Managing connections in a data storage system

US 8,434,131 B2
Filed: 12/21/2009
Issued: 04/30/2013
Est. Priority Date: 03/20/2009
Status: Active Grant

First Claim

Patent Images

1. A system for managing connections in a data storage system, wherein the data storage system includes at least one client computing device storing data, the system comprising:

an authentication manager;

a storage device; and

at least one secondary storage computing device configured to receive a request from the client computing device to store the data on the storage device, wherein the secondary storage computing device includes;

a blacklist that includes one or more entries, wherein the entries are configured to include an identifier of a computing device and, optionally, a timestamp indicating a time at which the secondary storage computing device received a connection request from the identified computing device;

a connection manager component configured to;

receive at a first time from the client computing device a connection request, wherein the connection request includes a identifier identifying the client computing device;

based upon the identifier of the client computing device or the combination of the identifier of the client computing device and the first time, determine from the blacklist whether the connection request from the client computing device should be refused;

refuse the connection request from the client computing device if the connection request from the client computing device should be refused based upon the determination from the blacklist;

if the connection request from the client computing device should not be refused based upon the determination from the blacklist, request that the authentication manager perform at least one of authenticating the client computing device and determining whether the client computing device is authorized to connect to the secondary storage computing device;

receive a response from the authentication manager that indicates at least one of whether the client computing device is authenticated and whether the client computing device is authorized to connect to the secondary storage computing device;

if the response from the authentication manager indicates that the client computing device is either not authenticated or not authorized to connect to the secondary storage computing device, refuse the connection request from the client computing device; and

if the response from the authentication manager indicates that the client computing device is authenticated and if the client computing device is authorized to connect to the secondary storage computing device, allow the client computing device to connect to the secondary storage computing device,wherein the secondary storage computing device receives the data and stores the data on the storage device upon the connection manager component allowing the client computing device to connect to the secondary storage computing device; and

wherein the connection manager component is further configured to remove an existing entry that includes the identifier of the client computing device from the blacklist if the client computing device is authorized.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described in detail herein are systems and methods for managing connections in a data storage system. For example, the systems and methods may be used to manage connections between two or more computing devices for purposes of performing storage operations on the data of one of the computing devices. The data storage system includes at least two computing devices. A first computing device includes an unauthorized connection data structure and a connection manager component. The connection manager component receives a connection request from a second computing device. If the second computing device is not identified on the unauthorized connection data structure, the connection manager component can request that an authentication manager authenticate the second computing device and/or determine whether the second computing device is properly authorized. If so, the connection manager component can allow the second computing device to connect to the first computing device.

320 Citations

21 Claims

1. A system for managing connections in a data storage system, wherein the data storage system includes at least one client computing device storing data, the system comprising:
- an authentication manager;
  
  a storage device; and
  
  at least one secondary storage computing device configured to receive a request from the client computing device to store the data on the storage device, wherein the secondary storage computing device includes;
  
  a blacklist that includes one or more entries, wherein the entries are configured to include an identifier of a computing device and, optionally, a timestamp indicating a time at which the secondary storage computing device received a connection request from the identified computing device;
  
  a connection manager component configured to;
  
  receive at a first time from the client computing device a connection request, wherein the connection request includes a identifier identifying the client computing device;
  
  based upon the identifier of the client computing device or the combination of the identifier of the client computing device and the first time, determine from the blacklist whether the connection request from the client computing device should be refused;
  
  refuse the connection request from the client computing device if the connection request from the client computing device should be refused based upon the determination from the blacklist;
  
  if the connection request from the client computing device should not be refused based upon the determination from the blacklist, request that the authentication manager perform at least one of authenticating the client computing device and determining whether the client computing device is authorized to connect to the secondary storage computing device;
  
  receive a response from the authentication manager that indicates at least one of whether the client computing device is authenticated and whether the client computing device is authorized to connect to the secondary storage computing device;
  
  if the response from the authentication manager indicates that the client computing device is either not authenticated or not authorized to connect to the secondary storage computing device, refuse the connection request from the client computing device; and
  
  if the response from the authentication manager indicates that the client computing device is authenticated and if the client computing device is authorized to connect to the secondary storage computing device, allow the client computing device to connect to the secondary storage computing device,wherein the secondary storage computing device receives the data and stores the data on the storage device upon the connection manager component allowing the client computing device to connect to the secondary storage computing device; and
  
