This invention relates to network computer systems having one or more host computers and one or more storage devices. Specifically, in a Storage Area Network (SAN), the invention pertains to a structure and method for making transfer of data between hosts and storage devices secure.
Storage virtualization describes the process of representing, to a user, a number of discrete physical storage devices as a single storage pool having a single set of characteristics. For example, in a storage area network connecting host computers with storage devices, the user perceives a single block of disk space with a defined reliability (e.g., 100 GB at RAID1); however, the user's host computer is configured to access the storage devices such that 100 GB at RAID1 is provided, regardless of whether the data is stored on a single RAID1 disk array or is split across multiple, separate disks.
In the above situation, each host computer must be aware of the storage devices connected to the storage area network because each host computer manages the storage virtualization that is presented to its users. When the storage devices connected to the storage area network are modified (such as a new device being added or an existing device being removed), each host computer must be reconfigured to accommodate the modification. Such reconfiguration involves work by network administrators and means that changes in the network are not seamless.
Sharing storage between clustered hosts or clustered applications may require sophisticated access controls to prevent problems with data integrity. Usually, such access controls are distributed throughout the network. The host manages access to volumes by applications using access control lists of the file system. The host bus adapter manages access to the raw volume using Logical Unit Number (LUN) masking. A fibre channel switch manages access from one port to another using port zoning and can provide switch-based LUN masking. Lastly, the storage device itself manages access to volumes using LUN masking.
However, managing device security as described above (i.e., a box at a time) does not scale when considering large SANs. In addition, every time the SAN changes by adding or removing an element, the administrator must reconfigure access rights manually. Mistakes made during this process can create the potential for security breaches.
Data Warehouses (and Data Marts) are critical components of an enterprise's Decision Support System. These components organize and collect data into databases available for searching and mining for information using Business Intelligence solutions. These collections of data often serve as the basis of crucial business decisions.
In order to support data warehouses and data mining applications, storage systems may offer shared access to storage devices. Typically, such shared access can be READ/WRITE or READ ONLY. Usually, one host is granted write access to a SCSI LUN and serves to load and update the database. Once all the data is loaded, the access rights of that host become READ ONLY. Another host is used to copy the data into other databases, from which reports and other analyses are generated. Lastly, mined information may be presented READ ONLY as web pages using web servers.
Changing the access rights of a host under the configuration just described is a manual process. Because data mining is done on a periodic basis (such as daily or monthly), and because changing access rights is performed manually, such applications may consume substantial resources to manage the operation.
Another potential security issue in a heterogeneous, open-systems environment relates to Vendor-unique requests, and in particular in-band management. Specifically, access control on a SCSI logical unit may not be possible on Vendor-unique requests without knowing exactly the effect of the request on the unit. For example, READ ONLY access rights granted to a host should not permit an in-band management request from that host to remove a LUN, or to modify a SCSI mode page.
A similar potential security problem relates to unit reservation. When commands are Vendor-unique, it may not be possible to know if executing a command violates unit reservation.
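The access-control problem with Vendor-unique requests can be made concrete with a small per-LUN authorization check. This is an added example, not code from the patent: the names `Access`, `authorize` and `ACL`, the sample WWNs and the policy of denying every vendor-specific opcode (0xC0-0xFF) regardless of rights are assumptions made for illustration.

```python
from enum import Enum

class Access(Enum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2

# Standard SCSI opcodes (first CDB byte) that do not modify the logical unit.
READ_SAFE = {
    0x00, 0x03, 0x08,  # TEST UNIT READY, REQUEST SENSE, READ(6)
    0x12, 0x1A, 0x5A,  # INQUIRY, MODE SENSE(6), MODE SENSE(10)
    0x25, 0x28, 0x88,  # READ CAPACITY(10), READ(10), READ(16)
    0xA0,              # REPORT LUNS
}
# Standard opcodes that change data or device state (e.g. a mode page).
MODIFYING = {
    0x0A, 0x2A, 0x8A,  # WRITE(6), WRITE(10), WRITE(16)
    0x15, 0x55,        # MODE SELECT(6), MODE SELECT(10)
}

def is_vendor_unique(opcode):
    # SCSI opcode groups 6 and 7 (0xC0-0xFF) are vendor specific.
    return 0xC0 <= opcode <= 0xFF

def authorize(acl, wwn, lun, cdb):
    """Return True if this initiator's CDB may be forwarded to the LUN."""
    # LUN masking: an initiator/LUN pair that is not listed gets no access.
    rights = acl.get((wwn, lun), Access.NONE)
    if rights is Access.NONE or not cdb:
        return False
    opcode = cdb[0]
    if is_vendor_unique(opcode):
        # Effect on the unit is unknown, so it cannot be checked against
        # READ ONLY rights or a reservation. Assumed policy: deny.
        return False
    if opcode in READ_SAFE:
        return True
    if opcode in MODIFYING:
        return rights is Access.READ_WRITE
    return False  # unclassified opcodes are denied by default

# Constructed sample policy: a loader host and a reporting host share LUN 0.
LOADER = "10:00:00:00:c9:00:00:01"
REPORTER = "10:00:00:00:c9:00:00:02"
ACL = {(LOADER, 0): Access.READ_WRITE, (REPORTER, 0): Access.READ_ONLY}
```

Because the table is keyed on the initiator's WWN, the check is only as trustworthy as the WWN presented at login.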
Still another potential security issue may be referred to as “World Wide Name (WWN) Spoofing”. The use of the port WWN to restrict access is known. However, the host WWN may readily be obtained through unauthorized server access (a “break in”). And once the host WWN has been obtained, another port can be inserted into the network using the same WWN.
Accordingly, embodiments of the present invention are directed toward improvements of security in storage network devices.