Method and apparatus for preventing unauthorized access by a network device

US 7,260,636 B2
Filed: 12/22/2000
Issued: 08/21/2007
Est. Priority Date: 12/22/2000
Status: Active Grant

First Claim

Patent Images

1. A method for use in a computer system including a plurality of devices each having a first identifier that uniquely identifies the respective device, a shared resource shared by the plurality of devices, and a network that couples the plurality of devices to the shared resource, the network assigning a second identifier to each of the plurality of devices, the second identifier indicating a port of at least one network component through which the respective device accesses the network, the method including acts of:

(a) in response to one of the plurality of devices attempting to access the shared resource and representing itself to the shared resource as a first device using the first identifier, determining, using the second identifier, whether the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the shared resource; and

(b) when it is determined in the act (a) that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port, denying the attempted access by the one of the plurality of devices to the shared resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for a networked computer system including a plurality of devices and a shared resource. In response to one of the devices attempting to access the shared resource and representing itself to the shared resource as a first device, determining whether the device is attempting to access the shared resource through a physical connection through the network that is different than a physical connection used by the first device to access the shared resource, and when it is, denying the attempted access.

86 Citations

View as Search Results

66 Claims

1. A method for use in a computer system including a plurality of devices each having a first identifier that uniquely identifies the respective device, a shared resource shared by the plurality of devices, and a network that couples the plurality of devices to the shared resource, the network assigning a second identifier to each of the plurality of devices, the second identifier indicating a port of at least one network component through which the respective device accesses the network, the method including acts of:
- (a) in response to one of the plurality of devices attempting to access the shared resource and representing itself to the shared resource as a first device using the first identifier, determining, using the second identifier, whether the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the shared resource; and
  
  (b) when it is determined in the act (a) that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port, denying the attempted access by the one of the plurality of devices to the shared resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 56)
- - 2. The method of claim 1, wherein the attempted access by the one of the plurality of devices is an attempt to login to the shared resource, and wherein the act (b) includes an act of:
    - when it is determined in the act (a) that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port, denying the attempted login by the one of the plurality of devices to the shared resource.
  - 3. The method of claim 1, wherein the network is a Fibre Channel fabric, wherein the one of the plurality of devices and the first device each has an assigned world wide name (WWN) as the first identifier and a fabric identifier (fabric ID) as the second identifier;
    - wherein the method further includes a step of storing the WWN and the fabric ID of the first device in response to an access by the first device to the shared resource; and
      
      wherein the act (a) is performed in response to an access, that occurs after the access by the first device, by the one of the plurality of devices to the shared resource and includes acts of;
      
      examining a value of the WWN presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself as being the first device;
      
      comparing a value of the fabric ID presented by the one of the plurality of devices to the stored fabric ID for the first device; and
      
      determining that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored fabric ID for the first device.
  - 4. The method of claim 1, wherein the network employs a protocol wherein the first identifier uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and the second identifier uniquely identifies the device in a manner that is dependent upon the physical configuration of the computer system;
    - wherein the method further includes a step of storing the first and second identifiers of the first device in response to an access by the first device to the shared resource; and
      
      wherein the act (a) is performed in response to an access, that occurs after the access by the first device, by the one of the plurality of devices to the shared resource and includes acts of;
      
      examining a value of the first identifier presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself to be the first device;
      
      comparing a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determining that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.
  - 5. The method of claim 1, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as the first device, determining whether the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than a first port of the at least one network component that the first device uses to access the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port, denying the attempted access by the one of the plurality of devices to the storage system.
  - 6. The method of claim 5, wherein the acts (a) and (b) are performed by the storage system.
  - 7. The method of claim 5, wherein the acts (a) and (b) are performed outside of the storage system.
  - 8. The method of claim 7, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.
  - 9. The method of claim 2, wherein the network is a Fibre Channel fabric, wherein the one of the plurality of devices and the first device each has an assigned world wide name (WWN) as the first identifier and a fabric identifier (fabric ID) as the second identifier;
    - wherein the method further includes a step of storing the WWN and the fabric ID of the first device in response to a login by the first device to the shared resource; and
      
      wherein the act (a) is performed in response to a login attempt, that occurs after the login by the first device, by the one of the plurality of devices to the shared resource and includes acts of;
      
      examining a value of the WWN presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself as being the first device;
      
      comparing a value of the fabric ID presented by the one of the plurality of devices to the stored fabric ID for the first device; and
      
