Securing File Transfers from the IBM i

Securing File Transfers from the IBM i - Schedschd.ws/hosted_files/commons17/82/COMMON_Securing Your File...Securing File Transfers from the IBM i. Bob Luebbe, CISSP ... Algorithm

Bob Luebbe, CISSP

Chief Architect

Ron Byrd

Director of Professional Services

Introductions

www.LinomaSoftware.com

Agenda

Key pitfalls of using standard FTP

File-level encryption options (Open PGP and ZIP/AES)

Secure FTP (SFTP and FTPS) for encrypting “the pipe”

Advantages/disadvantages between SFTP and FTPS

Modern authentication techniques

Key and certificate management

Implementation using IBM utilities

What to look for in a commercial solution

Feel free to ask any questions

The 3 Truths about Standard FTP

1. You cannot always be sure that the entity with whom you are communicating is really who you think it is.

2. FTP data can be intercepted, so it is possible that it can be read by an unauthorized third party (attacker)

3. If an attacker can intercept the data, they may be able to modify the data before sending it on to the receiver.

How can your transmissions be monitored?

Network sniffer tools

Non-switched “shared” hubs (which pass traffic around the network)

Unsecured wireless networks

PC remote access software (e.g. gotomypc) to gain access to internal network

IP spoofing (hacker pretends to be a “trusted” partner)

Router vulnerabilities

Internet Service Providers (ISPs)

Sniffing FTP using WireShark (capturing user/password)

User and password in the clear

Sniffing FTP using WireShark (capturing data)

Data in the clear

File name in the clear

Cost of a Data Breach study conducted by the Ponemon Institute each year

Costs include admin and IT labor, notifications to customers, public relations, credit monitoring, lost business and regaining trust

$6.5 million average cost per data breach in 2015.

Approximately $217 per lost record.

[Chart: Cost of a Data Breach (axis: Cost in Millions of Dollars)]

Encryption Basics

Encryption is the process of transforming understandable text (plaintext) into an unintelligible piece of data (ciphertext).

Encryption hides the meaning of the message, but not its existence

Cipher is a pair of algorithms that perform encryption and decryption. Example ciphers are AES, TDES, BLOWFISH and CAST5.

Key controls the detailed operations of the Cipher algorithms. The output (ciphertext) is therefore manipulated by the Key. A Key is represented by bits (i.e. 101001…).

Symmetric Key Cryptology is a form of cryptology in which the sender and receiver share the same key. The key must be kept secret or the security is compromised. Also known as Secret key cryptology.

Asymmetric Key Cryptology is a form of cryptology that implements Key Pairs, in which the Public key portion of the Key Pair is used to encrypt information and the Private key portion is used to decrypt information. Otherwise known as Public Key Cryptology.

Before: The quick brown fox jumped over the lazy dog

After: „Œ \ËKä°BBY ý \åê·Ñ‚C‹Ÿ^{F+rÀJ[1]Ï(54Y3s

Options to Securing Data for Transmission

File Encryption only: Encrypt the file with a password (e.g. Zip with AES) or with a key (e.g. OpenPGP), then send over standard FTP or email

Connection Encryption only: Send the unencrypted file over an encrypted connection (e.g. Secure FTP, HTTPS, AS2, SMIME, etc.)

File and Connection Encryption: Encrypt the file with a password or key, then send over an encrypted connection

Can encrypt and compress multiple files into a single package

Password protection with AES encryption

Strength of password is critical to avoid brute-force attacks

Need to share passwords with trading partners securely

Number of ZIP compatible tools (PKZIP, WinZip, GoAnywhere…)

Standard ZIP Compression/Encryption

TERMS

OpenPGP standard is a non-proprietary and industry-accepted protocol which defines the standard format for encrypted messages, signatures and keys.

Private Key is the portion of a Key Pair which is used by the owner to decrypt information and to encode digital signatures. The Private key, typically protected by a password, should be kept secret by the owner and NOT shared with trading partners. Also known as a Secret Key.

Public Key is the portion of the Key Pair which is used to encrypt information bound for its owner and to verify signatures made by its owner. The owner’s Public key should be shared with its trading partners.

Widely used for protecting files to be sent over the internet.

Encrypt with Public Key -- Decrypt with Private Key (Secret Key)

Many products available that support OpenPGP

Latest standard is RFC4880 (see http://www.ietf.org/rfc/rfc4880.txt)

OpenPGP File Encryption

Caution: If an encrypted file is sent over a standard FTP connection, the FTP user ids, passwords and commands are still in the clear.

OpenPGP Encryption Process

Steps performed during encryption:

1) The plaintext data is compressed

2) A pseudo-random Symmetric “session key” is generated (256 bit or less)

3) The session key is used to encrypt the compressed data

4) The session key is then encrypted with the Asymmetric Public key (up to 4096 bits). This encrypted session key is embedded in the message

Open PGP Message

Steps performed during decryption:

1) The embedded session key is decrypted with the Asymmetric Private key.

2) The decrypted session key is used to decrypt the compressed data

3) The data is uncompressed

[Diagram: OpenPGP message = DATA (encrypted with Session Key) + Session Key (encrypted with Public Key)]

OpenPGP uses a combination of Asymmetric and Symmetric Keys to provide strong data protection and high performance.

OpenPGP Digital Signatures

A Digital Signature is used to authenticate the Sender

Sign with Private Key

Verify with Public Key

TERMS

Digital Signature is an electronic signature which is encoded into a document using the sender’s Private key. This signature can be authenticated by the recipient using the sender’s Public key. An authenticated signature will ensure the original content of the document has not been altered by an unauthorized party.

OpenPGP Algorithms

Encryption Algorithms (Used to encrypt/decrypt the data)

AES-128, AES-192, AES-256 (recommended), Blowfish, CAST5, DES, IDEA, Triple DES, Twofish

Hash Algorithms (Used to ensure the integrity of the data)

MD2, MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512

Compression Algorithms (Used to compress the data)

ZIP, ZLIB

Algorithm preferences are stored in the Public key.

OpenPGP on IBM i (Open Source or Commercial?)

Open Source - Load GnuPG on PASE environment

• Can be somewhat cryptic to set up (UNIX commands)

• See this article: http://systeminetwork.com/article/using-gnupg-pgp-i

• May require some programming (trapping for errors, etc.)

Commercial Product - Features to Look For:

• Supports RFC4880 standard

• Has a good key management system

• Can encrypt, sign, decrypt and verify files

• Is simple to setup and maintain

• Good error reporting and logs

The 3 Main Benefits of Secure FTP

Authentication - Secure FTP allows computer systems to ensure the identity of each other.

Data Privacy - Secure FTP creates an encrypted connection between computer systems, preventing the interception of users, passwords and data.

Data Integrity - Secure FTP implements hash functions to ensure that data was not modified in transit.

Two Types of Secure FTP

SFTP = FTP over SSH

FTPS = FTP over SSL/TLS

SFTP = FTP over SSH

SSH 2.0 is latest standard

Sometimes referred to as SCP 2.0

SFTP encrypts the entire connection

Popular in UNIX and LINUX systems

Trading partner must have a SFTP server (in order to connect to them)

Most FTP commands are supported (put, get, etc.)

TERMS

SSH is an abbreviation for Secure Shell. SSH is both a computer program and an associated network protocol designed for encrypting communications between two untrusted hosts over a network. It utilizes Public keys to provide asymmetric cryptology.

SFTP

SFTP Client SFTP Server

Authenticate with a User id and a Password, Key or both a Password and Key (Dual Factor)

Key authentication:

1. Create both a Public and Private key (Key Pair) – RSA or DSA, up to 4096 bits

2. Send the Public key to your trading partners. Don’t send private key/passphrase.

3. Specify the Private key when making the SFTP connection (for authentication)

SFTP - Authentication

SFTP Client SFTP Server

Private Key Public Key

The OpenSSH toolkit is available from IBM for no additional charge

Need to be on V5R3 or higher

Need to load the following licensed programs:

• PASE environment (licpgm 5722SS1 option 33)

• IBM Portable Utilities (licpgm 5733SC1 *base)

• OpenSSH, OpenSSL, zlib (5733SC1 option 1)

OpenSSH - SFTP using IBM Portable Utilities

Several versions of the OpenSSH toolkit are available. Display the directory of /QOpenSys/QIBM/UserData/SC1/OpenSSH/ to view the versions.

On V6R1 or higher, the Server Keys are automatically created.

On V5R3 or V5R4, create the Server Keys:

1. CALL QP2TERM

2. cd /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc

3. ssh-keygen -N "" -t rsa1 -f ssh_host_key

4. ssh-keygen -N "" -t dsa -f ssh_host_dsa_key

5. ssh-keygen -N "" -t rsa -f ssh_host_rsa_key

In the above example, the “ssh_host_key” file will hold the SSH 1.0 RSA key. The “ssh_host_dsa_key” file will hold the SSH 2.0 DSA key. The “ssh_host_rsa_key” file will hold the SSH 2.0 RSA key.

On V5R3 or V5R4, start the server by running the following command:

SBMJOB CMD(CALL QP2SHELL PARM('/QOpenSys/usr/sbin/sshd')) JOB(SSHD) +
       JOBQ(QUSRNOMAX)

On V6R1 or higher, IBM made it easier to start and stop the SFTP server.

To start the server: STRTCPSVR SERVER(*SSHD)

To stop the server: ENDTCPSVR SERVER(*SSHD)

OpenSSH – Starting the OpenSSH (SFTP) Server

Server Setup

The following steps are only needed on the client side if using public key authentication…

Determine the home directory for your user profile:

DSPUSRPRF USRPRF(my profile)

Call the PASE command shell program:

CALL QP2TERM

If a home directory does not exist, you will need to create it:

mkdir /home/userid

Your user must be the owner of the directory (7 grants your user profile all authority, 5 grants the group read/execute authority, 0 gives the public no authority):

chmod 750 /home/userid

Create the key pair without a password:

ssh-keygen -t rsa -N ""

You will see the following messages during the key generation process:

• Generating public/private rsa key pair

• Enter file in which to save the key (/home/userid/.ssh/id_rsa)

By default, the key generator will create a .ssh directory under your home directory and will place the keys (id_rsa and id_rsa.pub) in that directory (unless you overrode it).

You will need to change the authority to the .ssh directory:

chmod 700 /home/userid/.ssh

OpenSSH – Creating a Client SSH Key Pair

Client Setup

The following steps are needed only on the server if using public key authentication…

For each user (client) that connects to the server, you need the following:

• An existing user profile (8 or fewer characters) for the client

• A home directory specified on the user profile

• A .ssh directory under the home directory

• Proper authorities:

- chmod 750 /home/userid

- chmod 700 /home/userid/.ssh

The id_rsa.pub file (created in the prior slide) needs to be loaded on the server machine and put into a file called authorized_keys. The authorized_keys file needs to be placed in the .ssh subdirectory under your home directory. For example, /home/userid/.ssh/authorized_keys

The authority needs to be changed on this file:

chmod 600 /home/userid/.ssh/authorized_keys

If the file “authorized_keys” already exists, the best way to add the new key is to use the following command

cat /home/userid/.ssh/id_rsa.pub >> /home/userid/.ssh/authorized_keys

OpenSSH – Loading a Client Public Key on IBM i Server

Server Setup
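
The authorities from the client and server setup slides (750 on the home directory, 700 on .ssh, 600 on authorized_keys) can be checked with a short audit run from the PASE shell. This is an added example, not part of the original slides; the function names are hypothetical and the demo directory is constructed with mktemp rather than being a real user profile's home.

```sh
#!/bin/sh
# Added example: audit the modes the slides prescribe for public key authentication.
#   750 home directory, 700 .ssh directory, 600 authorized_keys

# Print the 10-character type+mode field from ls -ld, e.g. drwxr-x---
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_path PATH EXPECTED: print one finding line; return 1 if missing or wrong
check_path() {
    actual=$(perm_string "$1")
    if [ -z "$actual" ]; then
        echo "MISSING $1"
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "BAD     $1 is $actual, expected $2"
        return 1
    fi
    echo "OK      $1 $actual"
}

# audit_ssh_home HOME_DIR: return the number of findings (0 means compliant)
audit_ssh_home() {
    findings=0
    check_path "$1" drwxr-x--- || findings=$((findings + 1))
    check_path "$1/.ssh" drwx------ || findings=$((findings + 1))
    check_path "$1/.ssh/authorized_keys" -rw------- || findings=$((findings + 1))
    return "$findings"
}

# Build a constructed home directory (not a real user profile) with the slide's modes
make_demo_home() {
    demo=$(mktemp -d)
    mkdir "$demo/.ssh"
    : > "$demo/.ssh/authorized_keys"
    chmod 750 "$demo"
    chmod 700 "$demo/.ssh"
    chmod 600 "$demo/.ssh/authorized_keys"
    echo "$demo"
}

# Demo: a compliant tree, then the same tree after a careless chmod
demo_home=$(make_demo_home)
audit_ssh_home "$demo_home" && echo "compliant"
chmod 644 "$demo_home/.ssh/authorized_keys"
audit_ssh_home "$demo_home" || echo "findings: $?"
rm -rf "$demo_home"
```

Run against a real profile as audit_ssh_home /home/userid; a non-zero return is the number of paths that are missing or have the wrong mode.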

OpenSSH is designed to only trust servers that are in its "known_hosts" file.

Run the following command to download the server key information (-l means login name):

ssh -T -l userid [my ssh server] exit

This command will sign onto the server and download the server’s key. If the key does not exist in the “known_hosts” file it will ask you if you want to add it.

The authenticity of host 'ssh.example.com (192.168.0.1)' can't be established. . key fingerprint is DSA.

Are you sure you want to continue connecting (yes/no)?

Enter "yes". It will automatically add this host to the known_hosts file in your .ssh directory.

Once you have done this, then you can run tools like "scp" or "sftp" without receiving the "Host key verification failed." error.

OpenSSH Client - Establishing the Server as a known Host

Client Setup

PGM
  DCL VAR(&CMD) TYPE(*CHAR) LEN(500)
  DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(4)
  DCL VAR(&MSGID) TYPE(*CHAR) LEN(7)
  DCL VAR(&NULL) TYPE(*CHAR) LEN(1) VALUE(X'00')

  /* Indicate the batch script file to execute */
  CHGVAR VAR(&CMD) VALUE('/QOpenSys/usr/bin/sftp -b +
           /home/rbyrd/batchfile.txt [email protected]' *CAT &NULL)

  /* Execute the batch script file */
  STRQSH CMD(&CMD)

  /* Retrieve the message from the job log */
  RCVMSG MSGTYPE(*COMP) MSGDTA(&MSGDTA) MSGID(&MSGID)

  /* Failed if not QSH0005 */
  IF (&MSGID *NE 'QSH0005' *OR %BIN(&MSGDTA) *NE 0) DO
    SNDPGMMSG MSGID(CPF9897) MSGTYPE(*ESCAPE) MSGF(QCPFMSG) +
                MSGDTA('SFTP failed!')
  ENDDO

  /* Success */
  ELSE CMD(DO)
    SNDPGMMSG MSGID(CPF9898) MSGTYPE(*COMP) MSGF(QCPFMSG) +
                MSGDTA('SFTP succeeded!')
  ENDDO
ENDPGM

OpenSSH – Running a SFTP batch script from CL

batchfile.txt

put orders1.txt

put orders2.txt

get invoices.txt

Client Example

Sniffing SFTP using WireShark (capturing data)

Encrypted Data

FTPS = FTP over SSL/TLS

Protects entire connection, including data, users, passwords, commands, etc.

Explicit FTPS – Normal FTP available, but client can explicitly request server to switch to SSL/TLS

Implicit FTPS – Server forces client to use SSL/TLS from the initial connection (ask your trading partner if they support this first)

Trading partner must have an FTP server enabled for SSL/TLS

TERMS

SSL is an abbreviation for Secure Sockets Layer. SSL is a security protocol for encrypting communications between two hosts over a network. SSL utilizes certificates to establish trust between the two hosts.

TLS is the abbreviation for Transport Layer Security and is the successor to SSL.

FTPS

FTPS Client FTPS Server

As a client, you can verify that the partner’s server certificate is trusted

As a server, they can verify if your client certificate is trusted

Dual-factor authentication steps:

1. The certificates are verified (if required)

2. The user and password is verified

FTPS - Authentication

FTPS Client FTPS Server

Client Certificate Server Certificate

Create/manage certificates using IBM Digital Certificate Manager

• Create a Server Certificate in the Digital Certificate Manager (DCM)

• Update the Certificate Assignment for the FTP Application in the DCM

• Export the Local CA Certificate from the DCM and import it into your client Certificate Store.

To start a FTPS explicit connection: FTP SECCNN(*SSL)

To start a FTPS implicit connection: FTP SECCNN(*IMPLICIT)

Either manually enter traditional FTP commands in the terminal window, or write FTP scripts and run from CL

FTPS using IBM utilities

open ftp.bank.com

user joe password

ascii

get /inbound/ack837.txt

get /inbound/ack763.txt

lcd /orderfiles

put ord7632.txt /outbound/

put ord9383.txt /outbound/

close

quit

FTP script CL Program

IBM i System Values For SSL

QSSLCSL Secure sockets layer cipher specification list

*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_256_CBC_SHA256
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384

QSSLCSLCTL Secure sockets layer cipher control

Default value: *OPSYS
Change to: *USRDFN

QSSLPCL Secure sockets layer protocols

Default value: *OPSYS
Change to: *TLSV1.2 *TLSV1.1

Disable older hash algorithms like MD4 and SHA1. Only use SHA 2 family of SHA256 and SHA384

Only use TLS versions 1.1 and 1.2

FTPS – Sign into the Digital Certificate Manager

http://192.168.1.54:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

FTPS – Select a Certificate Store

FTPS – Enter the Password for the Certificate Store

FTPS - Creating a Server Certificate in the DCM

FTPS - Determine who will sign the Certificate

FTPS - Fill in Certificate Create Form

FTPS - Certificate Creation Message and Assign to Application

FTPS - Install the Local CA Certificate on Your PC

FTPS – Active vs. Passive

FTP/s communication is split into control and data channels.

• The control channel is used for sending commands, requests and responses

• The data channels are used for transferring data for commands such as ‘ls’, ‘get’ and ‘put’

Active FTP/s steps:

1. The client opens a control channel to the FTP/s server (typically on port 21).

2. The client opens a high port (greater than 1024) and sends a PORT command to the server telling it what IP address and port number it is listening on for active data connections.

3. The client then issues a command like LIST or GET to the server.

4. The server connects back to the client on the port previously opened on step 2 and transfers the data. When complete, the data channel is closed and the status is sent to the client via the control channel.

Passive FTP/s steps:

1. The client opens a control channel to the FTP/s server

2. The client sends a PASV command to the server to indicate passive mode.

3. The server opens a high port (greater than 1024) and replies back to the client with the IP address and port number it is listening on for data connections.

4. The client then issues a command like LIST or GET and connects to the server using this new port number establishing the data channel.

5. The data is transferred and the data channel is closed. The server sends a reply over the control channel to notify the client of the status.

Passive mode works better for clients that are protected by a firewall
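
The passive-mode exchange above can be checked from the client side by decoding the server's 227 reply: the last two numbers give the data port as p1*256 + p2, which has to fall inside the range opened on the firewall. This is an added example, not part of the original slides; the function names, the sample replies and the 50000-50100 range are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: decode a passive-mode reply and check it against firewall policy.

# pasv_endpoint REPLY: print "IP PORT" from a 227 reply; return 1 if not parseable.
# The six numbers are h1,h2,h3,h4,p1,p2 and the data port is p1*256 + p2.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        /^227 / && match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            print f[1] "." f[2] "." f[3] "." f[4], f[5] * 256 + f[6]
            found = 1
        }
        END { if (!found) exit 1 }'
}

# port_argument IP PORT: build the h1,h2,h3,h4,p1,p2 argument of an active-mode PORT command
port_argument() {
    echo "$1" | awk -v port="$2" -F. \
        '{ print $1 "," $2 "," $3 "," $4 "," int(port / 256) "," port % 256 }'
}

# check_pasv_reply REPLY SERVER_IP LOW HIGH
#   0 = data connection goes to the expected server inside the allowed range
#   1 = port outside the range opened on the firewall
#   2 = reply names a different host than the control channel
#   3 = not a 227 reply
check_pasv_reply() {
    endpoint=$(pasv_endpoint "$1") || { echo "UNPARSEABLE $1"; return 3; }
    ip=${endpoint% *}
    port=${endpoint#* }
    if [ "$ip" != "$2" ]; then
        echo "MISMATCH data host $ip differs from control host $2"
        return 2
    fi
    if [ "$port" -lt "$3" ] || [ "$port" -gt "$4" ]; then
        echo "BLOCKED port $port is outside $3-$4"
        return 1
    fi
    echo "OK $ip:$port"
}

# Demo with constructed replies; the 50000-50100 range is an assumed firewall rule
check_pasv_reply "227 Entering Passive Mode (192,168,1,54,195,80)" 192.168.1.54 50000 50100
check_pasv_reply "227 Entering Passive Mode (192,168,1,54,4,1)" 192.168.1.54 50000 50100 || true
port_argument 192.168.1.54 50000
```

With FTPS the control channel is encrypted, so a firewall cannot read this reply to open the port on the fly, which is why a fixed passive port range has to be agreed with the trading partner.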

Both standards offer a high level of data protection

Mainly depends on trading partner’s capabilities

SFTP authentication is simpler to implement (use a key, password or both).

SFTP is very popular in the LINUX/UNIX world

SFTP uses the single port 22 (by default) for all communications, which is easy to open on your firewall

FTPS uses a random set of port numbers for each listing and data connection, which your firewall may block (you may have to set up a range of allowable port numbers in your firewall and configure in the client)

FTPS can use signed certificates (3rd party verification) to establish a chain of trust, in which you don’t need certificates from each partner

Should I use SFTP or FTPS?

Secure FTP does not protect data “at rest”

Is your trading partner protecting your data after it arrives at their site?

Secure FTP – Potential issue

[Diagram: Your System (Plain-text file) -> Secure FTP Encrypted Tunnel (Protects user ids, passwords and data) -> Trading Partner (Plain-text file) <- Hacker]

Secure FTP will protect your FTP user ids, passwords, commands and data while in transit

OpenPGP will protect your data in transit and also “at rest”

Secure FTP and OpenPGP – A One, Two Punch!

[Diagram: Your System (Plain-text file -> OpenPGP (Public Key) -> Encrypted file) -> Secure FTP Encrypted Tunnel (Protects user ids, passwords and data) -> Trading Partner (Encrypted file -> OpenPGP (Private Key) -> Plain-text file)]

Note: Assumes that trading partner will decrypt your file only after it is moved to their internal protected network.

Programmers traditionally have to write Scripts, CL programs, .BAT files, etc.

Passwords are often stored in the scripts (in the clear)

Scripts need to be maintained by Programmers:
- When host names and IP addresses change
- When user ids and passwords change
- When file names change

Can become very complex and unmanageable, especially as you add more trading partners

Difficult to include/exclude files based on variables, wildcards, timestamps, sizes, etc.

Lacking IF/ELSE controls (commands typically just run in sequential order)

Some organizations use PC Tools for FTP/SFTP/FTPS transfers, in which files have to first be downloaded from the corporate server:
- This exposes the file(s) on the PC (vulnerable to hackers)
- Download is often done manually to PC, which consumes time and is subject to errors

open ftp.bank.com

user joe password

ascii

get /inbound/ack837.txt

get /inbound/ack763.txt

lcd /orderfiles

put ord7632.txt /outbound/

put ord9383.txt /outbound/

close

quit

FTP Scripting and Management Issues

Difficult to find and analyze FTP logs to determine what problems occurred

Example portion of a traditional FTP log:

Manually or programmatically read through the OUTPUT log to find exact error

Are you notified when problems occur… or do you wait for the trading partner to call you?

> cd testftp

250 "TESTFTP" is current library.

Enter an FTP subcommand.

> lcd testftp

Local working directory is TESTFTP

Enter an FTP subcommand.

> put demodemo

File DEMODEMO in library TESTFTP not found.

Enter an FTP subcommand.

> quit

221 QUIT subcommand received.

Error

Error Trapping and Notification Issues
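
Reading the output log programmatically, as the slide suggests, can be done by pairing each subcommand with the lines that follow it. This is an added example, not part of the original slides: it assumes a transfer is complete only when a 226 or 250 reply is logged, the function names are hypothetical, and the second sample log is constructed.

```sh
#!/bin/sh
# Added example: find failed subcommands in an FTP client output log.

# scan_ftp_log [FILE]: print one "FAIL <subcommand>: <reason>" line per failure.
# A subcommand fails when the server answers with a 4xx/5xx reply, or when a
# transfer (put/get/mput/mget) never receives a 226 or 250 completion reply.
scan_ftp_log() {
    awk '
        function finish(   verb) {
            if (cmd == "") return
            verb = tolower(cmd)
            sub(/ .*/, "", verb)
            if (bad != "")
                print "FAIL " cmd ": " bad
            else if (verb ~ /^m?(put|get)$/ && !done)
                print "FAIL " cmd ": " (first != "" ? first : "no completion reply")
            cmd = ""
        }
        /^> / { finish(); cmd = substr($0, 3); bad = ""; first = ""; done = 0; next }
        /^Enter an FTP subcommand\.$/ { next }
        cmd != "" {
            if ($0 ~ /^[45][0-9][0-9][ -]/) { if (bad == "") bad = $0 }
            else if ($0 ~ /^2(26|50)[ -]/) done = 1
            if (first == "") first = $0
        }
        END { finish() }
    ' "$@"
}

# ftp_log_ok [FILE]: return 0 only when no subcommand failed (usable as an exit status)
ftp_log_ok() {
    failures=$(scan_ftp_log "$@")
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures"
        return 1
    fi
}

# The log portion shown on the slide
sample_log() {
    cat <<'EOF'
> cd testftp
250 "TESTFTP" is current library.
Enter an FTP subcommand.
> lcd testftp
Local working directory is TESTFTP
Enter an FTP subcommand.
> put demodemo
File DEMODEMO in library TESTFTP not found.
Enter an FTP subcommand.
> quit
221 QUIT subcommand received.
EOF
}

# Constructed log: one successful transfer and one server-side refusal
constructed_log() {
    cat <<'EOF'
> put orders1.txt
150 constructed: opening data connection
226 constructed: transfer complete
Enter an FTP subcommand.
> get invoices.txt
550 constructed: file not available
Enter an FTP subcommand.
EOF
}

sample_log | scan_ftp_log
constructed_log | ftp_log_ok || echo "transfer batch failed"
```

The non-zero return from ftp_log_ok is what a calling job can act on to send an alert instead of waiting for the trading partner to call.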

Installs on the IBM i

Supports popular secure protocols such as OpenPGP, ZIP/AES, SFTP and FTPS

Includes Key Management tools for OpenPGP keys, SSH keys and SSL certificates

Has good authorization controls (preferably with role-based access)

Keeps trading partner user credentials separate from OS user profiles

Allows transfers to be initiated from your applications (e.g. RPG, CL) and scheduler

Includes monitors that can “watch” for new files in specified folders

Has centralized audit trails (with good reporting tools)

Can alert you when problems occur via system messages or email

Can be set up and used without programming skills

Commercial Managed File Transfer (MFT) Packages

Features to look for…

Web site: www.linomasoftware.com

E-mail: [email protected]

Toll-free: 1-800-949-4696

Direct: (402) 944-4242

Fax: (402) 944-4243