Risks with Unmanaged FTP on Your z/OS Network

The original z/OS FTP does not include basic security safeguards. Its drawbacks include no audit trail and little granularity in access rules. Because mainframes hold an organization's vital data, a security issue with FTP on z/OS can be catastrophic. Deploying FTP management software can be the best solution to the security issues caused by unmanaged z/OS FTP.

Typical FTP functionality on z/OS
On z/OS, the FTP functionality consists of an FTP server and an FTP client. The FTP server handles requests from remote clients, like downstream PCs or distributed Unix systems, while the FTP client enables mainframe end-points to interact with remote FTP servers.

z/OS FTP is unmanaged
Many FTP transfers on z/OS are un-automated, unregulated, unsecured, and unmonitored. The lack of adequate FTP automation, especially programmatic error-handling and retry, needlessly confounds z/OS batch processing, disrupts operational schedules, tests the resolve of help-desk personnel, threatens compliance, and in general hurts both user and enterprise productivity.

Management deficiencies of standard z/OS FTP
A z/OS FTP batch job can fail because of something as simple as a one-character typo, yet the failure does not generate a Network Management Interface (NMI) record. In a typical FTP operation, you see an NMI record only when a batch job succeeds. This makes it difficult for a user to know the reason for an abnormal termination. In fact, a user may not even know that the FTP operation failed. This is a perfect example of a management deficiency of standard z/OS FTP.

Because FTP history records are hard to provide, users, system/network operators, and help-desk personnel cannot quickly and easily determine and rectify FTP-related operational issues.

Security issues with unmanaged z/OS FTP
The standard z/OS FTP, being unmanaged, is not suitable for use in today’s mainframe environments. Specific security criteria cannot be selectively applied to individual FTP commands or file types, on a per-authorized-user basis, in concert with the z/OS SAF security facility (e.g. RACF). This leaves constant dangers, such as users with read-only access being able to initiate off-site transfers, or users trying to exploit certain functions of the potent z/OS server SITE command.

Deploy an FTP manager to deal with the issues
FTP management software turns z/OS FTP into a well-managed, mainframe-class service. It can provide standard z/OS FTP with the automation, monitoring, security, and auditing capabilities expected of a high-volume, mission-critical mainframe utility. Management software can take advantage of the FTP client API to drive the client programmatically. It can use server exit programs to monitor FTP operations on a command-by-command basis. With an FTP manager in place to augment z/OS FTP, there will no longer be any unknowns, security exposures, compliance shortfalls, or operational setbacks due to un-automated transfers.

By enabling monitoring, automation, and control of the standard z/OS FTP, you will eliminate management deficiencies and security vulnerabilities. This is possible by deploying a genuine FTP manager.

Since 1982, Software Diversified Services has been providing first-quality software and technical support for IBM mainframes and VM, VSE, z/OS FTP and other systems. SDS offers VNAC, an ideal NetView replacement that improves the most-used components of NetView mainframe software, with simple, precise filtering for system logs and session data and robust NetView REXX scripting support.

License: You have permission to republish this article in any format, even commercially, but you must keep all links intact. Attribution required.