NETWORK SECURITY AND APPLICATIONS TO THE FABRIC ENVIRONMENT

US 20080072309A1
Filed: 09/24/2007
Published: 03/20/2008
Est. Priority Date: 01/31/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for non-disruptively distributing and activating security parameters in a computer network, comprising the steps of:

distributing a security parameter to each network element in a set that contains a plurality of network elements; and

after each element in the set has received the security parameter, activating the security parameter by all the network elements in the set, the step of activating including the sub-steps of;

distributing a command to activate the security parameter to all the network elements in the set, sending, by a first network element in the set, security information to a second network element in the set, determining by the second network element whether the security information received from the first network element is compatible with security information of the second network element, and taking corrective action by the second network element if the second network element finds an incompatibility.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for securing networks, focusing on application in Fibre Channel networks. A combination of unique security techniques are combined to provide overall network security. Responsibility for security in the network is assigned to one or more designated entities. The designated entities deploy management information throughout the network to enhance security by modifying the capabilities and operational permissions of the devices participating in the network. For example, through network control: logical management access or physical I/O access may be limited on a per device or per I/O basis; and all devices and ports in the network operate only with other approved devices and ports. These designated entities can better manage network security by exploiting a unique link authentication system as well as a unique push-model secure distributed time service. The link authentication involves a multi-phase nonce exchange exploiting various derivations of the nonce and other information such as hashes and encryptions. The push-model secure time distribution departs from the traditional Fibre Channel pull mode time distribution and provides for secure and reliable distributed time so that various security attacks may be defeated.

Citations

33 Claims

1. A method for non-disruptively distributing and activating security parameters in a computer network, comprising the steps of:
- distributing a security parameter to each network element in a set that contains a plurality of network elements; and
  
  after each element in the set has received the security parameter, activating the security parameter by all the network elements in the set, the step of activating including the sub-steps of;
  
  distributing a command to activate the security parameter to all the network elements in the set, sending, by a first network element in the set, security information to a second network element in the set, determining by the second network element whether the security information received from the first network element is compatible with security information of the second network element, and taking corrective action by the second network element if the second network element finds an incompatibility.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method as in claim 1, wherein the first and second network elements are switches.
  - 3. The method as in claim 21, further comprising transmitting the security parameter to the network endpoint element in response to the switch receiving the security parameter.
  - 4. The method as in claim 1, further comprising storing the security parameter in a respective pending database of each network element in the set.
  - 5. The method as in claim 6, wherein each switch in the set, in response to receiving an activate command, distributes the activate command to each network endpoint element in the set to which it is connected.
  - 6. The method as in claim 1, wherein the security information sent by the first network element includes security capability parameters.
  - 7. The method as in claim 6, wherein the security information sent by the first network element includes a network element list.
  - 8. The method as in claim 6, wherein if an incompatibility is found, then a link is shut down.
  - 9. The method as in claim 8, wherein the link is a Inter Switch Link.
  - 10. The method as in claim 1, further comprising identifying a new inter switch link in the computer network, and wherein the security parameter in the step of distributing pertains to the inter switch link.
  - 11. The method as in claim 10, further comprising exchanging security capability parameters (ESCP) among all network elements in the set.
  - 12. The method as in claim 11, wherein if the ESCP is successful, then all network elements in the set exchange a network element list.
  - 13. The method as in claim 11, wherein if the ESCP is not successful, then the new inter switch link is shut down.
  - 21. The method as in claim 1, wherein the first network element is a network endpoint element and the second network element is a switch.
  - 22. The method as in claim 1, wherein the sending step further includes sending, by a third network element, security information to a fourth network element, further comprising:
    - determining by the fourth network element whether the security information received from the third network element is compatible with security information of the fourth network element; and
      
      taking corrective action by the fourth network element if an incompatibility exists.
  - 23. The method of claim 1, wherein the corrective action includes closing a communication link between the first and second network elements.
  - 24. The method of claim 1, wherein the security information includes security capability parameters.
  - 25. The method of claim 1, wherein the security information includes network topology information.
  - 26. The method of claim 1, wherein all network elements in the set are switches.
  - 27. The method of claim 1, the step of activating further comprising:
    - checking for uniformity of security information among all network elements by comparison carried out by pairs of connected network elements in the set; and
      
      taking corrective action if any non-uniformity exists.
  - 28. The method of claim 1, wherein the steps of distributing and activating are done without affecting network traffic and without shutting down a network element.
  - 29. The method of claim 1, wherein distributing a security parameter is done by a central component.
  - 30. The method of claim 29, wherein the central component is a network management system upon which a user has set the security parameter.
  - 31. The method of claim 29, wherein the set includes two switches and the security parameter is distributed to the two switches, both switches receiving the security parameter across respective links that do not connect directly to the central component.
  - 32. The method of claim 1, wherein the step of activating includes the sub-steps of:
    - receiving a commit instruction at all network elements in the set, at each network element in the set, moving the security parameter from the pending database to an active database, and receiving an activate instruction at all network elements in the set.
  - 33. The method of claim 4, wherein the step of activating includes the sub-step of transferring the security parameter from the perspective pending database of each network element to a respective active database of each network element.

14. An apparatus for non-disruptively distributing and activating security parameters in a computer network, comprising:
- means for sending a security parameter to each network element in a set of network elements that contains a plurality of network elements;
  
  means for receiving the security parameter by all network elements in the set;
  
  means for activating the security parameter by each network element in the set after all network elements in the set have received the security parameter, wherein activating includes distributing a command to activate the security parameter to all the network elements in the set, sending, by a first network element, security information to a second network element, determining by the second network element whether the security information received from the first network element is compatible with security information of the second network element; and
  
  taking corrective action by the second network element if the second network element finds an incompatibility.
- View Dependent Claims (15)
- - 15. The apparatus as in claim 14, wherein the set includes a switch and a network endpoint element, further comprising means for transmitting the security parameter to the network endpoint element in response to the switch receiving the security parameter.

16. An apparatus for distributing and activating a security parameter in a computer network, comprising:
- a set including a plurality of network elements;
  
  a transmitter;
  
  a security parameter generator, linked to the transmitter, that transmits a security capability parameter to all network elements in the set, whereupon receiving the security capability parameter each such network element stores the security capability in a pending database;
  
  an instructor, linked to the transmitter, that generates a commit instruction concerning the security capability parameter and transmits the commit instruction to all network elements in the set, whereupon receiving the commit instruction each such network element moves the security capability parameter to an active database; and
  
  an activator, linked to the transmitter, that transmits a command to initialize the security capability parameter to all network elements in the set, which upon receiving the command to initialize, pairwise exchange a security parameter.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus as in claim 16, wherein compatibility of the exchanged security parameter is checked between each pair of network elements in the
  - 18. The apparatus as in claim 16, further comprising a determinator linked to the transmitter.
  - 19. The apparatus as in claim 18, wherein the determinator determines the computer network topology.
  - 20. The apparatus as in claim 17, wherein the determinator determines a current security parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Renganararayanan, Vidya, Hammons, Richard, Gunawardena, Dilip, KLEINSTEIBER, JAMES, Nguyen, Hung, Balasubramanian, Shankar

Application Number

US11/860,228
Publication Number

US 20080072309A1
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

NETWORK SECURITY AND APPLICATIONS TO THE FABRIC ENVIRONMENT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SECURITY AND APPLICATIONS TO THE FABRIC ENVIRONMENT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links