1. Field of the Invention
The present invention relates to a system constituted of a storage device connected to a network and a plurality of information processing apparatuses.
2. Description of the Related Art
Attention has recently been paid to the network storage technology IP-SAN (Internet Protocol-Storage Area Network), which uses an IP network whose initial cost is lower than that of a network using Fibre Channel (hereinafter abbreviated to “FC”). The IP network requires, however, an additional cost for maintaining security, because many security-threatening cracking tools are in circulation.
As the security countermeasure for a conventional FC-SAN, LUN (Logical Unit Number) masking has been used. LUN masking is a technique in which the storage device restricts access from a computer to a logical unit (hereinafter abbreviated to LU) of the storage device, to prevent illegal data reference, alteration and erasure.
If the LUN masking technique of FC-SAN is to be realized in IP-SAN, a computer permitted to access each LUN of a storage device is designated by the IP address assigned to the computer. It is, however, easy to tap a packet sent to or received from another computer connected to the same subnet in the IP network. Therefore, if the same network is shared by two or more departments or businesses, data security cannot be ensured, and configuring LUN masking alone is insufficient as a security countermeasure. It is therefore necessary to use other security techniques together with LUN masking.
One candidate for the security technique to be used with LUN masking is data encryption utilizing IPSec techniques or the like. However, a cryptography process places a large load on a CPU. If this process is applied to IP-SAN, the I/O performance of the storage device is degraded. Although the cryptography process may be executed by dedicated hardware in order to suppress such performance degradation, this approach is unsatisfactory as the security technique to be used together with LUN masking because it requires a high initial cost.
Another candidate for the security technique is VLAN (Virtual Local Area Network) techniques, according to which one physical network is divided into a plurality of logical networks. With the VLAN techniques, one or more computers among which data tapping poses no problem, such as those used by the same department, are classified into one group. Each group is assigned a logical network to prevent data tapping by other groups. VLAN has been adopted by most LAN switches, so there is no additional initial cost. It can therefore be expected that a combination of LUN masking and VLAN technologies will be used as the security countermeasure of IP-SAN.
Techniques of reducing the load of configuring VLAN are disclosed in JP-A-2001-53776.
The configuration work of LUN masking and VLAN must be performed not only on the storage device but also on the switches in IP-SAN. Since the configuration work is required on different devices, a system user or administrator bears a heavy workload.
In the configuration work of LUN masking, a computer is designated by an IP address (or domain name), whereas in the configuration work of VLAN, a computer must be designated by a port ID identifying the port of the switch to which it is connected. Since the configuration work of LUN masking and that of VLAN designate a computer by different IDs, a configuration mistake is likely to occur.
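The mismatch described above can be checked mechanically by cross-referencing the two configurations. The following is an added example, not part of the original document or of the disclosed invention. It assumes a hand-maintained inventory that maps each host IP address to its switch port; all names, addresses, port IDs and VLAN IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample configuration (all values are illustrative).
LUN_MASKING = {            # storage side: LU -> IP addresses allowed to access it
    "LU0": {"192.0.2.11", "192.0.2.12"},
    "LU1": {"192.0.2.21", "192.0.2.22", "192.0.2.23"},
}
HOST_PORT = {              # assumed inventory: host IP -> switch port ID
    "192.0.2.11": "sw1/1", "192.0.2.12": "sw1/2",
    "192.0.2.21": "sw1/3", "192.0.2.22": "sw1/4",
    "192.0.2.31": "sw1/5",
}
PORT_VLAN = {              # switch side: port ID -> VLAN ID
    "sw1/1": 10, "sw1/2": 10, "sw1/3": 20, "sw1/4": 10, "sw1/5": 20,
}

def audit(lun_masking, host_port, port_vlan):
    """Return sorted (kind, lu, detail) findings where the two configs disagree."""
    findings = []
    vlan_members = defaultdict(set)          # VLAN ID -> host IPs on its ports
    for ip, port in host_port.items():
        if port in port_vlan:
            vlan_members[port_vlan[port]].add(ip)
    for lu, allowed in lun_masking.items():
        vlans = defaultdict(set)             # VLAN ID -> allowed hosts found in it
        for ip in allowed:
            port = host_port.get(ip)
            if port is None:                 # masked-in IP with no known port
                findings.append(("no-port", lu, ip))
            elif port not in port_vlan:      # port exists but has no VLAN
                findings.append(("no-vlan", lu, ip))
            else:
                vlans[port_vlan[port]].add(ip)
        if len(vlans) > 1:                   # one LU's hosts split over VLANs
            findings.append(("split", lu, ",".join(map(str, sorted(vlans)))))
        for vlan in vlans:                   # hosts sharing the VLAN but not the LU
            for ip in vlan_members[vlan] - allowed:
                findings.append(("outsider", lu, f"{ip}@vlan{vlan}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(LUN_MASKING, HOST_PORT, PORT_VLAN):
        print(*finding)
```

An "outsider" finding marks a host that sits in the same logical network as an LU's traffic without being permitted by that LU's mask, which is the tapping exposure the VLAN grouping is meant to prevent.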
The techniques disclosed in the above-cited JP-A-2001-53776 automatically perform the configuration work of VLAN when a switch to which a computer is connected is changed, and do not solve the above-described problem.