  wherein the connection manager component is further configured to remove an existing entry that includes the identifier of the client computing device from the blacklist if the client computing device is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the secondary storage computing device is located at a friendly side of a firewall, the client computing device is not located at the friendly side of the firewall, and wherein the secondary storage computing device receives the request from the client computing device through the firewall.
  - 3. The system of claim 1, wherein the connection manager component is further configured to either:
    - add an entry to the blacklist that includes the identifier of the client computing device and a timestamp indicating the first time;
      
      ormodify a timestamp of an existing entry of the blacklist that includes the identifier of the client computing device to indicate the first time.
  - 4. The system of claim 1, wherein the secondary storage computing device further includes:
    - an interface at which the secondary storage computing device receives the connection request; and
      
      an interface blacklist, wherein the interface blacklist includes one or more entries, wherein at least one of the entries is configured to include an identifier of an interface,wherein the connection manager component is further configured to;
      
      determine an identifier of the interface;
      
      based upon the identifier of the interface, determine from the interface blacklist whether the connection request from the client computing device should be refused; and
      
      refuse the connection request from the client computing device if the connection request from the client computing device should be refused based upon the determination from the interface blacklist.
  - 5. The system of claim 1, wherein the connection manager component is further configured to:
    - receive an identifier of a computing device to which the connection manager component should refuse connection requests; and
      
      add the identifier of the computing device to the blacklist.
  - 6. The system of claim 1, wherein the connection manager component is further configured to receive an indication to enable refusing connection requests from computing devices that are not authorized.
  - 7. The system of claim 1, wherein the blacklist includes at least two entries, wherein a first entry includes an identifier of a computing device, and wherein a second entry includes an identifier of another computing device and a timestamp indicating a time at which the connection manager component received a connection request from the identified other computing device.
  - 8. The system of claim 1, wherein the data storage system includes at least two different hierarchical tiers of data storage, wherein the client computing device is at a first hierarchical tier of data storage, and wherein the secondary storage computing device is at a second hierarchical tier of data storage.
  - 9. The system of claim 1, wherein the authentication manager performs both authentication of the client computing device and determining whether the client computing device is authorized to access the secondary storage computing device.

10. A method of managing connections in a data storage system, wherein the data storage system includes at least two computing devices, the method comprising:
- receiving at a first time at a local computing device a connection request from a remote computing device, wherein the connection request includes an identifier that identifies the remote computing device;
  
  accessing an unauthorized connection data structure, wherein the unauthorized connection data structure includes one or more entries, wherein the entries are configured to include an identifier of a computing device and, optionally, a timestamp indicating a time at which the local computing device received a connection request from the identified computing device;
  
  based upon the identifier of the remote computing device or the combination of the identifier of the remote computing device and the first time, determining from the unauthorized connection data structure whether the connection request from the remote computing device should be refused;
  
  if the connection request from the remote computing device should be refused based upon the determination from the unauthorized connection data structure, then refusing the connection request from the remote computing device;
  
  if the connection request from the remote computing device should not be refused, then determining whether the remote computing device is authorized to connect to the local computing device;
  
  if the remote computing device is authorized, then allowing the remote computing device to connect to the local computing device; and
  
  if the remote computing device is not authorized, then refusing the connection request from the remote computing device;
  
  wherein at least one of the entries included in the unauthorized connection data structure includes an identifier of a computing device that is not licensed in the data storage system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising if the connection request from the remote computing device is refused, then either:
    - adding an entry to the unauthorized connection data structure that includes the identifier of the remote computing device and a timestamp indicating the first time;
      
      ormodifying a timestamp of an existing entry of the unauthorized connection data structure that includes the identifier of the remote computing device to indicate the first time.
  - 12. The method of claim 10, wherein the local computing device receives the connection request at an interface, and further comprising:
    - determining an identifier of the interface at which the connection request is received;
      
      accessing an interface blacklist data structure, wherein the interface blacklist data structure includes one or more entries, wherein at least one of the entries is configured to store an identifier of an interface;
      
      based upon the identifier of the interface, determining from the interface blacklist data structure whether the connection request from the remote computing device should be refused; and
      
      if the connection request from the remote computing device should be refused based upon the determination from the interface blacklist data structure, then refusing the connection request from the remote computing device.
  - 13. The method of claim 10, wherein determining whether the remote computing device is authorized to connect to the local computing device includes:
    - requesting that an authorization computing device determine whether the remote computing device is authorized to connect to the local computing device; and
      
      receiving an indication from the authorization computing device whether the remote computing device is authorized to connect to the local computing device,wherein, if the remote computing device is authorized to connect to the local computing device, then removing an existing entry from the unauthorized connection data structure that includes the identifier of the remote computing device.
  - 14. The method of claim 10, further comprising:
    - receiving an identifier of a computing device to which the local computing device should refuse connection requests; and
      
