More port control
Networking on z/OS
Port control is a big topic in the world of network security. Within an organization, the individual or group responsible for a boundary firewall might have strict rules about which ports can be used. And, even within the z/OS host, keeping tight control over which ports are available is key to a healthy and secure system. With respect to a firewall, one of the most difficult areas is the ephemeral port usage of an FTP server.
The FTP server may request an ephemeral port for performing a data transfer. By default, this port number could be anywhere in the range from 1024 to 65535. However, it is not desirable to open up such a wide range of ports on a firewall. Using the PORTRANGE statement in the FTP.DATA configuration file, FTP ephemeral port usage can be limited to a range between a low port and a high port. This same range would then be reflected in the appropriate port-filtering firewall(s).

Access to ports below 1024 should normally be restricted. This is controlled by the RESTRICTLOWPORTS option on the TCPCONFIG and UDPCONFIG statements in the TCP/IP profile; see Figure 1.

Figure 1. Controlling low number ports

    TCPCONFIG RESTRICTLOWPORTS
    UDPCONFIG RESTRICTLOWPORTS
    PORT
       20 TCP *       NOAUTOLOG          ; FTP Server
       21 TCP FTPD1                      ; FTP Server
       23 TCP TN3270D                    ; Telnet 3270 Server
       23 TCP INETD1  BIND 201.2.10.199  ; z/OS UNIX Telnet server
       25 TCP SMTP                       ; SMTP Server
       53 TCP NAMED1                     ; Domain Name Server
       53 UDP NAMED1                     ; Domain Name Server

If RESTRICTLOWPORTS has been coded, how can an application such as a web server or an FTP server access its normal ports? The answer is the PORT statement shown in Figure 1. A PORT statement entry is required for any application that wants to use a port below 1024 when RESTRICTLOWPORTS is in effect. The TCP/IP stack reserves ports for the started task (server) name listed on the PORT statement. The PORT statement is a rudimentary form of control: only an application with the assigned task name is allowed to use that port number.

The FTP application has the unusual characteristic of using a second connection for the data transfer. It also allows a user to "hop" to a secondary FTP server, a process called proxy. Consequently, further restrictions are possible in the FTP environment. Such controls are put in effect using the FTP.DATA configuration data set. For example, the FTP subcommand PORT can be disabled in a proxy environment by using the PORTCOMMAND statement. Or, the IP address in a PORT or PASV command (see RFC 959) can be forced to match the IP address of the remote end of the control session. This is accomplished using the PORTCOMMANDIPADDR and PASSIVEDATACONN statements, respectively.
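The two controls in this topic, the PORT reservations that make RESTRICTLOWPORTS workable and the FTP data-connection checks (PORTCOMMAND, PORTCOMMANDIPADDR, PASSIVEDATACONN and a bounded passive port range), modelled in Python as an added example. This is not IBM code and not how the z/OS stack or FTP server is implemented: the profile fragment, job names and addresses are constructed, the profile parsing is simplified (BIND-qualified PORT entries are not modelled), and the PASV reply string follows RFC 959.

```python
"""Model of the z/OS port controls described above (added example, not IBM code).

1. RESTRICTLOWPORTS plus PORT reservations in the TCP/IP profile: a port below
   1024 may only be bound by the job name reserved for it ('*' = any job).
2. FTP data-connection checks: PORTCOMMAND REJECT refuses the PORT subcommand,
   PORTCOMMANDIPADDR NOREDIRECT requires the PORT address to equal the
   control-connection peer, and passive data ports come from a low/high range
   that a firewall can be configured to permit.
"""
import ipaddress
import re

# Constructed sample, modelled on Figure 1 (BIND entry omitted for simplicity).
SAMPLE_PROFILE = """\
TCPCONFIG RESTRICTLOWPORTS
UDPCONFIG RESTRICTLOWPORTS
PORT
   20 TCP *       NOAUTOLOG ; FTP Server data port, any job
   21 TCP FTPD1             ; FTP Server
   23 TCP TN3270D           ; Telnet 3270 Server
   25 TCP SMTP              ; SMTP Server
   53 TCP NAMED1            ; Domain Name Server
   53 UDP NAMED1            ; Domain Name Server
"""


def parse_profile(text):
    """Return (restricted, reservations): the protocols with RESTRICTLOWPORTS
    and a {(port, proto): jobname} map built from the PORT statement entries."""
    restricted = set()
    reservations = {}
    in_port = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        tokens = line.upper().split()
        if in_port and tokens[0].isdigit():       # continuation entry of PORT
            reservations[(int(tokens[0]), tokens[1])] = tokens[2]
            continue
        in_port = False
        if tokens[0] in ("TCPCONFIG", "UDPCONFIG") and "RESTRICTLOWPORTS" in tokens:
            restricted.add("TCP" if tokens[0] == "TCPCONFIG" else "UDP")
        elif tokens[0] == "PORT":
            in_port = True
            if len(tokens) >= 4 and tokens[1].isdigit():   # entry on same line
                reservations[(int(tokens[1]), tokens[2])] = tokens[3]
    return restricted, reservations


def may_bind(profile, proto, port, jobname):
    """Decide whether jobname may bind port/proto under the parsed profile."""
    restricted, reservations = profile
    proto = proto.upper()
    reserved_for = reservations.get((port, proto))
    if reserved_for is not None:
        # A reserved port is usable only by the named task ('*' = any task).
        return reserved_for == "*" or reserved_for == jobname.upper()
    if port < 1024 and proto in restricted:
        return False          # low port, restricted, and nobody reserved it
    return True


PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip_str, port)."""
    m = PORT_ARG.match(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(x) for x in v[:4]))
    return str(ip), v[4] * 256 + v[5]


def port_command_allowed(arg, peer_ip, portcommand="ACCEPT", ipaddr="NOREDIRECT"):
    """Apply PORTCOMMAND (ACCEPT/REJECT) and PORTCOMMANDIPADDR
    (UNRESTRICTED/NOREDIRECT) to one PORT subcommand from a client at peer_ip."""
    if portcommand.upper() == "REJECT":
        return False                      # PORT subcommand disabled outright
    ip, _port = parse_port_argument(arg)
    if ipaddr.upper() == "NOREDIRECT" and ip != str(ipaddress.IPv4Address(peer_ip)):
        return False                      # data address must be the peer itself
    return True


def pasv_response(server_ip, low, high, in_use):
    """Allocate the next free data port from the low..high range and format the
    RFC 959 '227' reply; return None when the range is exhausted."""
    for port in range(low, high + 1):
        if port not in in_use:
            in_use.add(port)
            h = server_ip.replace(".", ",")
            return f"227 Entering Passive Mode ({h},{port // 256},{port % 256})"
    return None


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print("FTPD1 on 21:", may_bind(prof, "TCP", 21, "FTPD1"))    # True
    print("WEBSRV on 80:", may_bind(prof, "TCP", 80, "WEBSRV"))  # False: no PORT entry
    print("PORT from peer:", port_command_allowed("10,1,2,3,4,1", "10.1.2.3"))
    print(pasv_response("201.2.10.199", 50000, 50010, set()))
```

The `may_bind` check is the whole point of the PORT statement: with RESTRICTLOWPORTS coded, an unreserved low port such as 80 is refused even though nothing else claims it, which is why a web server needs its own entry. The NOREDIRECT test in `port_command_allowed` is what stops a client from steering the data connection at a third host, and `pasv_response` shows why a configured low/high range is what the firewall team actually needs to know.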
Copyright IBM Corporation 1990, 2010