Highlights
- Automated FTP postprocessing, controlled from FTP-Client
- Real-time GUI monitoring of complete FTP-session including security monitoring
- All FTP-commands secured per user-id/password, IP-address and FTP-server-port
- Fully integrated with SAF (RACF, ACF2, TSS)
- OS/390 (or z/OS) FTP client monitoring
The Need
An obvious benefit of FTP is that it is available in the TCP/IP-stack that comes with every single operating system. FTP operates according to the RFCs on each of these platforms, and has added specific SITE commands for each platform. This makes FTP a very powerful tool.
The weakness of FTP lies in its lack of automation, control and security facilities. Specifically in the OS/390 (or z/OS) domain, which has a history of tight control and security, organisations are conscious that they have to address this weakness.
Automation
Usually data files get transferred to OS/390 (or z/OS) with the intention of performing some processing on this data. It is, however, difficult to determine exactly when the transfer has been completed and when the post-processing should be started.
Online monitoring
Standard SMF-data can give after-the-fact information about data files that were successfully transferred to or from OS/390 (or z/OS).
Secure \ FTP, however, provides both online monitoring and history reporting on complete FTP sessions: which commands have been executed, and for which files?
As a result of the integration with its security facilities, Secure \ FTP includes all security-related data in its online monitoring and history reporting: which rules have been checked for this command? Which users have tried to execute specific FTP-commands but were not allowed to?
Security
Typically organisations have set up firewalls and/or VPNs to protect themselves from unauthorized external TCP/IP traffic.
They also secure access to data files on OS/390 (or z/OS) with SAF-tools (RACF, ACF2, TSS).
This type of protection proves to be insufficient.
Firewalls will provide or deny access to FTP as a whole; they cannot give authorisations to individual FTP-(sub)-commands.
SAF-tools look at data access, no matter where this access originates (TSO, FTP-client, etc).
Secure \ FTP provides the ability to secure every single FTP-(sub)-command, including all SITE commands, at the level of user-id/password, combined with originating IP-address and destination OS/390 (or z/OS) port.
Some data files simply belong on the OS/390 (or z/OS) mainframe, and the sole fact that a user has read-access to these files from TSO or another mainframe application shouldn’t mean that this user is automatically allowed to transfer these data files to other environments (OS/390, z/OS, NT, Unix, etc).
FTP-commands like List, CWD (Change Working Directory), etc do not imply direct access to datasets and cannot be protected by standard SAF-tools. Still, companies want to prevent FTP users from even browsing directories and seeing that datasets, originating from or reserved for other users, are available. Like all other FTP-commands, these can also be secured with Secure \ FTP.
In this way, Secure \ FTP makes it possible to give each individual user access to a ‘limited FTP facility’.
Architecture
Secure \ FTP makes use of all available exits in the FTP server of the OS/390 (or z/OS) TCP/IP stack.
It runs as a started task in its own address-space, where all data communicated from the exits are written into a set of VSAM files, which can be queried for online monitoring purposes from a GUI Monitor. For historical purposes the information in the VSAM files gets dumped into a workstation environment where statistical data is provided.
Secure \ FTP integrates via the SAF-interface with all popular security tools on OS/390 (or z/OS), which enables OS/390 (or z/OS) security officers to protect FTP traffic with the same type of rules as their other applications.