GHTROUT http://www.GHTROUT.net/
 

Also Check These:


Gene's Meridian 1 Security Audit

An audit of the Meridian 1 telephone system will ensure that every possible "system" precaution has been made to prevent fraud. The first step involves querying data from the system in the form of printouts (or "capturing" the data to a file in a PC). The next step is to analyze the data and confirm the reason for each entry. Please be advised that this procedure is not designed for all "networked" Meridian 1 systems, however, most of the items apply to all systems. Use at your own risk.  İGHTROUT

PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all of the data from these printouts to separate files. This can be accomplished with a PC and communications program.   For the BARS LD90 NET printout, look here İGHTROUT

LD22 CFN LD22 PWD LD21 CDB LD21 RDB
LD21 LTM LD23 ACD LD24 DISA LD20 SCL
LD86 ESN (Detail) LD86 RLB (Detail) LD86 DMI (Detail) LD87 NCTL (Detail)
LD87 FCAS (Detail) LD87 CDP (Detail) LD90 NET (Detail) LD90 SUM (Detail)
LD20 TNB LD22 DNB LD88 AUB  

GATHERING DATA FROM LD81 İGHTROUT

List (LST) the following FEAT entries to form an information base on the telephones. İGHTROUT

NCOS 00 99 CFXA UNR TLD SRE
FRE FR1 FR2 CUN CTD

DATA BLOCK REVIEW ITEMS İGHTROUT

From the printouts, a review of the following areas must be made. Some of the items may or may not be appropriate depending on the applications of the telephone system. İGHTROUT

CFN - Configuration
  • Verify that History File is in use. İGHTROUT
PWD - Passwords
  • Verify that FLTH (failed login attempt threshold) is low enough.
  • Verify that PWD1 and PWD2 (passwords) use both alpha and numeric characters and are eight or more characters long.
  • Note any LAPW's (limited access passwords) assigned.
  • Enable audit trails. İGHTROUT
CDB - Customer Data Block
  • Verify that CFTA (call forward to trunk access code) is set to NO.
  • Verify NCOS level of console. İGHTROUT
  • Verify that NIT1 through NIT4 (or other night numbers) are pointing to valid numbers. İGHTROUT
  • EXTT prompt should be NO to work in conjunction with trunk route disconnect controls (See RDB) İGHTROUT
RDB - Trunk Route Data Block
  • Verify that every route has a TARG assigned. İGHTROUT
  • Confirm that FEDC and NEDC are set correctly. ETH is typical, however for maximum security in blocking trunk to trunk connections, set NEDC to ORG and FEDC to JNT İGHTROUT
  • Confirm that ACCD's are a minimum of four digits long (unless for paging). İGHTROUT
  • If ESN signaling is active on trunk routes, verify that it needs to be. ESN signaling, if not required, should be avoided. İGHTROUT
  • NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block İGHTROUT
ACD - Automatic Call Distribution
  • Verify ACD queues and associated NCFW numbers. Verify all referenced extensions. İGHTROUT
DISA - Direct Inward System Access
  • Remove DISA if not required. If required, verify that security codes are in use. İGHTROUT
ESN - Electronic Switched Network
  • AC1 is typically "9". If there is an AC2 assigned, verify its use.
  • If TOD or ETOD is used - verify what NCOS levels are changed, when they are changed and why they are changed. İGHTROUT
  • Apply FLEN to your SPNs to insure nobody is ever allowed to be transferred to a partially dialed number, like "Transfer me to 91800" İGHTROUT
  • Study EQAR (Equal Access Restriction) to insure that users can only follow a "Carrier Access Code" with a zero rather than a one:   (1010321-1-414-555-1212 is blocked but 1010321-0-414-555-1212 is allowed with EQAR) İGHTROUT
NCTL - Network Control
  • Use LD81 FEAT PRINT to verify all NCOS being used.
  • Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X in the NCTL? İGHTROUT
  • Does FRL 0 have any capabilities? - It should not be able to dial anything. İGHTROUT
FCAS - Free Call Area Screening
  • Confirm the need to use FCAS and remove it if possible. FCAS is usually a waste of system memory and complicates the system without saving money. İGHTROUT
DGT (DMI) - Digit Manipulation
  • Confirm all numbers referenced in the "insert" section of each DMI table. İGHTROUT
RLB - BARS Route List Block
  • Are any RLB ENTR'S assigned FRL 0 - typically, only the RLB that handles 911 calls should have an FRL 0. İGHTROUT
  • If DMI is in use, confirm all "inserted" numbers. İGHTROUT
CDP - BARS Coordinated Dialing Plan
  • Are all CDP numbers valid? Check the RLBs they point to and see what the DMI value is. Confirm insertions. İGHTROUT
NET - ALL - BARS Network Numbers
  • Add 000,001,002,003,004,005,006,007,008,009 as SPNs pointing to a route list block that is set to LTER YES. These entries block transfers to "ext. 9000" and similar numbers. İGHTROUT
  • Point SPN "0" to a RLI with a high FRL, then consider adding new SPNs of 02, 03, 04, 05, 06, 07, 08, 09 to point to a RLI with a lower FRL so that users cannot dial "0", but can dial "0+NPA credit card calls. İGHTROUT
  • Check FRL of 0, 00, 011 and confirm that each is pointed to separate NET entry requiring a high FRL. İGHTROUT
  • Remove all of shore NPAs (Like 1-809 Dominican Republic) if possible.   Regulations are almost non-existent in some of those areas and they are hot fraud targets. İGHTROUT
  • Verify blocking 900 and 976 access.  Also consider blocking the NXX of your local radio station contest lines.  Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system. İGHTROUT
  • Restrict the main numbers and DID range within the BARS system. There is no need to call from an outgoing to an incoming line at the same location. İGHTROUT
TRUNKS
  • Confirm that all trunks have TGAR assigned. İGHTROUT
  • Confirm that all incoming and TIE trunks have class of service SRE assigned. (caution on networked systems) İGHTROUT
  • Confirm that all trunks have an NCOS of zero. İGHTROUT
  • NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block İGHTROUT
SETS-PHONES
  • Does every phone have a TGAR of 1 assigned? (This must be checked set by set, TN by TN). İGHTROUT
  • Can you change every phone that is UNR to CTD? Review LD81 FEAT PRINT to find out the UNR sets. CTD class of service is explained below. İGHTROUT
  • Confirm that all sets are assigned CLS CFXD? İGHTROUT
  • Confirm that the NCOS is appropriate on each set. İGHTROUT
  • In Release 20 or above, removing transfer feature may be appropriate. İGHTROUT
  • Confirm that all sets CFW digit length is set to the system DN length. İGHTROUT
  • NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block İGHTROUT
  • Apply Flexible Trunk to Trunk Connections on the set (Such as CLS=FTTR), and FTOP in the CDB if deemed appropriate.  These restrictions are done on a set by set basis and allow or deny the ability to transfer incoming calls out of the facility. İGHTROUT
VOICE MAIL PORTS
  • Each port should be CLS of SRE İGHTROUT
  • Apply Flexible Trunk to Trunk Connections on the TNs (CLS=FTTR), and verify FTOP in the CDB İGHTROUT
  • Each port should be NCOS 0 - NCOS 0 must be known to be too low to pass any call İGHTROUT
  • Each port should be TGAR 1 (all trunk routes must be TARG 1 also) İGHTROUT
  • NOTES ON TGAR: For demonstration purposes, this document suggests that sets be a "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block İGHTROUT
  • NOTE:  If you are used to your Mail system doing outcalling, you can forget about that working after applying these restrictions.  An alternative that will allow Outcalling but restrict thru-dialing to external numbers is to keep the NCOS and CLS restrictions high enough to place outcalls, but "Apply Flexible Trunk to Trunk Connections on the TNs (CLS=FTTR), and verify FTOP in the CDB" as indicated in point 1 above.  İGHTROUT

