Storage area network system using internet protocol, security system, security management program and storage device

US 20050210291A1
Filed: 05/25/2004
Published: 09/22/2005
Est. Priority Date: 03/22/2004
Status: Active Grant

First Claim

Patent Images

1. A storage area network system using the Internet Protocol, comprising:

a plurality of servers connected to an Internet Protocol network via a firewall, each having an iSCSI name and portal information;

a storage device connected to said Internet Protocol network via a firewall and having an iSCSI name and portal information;

a name server connected to said Internet Protocol network via a firewall for managing an access range by defining the iSCSI names and portal information of said plurality of servers and said storage device as access source sets; and

a management server connected to said Internet Protocol network for generating a security policy based on said access source set definitions obtained from said name server, and distributing said security policy to said firewalls, wherein, when any one of the firewalls of said plurality of servers, said storage device, and said name server detects unauthorized access on the basis of the security policy distributed by said management server, said management server obtains information regarding the source of the unauthorized access and notifies all of said firewalls of the unauthorized access source information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.

Citations

23 Claims

1. A storage area network system using the Internet Protocol, comprising:
- a plurality of servers connected to an Internet Protocol network via a firewall, each having an iSCSI name and portal information;
  
  a storage device connected to said Internet Protocol network via a firewall and having an iSCSI name and portal information;
  
  a name server connected to said Internet Protocol network via a firewall for managing an access range by defining the iSCSI names and portal information of said plurality of servers and said storage device as access source sets; and
  
  a management server connected to said Internet Protocol network for generating a security policy based on said access source set definitions obtained from said name server, and distributing said security policy to said firewalls, wherein, when any one of the firewalls of said plurality of servers, said storage device, and said name server detects unauthorized access on the basis of the security policy distributed by said management server, said management server obtains information regarding the source of the unauthorized access and notifies all of said firewalls of the unauthorized access source information.
- View Dependent Claims (2, 3)
- - 2. The storage area network system using the Internet Protocol according to claim 1, wherein said security policy permits access from an access source that is registered in said access source set definitions, and denies access from an unregistered access source.
  - 3. The storage area network system using the Internet Protocol according to claim 1, wherein said access source set definition is a pair consisting of an iSCSI name and portal information defined for each discovery domain.

4. A security system in a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via a firewall, comprising a manager for managing said firewall, wherein said manager creates a security policy based on access source set definitions and distributes said security policy to said firewall, said firewall refers to the distributed security policy to perform access control for distinguishing between valid access and unauthorized access, and when said manager receives notification from said firewall of the detection of access from an unauthorized access source and information regarding the unauthorized access source as unauthorized access information, said manager informs said firewall of said unauthorized access source information.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 5. The security system according to claim 4, wherein said manager is stored in at least one of said plurality of servers, and said security policy permits access from an access source that is registered in said access source set definitions, and denies access from an unregistered access source.
  - 6. The security system according to claim 4, wherein said access source set definition is a pair consisting of an iSCSI name and portal information defined for each discovery domain, said definitions being managed by at least one of said plurality of servers.
  - 7. The security system according to claim 4, wherein said manager corrects the created security policy upon a correction request from an administrator.
  - 8. The security system according to claim 4, wherein said manager refers to said access source set definitions periodically according to an update interval defined in advance by the administrator, and updates said security policy when said definitions have been updated, or refers to said access source set definitions upon reception of notification issued by a function for managing said access source set definitions indicating that the network has been updated, and updates said security policy in accordance with the update content thereof, or refers to said access source set definitions upon reception of notification issued by a network device indicating reconstruction of the network, and updates said security policy in accordance with the modification content thereof.
  - 9. The security system according to claim 4, wherein, when notifications of unauthorized access source information are transmitted to said firewall regarding the same unauthorized access, said manager aggregates said notifications into one notification.
  - 10. The security system according to claim 4, wherein said manager spoofs originator information attached to a management packet issued by said manager into virtual originator information, the relationship of said virtual originator information between said manager and said firewall being stored in advance, such that during communication from said manager to said firewall, the management packet having said virtual originator information attached is transmitted in a unicast or multicast format, and during communication from said firewall to said manager, said virtual originator information is broadcast as destination information.
  - 11. The security system according to claim 4, wherein said manager performs access control as a firewall in addition to management of said firewall.
  - 12. The security system according to claim 4, further comprising a manager for managing said firewall or said manager hierarchically.
  - 13. The security system according to claim 11, wherein the access control performed by said manager and said firewall comprises either access control of inward access, or access control of outward access, or both.
  - 14. The security system according to claim 4, wherein, during the access control performed by said manager and said firewall, initial setting is implemented to deny access from all access sources.
  - 15. The security system according to claim 4, wherein management of said access source set definitions is performed by managing set definitions constituted only by access sources determined by the administrator to be valid access sources, updating said definitions according to a request from said manager, and providing notification of the latest definitions periodically according to a notification interval defined in advance by the administrator, or providing notification of the latest definitions in accordance with a notification request from the administrator.