      determining that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored fabric ID for the first device.
  - 10. The method of claim 9, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as the first device, determining whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port, denying the attempted login by the one of the plurality of devices to the storage system.
  - 11. The method of claim 10, wherein the acts (a) and (b) are performed by the storage system.
  - 12. The method of claim 10, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.
  - 13. The method of claim 2, wherein the network employs a protocol wherein the first identifier uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and the second identifier uniquely identifies the device in a manner that is dependent upon the physical configuration of the computer system;
    - wherein the method further includes a step of storing the first and second identifiers of the first device in response to a login by the first device to the shared resource; and
      
      wherein the act (a) is performed in response to a login request, that occurs after the login by the first device, by the one of the plurality of devices to the shared resource and includes acts of;
      
      examining a value of the first identifier presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself to be the first device;
      
      comparing a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determining that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.
  - 14. The method of claim 13, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as the first device, determining whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port, denying the attempted login by the one of the plurality of devices to the storage system.
  - 15. The method of claim 14, wherein the acts (a) and (b) are performed by the storage system.
  - 16. The method of claim 14, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.
  - 17. The method of claim 3, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as a first device, determining whether the one of the plurality of devices is attempting to access the storage system through a physical connection to the at least one network component that is different than a first physical connection through the network used by the first device to access the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port, denying the attempted access by the one of the plurality of devices to the storage system.
  - 18. The method of claim 17, wherein the acts (a) and (b) are performed by the storage system.
  - 19. The method of claim 17, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.
  - 20. The method of claim 4, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as a first device, determining whether the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port, denying the attempted access by the one of the plurality of devices to the storage system.
  - 21. The method of claim 20, wherein the acts (a) and (b) are performed by the storage system.
  - 22. The method of claim 20, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.
  - 56. The method of claim 2, wherein the shared resource is a storage system;
    - wherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as the first device, determining whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than a first port of the at least one network component that the first device uses to login to the storage system; and
      
      wherein the act (b) includes an act of, when it is determined in the act (a) that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port, denying the attempted login by the one of the plurality of devices to the storage system.

23. A method for use in a computer system including a plurality of devices, a storage system shared by the plurality of devices, and a network that couples the plurality of devices to the storage system, wherein the network employs a protocol wherein each of the plurality of devices has a first identifier that uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and a second identifier that uniquely identifies a port of at least one network component through which the respective device accesses the network, the method including acts of:
- (a) in response to a login of a first device of the plurality of devices to the storage system, storing the first and second identifiers of the first device;
  
  (b) in response to an attempt, subsequent to the act (a), by one of the plurality of devices to login to the storage system while representing itself to the storage system as the first device, determining whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to login to the storage system in the act (a), including acts of;
  
  (b1) examining a value of the first identifier presented by the one of the plurality of devices to the storage system to determine that the one of the plurality of devices is representing itself to be the first device;
  
  (b2) comparing a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
  
  (b3) determining that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device; and
  
  (c) when it is determined in the act (b3) that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port, denying the attempted login by the one of the plurality of devices to the storage system.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, wherein the network is a Fibre Channel fabric, wherein the first identifier is a world wide name (WWN) and the second identifier is a fabric identifier (fabric ID);
    - wherein the act (a) includes an act of, in response to a login of first device to the storage system, storing the WWN and the fabric ID of the first device;
      
      wherein the act (b1) includes an act of examining a value of the WWN presented by the one of the plurality of devices to determine that the one of the plurality of devices is representing itself to be the first device;
      
      wherein the act (b2) includes an act of comparing a value of the fabric ID presented by the one of the plurality of devices to the stored value of the fabric ID for the first device; and
      
      wherein the act (b3) includes an act of determining that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored value of the fabric ID for the first device.
  - 25. The method of claim 23, wherein the acts (a) and (b) are performed by the storage system.
  - 26. The method of claim 23, wherein the acts (a) and (b) are performed by a device disposed between the storage system and the network.

27. A method for use in a computer system including a network and a plurality of devices coupled to the network, the network employing a protocol wherein each of the plurality of devices has a first identifier that uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and a second identifier that uniquely identifies a port on at least one network component at which the respective device is connected, the at least one network component assigning a unique value for the second identifier to each of the plurality of devices that is logged into the network, the method including acts of:
- (a) in response to one of the plurality of devices attempting to login to the network and representing itself to the network as a first device, determining whether the one of the plurality of devices is attempting to login to the network through a port on the at least one network component that is different than a first port of the at least one network component through which the first device previously logged into the network; and
  
