Storage area network system using internet protocol, security system, security management program and storage device
Abstract
In order to remove a security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing, firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines the nodes registered in the iSNS server to be the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.
23 Claims
1. A storage area network system using the Internet Protocol, comprising:
a plurality of servers connected to an Internet Protocol network via a firewall, each having an iSCSI name and portal information;
a storage device connected to said Internet Protocol network via a firewall and having an iSCSI name and portal information;
a name server connected to said Internet Protocol network via a firewall for managing an access range by defining the iSCSI names and portal information of said plurality of servers and said storage device as access source sets; and
a management server connected to said Internet Protocol network for generating a security policy based on said access source set definitions obtained from said name server, and distributing said security policy to said firewalls, wherein, when any one of the firewalls of said plurality of servers, said storage device, and said name server detects unauthorized access on the basis of the security policy distributed by said management server, said management server obtains information regarding the source of the unauthorized access and notifies all of said firewalls of the unauthorized access source information. [Dependent claims 2 and 3 not shown]
4. A security system in a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via a firewall, comprising a manager for managing said firewall,
wherein said manager creates a security policy based on access source set definitions and distributes said security policy to said firewall, said firewall refers to the distributed security policy to perform access control for distinguishing between valid access and unauthorized access, and when said manager receives notification from said firewall of the detection of access from an unauthorized access source and information regarding the unauthorized access source as unauthorized access information, said manager informs said firewall of said unauthorized access source information.
16. A security system in a storage area network using the Internet Protocol, provided with one or more storage devices connected via one or more firewalls, and one or more servers connected via one or more firewalls, said security system comprising one or more managers for managing said firewalls integrally,
wherein said manager autocreates a security policy on the basis of one or more access source set definitions and distributes said security policy to said firewalls, said firewalls perform access control to distinguish between valid access sources and unauthorized access sources, or access control to distinguish an access source set for a valid access source, and when access from an unauthorized access source or access from a different access source set to the access source sets to which said firewalls or said manager belongs is detected, information sharing is performed by having said firewalls notify said manager of access source information, access destination information, and a damage condition as main unauthorized access information, and by having said manager notify said one or more firewalls of the unauthorized access source information.
20. A security management program of a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via firewalls, said security management program comprising the steps of:
creating a security policy based on access source set definitions;
performing a diagnosis of the communication state by determining whether contact can be made with said firewalls;
transmitting said security policy to said firewalls when normal communication is confirmed;
receiving notification from said firewalls of the detection of unauthorized access based on said security policy and information regarding the source of said unauthorized access; and
notifying all of said firewalls of said unauthorized access source information.
21. A security management program of a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via firewalls, said security management program comprising the steps of:
determining an access source having access source information which belongs to an access source set definition as a valid user;
detecting the firewalls that receive a management packet by broadcasting the management packet within said network;
allocating a firewall ID to said detected firewalls;
creating a security policy for each allocated firewall ID based on said access source set definitions;
allocating said security policies to each of said firewalls, and issuing an access control start request;
receiving notification from said firewalls of the detection of unauthorized access based on said security policy and information regarding the source of said unauthorized access; and
notifying all of said firewalls of said unauthorized access source information.
22. A security program that is executed by firewalls in a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via said firewalls, said security program comprising the steps of:
receiving a security policy created by a security management program on the basis of access source set definitions;
allocating the received security policy;
determining whether or not access source information is defined in said security policy;
denying access when the access source information is not defined in said security policy; and
notifying said security management program of the detection of unauthorized access and information regarding the source of said unauthorized access.
23. A storage device connected to an Internet Protocol network via a firewall, comprising a magnetic disk device for storing information,
wherein said firewall distinguishes between normal access and unauthorized access on the basis of a security policy which is distributed from a management server and defined such that access from an access source registered in an access source set definition is permitted and access from an unregistered access source is denied, whereby when unauthorized access is detected, said firewall denies access to said magnetic disk device and notifies said management server of the unauthorized access and information regarding the source of said unauthorized access.
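The abstract and claims 20 to 22 describe one control loop: the manager builds a policy from the name server's access source sets (iSCSI name plus portal), checks that each firewall is reachable before sending it, each firewall denies connection requests whose source is not in the policy and reports the source, and the manager then notifies every firewall of that source. The following Python simulation is an added example written for this page; it is not code from the patent or its assignee. The iSNS server is reduced to an in-memory discovery-domain table, the management-packet broadcast is replaced by a list of candidate firewalls, and all class and method names, iSCSI names and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessSource:
    """One member of an access source set: an iSCSI name plus portal (ip:port)."""
    iscsi_name: str
    portal: str


class NameServer:
    """Stand-in for the iSNS server: discovery domains of registered nodes."""

    def __init__(self):
        self.discovery_domains = {}

    def register(self, domain, source):
        self.discovery_domains.setdefault(domain, set()).add(source)

    def access_source_sets(self):
        # Every node registered here is treated as a valid user (claim 21).
        return {dd: frozenset(m) for dd, m in self.discovery_domains.items()}


class Firewall:
    """Firewall in front of a server, storage device or name server (claim 22)."""

    def __init__(self, node_name, reachable=True):
        self.node_name = node_name
        self.reachable = reachable      # checked by the manager before sending policy
        self.fw_id = None
        self.policy = frozenset()
        self.blocked = set()            # sources the manager has told us about
        self.manager = None
        self.log = []

    def receive_policy(self, fw_id, policy, manager):
        self.fw_id, self.policy, self.manager = fw_id, policy, manager

    def block(self, source):
        self.blocked.add(source)

    def handle_connection(self, source):
        """Return True to accept a TCP connection request, False to deny it."""
        if source in self.blocked:                  # shared unauthorized-source info
            self.log.append(("deny-shared", source))
            return False
        if source in self.policy:                   # iSCSI name AND portal must match
            self.log.append(("allow", source))
            return True
        # Source not defined in the policy: deny and notify the manager (claim 22).
        self.log.append(("deny", source))
        if self.manager is not None:
            self.manager.report_unauthorized(self.fw_id, source)
        return False


class DistributedFirewallManager:
    def __init__(self, name_server):
        self.name_server = name_server
        self.firewalls = {}             # fw_id -> Firewall
        self.incidents = []

    def discover_firewalls(self, candidates):
        """Stand-in for the management-packet broadcast: allocate an ID per responder."""
        for fw in candidates:
            if fw.reachable:
                self.firewalls[f"fw-{len(self.firewalls) + 1}"] = fw
        return list(self.firewalls)

    def create_policy(self):
        """Common policy: union of all access source sets held by the name server."""
        members = set()
        for group in self.name_server.access_source_sets().values():
            members |= group
        return frozenset(members)

    def distribute_policy(self):
        policy, delivered = self.create_policy(), []
        for fw_id, fw in self.firewalls.items():
            if fw.reachable:            # communication-state diagnosis (claim 20)
                fw.receive_policy(fw_id, policy, self)
                delivered.append(fw_id)
        return delivered

    def report_unauthorized(self, fw_id, source):
        self.incidents.append((fw_id, source))
        for fw in self.firewalls.values():          # notify all firewalls (claim 1)
            fw.block(source)


def run_scenario():
    """Constructed scenario: one discovery domain, one spoofed access source."""
    ns = NameServer()
    host = AccessSource("iqn.2000-01.com.example:host1", "10.0.0.11:3260")
    storage = AccessSource("iqn.2000-01.com.example:storage1", "10.0.0.50:3260")
    ns.register("dd-1", host)
    ns.register("dd-1", storage)

    fw_host, fw_storage, fw_ns = Firewall("host1"), Firewall("storage1"), Firewall("isns")
    manager = DistributedFirewallManager(ns)
    manager.discover_firewalls([fw_host, fw_storage, fw_ns])
    fw_ns.reachable = False                         # goes silent before distribution
    delivered = manager.distribute_policy()

    # Spoofed iSCSI name of host1 from an unregistered portal.
    rogue = AccessSource("iqn.2000-01.com.example:host1", "10.0.0.99:3260")
    return {
        "delivered": delivered,
        "valid_allowed": fw_storage.handle_connection(host),
        "rogue_denied_at_storage": not fw_storage.handle_connection(rogue),
        "rogue_denied_at_host": not fw_host.handle_connection(rogue),
        "incidents": len(manager.incidents),
        "host_fw_log": fw_host.log,
    }
```

The point the scenario makes is that a spoofed iSCSI name alone is not enough: the policy keys on the whole (name, portal) set, and once the storage-side firewall has reported the source, the host-side firewall denies it from the shared list without having to match it against the policy again.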