IBM Support

FTP Clear Command Channel Support at V5R4

Troubleshooting


Problem

This document discusses the support for Clear Command Channel at V5R4 of the operating system.

Resolving The Problem

With FTP over SSL/TLS, a NAT firewall can no longer inspect or rewrite the information passed on an FTP control connection. An FTP control connection can run in one of two transmission modes: clear text or encrypted. If you use the clear text mode on the control connection, you risk exposing sensitive information to an intruder. If you use the encrypted mode, the firewall cannot monitor or change the information sent on the control connection and therefore cannot perform functions such as network address translation. Starting at R540 with PTF SI23649, the Clear Command Channel (CCC) subcommand changes the transmission mode of the control connection from the encrypted mode to the clear text mode. This lets you protect sensitive information, including your user name and password, by sending it while the control connection is still encrypted, and then use the CCC subcommand to switch to the clear text mode before sending the port and IP address information.

Note: After using the CCC subcommand, you will send all your information in the clear text mode in the control connection. If the names of files or directories on your system contain sensitive information, be aware that any names sent on the control connection after running the CCC subcommand are not protected. However, the data connection transmission mode remains intact and the data transfer that happens afterward is still secure.

FTP Client:
An individual user can be allowed or denied the use of CCC by granting or revoking the private authority to QIBM_QTMF_CLIENT_REQ_10, either with the CHGFCNUSG command or through iSeries Navigator Application Administration support.

For example:

CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_10) USER(user) USAGE(*ALLOWED)


FTP Server:
FTP Server Subcommand CCC

When the FTP server receives a Clear Command Channel (CCC) subcommand, it first determines whether the current user has the authority to perform the CCC command. If the user has the authority, the server accepts the command by sending a confirmation reply back to the FTP client and then changes the transmission mode of the control connection from the encrypted mode to the clear text mode. Because the switch happens only after the user is authenticated, you can protect sensitive information, including your user name and password, by sending it while the control connection is still encrypted, and then use the CCC subcommand to change to the clear text mode and send the port and IP address information.

Security Concerns

There are potential security and integrity exposures in using the CCC approach as compared to full encryption of the control connection. First, file and directory names exchanged with the FTP server become subject to interception, and it is possible that these names contain sensitive or confidential information. Second, the IP address and port information transferred on the control connection is subject to interception by hackers. Finally, some other "direct" TCP attacks on an FTP server, or attacks that use an FTP server against other systems, are completely eliminated when a secure control connection is used. Some of those attacks become possible again when the control connection reverts to "clear" mode.

Because of these concerns, usage of the CCC subcommand is controlled using the operating system Function Usage interface, and the default setting for CCC is *DENIED for the FTP server. To allow an individual user logged into the FTP server to use the CCC subcommand for ending protection of the control connection, give *ALLOWED usage to the QIBM_QTMF_SERVER_REQ_10 function using the CHGFCNUSG command or iSeries Navigator Application Administration support. For example:

CHGFCNUSG FCNID(QIBM_QTMF_SERVER_REQ_10) USER(user) USAGE(*ALLOWED)

To allow all users to perform this function, change the default authority of this function to *ALLOWED. RFC 4217, Securing FTP with TLS, describes the Clear Command Channel. This support is documented in SE25247.
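The server-side handling described under "FTP Server Subcommand CCC" and the function-usage control described under "Security Concerns", as an added worked simulation in Python (this is not IBM i code and is not from this document): it models the authority check on QIBM_QTMF_SERVER_REQ_10 with the shipped *DENIED default, the switch of the control connection from protected to clear text after an accepted CCC, and which control-connection commands end up exposed while the data connection stays protected. The FunctionUsage and ControlConnection classes, the run_session and exposed_commands helpers, the session commands and the reply texts are constructed assumptions; only the function ID and the *DENIED and *ALLOWED values come from the document.

```python
"""
Simulated handling of the FTP CCC subcommand on a server control connection.

Added illustration only: this is not IBM i FTP server code. It models the
behaviour the document describes:
  - the function-usage check on QIBM_QTMF_SERVER_REQ_10 (default *DENIED),
  - the switch of the control connection from protected to clear text after
    an accepted CCC,
  - which control-connection traffic was protected and which was exposed,
    while the data connection (PROT P) stays protected.
Reply codes and texts are modelled on RFC 959 / RFC 2228 / RFC 4217
conventions; the exact replies an IBM i FTP server sends are not taken
from the document.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FUNCTION_ID = "QIBM_QTMF_SERVER_REQ_10"   # function ID from the document


@dataclass
class FunctionUsage:
    """Constructed stand-in for the function-usage entry CHGFCNUSG manages."""
    default: str = "*DENIED"                       # shipped default for CCC
    users: Dict[str, str] = field(default_factory=dict)

    def allowed(self, user: str) -> bool:
        return self.users.get(user, self.default) == "*ALLOWED"


@dataclass
class ControlConnection:
    usage: FunctionUsage
    user: Optional[str] = None
    authenticated: bool = False
    control_protected: bool = True    # AUTH TLS already negotiated
    data_protected: bool = True       # PROT P in effect
    # (command line, control channel protected when it was sent, reply)
    log: List[Tuple[str, bool, str]] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client command and record how it travelled."""
        # Snapshot the protection state first: the CCC command itself and the
        # server's 200 reply to it still travel protected (RFC 4217).
        protected_now = self.control_protected
        verb, _, arg = line.partition(" ")
        reply = self._dispatch(verb.upper(), arg.strip())
        self.log.append((line, protected_now, reply))
        return reply

    def _dispatch(self, verb: str, arg: str) -> str:
        if verb == "USER":
            self.user, self.authenticated = arg, False
            return "331 Enter password."
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first."
            self.authenticated = True
            return "230 User logged in."
        if not self.authenticated:
            return "530 Not logged in."
        if verb == "CCC":
            if not self.control_protected:
                return "533 Control connection is already in clear text mode."
            if not self.usage.allowed(self.user):
                # Authority is checked first; the switch never happens.
                return f"534 Request denied for policy reasons ({FUNCTION_ID})."
            self.control_protected = False      # takes effect after this reply
            return "200 Clear command channel accepted."
        if verb == "PROT":
            self.data_protected = (arg == "P")
            return f"200 Data connection protection set to {arg}."
        if verb in ("PORT", "EPRT"):
            return "200 Port command successful."   # address now readable if clear
        if verb in ("LIST", "NLST", "RETR", "STOR"):
            return "150 Opening data connection."
        return "502 Command not implemented."


def run_session(usage: FunctionUsage, commands: List[str]) -> ControlConnection:
    """Feed a constructed command sequence through one control connection."""
    conn = ControlConnection(usage)
    for cmd in commands:
        conn.handle(cmd)
    return conn


def exposed_commands(conn: ControlConnection) -> List[str]:
    """Control-connection commands that travelled in clear text."""
    return [cmd for cmd, protected, _ in conn.log if not protected]


if __name__ == "__main__":
    # Constructed session: credentials first, then CCC, then address and path.
    session = ["USER alice", "PASS s3cret", "CCC",
               "PORT 192,0,2,10,4,1", "NLST /payroll"]
    denied = run_session(FunctionUsage(), session)            # default *DENIED
    allowed = run_session(FunctionUsage(users={"alice": "*ALLOWED"}), session)
    for name, conn in (("denied", denied), ("allowed", allowed)):
        print(name, [r for _, _, r in conn.log], "exposed:", exposed_commands(conn))
```

Running the block prints the replies for a user with the default *DENIED setting and for a user granted *ALLOWED. The CCC command and the 200 reply to it are recorded as protected because the switch takes effect only after the server's reply; everything logged afterwards, here the PORT address and the NLST path, is exactly the information the Security Concerns section says an observer on the path can read, while data_protected stays true for the transfer itself. On the client side, Python's standard ftplib.FTP_TLS exposes the same operation as its ccc() method.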


Historical Number

448557465

Document Information

Modified date:
18 December 2019

UID

nas8N1018900