NETWORK SECURITY AND APPLICATIONS TO THE FABRIC ENVIRONMENT
4 Assignments
0 Petitions
Abstract
A method and apparatus for securing networks, focusing on application in Fibre Channel networks. Several security techniques are combined to provide overall network security. Responsibility for security in the network is assigned to one or more designated entities. The designated entities deploy management information throughout the network to enhance security by modifying the capabilities and operational permissions of the devices participating in the network. For example, through network control, logical management access or physical I/O access may be limited on a per-device or per-I/O basis, and all devices and ports in the network operate only with other approved devices and ports. These designated entities can better manage network security by exploiting a unique link authentication system as well as a unique push-model secure distributed time service. The link authentication involves a multi-phase nonce exchange exploiting various derivations of the nonce and other information such as hashes and encryptions. The push-model secure time distribution departs from the traditional Fibre Channel pull-mode time distribution and provides secure and reliable distributed time so that various security attacks may be defeated.
33 Claims
1. A method for non-disruptively distributing and activating security parameters in a computer network, comprising the steps of:
distributing a security parameter to each network element in a set that contains a plurality of network elements; and
after each element in the set has received the security parameter, activating the security parameter by all the network elements in the set, the step of activating including the sub-steps of:
distributing a command to activate the security parameter to all the network elements in the set,
sending, by a first network element in the set, security information to a second network element in the set,
determining by the second network element whether the security information received from the first network element is compatible with security information of the second network element, and
taking corrective action by the second network element if the second network element finds an incompatibility.
Dependent claims: 2-13 and 21-33.
14. An apparatus for non-disruptively distributing and activating security parameters in a computer network, comprising:
means for sending a security parameter to each network element in a set of network elements that contains a plurality of network elements;
means for receiving the security parameter by all network elements in the set;
means for activating the security parameter by each network element in the set after all network elements in the set have received the security parameter, wherein activating includes distributing a command to activate the security parameter to all the network elements in the set, sending, by a first network element, security information to a second network element, and determining by the second network element whether the security information received from the first network element is compatible with security information of the second network element; and
taking corrective action by the second network element if the second network element finds an incompatibility.
Dependent claim: 15.
16. An apparatus for distributing and activating a security parameter in a computer network, comprising:
a set including a plurality of network elements;
a transmitter;
a security parameter generator, linked to the transmitter, that transmits a security capability parameter to all network elements in the set, whereupon receiving the security capability parameter each such network element stores the security capability parameter in a pending database;
an instructor, linked to the transmitter, that generates a commit instruction concerning the security capability parameter and transmits the commit instruction to all network elements in the set, whereupon receiving the commit instruction each such network element moves the security capability parameter to an active database; and
an activator, linked to the transmitter, that transmits a command to initialize the security capability parameter to all network elements in the set, which upon receiving the command to initialize, pairwise exchange a security parameter.
Dependent claims: 17-20.
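The distribute, commit and initialize sequence of claims 1, 14 and 16, as an added worked illustration rather than code from the patent or its assignee. The Element class with its pending and active databases, the distributor functions, the constructed three-switch fabric, the policy_version parameter and the use of link isolation as the corrective action are all assumptions; the claims themselves do not specify what the corrective action is. A naive single-phase rollout is included for contrast, so the reader can see why the commit is withheld until every element has acknowledged the parameter.

```python
"""Two-phase (distribute, then commit/initialize) rollout of a security
parameter across a set of fabric elements. Added illustration of claims 1,
14 and 16; not the patent's own code. Element, the distributor functions,
the 'policy_version' parameter and the three-switch fabric are assumptions."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Element:
    """One network element (e.g. a switch) with a pending and an active database."""
    name: str
    reachable: bool = True                       # False models an element that misses the distribution
    pending: dict = field(default_factory=dict)  # claim 16: "pending database"
    active: dict = field(default_factory=dict)   # claim 16: "active database"
    isolated: set = field(default_factory=set)   # peers this element refuses to talk to

    def receive(self, key, value):
        """Store the parameter without acting on it; True is the acknowledgement."""
        if not self.reachable:
            return False
        self.pending[key] = value
        return True

    def commit(self, key):
        """Move the parameter from the pending to the active database."""
        if self.reachable and key in self.pending:
            self.active[key] = self.pending.pop(key)
            return True
        return False

    def security_info(self, key):
        """What this element sends to a peer during the initialize step."""
        return self.active.get(key)

    def check_peer(self, peer, key):
        """Second-element side of the pairwise exchange: compare the peer's
        security info with our own; on mismatch take corrective action
        (assumed here to be isolating the link to that peer)."""
        if peer.security_info(key) != self.active.get(key):
            self.isolated.add(peer.name)
            return False
        return True


def pairwise_initialize(elements, key):
    """Initialize command: every pair exchanges security info in both directions."""
    bad = []
    for a, b in combinations(elements, 2):
        if not (b.check_peer(a, key) and a.check_peer(b, key)):
            bad.append((a.name, b.name))
    return bad


def two_phase_activate(elements, key, value):
    """Claims 1/14/16: distribute to all, commit only after every element has
    acknowledged, then have the elements pairwise exchange and verify."""
    acks = {e.name: e.receive(key, value) for e in elements}
    if not all(acks.values()):
        # Non-disruptive: nothing has been activated, so the set still agrees
        # on the old value and no link is broken.
        missing = sorted(n for n, ok in acks.items() if not ok)
        return {"phase": "aborted", "missing": missing, "incompatible": []}
    for e in elements:
        e.commit(key)
    return {"phase": "active", "missing": [],
            "incompatible": pairwise_initialize(elements, key)}


def single_phase_activate(elements, key, value):
    """Naive rollout for contrast: each element activates as soon as it
    receives the parameter, even if a peer never received it."""
    for e in elements:
        if e.receive(key, value):
            e.commit(key)
    return {"phase": "active", "missing": [],
            "incompatible": pairwise_initialize(elements, key)}


def build_fabric(lost=None):
    """Constructed three-switch fabric, all on policy version 1; 'lost' names
    a switch that is unreachable while the parameter is being distributed."""
    fabric = [Element(n, reachable=(n != lost)) for n in ("sw1", "sw2", "sw3")]
    for e in fabric:
        e.active["policy_version"] = 1
    return fabric


if __name__ == "__main__":
    print(two_phase_activate(build_fabric(), "policy_version", 2))
    print(two_phase_activate(build_fabric(lost="sw3"), "policy_version", 2))
    print(single_phase_activate(build_fabric(lost="sw3"), "policy_version", 2))
```

With sw3 unreachable, the two-phase path aborts before any commit and every switch keeps policy version 1, whereas the single-phase path leaves sw1 and sw2 on version 2 and sw3 on version 1, so the initialize exchange isolates both of sw3's links. The pairwise check after commit is still worth running in the two-phase path: it catches an element whose acknowledgement was genuine but whose commit failed, which the acknowledgement alone cannot reveal.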