The File Transfer Protocol (FTP) is a common, well-known, and easy-to-use application for moving data. The big advantage of FTP is that it is already available in so many places: z/OS, Windows, Unix, Linux, you name it. Almost every system comes with FTP. The client and server are both simple to use.
FTP has been the de facto standard for so long that most implementations come with platform-appropriate extensions. The z/OS FTP client and server, for example, handle MVS datasets and ASCII to EBCDIC conversion without skipping a beat. Even JES support is available for submitting jobs and extracting reports.
So it’s too bad FTP deals with privacy and security so poorly. FTP was designed back when the electronic world was small and safe. It transmits clear text. Eavesdroppers can see user IDs, passwords, and data files. In a closed, secure environment, FTP’s simplicity can save a lot of hassles, but that type of environment is more the exception than the rule.
Firewalls, a common precaution, let safe traffic pass. But FTP is troublesome with firewalls because it uses two connections: one for commands and one for data transfers. The second (data) connection starts with a connection request from outside the firewall, from a server trying to reply to a client request (that’s active FTP). Or it starts with the client asking to connect to a previously unknown, ephemeral port chosen by the server and passed in reply to the client request (that’s passive FTP). In either case, it takes a special effort to tell a firewall it can trust that outside server. And it’s nearly impossible if the FTP commands are encrypted (see FTPS, below).
FTP has three other shortcomings worth noting.
Data compression is not native to the FTP protocol and is rarely available. Some implementations have a MODE Z extension that supplies compression, but you can’t count on it.
FTP does not provide any application-level verification of data integrity. It relies on the TCP checksum, a minimal check that is easily fooled.
FTP sends user IDs and passwords in clear text, as well as data. So if the FTP server requires authentication, your IDs and passwords may become public along with your data.
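The integrity point above can be checked directly. This added example (not part of the original article) implements the RFC 1071 checksum that TCP uses and compares it with a SHA-256 digest computed at the application level; the sample record and the helper names are constructed for illustration.

```python
import hashlib

def internet_checksum(data: bytes) -> int:
    """16-bit ones' complement checksum (RFC 1071), the algorithm TCP uses."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the 16-bit words at word indexes i and j."""
    buf = bytearray(data)
    buf[2*i:2*i+2], buf[2*j:2*j+2] = data[2*j:2*j+2], data[2*i:2*i+2]
    return bytes(buf)

def compare(original: bytes, received: bytes) -> dict:
    """Say whether each check notices that the received payload differs."""
    return {
        "payload_changed": original != received,
        "checksum_detects": internet_checksum(original) != internet_checksum(received),
        "sha256_detects": hashlib.sha256(original).digest() != hashlib.sha256(received).digest(),
    }

# Constructed sample record, not taken from a real transfer.
ORIGINAL = b"DEBIT=1000 CREDIT=2000"
# Two 16-bit words change places: the sum of words, and so the checksum, is unchanged.
# (The TCP header and pseudo-header add the same amount to both sums.)
REORDERED = swap_words(ORIGINAL, 3, 9)
# Control case: a single flipped bit, which the checksum does catch.
BITFLIP = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]

if __name__ == "__main__":
    for name, received in (("reordered", REORDERED), ("bit flip", BITFLIP)):
        print(name, received, compare(ORIGINAL, received))
```

Comparing a digest computed by the sender with one computed by the receiver is the kind of application-level verification plain FTP lacks.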
So simple FTP is useful, but only so long as your use of it passes the “anonymity test”: Is it OK for the data to become public knowledge? Accuracy is not a big deal? Authentication isn’t necessary? If yes, yes, yes, then FTP makes good sense.
In the end, far too many secrets are being passed via FTP, and a review of what FTP users are moving into, and especially out of, your z/OS machines is probably a good idea.