FORM

DATE: ________ TIME: ________ IL#: ________
BUSINESS NAME: ________
ADDRESS: ________
PHONE: ________ FAX: ________
CONTACT: ________ CBR: ________
MBO: ________ INSTALL

Port  FRL  Rstrn  D.O.
EXHIBIT 1 8/16/00
Toll Fraud Incident Report

Business Name:
Business Address:
Contact Name:
Main Number:
System Type:
Date Work Started:
Work Performed by:

Customer Approved Changes:
■ Assigned all voice mail extensions to overseas Disallowed Lists.
■ Created Disallowed List 6, which includes the most commonly dialed numbers used by hackers, and assigned it to voice mail ports.
■ Blocked calls to 011 (International) from all voice mail ports through Disallowed List 5.

■ You may contact your 800 carrier and restrict access to your 800 numbers from locations you do not wish to receive 800 calls from, if applicable. You may call your local carrier and restrict 3rd party billing.
■ It is recommended to restrict access to 500 service through Disallowed List 3 and Table 13.
■ Using marked System Speed Dial numbers may leave an opening for toll fraud.
■ Using Remote Line Access may leave an opening for toll fraud.

EXHIBIT 2 8/16/00
Toll Fraud Incident Report

Business Name:
Business Address:
Contact Name:
Main Number:
System Type:
Date Work Started:
Work Performed by:

Customer Approved Changes:
Created Disallowed Lists 3 & 4: International country codes:
011582 Venezuela
011581 Venezuela
011603 South America (customer not sure where)
011595 Paraguay
011525 Mexico
011573 Colombia
011571 Colombia
011809 Dominican Republic
011372 Estonia
011528 Mexico
011506 Costa Ri

2. Created Disallowed List 5, which encompasses the Caribbean countries: Puerto Rico, Bahamas, Barbados, Bermuda, Antigua, St. Lucia, Virgin Islands, Grenada, Cayman Islands. All voice mail ports, extensions 563, 564, 565, 566, 567, 568, are accessing this list.
3. Created Disallowed List 7, which includes operator, international, and pay per minute area codes, in addition to wildcard calls.

All voice mail ports, extensions 563, 564, 565, 566, 567, 568, are accessing this list.
■ Change SPM (system programming and maintenance) password from default to “june6.”
■ Change T1 toll type from Tie-PBX to Toll.
■ Remove remote call forwarding capabilities from extensions 7100, 7116.
■ Remove dial out codes from voice mail port extensions 563 – 568.
Recommendations:
■ Update the Legend/Magix back-up.
■ Transfer calls to known extension numbers only.

Revised 8/17/00
EXHIBIT 3: Letter from Avaya

Dear _____,

At your request, Avaya has conducted a toll fraud investigation. Toll fraud was suspected to have occurred. The system is located at the above address. Your main listed telephone number is 775-353-4255. Avaya has now completed its work. The attached Toll Fraud Incident Report documents all changes you approved Avaya to make to your telecommunications systems and additional security recommendations if applicable.
MERLIN Plus Communications System

This section provides information on protecting the MERLIN Plus Communications System.

Protecting remote line access (R2 only)

The Remote Line Access feature allows users to call into the MERLIN Plus Communications System from a remote location (for example, a satellite office, or while traveling) and use the system to make calls.

■ Monitor your SMDR records and/or your Call Accounting System reports regularly for signs of irregular calls.

PARTNER II Communications System

This section provides information on protecting the PARTNER II Communications System. Additional security measures are required to protect adjunct equipment.
■ Chapter 7 contains security measures to protect the attached voice messaging system. For general security measures, refer to ‘‘Protecting voice messaging systems’’ on page 7-2. For product-specific security measures, refer to ‘‘PARTNER II Communications System’’ on page 7-55.

System 25

This section provides information on protecting the System 25. Additional security measures are required to protect adjunct equipment.
■ Chapter 7 contains security measures to protect the attached voice messaging system. For general security measures, refer to ‘‘Protecting voice messaging systems’’ on page 7-2. For product-specific security measures, refer to ‘‘System 25’’ on page 7-60.

Security tips

■ Evaluate the necessity for remote access. If this feature is not vital to your organization, consider not using it or limiting its use. If you need the feature, use as many of the security measures presented in this section as you can.
■ Program the Remote Access feature to require the caller to enter a password (barrier access code) before the system will allow the caller access.

Security tips

■ The system administration capability of the system is protected by a password. Passwords can be up to eight characters in length and can be alpha or numeric and include the pound sign (#). See ‘‘Administration / maintenance access’’ on page 4-4 and ‘‘General security measures’’ on page 4-8 for secure password procedures. See Chapter 14 for information on how to change passwords.

7 Voice messaging systems

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

The information in this chapter helps prevent unauthorized users from finding pathways through the voice messaging system and out of the switch. This chapter presents each communications system, and the voice mail systems it may host.

Protecting voice messaging systems

Voice messaging toll fraud has risen dramatically in recent years. Now more than ever, it is imperative that you take steps to secure your communications systems. Callers into the voice messaging/automated attendant system may transfer to an outgoing trunk if adequate security measures are not implemented (see Figure 7-1).

All security restrictions that prevent transfer to these codes should be implemented. The only tool a criminal needs to breach an inadequately secured system is a touch-tone telephone. With the advent of cellular phones, hackers have yet another means of accessing voice mailboxes. If a user calls the voice mail system from a cell phone and inputs his or her password, the voice mailbox becomes vulnerable to toll fraud.

■ If you receive any strange messages on the voice mail system, if your greeting has been changed, or if for any reason you suspect that your voice mail system facilities are being used by someone else, contact the Avaya Toll Fraud Intervention Hotline.
■ Contact your central office to verify that your carrier provides “reliable disconnect” for your host PBX or switch. “Reliable disconnect” is sometimes referred to as a forward disconnect or disconnect supervision.
Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY communications systems, System 75, and System 85

Tools that prevent unauthorized calls

You can help prevent unauthorized callers who enter the voice messaging system from obtaining an outgoing facility by using the security tools shown in Table 7-1.

Table 7-1.

Facility restriction levels

The switch treats all the PBX ports used by voice mail systems as stations. Therefore, each voice mail port can be assigned a COR/COS with an FRL associated with the COR/COS. FRLs provide eight different levels of restrictions for AAR/ARS/WCR calls. They are used in combination with calling permissions and routing patterns and/or preferences to determine where calls can be made.

Class of restriction

For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75, each voice port on the voice mail adjunct is considered an extension to the switch and should be assigned its own unique COR. Up to 64 CORs can be defined in the system. For DEFINITY G3rV1, G3i-Global, and G3V2 and later, this has been increased to 96 CORs.

Security measures in the PBX

Security measures in the PBX are designed to prevent criminals from placing fraudulent calls once they have accessed the voice messaging system. However, these security measures do not restrict criminals from reaching the voice mail system, such as by dialing a DID station that is forwarded to the voice mail system. Incoming calls to the voice mail system may transfer to outgoing facilities if proper security measures are not implemented.

Table 7-2. Suggested values for FRLs

FRL  Suggested value
0    No outgoing (off-switch) calls permitted.
1    Allow local calls only; deny 0+ and 1 800 calls.
2    Allow local calls, 0+, and 1 800 calls.
3    Allow local calls plus calls on FX and WATS trunks.
4    Allow calls within the home NPA.
5    Allow calls to certain destinations within the continental USA.

For DEFINITY G2 and System 85:
■ Use PROC010 WORD3 FIELD23 to assign FRLs for use with AAR/ARS/WCR trunks. Assign higher FRLs to restricted patterns in PROC309 than the FRL in the COS for the voice mail ports.
■ For DEFINITY G2.2, do not use PROC314 to mark disallowed destinations with a higher FRL value. PROC314 WORD1 assigns a Virtual Nodepoint Identifier (VNI) to the restricted dial string.
■ If the Tenant Services feature is used, use PROC314 WORD1 to map routing designators to patterns. If tenant services is not used, the pattern number will be the same as the routing designator number.
■ Use PROC309 WORD3 to define the restricted and unrestricted patterns.
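To show how the Table 7-2 FRL values and the COR/COS rule interact (a call completes only when the originating COR/COS FRL reaches the route pattern's FRL, which is why restricted patterns must carry a higher FRL than the voice mail ports' COS), here is an added Python model that is not Avaya code. The digit-prefix classification, the home NPA 732, the pattern table and the use of FRL 7 for international calls are constructed assumptions (Table 7-2's levels 6 and 7 are not in this excerpt); the same check shows why voice mail ports left at a high FRL, as in the MERLIN MAGIX shipping default described earlier, can reach toll routes.

```python
"""FRL screening of ARS calls (added example, not Avaya code).

Models the Table 7-2 suggested FRL values as the minimum originator FRL each
destination class needs, and the rule that a call completes only when the
originating COR/COS FRL is at least the route pattern's FRL.
Constructed assumptions: the digit-prefix classification, home NPA 732, and
FRL 7 for international calls (Table 7-2 levels 6 and 7 are not in the excerpt).
"""
from dataclasses import dataclass

HOME_NPA = "732"  # constructed sample home area code

# Route pattern table: destination class -> minimum FRL (Table 7-2 values).
PATTERN_FRL = {
    "local": 1,            # FRL 1: local calls only
    "0plus_or_800": 2,     # FRL 2: adds 0+ and 1-800 calls
    "fx_wats": 3,          # FRL 3: adds FX and WATS trunks
    "home_npa": 4,         # FRL 4: 1+ calls within the home NPA
    "continental_us": 5,   # FRL 5: certain continental USA destinations
    "international": 7,    # assumed: reserved for the highest level
}


@dataclass(frozen=True)
class Originator:
    name: str
    frl: int  # FRL of the COR/COS assigned to this station or voice mail port


def digits_only(dialed: str) -> str:
    return "".join(c for c in dialed if c.isdigit())


def classify(dialed: str) -> str:
    """Map digits dialed after the ARS access code to a destination class (assumed)."""
    d = digits_only(dialed)
    if d.startswith("011"):
        return "international"
    if d.startswith("0") or d.startswith("1800"):
        return "0plus_or_800"
    if d.startswith("1") and len(d) == 11:
        return "home_npa" if d[1:4] == HOME_NPA else "continental_us"
    if len(d) == 7:
        return "local"
    raise ValueError(f"unrecognised dial string: {dialed}")


def required_frl(dialed: str) -> int:
    """FRL the originating COR/COS must reach for this destination."""
    return PATTERN_FRL[classify(dialed)]


def call_permitted(originator: Originator, dialed: str) -> bool:
    """ARS completes the call only if the originator's FRL reaches the pattern's."""
    return originator.frl >= required_frl(dialed)


def reachable_patterns(originator: Originator) -> list:
    """Every route pattern a COR/COS at this FRL can use; for an
    outward-restricted voice mail port this list should be empty."""
    return sorted(p for p, frl in PATTERN_FRL.items() if originator.frl >= frl)


if __name__ == "__main__":
    shipped = Originator("voice mail port at FRL 3", 3)
    hardened = Originator("voice mail port at FRL 0", 0)
    for port in (shipped, hardened):
        print(port.name, "->", reachable_patterns(port) or "no off-switch calls")
```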
Detecting voice mail fraud

Table 7-3 shows the reports that help determine if a voice mail system used with the Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY communications systems, System 75, or System 85 is being used for fraudulent purposes.

Table 7-3.

Call detail recording / station message detail recording

With the Call Detail Recording (CDR) feature activated for the incoming trunk groups, you can check the calls into your voice mail ports. A series of short holding times may indicate repeated attempts to enter voice mailbox passwords.

For DEFINITY G2:
■ Use PROC275 WORD1 FIELD14 to turn on the CDR for incoming calls.
■ Use PROC101 WORD1 FIELD8 to specify the trunk groups.

Call Traffic report

This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity.
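As an added example (not Avaya code, and not the switch's CDR record format), the following script applies the two indicators above, a series of short holding-time calls into voice mail ports and unusually high after-hours or weekend volume, to a constructed set of simplified CDR records; the port extensions, calling numbers and thresholds are all assumptions.

```python
"""CDR review for voice mail fraud indicators (added example, not Avaya code).

Two indicators from the text: a series of short holding times on calls into
voice mail ports (repeated password attempts) and a high call volume after
hours or on weekends. The CDR lines below are constructed and simplified:
timestamp, calling number, called extension, holding time in seconds.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

VOICE_MAIL_PORTS = {"2601", "2602", "2603", "2604"}  # constructed port extensions

SAMPLE_CDR = """\
2003-05-12 02:14:05,9085550101,2601,8
2003-05-12 02:15:02,9085550101,2601,7
2003-05-12 02:16:11,9085550101,2602,9
2003-05-12 02:17:20,9085550101,2602,6
2003-05-12 02:18:33,9085550101,2603,8
2003-05-12 02:19:41,9085550101,2603,7
2003-05-12 10:05:10,9085550199,2602,185
2003-05-12 14:30:44,9085550177,2603,240
2003-05-12 22:10:00,9085550150,2604,120
"""


@dataclass(frozen=True)
class CdrRecord:
    when: datetime
    caller: str
    called: str
    seconds: int  # holding time


def parse_cdr(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        ts, caller, called, secs = [f.strip() for f in line.split(",")]
        records.append(CdrRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 caller, called, int(secs)))
    return records


def short_call_bursts(records, ports=VOICE_MAIL_PORTS, max_seconds=20,
                      window=timedelta(minutes=10), threshold=5) -> dict:
    """Callers with at least `threshold` short calls to voice mail ports
    inside one sliding window; value is the largest such count."""
    times = defaultdict(list)
    for r in records:
        if r.called in ports and r.seconds <= max_seconds:
            times[r.caller].append(r.when)
    flagged = {}
    for caller, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[caller] = best
    return flagged


def after_hours_volume(records, ports=VOICE_MAIL_PORTS, open_hour=8,
                       close_hour=18, threshold=3) -> dict:
    """Hours outside business time (or on weekends) with more than
    `threshold` calls into voice mail ports, keyed by 'YYYY-MM-DD HH:00'."""
    counts = Counter()
    for r in records:
        if r.called not in ports:
            continue
        weekend = r.when.weekday() >= 5
        if weekend or not open_hour <= r.when.hour < close_hour:
            counts[r.when.strftime("%Y-%m-%d %H:00")] += 1
    return {hour: n for hour, n in counts.items() if n > threshold}


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("short-call bursts:", short_call_bursts(recs))
    print("after-hours volume:", after_hours_volume(recs))
```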
■ To review performance, use list performance followed by one of the performance types (summary or trunk-group) and the timeframe (yesterday or today).

ARS measurement selection

The ARS Measurement Selection report can monitor up to 20 routing patterns (25 for G3) for traffic flow and usage.

■ To review, use list measurements aca.
■ Administer an aca button on the console or display station to which the referral will be sent.
For DEFINITY G2 and System 85:
■ Use PROC285 WORD1 FIELD5 and PROC286 WORD1 FIELD1 to enable ACA system-wide.
■ Use PROC120 WORD1 to set ACA call limits and number of calls thresholds.
■ Use PROC286 WORD1 FIELD3 to send the alarms and/or reports to an attendant.

Additionally, the “trusted server” has direct access to AUDIX and its functionality. The same strict adherence to guidelines for trusted server passwords as for administration passwords is strongly recommended. This section discusses security considerations for these topics.

Trusted server security

A trusted server is a computer or a software application in a domain outside of INTUITY AUDIX that uses its own login and password to launch an Avaya INTUITY Messaging Applications Programming Interface (IMAPI) LAN session and access AUDIX mailboxes.

Internal security.

INTUITY AUDIX F4 allows the transmission between domains of two new message components, including text (e-mail) and binary (software) file attachments. Within the AUDIX system, Message Manager supports these message components as well.

The record reveals the routing of the call, including the caller (if internal), recipient, port, community, mailbox IDs (corresponding to the voice mail system subscriber’s extension number input during a login or as input by the calling party), the time and duration of the call, the type of session (voice mail, call answer, guest password, or automated attendant), the message activity, and the number of login attempts. Also reported is the session termination method.

Outgoing voice call detail record (AUDIX Voice Mail System only)

An outgoing call record is also created for every outbound call that is originated by the AUDIX Voice Mail System via a voice port. This includes call transfers, outcalling, and message waiting activation and/or deactivation via access codes. A record is also created for call attempts for the Message Delivery feature.

Protecting passwords

The AUDIX, DEFINITY AUDIX, and Avaya INTUITY Voice Mail Systems offer passwords and password time-out mechanisms that can help restrict unauthorized users. Voice mail systems R1V4 and later allow you to specify the minimum length required. Use a minimum of six digits, and always specify a minimum password length that is greater than the extension length. For example, if the extensions are five digits, require six or more digits for the password.

Security features

Before implementing any security measures to protect the voice mail system, it is important to understand how they work. You need to be aware of the possible trade-offs associated with each security measure listed below.

Basic call transfer

With the Basic Call Transfer feature, after a voice mail system caller enters *0, the system performs the following steps:
1.

Enhanced call transfer

With the Enhanced Call Transfer feature, the voice mail system uses a digital control link message to initiate the transfer, and the switch verifies that the requested destination is a valid station in the dial plan. With this feature, when voice mail system callers enter *T followed by digits (or *A for name addressing) and #, the following actions take place:
1.

This restriction may not be acceptable where it is desirable to have the call follow the coverage path of the “transferred-to” station. Enhanced call transfer can be administered to allow this type of transfer. This capability is available in AUDIX Voice Mail System R1V7, the DEFINITY AUDIX System 3.0, and the Avaya INTUITY System.

AMIS networking

AMIS networking (available on the DEFINITY AUDIX System, the AUDIX Voice Mail System R1V6 and later, and the Avaya INTUITY System) allows voice messages to be sent to and received from subscribers on other vendors’ voice messaging systems. This service is based on the Audio Message Interchange Specification. This feature allows calls to be placed to off-premises voice messaging systems.

For ALL systems (Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G2, G3, System 75, and System 85 R2V4):
1. On the AUDIX Voice Mail System R1 system:appearance screen, enter y in both the Call Transfer Out of AUDIX and Enhanced Call Transfer fields. Then press Change/Run.

After you activate the Enhanced Call Transfer feature, test it by following the steps below:
1. Dial into your voice mail system.
2. Press *T.
3. Enter an invalid extension number followed by #. The failed announcement should play, followed by a prompt for another extension number.
4. Enter a valid extension number followed by #. You should notice that the call transfers much faster than with basic call transfer.
Limit outcalling

The measures you can take to minimize the security risk of outcalling depend on how it is used. When outcalling is used only to alert on-premises subscribers who do not have voice mail system message indicator lamps on their phones, you can assign an outward-restricted COR to the voice mail system voice ports.

Security tips

■ Require callers to use passwords.
■ Have the application verify that long distance numbers are not being requested, or verify that only permitted numbers are requested.
■ Use appropriate switch translation restrictions.
■ Administer all appropriate switch restrictions on the voice mail system voice ports.

Protecting passwords

The AUDIX Voice Power System offers password protection to help restrict unauthorized access. Subscribers should use a maximum length password and should change it routinely. Passwords can be up to 9 digits. See ‘‘Administration / maintenance access’’ on page 4-4 and ‘‘General security measures’’ on page 4-8 for secure password guidelines.

Security measures

The security measures described in this section do not apply if you are using Release 1.0 of the AUDIX Voice Power System. In this case, use PBX restrictions to safeguard your system.

Transfer only to system subscribers

The AUDIX Voice Power System has the ability to allow callers to transfer only to mailbox subscribers.

NOTE: On AUDIX Voice Power System 2.1.1, mailboxes can be set individually to “1 minute,” reducing the clean-up that these mailboxes require.

Protecting the CONVERSANT Voice Information System

This section addresses security issues for the CONVERSANT and INTUITY CONVERSANT Voice Information Systems.

Security measures

Design applications with toll fraud in mind.
■ Make sure the application verifies that long distance numbers are not being requested, or that only permitted numbers are requested. The Transfer Call and Call Bridge capabilities of Script Builder, and the “tic” instruction at the transaction state machine (TSM) script level, provide network access. If the ASAI package is loaded, additional TSM instructions and libraries provide access using the ASAI facility.

MERLIN II Communications System

Security tips

Toll fraud is possible when the application allows the incoming caller to make a network connection with another person. Thus, bridging to an outbound call, call transfer, and 3-way conferencing should be protected.
■ Require callers to use passwords.
■ Have the application verify that long distance numbers are not being requested, or verify that only permitted numbers are requested.
■ Use appropriate switch translation restrictions.

The MERLIN MAIL Voice Messaging System provides automated attendant, call answer, and voice mail functionality. The Automated Attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The Call Answer feature provides call coverage to voice mailboxes. The Voice Mail feature provides a variety of voice messaging features. The area of toll fraud risk associated with the Automated Attendant feature is indicated below.

To reduce the risk of unauthorized access through your voice messaging system, observe the following procedures:
■ Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers.
■ Create a disallowed list to disallow dialing 0, 70, 011, 809, 1809, 0809, 10, 9999, 411, 1411, 800, 888, 700, 900, 976, 550, 1800, 1888, 1700, 1500, 1900, 1976, 1550, 0800, 0888, 0700, 0500, 0900, 0976, and 0550.

MERLIN LEGEND Communications System

The MERLIN LEGEND Communications System may be used with the following voice messaging systems:
■ AUDIX Voice Power System — the AUDIX Voice Power System is a system that is external to the MERLIN LEGEND Communications System and connected to the switch by station lines and data links. (See ‘‘Protecting the AUDIX Voice Power System’’ on page 7-39.)

Protecting the AUDIX Voice Power System

The AUDIX Voice Power System provides both automated attendant and voice mail functionality. The Automated Attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The voice mail feature provides call coverage to voice mailboxes along with a variety of voice messaging features.

■ Set up automated attendant selection codes so that they do not permit outside line selection.
■ Assign toll restriction levels to the AUDIX Voice Power System ports.
■ If you do not need to use the Outcalling feature of the AUDIX Voice Power System, completely restrict the outward calling capability of the AUDIX Voice Power System ports.

Limit transfers out of the system

When you need to allow transfers to people who are not AUDIX Voice Power System subscribers, you can add their extension numbers to the AUDIX Voice Power System subscriber database, but restrict access to their voice mailboxes.
■ On the System Parameter Administration screen, enter yes in the Transfer to Subscriber Only field.
Voice messaging systems Protecting passwords The INTUITY AUDIX System offers password protection to help restrict unauthorized access. Subscribers should use the longest feasible password length and should change it routinely. Passwords can be up t o 15 digits, and you can specify the minimum number of digits required. Use a minimum of five digits, and a length at least one digit longer than the extension number length.
MERLIN LEGEND Communications System Basic call transfer With the Basic Call Transfer feature, after a voice mail system caller enters *T, the system performs the following steps: 1. The voice mail system verifies that the digits entered contain the same number of digits administered for extension lengths.
Voice messaging systems ■ Do not create voice mailboxes before they are needed. ■ Avoid or closely monitor the use of “guest” mailboxes (mailboxes without a physical extension that are loaned to outsiders for the duration of a project). If you need a guest mailbox, assign it when it is needed and deactivate or change its password immediately after it is no longer needed. Do not reassign a guest mailbox without changing the password. Restrict outcalling Outcalling uses the voice messaging ports.
MERLIN LEGEND Communications System Protecting the MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail voice messaging systems The MERLIN MAIL, MERLIN MAIL-ML, MERLIN MAIL R3, and MERLIN LEGEND Mail voice messaging systems provide automated attendant, call answer, and voice mail functionality. The Automated Attendant feature answers incoming calls and routes them to the appropriate department, person, or mailbox. The Call Answer feature provides call coverage to voice mailboxes.
Voice messaging systems Take the following preventative measures to limit the risk of unauthorized use of the Automated Attendant feature by hackers: ■ Do not use automated attendant selector codes for automatic route selection (ARS) codes or pooled facility codes. ■ Assign all unused automated attendant selector codes to zero, so that attempts to dial these will be routed to the system operator or General Mailbox.
MERLIN LEGEND Communications System Hackers may also use a computer to dial an access code and then publish the information for other hackers. Substantial charges can accumulate quickly. It is your responsibility to take appropriate steps to implement the features properly, to evaluate and administer the various restriction levels, and to protect and carefully distribute access codes.
Voice messaging systems ■ Set the maximum number of digits in an extension parameter appropriate to your dial plan. The voice messaging system will not perform transfers to extensions greater than that number. ■ When possible, restrict the off-network capability of callers by using calling restrictions, FRLs, and disallowed list features. ■ Outward restrict all MERLIN LEGEND voice mail port extensions not used for outcalling. This denies access to facilities (lines/trunks). Beginning with Release 3.
MERLIN LEGEND Communications System Additional MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System security features The MERLIN MAIL R3 and MERLIN LEGEND Mail Voice Messaging System includes the following additional security features: ■ The Transfer to Registered Subscribers Only setting of the Transfer Restrictions feature allows callers to be transferred only to users who have mailboxes in the system. Avaya strongly recommends using this feature to guard against toll fraud.
Voice messaging systems Messaging 2000 System The Messaging 2000 (M2000) System provides voice mail services for the MERLIN Legend Communication System. The system is PC-based and uses the IBM OS-2 operating system. The system is connected to the Legend system via line-side VMI ports. These ports allow access to the voice mailboxes associated with each PBX subscriber. Maintaining Message 2000 system security The M2000 System includes security features.
Messaging 2000 System When Quick Assist is run in Recover Mode from the Quick Assist icon in the Avaya folder, use the Mailbox to Receive Unattached Messages field on the Recover Files dialog box to specify a mailbox in which to place messages with invalid header information.
Voice messaging systems The Uninitialized Mailbox report lists all mailboxes for which the password has not yet been changed from the initially assigned password. It is recommended that this report be regularly reviewed to determine which subscribers have not yet changed their passwords. Subscribers should be reminded that they should change their passwords regularly to prevent anyone but themselves from accessing their mailboxes.
Messaging 2000 System The Mailbox Lock-Out Option on the Class of Service dialog box determines whether this feature is enabled. The Mailbox Lock-Out option on the Subscriber Settings dialog box controls this feature by individual mailbox. The Consecutive Login Failures Before Lock-Out parameter on the Subscriber Parameters tab in the System Setup utility determines the number of failed login attempts allowed before the mailbox is locked, if the Mailbox Lock-Out option is enabled for the mailbox.
Voice messaging systems ■ Securing the M2000 system PC It is imperative that the M2000 system PC be protected from unauthorized system management access. Unauthorized access to the M2000 system PC could result in system setup changes, loss of mailboxes and messages, and database corruption. The best way to prevent unauthorized system management access to the M2000 system PC is to store the PC in a secure area, such as a locked room.
PARTNER II Communications System Security recommendations for remote access Remote access to the system should be secured via the following guidelines: ■ All remote access logins to the system must be administered to require the use of a secondary password ■ The end-user must periodically/frequently change all secondary passwords. After changing the secondary passwords, the end-user should notify the appropriate Avaya support organization(s) that the passwords have been changed.
Voice messaging systems Security tips ■ Monitor SMDR reports and/or Call Accounting System reports for outgoing calls that might be originated by internal and external abusers. ■ For PARTNER MAIL System mailboxes, exercise caution when assigning a class of service (C)OS). — Assign a COS that provides outcalling privileges (for PARTNER MAIL Release 1, assign 4, 5, 6, or 8; for PARTNER MAIL Release 3, assign 3,4, or 6) only to those mailboxes requiring these privileges.
PARTNER Plus Communications System ■ ■ Mailbox Lock — Locks the subscriber’s mailbox and sends a warning message to the mailbox owner’s mailbox and the system administrator’s mailbox. ■ Warning Message — Sends a warning message to the mailbox owner’s mailbox and the system administrator’s mailbox (factory setting). ■ No Security Notification (strongly discouraged).
Voice messaging systems Protecting the PARTNER MAIL and PARTNER MAIL VS systems The PARTNER MAIL and PARTNER MAIL VS Systems provide automated attendant, call answer, and voice mail functionality. The Automated Attendant feature answers incoming calls and routes them to the appropriate department or person. The Call Answer feature provides call coverage to voice mailboxes. The voice mail feature provides a variety of voice messaging features.
PARTNER Plus Communications System ■ Require the system administrator and all voice mailbox owners to change their password from the default. ■ The System Administrator can set the minimum password length to any value from 0-15 digits. The default value is six digits. Every subscriber’s mailbox password and the system administration password must be at least six digits. NOTE: A minimum password length of at least six digits is strongly recommended.
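The password rules stated above for the INTUITY AUDIX System (up to 15 digits, at least one digit longer than the extension) and for PARTNER MAIL (a minimum length, six by default, changed from the default), the Uninitialized Mailbox report, and the consecutive-failures lock-out of the Messaging 2000 System can all be checked mechanically. The following Python script is an added example, not code from this handbook or from Avaya: the Mailbox record, the report and login functions, and the lock-out threshold of three failures are constructed for illustration.

```python
from dataclasses import dataclass

# Upper limit stated above for INTUITY AUDIX and PARTNER MAIL passwords.
MAX_PASSWORD_DIGITS = 15


@dataclass
class Mailbox:
    """Constructed mailbox record for this example (not an Avaya data structure)."""
    extension: str
    password: str
    initial_password: str        # the password assigned when the mailbox was created
    lockout_enabled: bool = True
    consecutive_failures: int = 0
    locked: bool = False


def password_problems(mb: Mailbox, min_length: int = 6) -> list:
    """Return the rules the mailbox password violates; an empty list means it passes.
    Rules follow the guidance above: digits only, at least min_length digits
    (six is the recommended minimum), at most 15, at least one digit longer than
    the extension, and changed from the initially assigned value."""
    pw = mb.password
    problems = []
    if not pw.isdigit():
        problems.append("not all digits")
    if len(pw) < min_length:
        problems.append(f"shorter than the minimum of {min_length} digits")
    if len(pw) > MAX_PASSWORD_DIGITS:
        problems.append(f"longer than the maximum of {MAX_PASSWORD_DIGITS} digits")
    if len(pw) <= len(mb.extension):
        problems.append("not at least one digit longer than the extension")
    if pw == mb.initial_password:
        problems.append("still the initially assigned password")
    return problems


def uninitialized_mailbox_report(mailboxes) -> list:
    """Extensions whose password is still the initially assigned one
    (the content of the Uninitialized Mailbox report described above)."""
    return [mb.extension for mb in mailboxes if mb.password == mb.initial_password]


def login_attempt(mb: Mailbox, entered: str, max_failures: int = 3) -> str:
    """Model of the consecutive-failures lock-out: returns 'ok', 'failed' or 'locked'.
    max_failures is a constructed value standing in for the Consecutive Login
    Failures Before Lock-Out parameter; a mailbox with lock-out disabled never locks."""
    if mb.locked:
        return "locked"
    if entered == mb.password:
        mb.consecutive_failures = 0
        return "ok"
    mb.consecutive_failures += 1
    if mb.lockout_enabled and mb.consecutive_failures >= max_failures:
        mb.locked = True
        return "locked"
    return "failed"


if __name__ == "__main__":
    boxes = [Mailbox("2000", "2000", "2000"), Mailbox("2101", "4839271", "2101")]
    for mb in boxes:
        print(mb.extension, password_problems(mb) or "ok")
    print("uninitialized:", uninitialized_mailbox_report(boxes))
```

Run the script as-is to see the report for the two constructed mailboxes; pass min_length=5 to password_problems where the INTUITY minimum of five digits applies instead of the PARTNER MAIL default of six.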
System 25
System 25 may be used with the AUDIX Voice Power System. (For information on this system, see ‘‘Protecting the AUDIX Voice Power System’’ on page 7-60.) Also see ‘‘Related documentation’’ in the ‘‘About this document’’ section for a list of manuals on this product. Follow the steps listed below for securing a voice processing system on the System 25.
■ Outward restrict the voice processing ports whenever possible.
Protecting passwords
The AUDIX Voice Power System offers password protection to help restrict unauthorized access. Subscribers should use a maximum length password and should change it routinely. Passwords can be up to 9 digits. See ‘‘Administration / maintenance access’’ on page 4-4 and ‘‘General security measures’’ on page 4-8 for secure password guidelines. See Chapter 14 for information on how to change passwords.
Security measures
The security measures described in this section do not apply if you are using Release 1.0 of the AUDIX Voice Power System. In this case, use PBX restrictions.
Transfer only to system subscribers
The AUDIX Voice Power System has the ability to allow callers to transfer only to mailbox subscribers.
8 Automated attendant
NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.
Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY communications systems, System 75, and System 85
Automated attendant is a service that connects to the PBX/communications system to help route calls to the appropriate extension.
■ AUDIX Voice Mail System owners: use the Enhanced Call Transfer feature. Apply the appropriate security measures described in Chapter 7.
Tools that prevent unauthorized calls
You can help prevent unauthorized callers who enter the automated attendant system from obtaining an outgoing facility by using the security tools shown in Table 8-1.
Table 8-1.
The higher the station FRL number, the greater the calling privileges. For example, if a station is not permitted to make outside calls, assign it an FRL value of 0, then ensure that the FRLs on the trunk group preferences in the routing patterns are 1 or higher. Thus, when automated attendant ports are assigned to a COR with an FRL of 0, outside calls are disallowed.
Class of service
An automated attendant port can be assigned a COS. The following COS options relate to toll fraud prevention:
■ Call Forward Off-Net: allows a user to call forward outside the switch to non-toll locations.
■ Call Forward Follow Me: allows a user to forward calls outside the switch when other options are set.
■ Miscellaneous Trunk Restrictions: restricts certain stations from calling certain trunk groups via dial access codes.
■ Termination Restriction: prevents voice terminal users on specified extensions from receiving calls, but not from originating calls.
■ Toll Restriction: prevents users from placing toll calls over CO, FX, or WATS trunks using dial access codes to trunks. Use ARS/WCR with WCR toll restrictions instead.
For Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1, G3, and System 75:
■ On the Class of Restriction screen, create an outward-restricted COR by entering outward in the Calling Party Restriction field.
■ Assign the outward-restricted COR to the automated attendant port.
■ Assign an FRL of 0 and enter n for all trunk group CORs.
For DEFINITY G2 and System 85:
■ Use PROC010 WORD3 FIELD19 to assign outward restriction to the automated attendant port COS.
■ Use change rnhpa r1: xxx to route unrestricted exchanges to a pattern choice with an FRL equal to or lower than the originating FRL of the voice mail ports.
■ If the unrestricted exchanges are in the Home NPA, and the Home NPA routes to h on the FNPA Table, use change hnpa xxx to route unrestricted exchanges to a pattern with a low FRL.
Detecting automated attendant toll fraud
Table 8-2 shows the reports that help determine if your automated attendant system is being used for fraudulent purposes.
Table 8-2.
Call detail recording / station message detail recording
With CDR activated for the incoming trunk groups, you can monitor the number of calls into your automated attendant ports. See also ‘‘Security violation notification (Communication Manager, MultiVantage Software, DEFINITY ECS and DEFINITY G3)’’ on page 5-59.
Call Traffic report
This report provides hourly port usage data and counts the number of calls originated by each port. By tracking normal traffic patterns, you can respond quickly if an unusually high volume of calls begins to appear, especially after business hours or during weekends, which might indicate hacker activity.
ARS measurement selection
The ARS Measurement Selection feature can monitor up to 20 routing patterns (25 for G3 and later) for traffic flow and usage.
For Communication Manager and MultiVantage™ Software:
■ Use change meas-selection route-pattern to choose the routing patterns you want to track.
■ Enter local, primary, or remote in the ACA Referral Calls field. If primary is selected, calls can be received from other switches. Remote applies if the PBX being administered is a DCS node, perhaps unattended, that wants ACA referral calls to an extension or console at another DCS node.
■ Complete the following fields as well: ACA Referral Destination, ACA Short Holding Time Originating Extension, ACA Long Holding Time Originating Extension, and ACA Remote PBX Identification.
■ To activate the feature, press the Verify button and then enter the trunk access code and member number to be monitored.
For DEFINITY G2 and System 85:
■ Administer a Busy Verification button on the attendant console.
■ To activate the feature, press the button and enter the trunk access code and the member number.
Voice session record
A voice session begins whenever a caller attempts to log into the AUDIX Voice Mail System, is redirected to the AUDIX Voice Mail System for call answering, enters *R or **R, transfers from one automated attendant to another automated attendant (nested), or is transferred by the Enhanced Automated Attendant feature.
Outgoing voice call detail record
An outgoing call record is also created for every outbound call that is originated by the AUDIX Voice Mail System via a voice port. This includes call transfers, outcalling, and message waiting activation and/or deactivation via access codes. A record is also created for call attempts for the Message Delivery feature.
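As an added example (not code from this handbook or from Avaya), the following Python script applies two of the checks that the Call Traffic report and the outgoing voice call detail records support: the hourly call count per port compared against an established baseline, and outbound activity from voice ports (transfers, outcalling) outside business hours or at weekends. The record layout, the sample log lines, the business hours and both thresholds are constructed for this example and are not a real Avaya record format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample export in the shape of a call detail / call traffic log.
# Field layout and values are invented for this example, not a real Avaya record format.
SAMPLE_RECORDS = """\
2003-05-12 09:02:11 port=01 dir=in type=answer dialed=2000
2003-05-12 09:05:40 port=02 dir=in type=answer dialed=2101
2003-05-12 10:17:03 port=01 dir=out type=transfer dialed=2345
2003-05-12 14:30:55 port=03 dir=out type=outcall dialed=95551230
2003-05-17 02:10:05 port=04 dir=in type=answer dialed=2000
2003-05-17 02:11:19 port=04 dir=out type=transfer dialed=90115550101
2003-05-17 02:12:42 port=04 dir=out type=transfer dialed=90115550102
2003-05-17 02:13:58 port=04 dir=out type=transfer dialed=90115550103
2003-05-17 02:15:07 port=04 dir=out type=transfer dialed=90115550104
"""

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59, Monday to Friday (assumed policy)


def parse_records(text: str) -> list:
    """Parse 'date time key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        rec = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def is_after_hours(ts: datetime) -> bool:
    """True at weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def port_hour_counts(records) -> Counter:
    """Calls per (port, calendar hour): the shape of the hourly Call Traffic report."""
    counts = Counter()
    for rec in records:
        counts[(rec["port"], rec["ts"].strftime("%Y-%m-%d %H"))] += 1
    return counts


def find_anomalies(records, baseline_per_hour: int = 2, after_hours_outbound_limit: int = 1) -> list:
    """Two checks drawn from the reports described above:
    1. any port whose hourly call count exceeds the established baseline;
    2. outbound activity (transfers, outcalling) from voice ports after hours.
    Both thresholds are constructed; derive real ones from your own trend data."""
    findings = []
    for (port, hour), n in sorted(port_hour_counts(records).items()):
        if n > baseline_per_hour:
            findings.append(f"port {port}: {n} calls in hour {hour} (baseline {baseline_per_hour})")
    outbound_after_hours = Counter(
        rec["port"] for rec in records if rec["dir"] == "out" and is_after_hours(rec["ts"])
    )
    for port, n in sorted(outbound_after_hours.items()):
        if n > after_hours_outbound_limit:
            findings.append(f"port {port}: {n} outbound calls after hours")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

The sample data places a burst of outbound transfers on port 04 at 02:00 on a Saturday, which both checks flag; the weekday business-hours outcall on port 03 is left alone. Replace SAMPLE_RECORDS with your own export and set the baseline from the traffic trends the handbook recommends establishing first.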
The AUDIX Voice Power System tracks traffic data over various timespans. Reviewing these reports on a regular basis helps to establish traffic trends. If increased activity or unusual usage patterns occur, they can be investigated immediately.
Protecting automated attendant on the AUDIX Voice Mail System
This section discusses security measures implemented directly on the AUDIX Voice Mail System automated attendant.
For DEFINITY G2 and System 85:
1. On the AUDIX Voice Mail System system:appearance screen, enter y in the Call Transfer Out of AUDIX field.
2. Enter y in the Enhanced Call Transfer field.
3. Press Change/Run.
4. On the AUDIX Voice Mail System maintenance:audits:fp screen, tab to the Service Dispatcher field and enter x.
5. Tab to the Start field and enter x.
6. Press Change/Run.
7.
Protecting automated attendant on the CONVERSANT Voice Information System
The CONVERSANT Voice Information System provides automated attendant functionality. Follow all recommendations for protecting the switch in Chapter 6, as well as those for protecting the CONVERSANT Voice Information System for the switch in Chapter 7. In addition, make sure that automated attendant selector codes do not permit outside line selection.
MERLIN II Communications System R3
MERLIN MAIL Voice Messaging System
The MERLIN MAIL Voice Messaging System provides the Automated Attendant feature. Follow all recommendations for protecting the MERLIN MAIL Voice Messaging System in Chapter 7. In addition, make sure that automated attendant selector codes do not permit outside line selection.
MERLIN LEGEND Communications System
AUDIX Voice Power System
The MERLIN LEGEND Communications System supports the AUDIX Voice Power System, which provides automated attendant functionality. Follow all recommendations for protecting the MERLIN LEGEND Communications System switch in Chapter 6, as well as those for protecting the AUDIX Voice Power System for the MERLIN LEGEND Communications System in Chapter 7.
PARTNER II Communications System
The PARTNER II Communications System supports the PARTNER MAIL System and the PARTNER MAIL VS System.
PARTNER MAIL and PARTNER MAIL VS systems
The PARTNER MAIL and PARTNER MAIL VS Systems provide the Automated Attendant feature. Follow all recommendations for protecting these systems in Chapter 7.
PARTNER Plus Communications System
The PARTNER Plus Communications System, Release 3.1 and later, supports the PARTNER MAIL System and the PARTNER MAIL VS System.
PARTNER MAIL and PARTNER MAIL VS systems
The PARTNER MAIL and PARTNER MAIL VS Systems provide the Automated Attendant feature. Follow all recommendations for protecting these systems in Chapter 7.
9 Other products and services
This chapter contains security information for Avaya products other than PBXs and adjuncts that have become available since Issue 2 of this handbook. For information on the Avaya INTUITY System and the PARTNER MAIL VS System, see Chapter 7.
■ Switchhook flash and distinctive audible alert should be set to no on the Station screens.
■ Remote users should not have access to UNIX via the CMS application. Restrict access by means of the User Permissions feature of CMS.
CallMaster PC
CallMaster PC, a software application used with Communication Manager, MultiVantage™ Software, and DEFINITY ECS, gives call center agents and supervisors the ability to access and control their CallMaster or CallMaster II telephone sets through a Microsoft Windows™-compatible PC.
Multipoint Conferencing Unit (MCU)/Conference Reservation and Control System (CRCS)
The MCU has a DEFINITY ECS/MultiVantage™/Communication Manager-based architecture. The primary component of the MCU is the Multimedia Server Module (MSM), which is similar to the most basic version of the DEFINITY ECS Processor Port Network (PPN).
PassageWay Telephony Services for NetWare and Windows NT
NOTE: The following information applies to PassageWay Telephony Services connected to either the Communication Manager, MultiVantage™ Software, DEFINITY ECS or MERLIN LEGEND driver.
The PassageWay Telephony Services product provides computer/telephony integration for applications running in a Novell NetWare or a Microsoft Windows NT Local Area Network (LAN) environment.
Security tips
The following tips are for the PassageWay Telephony Server administrator. When the product is installed, do the following:
For NetWare only:
■ Use the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.12) to set the appropriate login and password restrictions (for example, require users to have passwords with a minimum length of 7 characters, enable password aging, and so forth).
■ PassageWay Telephony Server administrators should be aware of switch COS and COR assignments and should not define device groups that allow applications to use third party call control to originate from an unrestricted phone and then transfer the call to a restricted phone. Such programs might also act as agents for setting up trunk-to-trunk calls (where permitted by the PBX) from phones other than the requesting user’s phone.
■ Set a maximum number of login attempts per call.
■ Allow time to enter the complete login.
■ Disconnect if inactive.
— Configure pcANYWHERE to log remote control and online sessions. (Set the Save Session Statistics in Activity Log File checkbox in the Other Session Parameters group box.)
■ PassageWay Telephony Services communicates with the enterprise communications server through Communication Manager, MultiVantage™ Software, or the DEFINITY ECS LAN Gateway.
TransTalk 9000 Digital Wireless System
The TransTalk 9000 Digital Wireless System is a flexible wireless adjunct for use with the Communication Manager, MultiVantage™ Software, DEFINITY ECS, MERLIN LEGEND, PARTNER II, PARTNER Plus, System 25, System 75, and System 85 communications systems, as well as the MERLIN MAIL Voice Messaging System.
10 Call routing
Call routing call flow
The following is the basic call flow through Communication Manager, MultiVantage™ Software, DEFINITY ECS, DEFINITY G1 and G3, or System 75:
■ Endpoint signals switch to start call.
Example 2: User dials 2. Digit two is defined as a 4-digit extension code in the dial plan. Three more digits are required to place the call. The three additional digits are dialed. The four digits dialed determine the destination called. The system checks the calling permissions of the originator’s COR to see if the COR of the originator is allowed to call the COR of the destination dialed. If the COR of the originator is set to y for the COR of the destination, the call will complete.
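The COR calling-permission check in Example 2 and the FRL comparison described in the automated attendant chapter (a station or port FRL of 0 against route pattern preferences that require FRL 1 or higher) combine into one routing decision. The following Python model is an added example, not code from this handbook or from Avaya: the COR and RoutePattern records, the dial plan with 9 as the ARS access code, and the sample translations are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class COR:
    """Class of Restriction: the FRL plus the set of COR numbers this COR may call
    (the 'y' entries of the calling permissions matrix). Constructed for this example."""
    number: int
    frl: int                                  # Facility Restriction Level, 0 (fewest privileges) to 7
    may_call: set = field(default_factory=set)
    outward_restricted: bool = False          # Calling Party Restriction = outward


@dataclass
class RoutePattern:
    """Ordered trunk-group preferences; each needs at least the FRL given."""
    number: int
    preferences: list                         # [(trunk_group_name, required_frl), ...]


# Constructed dial plan: first digit -> (call type, total digits). '2' begins a
# 4-digit extension as in Example 2 above; '9' as the ARS access code is an assumption.
DIAL_PLAN = {"2": ("ext", 4), "9": ("ars", None)}


def cor_permits(orig: COR, dest: COR) -> bool:
    """COR-to-COR check: the originator's COR must have 'y' for the destination COR."""
    return dest.number in orig.may_call


def choose_preference(orig: COR, pattern: RoutePattern) -> Optional[str]:
    """ARS check: the first preference whose FRL the caller meets, else None."""
    for trunk_group, required_frl in pattern.preferences:
        if orig.frl >= required_frl:
            return trunk_group
    return None


def route_call(orig: COR, dialed: str, stations: dict, pattern: RoutePattern) -> str:
    """Walk the call through the dial plan, the COR matrix and the FRL check.
    stations maps extension -> COR of the station at that extension."""
    if not dialed or dialed[0] not in DIAL_PLAN:
        return "denied: not in dial plan"
    call_type, length = DIAL_PLAN[dialed[0]]
    if call_type == "ext":
        if len(dialed) != length:
            return "denied: wrong extension length"
        dest = stations.get(dialed)
        if dest is None:
            return "denied: unassigned extension"
        if not cor_permits(orig, dest):
            return "denied: COR calling permission"
        return "completed: extension"
    # ARS call: access code followed by the outside number
    if orig.outward_restricted:
        return "denied: outward restricted"
    trunk_group = choose_preference(orig, pattern)
    if trunk_group is None:
        return "denied: FRL"
    return f"routed: {trunk_group}"


# Constructed sample translations.
USER_COR = COR(1, frl=3, may_call={1, 10})
AUTO_ATTENDANT_COR = COR(10, frl=0, may_call={1})        # FRL 0: no outside calls
RESTRICTED_COR = COR(11, frl=7, may_call={1}, outward_restricted=True)
STATIONS = {"2000": USER_COR, "2500": AUTO_ATTENDANT_COR, "2600": RESTRICTED_COR}
# Every preference requires FRL 1 or higher, so an FRL 0 caller never gets a trunk.
PATTERN_1 = RoutePattern(1, [("wats-trunks", 3), ("co-trunks", 1)])

if __name__ == "__main__":
    for cor, digits in [(USER_COR, "919725550100"), (AUTO_ATTENDANT_COR, "919725550100"),
                        (RESTRICTED_COR, "919725550100"), (AUTO_ATTENDANT_COR, "2000")]:
        print(cor.number, digits, "->", route_call(cor, digits, STATIONS, PATTERN_1))
```

The automated attendant COR reaches extension 2000 (its calling-permission entry for COR 1 is y) but is denied on the ARS call because no preference accepts FRL 0, which is the outcome the chapter describes for automated attendant ports.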
11 Blocking calls
Country codes
The following is a list of international country codes for direct dialing. In developing your ARS patterns, you may want to consider blocking access to those countries that you do not want users to dial.
Aruba 297; Ascension Island 247; Australia 61; Austria 43; Azerbaijan 994; Bahamas 1-242*; Bahrain 973; Bangladesh 880; Barbados 1-246*; Barbuda 1-268*; Belarus 375; Belgium 32; Belize 501; Benin 229; Bermuda 1-441*; Bhutan 975; Bolivia 591; Bosnia & Herzegovina 387; Botswana 267; Brazil 55; British Virgin Islands 1-284*; Brunei 673; Bulgaria 359; Burkina Faso 226; Burundi 257; Cambodia 855; Cameroon 237; Canada 1*; Cape Verde Islands 238
Chatham Island (New Zealand) 64; Chile 56; China (PRC) 86; Christmas Island 61; Cocos-Keeling Islands 61; Colombia 57; Comoros 269; Congo 242; Cook Islands 682; Costa Rica 506; Croatia 385; Cuba 53; Cuba (Guantanamo Bay) 5399; Curacao 599; Cyprus 357; Czech Republic 420; Denmark 45; Diego Garcia 246; Djibouti 253; Dominica 1-767*; Dominican Republic 1-809*; East Timor 670; Easter Island 56; Ecuador 593; Egypt 20; El Salvador 503; Equatorial Guinea 240; Eritrea 291
Fiji Islands 679; Finland 358; France 33; French Antilles 596; French Guiana 594; French Polynesia 689; Gabon 241; Gambia 220; Georgia 995; Germany 49; Ghana 233; Gibraltar 350; Global Mobile Satellite System (GMSS) 881; Greece 30; Greenland 299; Grenada 1-473*; Guadeloupe 590; Guam 1-671*; Guantanamo Bay 5399; Guatemala 502; Guinea-Bissau 245; Guinea (PRP) 224; Guyana 592; Haiti 509; Honduras 504; Hong Kong 852; Hungary 36; Iceland 354; Ind
Inmarsat (Atlantic Ocean West) 874; Inmarsat (Indian Ocean) 873; Inmarsat (Pacific Ocean) 872; Inmarsat SNAC 870; Iran 98; Iraq 964; Ireland 353; Iridium (under deactivation) 8816, 8817; Israel 972; Italy 39; Ivory Coast 225; Jamaica 1-876*; Japan 81; Jordan 962; Kazakhstan 7; Kenya 254; Kiribati 686; Korea (North) 850; Korea (South) 82; Kuwait 965; Kyrgyz Republic 996; Laos 856; Latvia 371; Lebanon 961; Lesotho 266; Liberia 231; Libya 218; Liechtenstein 423; Luxem
Madagascar 261; Malawi 265; Malaysia 60; Maldives 960; Mali Republic 223; Malta 356; Marshall Islands 692; Martinique 596; Mauritania 222; Mauritius 230; Mayotte Island 269; Mexico 52; Micronesia (Federal States of) 691; Midway Island 808; Moldova 373; Monaco 377; Mongolia 976; Montserrat 1-664*; Morocco 212; Mozambique 258; Myanmar 95; Namibia 264; Nauru 674; Nepal 977; Netherlands 31; Netherland Antilles 599; Nevis 1-869*; New Caledonia 6
Niue 683; Norfolk Island 672; Northern Marianas Islands (Saipan, Rota, & Tinian) 1-670; Norway 47; Oman 968; Pakistan 92; Palau 680; Palestine 970; Panama 507; Papua New Guinea 675; Paraguay 595; Peru 51; Philippines 63; Poland 48; Portugal 351; Puerto Rico 1-787*; Qatar 974; Reunion Island 262; Romania 40; Russia 7; Rwanda 250; St. Helena 290; St. Kitts/Nevis 1-869*; St. Lucia 1-758*; St. Pierre and Miquelon 508; St.
Sierra Leone 232; Singapore 65; Slovak Republic 421; Slovenia 386; Solomon Islands 677; South Africa 27; Spain 34; Sri Lanka 94; Sudan 249; Suriname 597; Swaziland 268; Sweden 46; Switzerland 41; Syria 963; Taiwan 886; Tajikistan 992; Tanzania 255; Thailand 66; Togo 228; Tokelau 690; Tonga Islands 676; Trinidad and Tobago 1-868*; Tunisia 216; Turkey 90; Turkmenistan 993; Turks and Caicos Islands 1-649*; Tuvalu 688; Uganda 256; Ukraine 380
Universal Personal Telecommunications (UPT) 878; Uruguay 598; Uzbekistan 998; Vanuatu 678; Vatican City 39; Venezuela 58; Vietnam 84; Wake Island 808; Wallis and Futuna Islands 681; Western Samoa 685; Yemen 967; Yugoslavia 381; Zambia 260; Zanzibar 255; Zimbabwe 263
Blocking toll fraud destinations
Toll fraud calls are placed to locations all over the world. Table 11-1, used for illustrative purposes only, highlights some of the destinations where fraudulent calls may terminate. In the table, the destination is followed by the country code or Numbering Plan Area (NPA) you can enter to block calls to that location.
Table 11-1.
Blocking ARS calls on DEFINITY G1 and System 75
Use the following procedure to block calls to the destinations listed in Table 11-1. This procedure does not prohibit dialing calls via TAC (refer to ‘‘Disable direct access to trunks’’ on page 5-39 for details).
1. Use change ars fnpa 000 to display the ARS FNPA Table screen.
2.
Blocking toll fraud destinations 5. Use change rhnpa table 31 to display the RHNPA Table 31 screen. 6. Enter the routing pattern changes to RHNPA Table 31 200 to 299, 300 to 399, and 500 to 599.
Blocking calls ARS RHNPA TABLE: 31 OFFICE CODES: 500-599 Pattern Choices 01:2 03: 05: 07: 09: 11: 02: 04: 06: 08: 10: 12: Office Code - Pattern Choice Assignments (from 1 to 12 above) 20:12 30:12 40:12 50:12 60:12 70:1 80:12 90:1 21:12 31:12 41:12 51:12 61:12 71:12 81:12 91:1 22:12 32:12 42:12 52:12 62:12 72:12 82:12 92:12 23:12 33:12 43:12 53:12 63:12 73:12 83:12 93:12 24:12 34:12 44:12 54:12 64:12 74:12 84:12 94:12 25:12 35:12 45:12 55:2 65:12 75:12 85:12 95
Blocking toll fraud destinations Blocking ARS calls on G2.1 and System 85 Use the following procedure to block calls to the destinations listed in Table 11-1 on page 11-10. This procedure does not prohibit dialing calls via TAC (refer to ‘‘Disable direct access to trunks’’ on page 5-39 for details). ■ To block calls to the Dominican Republic, use PROC311 WORD3 (6-digit table for NPA=809) to route each specified NXX combination to an empty pattern.
Blocking calls Blocking WCR calls on DEFINITY G2.2 Use the following procedure to block calls to the destinations listed in Table 11-1 on page 11-10. ■ For calls to the Dominican Republic, specifically add the allowed NXX as 809NXX, length 10, to the appropriate VNI (routing pattern).
Blocking toll fraud destinations Blocking ARS calls on G3 This section contains a sample ARS Digit Analysis Table for G3. In the example, international and operator-assisted numbers are allowed, but 0700 calls are denied, as well as high toll destinations to these countries: Colombia, Pakistan, Jordan, Iraq, Saudi Arabia, United Arab Republic, Israel, Iran, Kuwait, and Puerto Rico. Use the following procedure to block calls to the destinations listed in Table 11-1 on page 11-10.
Blocking calls ARS DIGIT ANALYSIS TABLE — Continued Partitioned Group Number: 1 Dialed Total Route Call Pat Type String Min Max 01198 10 23 int 0700 11 11 op 101xxxx 5 5 op 101xxxx 12 12 hnpa 101xxxx0 6 6 1 op 101xxxx0 16 16 1 op 101xxxx00 7 7 1 op 101xxxx01 15 23 1 iop 101xxxx01157 15 23 int 101xxxx01192 15 23 int 101xxxx011962 15 23 int 101xxxx011962 15 23 int 101xxxx011964 15 23 int 101xxxx011965 15 23 int 101xxxx011966 15 23 int 1
ARS DIGIT ANALYSIS TABLE — Continued
Partitioned Group Number: 1

Dialed String    Total Min  Total Max  Route Pat  Call Type
101xxxx0700      16         16                    op
101xxxx1         16         16         1          fnpa
101xxxx1809      16         16                    fnpa
180              11         11         1          fnpa
1809             11         11                    fnpa

Continued on next page

Blocking ARS calls on System 25 R3V3

The toll call allowed/disallowed lists, available in System 25 R3V3, permit the administrator to restrict international calling.
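To make the deny logic of a digit analysis table like the one above concrete, here is an added Python model (not Avaya code and not from this handbook) of how such a table can be evaluated: the most specific matching Dialed String wins, x matches any single digit, the total length must fall within Min/Max, and a blank Route Pattern means the call is denied. The sample table is constructed for this example from the printed rows plus a few assumed allow entries (route pattern 1 is an assumption).

```python
"""Added example: evaluate dialed digits against a G3-style ARS Digit Analysis
Table.  Illustrative code, not Avaya's implementation; the matching rules
(longest match, 'x' wildcard, blank route pattern = deny) model the behaviour
the handbook's sample table relies on."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DigitEntry:
    dialed: str               # leading digit string; 'x' matches any one digit
    min_len: int              # Total Min: shortest acceptable dialed number
    max_len: int              # Total Max: longest acceptable dialed number
    route_pat: Optional[int]  # Route Pattern; None = blank = call is denied
    call_type: str            # int, op, iop, hnpa, fnpa ... (informational here)


# Constructed sample table.  Rows marked "handbook" follow the printed sample;
# the others are assumed allow entries so that international, operator and
# ordinary domestic calls route somewhere (route pattern 1 is assumed).
SAMPLE_TABLE: List[DigitEntry] = [
    DigitEntry("011",         10, 23, 1,    "int"),   # assumed: international allowed
    DigitEntry("01198",       10, 23, None, "int"),   # handbook: Iran denied
    DigitEntry("01192",       10, 23, None, "int"),   # handbook: Pakistan denied
    DigitEntry("0",            1,  1, 1,    "op"),    # assumed: operator allowed
    DigitEntry("0700",        11, 11, None, "op"),    # handbook: 0700 denied
    DigitEntry("1",           11, 11, 1,    "fnpa"),  # assumed: 1 + 10 digits allowed
    DigitEntry("180",         11, 11, 1,    "fnpa"),  # handbook: 180x allowed
    DigitEntry("1809",        11, 11, None, "fnpa"),  # handbook: 809 NPA denied
    DigitEntry("101xxxx1",    16, 16, 1,    "fnpa"),  # handbook: carrier code + 1+
    DigitEntry("101xxxx1809", 16, 16, None, "fnpa"),  # handbook: carrier code + 809 denied
]


def pattern_matches(pattern: str, dialed: str) -> bool:
    """True if every position of `pattern` agrees with the start of `dialed`."""
    if len(dialed) < len(pattern):
        return False
    return all(p == "x" or p == d for p, d in zip(pattern, dialed))


def analyze(table: List[DigitEntry], dialed: str) -> Tuple[str, Optional[DigitEntry]]:
    """Return ("allow" | "deny", matching entry or None).

    Candidates must match the leading digits and accept the total length.
    The most specific entry wins: longest dialed string first, then the one
    with the fewest wildcards.  No candidate at all is treated as a deny,
    the safe default for a toll-fraud block list."""
    if not dialed.isdigit():
        return "deny", None
    candidates = [
        e for e in table
        if pattern_matches(e.dialed, dialed) and e.min_len <= len(dialed) <= e.max_len
    ]
    if not candidates:
        return "deny", None
    best = max(candidates, key=lambda e: (len(e.dialed), -e.dialed.count("x")))
    return ("allow" if best.route_pat is not None else "deny"), best


def check_numbers(numbers: List[str], table: List[DigitEntry] = SAMPLE_TABLE) -> dict:
    """Map each dialed number to its allow/deny decision."""
    return {n: analyze(table, n)[0] for n in numbers}


if __name__ == "__main__":
    # Constructed dialed strings: a blocked 809 number, an allowed 800 number,
    # a blocked Iran number, a 0700 call, carrier-code variants, operator, a short string.
    for number, decision in check_numbers(
        ["18095551234", "18005551234", "01198211234567", "07001234567",
         "1010288180955512", "1010288180055512", "0", "180955"]
    ).items():
        print(f"{number:>18}  {decision}")
```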
Blocking calls 11-20 Issue 9 May 2003
12 Remote access example (Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY G1, G3, and System 75)

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.
7. Select a unique COS (0 through 15) that is not used for any facility other than remote access, and does not allow console permissions. For this example, we will use 15.
8. Enter the COS in the first COS field corresponding to the barrier code you entered in Step 4. For example, we would enter 15 in the first COS field.
9.
17. For DEFINITY G1 and System 75, use change ars fnpa a00 group 8 (a equals 0 through 5), change ars hnpa n00 group 8 (n equals 2 through 9), and change rnx n00 group 8 (n equals 2 through 9) to enter the Route Pattern where you want to allow calls. The dialed string entries are already specified, so enter the Route Pattern number only.
To permanently disable the Remote Access feature in System 75V3, G3, and the “n” versions of G1:
■ Enter change remote-access to display the Remote Access screen.
■ Make sure the Remote Access Extension field is blank.
■ Enter y in the Permanently Disable field.
■ Enter save translation. You MUST enter this command or the change will be lost if the switch is rebooted.
13 Administering features of the DEFINITY G3V3 and later

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

This chapter provides information on administering these features in Communication Manager, MultiVantage™ Software, DEFINITY ECS and DEFINITY G3.
Administering the SVN feature

This section contains the following subsections:
■ Administering the login component
■ Administering the barrier code security violations parameters of the SVN feature
■ Administering the authorization code component
■ Administering the station security code component

Administering the login component

To administer system parameters for the login component of the SVN feature, do the following:
1.
■ Time Interval
Enter the time interval within which a login security violation must occur. The range is one minute to eight hours (0:01 to 7:59), and is entered in the form x:xx. For example, if you want the time interval to be 1 minute, enter 0:01. If you want the time interval to be seven and one-half hours, enter 7:30. The system default is 0:03.
■ Announcement Extension
Enter an extension that is assigned to the login SVN announcement.
List the status of a login ID

To list the status of a login:
1. Log in to the switch using a login ID with the proper permissions.
2. Enter the command list logins. A display indicating the status of all logins appears.

Possible login ID statuses are:
■ disabled — The login was disabled manually using the disable login command.
■ svn-disabled — A security violation was detected for that login and the login was disabled by the SVN feature.
■ Login Threshold
Enter the minimum number of login attempts that will be permitted before a referral call is made. The value assigned to this field, in conjunction with the Time Interval field, determines whether a security violation has occurred. The system default is 5.
■ Time Interval
Enter the time interval within which a login security violation must occur. The range is one minute to eight hours (0:01 to 7:59), and is entered in the form x:xx.
Administering the Remote Access Kill After N Attempts feature

Following is an example of how to administer this feature.
1. Enter change system-parameters features security (G3V3 and later) or change system-parameters features (releases prior to G3V3).
If the Remote Access feature is to be dormant for a period of time, the feature can be disabled using the disable remote-access command. Entry of this command will disable the Remote Access feature until it is re-enabled using the enable remote-access command.

Administering the Login ID Kill After N Attempts feature

Following is an example of how to administer this feature.
1.
Enter the enable login command to re-enable the login ID. If a login ID is to be dormant for a period of time, the login ID can be disabled using the disable login command. Entry of this command will disable the login ID until it is re-enabled using the enable login command.
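The Login Threshold and Time Interval fields described above, together with the Login ID Kill After N Attempts behaviour, amount to a sliding-window detector. The following added Python model (not Avaya code, not from this handbook) validates the x:xx interval, counts invalid attempts per login inside that window, records a referral when the count reaches the threshold and, when disabling is on, marks the login svn-disabled until an administrator re-enables it. The log events are constructed; the assumption that a successful login clears the failure history is this example's, not the handbook's.

```python
"""Added example (not Avaya code): model of the SVN login-component logic.
Parameters mirror the handbook's fields: Login Threshold (default 5) and
Time Interval in h:mm form (default 0:03, range 0:01 to 7:59)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


def parse_interval(text: str) -> timedelta:
    """Validate an SVN Time Interval written as h:mm and return it as a timedelta.

    Accepts 0:01 through 7:59, the range the handbook gives for the field."""
    hours, sep, minutes = text.partition(":")
    if sep != ":" or not hours.isdigit() or not (minutes.isdigit() and len(minutes) == 2):
        raise ValueError(f"time interval must be h:mm, got {text!r}")
    h, m = int(hours), int(minutes)
    value = timedelta(hours=h, minutes=m)
    if m > 59 or not (timedelta(minutes=1) <= value <= timedelta(hours=7, minutes=59)):
        raise ValueError(f"time interval out of range 0:01..7:59: {text!r}")
    return value


class LoginSvn:
    """Sliding-window counter of invalid login attempts per login ID."""

    def __init__(self, threshold: int = 5, interval: str = "0:03",
                 disable_on_violation: bool = True) -> None:
        if threshold < 1:
            raise ValueError("login threshold must be positive")
        self.threshold = threshold
        self.window = parse_interval(interval)
        self.disable_on_violation = disable_on_violation
        self._attempts: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.status: Dict[str, str] = {}            # login -> "svn-disabled"
        self.referrals: List[Tuple[datetime, str]] = []

    def enable_login(self, login: str) -> None:
        """Administrator re-enables a login (the handbook's enable login command)."""
        self.status.pop(login, None)
        self._attempts[login].clear()

    def record(self, when: datetime, login: str, success: bool) -> str:
        """Process one login attempt and return its disposition."""
        if self.status.get(login) == "svn-disabled":
            return "rejected-disabled"
        if success:
            # Assumption of this model: a good login clears the failure history.
            self._attempts[login].clear()
            return "success"
        q = self._attempts[login]
        q.append(when)
        while q and when - q[0] > self.window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.referrals.append((when, login))  # a referral call would be placed here
            q.clear()
            if self.disable_on_violation:
                self.status[login] = "svn-disabled"
            return "violation"
        return "invalid"


# Constructed sample log: (minute offset, login ID, success?).
SAMPLE_LOG = [
    (0, "admin1", False), (1, "admin1", False), (1, "admin1", False),
    (2, "admin1", False), (2, "admin1", False),   # fifth failure inside 0:03
    (3, "admin1", True),                          # correct password, but login already killed
    (0, "ops2", False), (4, "ops2", False), (8, "ops2", False),
    (12, "ops2", False), (16, "ops2", False),     # five failures, never five within 0:03
]


def run_sample(threshold: int = 5, interval: str = "0:03") -> Dict[str, List[str]]:
    """Replay SAMPLE_LOG in time order and return each login's dispositions."""
    svn = LoginSvn(threshold, interval)
    base = datetime(2003, 5, 1, 9, 0)
    out: Dict[str, List[str]] = defaultdict(list)
    for offset, login, ok in sorted(SAMPLE_LOG, key=lambda e: e[0]):
        out[login].append(svn.record(base + timedelta(minutes=offset), login, ok))
    return dict(out)


if __name__ == "__main__":
    for login, dispositions in run_sample().items():
        print(login, dispositions)
```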
■ Time Interval
Enter the time interval within which the authorization code security violations must occur. The range for the time interval is one minute to eight hours (0:01 to 7:59), and is entered in the form x:xx. For example, if you want the time interval to be one minute, enter 0:01. If you want the time interval to be seven and one-half hours, enter 7:30. The system default is 0:03.
■ Originating Extension
This is a dynamic field that is displayed only when the SVN Station Security Code Violation Enabled field is set to y. Whenever a Station Security Code SVN Referral call is made, the extension in this field is internally the originating extension. It has no other significance than that it is not available for use as a normal extension. Enter any unassigned extension containing five digits.
■ Announcement Extension
This field contains an extension corresponding to a recorded announcement that is to be played whenever a station security code SVN referral call is made. This allows the referral destination to be a phone without a display. This is a dynamic field that is displayed whenever the corresponding SVN Violation Notification Enabled field is set to y. Enter a 5-digit extension to be assigned to the appropriate announcement.
■ Barrier Code
Assign a barrier code that conforms to the number entered in the Barrier Code Length field. All codes must be 4 to 7 digits. The code can be any combination of the digits 0 through 9. If the Barrier Code Length field is blank, the first barrier code field must be specified as none. Duplicate entries are not allowed. The system default for this field is a blank. Assign a 7-digit number in this field for maximum security.
■ Calls Used
This is a display-only field that specifies the number of calls that have been placed using the corresponding barrier code. The Calls Used field is incremented each time a barrier code is successfully used to access the Remote Access feature.
NOTE: A usage that exceeds the expected rate may indicate improper use.
■ Permanently Disable
Enter y to permanently disable the Remote Access feature.
To add a customer login you must be a superuser, have administrative permissions, and follow these steps:

NOTE: Always use your own unique login — never an Avaya customer login or variation thereof (for example, “cust,” “rcust,” “cust1,” “rcust1,” etc.).

1. Access the Login Administration screen by entering add login . The 3- to 6-character login name (numbers 0 to 9, characters a to z or A to Z) you entered is displayed in the Login’s Name field.
9. In the Password Aging Cycle Length (Days) field, enter the number of days (from the current day) after which you want the password to expire. If this field is left blank, password aging does not apply to the specified login. Valid entries are 1 to 99 days or a blank. When a login password is within seven days of its expiration date, a warning message is displayed when the user logs in:
WARNING: your password will expire in xx days.
3. Enter customer in the Login Type field. The system default for this field is customer. The maximum number of customer logins of all types is 11.
4. Enter super-user or non-super-user in the Service Level field.
5. Enter y in the Disable Following a Security Violation field to disable a login following a login security threshold violation.
To administer command permissions, log in as superuser and do the following:
1. Enter change permissions login to access the Command Permissions Categories screen. When the screen is displayed for a login, the default permissions for that login type appear on the screen.
2. Select a category for the login and enter y in each field where permission to perform an administrative or maintenance action is needed.
Remove a login

To remove a login from the system, enter the command remove login . The system displays the Login Administration screen. Press Return to remove the login, or select Cancel to exit the remove login procedure without making a change.

Administering the security violations reports

The security violations reports provide current status information for invalid login, remote access (barrier code), or authorization code attempts.
14 Changing your password

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

This chapter provides steps for changing passwords for systems listed in this handbook, where applicable.

AUDIX Voice Mail System
■ System administrators: Use the Identification screen to change your login password.
1.
AUDIX Voice Power System
■ System administrators:
1. Access the AUDIX Voice Power System main menu.
2. Select Subscriber Administration.
3. On the Subscriber Administration screen, enter a password, a name, and an extension.
4. Press F3 (Exit).
■ End users:
1. Enter your extension and password.
2. Press 5.
3. Follow the prompts to change your password.

CONVERSANT Voice Information System
■ System administrators:
1.
6. When prompted to repeat the new password (re-enter new password), enter the new password again. If the two password entries are the same, the password is assigned. If the two password entries do not match, the following message is displayed:
They don’t match; try again.
New password:
You receive an error message if:
— You enter the old password incorrectly.
— The new password is not at least six characters long.
DEFINITY AUDIX System
■ System administrators: You can change two passwords: that of the currently logged-in user, and the system password. (You need cust or higher-level login permissions.)
— Currently logged-in user’s password
Use the Password screen to change the password of the currently logged-in user.
1. To access the Password Administration screen, type change password and press Enter.
2. Type the currently logged-in user’s login ID in the Login ID field.
3.
Communication Manager, MultiVantage Software, DEFINITY ECS and DEFINITY G1 and G3
■ System administrators: Use the Change Password screen to change the login password.
1. Log in as cust, or for G3V3 or later, as the customer superuser login you have defined.
2. Enter change password , where is the login you want to change.
4. Enter your current password, then press Return. The cursor is now positioned on the New Password for Login Name field.
5. Enter your new password, then press Return. The cursor is now positioned on the New Password (enter again) field.
6. Enter your new password again, then press Return.
7. Verify that the screen displays: command successfully completed

DEFINITY G2
For DEFINITY G2, passwords are shared between the customer and Avaya.
4. Enter your new password at the following prompt:
New password
Passwords must be at least six characters.
5. Enter the new password again at the following prompt:
Re-enter new password
6. Press Cancel to return to the UNIX Management screen.
■ End users:
1. Press 5 at the main AUDIX Voice Mail System menu.
2. Follow the prompts to change your password.
MERLIN MAIL R3, MERLIN LEGEND Mail, or PARTNER MAIL R3 Voice Messaging System
■ System administrators: You can change two passwords: 1) the system administrator’s mailbox password, and 2) the system administration password.
— The System Administrator’s Mailbox Password
1. Dial the MERLIN MAIL R3, MERLIN LEGEND Mail, or PARTNER MAIL R3 Voice Messaging System or press a programmed button.
2. Enter the system administrator mailbox number (initially 9997) and press #.
3.
PARTNER MAIL System
■ System administrators: Change your password by means of the Voice Mail menu.
1. To access this menu, press Intercom 777 or a programmed button.
2. Enter your mailbox number (initially 9997) and press #.
3. Enter your password (initially 1234) and press #.
4. Press 5 and follow the prompts to change your password.
■ End users: Change your password by means of the Voice Mail menu.
1. To access this menu, press Intercom 777 or a programmed button.
2.
System 25
■ System administrators:
1. From the Main Menu prompt, enter 4.
2. At Action = enter 75.
3. At Data = enter the new password. For security, the display always shows ????????. The default is systemx5.
NOTE: The password reverts to the default when the system cold starts. The following message is displayed when a cold start occurs:
WARNING: Default Password in effect.
System 85
6. Enter the new password (from the previous step) again, then press Return.
7. Verify that the screen displays: command successfully completed
■ End users: Use the Change Password screen to change the login password.
1. Verify that the screen displays: command:
2. Enter change password , where is the login you want to change. For example, if you want to change the login password for dopg1, enter change password dopg1 and then press Return.
3.
15 Toll fraud job aids

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

The job aids in this appendix are tools for your organization to use in securing your system against toll fraud. Copy them and distribute them to your staff to post or use in any other manner that meets their needs.
■ Sudden or unexplained inability to access specific administrative functions within the system.
■ Employees complain of difficulty in obtaining an outside line.
■ Simultaneous direct inward system access (DISA) authorization code use coming from two different places at the same time.
■ An upsurge in use on DISA or other trunks.
■ Unusual increase in customer premises equipment-based system memory usage.
■ Unexplained changes in system software parameters.
System security action plan

Figure 15-1. System security action plan

Educate end users
The first step customers should take in tightening the security of their systems is to increase end users’ awareness of the system’s security features and vulnerabilities. Develop and implement a toll fraud detection and reaction plan with all employees. Train users on remote access responsibilities and security procedures.
Ten tips to help prevent phone fraud
■ Protect system administration access
Ensure secure passwords exist for all logins that allow system administration or maintenance access to the system. Change the passwords frequently.
■ Prevent voice mail system transfer to dial tone
Activate “secure transfer” features in voice mail systems. Place appropriate restrictions on voice mail access/egress ports.
■ Monitor traffic and system activity for normal patterns
Activate features that “Turn Off” access in response to unauthorized access attempts. Use Traffic and Call Detail reports to monitor call activity levels.
■ Educate system users to recognize toll fraud activity and react appropriately
From safely using calling cards to securing voice mailbox passwords, users need to be trained on how to protect themselves from inadvertent compromises to the system’s security.
16 Special security product and service offers

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.

Remote port security device

The remote port security device (RPSD) offers enhanced protection for dial-up data access. Communications systems typically consist of a mix of digital PBXs, voice mail systems, and adjunct applications computers.
Dial-up ports provide access to data networks and computers that contain critical data and software applications. While these ports help to improve productivity and increase customer satisfaction, they also provide potential access to hackers. The “key and lock” authentication process uses a sophisticated dynamic challenge/response technique to assist you in preventing unauthorized access to your administration and maintenance ports.
■ A power monitor circuit allows you to fail or bypass calls to the lock during a power failure.
■ An alarm contact closure interface is provided to generate an alarm when the lock loses power.
Lock and keys work with all data communications protocols.

Securing DEFINITY Systems (prior to Release 7.2) with the remote port security device

If your telephones are connected to a DEFINITY switch or DEFINITY ECS prior to Release 7.2 (which is the same as DEFINITY G3V7.
Avaya support

Avaya provides RPSD keys to its maintenance centers to accommodate access to systems you secure with the RPSD lock. For more information on the RPSD, see the DEFINITY® Communications Systems Remote Port Security Device User’s Manual.

Securing DEFINITY systems (Release 7.
Administering the Access Security Gateway

Use the following procedure to administer the ASG.
1. On the Optional Features (change system-parameters customer-options) screen, do the following:
NOTE: Only Avaya technicians can access this screen.
■ Set the G3 Version field to V6 or later configuration.
■ Set the Access Security Gateway (ASG) field to y.
2.
Logging in via Access Security Gateway (session establishment)

Use the following procedure to log in to the system via the ASG interface:
NOTE: The numbers shown as challenges and responses in the procedures below are for example purposes only. They will not be the numbers you actually use or see on your ASG Key.
1. Connect to the system administration/maintenance port. The system responds with the login prompt.
2.
Maintaining login IDs

Temporarily disabling Access Security Gateway access for login

To temporarily disable ASG:
1. At the prompt, type change login xxxx (xxxx = alphanumeric login ID) and press Return to log into the Login Administration screen.
2. On page 2 of the Login Administration screen, set the Blocked field to y.
Loss of an ASG key

Users who lose their ASG key must notify the system administrator immediately. The administrator, in turn, must do the following:
■ Modify any logins associated with the lost ASG key. See the Administrator’s Guide for Avaya™ Communication Manager, 555-233-506, for information on changing your PIN.
■ Security measurements
ASG session establishment or reject events do not increment the successful logins, invalid attempts, invalid IDs, forced disconnects, login security violations or trivial attempts counters maintained for the Security Violations Detail report. Additionally, login-specific information maintained by the Security Violations Summary report does not include ASG-related data.
Logging in with ASG

When you begin a remote session with an Intuity AUDIX system that is ASG-activated, the system prompts you with a challenge. To log in to a system that has ASG activated for your login:
1. At the login: prompt, enter your login ID. The terminal screen displays the following message:
Challenge: xxxxxxx
Response:
2. Press Enter on the ASG key. The ASG key displays the following message:
PIN:
3. On the ASG key, type your PIN and press Enter.
4.
Adding an ASG login

You must be logged in as sa to add an ASG login for sa or vm. To add a new ASG login to your system:
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration screen.
2. Complete the following fields:
■ Login ID: Type either sa or vm.
Blocking or reinstating access privileges for an ASG login

If a user will not need access to the system for a long period of time, you can block the ASG login ID’s access temporarily. Perform the following tasks to block or reinstate access for an ASG login.
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration screen.
2.
Displaying ASG login information

If you need to check on the status of an ASG login, perform the following tasks to display the ASG Display screen.
1. At the INTUITY Main Menu, select ASG Security Administration and then select ASG Security Login Administration. The system displays the ASG Security Login Administration screen.
2. Type the user’s login ID in the Login ID: field.
3.
2. Type a new value in the Number of failed login attempts: field, if needed. This number can be from 1 to 99, and indicates the number of times that the user can incorrectly type the login information before the system places an entry in the alarm log and disallows further login attempts.
NOTE: A lower number in this field protects the system more fully.
3. Type a new value in the Failed login measurement window: field, if needed.
Avaya support

Avaya provides RPSD keys to its maintenance centers to accommodate access to systems you secure with the RPSD lock. With DEFINITY Release 7.2 and Intuity Release 5.0, the services area of Avaya has been modified to accommodate the ASG feature. However, note that, unlike the RPSD lock feature, which requires access through a hardware RPSD key at the services site, negotiating the system through ASG is accomplished through a software interface to the INADS “connect” tool.
Toll fraud contact list

Contact: Your Avaya account executive or design specialists
For: General questions related to toll fraud

Contact: Avaya Toll Fraud Intervention Hotline, 800 643-2353
For: All systems and products and their adjuncts. Immediate crisis intervention if you suspect that your company is experiencing toll fraud.
17 Product security checklists

NOTE: Unless specifically stated otherwise, references in this document to “G3Vx and later” include the specified DEFINITY G3 (and more recent) versions, DEFINITY ECS, MultiVantage™ Software, and Communication Manager.
■ PARTNER MAIL System (page 17-61)
■ PARTNER MAIL VS System (page 17-61)
■ PARTNER Plus Communications System (page 17-56)
■ System 25 (page 17-63)
■ System 75 (page 17-14)
■ System 85 (page 17-20)
■ PassageWay Telephony Services (page 17-66)

General security procedures

Customer: ________________________________________
Location: _________________________________________
System & Version: _________________________________________
Date Installed: ___________
Table 17-1. General security procedures checklist — Continued
Y/N (1)  Note  N/A
Adjunct (CAS, AUDIX Voice Mail System, CMS, ISII, G3MA ...
Table 17-1. General security procedures checklist — Continued
Y/N (1)  Note  N/A
HackerTracker thresholds established
Social engineering explained
Customer is aware of network-based toll fraud surveillance offerings such as netPROTECT
Customer knows how to subscribe to ACCESS security shared folder
Continued on next page
1. If “NO” (N), provide Note reference number and explain.
AUDIX, DEFINITY AUDIX and INTUITY AUDIX voice messaging systems

Table 17-2.
AUDIX Voice Power System

Table 17-3.
BasicWorks

Also see the general security checklist on page 17-2.

Table 17-4.
CONVERSANT Voice Information System

Also see the general security checklist on page 17-2, and the security checklist for the host communications system.
Table 17-5.
Communication Manager, MultiVantage Software, DEFINITY ECS, DEFINITY G1 and G3, and System 75

Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 17-6. Communication Manager, MultiVantage™ Software, DEFINITY ECS, G1, and G3, and System 75 security checklist — Continued
Y/N (1)  Note  N/A
Switch-hook flash denied on FAX machines, modems, etc.
DEFINITY G2 and System 85

Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 17-7. DEFINITY G2 and System 85 security checklist — Continued
Y/N (1)  Note  N/A
Change password from default for new subscribers
Voice ports outward restricted if outcalling not used
Use of outcalling denied or minimized
Invalid automated attendant menu options directed to operator
Disable remote maintenance access when not in use
Continued on next page
1. If “NO” (N), provide Note reference number and explain.
DIMENSION PBX System

Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.

Customer: _________________________________________
FP & Issue: _________________________________________
Location: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________

Table 17-8.
Table 17-8. DIMENSION PBX System security checklist — Continued
Y/N (1)  Note  N/A
Product Monitoring
SMDR reports monitored daily, including authorization code violations
Traffic measurement reports, including remote access history, reviewed daily
Customer Education
Security code changed on a scheduled basis and coordinated with Denver Maintenance Center
Blocking 976 look-alikes
Continued on next page
1. If “NO” (N), provide Note reference number and explain.
MERLIN II Communications System

Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 17-9. MERLIN II Communications System security checklist — Continued
Y/N (1)  Note  N/A
If outcalling enabled:
■ All voice mail ports except last one toll restricted
■ Last port for voice mail restricted to areas appropriate for outcalling
Product Monitoring
SMDR reports monitored daily
Customer Education
Blocking 976 look-alikes
Continued on next page
1. 2. If “NO” (N), provide Note reference number and explain.
MERLIN LEGEND Communications System

Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.
Table 17-10. MERLIN LEGEND Communications System security checklist — Continued
Y/N (1)  Note  N/A
Disallow list created containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999
Access denied to pooled facility codes 70, and 890-899
Product Monitoring
SMDR/HackerTracker reports monitored daily
Continued on next page
1. 2. If “NO” (N), provide Note reference number and explain.
MERLIN MAIL Voice Messaging System

Also see the general security checklist on page 17-2, and the security checklist for the host communications system.
Table 17-11. MERLIN MAIL Voice Messaging System security checklist — Continued
Y/N (1)  Note  N/A
MERLIN LEGEND Communications System voice mail port(s) used for outcalling restricted via allow list to specific areas if outcalling is needed.
All other MERLIN LEGEND Communications System voice mail ports outward restricted.
Disallow list created containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999.
MERLIN MAIL-ML Voice Messaging System

Also see the general security checklist on page 17-2, and the security checklist for the host communications system.
Table 17-12. MERLIN MAIL-ML Voice Messaging System security checklist — Continued
Y/N (1)  Note  N/A
MERLIN LEGEND Communications System voice mail port(s) used for outcalling restricted via allowed list to specific areas if outcalling is needed.
All other MERLIN LEGEND Communications System voice mail ports outward restricted.
On MERLIN LEGEND Communications System, create disallow list containing 0, 011, 10, 700, 800, 1800, 809, 1809, 411, 1411, 900, and 9999.
MERLIN MAIL R3 Voice Messaging System

Also see the general security checklist on page 17-2, and the security checklist for the host communications system.
MERLIN MAIL R3 Voice Messaging System Table 17-13.
Product security checklists Table 17-13. MERLIN MAIL R3 Voice Messaging System security checklist — Continued Y/N1 Note N/A Automated Attendant No pooled facility access codes translated on menus No ARS codes translated on menus Remote call forwarding used offnet only with trunks that provide reliable disconnect (for example, ground-start) End User Education Passwords changed from default for new subscribers Passwords are difficult to guess Passwords are changed quarterly Continued on next page 1.
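The four MERLIN checklists above (Tables 17-10 to 17-13) describe one screening policy: a system-wide disallow list of dialed-digit prefixes, per-port outward restriction or an allow list for outcalling ports, denial of direct pool-code access, and automated-attendant menus that translate only to extensions. The following is an added example of that policy in Python; it is not Avaya or MERLIN LEGEND code. It assumes the digit string being screened is what the caller dialed after the ARS or pool access code, uses "9" as a stand-in ARS access code (the real value is site-specific), and the allow-list prefixes and extension numbers are constructed for the demonstration.

```python
"""Dialed-digit screening in the style of the MERLIN LEGEND / MERLIN MAIL checklists.

Added example; it is not Avaya code. Assumptions: the digit string handed to
screen_call() is what the caller dialed after the ARS or pool access code, the
allow-list prefixes and extension set are constructed for the demo, and "9" is
used as a stand-in ARS access code (the real value is site-specific).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Disallow list exactly as Tables 17-10 to 17-12 give it. Entries are leading-digit
# prefixes: "0" catches operator-assisted dialing (and therefore "00" and "011" too),
# "10" catches 10xxx carrier access codes, and "800"/"1800" are both listed because
# a caller may dial the number with or without a leading 1.
DISALLOW_LIST = ("0", "011", "10", "700", "800", "1800", "809", "1809",
                 "411", "1411", "900", "9999")

# Pooled facility codes the Table 17-10 item denies: 70 and 890-899.
DENIED_POOL_CODES = ("70",) + tuple(str(n) for n in range(890, 900))

ARS_ACCESS_CODES = ("9",)  # assumption, see module docstring


def matches_prefix(digits: str, entries: Iterable[str]) -> Optional[str]:
    """Return the first entry that is a leading-digit prefix of `digits`, else None."""
    for entry in entries:
        if digits.startswith(entry):
            return entry
    return None


@dataclass
class VoiceMailPort:
    """Per-port policy from Tables 17-11/17-12: a port is either outward restricted
    or limited by an allow list to the areas it may outcall to."""
    name: str
    outward_restricted: bool = True
    allowed_prefixes: Tuple[str, ...] = ()   # e.g. ("1303",): constructed value


def screen_call(port: VoiceMailPort, dialed: str) -> Tuple[bool, str]:
    """Decide whether `dialed` may leave the switch on `port`, with a reason.

    The system-wide disallow list is checked before the per-port allow list, so an
    allow-list entry can never re-enable a disallowed prefix.
    """
    digits = "".join(ch for ch in dialed if ch.isdigit())   # drop spaces and dashes
    if not digits:
        return False, "no digits dialed"
    hit = matches_prefix(digits, DISALLOW_LIST)
    if hit is not None:
        return False, f"blocked by disallow list entry {hit}"
    if port.outward_restricted:
        return False, f"port {port.name} is outward restricted"
    hit = matches_prefix(digits, port.allowed_prefixes)
    if hit is None:
        return False, f"not in allow list for port {port.name}"
    return True, f"allowed by allow list entry {hit}"


def pool_code_allowed(code: str) -> bool:
    """Direct pool/facility code access: 70 and 890-899 must be denied."""
    return code not in DENIED_POOL_CODES


def menu_target_ok(target: str, extensions: Iterable[str]) -> bool:
    """Table 17-13: an automated-attendant menu entry may translate only to a real
    extension, never to a pooled facility code or an ARS code, which would hand an
    outside caller an outside line. The prefix test is safe because a dial plan
    cannot contain an extension that begins with an access code."""
    if target.startswith(DENIED_POOL_CODES + ARS_ACCESS_CODES):
        return False
    return target in set(extensions)


if __name__ == "__main__":
    outcall = VoiceMailPort("VM-1", outward_restricted=False, allowed_prefixes=("1303",))
    for number in ("1-303-555-0100", "1-800-555-0100", "011-44-20-7946-0000", "1-305-555-0100"):
        print(number, screen_call(outcall, number))
```

Order matters in screen_call: checking the disallow list first is what makes "All other voice mail ports outward restricted" and the outcalling allow list safe to administer separately, since no allow-list entry can reopen 011, 10xxx or 1-800 dialing.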
MERLIN Plus Communications System
Also see the general security checklist on page 17-2, and the security checklist for any attached adjuncts.
Messaging 2000 Voice Mail System
Also see the general security checklist on page 17-2.
Customer: _________________________________________
PBX Type: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Port Additions: _________________________________________
Table 17-15. Messaging 2000 Voice Mail System security checklist
■ [Recommended] Use the randomly-generated method of assigning passwords to new mailboxes.
■ [Recommended] Regularly monitor the Uninitialized Mailbox report to determine if subscribers have changed their mailbox passwords.
■ [Required] Set the Consecutive Login Failures Before Lock-Out parameter on the Subscriber tab in System Setup to specify how many unsuccessful login attempts are allowed before mailboxes are locked.
■ [Recommended] When Quick Assist is run in recover mode from the \CVR prompt in an OS/2 window, or run automatically as part of system maintenance, include the -Mn parameter to specify a mailbox to receive unattached messages.
End-User Education
■ [Required] The end-user must periodically change all secondary passwords. After changing the secondary passwords, the end-user should notify the appropriate Avaya support organization(s) that the passwords have been changed.
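Three items of Table 17-15 work together: random initial passwords, the Uninitialized Mailbox report, and the Consecutive Login Failures Before Lock-Out parameter. The following is an added example in Python showing how the three interact; it is not Messaging 2000 code. The 6-digit password length and the lock-out threshold of 3 are assumed values (the real ones are set in System Setup), and the mailbox numbers are constructed.

```python
"""Mailbox login controls in the spirit of the Messaging 2000 checklist above.

Added example; it is not Messaging 2000 code. It shows the three items together:
randomly generated initial passwords, the "uninitialized mailbox" report (mailboxes
still on the administrator-assigned password), and lock-out after a number of
consecutive failed logins. The password length (6 digits) and threshold (3) are
assumed values; the real ones are set in System Setup. Passwords are held in the
clear here to keep the example short; a real store would keep a salted hash.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

PASSWORD_DIGITS = 6        # assumption
LOCKOUT_THRESHOLD = 3      # "Consecutive Login Failures Before Lock-Out", assumed value


def random_password(digits: int = PASSWORD_DIGITS) -> str:
    """Numeric password drawn from the secrets module, so it cannot be predicted from
    the mailbox number or from a sequence the way a hand-assigned default can."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


@dataclass
class Mailbox:
    number: str
    password: str
    initialized: bool = False   # set once the subscriber chooses a new password
    failures: int = 0           # consecutive failures since the last success
    locked: bool = False


class MailboxStore:
    def __init__(self) -> None:
        self.boxes: Dict[str, Mailbox] = {}

    def create(self, number: str) -> str:
        """Create a mailbox with a random initial password and return that password
        so the administrator can hand it to the subscriber out of band."""
        pw = random_password()
        self.boxes[number] = Mailbox(number=number, password=pw)
        return pw

    def login(self, number: str, attempt: str) -> str:
        """Return "ok", "denied" or "locked". Unknown mailboxes get "denied" so the
        response does not reveal which mailbox numbers exist."""
        box = self.boxes.get(number)
        if box is None:
            return "denied"
        if box.locked:
            return "locked"           # stays locked until an administrator unlocks it
        if hmac.compare_digest(box.password, attempt):
            box.failures = 0
            return "ok"
        box.failures += 1
        if box.failures >= LOCKOUT_THRESHOLD:
            box.locked = True
            return "locked"
        return "denied"

    def unlock(self, number: str) -> None:
        """Administrative unlock; also resets the failure counter."""
        box = self.boxes[number]
        box.locked = False
        box.failures = 0

    def change_password(self, number: str, old: str, new: str) -> bool:
        """Subscriber-initiated change; marks the mailbox initialized on success."""
        box = self.boxes.get(number)
        if box is None or box.locked or not hmac.compare_digest(box.password, old):
            return False
        if new == old or len(new) < PASSWORD_DIGITS or not new.isdigit():
            return False
        box.password = new
        box.initialized = True
        return True

    def uninitialized_report(self) -> List[str]:
        """The Uninitialized Mailbox report: subscribers who have never replaced the
        password the administrator assigned."""
        return sorted(n for n, b in self.boxes.items() if not b.initialized)


if __name__ == "__main__":
    store = MailboxStore()
    initial = store.create("2001")     # constructed mailbox number
    print("assigned:", initial, "uninitialized:", store.uninitialized_report())
    for guess in ("000000", "111111", "123456"):
        print("guess", guess, "->", store.login("2001", guess))
```

A mailbox that stays on the uninitialized report after the subscriber has been notified is the one to lock or delete: an assigned password nobody has changed is the password most likely to be shared or written down.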
Multimedia Communications Exchange Server
Also see the general security checklist on page 17-2.
Customer: _________________________________________
System & Version: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________
Table 17-16.
Multipoint Conferencing Unit / Conference Reservation and Control System
Also see the general security checklist on page 17-2.
Customer: _________________________________________
Location: _________________________________________
MSM SW Version and Install Date:
ESM SW Version and Install Date:
CRCS SW Version and Install Date:
CRCS is Single-User or Multi-User?
Table 17-17.
MCU Product Checksheets Attached: (Check all that apply)
(__) Multimedia Server Module (MSM)
(__) Expansion Services Module (ESM)
(__) Conference Reservation and Control System (CRCS)
ESM security checklist
NOTE: See the appropriate security checklist for the host MSM.
Table 17-18. ESM security checklist
System Administration
■ Root login changed from default
■ All other UNIX login passwords changed (INADS)
Remote Maintenance Access
■ Remote maintenance board (RMB) installed (if NO, skip to “Using External Modem...
CRCS Security Checklist
Customer: _________________________________________
CRCS Type: _________________________________________
Location: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Port Additions: _________________________________________
Table 17-19. CRCS security checklist
End User Education
■ Passwords changed for new subscribers
■ Passwords are difficult to guess
■ Passwords are changed quarterly
MSM security checklist
See the appropriate security checklist for the attached ESM or CRCS.
Table 17-20. MSM security checklist
System Administration
■ Customer advised of all logins under their control.
■ Passwords changed from factory defaults.
■ Passwords are customer-entered, maximum length, unique alphanumeric words.
■ NETCON access restricted by COR-to-COR restrictions.
PARTNER, PARTNER II, and PARTNER Plus communications systems, and PARTNER Advanced Communications System (ACS)
Also see the general security checklist on page 17-2.
Table 17-21. PARTNER, PARTNER II, and PARTNER Plus communication systems and PARTNER ACS security checklist
■ Customer is aware of network-based toll fraud surveillance offerings such as netPROTECT
■ Customer knows how to subscribe to ACCESS security shared folder
System Features
■ Forced account codes with verification used (PARTNER Plus Communications System 3.1 and later, and PARTNER II Communications System Release 3.
PARTNER MAIL, PARTNER MAIL VS, and PARTNER Voice Mail (PVM) systems
See also the general security checklist on page 17-2 and the security checklist for the host communications system.
Table 17-22.
System 25
Also see the general security checklist on page 17-2, and the security checklist for any attached voice mail systems or other adjuncts.
Customer: _________________________________________
Location: _________________________________________
PBX Type: _________________________________________
New Install: _________________________________________
System Upgrade: _________________________________________
Major Addition: _________________________________________
Table 17-23. System 25 security checklist
■ Disable remote maintenance access when not in use
Product Monitoring
■ SMDR/CAS reports monitored daily, administration log and activity log checked daily (AVP)
End-User Education
■ Only trusted personnel transferred to remote maintenance port
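Both the MERLIN LEGEND checklist (Table 17-10, "SMDR/HackerTracker reports monitored daily") and the System 25 checklist (Table 17-23, "SMDR/CAS reports monitored daily") leave open what a daily review actually looks for. The following is an added example of such a review in Python; it is not HackerTracker, CAS or any other Avaya reporting tool. The comma-separated record layout, the business-hours window, the voice-mail-port extension and the sample records are all constructed for the demonstration; real SMDR layouts differ by switch and release and must be mapped first.

```python
"""Daily SMDR review of the kind the checklists above call for.

Added example; it is not Avaya's HackerTracker or CAS. The record layout is a
constructed, comma-separated one: date, start time, duration in seconds,
originating extension, dialed digits, trunk. Real SMDR layouts differ per switch
and release, so parse_smdr() is the part to replace for a real feed.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, time
from io import StringIO
from typing import Dict, List

# Constructed sample records, not captured from any real system.
SAMPLE_SMDR = """date,start,duration,ext,dialed,trunk
2003-05-12,09:14:03,125,2211,13035551212,T01
2003-05-12,12:40:51,30,2211,5551234,T02
2003-05-12,22:07:10,1812,2450,01144207946000,T03
2003-05-12,22:15:44,1654,2450,01144207946001,T03
2003-05-12,23:02:09,900,2450,01144207946002,T01
2003-05-13,02:11:18,45,2450,13055550101,T02
2003-05-13,03:30:00,20,2210,18005550199,T02
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumption for the demo
VOICE_MAIL_PORTS = {"2450"}                   # extensions that are voice mail ports (assumed)
INTERNATIONAL_PREFIX = "011"
LONG_CALL_SECONDS = 1800                      # assumption
OFF_HOURS_REPEAT = 3                          # assumption


def parse_smdr(text: str) -> List[dict]:
    """Turn the constructed CSV layout into records with a datetime and int duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["when"] = datetime.strptime(f"{r['date']} {r['start']}", "%Y-%m-%d %H:%M:%S")
        r["duration"] = int(r["duration"])
        rows.append(r)
    return rows


def review(records: List[dict]) -> Dict[str, List[str]]:
    """Return findings keyed by rule name. Each rule is one of the patterns the
    handbook's monitoring items are after: international dialing, outbound calls
    from voice mail ports, long calls outside business hours, and one extension
    repeatedly calling out after hours."""
    findings = defaultdict(list)
    off_hours_per_ext = Counter()
    for r in records:
        tag = f"{r['ext']} -> {r['dialed']} at {r['when']:%Y-%m-%d %H:%M}"
        t = r["when"].time()
        off_hours = not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])
        if off_hours:
            off_hours_per_ext[r["ext"]] += 1
        if r["dialed"].startswith(INTERNATIONAL_PREFIX):
            findings["international"].append(tag)
        if r["ext"] in VOICE_MAIL_PORTS and r["dialed"].strip():
            findings["outbound_from_voice_mail_port"].append(tag)
        if off_hours and r["duration"] >= LONG_CALL_SECONDS:
            findings["long_off_hours_call"].append(tag)
    for ext, n in sorted(off_hours_per_ext.items()):
        if n >= OFF_HOURS_REPEAT:
            findings["repeated_off_hours_calls"].append(f"{ext}: {n} calls outside business hours")
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in review(parse_smdr(SAMPLE_SMDR)).items():
        print(rule)
        for h in hits:
            print("   ", h)
```

In the constructed sample the voice mail port extension 2450 is the one placing late-night international calls, which is the pattern an outcalling port left without an allow list produces; the review flags it under three rules at once, so a daily reader sees one extension, not scattered lines.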
PassageWay Telephony Services
Also see the general security checklist on page 17-2.
Customer: _________________________________________
Location: _________________________________________
PassageWay Install Date: ________________________________________
Table 17-24. PassageWay Telephony Services security checklist
General
■ Telephony server is in a secure location (locked room).
■ Backups of the telephony server machine are made at regular intervals.
System Administration
■ Guidelines followed for logins/passwords for user accounts. (See PassageWay customer documentation.)
■ Customer educated about standard Avaya password recommendations (for example, at least 7 characters and forced password change for new subscribers. See PassageWay customer documentation.)
■ Default administrator login for Tserver changed at installation.
■ For NetWare only: Used the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.12) to set the appropriate login and password restrictions (for example, require users to have passwords with a minimum length of 7 characters, enable password aging, and so forth.)
■ Used the NetWare Administrator feature (NetWare 4.10 and 4.11) or SYSCON utility (NetWare 3.
Access Control
■ To ensure protection of sensitive system files used by Tserver, only the System Administrator has access to Tserver, Security Database, and log files.
■ For Windows NT only: Make the file system NTFS instead of FAT.
■ Configure the following security options:
— Require login names for callers
— Make passwords case-sensitive
— Log failed connection attempts
— Maximum login attempts per call
— Time to enter complete login
— Disconnect if inactive
■ Configure pcANYWHERE to log remote control and on-line sessions.
Large business communications systems security tools by release 18
The following tables contain page references for the available security features for System 75, System 85, DEFINITY G1, G2, G3, DEFINITY ECS, MultiVantage™ Software, and Communication Manager. Information is listed by release.
NOTE: MultiVantage™ Software and Communication Manager are bundled into the ECS R5 & later column.
Table 18-1.
Non-supported products 19
Below are listed the products Avaya no longer supports as of the given dates.
As of September 30, 2000
As of September 30, 2000, Avaya no longer supports these products:
■ INTUITY Lodging R1.1, QPPCN from R1.0
■ INTUITY Interchange (pre 5.1)
■ INTUITY High Capacity Option (pre 4.
Links to additional security information 20
About IP and network security
As IP and network technology advances, so do ways to abuse the technology. This appendix provides links to various references you can use to enhance your own knowledge of security issues.
Avaya products to enhance security
Avaya offers a security gateway that can protect your VoIP environment to provide for a 24x7 architecture. Combining VPN access and H.
■ RedHat Linux 8 Bible. Publisher: John Wiley & Sons. ISBN: 0764549685
■ Anti-Hacker Tool Kit. Keith J. Jones, Bradley C.
Glossary
A
AAR: Automatic Alternate Routing
ACA: Automatic Circuit Assurance
ACD: Automatic Call Distribution
ADAP: AUDIX Data Acquisition Package
AFRL: Alternate Facility Restriction Level
AMIS: Audio Messaging Interface Specification
ANI: Automatic Number Identification
APLT: Advanced Private Line Termination
ARS: Automatic Route Selection, replaced by WCR in DEFINITY G2.2
AUDIX: Audio Information Exchange
AVP: AUDIX Voice Power
Access: The act of entering into a PBX system.
AMIS Analog Networking: An AUDIX Voice Mail System feature that connects the AUDIX Voice Mail System to other voice mail systems to exchange messages. Call Delivery is a service of AMIS Analog Networking.
ARS dial tone: The dial tone callers hear after they enter the ARS feature access code.
Attendant: The operator of the console.
Attendant Console: An electronic call-handling position with push-button control.
CDR: Call Detail Recording
Call Forwarding: A set of features that allow calls destined for an extension to be redirected to another extension, designated during activation.
Call Forwarding All Calls (Follow Me): A feature that allows calls destined for an extension to be redirected to another extension, designated during activation, regardless of the busy or idle state of the called extension. Intended to redirect calls to the called party when he or she is away from his or her desk.
Class of Restriction: A number (0 through 63) that specifies the calling privileges and limitations assigned to stations, Remote Access users, and trunk groups. For DEFINITY G3rV1, G3i-Global, and G3V2 and later, CORs have been increased to 96; thus, the number is 0 through 95.
Class of Service: For DEFINITY G2 and System 85, specifies the calling privileges and limitations assigned to the station.
ETN: Electronic Tandem Network
Enhanced Call Transfer: An AUDIX Voice Mail System feature that provides security by interacting with the PBX system to validate that the number entered by an AUDIX Voice Mail System caller is a valid extension number in the dial plan.
Enhanced Private Switched Communications Service: A private telecommunications network that provides advanced voice and data telecommunications services to companies with many locations.
Feature Access Code: A code used to access a feature, such as ARS, Data Origination, Priority Calling and Call Pickup.
Foreign Exchange: A Central Office other than the one providing local access to the public telephone network.
Foreign Numbering-Plan Area Code: An area code other than the local area code. The FNPAC must be dialed to call outside the local geographic area.
L
LEC: Local Exchange Carrier
M
Manual Terminating Restriction: Prevents the station from receiving calls other than those originated by the attendant.
MERLIN Attendant: An Avaya adjunct that provides voice mail and automated attendant services for use with the MERLIN LEGEND Communications System and MERLIN II Communications System R3.
Message Indicator Lamp: The light on a voice terminal that is activated by the attendant or a voice mail adjunct when there is a message for the user.
Outcalling: An AUDIX Voice Mail System feature that alerts designated subscribers when a voice mail message is delivered to their voice mailbox.
Outgoing Trunk to Outgoing Trunk Transfer: Allows a controlling party, such as a station user or attendant, to initiate two or more outgoing trunk calls and then transfer the trunks together. The transfer removes the controlling party from the connection and conferences the outgoing trunks.
RHNPA: Remote Home Numbering Plan Area
RPSD: Remote Port Security Device
Random Number Generators: Devices frequently used by hackers to decipher passwords and access codes.
Redirect: A feature that sends an incoming call to another station for coverage.
Referral Call: An internally-generated call that terminates to a designated destination and indicates an event such as a security violation.
Remote Access: A feature that provides remote callers access to most of the PBX features.
Security Violation: An event that occurs when the number of invalid access attempts (login, Remote Access, or authorization code) exceeds the customer-administered threshold of invalid access attempts permitted within a specified time interval.
Security Violations Measurement Report: Monitors Remote Access and administration ports for invalid login attempts and attempts to enter invalid barrier codes.
Trunk Group: Telecommunications channels assigned as a group for certain functions that can be used interchangeably between two communications systems or Central Offices.
Trunk Access Code: A digit sequence, assigned during trunk administration, that identifies the trunk.
WCR: World Class Routing
Wide Area Telecommunications Service: A service that allows calls to a certain area or areas for a flat-rate charge based on expected usage.
World Class Routing: For DEFINITY ECS and DEFINITY G2.2 and G3, provides flexible network numbering plans.
Index
Numerics
0 calls, 5-24, 5-55 00 calls, 5-24 01 calls, 5-35 blocking, 11-15 010 calls, 5-35 011 calls, 5-35, 5-55 10xxx calls, 2-7, 5-24 10xxx01 calls, 5-35 10xxx11 calls, 5-35 2-way trunk groups, 5-16 3-way COR check, 5-17, 5-50 3-way-conferencing, 7-35 6-digit screening, 2-8 800 numbers, 2-7, 4-2, 5-3, 15-1 800 service, 7-55, 7-58 trunks, 4-2 911 number, 5-15 950 numbers, 2-7 976-look-alike numbers, 2-8
A
AAR, see Automatic Alternate Routing AAR/ARS analysis, 5-20 Feature Access Code, 5-9 Abbre
authorization code, 5-3, 5-19, 5-22, 5-29, 5-30, 7-57, 7-59 invalid login attempts, 5-64 maximum allowed, 5-9 monitoring usage, 5-30 Network Access Flag set, 5-9 removing, 5-30 Time-Out to Attendant, 5-36 usage patterns, 6-13, 6-60 used with barrier code, 5-7 VDN, 5-9 Authorization Code Violations Status Report, 5-64, 5-66 auto dial button, 4-8 programming passwords, 7-3 automated attendant, 2-1, 2-5, 4-3, 7-19, 7-25, 7-28, 7-32, 7-40 adjunct equipment, 8-3 AUDIX Voice Mail System, 8-16 AUDIX Voice P
Call Forward Off-Net, 5-17, 7-7, 8-4 Call Forwarding, 2-8, 5-70 Feature Access Code, 5-9 call list, 7-7, 8-5 free, 5-20 specifying, 5-19 unrestricted, 5-19, 7-29 Call Management System helplines, 9-2 log, 5-58 Measurements, 5-58 securing, 4-6 security tips, 9-1 call pager, 7-29 scam, 2-7 Call Prompting, 5-11 call sell operations, 2-2 Call Traffic Report, 7-14, 8-10, 8-13 Call Vectoring, 5-10, 5-11, 5-33 call volume increases, 5-55 calling out-of-hours, 6-6, 6-13, 6-59 restricting by area, 7-8 calling
Data Privacy Feature Access Code, 5-9 Data Restriction Feature Access Code, 5-9 DCS, see Distributed Communication System default passwords changing, 4-4 DEFINITY AUDIX Voice Messaging System automated attendant, 8-18 logins, 7-22 password changing, 14-4 protecting, 7-22 protecting the system, 7-16 security checklists, 17-4 security considerations, 7-23 DEFINITY Communications System automated attendant, 8-1 detecting toll fraud, 5-50 restricting unauthorized outgoing calls, 5-13 security goals and t
Feature Access Code, 2-5 Abbreviated Dialing, 5-9 ARS/AAR, 5-9 Call Forwarding, 5-9 Data Origination, 5-9 Data Privacy, 5-9 Data Restriction, 5-9 Facility Test Calls, 5-9 firewalls, 3-2 FNPA, see Foreign Numbering Plan Area Forced Entry of Account Code, 5-24, 5-47 Forced Password Aging, 5-52 Foreign Numbering Plan Area, 5-34, 5-35, 5-37 free call list, 5-20 AAR/ARS calls, 5-20 TAC calls, 5-20 FRL, see Facility Restriction Level Fully Restricted Service, 5-16, 5-31 FX trunks, 4-2 international calls,
M
maintenance access, 4-7 maintenance port, 4-9 target of abuse, 2-4 Malicious Call Trace, 5-68 Manager I, 7-14 reporting, 5-55, 8-10 Manager III/IV, 4-6 Manual Terminating Line Restriction, 8-4 Measurement Selection ARS, 5-56, 7-15, 8-11 measurements BCMS, 5-58 CMS, 5-58 MERLIN Attendant, 8-19, 8-20 MERLIN II Communications System protecting DISA, 6-5 security checklists, 17-27 security goals and tools, 4-14 security tips, 6-5 voice mail, 7-35 MERLIN LEGEND Communications System allowed and disallow
outcalling, 7-25, 7-40, 7-57, 7-59, 7-61 limiting, 7-29, 7-44 Outgoing Trunk to Outgoing Trunk Transfer disabling, 5-44 Outward Restriction, 5-15, 5-17, 7-7, 8-4 overlapped sending, 5-49
P
Partitioned Group Number, 12-1 PARTNER Attendant, 8-21, 8-22 PARTNER II Communications System protecting the system, 6-61 security checklists, 17-56 security goals and tools, 4-19 voice mail, 7-55 PARTNER MAIL System, 7-55, 7-58 automated attendant, 8-21, 8-22 outcalling, 7-57, 7-59 password changing, 14-9 protect
Remote Access, (continued) Status Report, 5-64 status report, 5-64 System 25, 6-62 System 75, 5-2 System 85, 5-2 Violations Status Report, 5-65 Remote Administration Unit, 4-20, 6-61 Remote Call Forwarding, 6-15, 6-60 used with loop-start trunks, 6-15 Remote Home Numbering Plan Area, 5-37 Remote Line Access, 6-59 Remote Maintenance Board, 7-33 Remote Maintenance Device, 6-62 Remote Port Security Device, 16-1 remote service observing, 5-70 Remote System Administration System 25, 6-63 Remote System Pro
SMDR reports, 6-6, 6-13, 6-60, 6-63, 7-35, 7-37, 7-47, 7-56, 7-58, 7-60 SMDR, see Station Message Detail Recording social engineering, 2-6 SPM, see System Programming and Maintenance Station Message Detail Recording, 2-4, 5-47, 7-13, 7-44, 8-9, 15-1 station restrictions, 5-20 Station Security Code Violations Report, 5-66 Station Security Violation Status Report, 5-64 Station-to-Trunk Restrictions, 7-6, 8-3 status remote access command, 5-12 SVN, see Security Violation Notification feature switch dial
traffic abnormal patterns, 8-10 measurements, 5-55 monitoring flow, 5-56 reports, 7-19, 7-30, 8-13 Trans Talk 9000 Digital Wireless System security tips, 9-9 Transfer Out of AUDIX, 7-25 disabling, 7-28 transfers limiting, 8-5 Traveling Class Mark, 5-46, 5-49 Trouble Tracker, 4-6 trunk 800 service, 4-2 AAR, 5-8 administration, 5-9 ARS, 5-8, 5-47 CO, 4-2, 5-16, 5-17, 5-20, 8-4, 8-5 disabling direct access, 5-39 FX, 4-2, 5-16, 5-17, 8-4, 8-5 loop-start, 6-62 monitoring, 5-46 outgoing, 5-47 public networ
voice processing systems, 4-4 voice session record, 7-19, 8-14 voice terminal Public Restriction, 5-16 Termination Restriction, 5-16 voice terminal group attendant-controlled, 5-21 void disabling logins, 5-28
W
WCR, see World Class Routing wild card characters, 5-49, 5-50 wiring closets physical security, 4-9 World Class Routing, 5-24, 5-33 restricting, 5-49 Toll Restriction, 5-18 toll restriction, 8-5