Ingress
Ingress, in the context of z/OS, refers to all network traffic originating from external sources that is directed into the mainframe system. This inbound traffic is processed by the z/OS TCP/IP stack and routed to specific applications or services running on the mainframe, such as CICS, IMS, DB2, or TSO. It represents the flow of data and requests entering the z/OS environment from distributed systems, client applications, or other network devices.
Key Characteristics
- TCP/IP Stack Processing: All inbound traffic is received and managed by the z/OS TCP/IP stack, which acts as the primary network interface for the mainframe.
- Port-Based Routing: Ingress traffic is directed to specific IP addresses and port numbers configured on the z/OS system, each typically associated with a particular application or service.
- Security Controls: Inbound connections are subject to rigorous security checks, including IP Filtering rules, RACF (or equivalent ESM) authentication and authorization, and network-level encryption such as AT-TLS or IPSec.
- Diverse Protocols: Can include a wide range of protocols such as TCP, UDP, SNA over IP (EE), HTTP/HTTPS, FTP/SFTP, TN3270, and SSH.
- Workload Management: Inbound requests for critical applications are often managed by z/OS Workload Manager (WLM) to ensure appropriate prioritization and resource allocation.
- Logging and Monitoring: Ingress activity is extensively logged via SMF records and can be monitored using tools like NetView, OMEGAMON, or SYSLOG for performance, security, and auditing purposes.
Use Cases
- Client-Server Applications: Distributed applications connecting to DB2 databases, IMS transactions, or CICS programs to retrieve data or execute business logic.
- Terminal Emulation: Users accessing TSO, CICS, or IMS through TN3270 emulators from their workstations.
- Web Services and APIs: Modern applications consuming RESTful APIs or SOAP web services exposed by mainframe applications via z/OS Connect EE or directly through CICS Web Services.
- File Transfers: Securely transferring files to and from z/OS datasets using FTP, SFTP, or FTPS for data exchange with other systems.
- Remote Administration: System administrators connecting via SSH or SNMP to manage and monitor the z/OS system, its network configuration, or specific applications.
Related Concepts
Ingress traffic is foundational to how z/OS interacts with the broader IT ecosystem. It is intrinsically linked to the TCP/IP stack, which provides the network communication infrastructure. RACF (or other External Security Managers) and IP Filtering are critical for securing ingress by authenticating users and controlling network access. Application subsystems like CICS, IMS, and DB2 are the ultimate destinations for most inbound requests, processing the business logic or data access. z/OS Connect EE acts as a modern gateway, facilitating ingress from cloud-native and distributed applications into traditional mainframe assets.
- Principle of Least Privilege: Configure IP Filtering and RACF rules to allow only necessary inbound connections to specific ports and IP addresses, blocking all others by default.
- Encrypt All Sensitive Traffic: Mandate the use of AT-TLS (Application Transparent Transport Layer Security) for all sensitive inbound TCP/IP connections to ensure data encryption in transit.
- Regular Security Audits: Periodically review SMF records related to network activity and security events to identify unauthorized access attempts or unusual traffic patterns.
- Implement Network Segmentation: Utilize VLANs or IP Filtering to logically segment the z/OS network, isolating critical applications and data from less secure zones.
- Monitor for Anomalies: Employ network performance monitors and security information and event management (SIEM) tools to detect and alert on sudden spikes in inbound traffic or suspicious connection attempts, which could indicate a DDoS attack or intrusion.
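The least-privilege and anomaly-monitoring practices above, as an added worked example that is not part of the original page and not z/OS code: a default-deny ingress allowlist (source range, destination port, protocol) is evaluated against a constructed sample of inbound connection attempts, and any source whose denied attempts reach a threshold is flagged for review. The allowlist entries, the sample events and the threshold are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network
from collections import Counter

# Constructed allowlist modelling a default-deny ingress policy: only these
# (source network, destination port, protocol) combinations are permitted.
ALLOW_RULES = [
    ("10.20.0.0/16", 992, "tcp", "TN3270E over TLS from the corporate LAN"),
    ("10.20.0.0/16", 22, "tcp", "SSH for administrators"),
    ("0.0.0.0/0", 443, "tcp", "HTTPS into z/OS Connect EE"),
]

def is_allowed(src_ip, dst_port, proto, rules=ALLOW_RULES):
    """Return True only if an explicit rule permits the inbound connection."""
    src = ip_address(src_ip)
    for net, port, p, _desc in rules:
        if src in ip_network(net) and port == dst_port and proto == p:
            return True
    return False  # nothing matched: default deny

# Constructed sample of inbound connection attempts (not real SMF records):
# (source address, destination port, protocol)
SAMPLE_EVENTS = [
    ("10.20.5.17", 992, "tcp"),    # TN3270E from the LAN
    ("10.20.5.17", 22, "tcp"),     # SSH from the LAN
    ("198.51.100.9", 443, "tcp"),  # HTTPS from outside, permitted
    ("198.51.100.9", 21, "tcp"),   # cleartext FTP, not exposed
    ("198.51.100.9", 23, "tcp"),   # cleartext TN3270, not exposed
    ("198.51.100.9", 22, "tcp"),   # SSH from outside the admin range
    ("203.0.113.4", 161, "udp"),   # SNMP from outside
]

def audit(events, rules=ALLOW_RULES, threshold=3):
    """Classify each event and flag sources with >= threshold denied attempts."""
    denied = Counter()
    decisions = []
    for src, port, proto in events:
        ok = is_allowed(src, port, proto, rules)
        decisions.append((src, port, proto, "permit" if ok else "deny"))
        if not ok:
            denied[src] += 1
    suspicious = sorted(s for s, n in denied.items() if n >= threshold)
    return decisions, suspicious

if __name__ == "__main__":
    decisions, suspicious = audit(SAMPLE_EVENTS)
    for d in decisions:
        print("%-14s %5d %-4s %s" % d)
    print("sources to review:", suspicious)
```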