Securing Mainframe FTP
File Transfer Protocol (FTP), built on a client-server architecture, is a standard method for transferring files between hosts over a TCP-based network, across different platforms such as Unix, z/OS, AS/400 and Windows.
Mainframe FTP features
z/OS FTP uses get and put commands for downloading and uploading files.
In a Sysplex, FTP can be spread across multiple CPUs simultaneously to share the system's workload.
Mainframe FTP can transfer both MVS datasets and Unix files.
Risks associated with mainframe and FTP
Exposure of sensitive data such as user IDs and passwords, which might lead to unwanted access to business-critical information
No control over the data after it’s transmitted
Access to the sensitive data in job output or printouts
Access to USS files as well as MVS datasets
Accessing Mainframe DB2 data
Submission of batch jobs, and through them execution of programs
Available FTP security tools to address the risks
Control file options for FTP and TCP/IP
Security software rules like System Authorization Facility (SAF)
Exits for modifying the FTP logic
Policy Agent software acting as a firewall
Functionalities of the tools
Controls the data access based on both mainframe server IP address and client computer IP address
Controls data access based on port number. Each TCP program at an IP address is assigned a separate port number; in general, ports 20 and 21 are used for FTP. Based on the port number in a message, TCP decides which program on that computer the received message should be delivered to. These ports are called Ephemeral Ports and the programs are called daemons. The daemon for FTP is named FTPD.
Uses System Authorization Facility (SAF) to invoke security software in mainframe. SAF helps to verify user identity and in turn file and resource access.
Controls Unix and MVS files access
Modifies FTP logic through Exit programs by adding additional security checks
Encrypts user ID, password and critical information
FTP security tools in detail
Control file options for TCP/IP and FTP
IPSEC for creating IPSec secure tunnels
PORT and PORTRANGE for controlling access to specific ports
NETACCESS for controlling access to specific IP addresses in a network
TCPCONFIG for blocking particular ports to prevent unauthorized FTP programs
DB2 and DB2PLAN to specify the DB2 subsystem and plan
ANONYMOUS to control anonymous logins
CIPHERSUITE to specify encryption algorithm
KEYRING to specify the keyring for digital certificates
JES2INTERFACELEVEL for submitting batch jobs and accessing the print outputs
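The statements above live in two z/OS configuration files: the TCP/IP profile (PORT, PORTRANGE, NETACCESS, TCPCONFIG) and the FTP server's FTP.DATA (the rest). The fragment below is an added example, not taken from the article or from any IBM sample; it shows a hardened setting for each option next to the weaker value it replaces, which is the comparison a reviewer of an existing configuration wants to make. The job name FTPD1, the 10.1.0.0/16 address range, the zone names CORPNET and WORLD, the key ring name FTPD/FTPRING and the DB2 subsystem name DB2A are constructed placeholders; the SERVAUTH profiles that the NETACCESS zone names map onto are defined by the security administrator separately. Note that the FTP.DATA keyword for the JES interface is spelled JESINTERFACELEVEL.

```text
; ---------- TCPIP.PROFILE (TCP/IP stack) ----------
; Comment lines start with ';'
TCPCONFIG RESTRICTLOWPORTS        ; weak: omitting this lets any job bind ports below 1024,
                                  ; so an unauthorized program could impersonate FTP on 21

PORT
   20 TCP OMVS NOAUTOLOG           ; FTP server data port
   21 TCP FTPD1                    ; FTP control port reserved for the FTPD1 job only
                                   ; weak: no PORT entry, so port 21 is free for anyone

PORTRANGE 50000 1000 TCP FTPD1     ; passive-mode data ports 50000-50999 reserved for FTPD1,
                                   ; which keeps the firewall rule for inbound data tight

NETACCESS INBOUND OUTBOUND         ; every address falls into a named zone;
   10.1.0.0/16   CORPNET           ; access to each zone is then a SAF check on
   DEFAULT       WORLD             ; EZB.NETACCESS.<sysname>.<tcpname>.<zone> in SERVAUTH
ENDNETACCESS                       ; weak: no NETACCESS block, so no per-address control

; ---------- FTP.DATA (FTP server) ----------
EXTENSIONS     AUTH_TLS            ; advertise TLS on the control connection (AUTH TLS)
TLSMECHANISM   FTP                 ; FTP server negotiates TLS itself (ATTLS is the alternative)
SECURE_FTP     REQUIRED            ; weak: ALLOWED lets a client log in in clear text
SECURE_CTRLCONN PRIVATE            ; weak: CLEAR sends user ID and password unencrypted
SECURE_DATACONN PRIVATE            ; weak: CLEAR / NEVER sends file contents unencrypted
KEYRING        FTPD/FTPRING        ; userid/ringname of the server certificate key ring (placeholder)
CIPHERSUITE    SSL_AES_256_SHA     ; weak: SSL_NULL_SHA or SSL_NULL_MD5 (integrity only, no encryption)
; ANONYMOUS is deliberately not coded: with no ANONYMOUS statement, anonymous login is refused
JESINTERFACELEVEL 2                ; job submission and output access governed by JESSPOOL profiles
DB2            DB2A                ; DB2 subsystem reachable through SQL SELECT (placeholder name)
DB2PLAN        EZAFTPMQ            ; plan the FTP server uses for DB2 access
```

When reviewing a live system, compare each of these lines against the values actually in effect rather than against the installation's documentation; the FTP server reports its FTP.DATA values in its startup messages, and a missing statement silently takes the weak default.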
Security Software Rules
TCP/IP and FTP call the security software through SAF. The security software rules are defined in resource classes such as APPL, TERMINAL and SERVAUTH. The Resource Descriptor Table (RDT) contains the class names and their options.
APPL controls login to FTP daemon
TERMINAL, used with IPV4, controls login from any specified IP address
SERVAUTH controls access to Unix file system, specified IP addresses, ports and the network
FTCHKIP controls a new connection
FTCHKCMD controls the processing of an FTP command
FTCHKJES controls the submission of a batch job
FTCHKPWD controls the new passwords
FTPOSTPR controls the completion of certain commands
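The resource classes described above only restrict anything once profiles exist in them and users are permitted to those profiles. The RACF commands below are an added example, not part of the article, showing how a security administrator would back the FTP daemon's SAF calls with SERVAUTH and APPL profiles: one profile per NETACCESS zone, one for Unix file system access through FTP, and one for logging in to the daemon at all. The system name SYS1, the TCP/IP stack name TCPIP, the daemon job name FTPD1, the zone names CORPNET and WORLD and the groups FTPUSERS and FTPADMIN are constructed placeholders; the EZB.NETACCESS and EZB.FTP profile name patterns follow the z/OS Communications Server naming I am familiar with and should be checked against the release in use, and treating the daemon job name as the APPL resource name is an assumption.

```text
/* Activate the classes and make SERVAUTH decisions come from an in-storage copy */
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
SETROPTS CLASSACT(APPL) RACLIST(APPL)

/* Login to the FTP daemon itself: UACC(NONE), then permit only the groups that need FTP */
RDEFINE APPL FTPD1 UACC(NONE)
PERMIT  FTPD1 CLASS(APPL) ID(FTPUSERS) ACCESS(READ)

/* NETACCESS zones: a user must hold READ on the zone profile to talk to addresses in it */
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.CORPNET UACC(NONE)
PERMIT  EZB.NETACCESS.SYS1.TCPIP.CORPNET CLASS(SERVAUTH) ID(FTPUSERS) ACCESS(READ)
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.WORLD UACC(NONE)
/* nobody is permitted to WORLD: the DEFAULT zone is closed, which fails any address
   not explicitly placed in CORPNET (weak alternative: UACC(READ) on the WORLD profile) */

/* Unix file system access through FTP, separate from MVS data set access */
RDEFINE SERVAUTH EZB.FTP.SYS1.FTPD1.ACCESS.HFS UACC(NONE)
PERMIT  EZB.FTP.SYS1.FTPD1.ACCESS.HFS CLASS(SERVAUTH) ID(FTPADMIN) ACCESS(READ)

/* Make the new and changed profiles take effect */
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS RACLIST(APPL) REFRESH

/* Audit the result: every failed access to these profiles should be visible in SMF */
RALTER SERVAUTH EZB.NETACCESS.SYS1.TCPIP.WORLD AUDIT(ALL(READ))
```

The ordering matters for detection as much as for enforcement: defining a profile with UACC(NONE) before any PERMIT means the first refresh closes access and every subsequent permit is a deliberate, logged decision, and the AUDIT(ALL(READ)) on the closed zone turns connection attempts from unexpected addresses into SMF records that an SIEM can alert on.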
The encryption protocols supported on the mainframe are Secure Sockets Layer (SSL), Transport Layer Security (TLS), IPSec and Kerberos. All of these protocols encrypt passwords as well as data, so the files in transit are protected against sniffer programs. SSL and TLS are used to create and manage digital certificates and encryption keys.
Policy Agent is mainframe software used to filter messages and to provide intrusion detection services. Messages are filtered on the basis of IP address, port number and content.