Distributed filesystem network security extension

US 20040236745A1
Filed: 05/22/2003
Published: 11/25/2004
Est. Priority Date: 05/22/2003
Status: Active Grant

First Claim

Patent Images

1. In a data processing system comprising (1) a storage medium on which is stored at least a first having a preset access permission, (2) at least a first standard port and a second secure port for connecting said data processing system to external client systems, and (3) logic for selectively routing transmission of said at least one file via said first port and said second port, a method for providing security for transmission of said at least one file, said method comprising:

responsive to a request for access to said first file by said external client system, checking said preset access permission of said first file; and

when said preset access permission of said first file indicates secured access is required for said first file, dynamically routing a transmission of said first file to external client system via said second port.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and re-configures the server ports to accept a re-mount from the client via a more secure port. The server re-configured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from un-authorized capture during transmission to the client system.

Citations

30 Claims

1. In a data processing system comprising (1) a storage medium on which is stored at least a first having a preset access permission, (2) at least a first standard port and a second secure port for connecting said data processing system to external client systems, and (3) logic for selectively routing transmission of said at least one file via said first port and said second port, a method for providing security for transmission of said at least one file, said method comprising:
- responsive to a request for access to said first file by said external client system, checking said preset access permission of said first file; and
  
  when said preset access permission of said first file indicates secured access is required for said first file, dynamically routing a transmission of said first file to external client system via said second port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - routing said transmission of said first file via said first standard port when said preset access permission indicates a regular access is sufficient.
  - 3. The method of claim 1, further comprising:
    - enabling a first mount of said data processing system via said first standard port; and
      
      enabling a second mount of said data processing system via said second secure port only when said first file requires secured access.
  - 4. The method of claim 1, wherein said data processing system further comprises an encryption module associated with said second secured port, said dynamic routing step comprising:
    - first encrypting said first file utilizing said encryption module.
  - 5. The method of claim 1, wherein said data processing system further reconfiguration logic for configuring said first standard port and said second secured port for supporting a mount by said client system, said dynamic routing step comprising:
    - first configuring said second secure port to support a remount operation received from said client system;
      
      terminating a current mount on said first standard port with said client system; and
      
      storing session parameters of said current mount to enable seamless continuation of said session on said second secure port.
  - 6. The method of claim 5, wherein said configuring and storing step includes:
    - retrieving an IP address of said client system;
      
      placing said IP address in a configuration of said second secure port, wherein said second secure port automatically recognizes a remount operation from said client system and re-establishes the session with said client system.
  - 7. The method of claim 1, wherein said preset access permission is a bit within metadata linked to said first file and said method further comprises reading a value of said bit to evaluate whether said first file requires secure access.
  - 8. The method of claim 1, wherein said preset access permission includes an identification of which specific users are permitted to access said first file via a secured access, said method further comprising:
    - comparing a user of said client system with said specific users with permission to access said file; and
      
      when said user is one of said specific users, automatically initiating a re-routing of a transmission of said first file via said second secure port.
  - 9. The method of claim 1, wherein said first standard port connects to said client system via a first unsecured network and said second secure port connects to said client system via a second secured network.
  - 10. The method of claim 1, wherein:
    - said data processing system is a server within a network having a first subnet connecting said first standard port to said client system and a second subnet connecting said second secure port to said client system;
      
      said first file is stored within a filesystem;
      
      said checking step includes accessing said filesystem and locating said first file; and
      
      said routing step includes transmitting said file via said second subnet when said file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.

11. In a data processing system comprising (1) a storage medium on which is stored at least a first having a preset access permission, (2) at least a first standard port and a second secure port for connecting said data processing system to external client systems, and (3) logic for selectively routing transmission of said at least one file via said first port and said second port, a system for providing security for transmission of said at least one file, said system comprising:
- logic, responsive to a request for access to said first file by said external client system, for checking said preset access permission of said first file; and
  
  when said preset access permission of said first file indicates secured access is required for said first file, logic for dynamically routing a transmission of said first file to external client system via said second port.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, further comprising:
    - logic for routing said transmission of said first file via said first standard port when said preset access permission indicates a regular access is sufficient.
  - 13. The system of claim 11, further comprising:
    - logic for enabling a first mount of said data processing system via said first standard port; and
      
      logic for enabling a second mount of said data processing system via said second secure port only when said first file requires secured access.
  - 14. The system of claim 11, wherein said data processing system further comprises an encryption module associated with said second secured port, said logic for dynamically routing comprising:
    - logic for first encrypting said first file utilizing said encryption module.
  - 15. The system of claim 11, wherein said data processing system further reconfiguration logic for configuring said first standard port and said second secured port for supporting a mount by said client system, said logic for dynamically routing comprising:
    - logic for first configuring said second secure port to support a remount operation received from said client system;
      
