System and method for performing storage operations through a firewall

US 7,631,351 B2
Filed: 04/05/2004
Issued: 12/08/2009
Est. Priority Date: 04/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method for performing a data storage operation through a firewall in a networked computer system, the method comprising:

identifying, based on configuration data, whether each of a set of network elements related to the data storage operation is within a trusted network or not within the trusted network, wherein traffic between elements within the trusted network and elements not within the trusted network must pass through the firewall, wherein the firewall is an element in the networked computer system that is not a firewall in a client computer system;

when the set of network elements related to the data storage operation is such that storage operation data must pass through the firewall, determining a specific set of ports to be used to send and receive storage operation data,wherein storage operation data includes data associated with at least one of a backup operation, a restore operation, a migration operation, an archival operation, and a recovery operation, andwherein the specific set of ports includes a first set of one or more ports and a second set of one or more ports;

wherein the first set of one or more ports are one or more ports through which storage operation data is to pass; and

wherein the second set of one or more ports are one or more ports through which data associated with control of the data storage operation is to pass; and

prior to receipt by the firewall of storage operation data, allocating the specific set of ports with the firewall in advance, in accordance with at least one security parameter, for use in performing the data storage operation.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides systems and methods for performing storage operations through a firewall. Methods are provided that include, in a networked computer system, identifying, based on configuration data, whether each of a set of network elements is within a trusted network or not within the trusted network. Traffic between elements within the trusted network and elements not within the trusted network must pass through a firewall. The methods also include, prior to performing a storage operation through the firewall, allocating a specific set of ports, in accordance with at least one security parameter, for use in performing the storage operation. Methods are also provided which include monitoring traffic through the specific ports, and, if traffic is determined to be inactive through a first port of the specific ports, sending a packet through the first port.

Citations

25 Claims

1. A method for performing a data storage operation through a firewall in a networked computer system, the method comprising:
- identifying, based on configuration data, whether each of a set of network elements related to the data storage operation is within a trusted network or not within the trusted network, wherein traffic between elements within the trusted network and elements not within the trusted network must pass through the firewall, wherein the firewall is an element in the networked computer system that is not a firewall in a client computer system;
  
  when the set of network elements related to the data storage operation is such that storage operation data must pass through the firewall, determining a specific set of ports to be used to send and receive storage operation data,wherein storage operation data includes data associated with at least one of a backup operation, a restore operation, a migration operation, an archival operation, and a recovery operation, andwherein the specific set of ports includes a first set of one or more ports and a second set of one or more ports;
  
  wherein the first set of one or more ports are one or more ports through which storage operation data is to pass; and
  
  wherein the second set of one or more ports are one or more ports through which data associated with control of the data storage operation is to pass; and
  
  prior to receipt by the firewall of storage operation data, allocating the specific set of ports with the firewall in advance, in accordance with at least one security parameter, for use in performing the data storage operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein ports to be utilized during the data storage operation are limited to the specific set of ports.
  - 3. The method of claim 1, wherein the specific set of ports allocated according to the at least one security parameter is a minimal number of ports needed to conduct the data storage operation.
  - 4. The method of claim 1, wherein traffic between network elements within the trusted network does not pass through the firewall.
  - 5. The method of claim 1, wherein the configuration data resides in a port configuration file.
  - 6. The method of claim 5, wherein allocating the specific set of ports comprises reading the port configuration file.
  - 7. The method of claim 1, wherein the specific set of ports with the firewall is allocated by a storage manager.
  - 8. The method of claim 1, wherein the specific set of ports with the firewall is allocated by a storage manager that allocates one or more of the ports in the specific set for each of one or more media agents, and one or more of the ports in the specific set for each of one or more data agents.
  - 9. The method of claim 1, wherein storage operation data comprises chunks having sizes, and wherein the method further comprises reducing chunk size to be utilized during the data storage operation as necessary to cause chunk creation time to be less than a firewall time-out interval.
  - 10. The method of claim 1, wherein storage operation data comprises chunks having sizes, and wherein the method further comprises reducing chunk size to be utilized based at least in part upon a transmission rate of the storage operation data.
  - 11. The method of claim 1, wherein the data associated with control of the data storage operation includes at least one of:
    - start and stop messages;
      
      control checksums; and
      
      parity blocks.
  - 12. The method of claim 1, further comprising performing the data storage operation through the firewall, wherein performing the data storage operation includes:
    - transferring storage operation data through the first set of one or more ports in the firewall; and
      
      transferring data associated with control of the data storage operation through the second set of one or more ports in the firewall.

