Distributed filesystem network security extension
First Claim
1. In a data processing system comprising at least two different network adapters and a storage medium on which is stored at least a first file having a permission, a method for providing security for transmission of said first file, said method comprising:
- enabling an external client system to complete a first mount of said data processing system via a first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems;
enabling a second mount of said data processing system via a second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount;
inferring said permission associated with said first file;
responsive to receipt of a request for access to said first file by the external client system;
when said permission of said first file indicates that said first file does not require secure transmission from the storage medium to the external client system, routing a transmission of the first file to the external client system via said first standard/default network adapter of the at least two different network adapters and via a respective first non-secure network connecting the external client system to the storage medium; and
when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter also connecting the external client system to the storage medium to enable secure transmission, wherein said dynamically routing step further comprises;
automatically configuring said second, different, secure network adapter to support a remount operation in response to a mounting request from said external client system, wherein the remount operation enables the client system which was mounted on the data processing system via the first standard/default port over the first network to resume a session initiated at the first standard network adapter utilizing the second, different, secure network adapter and second secure network with stored session parameters from the first mount;
terminating a current mount on said first standard/default network adapter with said external client system;
storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and
enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and
wherein only certain files on the storage medium that have access permission requiring secure transmission of the files from the storage medium to any requesting external client system are transmitted from the storage medium to the external client system via the second, different, secure network adapter, while all other files on the storage medium that do not have access permission requiring secure transmission are automatically routed to the requesting external client system via the first standard/default network adapter.
1 Assignment
0 Petitions
Accused Products
Abstract
A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and re-configures the server ports to accept a re-mount from the client via a more secure port. The server re-configured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from un-authorized capture during transmission to the client system.
-
Citations
15 Claims
-
1. In a data processing system comprising at least two different network adapters and a storage medium on which is stored at least a first file having a permission, a method for providing security for transmission of said first file, said method comprising:
-
enabling an external client system to complete a first mount of said data processing system via a first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems; enabling a second mount of said data processing system via a second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount; inferring said permission associated with said first file; responsive to receipt of a request for access to said first file by the external client system; when said permission of said first file indicates that said first file does not require secure transmission from the storage medium to the external client system, routing a transmission of the first file to the external client system via said first standard/default network adapter of the at least two different network adapters and via a respective first non-secure network connecting the external client system to the storage medium; and when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter also connecting the external client system to the storage medium to enable secure transmission, wherein said dynamically routing step further comprises; automatically configuring said second, different, secure network adapter to support a remount operation in response to a mounting request from said external client system, wherein the remount operation enables the client system which was mounted on the data processing system via the first standard/default port over the first network to resume a session initiated at the first standard network adapter utilizing the second, different, secure network adapter and second secure network with stored session parameters from the first mount; terminating a current mount on said first standard/default network adapter with said external client system; storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and wherein only certain files on the storage medium that have access permission requiring secure transmission of the files from the storage medium to any requesting external client system are transmitted from the storage medium to the external client system via the second, different, secure network adapter, while all other files on the storage medium that do not have access permission requiring secure transmission are automatically routed to the requesting external client system via the first standard/default network adapter. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A data processing system for providing security for transmission of selected, stored files, said system comprising:
-
(1) a storage medium on which is stored at least a first file having a permission; (2) at least a first standard/default network adapter and a second, different, secure network adapter for connecting said data processing system to external client systems via corresponding networks; (3) logic for selectively routing transmission of said at least one file via said first standard/default network adapter and said second, different, secure network adapter, said logic comprising; logic for enabling a first mount of said data processing system via said first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems; logic for enabling a second mount of said data processing system via said second, different, secure network adapter only when said first file requires secured access, wherein said second, different, secure network adapter is configured for access from the external client system by providing one or more session parameters associated with the first mount for use in completing the second mount; logic, for inferring said permission of said first file; responsive to a request for access to said first file by an external client system; when said permission of said first file indicates that said first file does not require secure transmission, logic for routing a transmission of the first file to the external client system via the first standard/default network adapter; and when said permission of said first file indicates secured transmission is required for transmitting said first file from the storage medium, logic for dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter at which the external client system connects to the storage medium when secure transmission is required for a file, wherein said logic for dynamically routing further comprises; logic for configuring said second, different, secure network adapter to support a remount operation in response to a mounting request received from said external client system; logic for terminating a current mount on said first standard/default network adapter with said external client system; logic for storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and logic for enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and wherein only files requiring secure transmission are transmitted from the storage medium via the second, different, secure network adapter. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. In a network comprising (1) a server hosting a filesystem and having at least a first standard/default network adapter and a second, different, secure network adapter, (2) a client, and (3) a plurality of transmission subnets for linking said server and said client, wherein said plurality of transmission subnets include a first standard subnet and a second secure subnet, a filesystem access control mechanism comprising:
-
a processor; processing logic executing on the processor for scheduling and controlling transmission of files from the filesystem to the client, said processing logic including; logic for inferring a permission of said first file; logic for enabling a first mount of said server via said first standard/default network adapter, which provides a standard, non-secure access to the data processing system for all external client systems; logic for enabling a second mount of said server via said second, different, secure network adapter only when said first file requires secured access; responsive to a request for access to a first file by an external client system; when said permission of said first file indicates that said first file does not require secure transmission, logic for routing a transmission of the first file to the external client system via the first standard/default network adapter and via said first standard subnet; and when said permission of said first file indicates secured transmission is required for said first file, logic for dynamically routing the transmission of said first file to the external client system via said second, different, secure network adapter and via said second secure subnet, wherein said logic for dynamically routing further comprises; logic for configuring said second, different, secure network adapter to support a remount operation in response to a mounting request received from said external client system; logic for terminating a current mount on said first standard/default network adapter with said external client system; logic for storing session parameters of a session on said current mount to enable seamless continuation of said session on said second, different, secure network adapter; and logic for enabling a re-mount of the data processing system by the external client system via the second secure network adapter and resumption of the session utilizing the session parameters stored; and wherein only files requiring secure transmission are transmitted from the filesystem via the second, different, secure network adapter and second secure subnet.
-
Specification