Integranet Networking Services Ltd. 71 High Street, Harrold, Bedfordshire, MK43 7BJ. Tel: +44 (0) 1234 721755 Email: info@integranet.co.uk


 
IntegraNET - Providing intelligent solutions for your IBM Mainframe and beyond!
 

Link Manage Secure FTP Product Highlights

    • Automated FTP post processing, controlled from FTP-Client
    • Real-time GUI monitoring of complete FTP-session including security monitoring
    • All FTP-commands secured per user-id/password, IP-address and FTP-server-port
    • Fully integrated with SAF (RACF, ACF2, TSS)
    • OS/390 (or z/OS) FTP client monitoring

The Need
An obvious benefit of FTP is that it is available in the TCP/IP stack that comes with every operating system. FTP operates according to the RFCs on each of these platforms, and each platform has added its own specific SITE commands. This makes FTP a very powerful tool.
The weakness of FTP lies in its lack of automation, control and security facilities. Specifically in the OS/390 (or z/OS) domain, which has a history of tight control and security, organizations are conscious that they have to address this weakness.

Automation
Data files are usually transferred to OS/390 (or z/OS) with the intention of performing some processing on the data. It is, however, difficult to determine exactly when the transfer has completed and when the post-processing should start.

Online monitoring
Standard SMF data can give after-the-fact information about data files that were successfully transferred to or from OS/390 (or z/OS).
Secure \ FTP, however, provides both online monitoring and history reporting on complete FTP sessions: which commands have been executed, and for which files? As a result of the integration with its security facilities, Secure \ FTP includes all security-related data in its online monitoring and history reporting: which rules have been checked for this command? Which users have tried to execute specific FTP commands but were not allowed to?

Security
Typically, organizations have set up firewalls and/or VPNs to protect themselves from unauthorized external TCP/IP traffic. They also secure access to data files on OS/390 (or z/OS) with SAF tools (RACF, ACF2, TSS). This type of protection proves to be insufficient.

Firewalls provide or deny access to FTP as a whole; they cannot grant authorizations for individual FTP (sub)commands. SAF tools look at data access, no matter where this access originates (TSO, FTP client, etc.). Secure \ FTP provides the ability to secure every single FTP (sub)command, including all SITE commands, at the level of user-id/password, combined with originating IP address and destination OS/390 (or z/OS) port.

Some data files simply belong on the OS/390 (or z/OS) mainframe, and the sole fact that a user has read access to these files from TSO or another mainframe application shouldn't mean that this user is automatically allowed to transfer them to other environments (OS/390, z/OS, NT, Unix, etc.).

FTP commands like List, CWD (Change Working Directory), etc. do not imply direct access to datasets and cannot be protected by standard SAF tools. Still, companies want to prevent FTP users from even browsing directories and seeing that datasets originating from or reserved for other users are available. Like all other FTP commands, these too can be secured with Secure \ FTP.
In this way, Secure \ FTP makes it possible to give each individual user access to a ‘limited FTP facility’.

Architecture
Secure \ FTP makes use of all available exits in the FTP server of the OS/390 (or z/OS) TCP/IP stack.
It runs as a started task in its own address space, where all data communicated from the exits is written into a set of VSAM files, which can be queried for online monitoring purposes from a GUI Monitor. For historical purposes, the information in the VSAM files is dumped into a workstation environment where statistical data is provided.
Secure \ FTP integrates via the SAF interface with all popular security tools on OS/390 (or z/OS), which enables OS/390 (or z/OS) security officers to protect FTP traffic with the same type of rules as their other applications.

For further information please visit www.linkmanage.com
