Distributed filesystem network security extension

US 7,917,751 B2
Filed: 05/22/2003
Issued: 03/29/2011
Est. Priority Date: 05/22/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In a data processing system comprising at least two different network adapters and a storage medium on which is stored at least a first file having a permission, a method for providing security for transmission of said first file, said method comprising:

enabling an external client system to complete a first mount of said data processing system via a first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems;

enabling a second mount of said data processing system via a second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount;

inferring said permission associated with said first file;

responsive to receipt of a request for access to said first file by the external client system;

when said permission of said first file indicates that said first file does not require secure transmission from the storage medium to the external client system, routing a transmission of the first file to the external client system via said first standard/default network adapter of the at least two different network adapters and via a respective first non-secure network connecting the external client system to the storage medium; and

when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter also connecting the external client system to the storage medium to enable secure transmission, wherein said dynamically routing step further comprises;

automatically configuring said second, different, secure network adapter to support a remount operation in response to a mounting request from said external client system, wherein the remount operation enables the client system which was mounted on the data processing system via the first standard/default port over the first network to resume a session initiated at the first standard network adapter utilizing the second, different, secure network adapter and second secure network with stored session parameters from the first mount;

terminating a current mount on said first standard/default network adapter with said external client system;

storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and

enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and

wherein only certain files on the storage medium that have access permission requiring secure transmission of the files from the storage medium to any requesting external client system are transmitted from the storage medium to the external client system via the second, different, secure network adapter, while all other files on the storage medium that do not have access permission requiring secure transmission are automatically routed to the requesting external client system via the first standard/default network adapter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and re-configures the server ports to accept a re-mount from the client via a more secure port. The server re-configured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from un-authorized capture during transmission to the client system.

70 Citations

View as Search Results

15 Claims

1. In a data processing system comprising at least two different network adapters and a storage medium on which is stored at least a first file having a permission, a method for providing security for transmission of said first file, said method comprising:
- enabling an external client system to complete a first mount of said data processing system via a first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems;
  
  enabling a second mount of said data processing system via a second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount;
  
  inferring said permission associated with said first file;
  
  responsive to receipt of a request for access to said first file by the external client system;
  
  when said permission of said first file indicates that said first file does not require secure transmission from the storage medium to the external client system, routing a transmission of the first file to the external client system via said first standard/default network adapter of the at least two different network adapters and via a respective first non-secure network connecting the external client system to the storage medium; and
  
  when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter also connecting the external client system to the storage medium to enable secure transmission, wherein said dynamically routing step further comprises;
  
  automatically configuring said second, different, secure network adapter to support a remount operation in response to a mounting request from said external client system, wherein the remount operation enables the client system which was mounted on the data processing system via the first standard/default port over the first network to resume a session initiated at the first standard network adapter utilizing the second, different, secure network adapter and second secure network with stored session parameters from the first mount;
  
  terminating a current mount on said first standard/default network adapter with said external client system;
  
  storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and
  
  enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and
  
  wherein only certain files on the storage medium that have access permission requiring secure transmission of the files from the storage medium to any requesting external client system are transmitted from the storage medium to the external client system via the second, different, secure network adapter, while all other files on the storage medium that do not have access permission requiring secure transmission are automatically routed to the requesting external client system via the first standard/default network adapter.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said data processing system further comprises an encryption module associated with said second, different, secured network adapter, said dynamically routing step comprising:
    - first encrypting said first file by forwarding said first file to said encryption module; and
      
      when encryption of the first file by the encryption module is completed, forwarding an encrypted version of the first file to the second, different, secured network adapter to complete the dynamically routing to the external client system.
  - 3. The method of claim 1, wherein said configuring and storing step includes:
    - retrieving an IP address of said external client system;
      
      placing said IP address in a configuration of said second, different, secure network adapter; and
      
      responsive to detecting a mount operation at the second secure network adapter, comparing an IP address of the external client system executing the mount operation with an IP address in a configuration of the second, different, secure network adapter, wherein said second, different, secure network adapter automatically recognizes a mount operation from said external client system as a remount operation and re-establishes the session, which was previously established at the first standard/default network adapter, with said external client system.
  - 4. The method of claim 1, wherein said permission is a bit within metadata linked to said first file and said method further comprises:
    - tagging said bit to a value of one when the first file will require secure access via a secure network adapter and secure network;
      
      tagging said bit to a value of zero when the first file will not require secure access via a secure network adapter and secure network; and
      
      when a request to access the first file is detected from an external client system, reading a value of said bit to evaluate whether said first file requires secure access.
  - 5. The method of claim 1, wherein a file includes an identification (ID) of which specific users are permitted to access said first file via a secured access, said method further comprising:
    - comparing a user ID of said external client system with IDs of said specific users; and
      
      when said user ID matches one of the IDs of said specific users, automatically initiating a re-mount operation to route transmission of said first file to said external client system via said second, different, secure network adapter over said second secure network.
  - 6. The method of claim 1, wherein said first standard network adapter connects to said external client system via a first unsecured network and said second, different, secure network adapter connects to said external client system via a second secured network.
  - 7. The method of claim 1, wherein:
    - said data processing system is a server within a network having a first subnet connecting said first standard/default network adapter to said external client system and a second subnet connecting said second, different secure network adapter to said external client system;
      
      said first file is stored within a filesystem which supports mounting at two different network adapters;
      
      said checking step includes accessing said filesystem and locating said first file; and
      
      said routing step includes transmitting said first file via said second subnet when said first file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.

