Avaya Communication Manager Administrator's Manual page 1655

See Reports for Avaya Communication Manager for more information on how to run reports, and respond
to security violations.
To effectively monitor the security of your system, you need to know how often both valid and invalid
attempts at system entry are normally made. Then you will know if the number of invalid attempts is
unusually high. A significant increase in such attempts can mean the system is being compromised.
NOTE:
Avaya recommends that you print and clear the security-violation measurement reports at
least once a month. In a busy system, once a week is not too frequent.
Security violation thresholds and notification
As an example, you may determine that during a forty-hour week, it's normal for users to submit about
1,000 valid barrier codes and 150 invalid barrier codes; that is, about 3.75 invalid barrier codes are
submitted per hour.
With this information, you may decide to declare that a security violation occurs during any hour in
which 8 invalid barrier codes are submitted. If you know that during an 8-hour period, about 30 invalid
codes are submitted, you might set the threshold to count a security violation when 40 invalid codes are
submitted within eight hours.
You can administer SVN to place a referral call to the location of your choice whenever the established
thresholds are reached. All SVN referral calls are priority calls.
Invalid attempts accumulate at different rates in the various security arenas (login, authorization code,
remote access, and station security code), depending on feature usage and the number of users on a
server. For this reason, you administer thresholds separately for each type of violation.
Sequence of events
The following is the sequence of events that occur when an SVN is enabled and a detects a security
violation:
1
SVN parameters are exceeded (the number of invalid attempts permitted in a specified time
interval is exceeded).
2
An SVN referral call (with announcements, if assigned) is placed to a designated point, and SVN
provides an audit trail containing information about each attempt to access server running
Communication Manager.
3
SVN disables a login ID or Remote Access following the security violation.
4
The login ID or Remote Access remains disabled until re-enabled by an authorized login ID, with
the correct permissions.
Administrator's Guide for Avaya Communication Manager
November 2003
Feature Reference
Security violations notification
1655