Protocol translation

US 8,898,452 B2
Filed: 09/08/2005
Issued: 11/25/2014
Est. Priority Date: 09/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protocol translation executed on a security appliance, comprising:

receiving a first access request having a first command and a data payload, wherein the first command is formatted according to a first data transfer protocol, wherein the data payload is encrypted according to a first encryption protocol, wherein the first encryption protocol operates at a first layer of a multi-layered protocol stack;

decrypting the encrypted data payload;

translating the first command into a second command formatted according to a second data transfer protocol different than the first data transfer protocol;

re-encrypting the decrypted data payload according to a second encryption protocol different than the first encryption protocol, wherein the second command is not encrypted, wherein the second encryption protocol operates at a second layer of the multi-layered protocol stack different from the first layer; and

transmitting a second access request having the second command and the re-encrypted data payload to a server, wherein the second access request is transmitted according to the second data transfer protocol, wherein the re-encryption is transparent to the server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securing data by receiving encrypted data at a security appliance transmitted from a client, wherein at least a portion of the encrypted data is encrypted according to a first encryption protocol, and wherein the encrypted data is transmitted to the security appliance according to a first data transfer protocol. The encrypted data is then decrypted at the security appliance, wherein at least a portion of the decrypted data is re-encrypted according to a second encryption protocol at the security appliance. The re-encrypted data is transmitted from the security appliance to a storage device, wherein the re-encrypted data is transmitted according to a second data transfer protocol that is different than the first data transfer protocol.

98 Citations

View as Search Results

34 Claims

1. A method for protocol translation executed on a security appliance, comprising:
- receiving a first access request having a first command and a data payload, wherein the first command is formatted according to a first data transfer protocol, wherein the data payload is encrypted according to a first encryption protocol, wherein the first encryption protocol operates at a first layer of a multi-layered protocol stack;
  
  decrypting the encrypted data payload;
  
  translating the first command into a second command formatted according to a second data transfer protocol different than the first data transfer protocol;
  
  re-encrypting the decrypted data payload according to a second encryption protocol different than the first encryption protocol, wherein the second command is not encrypted, wherein the second encryption protocol operates at a second layer of the multi-layered protocol stack different from the first layer; and
  
  transmitting a second access request having the second command and the re-encrypted data payload to a server, wherein the second access request is transmitted according to the second data transfer protocol, wherein the re-encryption is transparent to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the first data transfer protocol comprises a WebDAV protocol.
  - 3. The method of claim 1, wherein the security appliance operates transparent to a client sending the first access request.
  - 4. The method of claim 1, wherein the first command is encrypted.
  - 5. The method of claim 1, wherein the second data transfer protocol comprises a network file system (NFS) protocol.
  - 6. The method of claim 1, wherein the second data transfer protocol comprises a Common Internet File System (CIFS) protocol.
  - 7. The method of claim 1, further comprising:
    - transmitting the re-encrypted data payload from the security appliance to a second security appliance; and
      
      decrypting the re-encrypted data payload at the second security appliance.
  - 8. The method of claim 1 wherein the first data transfer protocol and the second data transfer protocol are selected from a group consisting of NFS, CIFS, secure shell file transfer protocol (SFTP), secure copy protocol (SCP), and WebDAV.
  - 9. The method of claim 1 wherein the first data transfer protocol is a file-based protocol and the second data transfer protocol is a block-based protocol.
  - 10. The method of claim 1 wherein the first data transfer protocol is a block-based protocol and the second data transfer protocol is a file-based protocol.
  - 11. The method of claim 1 wherein the first data protocol is a stream-based protocol and the second data transfer protocol is a random-access protocol.
  - 12. The method of claim 1 further comprising:
    - translating the first command into a plurality of second commands formatted according to the second data transfer protocol; and
      
      transmitting the plurality of second commands to the server using the second data transfer protocol.
  - 13. The method of claim 1 further comprising:
    - statefully inspecting one or more packets having the first command; and
      
      validating the one or more packets.
  - 14. The method of claim 1, wherein the second encryption protocol at the second layer of the multi-layered protocol stack operates transparent to a client sending the first access request.
  - 15. The method of claim 1, wherein the first encryption protocol at the first layer of the multi-layered protocol stack operates transparent to the server.