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS: İGHTROUT

EXPLANATION OF CLASS OF SERVICE SRE:  İGHTROUT

  • NTP DEFINITION: Allowed to receive calls from the exchange network. Restricted from all dial access to the exchange network. Allowed to access the exchange network through an attendant or an unrestricted telephone only. İGHTROUT
  • Essentially, an SRE set can do nothing on it's own except dial internal and TIE line extensions. If a trunk is SRE - it will work normally and allow conference calls and transfers. İGHTROUT

EXAMPLES OF 'SRE' IN USE:  İGHTROUT

  • Voice Mail cannot connect to an outgoing line, but can receive incoming calls. İGHTROUT
  • Callers on the far end of a TIE line cannot call out through your end (for their sake, both ends should be SRE). İGHTROUT

EXPLANATION OF CLASS OF SERVICE CTD:  İGHTROUT

  • If a route access code is accessed (if there was no match between the TGAR and TARG), the caller cannot dial 1 or 0 as the leading digits. İGHTROUT
  • If the caller makes a "dial 9" BARS call, the NCOS will control the call. İGHTROUT

EXPLANATION OF TGAR AND TARG:  İGHTROUT

  • The best restriction is to have all trunk routes TARG'd to 1 and all TNs (including actual trunk TNs) TGAR'd to 1. This will block all access to direct trunk route selection. İGHTROUT

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS  İGHTROUT

  • No incoming caller will have access to an outside line unless physically transferred or conferenced by an internal party. If voice mail ports are SRE and NCOS 0 and have a TGAR matching the TARG - they will not be able to transfer a call out of the system, regardless of the voice mail system's resident restrictions assigned. İGHTROUT
  • No phone will be able to dial a trunk route access code. Consider allowing telecom staff this ability for testing. İGHTROUT
  • Layered security:  İGHTROUT
    • If in phone programming, TGAR was overlooked on a phone, the CTD class of service would block the user from dialing a 0 or 1 if they stumble upon a route access code.
    • If in programming, the CTD class of service was overlooked, both TGAR and NCOS would maintain the restrictions. İGHTROUT
    • If in programming, the NCOS is overlooked, it will defaults to zero, which is totally restricted if NCTL and RLBs are set up correctly. İGHTROUT