WO2015148266A1 - Content segregation via logical unit number (lun) masking - Google Patents


Info

Publication number: WO2015148266A1
Authority: WO (WIPO (PCT))
Prior art keywords: user, client device, access, permissions, lun
Application number: PCT/US2015/021515
Other languages: French (fr)
Inventors: Jean-Sebastien BETSCH, Adrian RAMOS
Original Assignee: Thomson Licensing
Application filed by Thomson Licensing
Publication of WO2015148266A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • Fig. 6 is a block diagram of an exemplary embodiment of the present invention.
  • Fig. 6 includes a network controller, which includes a number of modules.
  • This I/O module is in communication with a security database where users' permissions are stored, including users' masking permissions in accordance with the principles of the present invention.
  • The security database is in communication with a module which performs spoofing of a user's WWN into the client device onto which the user is logged on.
  • This module also maps the LUNs according to the user's permissions. When the user logs out (off), this module also unmaps the LUNs and unspoofs the user's WWN.
  • This module is in communication with an access module which permits the user to access the content segregated network resources in accordance with the spoofing and mapping. The content is segregated on the various LUNs of one or more SANs.
  • The present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof.
  • Special purpose processors may include application specific integrated circuits (ASICs), reduced instruction set computers (RISCs) and/or field programmable gate arrays (FPGAs).
  • The present invention is implemented as a combination of hardware and software.
  • The software is preferably implemented as an application program tangibly embodied on a program storage device.
  • The application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
  • The machine is implemented on a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interface(s).
  • The computer platform also includes an operating system and microinstruction code.
  • The various processes and functions described herein may either be part of the microinstruction code or part of the application program (or a combination thereof), which is executed via the operating system.
  • Various other peripheral devices may be connected to the computer platform such as an additional data storage device and a printing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A method is described for performing content segregation by a network security system using logical unit number masking. Also described is a method including logging on to a client device by a first user, retrieving permissions from a database for the first user, spoofing a worldwide name for the first user into the client device host bus adapter, mapping logical unit numbers according to the first user's permissions and accessing content segregated network resources.

