Establish strong OS security to ward off FTP hackers


Richard Loeber, Contributor
08.16.2007
Rating: -4.38- (out of 5)




For over a month now, I've been writing about the security exposure from the FTP server running on your System i box (i6/i5/iSeries/AS400). I started by describing FTP as a hacker's weapon of choice, especially for those just starting out. Last time around, I gave some System i security tips to get this situation under control. Today, I'll add a couple more tips into the mix to help safeguard your system from an FTP intrusion.

First, there are lots of good reasons why you want to allow FTP access to your system. It is an easy way to upload and download data to and from your system from remote locations. You can also use it for program maintenance from one System i to another by moving save files between systems. Many System i software vendors, including my company, distribute software updates using some form of an FTP connection to your system. So, don't be afraid of it, but use it wisely.

User profiles and FTP on iSeries

One thing to keep in mind when thinking about FTP is that all the rules of OS security apply to someone connecting to your system. In order to gain access, they must have a valid user profile and password. Once they sign on, your current OS security plan will be in place. So, having a good security implementation tied in to your established user profiles will go a long way toward keeping your data safe.

One additional fact to add into your mix is that in order for data to be accessible to FTP, the user must have at least *USE authority to it. If you have a user profile that is regularly using FTP and there are concerns about access, make sure that profile does not have *USE authority or higher to any objects you do not want it working with.

A problem can easily come up, however, when a user profile is used in different contexts. By this, I mean a user who has access to certain sensitive objects for their daily workflow, accessed under program control, but who is also an FTP user and logs in to do file transfers using FTP. Having different contexts could create a security exposure. When this user signs on using FTP, he will still have access to the sensitive data files for which he is authorized from his daily workflow. If this situation exists, you need to find a way to deal with it.

One method, as discussed last time around, is to implement controls through the FTP server exit point. You might also think to issue a second user profile to the user for FTP use. This solution is not great since the user can still, by choice, establish an FTP connection under his primary user profile and gain access to sensitive data that way. Far and away, the best solution is through additional exit point controls. These could be set up to disallow an FTP connection under certain known profiles, thereby forcing the user to make his FTP connection through a secondary profile that you provide.
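A minimal CL exit program for that kind of control, added here as an illustration and not taken from the original tip or from any vendor product. It assumes IBM's FTP server logon exit point QIBM_QTMF_SVR_LOGON with format TCPL0100 (neither is named in the article), a release of CL that supports *INT variables and %UPPER, and two hypothetical primary profiles, PAYCLERK and ARCLERK, that must not be used for FTP:

```cl
/* Added example: FTP server logon exit program, format TCPL0100.    */
/* PAYCLERK and ARCLERK are hypothetical profile names.              */
PGM PARM(&APPID &USRID &USRLEN &AUTSTR &AUTLEN &IPADDR &IPLEN +
         &RETCODE &USRPRF &PASSWD &CURLIB)

  /* Input parameters passed by the FTP server                       */
  DCL VAR(&APPID)   TYPE(*INT)  LEN(4)   /* 1 = FTP server           */
  DCL VAR(&USRID)   TYPE(*CHAR) LEN(999) /* user ID as typed         */
  DCL VAR(&USRLEN)  TYPE(*INT)  LEN(4)   /* length of user ID        */
  DCL VAR(&AUTSTR)  TYPE(*CHAR) LEN(999) /* password, not examined   */
  DCL VAR(&AUTLEN)  TYPE(*INT)  LEN(4)
  DCL VAR(&IPADDR)  TYPE(*CHAR) LEN(45)  /* client address, not used */
  DCL VAR(&IPLEN)   TYPE(*INT)  LEN(4)
  /* Output parameters returned to the FTP server                    */
  DCL VAR(&RETCODE) TYPE(*INT)  LEN(4)   /* 0 = reject, 1 = continue */
  DCL VAR(&USRPRF)  TYPE(*CHAR) LEN(10)  /* not set for codes 0, 1   */
  DCL VAR(&PASSWD)  TYPE(*CHAR) LEN(10)
  DCL VAR(&CURLIB)  TYPE(*CHAR) LEN(10)
  /* Work field: the user ID trimmed to profile length, upper case   */
  DCL VAR(&USER)    TYPE(*CHAR) LEN(10)

  /* Fail closed: any unexpected error rejects the logon             */
  MONMSG MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(REJECT))

  /* A user ID outside 1-10 characters cannot be a user profile      */
  IF COND(&USRLEN *LT 1 *OR &USRLEN *GT 10) THEN(GOTO CMDLBL(REJECT))
  CHGVAR VAR(&USER) VALUE(%SST(&USRID 1 &USRLEN))
  CHGVAR VAR(&USER) VALUE(%UPPER(&USER))

  /* Primary (daily workflow) profiles may not sign on through FTP   */
  IF COND(&USER *EQ 'PAYCLERK' *OR &USER *EQ 'ARCLERK') +
     THEN(GOTO CMDLBL(REJECT))

  /* Everyone else continues with the normal password and authority  */
  /* checks; the exit program does not replace OS security           */
  CHGVAR VAR(&RETCODE) VALUE(1)
  RETURN

REJECT:
  CHGVAR VAR(&RETCODE) VALUE(0)
ENDPGM
```

The program takes effect once it is registered against the exit point with ADDEXITPGM and the FTP server is restarted. In practice the blocked profiles would be read from a file or data area rather than hard-coded, so the list can change without recompiling.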

The System i OS also supports profile swapping, which could be another solution to this problem. Using swapping, the user signs on with one profile, but then the OS swaps his profile to look and act like a different profile. Information about this technique can be found at the IBM Information Center; it has been a part of the OS since V4R5.

If you have any questions about this topic, send me an email. I'll try to answer any questions you may have. All email messages will be answered.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
