Dealing with Mainframe FTP Security Issues on z/OS

File Transfer Protocol (FTP) is one of the most widely used network protocols to transfer files from one host to another over a TCP/IP-based network. The main advantage of FTP is that it is widely available and can be used across all popular platforms: z/OS, Windows, Unix, Linux, etc. There are many concerns over the security of FTP, especially on z/OS. But there are ways to make FTP a secure resource for your mainframe.

FTP on z/OS – how it operates
For z/OS, FTP server and clients are made to support both hierarchical file systems and MVS data sets (Multiple Virtual Storage). For data transfers, the receiver interprets the transmitted octets based on their specified data type: ASCII, EBDIC, binary text, and bytes. Conversion between ASCII and EBDIC occurs while copying text files or data sets in or out of z/OS.

Security risks of FTP on z/OS
Lack of automation, control and security with respect to the communication stand as major weaknesses of FTP. Also, data compression is not native to the FTP protocol and is rarely available. FTP transmissions are clear; any eavesdropper can easily see user IDs, passwords, and data files. As FTP transfers require two connections to operate – one for data and the other for commands, it takes special effort to overcome issues with active and passive FTP and to use FTP in a firewall-secured network. Finally the data can be altered or damaged in transit without the receiver knowing: FTP does not provide any application-level verification of data integrity.

Security options for mainframe FTP
Fortunately, there are options for securing FTP operations. In the control files for TCP/IP on z/OS, see the operands such as IPSEC, NETACCESS, PORT, PORTRANGE, and TCPCONFIG. In the control file for FTP, see the operands ANONYMOUS, CIPHERSUITE, DB2, DB2PLAN, JES2INTERFACELEVEL, KEYRIN, and PORTOFENTRY4.

Using Security Software
Software products are available for securing FTP on z/OS. Security software provides access control and auditing functionality. It enables restriction, monitoring and auditing of resources. It also provides an option to authenticate users and control their levels of access to FTP resources.

Encrypting data before transfer
Encrypting data locally before any file transfer means only the people with the right credentials and keys can extract and read the data – before, during and after the data transfers. The encrypted data can also be transferred using any transportation method, without any security concerns. On z/OS, the encryption can be done almost effortlessly using the PGP encryption protocol.

Intrusion detection with policy agent
Policy agent software runs in a z/OS address space and manages components of the Communications Server’s network infrastructure. Because a policy agent provides intrusion detection based on a remote computer’s IP address, it can only work if the address in the IP packet is accurate. Data in encrypted packets cannot be processed by policy agents and intrusion detection software.

Using exit points to write exit programs
Exit programs are used to customize the logic of file transfers. An FTP server and client communicate with an exit program through a specific exit point. Exit programs enable more granular control over z/OS FTP.

Monitoring data transfer
During an FTP operation on z/OS, both server and client record successful and completed transfers to the System Management Facility (SMF). You can use those logs to monitor most of the data transfers occurring by FTP.

Each of the above strategies has its own advantages, costs, and limitations. It is not possible to take care of all your needs using any single strategy. You will require a mixture of these solutions to make FTP on z/OS secure.