8. A data processing system for providing security for transmission of selected, stored files, said system comprising:
- (1) a storage medium on which is stored at least a first file having a permission;
  
  (2) at least a first standard/default network adapter and a second, different, secure network adapter for connecting said data processing system to external client systems via corresponding networks;
  
  (3) logic for selectively routing transmission of said at least one file via said first standard/default network adapter and said second, different, secure network adapter, said logic comprising;
  
  logic for enabling a first mount of said data processing system via said first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems;
  
  logic for enabling a second mount of said data processing system via said second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount;
  
  logic, for inferring said permission of said first file;
  
  responsive to a request for access to said first file by an external client system;
  
  when said permission of said first file indicates that said first file does not require secure transmission, logic for routing a transmission of the first file to the external client system via the first standard/default network adapter; and
  
  when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, logic for dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter at which the external client system connects to the storage medium when secure transmission is required for a file, wherein said logic for dynamically routing further comprises;
  
  logic for configuring said second, different, secure network adapter to support a remount operation in response to a mounting request received from said external client system;
  
  logic for terminating a current mount on said first standard/default network adapter with said external client system;
  
  logic for storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and
  
  logic for enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and
  
  wherein only files requiring secure transmission are transmitted from the storage medium via the second, different, secure network adapter.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein said data processing system further comprises an encryption module associated with said second, different, secured network adapter, said logic for dynamically routing comprising:
    - logic for first encrypting said first file utilizing said encryption module; and
      
      when encryption of the first file by the encryption module is completed, logic for forwarding an encrypted version of the first file to the second, different, secured network adapter to complete the dynamically routing to the external client system.
  - 10. The system of claim 8, wherein said configuring and storing logic includes:
    - logic for retrieving an IP address of said external client system; and
      
      logic for placing said IP address in a configuration of said second, different, secure network adapter; and
      
      responsive to detecting a mount operation at the second secure network adapter, logic for comparing an IP address of the external client system executing the mount operation with an IP address in a configuration of the second, different, secure network adapter, wherein said second, different, secure network adapter automatically recognizes a mount operation from said external client system as a remount operation and re-establishes the session, which was previously established at the first standard/default network adapter, with said external client system.
  - 11. The system of claim 8, wherein said permission is a bit within metadata linked to said first file and said system further comprises:
    - logic for tagging said bit to a value of one when the first file will require secure access via a secure network adapter and secure network;
      
      logic for tagging the bit to a value of zero when the first file will not require secure access via a secure network adapter and secure network; and
      
      when a request to access the first file is detected from an external client system, logic for reading a value of said bit to evaluate whether said first file requires secure access.
  - 12. The system of claim 8, wherein said permission includes an identification of which specific users are permitted to access said first file via a secured access, said system further comprising:
    - logic for comparing a user of said external client system with said specific users with said permission to access said file; and
      
      when said user is one of said specific users, logic for automatically initiating a re-routing of a transmission of said first file via said second, different, secure network adapter.
  - 13. The system of claim 8, wherein said first standard network adapter connects to said client system via a first unsecured network and said second, different, secure network adapter connects to said external client system via a second secured network.
  - 14. The system of claim 8, wherein:
    - said data processing system is a server within a network having a first subnet connecting said first standard/default network adapter to said external client system and a second subnet connecting said second secure network adapter to said external client system;
      
      said first file is stored within a filesystem;
      
      said logic for checking includes means for accessing said filesystem and locating said first file; and
      
      said logic for routing includes means for transmitting said first file via said second subnet when said first file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.

15. In a network comprising (1) a server hosting a filesystem and having at least a first standard/default network adapter and a second, different, secure network adapter, (2) a client, and (3) a plurality of transmission subnets for linking said server and said client, wherein said plurality of transmission subnets include a first standard subnet and a second secure subnet, a filesystem access control mechanism comprising:
- a processor;
  
  processing logic executing on the processor for scheduling and controlling transmission of files from the filesystem to the client, said processing logic including;
  
  logic for inferring a permission of said first file;
  
  logic for enabling a first mount of said server via said first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems;
  
  logic for enabling a second mount of said server via said second, different, secure network adapter only when said first file requires secured access;
  
  responsive to a request for access to a first file by an external client system;
  
  when said permission of said first file indicates that said first file does not require secure transmission, logic for routing a transmission of the first file to the external client system via the first standard/default network adapter and via said first standard subnet; and
  
  when said permission of said first file indicates secured transmission is required for said first file, logic for dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter and via said second secure subnet, wherein said logic for dynamically routing further comprises;
  
  logic for configuring said second, different, secure network adapter to support a remount operation in response to a mounting request received from said external client system;
  
  logic for terminating a current mount on said first standard/default network adapter with said external client system;
  
  logic for storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and
  
  logic for enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and
  
  wherein only files requiring secure transmission are transmitted from the filesystem via the second, different, secure network adapter and second secure subnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Keohane, Susan Marie, McBrearty, Gerald Francis, Shieh, Johnny Meng-Han, Murillo, Jessica Kelley, Mullen, Shawn Patrick
Primary Examiner(s)
Pyzocha; Michael
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/443,675
Publication Number

US 20040236745A1
Time in Patent Office

2,868 Days
Field of Search

726/2, 726/3, 726/4, 726/21, 726/26, 726/27
US Class Current

713/165
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 69/329   in the application layer [O...

Distributed filesystem network security extension

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed filesystem network security extension

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links