NETWORK ADAPTER BASED ZONING ENFORCEMENT
First Claim
1. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
receiving, by the end point device, a set of addresses to which the end point device has access;
saving the set of addresses in a table at the end point device;
monitoring all communications sent and received by the end point device, the monitoring being performed by the end point device;
discarding communications that are received by the end point device and that do not include an address from the table as a source address; and
discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.
7 Assignments
0 Petitions
Abstract
Embodiments of the present invention are directed to enforcing zoning at a network adapter of an end point device. Thus, a network adapter can monitor the communications that are sent and/or received by the adapter and discard communications that are prohibited based on the zoning rules applicable to the adapter. In some embodiments, zoning configuration information can be defined and stored at a central entity and sent to the various network adapters. Alternatively, or in addition, each network adapter can also check outgoing communications to ensure that they include a proper source address. More specifically, outgoing communications may be checked to ensure that their source address is the address (or one of the addresses) that are associated with the network adapter. This can be used to detect and/or prevent malfunctions and/or intentional tampering or hacking.
33 Claims
1. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
receiving, by the end point device, a set of addresses to which the end point device has access;
saving the set of addresses in a table at the end point device;
monitoring all communications sent and received by the end point device, the monitoring being performed by the end point device;
discarding communications that are received by the end point device and that do not include an address from the table as a source address; and
discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.
Dependent claims: 2-12.
13. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
receiving, by the end point device, a set of addresses to which the end point device has access;
saving the set of addresses in a table at the end point device;
monitoring all communications received by the end point device, the monitoring being performed by the end point device; and
discarding communications that are received by the end point device and that do not include an address from the table as a source address.
14. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
receiving, by the end point device, a set of addresses to which the end point device has access;
saving the set of addresses in a table at the end point device;
monitoring all communications sent by the end point device, the monitoring being performed by the end point device; and
discarding communications that are attempted to be sent by the end point device but do not include an address from the table as a destination address.
15. A method for enforcing network zoning at an end point device connected to a network, the method comprising:
assigning one or more addresses to the end point device;
monitoring all communications sent by the end point device, the monitoring being performed by the end point device; and
discarding communications that are attempted to be sent by the end point device but do not include an address that is among the one or more assigned addresses as a source address.
Dependent claims: 16-17.
18. A network adapter comprising:
a network processing module connected to a network, including a memory and configured to process, send and receive network communications; and
a zoning enforcement module connected to the network processing module and configured to:
receive a set of addresses to which the network adapter has access;
save the set of addresses in a table in the memory;
monitor all communications sent and received by the network processing module;
discard communications that are received by the network processing module and that do not include an address from the table as a source address; and
discard communications that are attempted to be sent by the network processing module but do not include an address from the table as a destination address.
Dependent claims: 19-28.
29. A network adapter comprising:
a network processing module connected to a network, including a memory and configured to process, send and receive network communications; and
a zoning enforcement module connected to the network processing module and configured to:
receive a set of addresses to which the network adapter has access;
save the set of addresses in a table in the memory;
monitor all communications sent by the network processing module; and
discard communications that are attempted to be sent by the network processing module but do not include an address from the table as a destination address.
30. A network adapter comprising:
a network processing module connected to a network, including a memory and configured to process, send and receive network communications; and
a zoning enforcement module connected to the network processing module and configured to:
receive a set of addresses to which the network adapter has access;
save the set of addresses in a table in the memory;
monitor all communications received by the network processing module; and
discard communications that are received by the network processing module and that do not include an address from the table as a source address.
31. A network adapter associated with one or more addresses and comprising:
a network processing module connected to a network, including a memory and configured to process, send and receive network communications; and
a self-checking module connected to the network processing module and configured to:
monitor all communications sent by the network processing module; and
discard communications that are attempted to be sent by the network processing module but do not include an address among the one or more addresses associated with the network adapter as a source address.
32. A method for enforcing network zoning at a network comprising a plurality of end point devices, each end point device being associated with one or more addresses, at least one end point device being associated with two or more addresses, each combination of an end point device and an address associated therewith defining an effective device, the plurality of end point devices thus defining a plurality of effective devices, the method comprising:
assigning the plurality of effective devices to a plurality of zones, so that each effective device is a member of one or more zones;
composing a plurality of sets of addresses, each set of addresses being associated with a respective effective device and including the addresses of all effective devices which are members of at least one zone of which the respective effective device is a member;
sending each set of addresses to its respective effective device; and
for each effective device: receiving a set of addresses to which the effective device has access, saving the set of addresses in a table, monitoring all communications sent and received by the effective device, discarding communications that are received by the effective device and that do not include an address from the table as a source address, and discarding communications that are attempted to be sent by the effective device but do not include an address from the table as a destination address.
33. A network comprising:
a plurality of end point devices, each end point device being associated with one or more addresses, at least one end point device being associated with two or more addresses, each combination of an end point device and an address associated therewith defining an effective device, the plurality of end point devices thus defining a plurality of effective devices; and
a zoning database entity configured to assign the plurality of effective devices to a plurality of zones, so that each effective device is a member of one or more zones, compose a plurality of sets of addresses, each set of addresses being associated with a respective effective device and including the addresses of all effective devices which are members of at least one zone of which the respective effective device is a member, and send each set of addresses to its respective effective device,
wherein each effective device is configured to: receive a set of addresses to which the effective device has access, save the set of addresses in a table, monitor all communications sent and received by the effective device, discard communications that are received by the effective device and that do not include an address from the table as a source address, and discard communications that are attempted to be sent by the effective device but do not include an address from the table as a destination address.
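The two halves of the scheme in claims 32 and 33, the central zoning database that composes one address set per effective device and the adapter-side enforcement of claims 1, 15, 18 and 31, can be modelled end to end in a few dozen lines. The Python below is an added illustration, not code from the patent or its assignee; the zone names, device names and addresses (A1, D1, B1 and so on) are constructed, and the three drop reasons are labels chosen here, not terms from the claims.

```python
"""Model of network-adapter zoning enforcement as described in the claims.
Added example (not the patent's own code): the zones, device names and
addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# An "effective device" (claims 32/33) is one (end point device, address) pair.
EffectiveDevice = Tuple[str, str]


def compose_address_sets(
    zones: Dict[str, Set[EffectiveDevice]],
) -> Dict[EffectiveDevice, FrozenSet[str]]:
    """Central zoning database step (claim 32): for every effective device,
    collect the addresses of all effective devices that share at least one
    zone with it. The device's own address is included, since it is a member
    of that zone itself."""
    sets: Dict[EffectiveDevice, Set[str]] = {}
    for members in zones.values():
        zone_addresses = {addr for _, addr in members}
        for dev in members:
            sets.setdefault(dev, set()).update(zone_addresses)
    return {dev: frozenset(addrs) for dev, addrs in sets.items()}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class ZoningAdapter:
    """Adapter-side enforcement (claims 1, 15, 18, 31): a table of permitted
    addresses pushed from the zoning database, plus the adapter's own
    assigned address(es) for the outbound source self-check."""
    own_addresses: FrozenSet[str]
    table: FrozenSet[str] = frozenset()
    # (reason, frame) for every discarded communication; a real adapter would
    # count or log these so that spoofing or misconfiguration becomes visible.
    dropped: List[Tuple[str, Frame]] = field(default_factory=list)

    def load_table(self, addresses: FrozenSet[str]) -> None:
        """Save the received set of addresses (the 'table' of the claims)."""
        self.table = frozenset(addresses)

    def on_receive(self, frame: Frame) -> bool:
        """Accept an inbound frame only if its source address is in the table."""
        if frame.src not in self.table:
            self.dropped.append(("rx-source-outside-zone", frame))
            return False
        return True

    def on_send(self, frame: Frame) -> bool:
        """Accept an outbound frame only if its source is one of this adapter's
        own addresses (self check, claims 15/31) and its destination is in the
        table (zoning check, claims 1/18)."""
        if frame.src not in self.own_addresses:
            self.dropped.append(("tx-source-not-own-address", frame))
            return False
        if frame.dst not in self.table:
            self.dropped.append(("tx-destination-outside-zone", frame))
            return False
        return True


# Constructed sample fabric: host1 carries two addresses (A1, A2), so it is two
# effective devices in different zones; disk1 likewise (D1, D2).
SAMPLE_ZONES: Dict[str, Set[EffectiveDevice]] = {
    "zone_A": {("host1", "A1"), ("disk1", "D1")},
    "zone_B": {("host1", "A2"), ("host2", "B1"), ("disk1", "D2")},
}


def run_scenario() -> List[str]:
    """Build the tables centrally, push one to the host1/A1 effective device
    and exercise it. Returns the drop reasons in order."""
    tables = compose_address_sets(SAMPLE_ZONES)
    host1_a1 = ZoningAdapter(own_addresses=frozenset({"A1"}))
    host1_a1.load_table(tables[("host1", "A1")])

    host1_a1.on_receive(Frame(src="D1", dst="A1"))  # allowed: D1 shares zone_A
    host1_a1.on_receive(Frame(src="B1", dst="A1"))  # dropped: B1 is in zone_B only
    host1_a1.on_send(Frame(src="A1", dst="D1"))     # allowed
    host1_a1.on_send(Frame(src="A1", dst="D2"))     # dropped: D2 not in the table
    host1_a1.on_send(Frame(src="X9", dst="D1"))     # dropped: X9 is not this adapter's address
    return [reason for reason, _ in host1_a1.dropped]


if __name__ == "__main__":
    for reason in run_scenario():
        print(reason)
```

Note that the outbound checks are ordered so that a frame with a forged source is reported as spoofing before the destination is even consulted; that matches the abstract's point that the source self-check exists to expose malfunction or tampering, independent of the zone table. The inbound check is deliberately the only criterion on receive: the adapter does not need to know which zone the sender is in, only whether the sender's address was pushed to it by the zoning database.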