Storage area network (SAN) security

US 7,437,753 B2
Filed: 02/27/2002
Issued: 10/14/2008
Est. Priority Date: 03/01/2001
Status: Active Grant

First Claim

Patent Images

1. A method for implementing security and booting of a Storage Area Network, SAN, the SAN including:

physical devices having a first array of hosts and a second array of storage devices,a storage network with network links,a users network with user network links, anda SAN Switch coupled intermediate the first array of hosts and the second array of storage devices and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands to define zones for communication between at least one host and at least one storage device, the San Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link, the method comprising the steps of;

coupling a SAN Firewall by the storage network link to a SAN-Firewall-port (sf) accommodated in the SAN Switch and coupled by the users network link to the users network, andconfiguring the SAN Firewall to operate an encrypted authentication procedure and to automatically program the SAN Switch into zones, with each zone residing first in default zoning out of a binary zoning comprising;

in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port (sf) coupled to the SAN Firewall and connected to a second device port coupled to and isolating a physical device of the physical devices, the SAN Firewall operating an encrypted authentication procedure authenticating each host out of the array of hosts and at least one security verification procedure on the isolated physical device prior to permitting work zone coupling, andin work zoning thereafter, at least one working zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only authenticated hosts and security verified physical devices counting at least one host port, and at least one storage device port.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for the binary zoning of a Storage Area Network (SAN) for security is disclosed, for a SAN with physical devices consisting of a first array of hosts (1) and a second array of storage devices (4), and a SAN Switch (2, 2A) coupled intermediate the hosts and the storage devices. The SAN Switch routes I/O commands and accepts zoning commands. The method is based on starting operation of the SAN with mutually isolated physical devices and accepting zoning commands only after running security verification procedures requiring that hosts be authenticated and that storage devices be identified. Zoning is dynamically controlled from a workstation (8) operated by a System Administrator entering meta-zoning instructions which are used to automatically program the zoning of the SAN Switch for legitimate physical devices. The method is implemented for security and booting of a SAN.

205 Citations

34 Claims

1. A method for implementing security and booting of a Storage Area Network, SAN, the SAN including:
- physical devices having a first array of hosts and a second array of storage devices,a storage network with network links,a users network with user network links, anda SAN Switch coupled intermediate the first array of hosts and the second array of storage devices and to each physical device via network links and to the users network via a users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands to define zones for communication between at least one host and at least one storage device, the San Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link, the method comprising the steps of;
  
  coupling a SAN Firewall by the storage network link to a SAN-Firewall-port (sf) accommodated in the SAN Switch and coupled by the users network link to the users network, andconfiguring the SAN Firewall to operate an encrypted authentication procedure and to automatically program the SAN Switch into zones, with each zone residing first in default zoning out of a binary zoning comprising;
  
  in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port (sf) coupled to the SAN Firewall and connected to a second device port coupled to and isolating a physical device of the physical devices, the SAN Firewall operating an encrypted authentication procedure authenticating each host out of the array of hosts and at least one security verification procedure on the isolated physical device prior to permitting work zone coupling, andin work zoning thereafter, at least one working zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only authenticated hosts and security verified physical devices counting at least one host port, and at least one storage device port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The method according to claim 1, further comprising the steps of:
    - running, in default zoning, of the encrypted authentication and security procedure and thereafter,creating, in work zoning, of at least one work zone comprising at least one authenticated legitimate host and at least one legitimate storage device.
  - 3. The method according to claim 1, wherein running the security procedure further comprises the steps of:
    - running an authentication procedure for presence and legitimacy verification of each one host out of the first array, andrunning an identification procedure for presence and legitimacy verification of each one storage device out of the second array.
  - 4. The method according to claim 1, further comprising the steps of:
    - continuously running the security verification procedure for detecting the presence and for authentication legitimacy verification of the physical devices actually coupled in operation with the SAN, andrezoning in real time the at least one work zone according to configuration changes associated with continuously running the security procedure.
  - 5. The method according to claim 3, wherein:
    - a host comprises at least one Host Bus Adaptor, HBA, which is identified by a first World Wide Number, and,a storage device comprises at least one Logical Unit, and identified by a second WWN and by at least one Logical Unit Number,the method further comprising the steps of;
      