13. A system for performing a data storage operation through a firewall in a networked computer system, the system comprising:
- a firewall, wherein the firewall is a distinct element in the networked computer system and is not a firewall of a client computer;
  
  a plurality of network elements, comprising;
  
  one or more client computers; and
  
  one or more data storage devices;
  
  a storage manager; and
  
  one or more media agents configured to conduct data between the one or more client computers and the one or more data storage devices under the direction of the storage manager,wherein the storage manager is configured to;
  
  identify, based on configuration data, a first set of network elements related to the data storage operation that are within a trusted network and a second set of network elements related to the data storage operation that are not within the trusted network, wherein traffic between elements of the trusted network and elements not within the trusted network must pass through the firewall;
  
  when the first and second sets of network elements related to the data storage operation are such that storage operation data must pass through the firewall, determine a specific set of ports to be used to send and receive the storage operation data, wherein the specific set of ports includes;
  
  a first set of one or more ports through which storage operation data is to pass; and
  
  a second set of one or more ports through which data associated with control of the data storage operation is to pass; and
  
  prior to receipt by the firewall of the storage operation data, allocate the specific set of ports with the firewall in advance, according to at least one security parameter, for use in performing the data storage operation,wherein, prior to receipt of the storage operation data, the firewall opens ports in accordance with the allocation.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, wherein ports to be utilized during the data storage operation are limited to the specific set of ports.
  - 15. The system of claim 13, wherein the specific set of ports allocated according to the at least one security parameter is a minimal number of ports needed to conduct the data storage operation.
  - 16. The system of claim 13, wherein the configuration data resides in a port configuration file.
  - 17. The system of claim 16, wherein allocating the specific set of ports comprises reading the port configuration file.
  - 18. The system of claim 13, wherein the storage manager is further configured to:
    - during the data storage operation, cause monitoring of traffic through each of the specific ports; and
      
      if, through the monitoring, traffic is determined to be inactive through a first port of the specific ports for a specified time period, cause a packet to be sent through the first port.
  - 19. The system of claim 18, wherein the packet is sent to prevent closing of the first port due to a firewall time-out.
  - 20. The system of claim 18, wherein the specified time period is less than a firewall time-out period.
  - 21. The system of claim 13, wherein the data associated with control of the data storage operation includes at least one of:
    - start and stop messages;
      
      control checksums; and
      
      parity blocks.

22. A system for performing a data storage operation involving multiple network elements in a networked computer system, including one or more client computers and one or more data storage devices, wherein the data storage operation si performed through a firewall in the networked computer system, the system comprising:
- one or more media agents configured to transfer storage operation data between the one or more client computers and the one or more data storage devices; and
  
  a storage manager configured to;
  
  identify, based on configuration data, a first set of network elements related to the data storage operation that are within a trusted network and a second set of network elements related to the data storage operation that are not within the trusted network, wherein traffic between network elements within the trusted network and network elements not within the trusted network must pass through the firewall;
  
  when the first and second sets of network elements related to the data storage operation are such that storage operation data must pass through the firewall;
  
  determine a first set of one or more firewall ports through which the one or more media agents are to transfer storage operation data between the one or more client computers and the one or more data storage devices; and
  
  determine a second set of one or more firewall ports through which data associated with control of the data storage operation is to pass; and
  
  prior to receipt by the firewall of the storage operation data, allocate the first and second sets of firewall ports with the firewall,wherein the firewall is a distinct network element in the networked computer system and is not a firewall of a client computer, and wherein prior to receipt of the storage operation data, the firewall opens the first and second sets of ports in accordance with the allocation.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22, wherein the data associated with control of the data storage operation includes at least one of:
    - start and stop messages;
      
      control checksums; and
      
      parity blocks.
  - 24. The system of claim 22, wherein the storage manager is further configured to:
    - determine a third set of one or more firewall ports through which additional storage operation data or additional data associated with control of the data storage operation may pass; and
      
      prior to receipt by the firewall of the storage operation data, allocate the third set of firewall ports with the firewall.
  - 25. The system of claim 22, wherein the storage manager is further configured to:
    - determine a third set of one or more firewall ports through which traffic associated with a graphical user interface is to pass; and
      
      prior to receipt by the firewall of the storage operation data, allocate the third set of firewall ports with the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Erofeev, Andrei
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US10/818,747
Publication Number

US 20050039051A1
Time in Patent Office

2,073 Days
Field of Search

709/225, 709/232, 713/150
US Class Current

726/11
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/029 Firewall traversal, e.g. tu...

System and method for performing storage operations through a firewall

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for performing storage operations through a firewall

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links