Modern networking continues to provide an improvement in communication and information access. As an example, in-house data centers, associated with a particular entity of interrelated group of users, could contain a large number of information technology (IT) resources that are interconnected through a network. These networks are configured in different ways depending on implementation-specific details such as the hardware used and the physical location of the equipment, and depending on the particular objectives of the network. One common type of network configuration is a local area network (LAN). In actual practice, a typical LAN will include large numbers of computer systems and switches (as well as other devices). Another common type of network configuration is a storage area network (SAN). In actual practice, a typical SAN will include large numbers of disk logical units (LUNs) of a disk array and switches (as well as other devices). Devices such as computer systems, routers, switches, load balancers, firewalls, and the like, are commonly linked to each other in networks.
Generally, the in-house data centers include technicians working from a network operation center (NOC). The technicians issue commands to control the deployment of servers and to control the supporting infrastructures, such as disk logical units (LUNs) in a disk array, network switches in the LAN, and switches in the SAN.
Once the servers, the SAN switches and the disk array have been configured to properly map one or more LUNs to a server, additional security can be achieved by defining a network access control construct, such as an access control list (ACL), that specifies the source and destination port identifiers for the devices that are allowed to communicate via the ports of the SAN switches. Therefore, the ACL prevents abusive or erroneous use of the SAN including access to the LUNs of the disk array in an unauthorized manner.
In general, the network access control constructs (e.g., ACLs) that are configured by commands from the NOC, include many steps which must be coordinated. This method is expensive and prone to error, especially if the data center environment is dynamic, with high demand for changes in computer deployment and therefore a need to change the content of the ACLs. Additionally, a malicious attack on the configuration of the SAN switches could result in alteration of ACL definitions, thereby allowing the attacker to access confidential data.