Securing z/OS FTP TransmissionsMichael W. MossValue-4IT Limited6 November 2019Session EK

Securing z/OS FTP Transmissions: Agenda Communications Server FTP Introduction & OverviewIBM z/OS FTP: Protocols Functional Comparisonz/OS FTP Logs & Analysis Overviewz/OS FTP, FTPS & SFTP Functions Overviewz/OS FTP Method Comparison: Security vs. ComplianceIBM z/OS FTP Security Deployment: General OverviewIBM z/OS FTP: Data Sources For Monitoring FTP ActivityAre FTPS & SFTP GDPR Compliant? Managed File Transfer (MFT)Data Evolution: uring z/OS FTP Transmissions: ConclusionFTP Demo (If Time Allows)06 November 20192

IBM TCP/IP General Availability (GA) RepriseJune 1992 - IBM TCP/IP For MVS Version 2.2 provides the user of MVS (base OS) thecapability to participate in a multivendor network using the TCP/IP protocol set: CICS-TCP/IP Socket Interface: Allow CICS Client or Server applications to interoperate withapplications on processors (platforms) attached to a TCP/IP network. LPR/LPD Printing Support: Remote printing client server support. The line printer client (LPR)sends print data to a line printer daemon (LPD) on a specified server host printer. Telnet & FTP SMF Record Support: The TELNET Server provides SMF records identifying the localuser id, local & remote IP addresses, log-on/off date/time & VTAM LU used for log-on. The FTPserver provides SMF records for the Append, Delete/Mdelete, Get/Mget, Put/Mput & Renameclient services, plus failed login attempts. FTP Security Exits: Check IP & PORT Addresses, Check USER & Password, Check Command &Check JES usage; based on a premise of accepting or rejecting the FTP request. Db2 FTP SQL Query: Remote TCP/IP Db2 SQL query transmission; results retrieved via FTP. FTP Password Change: Allow the user to change the RACF (ACF2, TSS) account password.For 30 years, the Mainframe has been an IP network node, with FTP functionality06 November 20193

IBM z/OS Communications Server FTP IntroductionFTP is a z/OS UNIX System Services (USS) application. It can be started within an z/OS environment,but does not remain, immediately forking into the z/OS USS environment.The z/OS FTP server includes a daemon & server process. The daemon process starts when FTP isstarted (E.g. START FTPD) & listens for connection requests on a specific port (I.E. 21 unlessotherwise specified). When the daemon accepts an incoming connection, it creates a new process(server address space) for the FTP server, which handles the connection for the rest of the FTP loginsession; each FTP login session has its own server process. The server process inherits the acceptedconnection from the daemon process. This connection is called the control connection. The serverreceives commands from the client, sending replies to the client using the control connection. Thecontrol connection port is the same as the daemon's listening port.The client & server use a different connection for transferring data; the data connection. By default,the data port ID is one less than the control connection port (E.g. Control 21, Data 20). An FTP clientcan override the default data port, directing the server to run in passive mode. In passive (PASV)mode, the server uses an ephemeral (transient) data port. Passive mode is requested by firewallfriendly clients & by clients initiating three-way data transfers.06 November 20194

IBM z/OS Communications Server FTP emote FTP ClientJES2Job Submit/Query/OutputNJE Data TransmissionDb2SQL Queriesz/OS FTP Server:Optional SAFSecurity Exitsz/OS USSClear Text (FTP) or Secure Transfersvia SSL/TLS, Kerberos or IPSecz/OS FTP Client:API, Batch Job,TSO, UNIX Shellz/OS USSFiles FilesPipesRemote FTP ServerClientFTP.Data06 November 2019SecurityDatabase5

