Solved: Cisco Unity Restriction Tables and Toll Fraud

shikamarunara · ‎12-19-2008

I'd like to know more about Restriction Tables in Unity. By default (in Unity 5 at least), there are some restriction rules set up to prevent a person to dial 9 and a string of digits (they seem to cover local through international dialing.) A couple of questions;

1) In the call patterns, I noticed the the "?" is used. Can someone help me understand what it signifies? Does this character mean "any character" that is part of the string?

2) What is a good test I can do to verify that toll fraud is being prevented? Is it enough to dial into the Greetings Administration and attempting to be transfered to an outside number?

Thanks,

-Shikamaru

Rob Huffman · ‎12-19-2008

Hi Shikamaru,

Yes, this looks very good!

You are looking at this correctly for sure. The Transfer could come from a Caller Input key (logged in) or from the General Greeting where you are testing :) One thing that will make this "fool proof" is if you ensure that the CSS on your Voicemail ports is restricted to local calling only.

Hope this helps!

Rob

View solution in original post

Rob Huffman · ‎12-19-2008

Hi Shikamaru,

Happy Holidays my friend!

You want to have most settings in the Restriction Tables @ Deny this string, especially those that begin with your Outside/Long Distance access code (like "9"). You should take some time to try dialing through some various local and Long Distance numbers.

? Matches exactly one digit. Use ? as a placeholder for a single digit.

To protect Cisco Unity from toll fraud and unauthorized use when subscribers use Caller system transfers, subscribers must log on to Cisco Unity, enter the number that they want to transfer to, and Cisco Unity performs the transfer only when the CS_Default_System_Transfer restriction table permits it.

From this good doc;

http://www.cisco.com/en/US/docs/voice_ip_comm/unity/404/administration/guide/ex/sag0240.html#wpxref46866

Hope this helps!

Rob

shikamarunara · ‎12-19-2008

Hey there Rob :)

Okay, so this is the default configuration for Restriction Tables in Unity 5 for CS_Default_System_Transfer ;

Dial String Call pattern Allow

0 91???????* No

1 9011???????* No

2 9???????????* No

3 900* No

4 * Yes

The way I read this is; don't allow outside dialing of any kind (by virtue of the fact that outside dialing is initiated with a "9") Rule 4, I believe, means "allow anything". So, this looks like it will allow forwarding of anything as long as it does not start with a "9" (which is perfect). Am I looking at this correctly?

Rob, you mentioned that in order for someone to commit toll fraud that they would log. I take this to mean that they log into a voicemail account with a extension and password. Beyond this, does this account have to have a Caller Input key programmed for transferring? I've been testing it by entering outside numbers through the general greeting.

Just trying to understand better. Thanks, Rob.

-Shikamaru

Rob Huffman · ‎12-19-2008

Hi Shikamaru,

Yes, this looks very good!

You are looking at this correctly for sure. The Transfer could come from a Caller Input key (logged in) or from the General Greeting where you are testing :) One thing that will make this "fool proof" is if you ensure that the CSS on your Voicemail ports is restricted to local calling only.

Hope this helps!

Rob

shikamarunara · ‎12-19-2008

Thanks, Rob. Happy holidays to you and yours :)

Rob Huffman · ‎12-19-2008

You are most welcome my friend! Best of the Season to you and yours as well.

Cheers!

Rob

iptuser55 · ‎12-22-2008

Just to add, do not forget the Unity maskes use of the CTI ports to make a calls from itself to CCM and so to Telco so you can restrict within the CCM as well by having a restricted CSS added to the CTI ports for VM.