Discussion:
How to require all secure FTP except to one subnet?
SUBSCRIBE IBM-MAIN Mary Vollmer
2017-08-28 16:58:30 UTC
I am implementing TLS 1.2 via AT-TLS and have a requirement to secure all FTPs using this protocol except for the exchanges occurring via the hipersocket.

I am manually coding the policy since I don't have zOSMF configured. In my policy I have a rule for my unsecure connections, coding both LocalAddr and RemoteAddr with that of our hipersocket subnet. It has a priority of 100 and is first in the policy. I also have a rule for secure connections with no LocalAddr or RemoteAddr with a priority of 10.

In my FTPDATA:
When I specify SECURE_FTP REQUIRED, all unsecure attempts (inbound and outbound) fail - including those via the hipersocket.


When I specify SECURE_FTP ALLOWED, all unsecure attempts (inbound and outbound) are successful - even those NOT using the hipersocket.

I turned on tracing and see the rules selected are as I would have expected but it appears the SECURE_FTP parm in FTP data rules, regardless of what's in the policy.

Does anyone know if it's possible to do what I am trying to do with one TCPIP stack?

Thanks,
Mary Vollmer


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Nims,Alva John , Al
2017-08-28 17:35:20 UTC
First, I am going to be the one to tell you to go over to the IBM-TCPIP list:
"For IBMTCP-L subscribe / signoff / archive access instructions, send email to ***@VM.MARIST.EDU with the message: INFO IBMTCP-L"

That said:
SECURE_FTP is as simple as it says: "ALLOWED" basically states that clients can log in using a security mechanism, but it is NOT REQUIRED. If you code "REQUIRED" then the client MUST log in using a security mechanism. If the client is another z/OS system, then "SECURE_MECHANISM TLS" would be the option to look at; other software, well, start digging.

I personally do not know if access via subnet can be controlled at the z/OS TCP/IP level, but that is mostly because we turned that kind of control over to our network personnel.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

Cieri, Anthony
2017-08-28 17:43:24 UTC
It is certainly possible with one TCP/IP stack.........We do it!!!

However, we do use two separate FTP tasks, one is secure (FTPS) and one is NOT (FTPD). You could then code a FTCHKIP exit for the non-secure FTP task to only allow login from the hipersocket address range.
If the two FTP tasks run on the same LPAR, then they will need different ports!!

Hth
Tony


Mike Wawiorko
2017-08-29 08:57:10 UTC
Suspect you are missing this from your FTP(S) server's FTP.DATA file

TLSMECHANISM ATTLS

It is easy to force security for the z/OS FTPS server as you are in control and can code the likes of:
SECURE_FTP REQUIRED
TLSMECHANISM ATTLS
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN PRIVATE

The big question is what do you do about the anarchy that is batch jobs invoking the z/OS FTP client with whatever they like in their FTP.DATA file.

Mike Wawiorko
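As an added illustration of the behaviour discussed in this thread (not IBM code and not any poster's actual configuration), the Python model below puts the AT-TLS rule selection from the original post next to the FTP server's SECURE_FTP setting, and then models the two-server layout Tony describes, with a stand-in for the FTCHKIP address check. The subnet 10.200.0.0/24, the ports 21 and 2121, the client addresses and the rule names are all constructed. The model only captures one point: SECURE_FTP is a setting of the FTP server instance and is applied no matter which AT-TLS rule the connection matched, which is what the trace in the original post shows.

```python
"""Toy model of how an AT-TLS policy and the FTP server's FTP.DATA settings
combine on a single connection. Added illustration, not IBM code or the
original poster's policy; every subnet, port, address and rule name is
constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed placeholder for the HiperSockets subnet in the original post.
HIPERSOCKET_NET = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class TTLSRule:
    name: str
    priority: int
    remote_net: Optional[ipaddress.IPv4Network]  # None matches any remote address
    tls_enabled: bool


# Mirrors the two rules described in the post: a priority-100 plaintext rule
# for the HiperSockets range and a priority-10 catch-all that turns TLS on.
# (The post also selects on LocalAddr; the model keeps only RemoteAddr.)
POLICY = [
    TTLSRule("HiperSocketClear", 100, HIPERSOCKET_NET, tls_enabled=False),
    TTLSRule("AllOtherTLS", 10, None, tls_enabled=True),
]


def select_rule(remote_ip: str, policy=POLICY) -> TTLSRule:
    """AT-TLS applies the highest-priority rule whose selectors match."""
    addr = ipaddress.ip_address(remote_ip)
    matches = [r for r in policy if r.remote_net is None or addr in r.remote_net]
    return max(matches, key=lambda r: r.priority)


def single_server_outcome(remote_ip: str, secure_ftp: str, client_uses_tls: bool) -> str:
    """One FTP server, policy-driven TLS, SECURE_FTP taken from its FTP.DATA.

    SECURE_FTP belongs to the server instance, not to the connection, so it is
    applied regardless of the matched rule: REQUIRED rejects every plaintext
    login, including those from the HiperSockets range, and ALLOWED accepts
    plaintext logins from anywhere. That is what the original post reports.
    """
    rule = select_rule(remote_ip)
    if not client_uses_tls and secure_ftp == "REQUIRED":
        return "fail: SECURE_FTP REQUIRED rejects plaintext login"
    if client_uses_tls and not rule.tls_enabled:
        return "fail: rule %s leaves AT-TLS off, AUTH TLS cannot be honoured" % rule.name
    return "ok: %s via rule %s" % ("TLS" if client_uses_tls else "plaintext", rule.name)


# Constructed ports for the two-server layout: FTPS on 21, plaintext FTPD on 2121.
FTPS_PORT, FTPD_PORT = 21, 2121


def plain_server_admits(remote_ip: str, allowed=HIPERSOCKET_NET) -> bool:
    """Stand-in for the FTCHKIP-style address check on the plaintext server:
    only the HiperSockets range may connect; every other address is refused."""
    return ipaddress.ip_address(remote_ip) in allowed


def two_server_outcome(remote_ip: str, local_port: int, client_uses_tls: bool) -> str:
    """Two FTP server tasks on different ports, each with its own FTP.DATA."""
    if local_port == FTPS_PORT:                        # SECURE_FTP REQUIRED here
        return single_server_outcome(remote_ip, "REQUIRED", client_uses_tls)
    if local_port == FTPD_PORT:                        # SECURE_FTP ALLOWED here
        if not plain_server_admits(remote_ip):
            return "fail: address check refuses %s on the plaintext server" % remote_ip
        return single_server_outcome(remote_ip, "ALLOWED", client_uses_tls)
    return "fail: no FTP server listens on port %d" % local_port


if __name__ == "__main__":
    for ip in ("10.200.0.5", "192.0.2.10"):          # constructed client addresses
        print(ip, "REQUIRED, plaintext ->", single_server_outcome(ip, "REQUIRED", False))
        print(ip, "ALLOWED,  plaintext ->", single_server_outcome(ip, "ALLOWED", False))
        print(ip, "two servers, plaintext on 2121 ->", two_server_outcome(ip, FTPD_PORT, False))
        print(ip, "two servers, TLS on 21 ->", two_server_outcome(ip, FTPS_PORT, True))
```

Run stand-alone, it prints the outcome for a HiperSockets client and for an outside client under SECURE_FTP REQUIRED, under ALLOWED, and under the two-server split. In a real two-server setup the AT-TLS policy would more naturally select on LocalPortRange rather than on the remote subnet, so that the FTPS port gets TLS for every peer; that refinement is left out of the model.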