IBM z/OS FTP: Protocols Functional ComparisonFTP Protocol Type:Function DescriptionFTP (No Security):RFC 959FTPS (SSL/TLS):RFC 959/RFC 4217FTP (IPSec):Any RFC StandardSFTP (SSH) RFC 4253:IBM Ported ToolsUser ID & Password SecuredData In-Flight Encryptionz/OS USS File Supportz/OS (MVS) File SupportSystem Z Encryption FeaturesSupport (CPACF, ICSF)Partner Authentication: LocallyStored Public Key CopiesPartner Authentication: X.509Certificates (E.g. SSL/TLS)SAF Key Ring, ICSF UsageNoNoYesYesYesYesYesYesYesYesYesYesYesYesYesNo (3rd Party Support)NoYesYesYesNoNoYes (Pre Shared Key)YesNoYesYesNo (3rd Party Support)NoYesYesYesFIPS 140-2 SupportNoYes (z/OS 1.11)Yes (z/OS 1.12)No (3rd Party Support)Mutual (2-Way) AuthenticationNoYesYes (@ IP Address Level) No (3rd Party Support)Support3rd party support delivered by specialized ISV software (E.g. Co:Z SFTP, VFTP-SSH)NB. TFTP (Trivial File Transfer Protocol) excluded, due to EOS @ z/OS 2.2 & absence of client user identification & authentication.How to choose, FTPS or SFTP? By default the IBM z/OS FTP server doesn’t support SFTP 06 November 20196

z/OS FTP Logs & Analysis: Is SMF Data Good Enough?In theory, by default FTP can collect SMF 118 & 119 records; for performance & usability, only useSMF 119 records, which collect more information with standard formatting: Subtype 3: Client Transfer Completion (Includes cipher protocol, SSL/TLS, DES, FIPS 140, et al)Subtype 70: Server Transfer Completion (Includes cipher specification, SSL/TLS, FIPS 140, et al)Subtype 71: Daemon Configuration (Includes ciphersuite specification, SSL/TLS, DES)Subtype 72: Server Logon Failure (Includes cipher protocol, SSL/TLS, DES, FIPS 140, et al)FTP SMF logging has several blind spots, which could be exploited by savvy users, insiders or hackers: No Data Transfer Initiation: No SMF record created, for trivial reasons such as command syntax,file not found are arbitrary. However, a SAF access failure for a sensitive file is a different matter Batch FTP Transfer Initiation: No SMF record created if the data is transferred successfully, butthe job is cancelled before transfer success notification, a bad actor just needs to act accordingly Mostly, SMF records successful completed transfers. SMF can’t be solely replied upon for suspiciousclient activity, sniffing the FTP server for secrets, requesting unknown files & directories until SMF is a good start, but let’s think about what can go wrong, especially for sensitive data06 November 20197

z/OS FTP Logs & Analysis: Supplementing SMF RecordsIBM introduced a “Check Confidence” feature in z/OS 1.7 allowing users to determine with somecertainty that stream mode file structure transfer completed successfully, with 5 granularity levels: High: No error was detected.NoEOF: An EOF marker was not found in STRUCT R or MODE B or C transfer.Low: The client did not respond following the transfer or another error was reported.Unknown: Only for outbound transfers & only set if checking is active.Inactive: Only reported by the FTPOSTPR user exit.There are three methods for conveying the Check Confidence levels: FTP Server Logging: Via message EZYFS86I (FTP.DATA parameter FTPLOGGING set to TRUE). FTPOSTPR/EZAFCREP: User exit (log replies sent out by FTP Server). FTP Client Messaging: Via message EZA2108I.FTCMDCHK (EZAFCCMD z/OS 2.2 ) is an exit that can connect the server to SAF (ACF2, RACF, TSS) &can also be used to log incoming commands. In conjunction with FTPOSTPR (EZAFCREP z/OS 2.2 ),this supplies a complete “Command & Reply” log, to highlight suspicious client activity.06 November 20198

FTP:Client/ServerAdvantages: Ubiquitous (standard IP protocol) Easy-To-Use (common knowledge) Included In Base z/OS (zero cost)FirewallFile:PlainTextFirewallz/OS FTP Function Overview: IntroductionTypical Usage: Public Information Intranet (beware the insider attack) Anything & Everything tages: Low Security (authentication) Firewall Unfriendly (too many ports) Data Xfer (compression, integrity)Even 30 years ago, a security conscious IBM Mainframe site shouldn’t use basic FTP!06 November 20199

