Technical information
DEFINITY ECS, DEFINITY Communications Systems,
System 75, and System 85
Issue 7 June 2001
6-33
Security Measures
Design applications with toll fraud in mind.
Make sure the application verifies that long distance numbers are not being requested, or that only permitted numbers are requested. The Transfer Call and Call Bridge capabilities of Script Builder, and the “tic” instruction at the Transaction State Machine (TSM) script level, provide network access. If the ASAI package is loaded, additional TSM instructions and libraries provide access using the ASAI facility. In addition, a poorly designed Prompt and Collect action for transfer could let the caller enter any number as an outside access number.
If numbers are contained in a database where anyone with database access can change them, or if they are entered by the caller, fraud is possible. Build the numbers into the application, or have the application control them, to minimize the possibility of toll fraud.
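The two paragraphs above amount to a default-deny allowlist on any number a caller can influence before it reaches a Transfer Call or Call Bridge action. The following is an added example, not code from the Avaya document or from Script Builder or TSM: a Python validation routine of the kind an IVR application could run on the digits returned by a Prompt and Collect step. The permitted destinations, the trunk access code "9", and the long-distance prefixes "1" and "011" are assumptions for illustration; the destination table is built into the application rather than read from a caller-editable source, as the text recommends.

```python
"""Default-deny check for caller-entered transfer destinations.

Added example (not from the Avaya document). Assumptions: the outside-line
trunk access code is "9", domestic long distance starts with "1" and
international with "011", and the permitted destinations below are a
constructed table compiled into the application.
"""
import re

# Constructed table of permitted destinations: internal 4-digit extensions
# and one approved local number. Built into the application so that neither
# a caller nor a database user can add new entries.
PERMITTED_DESTINATIONS = frozenset({
    "2000", "2001", "2150",   # internal extensions (constructed)
    "5551234",                # approved local number (constructed)
})

TRUNK_ACCESS_CODE = "9"                 # assumed outside-line prefix
LONG_DISTANCE_PREFIXES = ("1", "011")   # assumed: domestic LD, international


def normalize_digits(collected: str) -> str:
    """Keep only dialable digits; drop '*', '#', pauses, dashes and spaces."""
    return re.sub(r"[^0-9]", "", collected)


def classify_destination(collected: str) -> str:
    """Classify collected digits for logging.

    Returns one of:
      'permitted'      exact match in the built-in table
      'long_distance'  trunk access code followed by a long-distance prefix
      'outside'        trunk access code followed by anything else
      'unknown'        everything else (unlisted extension, empty input)
    Only 'permitted' may ever be transferred.
    """
    digits = normalize_digits(collected)
    if not digits:
        return "unknown"
    if digits in PERMITTED_DESTINATIONS:
        return "permitted"
    if digits.startswith(TRUNK_ACCESS_CODE):
        outside = digits[len(TRUNK_ACCESS_CODE):]
        if outside.startswith(LONG_DISTANCE_PREFIXES):
            return "long_distance"
        return "outside"
    return "unknown"


def transfer_target(collected: str):
    """Return the digit string to hand to the transfer action, or None.

    The application, not the caller, decides whether a trunk access code is
    prepended when it dials an approved local number.
    """
    digits = normalize_digits(collected)
    if classify_destination(digits) == "permitted":
        return digits
    return None


if __name__ == "__main__":
    for entry in ("2001", "9-1-212-555-0100", "9 011 44 20 7946 0958",
                  "95551234", "5551234", "2002", "#*"):
        print(f"{entry!r:28} -> {classify_destination(entry):14} "
              f"transfer={transfer_target(entry)}")
```

The classification exists only so that rejected attempts can be logged with a reason; the transfer decision itself is a single membership test against the compiled-in table, so an unlisted 4-digit extension is refused just as a long-distance number is.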
The VIS Feature Test (feature_tst) package contains application programs that can be assigned to channels to test system components that allow any 4-digit number to be dialed, such as transfer and call bridging. The application should not be assigned to a channel, or the package should not be loaded, except when these tests are being used.
Anyone with access to application code can hide logic in it that provides network access and is triggered under specific circumstances. Make sure that only trusted individuals can access application code.
An application can be audited using Automatic Number Identification (ANI) capabilities through PRI and ASAI (or normal call data tools) to set up local database tables to collect numbers. If a significant number of repeat inbound calls are identified, an administrator can be notified using the Netview package, UNIX, or ARU, or an application can be spawned to call someone to alert the administrator about the calls.
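The audit described above is a repeat-caller count over collected ANI values with a notification when a threshold is crossed. The following is an added example, not code from the Avaya document: a Python routine that reads call records of the kind a call-data tool might export, counts calls per ANI in a sliding time window, and produces the administrator message. The record layout, the threshold of five calls, the one-hour window, and the sample records are all constructed for illustration; how the message is delivered (Netview, a UNIX mail command, ARU) is left to a caller-supplied function.

```python
"""Repeat-inbound-caller audit over ANI call records.

Added example (not from the Avaya document). The record format
"timestamp,ani,channel,application" is an assumption, as are the threshold
and window; SAMPLE_CALLS is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPEAT_THRESHOLD = 5           # assumed: calls from one ANI within WINDOW
WINDOW = timedelta(hours=1)    # assumed sliding window

# Constructed records: one ANI hammering the transfer application at 2 a.m.,
# one casual repeat caller, one spread over a working day, one call with no
# ANI delivered.
SAMPLE_CALLS = [
    "2001-06-04 02:00:10,2125550199,3,xfer_app",
    "2001-06-04 02:05:42,2125550199,3,xfer_app",
    "2001-06-04 02:09:05,2125550199,4,xfer_app",
    "2001-06-04 02:14:30,2125550199,3,xfer_app",
    "2001-06-04 02:20:11,2125550199,5,xfer_app",
    "2001-06-04 02:28:57,2125550199,3,xfer_app",
    "2001-06-04 09:15:00,7185550123,1,info_app",
    "2001-06-04 11:40:00,7185550123,2,info_app",
    "2001-06-04 08:00:00,9085550177,1,info_app",
    "2001-06-04 10:00:00,9085550177,1,info_app",
    "2001-06-04 12:00:00,9085550177,2,info_app",
    "2001-06-04 14:00:00,9085550177,1,info_app",
    "2001-06-04 16:00:00,9085550177,2,info_app",
    "2001-06-04 13:07:00,,4,xfer_app",
]


def parse_record(line: str):
    """Return (timestamp, ani, channel, application); ani may be ''."""
    ts, ani, channel, app = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ani.strip(), int(channel), app


def max_calls_in_window(times, window: timedelta) -> int:
    """Largest number of calls from one ANI falling inside any `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def audit_calls(lines, threshold=REPEAT_THRESHOLD, window=WINDOW):
    """Build the per-ANI table and report ANIs that exceed the threshold."""
    by_ani = defaultdict(list)
    no_ani = 0
    for line in lines:
        ts, ani, _channel, _app = parse_record(line)
        if not ani:               # ANI not delivered; count but cannot attribute
            no_ani += 1
            continue
        by_ani[ani].append(ts)
    repeat = {ani: max_calls_in_window(ts_list, window)
              for ani, ts_list in by_ani.items()
              if max_calls_in_window(ts_list, window) >= threshold}
    return {"records": len(lines), "no_ani": no_ani, "repeat_callers": repeat}


def format_notification(repeat_callers, threshold=REPEAT_THRESHOLD,
                        window=WINDOW) -> str:
    """Text for the administrator; empty string when there is nothing to report."""
    if not repeat_callers:
        return ""
    lines = [f"Repeat inbound calls (>= {threshold} within {window}):"]
    for ani, count in sorted(repeat_callers.items(), key=lambda kv: -kv[1]):
        lines.append(f"  ANI {ani}: {count} calls")
    return "\n".join(lines)


def run_audit(lines, notify=print):
    """Run the audit and hand any message to `notify` (a hypothetical hook)."""
    result = audit_calls(lines)
    message = format_notification(result["repeat_callers"])
    if message:
        notify(message)
    return result


if __name__ == "__main__":
    run_audit(SAMPLE_CALLS)
```

Counting within a sliding window rather than per day keeps a legitimate caller who phones five times across a shift from being reported, while a burst against the transfer application is; the threshold and window should be tuned against the site's normal call data before the notification is wired to Netview or a paging script.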
Protect local and remote access.
Restrict login access to trusted individuals with a need to maintain or administer the system.
Restrict remote login access.
Use the administrative interface and its security classes for logins. Certain capabilities are restricted for particular classes. For example, the Operations class cannot modify applications.
When you use a modem, make sure it is administered properly to prevent access by outside users. Disconnect the phone line from the modem when the modem is not in use, or use the RPSD lock.
Use standard UNIX tools to monitor login statistics.