FTP (File Transfer Protocol) provides the capability of transferring files between a client (a user on another system) and your server.
You can also use the remote command capability to submit commands to the server. Consequently, FTP is very useful for working with remote systems, or to move files between systems. However, the use of FTP across the Internet, or other untrusted networks, exposes you to certain security risks. You must understand these risks to ensure that your security policy describes how you will minimize these risks.
- Your object authority scheme might not provide enough protection when
you allow FTP on your system.
For example, the public authority for your objects may be *USE, but today you are preventing most users from accessing those objects by using "menu security". (Menu security prevents users from doing anything that is not one of their menu options.) Since FTP users are not restricted to menus, they can read all objects on your system.
Here
are some options for controlling this security risk: - Put into effect full iSeries™ object security on the system (in other words, change the system's security model from "menu security" to "object security." This is your best, most secure option.
- Write exit programs for FTP to restrict access to files which may be transferred
through FTP. These exit programs should provide security that is at least
the equivalent as the security that the menu program provide. Many customers
would probably want to make the FTP access controls even more restrictive.
This option only covers FTP, not other interfaces such as ODBC, DDM, or DRDA®. Note: *USE authority to a file allows the user to download the file. *CHANGE authority to a file allows the user to upload the file.
- A hacker can mount a "denial of service" attack with your FTP server to
disable user profiles on the system. This is done by repeatedly attempting
to log on with an incorrect password for a user profile until the user profile
is disabled. This type of attack disables the profile if it reaches the maximum
sign on count of three.
What you can do to avoid this risk involves analyzing the trade-offs that you are willing to make to increase security to minimize the attack versus providing users with ease of access. The FTP server normally enforces the QMAXSIGN system value to prevent a hacker from having unlimited attempts to guess a password and therefore mount password attacks. Here are some options that you should consider using:
- Use an FTP server logon exit program to reject logon requests by any system user profiles and those user profiles that you designate not be allowed FTP access. (When using such an exit program, logon attempts rejected by the server logon exit point for the user profiles that you block do not get counted against the profile's QMAXSIGN count.)
- Use an FTP server logon exit program to limit the client machines from which a given user profile is allowed to access the FTP server. For example, if a person from Accounting is allowed FTP access, only allow that user profile FTP server access from computers which have IP addresses in the Accounting department.
- Use an FTP server logon exit program to log the user name and IP address of all FTP logon attempts. Review these logs regularly, and whenever a profile is disabled by maximum password attempts, use the IP address information to identify the perpetrator and take appropriate measures.
- Use the intrusion detection system to detect "denial of service"
attacks on the system.
Additionally, you can use FTP server exit points to provide an anonymous FTP function for guest users. Setting up a secure, anonymous FTP server requires exit programs for both the FTP server logon and FTP server request validation exit points.
You can use the Secure Sockets Layer (SSL) to provide secure
communications sessions for your FTP server. Using SSL ensures that all FTP
transmissions are encrypted to maintain confidentiality for all data that
passes between the FTP server and the client, including user names and passwords.
The FTP server supports the use of digital certificates for client authentication
also.
In addition to these FTP options, you may want
to consider using Anonymous FTP to provide a convenient way for users to access
non-confidential material easily. Anonymous FTP enables unprotected access
(no password required) to selected information about a remote system. The
remote site determines what information is made available for general access.
Such information is considered to be publicly accessible and can be read by
anyone. Before configure Anonymous FTP, you should weigh the security risks
and consider securing your FTP server with exit programs.