16. A non-transitory computer readable storage medium containing executable program instructions for execution by a processor, comprising:
- program instructions that receive, at a security appliance, an access request having a first command and a data payload, the access request directed to a storage device, wherein the data payload is encrypted according to a first encryption protocol and received at the security appliance according to a first data transfer protocol, wherein the first encryption protocol operates at a first layer of a multi-layered protocol stack;
  
  program instructions that decrypt the encrypted data payload at the security appliance;
  
  program instructions that translate the first command into a second command formatted according to a second data transfer protocol different than the first data transfer protocol;
  
  program instructions that re-encrypt the decrypted data payload at the security appliance according to a second encryption protocol different than the first encryption protocol, wherein the second command is not encrypted, wherein the second encryption protocol operates at a second layer of the multi-layered protocol stack different from the first layer; and
  
  program instructions that transmit the second command and the re-encrypted data payload according to the second data transfer protocol from the security appliance to a storage device, wherein the re-encryption is transparent to the storage device such that the re-encrypted data payload is stored at the storage device.
- View Dependent Claims (17, 18)
- - 17. The computer readable storage medium of claim 16 further comprising:
    - program instructions that translate the first command into a plurality of second commands formatted according to the second data transfer protocol, andprogram instructions that transmit the plurality of second commands to the storage device according to the second data protocol.
  - 18. The computer readable storage medium of claim 17, wherein the first command is encrypted.

19. A system, comprising:
- a security appliance configured to be coupled to transmitting and receiving devices, the security appliance further configured to receive a first access request from the transmitting device, wherein the first access request is directed to the receiving device, wherein the first access request includes a first command and a data payload encrypted according to a first encryption protocol, and wherein the first access request is received at the security appliance according to a first data transfer protocol, wherein the first encryption protocol operates at a first layer of a multi-layered protocol stack;
  
  the security appliance further configured to decrypt the encrypted data payload;
  
  the security appliance further configured to translate the first command into a second command formatted according to a second data transfer protocol different than the first data transfer protocol;
  
  the security appliance further configured to re-encrypt the decrypted data payload according to a second encryption protocol different than the first encryption protocol, wherein the second command is not encrypted, wherein the second encryption protocol operates at a second layer of the multi-layered protocol stack different from the first layer; and
  
  the security appliance further configured to transmit a second access request having the second command and the re-encrypted data payload to the receiving device, wherein the second access request is transmitted according to the second data transfer protocol, wherein the re-encryption is transparent to the receiving device such that the re-encrypted data payload is received at the receiving device.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 20. The system of claim 19, wherein the security appliance is further configured to transmit the re-encrypted data payload to a second security appliance, wherein the second security appliance is configured to decrypt the re-encrypted data payload.
  - 21. The system of claim 20, wherein the second security appliance is further configured to transmit the decrypted data payload to the receiving device according to a third data transfer protocol.
  - 22. The system of claim 19, wherein the first command is encrypted.
  - 23. The system of claim 20 further comprising:
    - the security appliance further configured to decrypt the first command, wherein the first command is encrypted according to the first encryption protocol; and
      
      the security appliance further configured to encrypt the second command according to the second encryption protocol.
  - 24. The system of claim 19, wherein the first data transfer protocol comprises a WebDAV protocol.
  - 25. The system of claim 19, wherein the security appliance is further configured to operate transparent to the transmitting device sending the first access request.
  - 26. The system of claim 19, wherein the second data transfer protocol comprises a network file system (NFS) protocol.
  - 27. The system of claim 19, wherein the second data transfer protocol comprises a Common Internet File System (CIFS) protocol.
  - 28. The system of claim 19 wherein the first data transfer protocol and the second data transfer protocol are selected from a group consisting of NFS, CIFS, secure shell file transfer protocol (SFTP), secure copy protocol (SCP), and WebDAV.
  - 29. The system of claim 19 wherein the first data transfer protocol is a file-based protocol and the second data transfer protocol is a block-based protocol.
  - 30. The system of claim 19 wherein the first data transfer protocol is a block-based protocol and second data transfer protocol is a file-based protocol.
  - 31. The system of claim 19 wherein the first data transfer protocol is a steam-based protocol and second data transfer protocol is a random-access protocol.
  - 32. The system of claim 19 wherein the security appliance is configured to statefully inspect one or more packets having the first command and the security appliance is further configured to validate the one or more packets.
  - 33. The system of claim 19, wherein the second encryption protocol at the second layer of the multi-layered protocol stack operates transparent to the transmitting device.
  - 34. The system of claim 19, wherein the first encryption protocol at the first layer of the multi-layered protocol stack operates transparent to the receiving device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Bojinov, Hristo, Frandzel, Yuval, Narver, Andrew, Yang, Zi-Bin, Plotkin, Serge
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US11/222,684
Publication Number

US 20070055891A1
Time in Patent Office

3,365 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 63/0464   using hop-by-hop encryption...

H04L 63/162   at the data link layer

Protocol translation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Protocol translation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links