AUTHENTICATED ACCESS TO STORAGE
1. Field of the Present Invention
The present invention generally relates to the field of data processing and more particularly to a method and implementation for secured or authenticated access to a storage area network, particularly, a Fibre Channel compliant storage area network.
2. History of Related Art
In the field of data processing, the rapidly growing number of data intensive applications has produced a seemingly insatiable demand for raw data storage capacity. Meeting the demands of applications such as data warehousing, data mining, on-line transaction processing, and multimedia internet and intranet browsing requires approximately twice as much new storage capacity each year. In addition, the number of network connections for server-storage subsystems is also rapidly increasing. With the rise of client networking, data intensive computing applications, and electronic communications applications, virtually all network stored data is mission critical. Increased reliance on being able to access networked stored data is challenging the limitations of traditional server-storage systems. As a result, adding more storage, servicing more users, and backing up more data have become never-ending tasks. The parallel Small Computer System Interface (SCSI) bus widely used for server-storage connectivity on Local Area Network (LAN) servers is imposing severe limits on network storage. Compounding these limits is the traditional use of LAN connections for server-storage backup, which detracts from usable client bandwidth.
The Storage Area Network (SAN) is an emerging data communications platform that interconnects servers and storage at Gigabaud speeds. SAN attempts to eliminate the bandwidth bottlenecks and scalability limitations imposed by SCSI architectures by integrating LAN networking models with the core building blocks of server performance and mass storage capacity. The Fibre Channel protocol is a widely endorsed open standard for the SAN environment. Fibre Channel combines high bandwidth and high scalability with multiple protocol support, including SCSI and IP, over a single physical connection. This enables the SAN to serve as both a server interconnect and as a direct interface to storage devices and storage arrays.
Unfortunately, the openness that is at least partially responsible for the increasing prevalence of Fibre Channel storage area networks creates a potentially significant security issue for a tremendous number of large (as well as small) and highly valued databases. As an open standard, the Fibre Channel network is susceptible to many of the same security concerns as the Internet. A malicious hacker who was able to gain control of a host bus adapter connected to a Fibre Channel switch may be able to alter, delete, or otherwise damage data across the entire SAN. An unauthorized user who gains access to a Fibre Channel fabric attached element can compromise a Fibre Channel switch in at least three ways. First, the user may write software to use the existing Fibre Channel device interface to compromise the fabric operating environment. Second, the user could install device level drivers that try to compromise the fabric operating environment at the Fibre Channel physical and signaling interface (FC-PH) level. Third, the user could install a doctored host bus adapter that has hardware or micro-code that tries to exploit the fabric operating environment at the FC-PH level. Therefore, it would be highly desirable to implement a secure and cost effective mechanism for assuring the integrity of transactions that occur on a SAN network.
SUMMARY OF THE INVENTION
The problem identified above is addressed in the present invention by a method and system for authenticated access to a storage area network (SAN). Initially, a password is retrieved from a first copy of a password table in response to an access (login) request, the first copy of the password table residing on a switch and corresponding to a switch port. The password is used to retrieve a response from the first copy of the password table. The response is encrypted according to a first copy of an encryption key stored on the switch. The encrypted password is then sent to the node requesting access to the SAN, where it is decrypted according to a second copy of the encryption key residing on the node. The decrypted password is used to retrieve a response from a second copy of the password table residing on the node. The response is encrypted according to the second copy of the encryption key and sent back to the switch port. The response received from the node is then compared with the response determined from the first copy of the password table. Access to the SAN is permitted if the two responses match and denied otherwise. The method further includes a mechanism for generating codes based on hardware serial ID numbers (or other unique values) and comparing the serial ID numbers against previously stored codes to determine if the hardware serial numbers have changed and allowing or denying access to the SAN based upon that determination.
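The exchange summarised above, simulated end to end as an added illustration that is not the patent's own code: the switch picks the port's password, encrypts it for the node, the node looks up and encrypts its response, and the switch compares that response with the one its own table copy predicts. The password table, the key and the use of AES-128-GCM to stand in for "encrypt according to the key" are assumptions, since the patent names no cipher.

```ruby
require 'openssl'

# Constructed password table (password -> response). The patent keeps one copy on
# the switch, indexed by switch port, and a second copy on the node.
PASSWORD_TABLE = { 'port7-secret' => 'port7-reply' }.freeze

# Constructed 128-bit key; again one copy on the switch and one on the node.
SHARED_KEY = '0123456789abcdef'.b.freeze

# Models "encrypt according to the key" with AES-128-GCM (an assumption, the patent
# names no cipher). Returns nonce || tag || ciphertext so the receiver can verify it.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ct
end

# Decrypts a seal() message; returns nil on a wrong key, a tampered or a short message.
def open_msg(key, msg)
  return nil if msg.nil? || msg.bytesize < 28
  cipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  cipher.key = key
  cipher.iv = msg[0, 12]
  cipher.auth_tag = msg[12, 16]
  cipher.update(msg[28..]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Node side: decrypt the password, look up the response in the node's table copy,
# then encrypt the response with the node's key copy and send it back.
def node_answer(node_table, node_key, enc_password)
  password = open_msg(node_key, enc_password)
  response = node_table[password]
  response && seal(node_key, response)
end

# Switch side: challenge the node with the port's password and grant access only if
# the node's decrypted reply matches the response the switch's own table predicts.
def switch_login(switch_table, switch_key, node_table, node_key, password)
  expected = switch_table[password]
  return false unless expected
  reply = node_answer(node_table, node_key, seal(switch_key, password))
  return false unless reply
  got = open_msg(switch_key, reply)
  !got.nil? && OpenSSL.secure_compare(got, expected)
end
```

A node holding a different key copy or a different table copy fails at the comparison step rather than at the wire, which is exactly the mismatch case the patent denies access for.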
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects and advantages of the invention will become apparent upon reading the following detailed description and upon reference to the accompanying drawings in which:
FIG. 1A illustrates one embodiment of a storage area network suitable for implementing the present invention;
FIG. 1B illustrates greater detail of the Fibre Channel fabric of the network of FIG. 1A;
FIG. 2 is a block diagram of a data processing system suitable for connecting as a node to the storage area network of FIG. 1;
FIG. 3 is a simplified block diagram illustrating a link between a fabric switch in the storage area network and an endpoint node;
FIG. 4 depicts the software components of a storage area network authentication mechanism according to one embodiment of the present invention; and
FIG. 5 is a flow diagram illustrating a method of authenticating a storage area network according to one embodiment of the invention.
While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the drawings and detailed description presented herein are not intended to limit the invention to the particular embodiment disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present invention as defined by the appended claims.