Storage security appliance with out-of-band management capabilities

US 8,387,127 B1
Filed: 11/28/2007
Issued: 02/26/2013
Est. Priority Date: 11/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting, at a data security appliance, out-of-band control traffic from a computing device directed to a data storage device, wherein the out-of-band control traffic includes a command to change a configuration of the data storage device;

forwarding the out-of-band control traffic from the data security appliance to the data storage device;

intercepting, at the data security appliance, a response from the data storage device that indicates the command was successfully executed; and

reconfiguring automatically and without user interaction, by the data security appliance, a parameter of the data security appliance associated with communication with the data storage device in accordance with the command in order to conform with a new configuration of the data storage device, wherein the reconfiguring is performed as a result of intercepting the response from the data storage device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data security appliance intercepts out-of-band control traffic directed to a data storage device, wherein the out-of-band control traffic includes a command to change a configuration of the data storage device. The data security appliance is reconfigured in accordance with the command in order to conform with a new configuration of the data storage device.

Citations

21 Claims

1. A method comprising:
- intercepting, at a data security appliance, out-of-band control traffic from a computing device directed to a data storage device, wherein the out-of-band control traffic includes a command to change a configuration of the data storage device;
  
  forwarding the out-of-band control traffic from the data security appliance to the data storage device;
  
  intercepting, at the data security appliance, a response from the data storage device that indicates the command was successfully executed; and
  
  reconfiguring automatically and without user interaction, by the data security appliance, a parameter of the data security appliance associated with communication with the data storage device in accordance with the command in order to conform with a new configuration of the data storage device, wherein the reconfiguring is performed as a result of intercepting the response from the data storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - temporarily storing the command in the data security appliance until the response is intercepted.
  - 3. The method of claim 1, further comprising:
    - forwarding the response from the data security appliance to the computing device, wherein the computing device is at least one of a host that sent the out-of-band control traffic or an administration station that sent the out-of-band control traffic.
  - 4. The method of claim 1, further comprising:
    - determining information about the changed configuration of the data storage device; and
      
      reporting the determined information to a host.
  - 5. The method of claim 1, further comprising:
    - determining whether the computing device from which the out-of-band control traffic was intercepted has at least one of a first privilege to send the out-of-band control traffic or a second privilege to issue the command; and
      
      forwarding the out-of-band control traffic to the data storage device if the computing device has at least one of the first privilege or the second privilege.
  - 6. The method of claim 1, wherein the out-of-band control traffic is formatted according to a first communication protocol, the method further comprising:
    - intercepting data traffic directed from a host to the data storage device, wherein the data traffic is formatted according to a second communication protocol;
      
      encrypting the data traffic; and
      
      forwarding the encrypted data traffic to the data storage device.
  - 7. The method of claim 6, wherein reconfiguring the data security appliance includes updating one or more data structures managed by the data security appliance by performing at least one of adding entries to the one or more data structures or modifying existing entries in the one or more data structures.

8. A non-transitory machine readable medium including instructions that, when executed by a machine, cause the machine to perform a method comprising:
- intercepting, at a data security appliance, communication traffic from a computing device directed to a data storage device;
  
  forwarding the communication traffic from the data security appliance to the data storage device;
  
  intercepting, at the data security appliance, a response from the data storage device that indicates a command was successfully executed; and
  
  if the communication traffic includes out-of-band control traffic having a command to change a configuration of the data storage device, reconfiguring automatically and without user interaction, a parameter of the data security appliance associated with communication with the data storage device in accordance with the command, wherein the reconfiguring is performed as a result of intercepting the response from the data storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine readable medium of claim 8, wherein the data security appliance is reconfigured in order to conform with a changed configuration of the data storage device.
  - 10. The non-transitory machine readable medium of claim 8, the method further comprising:
    - forwarding the out-of-band control traffic from the data security appliance to the data storage device; and
      
      temporarily storing the command in the data security appliance until the response is intercepted by the data security appliance from the data storage device, indicating whether the command was successfully executed.
  - 11. The non-transitory machine readable medium of claim 8, the method further comprising:
    - forwarding the response from the data security appliance to the computing device, wherein the computing device is at least one of a host that sent the out-of-band control traffic or an administration station that sent the out-of-band control traffic.
  - 12. The non-transitory machine readable medium of claim 8, the method further comprising:
    - determining information about the changed configuration of the data storage device; and
      
      reporting the determined information to a host.
  - 13. The non-transitory machine readable medium of claim 8, wherein the communication traffic includes the out-of-band control traffic that is formatted according to a first communication protocol and data traffic that is formatted according to a second communication protocol.
  - 14. The non-transitory machine readable medium of claim 8, the method further comprising:
    - intercepting traffic directed from a host to the data storage device;
      
      encrypting the data traffic; and
      
      forwarding the encrypted data traffic to the data storage device.