S FTPS Function Overview: IntroductionFile:PlainTextFTP:Client/ServerSSL Encrypted Data & Commands via Implicit or Explicit SecurityAdvantages: RACF Key Ring Support X.509 Certificate, Kerberos Support Included In Base z/OS (zero cost)Typical Usage: LPAR to LPAR (CPC/SYSPLEX) In-House System Z to System I Any Other FTPS Platform (in theory)Disadvantages: Is FTPS Active @ Destination? Firewall Unfriendly (passive FTP) Does Destination Use Latest Cipher?For implicit security, the entire connection is SSL/TLS protected. This method is outside normal FTP operations, as the client initiates SSL/TLS connection& the server needs to be made aware & participate. For explicit security, encryption is turned on by special command after the initial plaintext FTPconnection set up. This command requirement adds a separate step for user/client action completion, changing the FTP protocol flow & user workflow.Coming close to a usable & secure solution, but potentially limited to in-house usage 06 November 201910

FirewallFile:PlainTextSSH Client/Server: Authentication Compression EncryptionFirewallz/OS SFTP Function Overview: IntroductionSFTP SubsystemSSH Client/Server: Authentication Compression EncryptionFile:PlainTextSFTP SubsystemSSH Encrypted Command & Data Transfer Tunnel: Binary Packets Advantages:End-to-End EncryptionInbuilt Data Integrity & CompressionDistributed Systems SupportPassword Sniffing & MITM DefenceTypical Usage: Distributed Systems Interchange Default - Anything & Everything:Why Not Use SFTP For All FTP?Disadvantages: Limited Use via z/OS Ported Tools Only Data-in-Flight Encryption Protocol Usability Learning CurveA secure data-in-flight protocol, with potential 3rd party cost & usability considerations 06 November 201911

FTP Ports Consideration: Active vs. Passive Mode ReviewFTP Active ModeRandom Port 1FTP Passive ModePort 21Random Port 11Random Port 21Random Port 2Port 202FTP ClientPort 21Random Port n2FTP Server1. File transfer client request via random port to server port 21,via PORT command, specifying client-side port ID for serverconnection. This is the data channel port, separate from thecommand channel port.2. The server connects from port 20 to the designated datachannel client port. Once connection is established, file transfersprocess via these client & server ports.FTP ClientFTP Server1. File transfer client request via random port to server port 21,via PASV command. The server replies indicating which randomport number has been opened for data transfer.2. The client connects from another random port number to thepreviously assigned server random port. Once connection isestablished, file transfers process via these client & server ports.This simplified review of active vs. passive mode doesn’t consider the pervasive use of a firewall. If passive mode is chosen, the system ismore vulnerable to attacks, as FTP clients connect to multiple random server ports, requiring firewall access. The number of portsrequired for passive FTP is subjective, but FTP data transfers aren’t always processed on a 1:1 basis. One FTP session might have n (E.g.16) files, each requiring its own port. Some FTP clients support multiple data transfer connections, where n (E.g. 8) sessions are openedfor faster transfer. Arguably active mode was designed when IBM Mainframes were more commonplace & cybersecurity attacks less so!Which is simpler to manage; are there any other methods using a one secure port tunnel?06 November 201912

z/OS FTP Method Comparison: Security vs. ComplianceFTP ComparisonFTPFTPSSFTP (SSH FTP)# Channels2: 1 Command 1 Data2: 1 Command 1 Data1 (Command & Data)Default Port #21990 Implicit SSL21 Explicit SSL22AuthenticationUserid & PasswordUserid & PasswordAnd/Or CertificateUserid & PasswordOr SSH Public KeySSH authentication via a public-privatekey pair is considered the most secure.NoneCommand & DataSSL & TLSSSHFTPS security invalid for FTP servers notsupporting SSL/TLS. SFTP is alwayssecure.Data TransferPlain TextImplicit or Explicit:Plain Text (SSL/TLSEncryption)Binary Data PacketsPlain text is human readable; easilyhacked. Data packets are secure &transfer faster.ConnectionUnsecureUnsecure or SecureSecureIn a data privacy & compliance world,data transfers must always be secure.EncryptionSecurity Observations1 secure channel for both data &authentication transfer is optimal.FTP & FTPS require blocks of open portsfor data channel creation (FirewallIssue).GDPR Compliance Requirements: Automation (Transfer Success), Control (Management Console), Logging (Cradle-to-GraveReporting), Data Security (Lifecycle Management, Secure Logs), Authentication (RBAC, MFA), Cryptography (In Flight & At RestEncryption, Key Management), Secure Architecture (SAF Interface, Zero Unencrypted Data), Failover (Secure Business Continuity)06 November 201913

