Securing FTP/iX
3 Executive Summary
This paper explores methods to increase FTP/iX security based on several recent FTP/iX enhancements. These recent enhancements reflect one of HP’s responses to the growing number of security-related audits facing IT professionals tasked with implementing modern, robust security.
These FTP/iX enhancements were driven via the (now defunct) System Improvement Ballot (SIB) process whereby customers nominated and then voted for various MPE/iX enhancements. Increasing FTP/iX security was voted in the top two out of over a dozen requests.
This paper discusses the strengths and limitations of FTP/iX with respect to overall security requirements, with examples covering proper configuration and usage. In cases where FTP/iX does not satisfy the strictest audit requirements, non-MPE alternatives are presented in text and example. Section 5 is geared to the IT manager and provides an overview of the most significant FTP/iX enhancements, without going into configuration and usage details. Section 6 is targeted to the System or Security Administrator and describes in depth each enhancement covered in Section 5, with examples of feature usage, configuration, and default settings.
Briefly, these security enhancements are:
• Restricting unauthorized users from logging on to an FTP server,
• Restricting unauthorized users from retrieving certain files on an FTP server,
• Quarantining certain FTP/iX users to single directory roots,
• Logging all FTP commands and all file transfers from both the server and client side,
• Preventing FTP users from rename, delete, and overwrite file operations,
• Disallowing read access of the NETRC configuration file (which contains sensitive logon data),
• Password hiding when running FTP/iX in debug mode.
Section 7 describes a few methods to enhance the security of FTP/iX in addition to the recent security enhancements. Some of the alternatives discussed are:
• An envelope FTP/iX script that provides encryption of the data transfer between hosts
• Using non-MPE intermediaries like HP-UX to facilitate secure FTP communication
• Porting of OpenSSH on MPE/iX to provide secure data transfer
• Use of a firewall for socksified FTP
• Hardware solutions for enhanced security
The intended audiences for this paper are MPE/iX system managers, security architects, and IT personnel. HP also has two FTP/iX Communicator articles on Jazz at: http://jazz.external.hp.com/papers/Communicator/index.html. See the FTP Phase I and Phase II Enhancement articles.
Secure FTP on MPE/iX, 7/18/2008, http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.html