16. A security system in a storage area network using the Internet Protocol, provided with one or more storage devices connected via one or more firewalls, and one or more servers connected via one or more firewalls, said security system comprising one or more managers for managing said firewalls integrally, wherein said manager autocreates a security policy on the basis of one or more access source set definitions and distributes said security policy to said firewalls, said firewalls perform access control to distinguish between valid access sources and unauthorized access sources, or access control to distinguish an access source set for a valid access source, and when access from an unauthorized access source or access from a different access source set to the access source sets to which said firewalls or said manager belongs is detected, information sharing is performed by having said firewalls notify said manager of access source information, access destination information, and a damage condition as main unauthorized access information, and by having said manager notify said one or more firewalls of the unauthorized access source information.
- View Dependent Claims (17, 18, 19)
- - 17. The security system according to claim 16, wherein said manager stores a list of said firewalls defined in advance by the administrator, or creates a list of said firewalls by detecting said firewalls periodically according to an interval defined in advance by said administrator or by detecting said firewalls upon an instruction from said administrator, and manages said firewalls by allocating a unique identifier to each firewall such that when notification of unauthorized access is received from said firewalls, said manager informs said one or more firewalls of information regarding the source of the unauthorized access.
  - 18. The security system according to claim 16, wherein said firewalls perform said access control upon reception of the identifier and security policy allocated by said manager, and when unauthorized access is detected, said firewalls notify said manager of information regarding the source of the unauthorized access.
  - 19. The security system according to claim 16, wherein said firewalls permit access from an access source only when a condition for a valid access source has been established by a combination of at least one piece of unique information possessed by the access source device and the identifier.

20. A security management program of a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via firewalls, said security management program comprising the steps of:
- creating a security policy based on access source set definitions;
  
  performing a diagnosis of the communication state by determining whether contact can be made with said firewalls;
  
  transmitting said security policy to said firewalls when normal communication is confirmed;
  
  receiving notification from said firewalls of the detection of unauthorized access based on said security policy and information regarding the source of said unauthorized access; and
  
  notifying all of said firewalls of said unauthorized access source information.

21. A security management program of a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via firewalls, said security management program comprising the steps of:
- determining an access source having access source information which belongs to an access source set definition as a valid user;
  
  detecting the firewalls that receive a management packet by broadcasting the management packet within said network;
  
  allocating a firewall ID to said detected firewalls;
  
  creating a security policy for each allocated firewall ID based on said access source set definitions;
  
  allocating said security policies to each of said firewalls, and issuing an access control start request;
  
  receiving notification from said firewalls of the detection of unauthorized access based on said security policy and information regarding the source of said unauthorized access; and
  
  notifying all of said firewalls of said unauthorized access source information.

22. A security program that is executed by firewalls in a storage area network using the Internet Protocol in which a plurality of servers and a storage device are connected to the Internet via said firewalls, said security program comprising the steps of:
- receiving a security policy created by a security management program on the basis of access source set definitions;
  
  allocating the received security policy;
  
  determining whether or not access source information is defined in said security policy;
  
  denying access when the access source information is not defined in said security policy; and
  
  notifying said security management program of the detection of unauthorized access and information regarding the source of said unauthorized access.

23. A storage device connected to an Internet Protocol network via a firewall, comprising a magnetic disk device for storing information, wherein said firewall distinguishes between normal access and unauthorized access on the basis of a security policy which is distributed from a management server and defined such that access from an access source registered in an access source set definition is permitted and access from an unregistered access source is denied, whereby when unauthorized access is detected, said firewall denies access to said magnetic disk device and notifies said management server of the unauthorized access and information regarding the source of said unauthorized access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Hitachi, Ltd.
Inventors
Ishizaki, Takeshi, Kobayashi, Emiko, Miyawaki, Toui

Granted Patent

US 7,346,924 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/4541   Directories for service dis...

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/102   Entity profiles

H04L 63/1441   Countermeasures against mal...

H04L 67/1097   for distributed storage of ...

Storage area network system using internet protocol, security system, security management program and storage device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Storage area network system using internet protocol, security system, security management program and storage device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links