Nortel DMS-100 Office Security

General

In today's environment, with the challenge of illegal access to computer systems, the security of our telephone network should be one of the highest priorities within any communications company.  There is a need to safeguard telephone service to the customer, Automatic Message Accounting (AMA) billing records, credit card numbers, communications equipment, and databases by restricting access to authorized personnel only.  These safeguards require constant monitoring and a 24-hour, year-round commitment.

Some safeguards have been described in previous areas of this manual.  Those safeguards dealt with office images, maintaining office logs for AMA tapes and dial-up access, and retaining hard copies of translation tables, office parameters, and Store File Device (SFDEV) files.  In addition to those safeguards, this subsection describes security features and safeguards for:

All dial-up access ports should be arranged for customer controlled access.  This control may consist of manual answer on the data set, call transfer to a restricted Centrex group, access through a central minicomputer system, or a dial-back feature.  All dial-up accesses should be logged.  Periodic checks should be made to ensure that all dial-up access is being controlled by responsible personnel, whether it is through a control center or within the switch.

LOGINCONTROL Command

It is recommended that the Command Interpreter (CI) level LOGINCONTROL feature be used to provide security for the use of dial-up ports into the switch.  This feature allows the automatic disabling of a port after disconnect by a user, as well as limiting the time and number of attempts at logging into an enabled port.

This can be a valuable enhancement to switch security and reduces the possibility of ports being left in an accessible state.  We suggest LOGINCONTROL responsibility be under control of a security supervisor or manager.  You may consider "privclassing" LOGINCONTROL for additional security.  More is provided on the LOGINCONTROL command later within this subsection.

Human-Machine Access

The following are general security safeguards regarding human-machine access:

Input Command Screening

All commands should be Privilege Classed (PRIVCLASS) to restrict commands to selected users and all commands should be DUMPSAFE or DUMPUNSAFE as required.  It is suggested that the PRIVCLASS screening process be controlled only by the control center (i.e., SCC, NOC, NRC).  More is provided later within this subsection.

Security Log

When the parameter TABLE_ACCESS_CONTROL is set to "Y" and table CUSTPROT (Customer Protection) is datafilled, a security log is generated each time a table is changed.  It records who, when, and what was changed.  See table CUSTPROT later within this subsection.

Access Control for Tables

When equipped with the appropriate software, it is possible to control who may change translation data by using table CUSTPROT.  Three levels of security may be provided: read only, update, and all privileges.  TABLXXX logs produce an audit trail if they are set up in the log system.

Log Trails and Security Alarms

Any security log reports described within this subsection may be alarmed if desired.  Various alarm levels for the SECUXXX and TABLXXX logs may be assigned by using table AUDALARM (Audible Alarm).  The security logs can be used as an audit trail for regular and unauthorized operations.  More is provided later within this subsection.

Security Software Packages

One or more of the following software packages must be present in the switching system to implement enhanced security:

Office Security Parameters

The following office parameters are associated with the Enhanced Office Security software packages NTX292AB, NTX292BA, and NTX293AA.

Table OFCOPT: ENHANCED_COMMAND_SCREENING

This parameter should have a value of "Y" if the switching unit has the Enhanced Security Package (with password encryption - NTX292AB).

The feature associated with this parameter allows commands to be assigned any subset of 31 classes.  Command screening then becomes a matter of ensuring that a user's command classes have a nonempty intersection with the classes of any command they wish to use.

Table OFCOPT: ENHANCED_PASSWORD_CONTROL

This option should be set to "Y" if the switching unit has the Enhanced Password Control Package (NTX292AB/NTX292BA).

If set to "Y", it creates the following parameters in table OFCENG:

Use of the Enhanced Password Control feature disables all automatic login features.

This feature must have a value of "Y" in order for the Automatic Dial-Back Feature (NTX293AA) to function properly.

Table OFCOPT: MONITOR_TABLE_ACCESS

This option specifies whether the switching unit has the Security Table Enhancement Feature (NTX292AB/NTX292BA).

The operating company can activate or deactivate this feature by changing the value of parameter TABLE_ACCESS_CONTROL in table OFCVAR.

The operating company may activate or deactivate this feature on a table basis by changing the value of fields READPROT, UPDTPROT, or ALLPROT in table CUSTPROT.

Table OFCOPT: PASSWORD_ENCRYPTED

This parameter specifies whether the SHOWPW command is to be suppressed or not.  The command SHOWPW is not optional and is available in switching units with the Password Encryption Package (NTX292AB).

Table OFCOPT: DIALBACKPW_ENCRYPTED

This parameter is required in a switching unit with the Automatic Dial-Back Feature (NTX293AA) and specifies whether the SHOWDBPW (Show Dial-Back Password) command is to be suppressed or not.

Table OFCOPT: MODEM_DIALBACK_CONTROL

This option specifies whether automatic dial-back is allowed on modems.

The Enhanced Password Control Package (NTX292AB/BA) is required for dial-back to function properly.

The LOGINCONTROL command is used to specify whether a modem is to be used as an answer modem or a dial-out modem when DIALBACK is active.

Table DIALBACK stores the dial-back related data.

Table OFCOPT: SUPPRESS_USERNAME

This appears only if ENHANCED_PASSWORD_CONTROL in table OFCOPT is set to "Y".

This parameter specifies if the username is suppressed during MAP VDU and printer sessions.

Set the parameter to "Y" if the username is to be suppressed.

Table OFCENG: EXPIRED_PASSWORD_GRACE

This appears only if ENHANCED_PASSWORD_CONTROL in table OFCOPT is set to "Y".


The number of logons for which a password may be used if the password is older than the value of parameter PASSWORD_LIFETIME:

Minimum : 0 
Maximum : 32,767 
Default : 3

Table OFCENG: MIN_PASSWORD_LENGTH

This parameter appears only if the switching unit has the option ENHANCED_PASSWORD_CONTROL in table OFCOPT set to "Y" and the Enhanced Security Package (NTX292AB) is present.

This parameter specifies the minimum number of characters allowed for logon passwords:

Minimum : 0 
Maximum : 16 
Default : 6

Table OFCENG: PASSWORD_LIFETIME

Appears only if ENHANCED_PASSWORD_CONTROL in table OFCOPT is set to "Y".

Determines the duration, in number of days, for which a password may be used.

Minimum : 0 
Maximum : 32,767 
Default : 30

Table OFCVAR: TABLE_ACCESS_CONTROL

This parameter is required if the switching unit has the Security Table Enhancement Feature (NTX292AB/NTX292BA), with office option MONITOR_TABLE_ACCESS set to "Y" in table OFCOPT.

The operating company activates or deactivates the feature by changing the value of this parameter.

When this parameter has the value "Y", the operating company can activate or deactivate the feature on a table basis by changing the value of fields READPROT, UPDTPROT, or ALLPROT in table CUSTPROT.

Associated Data Tables

The following tables are associated with enhanced security as described in NTP 297-XXXX-350, Translations Guides.

Terminal Device Table (TERMDEV)

This table lists the assignments for terminal devices.  Table TERMDEV provides the ability to PRIVCLAS a terminal device, restricting the device to a specific set or class of commands specified in table CMDS.  There can be any combination of classes between 0 through 31, or "ALL".

This table also stipulates the type of modem that is connected to the corresponding port and thus determines which set of procedures is used for controlling the modem.

Where the Enhanced Password Control (Automatic Dial-Back) feature is present, the type of modem must be specified.

Access to table TERMDEV can be restricted by datafilling table CUSTPROT.

WARNING! - Be aware that a lockout condition exists if all the commands are "privclassed" out for all users and terminals.  The only way out is to use the user ID called ADMIN.  An ADMIN user ID is neither displayed nor restricted in any way.  It is always available, provided the ADMIN password is known and the terminal is not in the "autologin" mode.

Command Screening Table (CMDS)

Office parameter ENHANCED_COMMAND_SCREENING determines if the feature is turned on.  This office parameter may be set only once: that is, at datafill time.

When office parameter ENHANCED_COMMAND_SCREENING is turned on, the table is automatically datafilled by the system.

The table is initially datafilled with default values.

WARNING! - If tuples are added to this table through table control, a restart is required to activate the change, particularly if the tuple is deleted and then readded.  To avoid a restart, modify the tuples in table CMDS using the CHANGE or REPLACE command (or via the PRIVCLAS command) instead of the DELETE and ADD commands.

The PRIVCLAS command allows for setting multiple command classes.

Four fields are present in table CMDS that specify whether command use or command abuse is to be logged or alarmed.  Those fields are:

-----------------------------------------------------------------------------------------
Datafilling Table CMDS

Field            Entry               Explanation and Action
-----------------------------------------------------------------------------------------
LOGONUSE         Y or N              Enter "Y" when a log is to be created on every use of
                                     this command.  Default value is "N".
-----------------------------------------------------------------------------------------
USEALARM         CR, MJ,             Enter the type of alarm to raise on every use of this
                 MN, or NA           command.  Default value is "NA" (No Alarm).
-----------------------------------------------------------------------------------------
LOGABUSE         Y or N              Enter "Y" when a log is to be created when a user with
                                     the wrong command set tries to use this command.
                                     Default value is "N".
-----------------------------------------------------------------------------------------
ALRMABUS         CR, MJ,             Enter the type of alarm to raise when a user with the
                 MN, or NA           wrong command set tries to use this command.
                                     Default value is "NA" (No Alarm).
-----------------------------------------------------------------------------------------
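The screening rule described under ENHANCED_COMMAND_SCREENING (a command carries any subset of the 31 classes, and a user may run it only if the user's classes have a nonempty intersection with the command's) and the four logging and alarm fields of table CMDS above can be modelled in a few lines.  The following Python is an added example written for this page, not Nortel code: the function and class names are ours, the sample CMDS tuples are constructed, and the way a terminal's PRIVCLAS set from table TERMDEV is combined with the user's PERMIT classes (by intersection) is our assumption.

```python
"""Model of DMS-100 enhanced command screening (added example, not Nortel code)."""
from dataclasses import dataclass

NUM_CLASSES = 31                        # privilege classes are numbered 0..30
ALL = frozenset(range(NUM_CLASSES))     # the "ALL" entry of table TERMDEV
ALARM_LEVELS = ("NA", "MN", "MJ", "CR")  # values of USEALARM / ALRMABUS


def class_set(spec):
    """Turn 'ALL' or an iterable of class numbers into a validated frozenset."""
    if spec == "ALL":
        return ALL
    classes = frozenset(int(c) for c in spec)
    bad = sorted(c for c in classes if not 0 <= c < NUM_CLASSES)
    if bad:
        raise ValueError(f"privilege classes out of range 0-{NUM_CLASSES - 1}: {bad}")
    return classes


@dataclass(frozen=True)
class CmdsTuple:
    """One tuple of table CMDS: the command's classes plus its log/alarm fields."""
    cmdname: str
    cmdclass: frozenset          # classes assigned with PRIVCLAS
    logonuse: bool = False       # LOGONUSE "Y": log every use
    usealarm: str = "NA"         # USEALARM: alarm level raised on every use
    logabuse: bool = False       # LOGABUSE "Y": log attempts by users lacking the class
    alrmabus: str = "NA"         # ALRMABUS: alarm level raised on such attempts

    def __post_init__(self):
        for level in (self.usealarm, self.alrmabus):
            if level not in ALARM_LEVELS:
                raise ValueError(f"bad alarm level {level!r}")


@dataclass(frozen=True)
class Decision:
    permitted: bool
    log: bool        # whether a security log is to be written
    alarm: str       # alarm level to raise, "NA" for none
    reason: str


def screen_command(user_classes, terminal_classes, cmd):
    """Decide whether a user at a terminal may run `cmd` and what gets logged.

    The user's PERMIT classes are first intersected with the terminal's PRIVCLAS
    set (our assumption of how TERMDEV and PERMIT combine), then tested against
    the command's classes: a nonempty intersection permits the command.
    """
    effective = class_set(user_classes) & class_set(terminal_classes)
    common = effective & cmd.cmdclass
    if common:
        # SECU106 is the page's log for a permitted CMDS command that executes.
        return Decision(True, cmd.logonuse, cmd.usealarm,
                        f"classes in common: {sorted(common)}")
    return Decision(False, cmd.logabuse, cmd.alrmabus, "no class in common with command")


def demo():
    """Constructed CMDS tuples for two commands named on this page."""
    cmds = {
        "SETBANNER": CmdsTuple("SETBANNER", class_set([7]), logonuse=True),
        "SHOWPW": CmdsTuple("SHOWPW", class_set([30]), logonuse=True, usealarm="MN",
                            logabuse=True, alrmabus="MJ"),
    }
    operator = [3, 7]          # constructed PERMIT classes for an ordinary user
    return {name: screen_command(operator, "ALL", c) for name, c in cmds.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

In the demo the operator may run SETBANNER (class 7 in common, use logged, no alarm) but not SHOWPW (no class in common), and the SHOWPW attempt produces a log with a major alarm because its tuple has LOGABUSE "Y" and ALRMABUS "MJ".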

Customer Protection Table (CUSTPROT)

This table defines the command class of users able to read, change, add, or delete tuples respectively for each table assigned in the switching unit.

The initial input for table CUSTPROT is automatically produced by table control, and it keeps that value unless changed by the operating company.  The initial value produced by table control for the privilege classes is 15.

The privilege class that has the read protect capability is allowed to read, but not allowed to update, add, or delete tuples from the table.

The privilege class that has the update protection capability is allowed to read and update, but not allowed to add or delete tuples from the table.

The privilege class that has the all protection capability, is allowed to read, update, add, or delete tuples from the table.

All completed or aborted attempts to access a table are recorded in the form of log reports for later examination.

The log reports are generated on a per table basis when attempting to read a tuple and have it displayed, and on a tuple basis when attempting to write the tuple.

The log TABLXXX that is introduced by this feature is a secret log.  All secret type logs are automatically routed to SYSLOG.

Following are the fields and associated datafill:

-----------------------------------------------------------------------------------------
Datafilling Table CUSTPROT

Field            Entry               Explanation and Action
-----------------------------------------------------------------------------------------
READPROT         0 - 30              Enter the privilege class that is allowed to read this
                                     table.
-----------------------------------------------------------------------------------------
UPDTPROT         0 - 30              Enter the privilege class that is allowed to read the
                                     table and update tuples.  Not allowed to add or delete
                                     tuples from the table.
-----------------------------------------------------------------------------------------
ALLPROT          0 - 30              Enter the privilege class that is allowed to read,
                                     update, add, or delete tuples from the table.
-----------------------------------------------------------------------------------------
VALACC           OFF, ALL,           If the switching unit has the Security Enhancements
                 or WRITE            Feature, and TABL101 logs are required, enter "WRITE";
                                     if TABL100 and TABL101 logs are required, enter "ALL";
                                     otherwise, if the feature is not provided, or logs
                                     TABL100 and TABL101 are not required, enter "OFF".
-----------------------------------------------------------------------------------------
DENACC           OFF, ALL,           If the switching unit has the Security Enhancements
                 or WRITE            Feature, and TABL103 logs are required, enter "WRITE";
                                     if TABL102 and TABL103 logs are required, enter "ALL";
                                     otherwise, if the feature is not provided, or logs
                                     TABL102 and TABL103 are not required, enter "OFF".
-----------------------------------------------------------------------------------------
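The three protection levels of table CUSTPROT and the VALACC/DENACC settings together decide, for every table access, whether the access is allowed and which of the TABL100 to TABL103 reports is written.  The following Python is an added example written for this page, not Nortel code: the names `CustprotTuple`, `allowed_ops` and `access_table` are ours, the sample tuple is constructed, and the assumption that a user's class set must contain the class named in a field (with ALLPROT taking precedence over UPDTPROT, and UPDTPROT over READPROT) is ours.

```python
"""Model of table CUSTPROT access levels and the TABL100-TABL103 logs they drive.
Added example for this page, not Nortel code."""
from dataclasses import dataclass

READ_OPS = {"read"}
WRITE_OPS = {"update", "add", "delete"}
ALL_OPS = READ_OPS | WRITE_OPS
LOG_SETTINGS = ("OFF", "WRITE", "ALL")   # values of VALACC and DENACC


@dataclass(frozen=True)
class CustprotTuple:
    """One CUSTPROT tuple: the protected table and its three privilege classes."""
    table: str
    readprot: int       # class allowed to read only
    updtprot: int       # class allowed to read and update
    allprot: int        # class allowed to read, update, add and delete
    valacc: str = "OFF"  # which logs to write for authorized access
    denacc: str = "OFF"  # which logs to write for denied access

    def __post_init__(self):
        for cls in (self.readprot, self.updtprot, self.allprot):
            if not 0 <= cls <= 30:
                raise ValueError(f"privilege class {cls} outside 0-30")
        for setting in (self.valacc, self.denacc):
            if setting not in LOG_SETTINGS:
                raise ValueError(f"bad log setting {setting!r}")


def allowed_ops(user_classes, prot):
    """Operations the user's class set permits on the table; the highest level wins."""
    classes = set(user_classes)
    if prot.allprot in classes:
        return set(ALL_OPS)
    if prot.updtprot in classes:
        return READ_OPS | {"update"}
    if prot.readprot in classes:
        return set(READ_OPS)
    return set()


def access_table(user_classes, prot, op):
    """Return (permitted, log_report) for one access, log_report being None if
    the VALACC/DENACC setting suppresses the report for this kind of access."""
    if op not in ALL_OPS:
        raise ValueError(f"unknown operation {op!r}")
    permitted = op in allowed_ops(user_classes, prot)
    is_write = op in WRITE_OPS
    setting = prot.valacc if permitted else prot.denacc
    if setting == "OFF" or (setting == "WRITE" and not is_write):
        return permitted, None
    # setting is ALL, or WRITE with a write operation
    if permitted:
        return True, "TABL101" if is_write else "TABL100"
    return False, "TABL103" if is_write else "TABL102"


if __name__ == "__main__":
    # Constructed tuple protecting table TERMDEV with full logging.
    termdev = CustprotTuple("TERMDEV", readprot=10, updtprot=20, allprot=30,
                            valacc="ALL", denacc="ALL")
    for classes, op in (({20}, "read"), ({20}, "update"), ({20}, "delete"), ({5}, "read")):
        print(sorted(classes), op, access_table(classes, termdev, op))
```

With DENACC set to "WRITE" the denied read in the last line would still be refused but would produce no TABL102 report, which is the trade-off the field controls: less log volume against a blind spot for unauthorized read attempts.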

Audible Alarm Table (AUDALARM)

This table is used to specify the alarm level for security log reports, which are secret.  These reports are secure, that is, seeing them and manipulating them is restricted.  The operating company can specify alarm levels to flag these reports.

Alarms can be specified in the following two ways:

Secret alarms are not printed by log devices.  To aid the operating company in determining the cause of alarms, any time a secret report causes an alarm, a nonsecret log is generated by the alarm system.  This nonsecret log only reports that an alarmed secret report has occurred.

Tuples cannot be added to or deleted from the table with LOGUTIL.  Tuples are added automatically by the log system at restart time, and each log report has the alarm level set to "No Alarm" by default.  The only valid user operation on this table is to change the alarm level on an existing tuple.

Following are the fields and associated datafill:

-----------------------------------------------------------------------------------------
Datafilling Table AUDALARM

Field            Entry               Explanation and Action
-----------------------------------------------------------------------------------------
LOGREP           Alphanumeric        This is the key field in the form:
                 (16 characters)     'logname$report number'
                                     Only lognames and report numbers of secret logs are
                                     keys to this table.
-----------------------------------------------------------------------------------------
ALARM            NA, MN,             This sets the alarm to raise whenever the report is
                 MJ, or CR           logged.
-----------------------------------------------------------------------------------------

Automatic Dial-Back Table (DIALBACK)

The table DIALBACK enhances the security of dial-up ports.  It requires feature package NTX293AA.

The special dial-back login sequence is performed only if the correct hardware and firmware are available, and the DIALBACK flag associated with the modem is set.

The LOGINCONTROL command permits the operating company to turn DIALBACK on or off for a specific port as well as change three dial-out related values:

Command DIALBACKPW allows the operating company to change dial-back passwords.  This should be a privileged command to prevent security violations.

Login Control Table (LGINCTRL)

The table LGINCTRL is provided to enable the login control data to be dumped and restored during the software application process.  This enables data to be preserved between software loads.  This table is an extension to table TERMDEV that controls the addition or deletion of tuples for table LGINCTRL.

The operating company can change the tuples directly if it so desires, but it is highly recommended that the CI command LOGINCONTROL be used instead.

Associated Commands

Following are the commands associated with the Enhanced Office Security software packages:

PASSWORD

>PASSWORD [username] [newpw]

Changes a user's own password.  Only the ADMIN user can change another user's password.  (See Note 1)

Where:

Password characteristics are controlled by the following parameters (default values) in table OFCENG:

   MIN_PASSWORD_LENGTH : 6 characters 
     PASSWORD_LIFETIME : 30 days 
EXPIRED_PASSWORD_GRACE : 3 logons (See Notes 2 & 3)

Responses:

PASSWORD: ENTER NEW LOGON PASSWORD

Explanation:  Normal system prompting before [newpw] is entered.

PASSWORD: ENTER YOUR CURRENT PASSWORD TO VERIFY

Explanation:  Normal system prompting after valid [newpw] has been entered.

PASSWORD FOR XXXXXXXX HAS BEEN CHANGED.  IT MUST BE CHANGED AGAIN WITHIN 30 DAYS

Explanation:  Normal response when the new password has replaced the old password.

PASSWORD: SORRY THAT PASSWORD SHOULD BE AT LEAST 6 CHARACTERS LONG

Explanation:  A new password has been entered that does not conform to the office parameter MIN_PASSWORD_LENGTH.  Select a proper password and reenter it.

*****WARNING***** 
YOUR LOGON PASSWORD HAS NOT BEEN CHANGED IN 30 DAYS.  YOU HAVE 3 MORE LOGON SESSIONS TO 
CHANGE YOUR PASSWORD AFTER WHICH YOU WILL *NOT* BE ABLE TO LOGON

Explanation:  Reminder to a user at login time that office parameter PASSWORD_LIFETIME has been exceeded, and that EXPIRED_PASSWORD_GRACE parameter is in effect.

Notes:

  1. PASSWORD is only present and active when the Enhanced Office Security software package is provisioned, and the ENHANCED_PASSWORD_CONTROL parameter in table OFCOPT is set to "TRUE".
  2. PASSWORD should first be entered alone.  The system then prompts the user to enter [newpw].
  3. PASSWORD must be used periodically to change passwords.  Users are automatically reminded to change their passwords when PASSWORD_LIFETIME has expired.  The new password must be different from the old password.
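The three OFCENG parameters listed under PASSWORD (MIN_PASSWORD_LENGTH, PASSWORD_LIFETIME, EXPIRED_PASSWORD_GRACE) and the login-time warning above describe a small policy: a password older than PASSWORD_LIFETIME still works for EXPIRED_PASSWORD_GRACE logons, after which the user is refused, and a replacement must meet the minimum length and differ from the old one.  The following Python is an added example written for this page, not Nortel code: `PasswordPolicy`, `Account`, `evaluate_logon` and `validate_new_password` are our names, the defaults and ranges are those given on the page, and the wording of the rejection for a reused password is ours (the page gives no message for that case).

```python
"""Model of the OFCENG password parameters and the PASSWORD command's checks.
Added example for this page, not Nortel code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_password_length: int = 6      # MIN_PASSWORD_LENGTH, default 6, range 0-16
    password_lifetime: int = 30       # PASSWORD_LIFETIME in days, default 30, 0-32767
    expired_password_grace: int = 3   # EXPIRED_PASSWORD_GRACE in logons, default 3, 0-32767

    def __post_init__(self):
        if not 0 <= self.min_password_length <= 16:
            raise ValueError("MIN_PASSWORD_LENGTH must be 0-16")
        for name in ("password_lifetime", "expired_password_grace"):
            if not 0 <= getattr(self, name) <= 32767:
                raise ValueError(f"{name} must be 0-32767")


@dataclass
class Account:
    username: str
    password: str                 # a real switch stores this encrypted; plain text here
    password_age_days: int        # days since the password was last changed
    grace_logons_used: int = 0    # logons made since PASSWORD_LIFETIME was exceeded


def evaluate_logon(acct, policy):
    """Return ('OK' | 'WARN' | 'DENY', logons remaining before refusal).

    Once the password is older than PASSWORD_LIFETIME the user gets
    EXPIRED_PASSWORD_GRACE more sessions, each announced with the *WARNING*
    banner shown on the page, and is refused on the next one.  A grace logon
    that is granted is counted on the account.
    """
    if acct.password_age_days <= policy.password_lifetime:
        return "OK", None
    remaining = policy.expired_password_grace - acct.grace_logons_used
    if remaining <= 0:
        return "DENY", 0
    acct.grace_logons_used += 1
    return "WARN", remaining          # "YOU HAVE n MORE LOGON SESSIONS ..."


def validate_new_password(old, new, policy, username="XXXXXXXX"):
    """Apply the PASSWORD command's checks; return (accepted, response text)."""
    if len(new) < policy.min_password_length:
        return False, (f"PASSWORD: SORRY THAT PASSWORD SHOULD BE AT LEAST "
                       f"{policy.min_password_length} CHARACTERS LONG")
    if new == old:
        # The page requires the new password to differ; this wording is ours.
        return False, "PASSWORD: NEW PASSWORD MUST DIFFER FROM THE CURRENT PASSWORD"
    return True, (f"PASSWORD FOR {username} HAS BEEN CHANGED.  IT MUST BE CHANGED "
                  f"AGAIN WITHIN {policy.password_lifetime} DAYS")


if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = Account("OPER1", "secret1", password_age_days=31)   # constructed account
    for _ in range(4):
        print(evaluate_logon(acct, policy))   # WARN 3, WARN 2, WARN 1, DENY 0
    print(validate_new_password("secret1", "abc", policy))
    print(validate_new_password("secret1", "changed2", policy, "OPER1"))
```

Setting EXPIRED_PASSWORD_GRACE to its minimum of 0 makes the first logon after the lifetime a refusal, which is the stricter configuration; the default of 3 trades that for a chance to change the password without involving ADMIN.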

PERMIT

>PERMIT [username] [password] {priority} {stksize} {language} {cmdclass}

Assigns command classes, previously defined by PRIVCLAS, to specified users.  It also alters previous assignments to a user, or defines new users.

Where:


PRIVCLAS

>PRIVCLAS ALL [cmdname] [modname] [cmdclass] [cmdlist]

Adds, changes, or deletes the privilege class for specified command(s) or program module(s).  Lists all current privilege commands and their classes.  Sets DUMPSAFE state for specified command(s) or module(s).

Where:

Values:


LOGINCONTROL

>LOGINCONTROL [console_name, {ALL}] [option]

Controls login access to consoles.

Option Descriptions:

QUERY

Displays the current settings and current state of a console (port).  The BRIEF option causes only the current enable state and the current user to be displayed.  The FULL option displays the state of all options that can be set by the other parameters.

ENABLE

Allows login attempts on a port to be accepted by the system.

DISABLE [disabletime]

Causes the system to refuse any login attempt.  The optional subparameter, [disabletime], specifies how long (in minutes) the port is unavailable for logins.  Range is 1 to 32,767 or FOREVER (default).

Note:  Currently logged in ports cannot be disabled.  If the LOGINCONTROL command is used to set all ports disabled, only those ports that are not currently logged in are disabled.

AUTODISABLETIME [disabletime]

Determines how long a port is disabled if it is disabled automatically by the system.  The optional subparameter, [disabletime], specifies how long (in minutes) the port is unavailable for logins.  Range is 1 to 32,767 or FOREVER (default).


MAXLOGINTIME [seconds]

Determines the maximum time (in seconds) a user may take to log in on a specific port.  If the timeout is exceeded, the login sequence is canceled and the port is optionally disabled (see DISABLEON parameter).  Range is 1 to 32,767.  The default is 60 seconds.

MAXIDLETIME [minutes]

Determines the maximum time (in minutes) a user may leave a port unattended.  If timeout is exceeded, the user is forced out and the port is optionally disabled (see DISABLEON parameter).  Range is 2 to 546 or FOREVER (default).

LOGINRETRIES [retries]

Determines the number of login attempts a user is allowed before the login sequence is canceled.  If the login sequence is canceled, the port may also be optionally disabled (see DISABLEON parameter).  Range is 1 to 32,767.  The default is 4.

OPENCONDITIONFORCEOUT [true/false]

Indicates that the user at the reported terminal should be logged out when a line open condition is detected.  The port may optionally be disabled.

DISABLEON [add/set/remove] [action]

Determines the events that cause a port to be automatically disabled.  The DISABLEON parameter takes two subparameters.  The first subparameter is either ADD, SET, or REMOVE that specifies what to do with the second [action] subparameter, which is any number of entries from the following list:

DIALBACK [state]

Disables dial-back for the specified port, or enables the port as a dial-out or answer modem.  Where [state] is: OFF, ANSWER, or DIAL.

DIALOUT [max_calls] [dialtype]

Sets the maximum number of rings the modem is to wait for an answer before aborting the call, the maximum number of dial-back calls that the modem will attempt, and the line type associated with the modem (dial pulse or tone).  Range for [max_calls] is 1 to 7 and [dialtype] is AUTO, PULSE, or TONE.

Examples:

To enable a port:

>LOGINCONTROL DIALUP1 ENABLE

To enable all ports:

>LOGINCONTROL ALL ENABLE

To disable a port temporarily:

>LOGINCONTROL DIALUP1 DISABLE MINS 10

To set a port to force out a user if the user has been idle for ten minutes:

>LOGINCONTROL DIALUP1 MAXIDLETIME MINS 10

To set the port to disable if the user does not login in two attempts:

>LOGINCONTROL DIALUP1 LOGINRETRIES 2
>LOGINCONTROL DIALUP1 DISABLEON LOGINFAIL

To turn off disable on IDLETIMEOUT for all terminals:

>LOGINCONTROL ALL DISABLEON REMOVE IDLETIMEOUT

To set the disable options of a port to a specific list:

>LOGINCONTROL DIALUP1 DISABLEON SET LOGINFAIL IDLETIMEOUT LOGOUT

To turn off all disable options for a port:

>LOGINCONTROL DIALUP1 DISABLEON REMOVE LOGINFAIL IDLETIMEOUT LOGOUT LOGINTIMEOUT

To display current settings:

>LOGINCONTROL ALL QUERY

To force out a terminal when a line open condition is detected:

>LOGINCONTROL DIALUP1 OPENCONDITIONFORCEOUT

To set the terminal to disable if a line open condition exists:

>LOGINCONTROL DIALUP1 OPENCONDITIONFORCEOUT DISABLEON ADD OPENCOND

To turn off all disable options for a terminal:

>LOGINCONTROL DIALUP1 DISABLEON REMOVE LOGINFAIL IDLETIMEOUT LOGOUT LOGINTIMEOUT OPENCOND
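The examples above exercise LOGINCONTROL one option at a time; the interaction between LOGINRETRIES, MAXLOGINTIME, MAXIDLETIME, AUTODISABLETIME and the DISABLEON action list is easier to see in a small model that tracks one port through a sequence of events.  The following Python is an added example written for this page, not Nortel code: the `Port` class and its method names are ours, the option defaults and the DISABLEON actions (LOGINFAIL, IDLETIMEOUT, LOGOUT, LOGINTIMEOUT, OPENCOND) are those shown on the page, and the SECU report numbers recorded for each event are taken from the "Associated Logs" descriptions where they match the event exactly.

```python
"""Model of a console port under LOGINCONTROL (added example, not Nortel code)."""

FOREVER = None   # stands for the FOREVER value of the time-valued options
ACTIONS = {"LOGINFAIL", "IDLETIMEOUT", "LOGOUT", "LOGINTIMEOUT", "OPENCOND"}


class Port:
    """One console or dial-up port with its LOGINCONTROL settings and state."""

    def __init__(self, name):
        self.name = name
        self.enabled = True
        self.disabled_for = None      # minutes remaining when disabled, None = FOREVER
        self.user = None              # currently logged-in user, if any
        self.failed = 0               # consecutive failed login attempts
        # option defaults from the option descriptions on the page
        self.autodisabletime = FOREVER  # AUTODISABLETIME
        self.maxlogintime = 60          # MAXLOGINTIME, seconds
        self.maxidletime = FOREVER      # MAXIDLETIME, minutes
        self.loginretries = 4           # LOGINRETRIES
        self.disableon = set()          # DISABLEON action list
        self.logs = []                  # SECU reports the events would produce

    # ---- LOGINCONTROL options -------------------------------------------------
    def enable(self):
        self.enabled, self.disabled_for = True, None
        self.logs.append("SECU114")     # console manually enabled

    def disable(self, minutes=FOREVER):
        if self.user is not None:
            raise RuntimeError("currently logged-in ports cannot be disabled")
        self.enabled, self.disabled_for = False, minutes
        self.logs.append("SECU114")     # console manually disabled

    def set_disableon(self, op, *actions):
        """DISABLEON ADD/SET/REMOVE <actions>."""
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown DISABLEON actions: {sorted(unknown)}")
        if op == "ADD":
            self.disableon |= set(actions)
        elif op == "SET":
            self.disableon = set(actions)
        elif op == "REMOVE":
            self.disableon -= set(actions)
        else:
            raise ValueError("op must be ADD, SET or REMOVE")

    # ---- events ----------------------------------------------------------------
    def _maybe_disable(self, action, log_if_disabled=None):
        """Disable the port for AUTODISABLETIME if `action` is in the DISABLEON list."""
        if action in self.disableon:
            self.enabled, self.disabled_for = False, self.autodisabletime
            if log_if_disabled:
                self.logs.append(log_if_disabled)

    def login_attempt(self, username, password_ok, seconds_taken):
        """One login attempt; returns True when the login completes."""
        if not self.enabled:
            self.logs.append("SECU113")              # login on a port not enabled
            return False
        if seconds_taken > self.maxlogintime:
            self._maybe_disable("LOGINTIMEOUT", "SECU115")
            return False
        if not password_ok:
            self.failed += 1
            self.logs.append("SECU102")              # invalid identification/password
            if self.failed >= self.loginretries:
                self.failed = 0
                self._maybe_disable("LOGINFAIL", "SECU116")
            return False
        self.failed, self.user = 0, username
        self.logs.append("SECU101")                  # valid login
        return True

    def idle(self, minutes):
        """Force the user out when MAXIDLETIME is exceeded."""
        if self.user and self.maxidletime is not FOREVER and minutes > self.maxidletime:
            self.user = None
            self.logs.append("SECU118")              # idle too long, user logged off
            self._maybe_disable("IDLETIMEOUT")

    def open_condition(self):
        """OPENCONDITIONFORCEOUT: a line open condition logs the user out."""
        if self.user:
            self.user = None
            self.logs.append("SECU118")
            self._maybe_disable("OPENCOND")

    def logout(self):
        if self.user is None:
            return
        self.user = None
        self.logs.append("SECU101")                  # normal logoff
        self._maybe_disable("LOGOUT", "SECU119")     # disabled after logout
```

Following the page's own example, `set_disableon("ADD", "LOGINFAIL")` with `loginretries = 2` disables the port on the second bad password; a third attempt then produces SECU113 rather than another SECU102, which is the pattern a log reviewer should expect to see after a brute-force attempt against a correctly configured port.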

Login Banner

The login banner feature (NTXS07AA) displays a banner immediately following a successful login.  The banner appears after a successful login - on the initial login, not a remote login - and survives all restarts.  The customer can define the banner by using the SETBANNER command to replace the current login banner with a user-defined banner file.  The user banner file may be no longer than 22 lines of 80 characters per line; a file that exceeds this limit is truncated before being copied.  The user banner file must not be blank or have its first 22 lines blank; a blank file is not copied.  The device on which the user banner file is stored, and the name of that file, must both be provided so that SETBANNER can locate the file.

It is suggested that the customer PRIVCLAS the SETBANNER command using the CMDS table.  Until the customer replaces the default login banner text, it will read:

This is a private database.  All activity is subject to monitoring.
Any UNAUTHORIZED access or use is PROHIBITED, and may result in PROSECUTION.

Associated Logs

The following SECUXXX, SOSXXX, and TABLXXX logs are associated with the Enhanced Office Security software packages:

-----------------------------------------------------------------------------------------------
Log Report      Description
-----------------------------------------------------------------------------------------------
SECU101         The Security (SECU) subsystem generates this report when a valid user logs
                on or off a terminal using normal login or logoff procedures. 
-----------------------------------------------------------------------------------------------
SECU102         Generated when a user attempts to login on a terminal using an invalid 
                identification or password. 
-----------------------------------------------------------------------------------------------
SECU103         Generated when one user forces another user off their logged-in terminal.
-----------------------------------------------------------------------------------------------
SECU104         Generated when a user changed the commandset class for a privileged 
                command or the automatic logging of command use or abuse in table CMDS. 
-----------------------------------------------------------------------------------------------
SECU105         Generated when one user changes the password for another user. 
-----------------------------------------------------------------------------------------------
SECU106         Generated when a user with the proper command class set issues a command 
                datafilled in table CMDS, and the command is executed. 
-----------------------------------------------------------------------------------------------
SECU108         Generated when a user without the proper command class set attempts to 
                access a table, and the table is not accessed.
-----------------------------------------------------------------------------------------------
SECU109         Generated when a valid user logs on a terminal using Priority Login (PLOGIN)
                procedures. 
-----------------------------------------------------------------------------------------------
SECU110         The security subsystem generates this report when a user attempts a 
                Priority Login (PLOGIN) on a terminal using an invalid identification or 
		password. 
-----------------------------------------------------------------------------------------------
SECU111         The security subsystem generates this report when a user changes the command
                class set for a terminal defined in customer data table TERMDEV. 
-----------------------------------------------------------------------------------------------
SECU112         Generated when one user adds or changes the security profile for another user.
-----------------------------------------------------------------------------------------------
SECU113         Generated when an attempt is made to login on a terminal that is not enabled.
-----------------------------------------------------------------------------------------------

SECU114         Generated when a console is manually enabled or disabled. 
-----------------------------------------------------------------------------------------------
SECU115         Generated when the maximum login time specified by the LOGINCONTROL command is 
                exceeded, and the terminal is disabled. 
-----------------------------------------------------------------------------------------------
SECU116         The security subsystem generates this report when the maximum number of invalid
                login attempts specified by the LOGINCONTROL command is exceeded, and the
		console is disabled. 
-----------------------------------------------------------------------------------------------
SECU117         Generated when a terminal is automatically enabled by the system as specified by
                the LOGINCONTROL command. 
-----------------------------------------------------------------------------------------------
SECU118         Generated when a user is idle too long or a line open condition is detected. 
                The user is automatically logged off the terminal, and the terminal is 
		disconnected, depending on the terminal's security profile defined in table 
		TERMDEV and by LOGINCONTROL. 
-----------------------------------------------------------------------------------------------
SECU119         The security generates this report when a terminal is disabled by the system 
                after the user has logged out, or the terminal has been busied out.
-----------------------------------------------------------------------------------------------
SECU120         Generated when a user attempts to login on a dial-up terminal using an invalid
                identification or password. 
-----------------------------------------------------------------------------------------------
SECU121         Generated when a valid user logs on a dial-up terminal using normal login
                procedures. 
-----------------------------------------------------------------------------------------------
SECU122         Generated when an attempt to logon on a dial-up terminal fails. 
-----------------------------------------------------------------------------------------------
SECU123         Generated when an attempt to login on a dial-up terminal succeeds, the dial-
                back call is successful, and the login is completed. 
-----------------------------------------------------------------------------------------------
SECU124         Generated when a user changes the dial-back password for a user. 
-----------------------------------------------------------------------------------------------
SECU125         Generated when dial-back is enabled for a dial-up terminal. 
-----------------------------------------------------------------------------------------------
SECU126         Generated when dial-back is disabled for a dial-up terminal. 
-----------------------------------------------------------------------------------------------
SECU127         Generated when a START, STOP, REMOVE, or OVERRIDE command is used in the
                Automatic Line Testing (ALT) MAP levels.  This log is also generated when
                changes are made to the start field.
-----------------------------------------------------------------------------------------------
SECU128         Generated when the system or the ADMIN user activates or deactivates the AUTOLOG
                feature.
-----------------------------------------------------------------------------------------------
SECU129         Generated when the AUTOLOG CLASS command is issued by the ADMIN user.
-----------------------------------------------------------------------------------------------
SOS600          Informs the customer that a hung login process has been killed.  It captures
                status information of the login process to help debug the hung login process.
-----------------------------------------------------------------------------------------------
TABL100         The table subsystem generates this report to indicate that an authorized user
                has accessed the customer data table in read mode and displayed a tuple.
                It is generated once per table entry.
-----------------------------------------------------------------------------------------------
TABL101         Generated to indicate that an authorized user has accessed the specified
                customer data table in write mode.  This report is generated once per tuple
                update.
-----------------------------------------------------------------------------------------------
TABL102         Generated to indicate that an unauthorized user has attempted to access the
                specified customer data table.  This report is generated once per table entry
                attempt only.
-----------------------------------------------------------------------------------------------
TABL103         Generated to indicate that an unauthorized user has accessed the customer data
                table in write mode.  This report is generated once per tuple update.
-----------------------------------------------------------------------------------------------
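
The log codes above are the records a security team actually watches.  As an added example (not from the Nortel manual), the Python script below triages a batch of SECU/TABL records.  It assumes a simplified, constructed record layout of "CODE MONDD HH:MM:SS free text with KEY=VALUE pairs"; this is not the real DMS-100 log format, which the manual does not reproduce, and only the log codes and their meanings come from the manual.  The alert severities, the sample records, and the rule threshold (three failed logins on one port within five minutes, matching the LOGINRETRIES value recommended later in this subsection) are this example's own choices.

```python
"""Triage DMS-100 SECU/TABL security logs (added example, not Nortel code).

Assumed record layout (constructed for this example, NOT the real DMS-100
log format):   CODE MONDD HH:MM:SS <free text containing KEY=VALUE pairs>
Only the log codes and their meanings are taken from the manual.
"""
import re
from collections import defaultdict

# Codes that warrant an alert on every occurrence.  The severities are this
# example's choice; the manual's AUDALARM step assigns its own alarm levels.
ALWAYS_ALERT = {
    "SECU124": "MAJOR",   # dial-back password changed for a user
    "SECU126": "MINOR",   # dial-back disabled for a dial-up terminal
    "SECU128": "MINOR",   # AUTOLOG feature activated or deactivated
    "TABL102": "MINOR",   # unauthorized attempt to access a customer data table
    "TABL103": "MAJOR",   # unauthorized user wrote to a customer data table
}
LOGIN_FAIL = "SECU122"                 # failed login on a dial-up terminal
LOGIN_OK = {"SECU121", "SECU123"}      # successful login (without / with dial-back)

LINE_RE = re.compile(
    r"^(?P<code>[A-Z]{4}\d{3})\s+(?P<date>[A-Z]{3}\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<text>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse(line):
    """Return a dict for one record, or None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["secs"] = h * 3600 + mi * 60 + s          # seconds since midnight
    rec["fields"] = dict(KV_RE.findall(rec["text"]))
    return rec


def triage(lines, retries=3, window=300):
    """Return a list of (severity, code, port, message) alerts.

    `retries` mirrors LOGINCONTROL ... LOGINRETRIES 3: once that many failures
    hit one port inside `window` seconds the port should have been disabled,
    so reaching the threshold, or a success right after it, is worth an alert.
    """
    alerts = []
    fails = defaultdict(list)        # (date, port) -> times of recent failures
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # banner, wrapped line or other noise
        code = rec["code"]
        port = rec["fields"].get("PORT", "?")
        user = rec["fields"].get("USER", "?")
        key = (rec["date"], port)
        recent = [t for t in fails[key] if rec["secs"] - t <= window]
        if code == LOGIN_FAIL:
            recent.append(rec["secs"])
            if len(recent) >= retries:
                alerts.append(("MAJOR", code, port,
                               f"{len(recent)} failed logins on {port} within {window}s"))
        elif code in LOGIN_OK:
            if recent:
                alerts.append(("MAJOR", code, port,
                               f"login by {user} on {port} succeeded after {len(recent)} recent failures"))
            recent = []              # a successful login closes the failure window
        elif code in ALWAYS_ALERT:
            alerts.append((ALWAYS_ALERT[code], code, port, f"{rec['text']} (user {user})"))
        fails[key] = recent
    return alerts


# Constructed sample records in the assumed layout (not real switch output).
SAMPLE_LOG = """\
SECU121 MAR12 08:00:02 LOGIN OK PORT=MAP0 USER=SMTCE
SECU122 MAR12 14:03:11 LOGIN FAILED PORT=MODEM1 USER=ADMIN
SECU122 MAR12 14:03:40 LOGIN FAILED PORT=MODEM1 USER=ADMIN
SECU122 MAR12 14:04:05 LOGIN FAILED PORT=MODEM1 USER=ADMIN
SECU123 MAR12 14:05:30 LOGIN OK DIALBACK OK PORT=MODEM1 USER=ADMIN
SECU124 MAR12 14:06:10 DIALBACK PASSWORD CHANGED PORT=MODEM1 USER=ADMIN TARGET=TMTCE
TABL102 MAR12 15:20:00 UNAUTHORIZED ACCESS ATTEMPT TABLE=OFCENG PORT=MODEM2 USER=ETAS
TABL101 MAR12 15:21:00 WRITE ACCESS TABLE=OMACC PORT=MAP1 USER=DADMIN
** not a log record, ignored **
"""

if __name__ == "__main__":
    for sev, code, port, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"{sev:5} {code} {port:7} {msg}")
```

Run against the sample, the script raises four alerts: the third SECU122 on MODEM1, the SECU123 that succeeds right after those failures, the SECU124 password change, and the TABL102 attempt on OFCENG.  TABL101 is an authorized write and is left to the TABL-level review; TABL100 is emitted once per tuple displayed and would need the same per-port aggregation before it is useful as an alert source.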

Arrangement of User Classes

Switch users should be organized into classes that define the specific set of functions they are required to perform.  These functional needs in turn dictate the command requirements for each user class.  The assignment of user commands and table access is flexible so that it can meet telephone company operational requirements.  The rule is: the division of tasks defines the purpose of each user class.

The following are the names and descriptions of some typical user classes.

Administration (ADMIN)

Provides the user with unlimited access from any device to all command classes (see PRIVCLAS).  ADMIN is assigned the highest priority level.  The password associated with ADMIN cannot be displayed, and cannot be changed by any other user.

Switch Maintenance (SMTCE)

Enables the user to maintain the DMS-100 switch by performing regular maintenance and fault correction for the following:

The SMTCE user also performs all database changes to administer the switch.  SMTCE monitors the switch status, runs diagnostic programs, and replaces equipment.  This class has commands associated with table editor and the Support Operating System (SOS).  SMTCE class also includes control center positions for analyzers and office control responsibilities.

Trunk Maintenance (TMTCE)

Enables the user to perform regular maintenance and fault correction for trunk circuits, trunk facilities, and trunk translations (maintenance and input).  The user monitors the trunk status, runs diagnostic programs, and performs hardware tests.

TMTCE use is limited to the input commands available to the user's class: only those commands associated with testing and maintaining trunks and trunk facilities.  The user has access to the table editor commands, but is restricted in changing specific tables as required by the position profile.  The TMTCE functions are performed from a Trunk Test Position (TTP).  This class of user also includes the control center position for trunk analysis control responsibilities.

Network Management (NM)

Enables the user to make optimum use of available facilities and equipment by exercising routing control over traffic oriented switch resources.  The user monitors traffic levels, applies manual controls, adjusts automatic controls, and receives Operational Measurement (OM) traffic reports.

NM has interactive capabilities to execute only those input commands assigned to its class.  The user is allowed data table query capabilities, but is restricted to changes for specific data tables.

Dial Administration (DADMIN)

This class enables the user to monitor OM traffic reports.  DADMIN can alter OM scheduling, assignments, and thresholds.

The DADMIN user has access to the table editor repertoire of commands when altering data associated with OMs.  Full data table query capabilities are also afforded the user (in particular, traffic register assignment and readings).

Service Analysis (SA)

Enables the user to monitor, on a random basis, customer-dialed and operator-assisted toll calls to obtain information on the quality of service provided by the equipment and personnel.

The SA user has access to the table editor repertoire of commands, but is screened on a table basis to change only those data tables associated with this class.  The SA user has access to the "SAselect" area of the MAPCI commands.

Technical Assistance Center (TAC)

The TAC, or an equivalent technical support group such as an Electronic Systems Assistance Center (ESAC), monitors unattended switching units and provides technical assistance to switching center personnel as required.  The TAC is a centralized maintenance group of highly trained and experienced personnel.

This user class has interactive capabilities to execute all input commands that are applicable to switch maintenance.

Emergency Technical Assistance Service (ETAS)

Nortel Networks' ETAS provides assistance to customers' TAC groups when they are having difficulty correcting switching problems.

This user class is restricted to those input commands required for system interrogation, data dumps, and similar tasks.  No machine operating parameters, including tables OFCOPT, OFCENG, OFCVAR, OFCSTD, CUSTPROT, TERMDEV, CMDS, AUDALARM, and the equipment inventory tables, should be alterable from this position.

Line Maintenance (LMTCE)

Enables the user to monitor the status of line cards, run diagnostics on line cards, sectionalize troubles, test and diagnose troubles with the office, query and change subscriber data, and schedule automatic line card diagnostics.

Repair Service Bureau (RSB)

Enables the user to sectionalize troubles, test and diagnose facility troubles, schedule Automatic Line Insulation Testing (ALIT), receive ALIT outputs, and query or change subscriber data.

Traffic Administration (TA)

Enables the user to receive automatic periodic summary reports of traffic statistics accumulated by the switching system.  These reports reflect traffic peg counts, overflows, usage of the switching units, and OMs.  The TA user can modify the schedule and output of these reports.

Minimum Security Implementation

There are four key areas in implementing minimum security: (1) passwords, (2) ports, (3) tables, and (4) commands.

Listed below is a step-by-step example of implementing minimum security for the DMS-100 family of switches.  The scheme reserves classes 1 through 13 for commands and 15 through 29 for tables.  Classes 14 and 30 are reserved for the administrator.  Class assignment is flexible: any command or table can be assigned any or all of the 31 allowable classes (0 through 30).

Commands are automatically written into table CMDS, upon their first use, with a class of 0.  Therefore, command class 0 should not be assigned to a user after all user classes have been designated.

Steps 1 and 2 show the office parameters associated with enhanced security.

Step 3 shows the recommended settings for password security.

Steps 4 and 5 show the use of the command LOGINCONTROL and how to secure port access.

Steps 6 through 13 show an example of restricting ports and users in their access to tables.

Steps 14 through 16 show the restriction of specific commands to specific users.

Step 17 shows the assignment of an external alarm and log to specific secret logs that are not alarmed in tables CMDS and CUSTPROT.

  1. Check the following parameters in table OFCOPT for correct settings as listed:

     ENHANCED_COMMAND_SCREENING = Y
     ENHANCED_PASSWORD_CONTROL = Y
     SUPPRESS_USERNAME = Y
     MONITOR_TABLE_ACCESS = Y

  2. Check the following parameter in table OFCVAR for the correct setting as listed:

     TABLE_ACCESS_CONTROL = Y

  3. The following tuples in table OFCENG set the parameters associated with user passwords; the values shown are the recommended settings.  These parameters appear only if the table OFCOPT parameter ENHANCED_PASSWORD_CONTROL is set to "Y".  Treat MIN_PASSWORD_LENGTH = 4 as the floor the switch will enforce, not as a target; use the longest minimum that local password policy allows:

     PASSWORD_LIFETIME = 30
     MIN_PASSWORD_LENGTH = 4
     EXPIRED_PASSWORD_GRACE = 1

  4. Review the existing login control parameters set for all ports.  Input the following command to print out these parameters:

     >LOGINCONTROL ALL QUERY FULL

  5. Set login control parameters for all ports.  For more information on the LOGINCONTROL command, see NTP 297-1001-822, Commands Reference Manual.  The following are the suggested login control parameters:

     >LOGINCONTROL ALL DISABLE                 # Disables all idle ports
     >LOGINCONTROL ALL AUTODISABLETIME FOREVER
     >LOGINCONTROL ALL MAXLOGINTIME SECS 60
     >LOGINCONTROL ALL MAXIDLETIME MINS 15
     >LOGINCONTROL ALL LOGINRETRIES 3
     >LOGINCONTROL ALL DISABLEON SET LOGINFAIL
     >LOGINTIMEOUT IDLETIMEOUT

     Note:  A secret log SECUXXX is generated.

  6. Print a hard copy of tables CUSTPROT and TERMDEV and the output of the SHOW USERS command.  These will be needed for reference with the remaining implementation steps.

  7. Log out and log in as the ADMIN user.

  8. Review table TERMDEV for devices whose access to tables should be restricted.

  9. Change field COMCLASS from "ALL" to "0 1 2 3 4 5 6 7 8 9 10 11 12 13 15".

  10. Review the SHOW USERS printout for users to be restricted from accessing tables.

  11. Using the command PERMIT, change the command class of the users to be restricted from "ALL" to "0 1 2 3 4 5 6 7 8 9 10 11 12 13 15".

  12. Enter table CUSTPROT and change the entries for the following tables and fields.  Default values for this table are "15, 15, OFF, OFF":

     TABLE     UPDTPROT   ALLPROT   VALACC   DENACC
     ----------------------------------------------
     OFCENG    28         29        WRITE    WRITE
     OFCSTD    28         29        WRITE    WRITE
     OFCOPT    28         29        WRITE    WRITE
     OFCVAR    28         29        WRITE    WRITE
     CUSTPROT  30         30        WRITE    WRITE
     CMDS      30         30        WRITE    WRITE
     AUDALARM  30         30        WRITE    WRITE
     TERMDEV   30         30        WRITE    WRITE
     DIALBACK  30         30        WRITE    WRITE
     LGINCTRL  30         30        WRITE    WRITE

  13. Assign class 28 to users that are allowed to update the above tables and assign class 29 to those users allowed complete access to the above tables.

     Notes:

  14. Access table CMDS and perform the following changes to fields LOGONUSE, USEALARM, LOGABUSE, and ALRMABUS (the CLASS column shows the class each command is given in step 15):

     COMMAND      LOGONUSE   USEALARM   LOGABUSE   ALRMABUS   CLASS
     --------------------------------------------------------------
     ENGWRITE     Y          NA         Y          NA         13
     JFFREEZE     Y          MJ         Y          CR         14
     LOGINCONTROL Y          NA         Y          NA         13
     MODEDIT      Y          MJ         Y          MJ         13
     PRIORITY     Y          NA         Y          NA         13
     PRIVCLAS     Y          NA         Y          NA         14
     PRIVERAS     Y          NA         Y          NA         14
     RESTART      Y          CR         Y          CR         13
     RESTARTBASE  Y          CR         Y          CR         13
     RWOK         Y          NA         Y          MN         13
     SHOWDBPW     Y          NA         Y          NA         14
     SHOWPW       Y          NA         Y          NA         14
     SLEEP        Y          MJ         Y          MJ         13
     SLEEPTIL     Y          NA         Y          NA         13
     PERMIT       Y          NA         Y          NA         14
     UNPERMIT     Y          NA         Y          NA         14
     LOGUTIL:
     OPENSECRET   Y          NA         Y          NA         14

  15. Using the command PRIVCLAS, assign the above commands to their respective classes, for example:

     >PRIVCLAS ENGWRITE $ 13
     >PRIVCLAS OPENSECRET LOGUTIL 14

  16. Assign command class 13 to those users allowed the above commands:

     >PERMIT [username] [password] 1 4000 ENGLISH 0 1 2 3 4 5 6 7 8 9 10 11 12 13 15

     Notes:

  17. Enter table AUDALARM and change the following records:

     Log Report   Alarm     Reason
     -------------------------------------------------------------
     SECU103      Minor     One user forces another out.
     SECU107      Major     Command abuse.
     SECU111      Minor     Changes to port class in table TERMDEV.
     SECU124      Major     Dial-back password changed for a user.

     Notes:


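The seventeen steps above spread one policy across OFCOPT, TERMDEV, PERMIT, CUSTPROT, and CMDS, and it is easy to leave an administrator-only command reachable from a port or user that was missed.  As an added example (not Nortel code, and not an emulation of the switch), the Python below models the command side of that scheme so that the SHOW USERS and TERMDEV printouts from step 6 can be checked after transcription.  It assumes a simplification the manual does not state: a command whose class in table CMDS is C runs only when C is in both the user's PERMIT class list and the device's COMCLASS list.  The user, device, and command data in the block are constructed; the class layout (1 through 13 commands, 15 through 29 tables, 14 and 30 administrator) and the admin-only command list come from this subsection.

```python
"""Audit the class-based command screening scheme (added example, not Nortel code).

Assumed simplification, not stated in the manual: a command whose CMDS class
is C may be executed when C appears in BOTH the user's PERMIT class list and
the device's TERMDEV COMCLASS list.  All user/device/command data below is
constructed; the class layout and the admin-only command list follow the
manual's minimum security steps.
"""
ALL_CLASSES = frozenset(range(31))            # the 31 allowable classes, 0-30
ADMIN_CLASSES = frozenset({14, 30})           # reserved for the administrator
RESTRICTED = "0 1 2 3 4 5 6 7 8 9 10 11 12 13 15"   # COMCLASS / PERMIT list from steps 9 and 11
ADMIN_ONLY_CMDS = frozenset(
    {"SHOWDBPW", "SHOWPW", "PERMIT", "UNPERMIT", "PRIVCLAS", "PRIVERAS"})


def parse_classes(spec):
    """'ALL' or a space-separated list of class numbers -> frozenset of ints."""
    if spec.strip().upper() == "ALL":
        return ALL_CLASSES
    classes = frozenset(int(tok) for tok in spec.split())
    out_of_range = classes - ALL_CLASSES
    if out_of_range:
        raise ValueError(f"class numbers outside 0-30: {sorted(out_of_range)}")
    return classes


def can_run(user_classes, device_classes, cmd_class):
    """True when the command's class is held by both the user and the device."""
    return cmd_class in user_classes and cmd_class in device_classes


def audit(users, devices, cmds):
    """Return human-readable findings.

    users:   name -> PERMIT class spec (e.g. "ALL" or "0 1 2 ... 15")
    devices: name -> TERMDEV COMCLASS spec
    cmds:    command -> class number from table CMDS
    """
    findings = []
    user_cls = {u: parse_classes(s) for u, s in users.items()}
    dev_cls = {d: parse_classes(s) for d, s in devices.items()}

    for dev, cl in dev_cls.items():
        if cl == ALL_CLASSES:
            findings.append(f"device {dev}: COMCLASS is still ALL")
    for user, cl in user_cls.items():
        held = cl & ADMIN_CLASSES
        if user != "ADMIN" and held:
            findings.append(f"user {user}: holds administrator class {sorted(held)}")
    for cmd, c in cmds.items():
        if c == 0:
            findings.append(f"command {cmd}: still at default class 0 (never PRIVCLASed)")
        if cmd in ADMIN_ONLY_CMDS:
            if c not in ADMIN_CLASSES:
                findings.append(f"command {cmd}: admin-only but assigned class {c}")
            for user, ucl in user_cls.items():
                if user == "ADMIN":
                    continue
                for dev, dcl in dev_cls.items():
                    if can_run(ucl, dcl, c):
                        findings.append(f"command {cmd}: reachable by {user} from {dev}")
    return findings


# Constructed state, as it might be read off the SHOW USERS / TERMDEV printouts.
USERS = {"ADMIN": "ALL", "SMTCE1": "ALL", "TMTCE1": RESTRICTED, "ETAS1": "1 2 3"}
DEVICES = {"MAP0": "ALL", "MODEM1": RESTRICTED}
CMDS = {"SHOWPW": 14, "PERMIT": 14, "ENGWRITE": 13, "RESTART": 13, "NEWCMD": 0}

if __name__ == "__main__":
    for line in audit(USERS, DEVICES, CMDS):
        print(line)
```

On the constructed state the audit reports five findings: MAP0 still has COMCLASS ALL, SMTCE1 still holds the administrator classes, SHOWPW and PERMIT are therefore reachable by SMTCE1 from MAP0, and NEWCMD has never been assigned a class and sits at the default class 0 that step 11 warns about.  TMTCE1, restricted per step 11, cannot reach any admin-only command from either device.
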
Security Recommendations

It is extremely difficult to provide specific security recommendations without knowledge of a company's requirements.  Below are general recommendations that provide basic security for DMS-100 family switches.  It is recommended that security measures be implemented to safeguard switch integrity.

  1. PRIVCLASS all devices and user passwords according to the needs of the device and user.
  2. Establish password aging.
  3. Change the password for user ADMIN; it should be known only by the office and/or control center supervisor.
  4. All dial-up modems should be set to "DISABLE" upon logout.
  5. Institute a manual log form for all requests for dial-up access.  When a request for dial-up access is received, the requester should be called back to verify the validity of their phone number.
  6. PRIVCLASS all sensitive data tables, such as CUSTPROT, OFCENG, OFCVAR, OFCOPT, OFCSTD, TERMDEV, CMDS, and AUDALARM.
  7. Restrict command access by user need.  The following commands should be available only to the switch administrator (ADMIN): SHOWDBPW, SHOWPW, PERMIT, UNPERMIT, PRIVCLAS, and PRIVERAS.
  8. All I/O devices (MAPs, TTPs, LTPs, etc.) should be logged out during extended periods when not in use and unattended.
  9. User passwords should be changed every three months or more often.
  10. Local procedures should be followed for disposing of printout paper, documentation, and CD-ROMs.  This may require recycling or shredding to meet local and Technical Information Agreement (TIA) security requirements.

Nortel Networks Security Service

To assist operating companies with their switch security, Nortel Networks Global Professional Services Group provides a Standardized Security Service.  There is a nominal charge for this service.  This service provides a review of the operating company's switch security.  If an operating company requests this service, security will be set up based upon information provided by the operating company and recommendations from Nortel Networks.  A special program developed by Nortel Networks will be provided to the operating company for implementation on their switches.  Nortel Networks lab testing and a VO switch designated by the operating company will provide preliminary program testing before implementation.  For further information on obtaining this service, contact Nortel Networks, Global Professional Services, Manager - Technical Services at 1-(919)-465-0434.