

  • Subject: Setting up FTP to AS/400 for the first time
  • From: jcrowley@xxxxxxxxxx
  • Date: Fri, 29 Sep 2000 09:53:25 -0600



I work for a smallish software company. We are currently using four comm lines
for client support and to send software updates via SNADS. The competition for
these four lines is getting hot, so we're looking at alternatives before going
out and setting up more lines.

We believe we can provide our software updates via FTP, but we don't want to
implement anything until we're fairly sure our security mechanism will work. Can
someone tell me where the holes are in our scheme?

I have set up an FTP user profile that has no special authority, no password, an
initial program of *SIGNOFF, and a library list that contains only one library.
The only objects that definitely will be placed in this library are save files
intended to be available to our clients. (The save files contain program and/or
file updates or additions. They would never contain a complete program or file
library. They would also never contain any implementation procedures or
documentation.)

I have created an FTP logon exit program and a file that contains a very small
list of valid user profiles for FTP. The exit program compares the incoming
profile with the list in the file and either accepts or rejects the logon. If
the logon is accepted, the user profile is changed to the single FTP user
profile described above.

I have a second exit program that looks at incoming FTP requests. All requests
are rejected except for the ability to establish a connection, list the current
library and get a file from that library. We will log all FTP requests from
within these exit programs, but I'm still working on that piece.

We do not have all libraries on our system designated as public *EXCLUDE, and I
know that it's recommended. To date, we have secured our system from the outside
by using our firewall to pretty much shut down anything incoming and keeping
some servers (like FTP) turned off. We know that improving our security for an
internet world is in our immediate future, but we would like to plan it
thoroughly to minimize work disruption. Will the plan being considered for FTP
be fairly secure if we haven't taken this step yet?

What other things should we look at to close any holes into our system that
might occur with this setup? More importantly, are there any security risks for
our clients in this? I can't see that there is any risk for them, but perhaps
I'm missing something major.
Thanks for your help!

Janet Elam Crowley
Systems Analyst
IFA Systems
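
Added example, not part of the original post and not IBM's exit-point interface: a portable C model of the deny-by-default decision the second exit program describes (connect, list, and get from one library only). It checks the object name on every request, because a client can send a library-qualified name and the library list alone does not confine it. The operation labels, the library name `UPDATES`, and the assumption that unqualified names stay in that library (directory changes being rejected) are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Operation labels are this example's own, not the exit point's numeric codes. */
enum ftp_op { OP_CONNECT, OP_LIST, OP_GET, OP_PUT, OP_DELETE, OP_CHDIR, OP_RUN_CMD };

static const char PUBLISHED_LIB[] = "UPDATES";  /* hypothetical client library */

/* Case-insensitive: is s[0..n) exactly `want`? Stops at the first mismatch,
   so it never reads past a terminating NUL in s. */
static int eq_nocase(const char *s, size_t n, const char *want)
{
    if (n != strlen(want)) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != toupper((unsigned char)want[i])) return 0;
    return 1;
}

/* 1 only if the name resolves inside the published library. Accepted forms:
   "FILE", "LIB/FILE", "/QSYS.LIB/LIB.LIB/FILE.ext". Anything else is refused. */
static int in_published_lib(const char *name)
{
    const char *slash;
    if (strstr(name, "..") != NULL) return 0;          /* no parent references */
    if (name[0] == '/') {                              /* path-style name */
        if (!eq_nocase(name, 10, "/QSYS.LIB/")) return 0;
        name += 10;
        if ((slash = strchr(name, '/')) == NULL) return 0;
        size_t n = (size_t)(slash - name);             /* length of "LIB.LIB" */
        if (n < 5 || !eq_nocase(name + n - 4, 4, ".LIB")) return 0;
        if (!eq_nocase(name, n - 4, PUBLISHED_LIB)) return 0;
        return slash[1] != '\0' && strchr(slash + 1, '/') == NULL;
    }
    if ((slash = strchr(name, '/')) == NULL) return 1; /* unqualified name */
    return eq_nocase(name, (size_t)(slash - name), PUBLISHED_LIB)
        && slash[1] != '\0' && strchr(slash + 1, '/') == NULL;
}

/* Deny by default: only connect, list and get are ever allowed. */
int allow_request(enum ftp_op op, const char *name)
{
    switch (op) {
    case OP_CONNECT: return 1;
    case OP_LIST:    return name == NULL || *name == '\0' || in_published_lib(name);
    case OP_GET:     return name != NULL && *name != '\0' && in_published_lib(name);
    default:         return 0;  /* put, delete, chdir, run command, unknown */
    }
}
```
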






+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
