Storage area network (san) security
Abstract
A method for the binary zoning of a Storage Area Network (SAN) for security is disclosed, for a SAN with physical devices consisting of a first array of hosts (1) and a second array of storage devices (4), and a SAN Switch (2, 2A) coupled intermediate the hosts and the storage devices. The SAN Switch routes I/O commands and accepts zoning commands. The method is based on starting operation of the SAN with mutually isolated physical devices and accepting zoning commands only after running security verification procedures requiring that hosts be authenticated and that storage devices be identified. Zoning is dynamically controlled from a workstation (8) operated by a System Administrator entering meta-zoning instructions which are used to automatically program the zoning of the SAN Switch for legitimate physical devices. The method is implemented for security and booting of a SAN.
72 Claims
1. A method for Storage Area Network (SAN) security comprising booting, the SAN comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a storage network (5′) with network links (5), a users network (6′) with users network links (6), and a SAN Switch (2, 2A) coupled intermediate the first array and the second array and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the method being characterized by comprising the steps of:
operating binary zoning for security comprising default zoning and work zoning permitting the creation of, respectively, at least one default zone and at least one work zone, the binary zoning always first residing in default zoning, and in default zoning:
mutually isolating each one of the physical devices, and running a security procedure on each one of the physical devices for legitimacy verification, and in work zoning:
zoning only legitimate physical devices.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 22, 23, 24, 25, 26, 47
14. A method for Storage Area Network (SAN) booting, the SAN comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a storage network (5′) with network links (5), a users network (6′) with users network links (6), and a SAN Switch (2) coupled intermediate the first array and the second array and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the method being characterized by comprising the steps of:
operating a binary zoning for booting comprising default zoning and work zoning permitting the creation of, respectively, at least one default zone and at least one work zone, the binary zoning always first residing in default zoning, and in default zoning:
booting the first array of hosts in mutual isolation and starting the second array of storage devices, verifying operation of the physical devices, and in work zoning:
zoning only operative physical devices.
Dependent claims: 16, 17, 18, 19, 20, 21
27. A system for operating SAN security and booting, the system comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a storage network (5′) with storage network links (5), a users network (6′) with users network links (6), and a SAN Switch (2) coupled intermediate the first array and the second array and to each physical device via network links, and coupled to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the SAN Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link (5), the system being characterized in that:
a SAN Firewall (3) is coupled by a storage network link to a SAN-Firewall-port (sf) accommodated in the SAN Switch and coupled by a user network link to the users network, the SAN Firewall being configured to automatically program the SAN Switch into zones, with each zone residing in either one of a binary zoning comprising:
in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port coupled to the SAN Firewall and connected to a second device-port (h, d) coupled to and isolating a physical device, the SAN Firewall operating at least one security verification procedure on the isolated physical device, and in work zoning, at least one work zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only security verified physical devices counting at least one host port (h), and at least one storage device port (d).
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45
46. A system for SAN booting, the system comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a storage network (5′) with storage network links (5), a users network (6′) with users network links (6), and a SAN Switch (2) coupled intermediate the first array and the second array and to each physical device via network links, and coupled to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the SAN Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link (5), the system being further characterized by configuring the SAN Switch for default zoning wherein each port out of the plurality of ports for coupling to a physical device is a mutually isolated default zone and the default zoning is burnt-in in the SAN Switch to always start operation in default zoning, whereby the physical devices are mutually isolated, verifying the operation of at least one host of the first array, and operatively zoning the at least one operative host with at least one storage device.
Dependent claims: 48
49. A Security Computer Program (SCP) operating with a SAN for security and booting, the SAN comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a third array of user workstations (7) comprising a System Administrator (SA) workstation (8), wherein each one host of the first array comprises at least one Host Bus Adaptor (HBA), a SAN Switch (2, 2A) intermediate the first array and the second array, for routing I/O commands to the physical devices and for accepting zoning commands, the SAN Switch comprising a plurality of ports, a storage network (5′) with network links (5) coupling the SAN Switch to each one of the physical devices and to at least one port out of the plurality of ports by at least one network link (5), the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, a users network (6′) with network links (6) coupled to the third array, to the SAN Firewall and to the SAN Switch, the SCP being characterized by comprising:
at least one SAN Agent and a Firewall Software, both being computer programs operating in mutual association, with at least one SAN Agent operating in each one host out of the first array, and the Firewall Software operating in the SAN Firewall, the Firewall Software comprising:
a binary zoning program comprising default zoning and work zoning, for zoning in response to commands derived from meta-zoning instructions, comprising default zones and work zones wherein:
a default zone operates on two ports only, the first port being a SAN Firewall port (sf) to which the SAN Firewall is coupled and the second port being either one of a host port (h) and a storage device port (d) to which one physical device is coupled, each default zone mutually isolating the physical device, to perform at least one security and booting procedure in isolation, and a work zone comprises only physical devices verified by the verification procedure and couples at least one host and at least one storage device in associative operation, the work zone comprising at least one host port, one storage device port and the SAN Firewall port.
Dependent claims: 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 62, 65, 66, 68, 69, 70, 71, 72
61. A Security Computer Program operating with a SAN for booting, the SAN comprising:
physical devices comprising a first array of hosts (1) and a second array of storage devices (4), a storage network (5′) with network links (5), a users network (6′) with users network links (6), and a SAN Switch (2) coupled intermediate the first array and the second array and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the SCP being further characterized by comprising:
operating a binary zoning program for booting comprising default zoning and work zoning permitting the creation of, respectively, at least one default zone and at least one work zone, the binary zoning program always first residing in default zoning, and in default zoning:
booting the first array of hosts in mutual isolation and starting the second array of storage devices, verifying operation of the physical devices, and in work zoning:
zoning only operative physical devices.
Dependent claims: 63, 64, 67
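The binary zoning lifecycle that claims 1, 14, 27, 49 and 61 describe (burnt-in default zoning that pairs every device port only with the SAN-Firewall-port, a verification procedure run on each device while it is isolated, then work zones that the firewall programs from the System Administrator's meta-zoning instructions and that may contain only verified devices) can be simulated end to end. The following is an added example in Python and is not code from the patent or from any product implementing it. The patent does not specify the verification procedure, so the HMAC challenge-response between the Firewall Software and the host's SAN Agent, the WWN allow-list used to identify storage devices, the class and port names, and the constructed device list with its WWNs are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SF_PORT = "sf"  # the SAN-Firewall-port (sf) of the claims

@dataclass
class Device:
    port: str            # switch port the device is cabled to ("h1" host, "d1" storage)
    kind: str            # "host" or "storage"
    wwn: str             # World Wide Name the HBA or storage port reports
    secret: bytes = b""  # hosts only: key shared with its SAN Agent (assumed scheme)
    operative: bool = True

class SANSwitch:
    """Active zone set of the SAN Switch; a zone is a frozenset of port names."""

    def __init__(self, device_ports):
        self.device_ports = list(device_ports)
        self.default_zoning()  # burnt-in: operation always starts isolated

    def default_zoning(self):
        # One two-port zone (sf, port) per device port: every device can reach
        # only the SAN Firewall, so the devices are mutually isolated.
        self.zones = {frozenset({SF_PORT, p}) for p in self.device_ports}

    def can_talk(self, a, b):
        return any(a in z and b in z for z in self.zones)

def san_agent_respond(dev, nonce):
    # SAN Agent on the host answers the firewall's challenge with the host secret.
    return hmac.new(dev.secret, nonce, hashlib.sha256).digest()

class SANFirewall:
    def __init__(self, switch, enrolled_hosts, known_storage):
        self.switch = switch
        self.enrolled_hosts = enrolled_hosts  # host WWN -> shared secret (assumed)
        self.known_storage = known_storage    # WWNs of the storage devices we own
        self.verified = {}                    # port -> Device that passed verification

    def verify(self, dev):
        """Security procedure, run while dev sits alone in its default zone."""
        if not self.switch.can_talk(SF_PORT, dev.port):
            raise RuntimeError(f"{dev.port} is not reachable from {SF_PORT}")
        if not dev.operative:           # booting variant: only operative devices pass
            return False
        if dev.kind == "host":          # hosts are authenticated, not merely identified
            secret = self.enrolled_hosts.get(dev.wwn)
            if secret is None:
                return False
            nonce = os.urandom(16)
            expected = hmac.new(secret, nonce, hashlib.sha256).digest()
            ok = hmac.compare_digest(san_agent_respond(dev, nonce), expected)
        else:                           # storage devices are identified by WWN
            ok = dev.wwn in self.known_storage
        if ok:
            self.verified[dev.port] = dev
        return ok

    def work_zoning(self, meta_zones):
        """meta_zones: [(host_ports, storage_ports), ...] from the SA workstation."""
        zones = []
        for hosts, stores in meta_zones:
            members = set(hosts) | set(stores)
            unverified = members - set(self.verified)
            if unverified:
                raise ValueError(f"refusing to zone unverified ports {sorted(unverified)}")
            if not hosts or not stores:
                raise ValueError("a work zone needs at least one host and one storage port")
            zones.append(frozenset(members | {SF_PORT}))  # sf plus at least two device ports
        for p in self.switch.device_ports:
            if not any(p in z for z in zones):           # everything else stays isolated
                zones.append(frozenset({SF_PORT, p}))
        self.switch.zones = set(zones)
        return zones

def build_demo():
    """Constructed scenario: an enrolled host, a rogue host spoofing its WWN,
    a known storage device and one that failed to start."""
    key = b"enrolled-host-key"
    devices = [
        Device("h1", "host", "10:00:00:05:1e:aa:bb:01", key),
        Device("h2", "host", "10:00:00:05:1e:aa:bb:01", b"wrong-key"),  # rogue
        Device("d1", "storage", "50:06:01:60:3b:20:00:01"),
        Device("d2", "storage", "50:06:01:60:3b:20:00:02", operative=False),
    ]
    switch = SANSwitch(d.port for d in devices)
    firewall = SANFirewall(switch, {devices[0].wwn: key}, {devices[2].wwn, devices[3].wwn})
    return switch, firewall, devices

def run_demo():
    switch, firewall, devices = build_demo()
    results = {d.port: firewall.verify(d) for d in devices}  # all still mutually isolated
    firewall.work_zoning([(["h1"], ["d1"])])                 # SA meta-zoning instruction
    return results, switch  # results: {'h1': True, 'h2': False, 'd1': True, 'd2': False}
```

The point the simulation makes is the invariant the claims rest on: a device that fails verification never leaves its two-port default zone, so the rogue host h2, which presents the enrolled host's WWN but cannot answer the challenge, ends up unable to reach any storage device, and the firewall refuses a meta-zoning instruction that names it. Identifying storage by WWN alone is the weaker of the two checks, which is why the claims authenticate hosts but only identify storage devices.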
Specification