15. A security apparatus comprising:
- a control proxy to intercept out-of-band control traffic transmitted between a storage device and a computing device, the computing device being at least one of a host or an administration station, wherein the control proxy is configured to forward the out-of-band control traffic from the security apparatus to the storage device;
  
  the control proxy to intercept a response from the storage device, the response indicating whether the configuration of the storage device has changed, and to forward the response to at least one of the host or the administration station; and
  
  a management module, connected with the control proxy, to examine control traffic from the storage device to determine whether a configuration of the storage device has changed, and to reconfigure automatically and without user interaction, a parameter of the security apparatus associated with communication with the storage device if the configuration of the storage device has changed.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The security apparatus of claim 15, wherein the out-of-band control traffic is formatted according to a first communication protocol, further comprising:
    - a data proxy, connected with the management module, to intercept data traffic directed from the computing device to the storage device, to encrypt the data traffic, and to forward the encrypted data traffic to the storage device, wherein the data traffic is formatted according to a second communication protocol.
  - 17. The security apparatus of claim 15, further comprising:
    - a storage module, connected with the control proxy, to temporarily store the out-of-band control traffic until it is determined whether the configuration of the storage device has changed.
  - 18. The security apparatus of claim 15, wherein the management module is configured to query the storage device to determine information about the changed configuration of the storage device.
  - 19. The security apparatus of claim 15, wherein the management module is configured to determine whether the host has at least one of a first privilege to send the out-of-band control traffic or a second privilege to issue a command included in the out-of-band control traffic.

20. A method comprising:
- intercepting, at a security appliance, data traffic and out-of-band control traffic transmitted from a host to a storage device, the out-of-band control traffic being formatted according to a first protocol and including a command to change a configuration of the storage device, and the data traffic being formatted according to a second protocol and including at least one of a read command or a write command, the host being a computing device;
  
  forwarding the out-of-band control traffic from the security appliance to the storage device;
  
  intercepting, at the security appliance, a response from the storage device that indicates the command was successfully executed; and
  
  reconfiguring automatically and without user interaction, by the security appliance, a parameter of the security appliance associated with communication with the storage device in accordance with the command in order to conform with a changed Configuration of the storage device, wherein the reconfiguring is performed upon intercepting the response from the data storage device.

21. A security apparatus comprising:
- a first port to send unencrypted data traffic to, and receive unencrypted data traffic from, a host;
  
  a second port to send encrypted data traffic to, and to receive encrypted data traffic from, a storage device;
  
  a data proxy connected with the first port and the second port, the data proxy to manage encryption, decryption and transmission of data traffic;
  
  a third port to send out-of-band control traffic to, and to receive out-of-band control traffic from, one or more of a host, an administration station, and a storage device;
  
  a control proxy connected with the first port to receive the out-of-band control traffic, to modify the out-of-band control traffic to remove identifying information of at least one of the host, the administration station, or the storage device, and to examine control traffic from the storage device to determine whether a configuration of the storage device has changed; and
  
  a management module connected with the control proxy and with the data proxy, the management module to automatically and without user interaction, direct a reconfiguration parameter of the data proxy associated with communication with the storage device if the configuration of the storage device has changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
Network Appliance Incorporated (NetApp, Inc.)
Inventors
Narver, Andrew, Frandzel, Yuval, Chaudhary, Anant, Yang, Zi-Bin, Agarwal, Vaibhave
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/998,217
Time in Patent Office

1,917 Days
Field of Search

726/1
US Class Current

726/11
CPC Class Codes

G06F 21/572   Secure firmware programming...

G06F 3/0622   in relation to access

G06F 3/0659   Command handling arrangemen...

G06F 3/067   Distributed or networked st...

H04L 41/0816   the condition being an adap...

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 67/1097   for distributed storage of ...

Storage security appliance with out-of-band management capabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Storage security appliance with out-of-band management capabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links