      authenticating each one host out of the first array independently of the first WWN, andidentifying each one storage device out of the second array by the second WWN and by the at least one LUN.
  - 6. The method according to claim 1, further comprising the steps of:
    - coupling a System Administration (SA) workstation to the users network and to the SAN Switch,configuring the SA workstation for managing, securing and booting the SAN,entering meta-zoning instructions via the SA workstation, the meta-zoning instructions defining programming commands for deriving default zoning and working zoning,dynamically controlling the binary zoning of the SAN Switch by the meta-zoning instructions, andautomatically programming the SAN Switch, according to the meta-zoning instructions, into default zones and work zones.
  - 7. The method according to claim 1, further comprising:
    - disposing at least one HBA in each one host out of the first array, said the metazoning instructions comprising instructions for zoning in a working zone of the at least one HBA pertaining to an authenticated legitimate host with at least one legitimate storage device.
  - 8. The method according to claim 1, further comprising the step of:
    - burning-in the default zones in the SAN Switch, for automatically returning to and always start operation in default zoning, wherein the physical devices are mutually isolated.
  - 9. The method according to claim 1, further comprising:
    - coupling each one physical device to at least one port out of the plurality of ports of the SAN Switch, each of said ports having a port identity, the security procedure further comprising the steps of;
      
      verifying the authenticity and legitimacy of each one of the physical devices independently of the port identity of the at least one port to which one physical device is coupled, andimmediately returning the at least one port from which a physical device is decoupled, to a default zone.
  - 10. The method according to claim 1, further comprising the step of configuring the storage network as a Fibre Channel network.
  - 11. The method according to claim 10, further comprising the steps of:
    - running the boot procedure and thereafter,creating, in work zoning, of at least one work zone comprising at least one operative host and at least one authenticated operative storage device.
  - 12. The method according to claim 1, further comprising functionally integrating the SAN Firewall and the SAN Switch to form a single unit package.
  - 13. The method according to claim 1, further comprising operating the SAN Firewall on a host selected from the first array, or on a remote host coupled the SAN, or on a remote host coupled to the SAN Switch via a network link coupled to a global communication network.
  - 15. The system according to claim 10, wherein:
    - the SAN Firewall is operatively associated with the physical devices to operate the at least one security authentication and booting procedure upon start of the SAN, in default zoning, andthe physical devices being isolated each in a default zone if they fail the at least one security authentication and booting procedure.
  - 27. A Security Computer Program (SCP) resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 1.
  - 28. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 2.
  - 29. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 3.
  - 30. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 4.
  - 31. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 5.
  - 32. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 6.
  - 33. A Security Computer Program resident on computer storage media for implementing security and booting of a Storage Area Network (SAN), the computer program being arranged to perform the method steps of claim 10.
  - 34. The method according to claim 3, further comprising the steps of:
    - continuously running the security procedure for detection of presence and authenticity verification of the physical devices actually coupled in operation with the SAN, andrezoning in real time the at least one work zone according to configuration changes associated with running the security procedure continuously.

14. A system for operating security and booting of a Storage Area Network, SAN, including:
- physical devices comprising a first array of hosts and a second array of storage devices,a storage network with storage network links,a users network with user network links, anda SAN Switch coupled intermediate the first array of hosts and the second array of storage devices and to each physical device via network links, and coupled to the users network via the users network link, the SAN Switch routing I/O commands to the physical devices and being configured for accepting zoning commands defining zones for communication between at least one host and at least one storage device, the SAN Switch comprising a plurality of ports for coupling each one of the physical devices to at least one port out of the plurality of ports by at least one network link,the system comprising;
  
  a SAN Firewall coupled by the storage network link to a SAN-Firewall-port (sf) accommodated in the San Switch and coupled by the user network link to the users network, the SAN Firewall being configured to operate an encrypted authentication procedure and to automatically program the SAN Switch into zones, with each zone residing first in default zoning out of a binary zoning comprising;
  
