1. Field of the Invention
The present invention relates generally to data processing systems. More specifically, the present invention is directed to a computer-implemented method, apparatus, and computer program product for securing access to node ports in a switched-fabric storage area network.
2. Description of the Related Art
A switched-fabric storage area network (SAN) is a dedicated network that serves to interconnect storage-related resources available to one or more networked servers. A SAN is typically separate from local area networks (LANs) and wide area networks (WANs). SANs are often characterized by high interconnection data rates between member storage peripherals. SANs are also often characterized by highly scalable architectures. SANs include both hardware and software for hardware management, monitoring, and configuration.
Fibre Channel (FC) Storage Area Networks (SANs) are highly prone to premeditated and accidental compromise by an unauthorized agent. When a Fibre Channel Storage Area Network (FC SAN) is compromised, the data contained in the attached storage devices can be stolen, changed, or destroyed by the unauthorized agent. The Fibre Channel Storage Area Network can be compromised in two broad ways: (1) unauthorized access to any of the components comprising the Storage Area Network itself, or (2) unauthorized access to any of the network-attached systems able to access any of the components comprising the Storage Area Network.
A host that is attached to the Fibre Channel Storage Area Network can maliciously try to gain access to a storage component for which it is not authorized. This type of attack is called spoofing, in which an unauthorized entity or agent tries to appear as an authorized entity or agent through some sort of deception. There are two scenarios in which spoofing can be used to gain unauthorized access to a Storage Area Network storage component: (1) a spoofing host system gains unauthorized access to the Fibre Channel (FC) switch and uses any other visible host World Wide Port Name (WWPN) as its assigned WWPN to gain unauthorized access to a storage subsystem port, or (2) a spoofing host system that has authorized access to the Fibre Channel switch uses a visible WWPN different from its assigned WWPN to gain unauthorized access to a storage subsystem port.
Visible WWPNs are those WWPNs that a host can obtain by querying the well-known name server service when logged into a Fibre Channel switch. These are the WWPNs that reside in the Fibre Channel switch's active zone, which contains all the host ports and storage ports that are permitted to connect to each other. The WWPN is a programmable feature of host ports, i.e. Host Bus Adapters (HBAs), and can be programmed to any value relatively easily by a knowledgeable system programmer.