I think the logon credentials flow over the control channel. I guess you could negotiate in the dark, then have the control channel drop out of encryption and expose itself.
But Wait! There's More! PCI DSS also requires NAT'ing. To do that, the firewall has to inspect the data packet. Now what?

Another question: does anyone know the PCI DSS definition of an "open, public network"? The context seems to be a web server connected to the Internet, so a private, local network should not qualify. Thoughts?

Curious that TN3270 does not seem to present these issues. Could it be that FTP's use of two ports/channels vs TN3270's one may be its saving grace?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Scott
Sent: Tuesday, January 05, 2010 12:09 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: PCI and Auditors perceptions thereof

The way FTPS (FTP+TLS) works is that you connect on port 21, issuing the "STARTTLS" command (or some such). You then perform your handshake over an encrypted channel. FTP requires the use of ports 20 (data) and 21 (control). Though, in practice, 21 is the important port as the one used for data is often negotiated to something above 1024, as well as the new port used by the control channel.

From that point, you may issue commands to increase or decrease the level of encryption as you see fit. If you experience firewall issues, you often need to have your control channel transmit "in the clear" so your firewall can observe it and dynamically open ports on demand. You may also drop out of encryption for the data channel, which will increase the speed of transmission and reduce the load on your CPU. The unfortunate side effect, however, is that I will kill you in your sleep for doing that.

I haven't bothered to look into the TELNET side of things because I only use it for 3270 and within our private network.

- Scott

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
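The command sequence Scott describes (TLS negotiated on the port 21 control channel, the data channel's protection raised or lowered afterwards, and the control channel optionally dropped back to cleartext so a firewall can watch PORT/PASV) can be checked mechanically from a session transcript. The script below is an added example, not code from either poster; it tracks channel state using the RFC 4217 commands AUTH TLS, PBSZ, PROT and CCC and their 2xx acceptance replies, and runs over constructed transcripts (no real server or capture) that correspond to the three choices discussed: keep everything encrypted, clear the control channel for the firewall, or clear the data channel for speed.

```python
"""Audit an FTPS (RFC 4217) control-channel transcript for the exposures
discussed in the thread: credentials before AUTH TLS, file transfers with
PROT C in effect, and a CCC that returns the control channel to cleartext.

Added example, not code from the original list posting. Transcripts below
are constructed, not captured from any real server.
"""

# Commands whose argument or reply carries the negotiated data port.
PORT_NEGOTIATION = {"PORT", "PASV", "EPRT", "EPSV"}
# Commands that open the data channel.
DATA_TRANSFER = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


def audit_ftps_transcript(lines):
    """Walk a transcript of 'C: <command>' / 'S: <reply>' lines.

    Returns a list of (severity, message) tuples. State follows RFC 4217:
    AUTH TLS accepted (234) encrypts the control channel; the data channel
    stays clear until PROT P is accepted (200); CCC accepted (200) drops the
    control channel back to cleartext.
    """
    control_tls = False
    data_tls = False
    pending = None  # (verb, arg) of the client command awaiting its reply
    findings = []

    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not control_tls:
                findings.append(("WARN", f"{verb} sent on cleartext control channel"))
            elif verb in PORT_NEGOTIATION and control_tls:
                findings.append(("INFO", f"{verb} is inside TLS; a stateful firewall "
                                         "cannot learn the data port from it"))
            elif verb in DATA_TRANSFER and not data_tls:
                findings.append(("WARN", f"{verb} moves file data in the clear (PROT C)"))
        elif side == "S" and pending is not None:
            verb, arg = pending
            # Only a 2xx reply changes channel state; 4xx/5xx leave it as it was.
            if text[:1] == "2":
                if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    control_tls = True
                elif verb == "PROT":
                    data_tls = arg.upper() == "P"
                elif verb == "CCC":
                    control_tls = False
                    findings.append(("WARN", "CCC accepted: control channel back to cleartext; "
                                             "every later command is visible on the wire"))
            pending = None
    return findings


# Constructed transcripts (hypothetical host 10.0.0.5, user 'alice').
TLS_LOGIN = [
    "S: 220 FTP server ready",
    "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: PBSZ 0", "S: 200 PBSZ=0",
    "C: PROT P", "S: 200 Protection set to Private",
    "C: USER alice", "S: 331 Password required",
    "C: PASS s3cret", "S: 230 Logged in",
]
TRANSFER = [
    "C: PASV", "S: 227 Entering Passive Mode (10,0,0,5,195,80)",
    "C: RETR report.csv", "S: 150 Opening data connection", "S: 226 Transfer complete",
]
STRICT = TLS_LOGIN + TRANSFER                                                  # everything encrypted
CLEAR_CONTROL = TLS_LOGIN + ["C: CCC", "S: 200 Clear command channel"] + TRANSFER  # firewall-friendly
CLEAR_DATA = TLS_LOGIN + ["C: PROT C", "S: 200 Protection set to Clear"] + TRANSFER  # speed hack
PLAIN_FTP = ["S: 220 FTP server ready", "C: USER alice", "S: 331 Password required",
             "C: PASS s3cret", "S: 230 Logged in"] + TRANSFER                  # no TLS at all

if __name__ == "__main__":
    for name, transcript in [("strict", STRICT), ("clear control", CLEAR_CONTROL),
                             ("clear data", CLEAR_DATA), ("plain ftp", PLAIN_FTP)]:
        print(f"== {name}")
        for severity, msg in audit_ftps_transcript(transcript):
            print(f"  {severity}: {msg}")
```

The fully encrypted session produces only an informational note: PASV is hidden from the firewall, which is exactly the NAT/inspection problem raised above. Clearing the control channel with CCC removes that note but is flagged, because everything after it (including a later re-login) travels in the clear; clearing the data channel with PROT C keeps the logon private but exposes every file. The plain FTP session fails on both the credentials and the data.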