1. Field of the Invention
The present invention relates to maintaining the security of data in a second storage (second storage system) connected to a network.
2. Description of Related Prior Art
In recent years, second storage, typified by the second storage system, has become network-oriented, and many universities and enterprises are developing technology in which the second storage is connected directly to a network such as a LAN (Local Area Network).
When the second storage is connected directly to the network, an unspecified number of host computers may access it. Accordingly, the security of data between the network and the second storage must be assured; that is, the second storage requires some form of security system.
Japanese Patent Laid-Open No. 10-333839 (hereinafter referred to as known example 1) discloses an example of a second storage equipped with a security system.
In the security system of known example 1, an administrator authenticates a host computer that is to access the second storage by means of an identifier (a World Wide Name in known example 1) and registers that identifier. Specifically, when the host computer requests a connection to the second storage, it transmits its World Wide Name to the second storage side. If the transmitted World Wide Name is a registered one, the security system of the second storage authorizes the host computer and allows it to connect to the second storage. If it is not registered, the system of the second storage returns a connection rejection response.
However, when the system of known example 1 is applied to the unspecified number of host computers present on a network, the registration work becomes enormous and the administrator's load increases greatly. Accordingly, it is not realistic to apply the system of known example 1 to a second storage directly connected to a network.
Further, the identifier to be registered may be forged. In addition, when a host computer that holds valid authorization for the second storage (namely, one whose identifier is registered) has itself been intruded upon, tampering with data cannot be prevented, because the intruded host computer holds valid authorization for the second storage.
A configuration in which an unspecified number of host computers connect to the second storage has not conventionally been common, and since security such as user authentication was provided by the host computer, a conventional second storage could not prevent destruction or leakage of its data caused by an illegal intrusion through the host computer. For example, early in 2000 an intruder who illegally obtained an administrator's authorization forged a web page file in the second storage of a web server of the Japanese Government. Since the administrator holds valid authorization, the second storage side cannot stop an illegal intrusion into the second storage originating from the host computer side.
A firewall protects the second storage against impersonation to a certain degree. A firewall has three network transportation ports: one for connecting to the Internet, one for connecting to the Intranet, and one for connecting to a demilitarized zone. Here, the demilitarized zone is a region in which only host computers that accept access from the Internet are placed. The probability of illegal intrusion increases when a host computer in the Intranet directly accepts access from the Internet; the demilitarized zone is therefore provided to protect the host computers in the Intranet against such intrusion.
The firewall determines whether a packet passing through a transportation port is passed or not according to rules made by the administrator. For example, the firewall compares the source IP address of the packet with the network transportation port through which the packet entered. When the packet enters from the Internet side, the firewall does not pass it even if the source IP address is an address in the Intranet, because such an IP address may well have been forged. Since the firewall limits access from external devices to the demilitarized zone, the probability of intrusion into the Intranet, where the important data resides, is reduced.
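The three-port rule set described above, modelled in Python as an added example (not part of the patent text); the address ranges, port names and packet fields are constructed for illustration.

```python
# Added example: a minimal model of the three-port firewall described in the text.
# It drops packets whose source address is inconsistent with the port they entered
# on (treated as forged) and confines Internet-originated traffic to the DMZ.
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumed for the example, not taken from the page).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")   # RFC 5737 documentation range
PORTS = ("internet", "intranet", "dmz")      # the three network transportation ports


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address as written in the packet header
    dst: str        # destination IP address
    ingress: str    # network transportation port the packet entered on


def zone_of(addr: str) -> str:
    """Classify an address by the zone it legitimately belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in INTRANET:
        return "intranet"
    if ip in DMZ:
        return "dmz"
    return "internet"


def decide(pkt: Packet) -> str:
    """Return 'pass' or 'drop' according to the administrator's rules."""
    if pkt.ingress not in PORTS:
        raise ValueError(f"unknown port {pkt.ingress!r}")
    # Rule from the text: a packet entering from the Internet side whose source
    # claims to be inside the Intranet (or DMZ) is treated as forged.
    if pkt.ingress == "internet" and zone_of(pkt.src) != "internet":
        return "drop"
    # Same check on the internal ports: the source must belong to that port's zone.
    if pkt.ingress != "internet" and zone_of(pkt.src) != pkt.ingress:
        return "drop"
    # External devices may reach only the demilitarized zone, never the Intranet.
    if pkt.ingress == "internet" and zone_of(pkt.dst) == "intranet":
        return "drop"
    return "pass"


if __name__ == "__main__":
    # Constructed sample: Intranet address arriving on the Internet port is dropped.
    print(decide(Packet("10.1.2.3", "10.9.9.9", "internet")))
```

The decision is still only pass or drop per packet, which is exactly the limitation the following paragraphs raise: the rule knows nothing about what the connection is later used for.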
As described above, the system of known example 1 would have difficulty preventing an unauthorized intruder who has obtained the authorization of a host computer from intruding into the second storage. This results from two features of known example 1: access is controlled by information transmitted from the host computer, and there are only two possible outcomes, connection authorization or connection rejection. Information transmitted from the host computer may be forged. And because there are only these two outcomes, once a connection has been authorized, every operation over that connection is authorized as well.
Furthermore, since the firewall judges only whether a packet is passed or not, it cannot provide fine-grained protection according to access classes with respect to the second storage. A directly network-connected second storage is connected to an unspecified number of host computers, and as the number of connected host computers grows, the rules for judging whether a packet is passed become complicated. Accordingly, the firewall is not a suitable protection method for the data in a directly network-connected second storage.