IBM z/OS FTP: Securing The FTP Server To-Do-List1) Setting Up Security FrameworkSERVAUTH Class, SAF Class APPL, TCPIP Profile PORT Keyword2) Defining User Accessz/OS UNIX UID Allocation, FTP Server Login Access, TLS Authentication, FTP Exits3) Port Of Entry AccessIP V4 via Terminal or SERVAUTH Class, IP V6 via SERVAUTH Class4) Controlling z/OS UNIX File System AccessSERVAUTH Class5) Preventing FTP Server MisuseTCPIP Profile PORTCOMAND* & PASSIVE* Keywords6) Controlling Db2 & JES Subsystem UsageBind Db2 Plan For Package EZAFTPMQ, FTCHKJES, JESINTERFACELEVEL & SDSF Considerations7) Setting UP Reporting InformationFTP Server Logging, SMF & FTP Exits (FTCHKCMD, FTPOSTPR)06 November 201914

IBM z/OS FTP Security: Setting Up Security FrameworkActivate the SERVAUTH Class in RACF:SETROPTS CLASSACT(SERVAUTH) SETROPTS RACLIST(SERVAUTH)SETROPTS GENERIC(SERVAUTH) SETROPTS RACLIST(SERVAUTH) REFRESHPermit the FTPD User Read Access to the TCP/IP Stack (user) Access Control Profile:RDEF SERVAUTH EZB.STACKACCESS.mvsname.tcpname.** UACC(NONE) warn (warning mode optional)PE EZB.STACKACCESS.mvsname.tcpname.** CL(SERVAUTH) ID(FTPD) ACC(READ)Note: If the SAF class APPL is activated & OMVSAPPL resource profile defined, the FTP deamon (user)requires read access, as does any user that performs a logon process to any FTP server originated ASID. Thisis a legacy SAF resource from OpenEdition MVS (4.3) the forerunner to z/OS UNIX Systems Services (USS).Reserve the FTP daemon listening port the FTPD job by a PORT statement in the TCPIP PROFILE:PORT 21 jobname (FTPD) SAFRestrict Access to Port 21 for the FTP Daemon User Only:RDEF SERVAUTH EZB.PORTACCESS.mvsname.tcpname.portname.** UACC(NONE)PE EZB.PORTACCESS.mvsname.tcpname.portname.** CL(SERVAUTH) ID(FTPD) ACC(READ)06 November 201915

IBM z/OS FTP Security: Defining User AccessDefine each user requiring FTP Server Login a z/OS UNIX UID:It is not practical to assign a unique UID or GID for many users defined without OMVS segments who need access to z/OSUSS (E.g. FTP). As of z/OS 1.11, allocate a unique UID for each user & a unique GID for each group that needs access toz/OS USS resources. Manual SC31-8775-20 states “the user ID that is associated with the FTP server STARTED class musthave UID 0”. Don’t get confused with the FTP server itself & users, even so TCPIP PROFILE setting TLSMECHANISM ATTLS(SSL/TLS) can eradicate FTP SUPERUSER requirements Utilize FTP SERVAUTH resource for TLS Level 3 Authentication to control which users can login to FTP:RDEF SERVAUTH EZB.FTPD.*.*.PORT21 UACC(NONE) - FTPD daemon & Port 21PE EZB.FTPD.*.*.PORT21 CL(SERVAUTH) ID(FTPUser) ACC(READ)Verify User access for every FTP session, secured or not in the TCPIP PROFILE:VERIFYUSER TRUEConsider the FTCHKPWD or FTCHKCMD exit to control FTP user access:The FTCHKPWD exit is called after the FTP server receives the user ID & password from the FTP client, & before the serveruses the password for authentication. However, FTCHKCMD is called whenever the FTP server completed any FTP command,where the user ID variable, among many others are passed. Moreover FTCHKCMD shares a scratchpad buffer area (256bytes) with FTPOSTPR, making these two exits great candidates for FTP logging purposes, FTCHKCMD for what commandswere requested & FTPOSTPR for the FTP activity logging.06 November 201916

