FTP to Mainframe

FTP or File Transfer Protocol, is a standard architecture to transfer files in a TCP-based network on various platforms including z/OS, Unix, AS/400 and Windows. As on any other platform the common Mainframe FTP features are –

•For downloading and uploading files get and put commands are used.
•To share system’s workload multiple CPUs come under the scope of FTP simultaneously in a Sysplex.
•Both USS or UNIX files and MVS datasets are transferred through FTP.

Because of network based file transfer FTP is always associated with some risks –

•Exposing the User ID and password might cause unwanted access to critical data.
•Access to MVS datasets as well as USS files.
•Submission of Batch jobs through the JES interface for executing the programs.
•Access to DB2 data.
•Access to sensitive data in Printouts.

To address the above mentioned risks some security tools are developed for FTP. These are –

•System Authorization Facility or SAF for invoking the Mainframe security software RACF, Top Secret or ACF2.
•Control File Options to control the access to MVS datasets and USS files based on both mainframe server IP, client computer IP and port number. In general, FTP uses the ports 20 and 21.
•Exits to modify FTP logic by adding additional security checks.
•Encryption to secure user ID, password and data.
•Policy Agent Software which includes functions like Firewall for filtering messages.

Here the FTP security tools are described in detail –

•System Authorization Facility
•FTP uses System Authorization Facility to call the security software. The resource classes like APPL, TERMINAL and SERVAUTH contain the security software rules. On the other hand the class names and corresponding options are defined in the Resource Descriptor Table (RDT).
•The programs at the receiving computer, which work with received messages are called FTP Daemons. APPL controls login to these FTP Daemons.
•TERMINAL is used to control the login from any specified IP address.
•SERVAUTH is used for the access control to UNIX file system, IP addresses, port numbers and the network itself.

•Control File Options
•The Control file option can be specified either in the TCP/IP Control file or in the FTP Control file.

•TCP/IP Control file options
•IPSEC for creating IPSEC secure tunnel.
•NETACCESS for controlling access to an IP Network, Subnet or host as a RACF resource.
•TCPCONFIG for blocking ports, so that unauthorized FTP access can be prevented.
•PORT, PORTRANGE, RESERVED and DENY for specific port access control.

•FTP Control file options
•ANONYMOUS for controlling anonymous logins.
•JES2INTERFACELEVEL for controlling Batch job execution and access to Printouts.
•DB2 and DB2PLAN for specifying the DB2 subsystem and plan name.
•CIPHERSUITE for specifying encryption algorithm.
•PORTOFENTRY4 for specifying the name of the Port of Entry for any specific FTP.

•FTPCHKIP for controlling new connection.
•FTCHKCMD for controlling the processing of an FTP command.
•FTPOSTPR for controlling the completion of specific commands.
•FTCHKPWD for controlling new passwords.
•FTCHKJES for controlling the submission of batch jobs.

Transport Layer Security (TLS), Secure Sockets Layer (SSL), IPSEC and Kerberos are the mainframe supported encryption protocols. These protocols can be used to identify the user through user ID and password encryption, at the same time it provides data encryption as well. They also protect against sniffer programs, which provides unauthorized access to user ID and password on a LAN. SSL and TLS can create and manage digital certificates and encryption keys, thus providing Public Key Infrastructure support.

•Policy Agent Software
Policy Agent is a free mainframe software, that can filter the messages and also detect unwanted access to the messages. Based on the IP address, Port number and content Policy Agent filters the messages.