Securing Mainframe FTP

File Transfer Protocol (FTP), built on a client-server architecture, is a standard method for transferring files between hosts over a TCP-based network across different platforms such as Unix, z/OS, AS/400 and Windows.

Mainframe FTP features
•z/OS FTP uses the get and put commands for downloading and uploading files.
•In a Sysplex, FTP can run simultaneously on multiple CPUs to share the system's workload.
•Mainframe FTP can transfer both MVS datasets and Unix files.

Risks associated with mainframe and FTP
•Exposure of sensitive data such as user IDs and passwords, which may lead to unwanted access to business-critical information
•No control over the data after it has been transmitted
•Access to sensitive data in job output or printouts
•Access to USS files as well as MVS datasets
•Access to mainframe DB2 data
•Submission of batch jobs to execute programs

Available FTP security tools to address the risks
•Control file options for FTP and TCP/IP
•Security software rules like System Authorization Facility (SAF)
•Exits for modifying the FTP logic
•Encryption
•Policy agent software like firewall

Functionalities of the tools
•Controls data access based on both the mainframe server IP address and the client computer IP address
•Controls data access based on port number. Each TCP program at an IP address is assigned a separate port number; in general, ports 20 and 21 are used for FTP. TCP uses the port number in each message to decide which program on that computer should receive it. These ports are called Ephemeral Ports and the programs are called daemons; the daemon for FTP is named FTPD.
•Uses the System Authorization Facility (SAF) to invoke the security software on the mainframe. SAF verifies user identity and, in turn, controls file and resource access.
•Controls access to Unix and MVS files
•Modifies FTP logic through exit programs that add additional security checks
•Encrypts user IDs, passwords and critical information

FTP security tools in detail
•Control file options for TCP/IP and FTP
•IPSEC for creating IPsec secure tunnels
•PORT and PORTRANGE for controlling access to specific ports
•NETACCESS for controlling access to specific IP addresses in a network
•TCPCONFIG for blocking particular ports to prevent unauthorized FTP programs
•DB2 and DB2PLAN to specify the DB2 subsystem and plan
•ANONYMOUS to control anonymous logins
•CIPHERSUITE to specify encryption algorithm
•KEYRING to specify the keyring for digital certificates
•JES2INTERFACELEVEL for submitting batch jobs and accessing printed output
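As an added illustration that is not part of the original post, the constructed TCPIP.PROFILE and FTP.DATA fragments below show how several of the options listed above fit together to reserve the FTP ports, restrict client networks and force TLS on both connections. The job name FTPD1, key ring FTPD/FTPRING, zone name INTRANET and the 10.1.0.0/16 range are assumptions for this example.

```text
; ---- TCPIP.PROFILE fragment (constructed example) ----
TCPCONFIG RESTRICTLOWPORTS        ; ports below 1024 only for jobs listed on PORT/PORTRANGE
PORT
   21 TCP FTPD1 SAF FTPCTRL       ; control port reserved for the FTP daemon; the SAF keyword
                                  ; ties it to SERVAUTH EZB.PORTACCESS.<sysname>.<tcpname>.FTPCTRL
   20 TCP OMVS NOAUTOLOG          ; active-mode data port
NETACCESS INBOUND OUTBOUND
   10.1.0.0/16  INTRANET          ; assumed internal range -> SERVAUTH EZB.NETACCESS.<sys>.<tcp>.INTRANET
   DEFAULT 0    WORLD             ; everything else -> EZB.NETACCESS.<sys>.<tcp>.WORLD (leave unpermitted)
ENDNETACCESS

; ---- FTP.DATA server fragment: weak configuration ----
; ANONYMOUS GUEST1               ; anonymous logins enabled; no TLS statements at all, so
;                                ; user ID, password and file contents cross the wire in clear text

; ---- FTP.DATA server fragment: hardened configuration ----
; (no ANONYMOUS statement: omitting it disables anonymous logins)
EXTENSIONS       AUTH_TLS         ; advertise AUTH TLS to clients
TLSMECHANISM     FTP              ; the FTP server negotiates TLS itself (ATTLS is the alternative)
SECURE_FTP       REQUIRED         ; reject clients that do not negotiate TLS
SECURE_PASSWORD  REQUIRED         ; a password is still required after the TLS handshake
SECURE_CTRLCONN  PRIVATE          ; encrypt the control connection (protects user ID and password)
SECURE_DATACONN  PRIVATE          ; encrypt the data connection (protects the transferred files)
KEYRING          FTPD/FTPRING     ; assumed SAF key ring holding the server certificate
CIPHERSUITE      SSL_AES_256_SHA  ; restrict the negotiable suites to AES
CIPHERSUITE      SSL_AES_128_SHA
```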

•Security Software Rules
TCP/IP and FTP call the security software through SAF. The security software rules are defined in resource classes such as APPL, TERMINAL and SERVAUTH. The Resource Descriptor Table (RDT) contains the class names and their options.

•APPL controls login to FTP daemon
•TERMINAL, used with IPv4, controls login from specified IP addresses
•SERVAUTH controls access to Unix file system, specified IP addresses, ports and the network

•Exits
•FTCHKIP controls a new connection
•FTCHKCMD controls the processing of an FTP command
•FTCHKJES controls the submission of a batch job
•FTCHKPWD controls the new passwords
•FTPOSTPR controls the completion of certain commands

•Encryption
The encryption protocols supported on the mainframe are Secure Sockets Layer (SSL), Transport Layer Security (TLS), IPSEC and Kerberos. All of these protocols encrypt passwords as well as data, protecting files in transit against sniffer programs. SSL and TLS are used to create and manage digital certificates and encryption keys.

•Policy Agent
Policy Agent is mainframe software used to filter messages and to provide intrusion detection services. Messages are filtered based on IP address, port number and content.
