Storage area network (SAN) security
Abstract
A method for the binary zoning of a Storage Area Network (SAN) for security is disclosed, for a SAN with physical devices consisting of a first array of hosts (1) and a second array of storage devices (4), and a SAN Switch (2, 2A) coupled intermediate the hosts and the storage devices. The SAN Switch routes I/O commands and accepts zoning commands. The method is based on starting operation of the SAN with mutually isolated physical devices and accepting zoning commands only after running security verification procedures requiring that hosts be authenticated and that storage devices be identified. Zoning is dynamically controlled from a workstation (8) operated by a System Administrator entering meta-zoning instructions which are used to automatically program the zoning of the SAN Switch for legitimate physical devices. The method is implemented for security and booting of a SAN.
34 Claims

1. A method for implementing security and booting of a Storage Area Network, SAN, the SAN including:

physical devices having a first array of hosts and a second array of storage devices, a storage network with network links, a users network with user network links, and a SAN Switch coupled intermediate the first array of hosts and the second array of storage devices and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands to define zones for communication between at least one host and at least one storage device, the SAN Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link, the method comprising the steps of: coupling a SAN Firewall by the storage network link to a SAN-Firewall-port (sf) accommodated in the SAN Switch and coupled by the users network link to the users network, and configuring the SAN Firewall to operate an encrypted authentication procedure and to automatically program the SAN Switch into zones, with each zone residing first in default zoning out of a binary zoning comprising: in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port (sf) coupled to the SAN Firewall and connected to a second device port coupled to and isolating a physical device of the physical devices, the SAN Firewall operating an encrypted authentication procedure authenticating each host out of the array of hosts and at least one security verification procedure on the isolated physical device prior to permitting work zone coupling, and in work zoning thereafter, at least one working zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only authenticated hosts and security verified physical devices counting at least one host port, and at least one storage device port.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 27, 28, 29, 30, 31, 32, 33, 34

14. A system for operating security and booting of a Storage Area Network, SAN, including:

physical devices comprising a first array of hosts and a second array of storage devices, a storage network with storage network links, a users network with user network links, and a SAN Switch coupled intermediate the first array of hosts and the second array of storage devices and to each physical device via network links, and coupled to the users network via the users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the SAN Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link, the system comprising: a SAN Firewall coupled by the storage network link to a SAN-Firewall-port (sf) accommodated in the SAN Switch and coupled by the user network link to the users network, the SAN Firewall being configured to operate an encrypted authentication procedure and to automatically program the SAN Switch into zones, with each zone residing first in default zoning out of a binary zoning comprising: in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port coupled to the SAN Firewall and connected to a second device port coupled to and isolating a physical device of the physical devices, the SAN Firewall operating an encrypted authentication procedure authenticating each host out of the array of hosts and operating at least one security verification procedure on the isolated physical device prior to permitting work zone coupling, and in work zoning thereafter, at least one working zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only authenticated hosts and security verified physical devices counting at least one host port, and at least one storage device port.

Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
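The abstract and claims 1 and 14 describe one control flow: every device boots isolated in a two-port default zone with the SAN-Firewall port, and a three-port working zone is programmed only after the host has passed an encrypted authentication and the storage device a security verification. The following Python model is an added example written for this page, not code from the patent or any vendor; the HMAC challenge-response, the pre-shared host keys and the storage allow-list are assumptions standing in for the unspecified "encrypted authentication" and "security verification" procedures, and all device and port names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SF_PORT = "sf"  # switch port that couples the SAN Firewall (the "(sf)" port of the claims)


@dataclass
class SanSwitch:
    """Switch model: a port table plus a zoning table (each zone is a frozenset of port names)."""
    ports: dict                      # port name -> attached device id
    zones: set = field(default_factory=set)

    def port_of(self, device):
        return next(p for p, d in self.ports.items() if d == device)

    def can_talk(self, dev_a, dev_b):
        """Two devices may exchange I/O only if some zone contains both of their ports."""
        pa, pb = self.port_of(dev_a), self.port_of(dev_b)
        return any(pa in z and pb in z for z in self.zones)


def zoning_is_binary(switch, kinds):
    """Invariant from the claims: every zone contains the sf port and is either a
    two-port default zone or a working zone with at least one host and one storage port."""
    for z in switch.zones:
        if SF_PORT not in z or len(z) < 2:
            return False
        if len(z) == 2:
            continue  # default zone: sf plus one isolated device
        members = {kinds[switch.ports[p]] for p in z if p != SF_PORT}
        if "host" not in members or "storage" not in members:
            return False
    return True


@dataclass
class SanFirewall:
    switch: SanSwitch
    kinds: dict                      # device id -> "host" | "storage" | "firewall"
    host_keys: dict                  # host id -> pre-shared secret (assumption: provisioned out of band)
    trusted_storage: set             # storage ids that pass verification (assumption: allow-list)
    authenticated: set = field(default_factory=set)
    verified: set = field(default_factory=set)

    def boot(self):
        """Default zoning: each physical device sits alone in a two-port zone with sf."""
        self.switch.zones = {frozenset({SF_PORT, p}) for p in self.switch.ports if p != SF_PORT}

    def new_challenge(self):
        return secrets.token_bytes(16)

    def authenticate_host(self, host, nonce, response):
        """HMAC challenge-response stands in for the claims' encrypted authentication."""
        key = self.host_keys.get(host)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.authenticated.add(host)
            return True
        return False

    def verify_storage(self, dev):
        if self.kinds.get(dev) == "storage" and dev in self.trusted_storage:
            self.verified.add(dev)
            return True
        return False

    def meta_zone(self, host, dev):
        """Administrator's meta-zoning instruction: couple host and storage in a working zone.
        Refused unless the host is authenticated and the storage device verified."""
        if host not in self.authenticated or dev not in self.verified:
            return False
        self.switch.zones.add(frozenset({SF_PORT, self.switch.port_of(host), self.switch.port_of(dev)}))
        return True


def demo():
    """Constructed scenario: two hosts and one storage device; only host1 holds a valid key."""
    switch = SanSwitch(ports={SF_PORT: "fw", "p1": "host1", "p2": "host2", "p3": "disk1"})
    kinds = {"fw": "firewall", "host1": "host", "host2": "host", "disk1": "storage"}
    fw = SanFirewall(switch, kinds, host_keys={"host1": b"host1-secret"}, trusted_storage={"disk1"})
    fw.boot()
    r = {"isolated_at_boot": not switch.can_talk("host1", "disk1")}
    # host2 has no provisioned key: its response cannot validate and no zone is opened for it
    nonce = fw.new_challenge()
    bad = hmac.new(b"wrong-key", nonce, hashlib.sha256).digest()
    r["unknown_host_rejected"] = not fw.authenticate_host("host2", nonce, bad)
    r["zone_refused_unauthenticated"] = not fw.meta_zone("host2", "disk1")
    # host1 answers the challenge with its shared key; disk1 passes verification
    nonce = fw.new_challenge()
    good = hmac.new(b"host1-secret", nonce, hashlib.sha256).digest()
    r["host1_authenticated"] = fw.authenticate_host("host1", nonce, good)
    r["zone_refused_before_verify"] = not fw.meta_zone("host1", "disk1")
    r["disk1_verified"] = fw.verify_storage("disk1")
    r["zone_programmed"] = fw.meta_zone("host1", "disk1")
    r["host1_reaches_disk1"] = switch.can_talk("host1", "disk1")
    r["host2_still_isolated"] = not switch.can_talk("host2", "disk1")
    r["binary_zoning_holds"] = zoning_is_binary(switch, kinds)
    return r
```

The design point the model makes explicit is ordering: zoning commands are never accepted on the strength of a request alone, and the default zones remain in place for every device that has not cleared both checks, so an unauthenticated host has no path to any storage port. `zoning_is_binary` is the invariant an auditor could run over a real switch's zoning export to confirm the same property.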
Specification