  (b) when it is determined in the act (a) that the one of the plurality of devices is attempting to access the network through a port that is different than the first port, denying the attempted login by the one of the plurality of devices to the network.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method of claim 27, wherein the at least one network component includes at least one switch having a first switch port that forms the first port through which the first device previously logged into the network;
    - andwherein the act (a) includes an act of, in response to the one of the plurality of devices attempting to login to the network and representing itself to the network as the first device, determining whether the one of the plurality of devices is attempting to login to the network through a port different than the first switch port.
  - 29. The method of claim 27, further including an act of preventing at least one of the plurality of devices from transmitting information through the network while representing itself with a value for the second identifier that differs from its value assigned by the at least one network component.
  - 30. The method of claim 27, wherein the network is a Fibre Channel fabric, wherein the first identifier is a world wide name (WWN) and the second identifier is a fabric identifier (fabric ID);
    - wherein the method further includes an act of, in response to the previous login of the first device into the network, storing the WWN and the fabric ID of the first device; and
      
      wherein the act (a) includes acts of;
      
      examining a value of the WWN presented by the one of the plurality of devices during the attempted login to determine that the one of the plurality of devices is representing itself to be the first device;
      
      comparing a value of the fabric ID presented by the one of the plurality of devices to the stored value of the fabric ID for the first device; and
      
      determining that the one of the plurality of devices is attempting to access the network through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored value of the fabric ID for the first device.
  - 31. The method of claim 27, wherein the method further includes an act of, in response to the previous login of the first device into the network, storing the first and second identifiers of the first device;
    - andwherein the act (a) includes acts of;
      
      examining a value of the first identifier presented by the one of the plurality of devices during the attempted login to determine that the one of the plurality of devices is representing itself to be the first device;
      
      comparing a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determining that the one of the plurality of devices is attempting to access the network through a port different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.

32. An apparatus for use in a computer system including a plurality of devices, a shared resource shared by the plurality of devices each having a first identifier that uniquely identifies the respective device, and a network that couples the plurality of devices to the shared resource, the network assigning a second identifier to each of the plurality of devices, the second identifier indicating a port of at least one network component at which the respective device is connected, the apparatus including:
- an input to be coupled to the network; and
  
  at least one controller, coupled to the input, that is responsive to one of the plurality of devices attempting to access the shared resource while representing itself to the shared resource as a first device via the first identifier, to determine, based at least in part on the second identifier, whether the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the shared resource, and to deny the attempted access by the one of the plurality of devices to the shared resource when it is determined that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 33. The apparatus of claim 32, wherein the attempted access by the one of the plurality of devices is an attempt to login to the shared resource, and wherein the at least one controller denies the attempted login when it is determined that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port.
  - 34. The apparatus of claim 32, wherein the network is a Fibre Channel fabric, wherein the first identifier includes a world wide name (WWN) and the second identifier includes a fabric identifier (fabric ID);
    - wherein the apparatus further includes a storage device coupled to the at least one controller;
      
      wherein the at least one controller stores the WWN and the fabric ID of the first device in the storage device in response to an access by the first device to the shared resource; and
      
      wherein when the one of the plurality of devices attempts to access the shared resource after the access by the first device, the at least one controller;
      
      examines a value of the WWN presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself as being the first device;
      
      compares a value of the fabric ID presented by the one of the plurality of devices to the stored fabric ID for the first device; and
      
      determines that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored fabric ID for the first device.
  - 35. The apparatus of claim 32, wherein the network employs a protocol wherein the first identifier uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and the second identifier uniquely identifies the device in a manner that is dependent upon the physical configuration of the computer system;
    - wherein the apparatus further includes a storage device coupled to the at least one controller;
      
      wherein the at least one controller stores the first and second identifiers of the first device in the storage device in response to an access by the first device to the shared resource; and
      
      wherein when the one of the plurality of devices attempts to access the shared resource after the access by the first device, the at least one controller;
      
      examines a value of the first identifier presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself to be the first device;
      
      compares a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determines that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.
  - 36. The apparatus of claim 32, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted access by the one of the plurality of devices to the storage system.
  - 37. The apparatus of claim 36, in combination with the storage system, wherein the at least one controller and the input each is disposed within the storage system.
  - 38. The apparatus of claim 36, wherein the at least one controller and the input each is disposed outside of the storage system.
  - 39. The apparatus of claim 38, wherein the apparatus includes a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 40. The apparatus of claim 33, wherein the network is a Fibre Channel fabric and wherein the first identifier includes a world wide name (WWN) and the second identifier includes a fabric identifier (fabric ID);
    - wherein the at least one controller stores the WWN and the fabric ID of the first device in response to a login by the first device to the shared resource; and
      
      wherein when the one of the plurality of devices attempts to login to the shared resource after the login by the first device, the at least one controller;
      
      examines a value of the WWN presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself as being the first device;
      