  in default zoning, at least one default zone counting only two ports, with a first SAN-Firewall-port coupled to the SAN Firewall and connected to a second deviceport coupled to and isolating a physical device of the physical devices, the SAN Firewall operating an encrypted authentication procedure authenticating each host out of the array of hosts and operating at least one security verification procedure on the isolated physical device prior to permitting work zone coupling, andin work zoning thereafter, at least one working zone coupling at least three ports, with a single SAN-Firewall-port (sf), and at least two ports coupling only authenticated hosts and security verified physical devices counting at least one host port, and at least one storage device port.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The system according to claim 14, wherein the SAN Firewall is operatively associated with the physical devices for carrying out a security procedure for securing the SAN, whereby the security procedure comprises verifying each one host out of the first array for authenticity and each one storage device out of the second array for identity.
  - 17. The system according to claim 14, wherein the SAN Switch has default zones being burnt-in therein to always start operation in default zoning.
  - 18. The system according to claim 14, wherein:
    - port of the SAN Switch from which a physical device is decoupled, is adapted to immediately return to a default zone, anda physical device which is coupled to a port of the SAN Switch, is adapted to always couple to a default zone.
  - 19. The system according to claim 14, further comprising:
    - a third array of user workstations coupled to the user network and comprising a System Administrator (SA) workstation coupled to the user network and to the SAN Firewall, the SA workstation being configured for managing, securing and booting the SAN wherein;
      
      meta-zoning instructions, entered at the SA workstation are received at the SAN Firewall where programming commands are derived automatically to zone the SAN Switch in working zones, andsaid meta-zoning instructions being adapted to dynamically control said binary zoning.
  - 20. The system according to claim 14, wherein:
    - a host comprises at least one Host Bus Adapter (HBA) which is identified by a first World Wide Number (WWN), anda storage device comprises at least one Logical Unit (LU) identified by a second WWN and by at least one Local Unit Number (LUN),the SAN Firewall being operatively associated with each one host out of the first array for authentication thereof independent of the first WWN, said SAN Firewall being operatively associated with each one storage device out of the second array for identification thereof by the second WWN and by the at least one LUN.
  - 21. The system according to claim 14, wherein each one host out of the first array has at least one HBA, the meta-zoning instructions being adapted to zone in a work zone of any one HBA pertaining to an authenticated legitimate host with at least one legitimate storage device.
  - 22. The system according to claim 14, wherein:
    - each port out of the plurality of ports of the SAN Switch has a port identity,each one physical device is coupled to at least one port out of the plurality of ports, the SAN Firewall being operatively associated with each one of the physical devices for verifying the authenticity and legitimacy of each one of the physical devices independent of the port identity of the at least one port to which one physical device is coupled.
  - 23. The system according to claim 14, wherein the SAN Firewall is operatively associated with one each Host out of the first array to verify booting thereof in said at least one security and booting procedure, said SAN Firewall being further operatively associated with each one storage device out of the second array, to verify operation thereof in said security authentication and booting procedure, thereby simultaneously booting the first array of hosts in mutual isolation.
  - 24. The system according to claim 14, wherein:
    - the SAN Firewall and the SAN Switch are functionally integrated, to form a single unit package.
  - 25. The system according to claim 14, wherein the SAN Firewall functions are operated on a host selected from the first array, or on a remote host coupled to the SAN Switch, or on a remote host coupled to the SAN Switch via a network link coupled to a global communication network.
  - 26. The system according to claim 14, wherein the storage network is a Fibre Channel network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
LSI Technologies Israel Ltd.
Inventors
Nahum, Nelson
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/469,727
Publication Number

US 20040078599A1
Time in Patent Office

2,421 Days
Field of Search

726 1- 4, 726/16, 726 26- 27, 711/114, 711/156, 710/36, 705/30, 705/34, 707/202, 709/223
US Class Current

726/4
CPC Class Codes

G06Q 30/04   Billing or invoicing

G06Q 40/12   Accounting

H04L 63/0209   Architectural arrangements,...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

Y10S 707/99953   Recoverability

Storage area network (SAN) security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

205 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Storage area network (SAN) security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links