Checking system security

Last Updated: Sep 27, 2023

About this task

Here are some of the steps required for indemnification. Use them to analyze your system security.

Procedure

  1. Remove all default factory logins of cust, rcust, browse, nms, and bcms and assign unique logins with 7-character alphanumeric passwords and a 90-day password aging.

    Use the list logins command to find out what logins are there.

  2. If you do not use Remote Access, be sure to disable it permanently.
    Tip:

    You can use the display remote-access command to check the status of your remote access.

    To disable Remote Access, on the Remote Access screen, in the Permanently Disable field, enter y.

    Note:

    Avaya recommends that you permanently disable Remote Access using the change remote-access command. If you do permanently disable Remote Access, the code is removed from the software. Avaya charges a fee to restore the Remote Access feature.

  3. If you use Remote Access, but only for internal calls, changing announcements, or remote service observing:
    1. Use a 7-digit barrier code.
    2. Assign a unique COR to the 7-digit barrier code.

      The unique COR must be administered where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.

    3. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
    4. Set the aging cycle to 90 days with 100 call limit per barrier code.
  4. If you use Remote Access to process calls off-net or in any way access the public network:
    1. Use a 7-digit barrier code.
    2. Assign a unique COR to the barrier code.
    3. Restrict the COR assigned to each barrier code by FRL level to only the required calling areas to conduct business.
    4. Set the aging cycle to 90 days with 100 call limit per barrier code.
    5. Suppress dial tone where applicable.
    6. Administer Authorization Codes.
    7. Use a minimum of 11 digits (combination of barrier codes and authorization codes).
    8. Assign Security Violation Notification Remote to 10 attempts in 2 minutes.
  5. If you use vectors:
    1. Assign all Vector Directory Numbers (VDN) a unique COR.

      For more information, see Avaya Aura® Call Center 5.2 Automatic Call Distribution (ACD) Reference and Avaya Aura® Call Center 5.2 Call Vectoring and Expert Agent selection (EAS) Reference.

      Note:

      The COR associated with the VDN dictates the calling privileges of the VDN/vector. High susceptibility to toll fraud exists on vectors that have collect digits steps. When a vector collects digits, it processes those digits back to Communication Manager, and if the COR of the VDN allows it to complete the call off-net, it will do so. For example, the announcement “If you know your party’s 4-digit extension number, enter it now” results in 4 digits being collected in step 6. If you input 90## or 900#, the 4 digits are analyzed, and if 9 points towards ARS and 0 or 00 is assigned in the ARS Analysis Tables and the VDN COR allows it, the call routes out of the server to an outside local exchange or long distance operator. The operator then connects the call to the requested number.

    2. If vectors associated with the VDN do not require routing the call off-net or via AAR, assign a unique COR where the FRL is 0, the Calling Party Restriction field is outward, and the Calling Permissions field is n on all unique Trunk Group COR.
    3. If the vector has a route-to step that routes the call to a remote server via AAR, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an AAR call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions.

      Assign the appropriate AAR route patterns on the AAR Partition Group using the change aar analysis partition x 2 command.

      Tip:

      You can use the display aar analysis print command to print a copy of your Automatic Alternate Routing (AAR) setup before making any changes. You can use the printout to correct any mistakes.

    4. If the vector has a route-to step that routes the call to off-net, assign a unique COR with a unique ARS/AAR Partition Group, the lowest FRL to complete an ARS call, and n on all unique COR assigned to your public network trunking facilities on the Calling Permissions.

      Assign the appropriate complete dial string in the route-to step of the vector on the unique ARS Partition Group using the change ars analysis partition x 2 command.

  6. On the Feature Access Code (FAC) screen, change the Facility Test Calls Access Code, Data Origination Access Code, and Data Privacy Access Code fields from the default, or remove them.

    For information about the Feature Access Code (FAC) screen, see Avaya Aura® Communication Manager Screen Reference.

    Note:

    These codes, when dialed, return system dial tone or direct access to outgoing trunking facilities. Transfers to these codes can take place via an unsecured vector with collect digits steps or an unsecured voice mail system.

  7. Restrict Call Forwarding Off Net on every class of service.

    See Avaya Aura® Communication Manager Screen Reference for more information on Class of Service.

    Note:

    You cannot administer loop-start trunks if Call Forwarding Off Net is required.

  8. If loop-start trunks are administered on Communication Manager and cannot be changed by the Local Exchange Company, block all classes of service from forwarding calls off-net.

    On the Class of Service screen, set the Restriction Call Fwd-Off Net field to y for the 16 (0-15) COS numbers.

    See Avaya Aura® Communication Manager Screen Reference for more information on Class of Service.

    Note:

    If a station is call forwarded off-net and an incoming call to the extension is established over a loop-start trunk, incorrect disconnect supervision can occur at the Local Exchange Central Office when the call terminates. This gives the caller recall or transfer dial tone to establish a fraudulent call.

  9. Administer Call Detail Recording on all trunk groups to record both incoming and outgoing calls.

    See Call information collection for more information.

  10. On the Route Pattern screen, be careful assigning route patterns with an FRL of 0; these allow access to outgoing trunking facilities.

    Avaya recommends assigning routes with an FRL of 1 or higher.

    Note:

    An exception might be assigning a route pattern with an FRL of 0 to be used for 911 calls so even restricted users can dial this in emergencies.

    Tip:

    You can use the list route-pattern print command to print a copy of your FRLs and check their status.

  11. On all Trunk Group screens, set the Dial Access field to n.

    If set to y, users can dial Trunk Access Codes, thus bypassing all the ARS call screening functions.

    See the Trunk Group section of Avaya Aura® Communication Manager Screen Reference for more information.

  12. On the AAR and ARS Digit Analysis Table, set all dial strings not required to conduct business to den (deny).

    For information about this screen, see Avaya Aura® Communication Manager Screen Reference.

  13. If you require international calling, on the AAR and ARS Digit Analysis Table, use only the 011+ country codes/city codes or specific dial strings.
  14. Assign all trunk groups or same trunk group types a unique Class of Restriction.

    If the trunk group does not require networking through Communication Manager, administer the Class of Restriction of the trunk group where the FRL is 0, the Calling Party Restriction field is outward, and all unique Class of Restriction assigned to your outgoing trunk groups are n. See Class of Restriction in Avaya Aura® Communication Manager Screen Reference for more information.

    Tip:

    You can use the list trunk-group print command to get a printout of all your trunk groups. Then, you can use the display trunk-group x command (where x is the trunk group) to check the COR of each trunk group.

  15. Avaya recommends you administer the following on all voice mail ports:
    • Assign all voice mail ports a unique COR. See Class of Restriction in Avaya Aura® Communication Manager Screen Reference for more information.

    • If you are not using out calling, fax attendant, or networking, administer the unique COR where the FRL is 0, the Calling Party Restriction field is outward, and all unique trunk group COR on the Calling Permissions are n. See Class of Restriction in Avaya Aura® Communication Manager Screen Reference for more information.

    Note:

    Avaya recommends you administer as many layers of security as possible. You can implement Step 9 and Step 16 as a double layer of security. In the event that the voice mail system becomes unsecured or compromised for any reason, the layer of security on Communication Manager takes over, and vice versa.

  16. Administer all fax machine, modem, and answering machine analog voice ports as follows:
    • Set the Switchhook Flash field to n.

    • Set the Distinctive Audible Alert field to n. See Station in Avaya Aura® Communication Manager Screen Reference for more information.

  17. Install a Call Accounting System to maintain call records.

    On the CDR System Parameters screen, set the Record Outgoing Calls Only field to y. See CDR System Parameters in Avaya Aura® Communication Manager Screen Reference for more information.

  18. Call Accounting Systems produce reports of call records.

    They detect telephones that are being hacked by recording the extension number, date and time of the call, and what digits were dialed.
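
An added example, not Avaya tooling and not part of the original procedure: a Python check that applies the field values from steps 1, 3 to 5, 10, 11 and 15 to a configuration snapshot. The snapshot layout and all key names are hypothetical (values transcribed by hand from the SAT screens, barrier codes recorded by length only); the `emergency` flag marks the 911 exception from step 10.

```python
DEFAULT_LOGINS = {"cust", "rcust", "browse", "nms", "bcms"}  # step 1

def audit(cfg):
    """Return sorted (step, message) findings for a hand-built config snapshot."""
    out = [(1, f"default login {n} still present")
           for n in DEFAULT_LOGINS & set(cfg["logins"])]
    ra = cfg["remote_access"]
    if not ra["permanently_disabled"]:
        step = 4 if ra["off_net"] else 3
        for i, bc in enumerate(ra["barrier_codes"], 1):
            if bc["digits"] < 7:
                out.append((step, f"barrier code {i} has {bc['digits']} digits, want 7"))
            if bc["expire_days"] > 90 or bc["call_limit"] > 100:
                out.append((step, f"barrier code {i} aging exceeds 90 days / 100 calls"))
            if ra["off_net"] and bc["digits"] + ra["auth_code_digits"] < 11:
                out.append((4, f"barrier code {i} plus authorization code is under 11 digits"))
    trunk_cors = {t["cor"] for t in cfg["trunk_groups"]}
    # VDNs and voice mail ports that must never reach a trunk. A trunk COR that is
    # missing from the permissions map counts as y, so gaps are reported, not hidden.
    for r in cfg["restricted"]:
        cor = cfg["cors"][r["cor"]]
        reach = sorted(c for c in trunk_cors if cor["permissions"].get(c, "y") != "n")
        if cor["frl"] != 0 or cor["cpr"] != "outward" or reach:
            out.append((r["step"], f"{r['name']} COR {r['cor']}: FRL {cor['frl']}, "
                        f"restriction {cor['cpr']}, can call trunk CORs {reach}"))
    for t in cfg["trunk_groups"]:
        if t["dial_access"] != "n":
            out.append((11, f"trunk group {t['number']} has Dial Access y"))
    for p in cfg["route_patterns"]:
        if p["frl"] == 0 and not p["emergency"]:
            out.append((10, f"route pattern {p['number']} has FRL 0"))
    return sorted(out)

# Constructed snapshot with deliberate gaps; every value below is made up.
SAMPLE = {
    "logins": ["cust", "jsmith01", "browse"],
    "remote_access": {"permanently_disabled": False, "off_net": True, "auth_code_digits": 4,
                      "barrier_codes": [{"digits": 7, "expire_days": 90, "call_limit": 100},
                                        {"digits": 5, "expire_days": 365, "call_limit": 100}]},
    "trunk_groups": [{"number": 1, "cor": 80, "dial_access": "n"},
                     {"number": 2, "cor": 81, "dial_access": "y"}],
    "cors": {20: {"frl": 0, "cpr": "outward", "permissions": {80: "n", 81: "n"}},
             21: {"frl": 3, "cpr": "none", "permissions": {80: "n"}}},
    "restricted": [{"name": "VDN 5000", "step": 5, "cor": 20},
                   {"name": "voice mail port 3001", "step": 15, "cor": 21}],
    "route_patterns": [{"number": 1, "frl": 0, "emergency": True},
                       {"number": 2, "frl": 0, "emergency": False}],
}
if __name__ == "__main__":
    print("\n".join(f"step {s:>2}: {m}" for s, m in audit(SAMPLE)))
```

Each finding carries the procedure step it comes from, so the output can be worked through in the same order as the checklist.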