      compares a value of the fabric ID presented by the one of the plurality of devices to the stored fabric ID for the first device; and
      
      determines that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored fabric ID for the first device.
  - 41. The apparatus of claim 40, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted login by the one of the plurality of devices to the storage system.
  - 42. The apparatus of claim 41, in combination with the storage system, wherein the at least one controller and the input each is disposed within the storage system.
  - 43. The apparatus of claim 41, wherein the apparatus includes a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 44. The apparatus of claim 33, wherein the network employs a protocol wherein the first identifier uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and the second identifier uniquely identifies the device in a manner that is dependent upon the physical configuration of the computer system;
    - wherein the apparatus further includes a storage device coupled to the at least one controller;
      
      wherein the at least one controller stores the first and second identifiers of the first device in the storage device in response to a login by the first device to the shared resource; and
      
      wherein when the one of the plurality of devices attempts to login to the shared resource after the login by the first device, the at least one controller;
      
      examines a value of the first identifier presented by the one of the plurality of devices to the shared resource to determine that the one of the plurality of devices is representing itself to be the first device;
      
      compares a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determines that the one of the plurality of devices is attempting to login to the shared resource through a port of the at least one network component that is different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.
  - 45. The apparatus of claim 44, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first physical connection; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted login by the one of the plurality of devices to the storage system.
  - 46. The apparatus of claim 45, in combination with the storage system, wherein the at least one controller and the input each is disposed within the storage system.
  - 47. The apparatus of claim 45, wherein the apparatus includes a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 48. The apparatus of claim 34, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted access by the one of the plurality of devices to the storage system.
  - 49. The apparatus of claim 48, in combination with the storage system, wherein the at least one controller and the input each is disposed within the storage system.
  - 50. The apparatus of claim 48, wherein the apparatus includes a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 51. The apparatus of claim 35, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to access the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted access by the one of the plurality of devices to the storage system.
  - 52. The apparatus of claim 51, in combination with the storage system, wherein the at least one controller and the input each is disposed within the storage system.
  - 53. The apparatus of claim 51, wherein the apparatus includes a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 54. The apparatus of claim 32, wherein the at least one controller includes:
    - means, responsive to the one of the plurality of devices attempting to access the shared resource while representing itself to the shared resource as a first device, for determining whether the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than a first port of the at least one network component used by the first device to access the shared resource; and
      
      means for denying the attempted access by the one of the plurality of devices to the shared resource when it is determined that the one of the plurality of devices is attempting to access the shared resource through a port of the at least one network component that is different than the first port.
  - 55. The apparatus of claim 33, wherein the shared resource is a storage system;
    - wherein in response to the one of the plurality of devices attempting to login to the storage system and representing itself to the storage system as a first device, the at least one controller determines whether the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port; and
      
      wherein when it is determined that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port the at least one controller denies the attempted login by the one of the plurality of devices to the storage system.

57. An apparatus for use in a computer system including a plurality of devices, a storage system shared by the plurality of devices, and a network that couples the plurality of devices to the storage system, wherein the network employs a protocol wherein each of the plurality of devices has a first identifier that uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and a second identifier that uniquely identifies a port on at least one network component through which the respective device connects to the network, the apparatus comprising:
- an input to be coupled to the network;
  
  a storage device; and
  
  at least one controller, coupled to the network and the storage device, that is responsive to a login of a first device of the plurality of devices to the storage system to store the first and second identifiers of the first device in the storage device;
  
  the at least one controller further being responsive to an attempt, after the login by the first device, by one of the plurality of devices to login to the storage system, while representing itself to the storage system as the first device, to;
  
  examine a value of the first identifier presented by the one of the plurality of devices to the storage system to determine that the one of the plurality of devices is representing itself to be the first device;
  
  compare a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device;
  
  determine that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than a first port of the at least one network component used by the first device in logging into the storage system when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device; and
  
  deny the attempted login by the one of the plurality of devices to the storage system when it is determined that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port.
- View Dependent Claims (58, 59, 60, 61)
- - 58. The apparatus of claim 57, wherein the network is a Fibre Channel fabric, wherein the first identifier is a world wide name (WWN) and the second identifier is a fabric identifier (fabric ID);
    - wherein the at least one controller stores the WWN and the fabric ID of the first device in the storage device in response to the login by the first device to the storage system; and
      
      wherein when the one of the plurality of devices attempts to login to the storage system after the login by the first device, the at least one controller;
      
      examines a value of the WWN presented by the one of the plurality of devices to the storage system to determine that the one of the plurality of devices is representing itself as being the first device;
      
      compares a value of the fabric ID presented by the one of the plurality of devices to the stored fabric ID for the first device; and
      
