Mainframe FTP

File Transfer Protocol (FTP) is a standard network protocol used to transfer files between two hosts on a TCP/IP network. It is available on most popular platforms, including z/OS, UNIX, Windows and Linux. Although FTP on z/OS has a number of security weaknesses, there are ways to address them and make it a secure resource on the mainframe.

The z/OS FTP server and client support both MVS datasets and the hierarchical file system. During a transfer, the receiver interprets the transmitted octets according to the data type (ASCII text, EBCDIC text, or binary bytes). When datasets are copied, a code-page conversion between EBCDIC and ASCII takes place.

The major drawbacks of FTP are its lack of communication security, control and automation. The protocol provides no data compression. Unauthorized access to user IDs, passwords and data files is easy, because FTP transmissions are sent in cleartext. Moreover, an FTP transfer requires two separate connections, one for commands and one for data, which makes FTP difficult to use through a firewall. Finally, FTP has no application-level integrity check, so data may be altered or damaged in transit without detection.
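The two weaknesses just described are visible on the wire. The following checker, an added example for this page and not code from the original article, walks a constructed FTP control-channel transcript (hosts, user name and ports are made up) and reports a login sent before any AUTH TLS, and every data connection negotiated in-band through PORT or a 227 reply. Decoding the h1,h2,h3,h4,p1,p2 tuple shows why a firewall cannot simply allow one port: the data port is chosen per transfer.

```python
"""Inspect an FTP control-channel transcript for cleartext logins and
in-band data-connection negotiation (PORT / PASV). Constructed example
for this article; the session below is made up."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript: "C:" lines are the client, "S:" lines the server.
SAMPLE_SESSION = """\
S: 220-FTPD1 IBM FTP at MVS1.EXAMPLE.COM, 14:02:11 on 2024-01-09.
S: 220 Connection will close if idle for more than 5 minutes.
C: USER IBMUSER
S: 331 Send password please.
C: PASS SECRET01
S: 230 IBMUSER is logged on.  Working directory is "IBMUSER.".
C: PORT 192,0,2,10,4,1
S: 200 Port request OK.
C: RETR PAYROLL.DATA
S: 125 Sending data set IBMUSER.PAYROLL.DATA
S: 250 Transfer completed successfully.
C: PASV
S: 227 Entering Passive Mode (192,0,2,20,195,80)
C: QUIT
S: 221 Quit command received. Goodbye.
"""

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply.
    The port is p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Findings:
    cleartext_user: Optional[str] = None
    cleartext_password_seen: bool = False
    data_endpoints: List[Tuple[str, str, int]] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def inspect_session(transcript: str) -> Findings:
    """Flag USER/PASS sent before AUTH TLS and record every data endpoint
    negotiated on the control channel."""
    f = Findings()
    tls_started = False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                tls_started = True
            elif verb == "USER" and not tls_started:
                f.cleartext_user = arg.strip()
            elif verb == "PASS" and not tls_started:
                f.cleartext_password_seen = True  # record the fact, never the value
            elif verb == "PORT":
                hp = decode_hostport(arg)
                if hp:
                    f.data_endpoints.append(("active", hp[0], hp[1]))
        elif side == "S" and line.startswith("227"):
            hp = decode_hostport(line)
            if hp:
                f.data_endpoints.append(("passive", hp[0], hp[1]))
    if f.cleartext_user:
        f.notes.append(f"cleartext login for {f.cleartext_user}")
    for mode, host, port in f.data_endpoints:
        f.notes.append(f"{mode} data connection {host}:{port} negotiated in-band")
    return f


if __name__ == "__main__":
    for note in inspect_session(SAMPLE_SESSION).notes:
        print(note)
```

Run against a real capture, the same logic turns a cleartext USER into an alert and the decoded endpoints into the list of ports a firewall would have had to open for that single session.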

To secure FTP operations, a few operands in the TCP/IP and FTP control files are designed specifically for that purpose. IPSEC, NETACCESS, PORT and TCPCONFIG are operands in the TCP/IP control file; ANONYMOUS, DB2, DB2PLAN, JES2INTERFACELEVEL, CIPHERSUITE and others are operands in the FTP control file. Security software products are also available to provide access control, auditing and monitoring of resources, as well as user authentication options. These products include RACF, ACF2 and Top Secret.
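A practitioner usually wants to know which of these operands are set to a weak value. The checker below is an added example for this page, not IBM code or the article's own: it parses two constructed FTP.DATA-style fragments (keyword/value statements with `;` comments) and audits them. ANONYMOUS, CIPHERSUITE and JES2INTERFACELEVEL are the statements named above; SECURE_FTP, SECURE_CTRLCONN and SECURE_DATACONN are TLS statements I take from the z/OS Communications Server FTP.DATA reference, and the cipher names are assumed examples, so confirm the exact keywords, values and defaults against your release's documentation before using this on a live configuration.

```python
"""Audit FTP.DATA-style statements for permissive settings. Added example
for this article; both configuration samples are constructed."""
from typing import Dict, List

# Constructed permissive sample.
WEAK_FTP_DATA = """\
; FTP.DATA (constructed sample) - permissive settings
ANONYMOUS                      ; anonymous logins enabled
JES2INTERFACELEVEL 2
SECURE_FTP ALLOWED             ; TLS optional, cleartext still accepted
SECURE_CTRLCONN CLEAR
SECURE_DATACONN CLEAR
CIPHERSUITE SSL_NULL_MD5       ; null cipher: no confidentiality
"""

# Constructed hardened sample.
HARDENED_FTP_DATA = """\
; FTP.DATA (constructed sample) - hardened settings
; ANONYMOUS is deliberately absent: anonymous logins disabled
JES2INTERFACELEVEL 1
SECURE_FTP REQUIRED
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN PRIVATE
CIPHERSUITE SSL_AES_256_SHA
CIPHERSUITE SSL_AES_128_SHA
"""

# Substrings that mark a null, export-grade or single-DES suite.
# "_DES_" matches SSL_DES_SHA but not SSL_3DES_SHA.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "RC2", "_DES_")


def parse_ftp_data(text: str) -> Dict[str, List[List[str]]]:
    """Map each statement keyword to the list of argument lists seen for it.
    Statements such as CIPHERSUITE may legitimately appear more than once."""
    stmts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        parts = line.split()
        stmts.setdefault(parts[0].upper(), []).append(parts[1:])
    return stmts


def audit_ftp_data(text: str) -> List[str]:
    """Return one finding per permissive or unset security-relevant statement."""
    s = parse_ftp_data(text)
    findings: List[str] = []

    def first_value(key: str) -> str:
        vals = s.get(key)
        return vals[0][0].upper() if vals and vals[0] else ""

    if "ANONYMOUS" in s:
        findings.append("ANONYMOUS present: anonymous logins are enabled")
    if first_value("SECURE_FTP") != "REQUIRED":
        findings.append("SECURE_FTP is not REQUIRED: cleartext logins are still accepted")
    for key in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        value = first_value(key)
        if not value:
            findings.append(f"{key} not set: relies on the release default, set PRIVATE explicitly")
        elif value != "PRIVATE":
            findings.append(f"{key} {value}: channel may run unencrypted")
    for args in s.get("CIPHERSUITE", []):
        name = args[0].upper() if args else ""
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"CIPHERSUITE {name}: weak or null cipher enabled")
    if first_value("JES2INTERFACELEVEL") == "2":
        findings.append("JES2INTERFACELEVEL 2: full JES access, confirm SAF controls cover it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_FTP_DATA), ("hardened", HARDENED_FTP_DATA)):
        print(f"{label}: {audit_ftp_data(cfg) or ['no findings']}")
```

The parser deliberately accumulates repeated keywords rather than keeping the last one, because a single stray permissive CIPHERSUITE line among several strong ones is exactly the kind of drift a review should catch.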

Encrypting data locally before the transfer ensures that only people holding genuine credentials and keys can read it, and encrypted data can travel over any transport. On z/OS, the PGP encryption protocol makes this straightforward.

Gaining more control over z/OS FTP requires exit programs, which customize the file-transfer logic. For intrusion detection, policy agent software can be put in place that runs in the z/OS TCPIP address space; its detection logic depends on the remote computer's IP address. Note that the policy agent and intrusion detection software cannot inspect encrypted data packets.

The System Management Facility (SMF) records every successfully completed FTP transfer on z/OS, on both the server and the client. These records can be used to monitor FTP data transfers.

Each of these solutions has its own advantages and limitations; the right mixture of them should be deployed to secure FTP transfers on z/OS.
