Secure IP Telephony: Preventing Toll Fraud (CIPT2 v5.0, © 2006 Cisco Systems, Inc. All rights reserved.)

Toll Fraud
Toll fraud can occur either from inside or from outside. Misuse of the company phone system is done by:
–Employees placing private calls (no differentiation between business calls and private calls is possible based on the dialed number)
–External attackers gaining unauthorized access to the system to exploit it
–Using telephone features for private calls
It is difficult to block all possibilities of toll fraud in most companies.

Types of Toll Fraud
[Figure: four scenarios, each between the local PSTN and international or premium numbers. Speech labels in the figure: "Call me at my work number while I am on vacation." (Call Forward All), "Voice mail, transfer me to 9011xxxxxxx." (transfer from voice mail), "Please transfer my call to extension" and "I will transfer your call." (social engineering and inside facilitators)]
–Toll Fraud 1: Call Forward All
–Toll Fraud 2: Transfer from Voice Mail
–Toll Fraud 3: Social Engineering
–Toll Fraud 4: Inside Facilitators

Restricting CFA and Voice Mail Using Calling Search Spaces

Call Forward All Exploitation
–Forward the office phone number to the home phone number and have others call a toll-free number for the office.
–Forward the office phone number to a hotel phone number in a foreign country while on vacation there.
–Forward the office phone number to an international phone number to make an international call.
Exploitation can be avoided by CFA restrictions.
[Figure: "Call me at my work number while I am on vacation."; the office phone is set to Forward All, so a call from the local PSTN is forwarded to an international or premium number]

Voice Mail Forwarding Exploitation
The voice mail system can allow a caller to be transferred to an extension. If callers can enter the number to which they want to be transferred, they could try dialing external numbers, such as international or premium numbers. Exploitation can be avoided by voice mail port restrictions.
[Figure: a caller from the local PSTN says "Voice mail, transfer me to 9011xxxxxxx." and is transferred to an international or premium number]

Steps to Restrict Forwarding
Steps to restrict Call Forward All:
1. Create partitions.
2. Create calling search spaces.
3. Assign calling search spaces to the IP Phone Forward All field.
Steps to restrict voice mail forwarding:
1. Create a partition for voice mail ports.
2. Create a calling search space.
3. Assign the calling search space to the voice mail ports.

Call Forward All Restriction Example
Calling search space       Partition       Allowed destinations
Executives_and_Manager     Internal        Internal directory numbers
                           Local           Local directory numbers
                           Long-Distance   Long-distance directory numbers
General                    Internal        Internal directory numbers

Call Forward All Restriction Example: Permitted Call
Executives and managers are allowed to forward calls to external (PSTN) numbers.

Call Forward All Restriction Example: Denied Call
Normal users are not allowed to forward calls to external (PSTN) numbers. Call forwarding is blocked.

Voice Mail Port Restrictions Example
Use partitions and calling search spaces to restrict calls to and from voice mail ports:
–Partition Voicemail_Ports allows calls to the voice mail system only from devices that have this partition in their calling search space.
–Calling search space Voicemail defines the permitted targets for calls coming from the voice mail system.

Block Commonly Exploited Area Codes
–Create a unique route pattern, or a general route pattern with a route filter, for each area code to block.
–Use partitions and calling search spaces to create different restriction levels.
–Block all numbers that are not needed according to company policies or that simply are not used.

Examples of Commonly Exploited Area Codes
Country                        Area Code   Blocked Pattern
Anguilla                                   xxxxxxx
Antigua/Barbuda                            xxxxxxx
Bahamas                                    xxxxxxx
Barbados                                   xxxxxxx
Bermuda                                    xxxxxxx
British Virgin Islands                     xxxxxxx
Cayman Islands                             xxxxxxx
Dominica                                   xxxxxxx
Dominican Republic                         xxxxxxx
Grenada                                    xxxxxxx
Jamaica                                    xxxxxxx
Montserrat                                 xxxxxxx
Puerto Rico                                xxxxxxx
St. Kitts & Nevis                          xxxxxxx
St. Lucia                                  xxxxxxx
St. Vincent & the Grenadines               xxxxxxx
Toll Charge                                xxxxxxx, xxxxxxx
Trinidad & Tobago                          xxxxxxx
Turks & Caicos Islands                     xxxxxxx
U.S. Virgin Islands                        xxxxxxx

Using Time-of-Day Routing

Using Time-of-Day Routing
Allows routing of calls to different destinations based on time of day:
–Can use different gateways, trunks, or translation patterns
–Can block calls

Time-of-Day Routing
Partitions are extended by a time-configuration attribute:
–Route patterns and translation patterns are applied to partitions (as before).
–The partitions in the calling search space are available based on time-of-day settings.
–Allows a different class-of-service configuration based on time or date.
–Can prevent costly (private) calls out of business hours, and so on.

Steps to Configure Time-of-Day Routing
1. Configure a time period.
2. Configure a time schedule.
3. Assign the time schedule to a partition.
4. Assign the partition to a calling search space.

Time Period Configuration
Can be configured at Call Routing > Class of Control in Cisco Unified CallManager Administration.
Specific time ranges:
–Time period name
–Time interval
–Repetition interval
Assigned to partitions via a time schedule.

Time Schedule Configuration
The time schedule is a list of one or more time periods. All selected time period configurations are combined to calculate the active time interval. The same time period can be associated with multiple time schedules.

Partition Configuration
A partition can be associated with a time schedule. By default, the partition is not associated with any time schedule. The administrator can specify the time zone to be used. The time schedule ensures that partitions are active or visible only at certain times.

Time-of-Day Routing Example
Time Period: Office Hours, 8:00 a.m. to 5:00 p.m., Monday through Friday
Time Schedule: US Hours (contains the Office Hours time period)
Partition: CiscoGW (assigned the US Hours time schedule)
User A, Friday 3:00 p.m.:
1. Phone A dials the number.
2. Cisco Unified CallManager extends the call to the VoIP gateway.

Time-of-Day Routing Example (Cont.)
Same partition CiscoGW, time schedule US Hours, and time period Office Hours (8:00 a.m. to 5:00 p.m., Monday through Friday).
User A, Friday 6:00 p.m.:
1. Phone A dials the number.
2. Cisco Unified CallManager rejects the call because it is made after 5:00 p.m.
3. Cisco Unified CallManager plays a fast busy tone.
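The calling search space, partition and time schedule model used by the Call Forward All restriction example and by the time-of-day routing example above, as an added Python model (not Cisco code and not CallManager's own digit-analysis algorithm). The partition and calling search space names come from the slides; the route patterns, dialed numbers and dates are constructed. The model returns the first visible match, which is equivalent to CallManager's closest-match rule only while patterns do not overlap.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class TimePeriod:
    start: time                 # start of the interval, inclusive
    end: time                   # end of the interval, exclusive
    weekdays: frozenset         # repetition interval: 0 = Monday ... 6 = Sunday

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end

@dataclass
class Partition:
    name: str
    patterns: list                                 # route patterns using digits, X, ! and .
    schedule: list = field(default_factory=list)   # time periods; empty = always visible

    def visible(self, at: datetime) -> bool:
        # A time schedule is the union of its time periods; no schedule means always active.
        return not self.schedule or any(p.active(at) for p in self.schedule)

def pattern_to_regex(pattern: str) -> "re.Pattern":
    # X matches one digit, ! matches one or more digits, '.' only marks the access code.
    body = "".join({"X": "[0-9]", "!": "[0-9]+", ".": ""}.get(c, re.escape(c)) for c in pattern)
    return re.compile("^" + body + "$")

def resolve(css: list, dialed: str, at):
    """Return (partition, pattern) of the first visible match in the CSS, or None if blocked."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)            # accept an ISO timestamp for convenience
    for partition in css:
        if not partition.visible(at):
            continue                               # schedule inactive: partition is invisible
        for pat in partition.patterns:
            if pattern_to_regex(pat).match(dialed):
                return partition.name, pat
    return None                                    # no match: call (or forward) is blocked

# Constructed sample configuration following the slides.
OFFICE_HOURS = TimePeriod(time(8, 0), time(17, 0), frozenset({0, 1, 2, 3, 4}))
INTERNAL = Partition("Internal", ["1XXX"])                      # internal directory numbers
LOCAL = Partition("Local", ["9.XXXXXXX"])                      # local directory numbers
LONG_DISTANCE = Partition("Long-Distance", ["9.1XXXXXXXXXX"])  # long-distance directory numbers
CISCO_GW = Partition("CiscoGW", ["9.!"], schedule=[OFFICE_HOURS])   # carries the US Hours schedule
EXECUTIVES_AND_MANAGER_CSS = [INTERNAL, LOCAL, LONG_DISTANCE]       # may forward off-net
GENERAL_CSS = [INTERNAL]                                            # forwarding stays internal
TOD_CSS = [INTERNAL, CISCO_GW]                                      # PSTN access only in office hours
```

`resolve(TOD_CSS, "914085551234", "2006-06-02T15:00")` (a Friday) reaches CiscoGW, while the same call at `"2006-06-02T18:00"` returns None, which is the fast-busy case of the example.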

Using FAC
FAC prevents users from making unauthorized calls. Sensitive destinations can be secured with a FAC. Route patterns configured with FAC play a tone and request a FAC to be entered:
–Route pattern configuration specifies the minimum level of accepted codes.
–Usage of FAC is written to the CDR.
Call flow:
1. User dials a FAC-enabled number.
2. Cisco Unified CallManager asks for the authorization code.
3. User enters the code.
4. The call is routed.

Configure FAC
1. Design and document the system:
–Current dial-plan design
–Authorization levels
–Updated dial-plan documentation
2. Create authorization codes and assign a level to them.
3. Apply FAC to the desired route patterns.
4. Provide the user with all the necessary information.

FAC Configuration
Go to the FAC configuration window in Cisco Unified CallManager Administration: Call Routing > Forced Authorization Codes. The authorization code name is displayed in the CDRs. The authorization level has to match or exceed the level requested at the route pattern.

Configure Route Patterns to Use FAC
Choose Call Routing > Route/Hunt > Route Pattern in Cisco Unified CallManager Administration. Check the Required Forced Authorization Code box and insert a FAC level.

FAC Example
Both users dial a directory number that matches a FAC-enabled route pattern configured with FAC level 50:
–The first user enters a FAC code with FAC level 100. The level exceeds the configured level of 50, so the call is routed.
–The second user enters a FAC code with FAC level 20. The call is blocked and a fast busy tone is played.

On-Net and Off-Net Definition
[Figure: calls that stay on the IP WAN are on-net; calls that leave to the PSTN are off-net]
On-net and off-net call classification is used by toll fraud prevention features (external transfers, ad hoc conferences).

On-Net and Off-Net Classification
Trunk or gateway classification applies to incoming calls. Route pattern classification applies to outgoing calls. Route patterns can be configured to use the trunk or gateway classification for outgoing calls by checking the Allow Device Override check box.

Device Override Examples
–Route pattern 0.!#, classification Off-Net, Allow Device Override not checked: the call is classified as an off-net call.
–Route pattern 4XXX, classification On-Net, Allow Device Override checked, route list Intercluster Trunk: the call takes the classification of the trunk, so an on-net trunk yields an on-net call and an off-net trunk yields an off-net call.
–Route pattern 4XXX, classification On-Net, Allow Device Override not checked, route list Intercluster Trunk: the call is classified as an on-net call whether the trunk is on-net or off-net.

External Transfers
An operator or employee can transfer the call to an international or a premium number:
–From the inside, for destinations that the user cannot call
–From the outside
Friends or family members can be transferred to an international or premium number:
–After they place a local call to the user's number
–After the user called them
[Figure: a caller from the local PSTN says "Please transfer my call to extension"; the employee answers "I will transfer your call." and the call reaches an international or premium number]

Restricting External Transfers
Cisco Unified CallManager allows blocking of external transfers, using the on-net and off-net classification.
Example (party A in Berlin, party B in Sydney, party C in San Jose; parties B and C are reached over the PSTN and are classified off-net):
1. Party A calls party B.
2. Party A presses the Transfer softkey and calls party C.
3. Party A cannot transfer party B to party C because off-net-to-off-net transfers are blocked.

Configure Cisco Unified CallManager to Block Off-Net-to-Off-Net Transfers
Have on-net and off-net classification in place. Enable the feature in Cisco Unified CallManager Administration: click System > Service Parameters > Cisco CallManager. By default, the Block Off-Net-to-Off-Net Transfer parameter is disabled.

Ad Hoc Conference Security Options
Ad hoc conferences can be configured to be dropped in certain situations:
–When Conference Creator Drops Out (available since Cisco CallManager Release 3.3(4))
–When No OnNet Parties Remain in the Conference (available since Cisco Unified CallManager Release 4.1)
Ad hoc conferences use on-net and off-net classification.

Service Parameter Set to "When No On-Net Parties Remain in the Conference": Example
Phone A is the conference creator. Phone B is an on-net device. Phones C and D are off-net devices.
1. Phones A, B, C, and D are in the conference on the conference bridge.
2. Phone A leaves the conference.
3. Phones B, C, and D remain in the conference.
4. Phone B leaves the conference.
5. The conference ends.

Configuration of the Drop Ad Hoc Conference Parameter
In the Cisco Unified CallManager Administration window, click System > Service Parameters > Cisco CallManager to change the parameter. The parameter can be changed to three different values.
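The conference example above, walked through under each value of the Drop Ad Hoc Conference parameter, as an added Python model (not Cisco code). The two drop conditions are named as on the slides; the setting under which a conference is never dropped is assumed here to be called "Never", and phone A is assumed to be an on-net device like phone B.

```python
from dataclasses import dataclass, field

# Values of the Drop Ad Hoc Conference service parameter. The first two names come from
# the slides; "Never" is the assumed name of the setting that keeps a conference up.
NEVER = "Never"
WHEN_CREATOR_DROPS_OUT = "When Conference Creator Drops Out"
WHEN_NO_ONNET_PARTIES_REMAIN = "When No OnNet Parties Remain in the Conference"

@dataclass
class Party:
    name: str
    on_net: bool    # from the on-net/off-net classification of the device or route pattern

@dataclass
class AdHocConference:
    creator: str
    policy: str
    parties: dict = field(default_factory=dict)
    ended: bool = False

    def join(self, party: Party) -> None:
        if self.ended:
            raise RuntimeError("conference already ended")
        self.parties[party.name] = party

    def leave(self, name: str) -> bool:
        """Remove a party, apply the drop policy, and return True if the conference ended."""
        del self.parties[name]
        if self.policy == WHEN_CREATOR_DROPS_OUT and name == self.creator:
            self.ended = True
        elif self.policy == WHEN_NO_ONNET_PARTIES_REMAIN and not any(p.on_net for p in self.parties.values()):
            self.ended = True
        if self.ended:
            self.parties.clear()            # the bridge releases every remaining leg
        return self.ended

def walk_example(policy: str):
    """Phones A (creator) and B leave in turn; C and D are off-net (PSTN) parties.
    Returns (ended after A leaves, ended after B leaves, parties still on the bridge)."""
    conf = AdHocConference(creator="A", policy=policy)
    for p in (Party("A", True), Party("B", True), Party("C", False), Party("D", False)):
        conf.join(p)
    ended_after_a = conf.leave("A")
    ended_after_b = ended_after_a or conf.leave("B")
    return ended_after_a, ended_after_b, sorted(conf.parties)
```

Under "Never" the two off-net legs C and D stay bridged after every internal party has hung up, which is the billing exposure the drop conditions remove.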

Summary
–Sources of toll fraud can be external or internal.
–Call forwarding can be restricted through partitions and calling search spaces.
–Block commonly exploited area codes to prevent toll fraud.
–FAC is used to authorize users to make calls.
–Time-of-day routing is used to change the permission to place calls at special hours or days.
–Route patterns, trunks, and gateways can be configured as on-net or off-net, allowing calls to be classified as internal or external calls.
–Cisco Unified CallManager can block external transfers.
–Cisco Unified CallManager can be configured to drop ad hoc conferences when no on-net parties remain on the call or when the conference creator drops out.