      adding the identifier of the computing device to the unauthorized connection data structure.
  - 15. The method of claim 10, wherein the local computing device is located at a friendly side of a firewall, wherein the request from the remote computing device is received through the firewall, and wherein the method further comprises receiving an indication to enable refusing connection requests at the local computing device to computing devices that are not at the friendly side of the firewall and that are not authenticated.
  - 16. The method of claim 10, wherein the unauthorized connection data structure includes at least two entries, wherein a first entry includes only an identifier of a computing device, and wherein a second entry includes an identifier of another computing device and a timestamp indicating a time at which the local computing device received a connection request from the identified other computing device.

17. A non-transitory computer-readable storage medium including instructions for performing a method for managing connections in a data storage system, wherein the data storage system includes at least two computing devices, the method comprising:
- receiving at a first time at a first computing device a connection request from a second computing device, wherein the connection request includes an identifier that identifies the second computing device;
  
  accessing an unauthorized connection data structure, wherein the unauthorized connection data structure includes zero or more entries, the entries configured to include an identifier of a computing device and a timestamp indicating a time at which the first computing device received a connection request from the identified computing device;
  
  based upon the combination of the identifier of the second computing device and the first time, determining from the unauthorized connection data structure whether the connection request from the second computing device should be refused;
  
  if the connection request from the second computing device should be refused based upon the determination from the unauthorized connection data structure, then refusing the connection request from the second computing device;
  
  if the connection request from the second computing device should not be refused, then determining whether the second computing device is authorized to connect to the first computing device;
  
  if the second computing device is authorized, then allowing the second computing device to connect to the first computing device;
  
  if the second computing device is not authorized, then refusing the connection request from the second computing device; and
  
  if the connection request from the second computing device is refused, then either;
  
  adding an entry to the unauthorized connection data structure that includes the identifier of the second computing device and a timestamp indicating the first time;
  
  or modifying a timestamp of an existing entry of the unauthorized connection data structure that includes the identifier of the second computing device to indicate the first time.
- View Dependent Claims (18)
- - 18. The non-transitory computer-readable medium of claim 17 wherein the connection request is received at an interface of the first computing device, and wherein the method further comprises:
    - determining an identifier of the interface;
      
      determining whether the identifier is included in an interface blacklist data structure that includes zero or more entries; and
      
      if the identifier is included in the interface blacklist data structure, then refusing the connection request from the second computing device at the interface.

19. A computing system for managing connection requests in a data storage system, the computing system comprising:
- means for receiving a connection request from a computing device for purposes of performing a data storage operation on data stored by the computing device;
  
  means for determining an identifier of the computing device;
  
  means for storing first information identifying computing devices to which connection requests should be refused;
  
  means for determining whether the connection request from the computing device should be refused, wherein the means for determining determines whether the connection request should be refused based at least in part upon the determined identifier and the stored first information;
  
  means for refusing the connection request, wherein the means for refusing the connection request refuses the connection request if the means for determining determines that the connection request should be refused;
  
  means for allowing the connection request, wherein the means for allowing the connection request allows the connection request if the means for determining determines that the connection request should be allowed;
  
  means for performing the data storage operation on data stored by the computing device;
  
  means for determining a time at which the connection request is received; and
  
  means for modifying the stored first information to include the determined time.
- View Dependent Claims (20, 21)
- - 20. The computing system of claim 19, further comprising means for determining whether the computing device is authorized to connect to the computing system,wherein the means for allowing the connection request allows the connection request if the computing device is authorized, andwherein the means for refusing the connection request refuses the connection request if the computing device is not authorized.
  - 21. The computing system of claim 19, further comprising:
    - means for determining an identifier of an interface at which the connection request is received; and
      
      means for storing second information identifying interfaces at which connection requests should be refused,wherein the means for determining determines whether the connection request should be refused based at least in part upon the determined interface identifier and the stored second information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Varadharajan, Prakash, Dornemann, Henry W., Gokhale, Parag
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
SONG, HEE K

Application Number

US12/643,653
Publication Number

US 20100242096A1
Time in Patent Office

1,226 Days
Field of Search

726 2- 7, 726/17, 726 26- 31, 711/162, 711/163, 709/3, 709/9, 709/202, 709/205, 709/204, 713/189, 713/193
US Class Current

726/4
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

Managing connections in a data storage system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

320 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Managing connections in a data storage system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

320 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links