      determines that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored fabric ID for the first device.
  - 59. The apparatus of claim 57, in combination with the storage system, wherein the at least one controller, the storage device and the input each is disposed within the storage system.
  - 60. The apparatus of claim 57, further including a filter unit that includes the input and the at least one controller and is adapted to be disposed between the storage system and the network.
  - 61. The apparatus of claim 57, wherein the at least one controller includes:
    - means, responsive to the login of a first device of the plurality of devices to the storage system, to store the first and second identifiers of the first device in the storage device;
      
      means, responsive to an attempt, after the login by the first device, by one of the plurality of devices to login to the storage system, while representing itself to the storage system as the first device, for examining a value of the first identifier presented by the one of the plurality of devices to the storage system to determine that the one of the plurality of devices is representing itself to be the first device and for comparing a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device;
      
      means for determining that the one of the plurality of devices is attempting to access the storage system through a port of the at least one network component that is different than a first port used by the first device in logging into the storage system when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device; and
      
      means for denying the attempted login by the one of the plurality of devices to the storage system when it is determined that the one of the plurality of devices is attempting to login to the storage system through a port of the at least one network component that is different than the first port.

62. An apparatus for use in a computer system including a network and a plurality of devices coupled to the network, the network employing a protocol wherein each of the plurality of devices has a first identifier that uniquely identifies the device in a manner that is independent of a physical configuration of the computer system and a second identifier that uniquely identifies a port of at least one network component at which the respective device is connected, the at least one network component assigning a unique value for the second identifier to each of the plurality of devices that is logged into the network, the apparatus comprising:
- at least one input to be coupled to at least one of the plurality of devices; and
  
  at least one controller that is responsive to one of the plurality of devices attempting to login to the network and representing itself to the network as a first device, to determine whether the one of the plurality of devices is attempting to login to the network through a port that is different than a first port of the at least one network component through which the first device previously logged into the network, and to deny the attempted login by the one of the plurality of devices to the network when the one of the plurality of devices is attempting to login to the network through a port of the at least one network component that is different than the first port.
- View Dependent Claims (63, 64, 65, 66)
- - 63. The apparatus of claim 62, in combination with a network switch to form at least a portion of the network, wherein the at least one controller is disposed within the switch.
  - 64. The apparatus of claim 62, wherein the at least one controller prevents at least one of the plurality of devices from transmitting information through the network while representing itself with a value for the second identifier that differs from its value assigned by the at least one network component.
  - 65. The apparatus of claim 62, wherein the network is a Fibre Channel fabric, wherein the first identifier is a world wide name (WWN) and the second identifier is a fabric identifier (fabric ID);
    - wherein the apparatus further includes a storage device coupled to the at least one controller;
      
      wherein the at least one controller stores the WWN and the fabric ID of the first device in response to the login of the first device into the network; and
      
      wherein when the one of the plurality of devices attempts to login to the shared resource after the login by the first device, the at least one controller;
      
      examines a value of the WWN presented by the one of the plurality of devices during the attempted login to determine that the one of the plurality of devices is representing itself to be the first device;
      
      compares a value of the fabric ID presented by the one of the plurality of devices to the stored value of the fabric ID for the first device; and
      
      determines that the one of the plurality of devices is attempting to access the network through a port of the at least one network component that is different than the first port when the value of the fabric ID presented by the one of the plurality of devices mismatches the stored value of the fabric ID for the first device.
  - 66. The apparatus of claim 62, wherein the apparatus further includes a storage device coupled to the at least one controller;
    - wherein the at least one controller stores the first and second identifiers of the first device in response to the login of the first device into the network; and
      
      wherein when the one of the plurality of devices attempts to login to the shared resource after the login by the first device, the at least one controller;
      
      examines a value of the first identifier presented by the one of the plurality of devices during the attempted login to determine that the one of the plurality of devices is representing itself to be the first device;
      
      compares a value of the second identifier presented by the one of the plurality of devices to the stored value of the second identifier for the first device; and
      
      determines that the one of the plurality of devices is attempting to access the network through a port of the at least one network component different than the first port when the value of the second identifier presented by the one of the plurality of devices mismatches the stored value of the second identifier for the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Fitzgerald, John T., Blumenau, Steven M., Madden, John F. Jr.
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
HO, THOMAS

Application Number

US09/748,053
Publication Number

US 20020083339A1
Time in Patent Office

2,433 Days
Field of Search

710/11, 714/4, 709/225, 709/218, 709/229, 709/227, 709/228, 709/220
US Class Current

709/227
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

Method and apparatus for preventing unauthorized access by a network device

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing unauthorized access by a network device

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links