GHTROUT http://www.GHTROUT.net/
 



Gene's Meridian 1 Security Audit

An audit of the Meridian 1 telephone system ensures that every possible "system" precaution has been taken to prevent fraud. The first step is to query data from the system in the form of printouts (or "capture" the data to a file on a PC). The next step is to analyze the data and confirm the reason for each entry. Please be advised that this procedure is not designed for all "networked" Meridian 1 systems; however, most of the items apply to all systems. Use at your own risk.  ©GHTROUT

PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all of the data from these printouts to separate files. This can be accomplished with a PC and a communications program. For the BARS LD90 NET printout, look here.

  • LD22 CFN
  • LD22 PWD
  • LD21 CDB
  • LD21 RDB
  • LD21 LTM
  • LD23 ACD
  • LD24 DISA
  • LD20 SCL
  • LD86 ESN (Detail)
  • LD86 RLB (Detail)
  • LD86 DMI (Detail)
  • LD87 NCTL (Detail)
  • LD87 FCAS (Detail)
  • LD87 CDP (Detail)
  • LD90 NET (Detail)
  • LD90 SUM (Detail)
  • LD20 TNB
  • LD22 DNB
  • LD88 AUB

GATHERING DATA FROM LD81

List (LST) the following FEAT entries to form an information base on the telephones.

  • NCOS 00 99 (NCOS range 00 through 99)
  • CFXA
  • UNR
  • TLD
  • SRE
  • FRE
  • FR1
  • FR2
  • CUN
  • CTD

DATA BLOCK REVIEW ITEMS

From the printouts, review each of the following areas. Some of the items may or may not be appropriate depending on the applications of the telephone system.

CFN - Configuration
  • Verify that the History File is in use.
PWD - Passwords
  • Verify that FLTH (failed login attempt threshold) is low enough.
  • Verify that PWD1 and PWD2 (passwords) use both alpha and numeric characters and are eight or more characters long.
  • Note any LAPWs (limited access passwords) assigned.
  • Enable audit trails.
CDB - Customer Data Block
  • Verify that CFTA (call forward to trunk access code) is set to NO.
  • Verify the NCOS level of the console.
  • Verify that NIT1 through NIT4 (or other night numbers) point to valid numbers.
  • The EXTT prompt should be NO to work in conjunction with trunk route disconnect controls (see RDB).
RDB - Trunk Route Data Block
  • Verify that every route has a TARG assigned.
  • Confirm that FEDC and NEDC are set correctly. ETH is typical; however, for maximum security in blocking trunk-to-trunk connections, set NEDC to ORG and FEDC to JNT.
  • Confirm that ACCDs are a minimum of four digits long (unless used for paging).
  • If ESN signaling is active on trunk routes, verify that it needs to be. ESN signaling, if not required, should be avoided.
  • NOTES ON TGAR: For demonstration purposes, this document suggests that sets be "TGAR 1". The only requirement for TGAR is that it match one of the TARG numbers assigned in the Route Data Block.
ACD - Automatic Call Distribution
  • Verify ACD queues and associated NCFW numbers. Verify all referenced extensions.
DISA - Direct Inward System Access
  • Remove DISA if not required. If required, verify that security codes are in use.
ESN - Electronic Switched Network
  • AC1 is typically "9". If there is an AC2 assigned, verify its use.
  • If TOD or ETOD is used, verify which NCOS levels are changed, when they are changed and why.
  • Apply FLEN to your SPNs to ensure nobody is ever allowed to be transferred to a partially dialed number, like "Transfer me to 91800".
  • Study EQAR (Equal Access Restriction) to ensure that users can only follow a "Carrier Access Code" with a zero rather than a one: 1010321-1-414-555-1212 is blocked but 1010321-0-414-555-1212 is allowed with EQAR.
NCTL - Network Control
  • Use LD81 FEAT PRINT to verify all NCOS values being used.
  • Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X in the NCTL?
  • Does FRL 0 have any capabilities? It should not be able to dial anything.
FCAS - Free Call Area Screening
  • Confirm the need to use FCAS and remove it if possible. FCAS is usually a waste of system memory and complicates the system without saving money.
DGT (DMI) - Digit Manipulation
  • Confirm all numbers referenced in the "insert" section of each DMI table.
RLB - BARS Route List Block
  • Are any RLB ENTRs assigned FRL 0? Typically, only the RLB that handles 911 calls should have an FRL 0.
  • If DMI is in use, confirm all "inserted" numbers.
CDP - BARS Coordinated Dialing Plan
  • Are all CDP numbers valid? Check the RLBs they point to and see what the DMI value is. Confirm insertions.
NET - ALL - BARS Network Numbers
  • Add 000, 001, 002, 003, 004, 005, 006, 007, 008 and 009 as SPNs pointing to a route list block that is set to LTER YES. These entries block transfers to "ext. 9000" and similar numbers.
  • Point SPN "0" to an RLI with a high FRL, then consider adding new SPNs of 02, 03, 04, 05, 06, 07, 08 and 09 pointing to an RLI with a lower FRL, so that users cannot dial "0" but can dial "0+NPA" credit card calls.
  • Check the FRL of 0, 00 and 011 and confirm that each is pointed to a separate NET entry requiring a high FRL.
  • Remove all offshore NPAs (like 1-809, Dominican Republic) if possible. Regulations are almost non-existent in some of those areas and they are hot fraud targets.
  • Verify blocking of 900 and 976 access. Also consider blocking the NXX of your local radio station contest lines. Users will go nuts calling a radio station to win a free toaster, taking over all the trunks in your phone system.
  • Restrict the main numbers and DID range within the BARS system. There is no need to call from an outgoing to an incoming line at the same location.
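As an added example (not code from the original page), the script below checks the NCTL, RLB and NET items above against data taken from captured LD87 NCTL, LD86 RLB and LD90 NET printouts. The dicts are a constructed representation of the captured values, not the switch's own printout format, and the FRL threshold of 7, the emergency RLI number and the way 900/976 are blocked (routing them to a high-FRL route list) are assumptions for the sample.

```python
# Added example: audit BARS/NCTL data against the NCTL, RLB and NET checklist.
# All data below is constructed; the dict layout is an assumption, not the
# layout of an actual LD86/LD87/LD90 printout.

REQUIRED_TRAP_SPNS = [f"{n:03d}" for n in range(10)]  # 000 .. 009 transfer traps (LTER YES)
HIGH_FRL_CODES = ["0", "00", "011"]                   # each needs its own high-FRL NET entry
BLOCKED_NPAS = ["900", "976"]                         # assumed blocked via a high-FRL route list

# Constructed NCTL data: NCOS -> FRL.  NCOS 5 is deliberately mis-mapped to FRL 6.
NCTL = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 7: 7}

# Constructed route list blocks: RLI -> entries (ENTR with its FRL) plus the LTER flag.
RLB = {
    0: {"entries": [{"entr": 0, "frl": 0}], "lter": "NO"},                          # 911 route list
    1: {"entries": [{"entr": 0, "frl": 3}, {"entr": 1, "frl": 0}], "lter": "NO"},   # stray FRL 0 entry
    2: {"entries": [], "lter": "YES"},                                              # local-terminate trap
    7: {"entries": [{"entr": 0, "frl": 7}], "lter": "NO"},                          # high-FRL block
}
EMERGENCY_RLI = 0   # assumed: the RLI that carries 911

# Constructed NET entries: dialed digits (SPN/NPA) -> RLI.  SPN 009 and NPA 976
# are deliberately missing, and 011 points at a block reachable at FRL 0.
NET = {
    "911": 0, "0": 7, "00": 7, "011": 1, "900": 7,
    **{f"{n:03d}": 2 for n in range(9)},
}


def nctl_findings(nctl):
    """NCOS X should equal FRL X, and NCOS 0 must stay at FRL 0 (the 'dial nothing' level)."""
    out = []
    for ncos, frl in sorted(nctl.items()):
        if ncos != frl:
            out.append(f"NCOS {ncos} maps to FRL {frl}, expected FRL {ncos}")
    if nctl.get(0) != 0:
        out.append("NCOS 0 does not map to FRL 0")
    return out


def rlb_findings(rlb, emergency_rli):
    """Only the route list that handles 911 should have an entry at FRL 0."""
    out = []
    for rli, block in sorted(rlb.items()):
        for entry in block["entries"]:
            if entry["frl"] == 0 and rli != emergency_rli:
                out.append(f"RLI {rli} ENTR {entry['entr']} has FRL 0")
    return out


def route_blocks_trunk_access(block, high_frl):
    """True if the block terminates locally (LTER YES) or every entry needs at least high_frl."""
    if block["lter"] == "YES" or not block["entries"]:
        return True
    return min(e["frl"] for e in block["entries"]) >= high_frl


def net_findings(net, rlb, high_frl):
    """Transfer-trap SPNs must exist and be LTER YES; 0/00/011/900/976 must need a high FRL."""
    out = []
    for spn in REQUIRED_TRAP_SPNS:
        rli = net.get(spn)
        if rli is None:
            out.append(f"SPN {spn} missing (transfer trap)")
        elif rli not in rlb:
            out.append(f"SPN {spn} -> RLI {rli} is not defined")
        elif rlb[rli]["lter"] != "YES":
            out.append(f"SPN {spn} -> RLI {rli} is not LTER YES")
    for code in HIGH_FRL_CODES + BLOCKED_NPAS:
        rli = net.get(code)
        if rli is None:
            out.append(f"NET entry {code} missing")
        elif rli not in rlb:
            out.append(f"NET entry {code} -> RLI {rli} is not defined")
        elif not route_blocks_trunk_access(rlb[rli], high_frl):
            out.append(f"NET entry {code} -> RLI {rli} reachable below FRL {high_frl}")
    return out


def audit_bars(nctl, rlb, net, emergency_rli, high_frl=7):
    """Run all three checks and return the combined list of findings."""
    return (nctl_findings(nctl)
            + rlb_findings(rlb, emergency_rli)
            + net_findings(net, rlb, high_frl))


if __name__ == "__main__":
    for finding in audit_bars(NCTL, RLB, NET, EMERGENCY_RLI):
        print(finding)
```

Against the constructed data the audit reports the mis-mapped NCOS 5, the FRL 0 entry in RLI 1, the missing 009 trap SPN, the 011 entry that is reachable at FRL 0, and the missing 976 entry; replace the three dicts with values transcribed from your own captures.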
TRUNKS
  • Confirm that all trunks have TGAR assigned.
  • Confirm that all incoming and TIE trunks have class of service SRE assigned (caution on networked systems).
  • Confirm that all trunks have an NCOS of zero.
SETS-PHONES
  • Does every phone have a TGAR of 1 assigned? (This must be checked set by set, TN by TN.)
  • Can you change every phone that is UNR to CTD? Review LD81 FEAT PRINT to find the UNR sets. The CTD class of service is explained below.
  • Confirm that all sets are assigned CLS CFXD.
  • Confirm that the NCOS is appropriate on each set.
  • In Release 20 or above, removing the transfer feature may be appropriate.
  • Confirm that the CFW digit length on all sets is set to the system DN length.
  • Apply Flexible Trunk to Trunk Connections on the set (such as CLS=FTTR), and FTOP in the CDB if deemed appropriate. These restrictions are applied on a set-by-set basis and allow or deny the ability to transfer incoming calls out of the facility.
VOICE MAIL PORTS
  • Each port should be CLS SRE.
  • Apply Flexible Trunk to Trunk Connections on the TNs (CLS=FTTR), and verify FTOP in the CDB.
  • Each port should be NCOS 0. NCOS 0 must be known to be too low to pass any call.
  • Each port should be TGAR 1 (all trunk routes must be TARG 1 also).
  • NOTE: If you are used to your mail system doing outcalling, you can forget about that working after applying these restrictions. An alternative that will allow outcalling but restrict thru-dialing to external numbers is to keep the NCOS and CLS restrictions high enough to place outcalls, but "Apply Flexible Trunk to Trunk Connections on the TNs (CLS=FTTR), and verify FTOP in the CDB" as indicated in the FTTR point above.

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:

EXPLANATION OF CLASS OF SERVICE SRE:

  • NTP DEFINITION: Allowed to receive calls from the exchange network. Restricted from all dial access to the exchange network. Allowed to access the exchange network through an attendant or an unrestricted telephone only.
  • Essentially, an SRE set can do nothing on its own except dial internal and TIE line extensions. If a trunk is SRE, it will work normally and allow conference calls and transfers.

EXAMPLES OF 'SRE' IN USE:

  • Voice mail cannot connect to an outgoing line, but can receive incoming calls.
  • Callers on the far end of a TIE line cannot call out through your end (for their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:

  • If a route access code is accessed (because there was no match between the TGAR and TARG), the caller cannot dial 1 or 0 as the leading digit.
  • If the caller makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:

  • The best restriction is to have all trunk routes TARG'd to 1 and all TNs (including actual trunk TNs) TGAR'd to 1. This blocks all access to direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS

  • No incoming caller will have access to an outside line unless physically transferred or conferenced by an internal party. If voice mail ports are SRE and NCOS 0 and have a TGAR matching the TARG, they will not be able to transfer a call out of the system, regardless of the voice mail system's own resident restrictions.
  • No phone will be able to dial a trunk route access code. Consider allowing telecom staff this ability for testing.
  • Layered security:
    • If, in phone programming, TGAR was overlooked on a phone, the CTD class of service would block the user from dialing a 0 or 1 if they stumble upon a route access code.
    • If, in programming, the CTD class of service was overlooked, both TGAR and NCOS would maintain the restrictions.
    • If, in programming, the NCOS is overlooked, it defaults to zero, which is totally restricted if NCTL and RLBs are set up correctly.
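The TRUNKS, SETS-PHONES and VOICE MAIL PORTS checks above, together with the layered TGAR/CTD/NCOS/SRE rules just explained, are mechanical enough to run over a captured printout. The script below is an added example, not code from the original page: it assumes the capture holds one "PROMPT value" pair per line with a blank line between TN records (an assumption about the capture layout, not the exact LD20 TNB format), that every trunk route is TARG 1, that trunk records are recognised by their TYPE value, and that voice mail port TNs are supplied by the auditor. The sample capture is constructed.

```python
# Added example: audit captured TN records against the TGAR / CLS / NCOS checklist.
# Capture layout ("PROMPT value" per line, blank line between records), the
# TARG in use, the trunk TYPE list and the sample data are all assumptions.

TARG_IN_USE = {"1"}                                   # assumed: every trunk route is TARG 1
TRUNK_TYPES = {"TIE", "DID", "COT", "FEX", "WAT"}     # assumed TYPE values that mark trunk TNs

# Constructed sample capture, not a real switch printout.  The second set has
# the wrong TGAR, is UNR and is CFXA; the last record is a voice mail port.
SAMPLE_CAPTURE = """\
TN   004 0 00 01
TYPE 2616
CUST 0
TGAR 1
NCOS 3
CLS  CTD CFXD

TN   004 0 00 02
TYPE 2008
CUST 0
TGAR 0
NCOS 5
CLS  UNR CFXA

TN   008 0 00 00
TYPE TIE
CUST 0
TGAR 1
NCOS 0
CLS  SRE

TN   012 0 00 03
TYPE 500
CUST 0
TGAR 1
NCOS 2
CLS  UNR CFXD

TN   016 0 00 05
TYPE 500
CUST 0
TGAR 1
NCOS 4
CLS  UNR
"""


def parse_capture(text):
    """Split the capture into records: one dict of prompt -> value per TN."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        prompt, _, value = line.strip().partition(" ")
        current[prompt] = value.strip()
    if current:
        records.append(current)
    return records


def classify(rec, vmail_tns):
    """Voice mail ports are named by the auditor; trunks by TYPE; everything else is a set."""
    if rec.get("TN") in vmail_tns:
        return "vmail"
    if rec.get("TYPE") in TRUNK_TYPES:
        return "trunk"
    return "set"


def audit_record(rec, kind):
    """Return (tn, finding) pairs for one record."""
    findings = []
    tn = rec.get("TN", "?")
    cls = set(rec.get("CLS", "").split())
    # Every TN, trunks included, must carry a TGAR that matches a TARG in use.
    if rec.get("TGAR") not in TARG_IN_USE:
        findings.append((tn, f"TGAR {rec.get('TGAR', 'missing')} does not match a TARG in use"))
    if kind == "set":
        if "UNR" in cls:
            findings.append((tn, "CLS UNR; change to CTD"))
        if "CFXA" in cls:
            findings.append((tn, "CLS CFXA; should be CFXD"))
    else:
        # Trunks and voice mail ports: SRE and NCOS 0.  A missing NCOS prompt
        # is treated as 0, matching the switch default described above.
        if "SRE" not in cls:
            findings.append((tn, f"{kind} is not CLS SRE"))
        if rec.get("NCOS", "0") != "0":
            findings.append((tn, f"{kind} NCOS {rec['NCOS']} is not 0"))
    return findings


def audit_capture(text, vmail_tns=frozenset()):
    """Audit a whole capture; vmail_tns is the set of TN strings that are voice mail ports."""
    out = []
    for rec in parse_capture(text):
        out.extend(audit_record(rec, classify(rec, vmail_tns)))
    return out


if __name__ == "__main__":
    for tn, finding in audit_capture(SAMPLE_CAPTURE, vmail_tns={"016 0 00 05"}):
        print(f"{tn}: {finding}")
```

On the constructed capture the clean set and the SRE/NCOS 0 TIE trunk produce no findings, the mis-programmed set produces three, the UNR set one, and the voice mail port two (not SRE, NCOS not 0); feed it the file captured from LD20 TNB after confirming the prompt layout matches your release.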