File Transfer Protocol (FTP) provides the capability of transferring files between a client (a user on another system) and your server. You need to understand the security risks that you might encounter when you use FTP to ensure that your security policy describes how to minimize the risks.
You can also use the remote command capability to submit commands to the server. Consequently, FTP is useful for working with remote systems or moving files between systems. However, the use of FTP across the Internet, or across other untrusted networks, exposes you to certain security risks. Understanding these risks helps you secure your system.
- Your object authority scheme might not provide enough protection when you allow FTP on your system.
For example, the public authority for your objects might be *USE, but today you are preventing most users from accessing those objects by using menu security. (Menu security prevents users from doing anything that is not one of their menu options.) Because FTP users are not restricted to menus, they can read all objects on your system. Here are some options for controlling this security risk:
- Put into effect full i5/OS object security on the system (in other words, change the system's security model from menu security to object security). This is the best and most secure option.
- Write exit programs for FTP to restrict access to files that might be transferred through FTP. These exit programs need to provide security that is at least equivalent to the security that the menu program provides. You might want to make the FTP access controls even more restrictive. This option only covers FTP, not other interfaces such as open database connectivity (ODBC), distributed data management (DDM), or Distributed Relational Database Architecture (DRDA).
Note: *USE authority to a file allows the user to download the file. *CHANGE authority to a file allows the user to upload the file.
- A hacker can mount a denial of service attack with your FTP server to disable user profiles on the system. This is done by repeatedly attempting to log on with an incorrect password for a user profile until the user profile is disabled. This type of attack disables the profile if it reaches the maximum sign-on count of three.
Avoiding this risk involves analyzing the trade-off you are willing to make between increasing security to minimize the attack and giving users ease of access. The FTP server normally enforces the QMAXSIGN system value to prevent a hacker from having unlimited attempts to guess a password and therefore mount password attacks. Here are some options to consider:
- Use an FTP server logon exit program to reject logon requests from any system user profile and from any user profile that you designate as not allowed FTP access. (When you use such an exit program, logon attempts rejected by the server logon exit point for the user profiles that you block do not get counted against the profile's QMAXSIGN count.)
- Use an FTP server logon exit program to limit the client machines from which a given user profile is allowed to access the FTP server. For example, if a person from Accounting is allowed FTP access, only allow that user profile FTP server access from computers that have IP addresses in the Accounting department.
- Use an FTP server logon exit program to log the user name and IP address of all FTP logon attempts. Review these logs regularly, and whenever a profile is disabled by maximum password attempts, use the IP address information to identify the perpetrator and take appropriate measures.
- Use the intrusion detection system to detect denial of service attacks on the system.
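The three logon exit-program controls above (reject system profiles, restrict a profile to its department's addresses, log every attempt) as one decision routine, an added C example that is not IBM's code and not a real exit program: the exit point's actual parameter list is not modelled, the profile names and subnets are constructed, and treating Q* names as system profiles is an assumption.

```c
/* Added example (not IBM code): the accept/reject policy an FTP server logon
 * exit program could apply.  The exit point's parameter list is not modelled. */
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: user profile -> the IPv4 network it may log on from. */
struct rule { const char *profile; const char *network; int prefix; };
static const struct rule rules[] = {
    { "ACCT01", "10.20.30.0", 24 },   /* Accounting subnet (constructed) */
    { "ACCT02", "10.20.30.0", 24 },
};

/* Parse a dotted-quad IPv4 address into host order; 1 on success, 0 on failure. */
static int parse_ipv4(const char *s, unsigned long *out) {
    unsigned int a, b, c, d; char extra;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((unsigned long)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static int in_network(unsigned long ip, unsigned long net, int prefix) {
    unsigned long mask = prefix ? (0xFFFFFFFFUL << (32 - prefix)) & 0xFFFFFFFFUL : 0UL;
    return (ip & mask) == (net & mask);
}

/* Policy: default deny.  Returns 1 to accept, 0 to reject; *why explains the verdict. */
static int decide(const char *profile, const char *client_ip, const char **why) {
    unsigned long ip, net; size_t i;
    /* Assumption: the site treats IBM-supplied Q* profiles (QSECOFR, QSYSOPR, ...)
       as system profiles that must never log on through FTP. */
    if (profile[0] == 'Q') { *why = "system profile"; return 0; }
    if (!parse_ipv4(client_ip, &ip)) { *why = "malformed client address"; return 0; }
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].profile, profile) != 0) continue;
        if (parse_ipv4(rules[i].network, &net) && in_network(ip, net, rules[i].prefix)) {
            *why = "address inside permitted network"; return 1;
        }
        *why = "address outside permitted network"; return 0;
    }
    *why = "profile not authorized for FTP"; return 0;
}

/* Entry point an exit program would call: every attempt is logged (user name and
 * IP address, as recommended above) before the verdict goes back to the server. */
int ftp_logon_allowed(const char *profile, const char *client_ip) {
    const char *why;
    int ok = decide(profile, client_ip, &why);
    fprintf(stderr, "FTP logon %s user=%s ip=%s reason=%s\n",
            ok ? "ACCEPT" : "REJECT", profile, client_ip, why);
    return ok;
}
```

Rejections made by this routine happen before the server's password check, which is why, as the text notes, they are not counted against the profile's QMAXSIGN limit.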
Additionally, you can use FTP server exit points to provide an anonymous FTP function for guest users. Setting up a secure, anonymous FTP server requires exit programs for both the FTP server logon and FTP server request validation exit points.
You can use the Secure Sockets Layer (SSL) to provide secure communications sessions for your FTP server. Using SSL ensures that all FTP transmissions are encrypted to maintain confidentiality for all data that passes between the FTP server and the client, including user names and passwords. The FTP server supports the use of digital certificates for client authentication also.
In addition to these FTP options, you might want to consider using anonymous FTP to provide a convenient way for users to access non-confidential material easily. Anonymous FTP enables unprotected access (no password required) to selected information about a remote system. The remote site determines what information is made available for general access. Such information is considered to be publicly accessible and can be read by anyone. Before configuring anonymous FTP, weigh the security risks and consider securing your FTP server with exit programs.