      logic for terminating a current mount on said first standard port with said client system; and
      
      logic for storing session parameters of said current mount to enable seamless continuation of said session on said second secure port.
  - 16. The system of claim 15, wherein said configuring and storing step includes:
    - logic for retrieving an IP address of said client system;
      
      logic for placing said IP address in a configuration of said second secure port, wherein said second secure port automatically recognizes a remount operation from said client system and re-establishes the session with said client system.
  - 17. The system of claim 11, wherein said preset access permission is a bit within metadata linked to said first file and said system further comprises reading a value of said bit to evaluate whether said first file requires secure access.
  - 18. The system of claim 11, wherein said preset access permission includes an identification of which specific users are permitted to access said first file via a secured access, said system further comprising:
    - logic for comparing a user of said client system with said specific users with permission to access said file; and
      
      when said user is one of said specific users, logic for automatically initiating a re-routing of a transmission of said first file via said second secure port.
  - 19. The system of claim 11, wherein said first standard port connects to said client system via a first unsecured network and said second secure port connects to said client system via a second secured network.
  - 20. The system of claim 11, wherein:
    - said data processing system is a server within a network having a first subnet connecting said first standard port to said client system and a second subnet connecting said second secure port to said client system;
      
      said first file is stored within a filesystem;
      
      said logic for checking includes means for accessing said filesystem and locating said first file; and
      
      said logic for routing includes means for transmitting said file via said second subnet when said file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.

21. In a network comprising (1) a server hosting a filesystem and having at least a first standard port and a second secure port, (2) a client, and (3) a plurality of transmission subnets for linking said server and said client, wherein said plurality of transmission subnets include a first standard subnet and a second secure subnet, a filesystem access control mechanism comprising:
- logic, responsive to a request for access to said first file by said external client system, for checking said preset access permission of said first file; and
  
  when said preset access permission of said first file indicates secured access is required for said first file, logic for dynamically routing a transmission of said first file to external client system via said second port.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The filesystem access control mechanism of claim 21, further comprising:
    - logic for routing said transmission of said first file via said first standard port when said preset access permission indicates a regular access is sufficient.
  - 23. The filesystem access control mechanism of claim 21, further comprising:
    - logic for enabling a first mount of said data processing system via said first standard port; and
      
      logic for enabling a second mount of said data processing system via said second secure port only when said first file requires secured access.
  - 24. The filesystem access control mechanism of claim 21, wherein said data processing system further comprises an encryption module associated with said second secured port, said logic for dynamically routing comprising:
    - logic for first encrypting said first file utilizing said encryption module.
  - 25. The filesystem access control mechanism of claim 21, wherein said data processing system further reconfiguration logic for configuring said first standard port and said second secured port for supporting a mount by said client system, said logic for dynamically routing comprising:
    - logic for first configuring said second secure port to support a remount operation received from said client system;
      
      logic for terminating a current mount on said first standard port with said client system; and
      
      logic for storing session parameters of said current mount to enable seamless continuation of said session on said second secure port.
  - 26. The filesystem access control mechanism of claim 25, wherein said configuring and storing step includes:
    - logic for retrieving an IP address of said client system;
      
      logic for placing said IP address in a configuration of said second secure port, wherein said second secure port automatically recognizes a remount operation from said client system and re-establishes the session with said client system.
  - 27. The filesystem access control mechanism of claim 21, wherein said preset access permission is a bit within metadata linked to said first file and said system further comprises reading a value of said bit to evaluate whether said first file requires secure access.
  - 28. The filesystem access control mechanism of claim 21, wherein said preset access permission includes an identification of which specific users are permitted to access said first file via a secured access, said system further comprising:
    - logic for comparing a user of said client system with said specific users with permission to access said file; and
      
      when said user is one of said specific users, logic for automatically initiating a re-routing of a transmission of said first file via said second secure port.
  - 29. The filesystem access control mechanism of claim 21, wherein said first standard port connects to said client system via a first unsecured network and said second secure port connects to said client system via a second secured network.
  - 30. The filesystem access control mechanism of claim 21, wherein:
    - said data processing system is a server within a network having a first subnet connecting said first standard port to said client system and a second subnet connecting said second secure port to said client system;
      
      said first file is stored within a filesystem;
      
      said logic for checking includes means for accessing said filesystem and locating said first file; and
      
      said logic for routing includes means for transmitting said file via said second subnet when said file requires secure access and transmitting said first file via said first subnet when said first file does not require secure access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
McBrearty, Gerald Francis, Shieh, Johnny Meng-Han, Keohane, Susan Marie, Murillo, Jessica Kelley, Mullen, Shawn Patrick

Granted Patent

US 7,917,751 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/9
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 69/329   in the application layer [O...

Distributed filesystem network security extension

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed filesystem network security extension

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links