FTP and SFTP Adapter Limitation Policies Overview

When using the FTP Server adapter or the SFTP Server adapter, you can define limitations for their usage. These limitation policies control various types of access. Policies can be applied to all of the server adapters of one protocol type (SFTP or FTP), or just to specific instances that you identify.

The following limitation policies can be defined for cluster and non-cluster environments:
  • Bandwidth Limiting enables you to limit the inbound transfer speed from a specific trading partner for an IP address or range or set of users. Limits can be allocated by your system administrator based on your company's performance and tuning requirements. For example, you can set a low bandwidth for all IP addresses except for a few selected ones, which belong to high priority customers. (Both IPv4 and IPv6 are supported.)

  • Command Limiting enables you to limit specific FTP commands or SFTP commands for an IP address or range of addresses, or for a set of users. The IP addresses or users define who the policy applies to, while the command limiting policy defines what they can do.

  • Data Limiting enables you to limit the total amount of inbound data that can be sent by a trading partner (IP address or range) or a set of users in a day. By doing this, you can save important resources that could be consumed if there are no restrictions.

  • Lockout enables you to prevent hacking attacks on servers. By locking out users after a certain number of invalid attempts, you prevent them from trying different combinations of passwords as part of a brute force attack. User lockout can be time-based or permanent.

You can have multiple limitation policies to define complex rules. For example, you could create the following bandwidth policies:
  • If TP1 (trading partner) connects, allow TP1 1 MB/s bandwidth.
  • But if TP2 or TP3 connects, allow them each 256 KB/s bandwidth.
  • For all other trading partners, give only 10 KB/s as default.
Before you configure limitation policies, consider the following:
  • You can only set one lockout policy at the protocol level.
  • You can have as many instance level policies defined for a protocol as necessary.
  • You can apply as many instance level policies to a specific instance of an adapter as necessary. The basic criterion for choosing between protocol level and instance level policies is:
    • If you want to have a restriction put on all instances of an adapter (FTP/SFTP server), you define a protocol level policy. This is a default restriction.

    • If you want to loosen some restrictions on certain instances of the adapter, perhaps for a high priority trading partner, you can define an instance level policy that applies to the trading partner's user ID or IP address.

  • Once you have defined a protocol level policy, it becomes effective immediately for all instances of the protocol server adapter. After defining an instance level policy, you must add it to the adapter instances that you want covered by the policy. For existing adapters, this is done by editing the adapter configuration in the Admin Console. For new adapters, select the policy during the initial adapter configuration.

Defining or updating policies is done in the Admin Console, Administration Menu, under Deployment > Adapter Utilities > Policy Configuration.

Adapter Limitation Policy Examples

The following are scenarios in which you might want to use a limitation policy.

Scenario: You need to limit the speed at which data comes into your system.
Use this policy type: Bandwidth

Scenario: You want to restrict the amount of data a trading partner can send, to save your disk and database space.
Use this policy type: Data Limit

Scenario: You need to prevent the trading partner from listing or reading files on the FTP server, or you want the trading partner to only send you files. Or, the other way around, you want the trading partner to only read data and to be prevented from changing it in any way.
Use this policy type: Command Limit

Scenario: You want to prevent hacking attacks on your server by locking users out permanently, or for 5 minutes, every time they make 3 invalid attempts.
Use this policy type: Lockout

Scenario: You want to restrict a trading partner or any third party client connecting to the servers (server adapters) from using your resources or executing undesirable commands.
Use this policy type: Command Limit

Information You Need to Gather Before Defining Adapter Policies

Before you define new policies in the Admin Console, you need to know what type of policy you are defining and then gather the following information. The policy types for which each item is required are listed after it:

  • Which type of policy are you defining: Bandwidth, Command, Data, or Lockout? (Required for: Bandwidth Limiting, Lockout, Command Limiting, Data Limit)

  • Will this policy be applied to an IP address or to users? (Required for: Bandwidth Limiting, Command Limiting, Data Limit)

  • Which protocol will the policy be applied to: SFTP or FTP? (Required for: Bandwidth Limiting, Lockout, Command Limiting, Data Limit)

  • Is the policy applied at the protocol level or the instance level? (Required for: Bandwidth Limiting, Lockout, Command Limiting, Data Limit)

  • What is the maximum number of login attempts before lockout? (Required for: Lockout)

  • Is the user lockout permanent or time-based? (Required for: Lockout)

  • Is the policy only applied to specific users? If yes, you need the list of users. (Required for: Bandwidth Limiting, Command Limiting, Data Limit)

  • Is the policy only applied to specific IP addresses? If yes, you need the list of IP addresses. (Required for: Bandwidth Limiting, Command Limiting, Data Limit)

  • Does this policy limit commands? If yes, you need to know the commands and the users or IP addresses that will be limited. (Required for: Command Limiting)

  • Does this policy limit the amount of inbound data that can be received per day per IP address? If yes, what is the maximum amount of inbound data for 24 hours? (Required for: Data Limit)

IP Address Range for Policies

Three of the policy types support limitation by IP address ranges or patterns. An IP address range is a semicolon separated list of IP ranges and patterns. The following examples illustrate valid IP address formats. These can be semicolon separated and combined into a single IP pattern.

Type of IP address   Format example                 Notes
One IP address       10.20.30.44
Clear range          10.20.30.0-10.20.30.45
Clear range          10:20::40:10-10:20::40:ffff    ffff is the 16-bit hexadecimal value with all bits set to 1 (decimal value 65535).
Range                10.20.30.*                     Range is 10.20.30.0-10.20.30.255
Range                10:20::*                       Range is 10:20:0:0:0:0:0:0-10:20:0:0:0:0:0:ffff
Range                10:20:*                        Range is 10:20:0:0:0:0:0:0-10:20:ffff:ffff:ffff:ffff:ffff:ffff
Range                10:30:40::30:43:*              Range is 10:30:40:0:0:30:43:0-10:30:40:0:0:30:43:ffff
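The pattern rules in the table above, implemented as a small matcher so you can check which client addresses a policy's IP pattern would cover before applying it. This is an added example, not code from the product; it assumes the semantics the table shows (a dash gives an explicit range, a trailing "*" after an IPv4 prefix or a single-colon IPv6 prefix fills every remaining group, a "*" after "::" stands for exactly one group) and also accepts the en dash as a range separator.

```python
import ipaddress

def _wildcard_bounds(prefix):
    """Expand 'prefix*' to (low, high) addresses the way the policy table does."""
    if ":" in prefix:
        if "::" in prefix:
            # '10:20::*' style: the * stands for the last 16-bit group only
            return ipaddress.ip_address(prefix + "0"), ipaddress.ip_address(prefix + "ffff")
        # '10:20:*' style: the * fills every remaining group (assumed generalisation)
        n = 8 - prefix.count(":")
        low, high = ":".join(["0"] * n), ":".join(["ffff"] * n)
    else:
        # '10.20.30.*' style: the * fills every remaining octet
        n = 4 - prefix.count(".")
        low, high = ".".join(["0"] * n), ".".join(["255"] * n)
    return ipaddress.ip_address(prefix + low), ipaddress.ip_address(prefix + high)

def parse_ip_pattern(spec):
    """Parse a semicolon separated policy IP pattern into a list of (low, high) bounds."""
    bounds = []
    for part in spec.replace("\u2013", "-").split(";"):   # accept en dash as a separator
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (ipaddress.ip_address(p.strip()) for p in part.split("-", 1))
        elif part.endswith("*"):
            low, high = _wildcard_bounds(part[:-1])
        else:
            low = high = ipaddress.ip_address(part)
        # Reject mixed-family or reversed ranges so a typo cannot silently match nothing
        if low.version != high.version or low > high:
            raise ValueError(f"invalid IP range: {part!r}")
        bounds.append((low, high))
    return bounds

def ip_matches(spec, client_ip):
    """True if client_ip falls inside any range of the policy's IP pattern."""
    ip = ipaddress.ip_address(client_ip)
    return any(low <= ip <= high
               for low, high in parse_ip_pattern(spec) if low.version == ip.version)
```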

How are multiple policies applied to an Adapter Instance?

If there are multiple policies of a single policy type applied to an adapter instance, the following rules are used to select a single policy to be applied to a user or IP address:

  1. IP based policy gets priority: The system first selects the policies that are applicable/defined for the address of the client. If none are found, the system selects the policies that are applicable/defined for the User ID used by the client. If none are found, no policies are applied.

    Note: The first rule is not applicable to Lockout Policy as it is not IP address or User based.
  2. Instance level policy gets priority: From the list of IP based or user based policies from the previous rule (IP based policies get priority), the system selects instance level policies. If there are none, the system selects protocol level policies.

    Note: At this point the system will have selected either instance level policies or protocol level policies but not both (for evaluation).
  3. Most restrictive policy gets applied: If the system still has multiple policies after applying the previous rule (instance level policy), the system selects the most restrictive policy. This is possible if the IP address falls in an overlapping range or the same user is selected for many policies.
    • For command limiting policy, the system combines all commands in the command list of each policy and treats this as a single policy.

    • For bandwidth and data limit policies, the system applies the one with the minimum amount of bandwidth/data configured.

    • For lockout policy, since there can be only one instance level policy per instance and only one protocol level policy for the system, there is no conflict at this point.
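The three selection rules above, written out as a resolver over a constructed set of policies so the precedence (IP over user, instance over protocol, then most restrictive) can be checked on concrete inputs. This is an added example, not the product's code; the Policy class, its field names, the sample policies and the use of exact IP sets instead of IP patterns are all simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    ptype: str                          # "bandwidth", "data", "command" or "lockout"
    level: str                          # "protocol" or "instance"
    ips: frozenset = frozenset()        # client addresses the policy names (exact IPs here)
    users: frozenset = frozenset()      # user IDs the policy names
    limit: int = 0                      # bandwidth or daily data cap (smaller = stricter)
    commands: frozenset = frozenset()   # commands a command limiting policy blocks

def resolve_policy(policies, ptype, client_ip, user):
    """Pick the single policy of type ptype that governs this client, per rules 1-3."""
    cands = [p for p in policies if p.ptype == ptype]
    if ptype == "lockout":
        selected = cands                 # rule 1 does not apply: lockout is not IP or user based
    else:
        # Rule 1: IP based policies first; user based ones only if no IP policy matched
        selected = [p for p in cands if client_ip in p.ips]
        if not selected:
            selected = [p for p in cands if user in p.users]
    # Rule 2: instance level wins over protocol level, never both
    instance = [p for p in selected if p.level == "instance"]
    selected = instance or [p for p in selected if p.level == "protocol"]
    if not selected:
        return None
    # Rule 3: most restrictive of whatever is left
    if ptype == "command":
        merged = frozenset().union(*(p.commands for p in selected))   # union of all command lists
        return Policy("merged", "command", selected[0].level, commands=merged)
    if ptype in ("bandwidth", "data"):
        return min(selected, key=lambda p: p.limit)                    # smallest limit wins
    return selected[0]                   # lockout: one per level, so no conflict here

# Constructed sample policies applied to one adapter instance (not a real configuration).
SAMPLE = [
    Policy("default-bw", "bandwidth", "protocol", ips=frozenset({"10.20.30.44", "10.20.30.45"}), limit=10_000),
    Policy("tp1-bw", "bandwidth", "instance", ips=frozenset({"10.20.30.44"}), limit=1_000_000),
    Policy("tp1-bw-overlap", "bandwidth", "instance", ips=frozenset({"10.20.30.44"}), limit=512_000),
    Policy("tp1-bw-user", "bandwidth", "instance", users=frozenset({"tp1"}), limit=256_000),
    Policy("no-read", "command", "instance", users=frozenset({"tp2"}), commands=frozenset({"RETR"})),
    Policy("no-list", "command", "instance", users=frozenset({"tp2"}), commands=frozenset({"LIST", "NLST"})),
    Policy("lock-5min", "lockout", "protocol", limit=3),   # limit reused here as max attempts
]
```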