As a programmer who can do socket-level programming, you cannot stop me
from creating a program to connect to an FTP server. There is not a
stateful firewall on the iSeries. You can keep users from using IBM's
built-in FTP client. If you want to stop all FTP outbound from your
site, do it on your firewall. Hopefully you have one of those between
your network and the internet.
FYI, just because I cannot FTP from the iSeries does not mean I cannot
copy to a stream file and then FTP from my PC. There are just so many ways
of getting data off of the iSeries. 8GB+ USB keys can take a lot of
data home. A 1TB external HD can take your whole system home for under
$200 US.
You must start by restricting access to the data itself. Only allow
access via authorized programs. Do not allow ODBC, JDBC, CPYTOSTMF,
CPYTOIMPF, or any of the other methods to download data to a PC. Forget
about the FTP client, though that can stop an immediate threat from a
smart user.
Look at the whole picture. Start securing your data access and logging
those who have a legitimate reason to access outside of your
applications.
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Hall
Sent: Thursday, April 02, 2009 3:34 PM
To: Midrange Systems Technical Discussion
Subject: Re: FTP outbound
Dave Snyder wrote:
How can I easily turn off all outbound FTP capabilities for all users but
not shut down TCPIP?
Dave
I think you can use CHGFCNUSG, function ID QIBM_QTMF_CLIENT_REQ_6 to do
that. You can even allow it for specific users or groups of users and
deny it to everyone else. There's a WRKFCNUSG and a DSPFCNUSG command
too.