IBM z/OS FTP Security: Port Of Entry AccessPlan ahead for TCPIP V6:For IPv4 port of entry access security can be achieved via the SAF TERMINAL or SERVAUTH resources. For IPv6 connectionpartners automatically establish SERVAUTH access. Therefore for IPv4, use SERVAUTH resources.Consider the yes/no or in/out network configuration options:There are no golden rules or even rules of thumb for defining any kind of policy, but Keep It Simple Stupid (KISS) shouldalways apply. We could define 2 FTP configurations, perhaps based on the FTP daemon server itself (E.g. FTPD1 & FTPD2),2 sets of port ranges or 2 network access security zones. We could then have one set of policies for inside a firewall & theother for outside the firewall; one set of policies for standard file access & the other for sensitive files, & so on Example - Define 2 Network Access Security Zones in the TCPIP TACCESSZONE1ZONE2From a SAF SERVAUTH viewpoint, the Network Access Security Zone is EZB.NETACCESS.sysname.tcpname.zonename, wherein this instance, the choices are either ZONE1 or ZONE2. A user requires read access to this profile for zone access. Keepingit simple, we could just use the default FTP sever port of 21 to eradicate port considerations 06 November 201917

IBM z/OS FTP Security: z/OS UNIX File System & Diagnostics AccessSafeguard the FTP UNIX file system:FTP uses resource profile EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS in the SAF SERVAUTH class, controlling access tothe z/OS UNIX file system. Without profile access control, all users can access the z/OS UNIX file system.Choose the default file system for FTP in the TCPIP Profile:STARTDIRECTORY HFSThe STARTDIRECTORY statement specifies which file system (I.E. HFS or MVS) is initially used when a new FTP user logs in.This is another potential on/off switch for FTP processing; we might choose 2 FTP daemon servers (E.g. FTPD1 & FTPD2),allocating HFS as the default for one & MVS for the other. Please note, for ANONYMOUSFILEACCESS when theANONYMOUSLEVEL is 3 or greater, the file system settings must be the same (I.E. HFS, MVS or BOTH).Permit the FTP User Read Access to the z/OS FTP UNIX File System:RDEFINE SERVAUTH EZB.FTP.sysname.ftpdaemonname.ACCESS.HFSPERMIT EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS CL(SERVAUTH) ID(ftpuser)Control FTP diagnostics to appropriate technical support resources:Use FTP resource EZB.FTP.sysname.ftpdaemonname.SITE.DUMP/DEBUG to control large output DUMP/DEBUG commands:RDEF SERVAUTH EZB.FTP.*.*.SITE.* UACC(NONE)PE EZB.FTP.*.*.SITE.* CLASS(SERVAUTH) ID(NETMGMT SYSPROG) ACCESS(READ)06 November 201918

IBM z/OS FTP Security: Preventing FTP Server MisuseAny FTP server can be used by a client for disruptive purposes. A client can use the server to send random data to other servers, or a client canrequest the server be a passive server in a 3-way transfer. Any FTP client in PROXY mode with the FTP server can establish a data connection to anyserver listening to a port. This could cause severe disruption, the client could send significant amounts of unexpected data. Any malicious FTP clientcan attack or disrupt the server in a normal server-client connection, making the FTP server send a large amount of data to another applicationserver listening to a specific port. Because the client is not sending the disruptive data, it is difficult to identify the client causing the problem:FTP Server StatusAll PORT or ERPT CommandRejectionAll PORT or ERPT CommandRejection specifying typicallow ports (1-1023)All PORT or ERPT CommandRejection specifying analternative, not the client IPaddressAll PORT or ERPT CommandRejection specifyin