Description

CONTENT SEGREGATION VIA LOGICAL UNIT NUMBER (LUN) MASKING
FIELD OF THE INVENTION
The present invention is related to providing a LUN masking at a user level (i.e., users of a client) such that user access to volumes of a storage area network (SAN) can be restricted.
BACKGROUND OF THE INVENTION
In multicast and broadcast applications, data are transmitted from a server to multiple receivers over wired and/or wireless networks. A multicast system as used herein is a system in which a server transmits the same data to multiple receivers simultaneously, where the receivers form a subset of all the receivers up to and including all of the receivers. A broadcast system is a system in which a server transmits the same data to all of the receivers simultaneously. That is, a multicast system by definition can include a broadcast system.
In conventional Storage Area Networks (SANs) all data on the SAN is accessible to clients connected to the SAN. As used herein a client is an end device which is used by users. That is, in production type facilities, a client (client device) may be used by any authorized user and is not restricted to any particular user. Exemplary clients for Technicolor include internal production machines, each having a fiber card with a worldwide name (WWN) that indicates to which SAN the fiber card has access. However, Technicolor customers (e.g., Disney and other studios) want to limit which clients have access to the customer's data on the SAN. For example, the customer may desire that only certain clients (i.e., certain production machines) have access to the client's data on the SAN. An additional example is that the customer may also want to limit which Technicolor employees can access the customer's data on the SAN (i.e., the customer may only want a single Technicolor employee to access the customer's data, may desire to limit the time of day or work shift during which the Technicolor employee can access the data, and the like).
A conventional approach to fulfilling the desire of Technicolor's customers would be to have a dedicated SAN for each Technicolor customer. However, SANs are expensive and this type of solution is cost prohibitive.
SUMMARY OF THE INVENTION
Traditional LUN (Logical Unit Number) masking is provided at a client device (e.g., production machine) level such that the client device is given access to specific folders or volumes within a Storage Area Network (SAN). The present invention is directed to providing LUN masking at a user level (i.e., users of a client) such that user access to volumes of a storage area network (SAN) can be restricted.
The present invention proposes content segregation by leveraging LUN masking as a mechanism for end user authentication and access. That is, LUN masking is organized at the user level instead of at the host bus adapter (HBA) hardware level (worldwide name).
The digital cinema industry is moving towards tighter security, which requires segregation of content. So far, this has been strictly physical segregation, but the present invention permits logical segregation as well.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is best understood from the following detailed description when read in conjunction with the accompanying drawings. The drawings include the following figures briefly described below:
Fig. 1 is a schematic diagram showing conventional LUN masking.
Fig. 2 is a schematic diagram showing a simplified direct access to storage.
Fig. 3 is a schematic diagram showing the LUN masking of the present invention where the worldwide name is altered based on user login.
Fig. 4 is a simplified diagram of the operation of the present invention.
Fig. 5 is a flowchart of an exemplary implementation of the present invention.
Fig. 6 is a block diagram of an exemplary embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention is described in terms of a content mastering system but is not so limited and may be used anywhere access to content may or must be segregated by user and in particular, where SANs are used for content storage.
A storage area network (SAN) is a dedicated storage fabric that provides access to clustered, block level data storage. SANs are primarily used to make volumes and file system storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the operating system. A SAN typically has its own network of storage devices that are generally not accessible through the local area network by other devices.
LUN masking is an authorization process that makes a Logical Unit Number available to some hosts and unavailable to other hosts. LUN masking is mainly implemented at the HBA level. The security benefits of LUN masking implemented at HBAs are limited, since with many HBAs it is possible to forge source addresses (WWNs/MACs/IPs) and compromise the access. Many storage controllers also support LUN masking. When LUN masking is implemented at the storage controller level, the controller itself enforces the access policies to the device, which makes access more secure. However, it is mainly implemented not as a security measure per se, but rather as a protection against misbehaving servers which may corrupt disks belonging to other servers. Conventional LUN masking is used to restrict a client's access to a specific volume on a Storage Area Network. Note that client device refers to a server/machine, not a user. The server is identified by a worldwide name that is hard-coded in the fiber card of the server. As a result, any user logging on to the server will have the same access to the volumes. In the present invention, the user logs on to a server and overwrites the default server WWN with a personal WWN that refers to a user (person). Therefore, depending on who logs on to a server, the visibility of volumes is different. Thus, the present invention is a security protocol to restrict user visibility to a SAN.
A host bus adapter (HBA) connects a host system (the computer) to other network and storage devices. The term is primarily used to refer to devices for connecting small computer system interface (SCSI), Fibre Channel and external serial advanced technology attachment (eSATA) devices. eSATA is an external computer bus interface that connects HBAs to mass storage devices such as hard disk drives and optical drives.
A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address.
A worldwide name (WWN) or worldwide identifier (WWID) is a unique identifier used in storage technologies including Fibre Channel, Advanced Technology Attachment (ATA) or Serial Attached SCSI (SAS). A WWN may be employed in a variety of roles, such as a serial number or for addressability; for example, in Fibre Channel networks, a WWN may be used as a WWNN (worldwide node name) to identify a switch, or a WWPN (worldwide port name) to identify an individual port on a switch.
A network controller/metadata controller (or MDC) is a storage area network (SAN) technology for managing file locking, space allocation and data access authorization. This is needed when several clients are given block level access to the same disk volume. MDC examples include Data Direct Network Controller and Quantum D660.
The present invention provides an additional layer of software, which can provide an additional security mechanism that other (less burdensome, but more expensive, less flexible) solutions do not provide. That is, the present invention can provide logging, and easy, dynamic granting or denying of access through user account management. This additional software layer also provides flexibility to meet further security needs that might evolve in the future. The present invention promotes a secure, logged, user oriented LUN masking mechanism that answers many of the security needs of studios (customers).
Fig. 1 is a schematic diagram showing conventional LUN masking. In Fig. 1 each client device is assigned a worldwide name, and each client device is logged in to the network controller via an HBA. The network controller advises the fiber switch of the client logging in and the client's worldwide name. The client's worldwide name is mapped to a particular LUN or multiple LUNs by LUN masking. For example, client device 1 is assigned WWN1, which is mapped via LUN masking to LUN C only. Client device 1 logs on to the network controller via its HBA. The network controller advises the fiber switch of client device 1 logging in. The fiber switch allows WWN1 to access LUN C only. Client device 2 is assigned WWN2, so when client device 2 logs on to the network controller via the HBA, the network controller advises the fiber switch of client device 2 logging in and the client device's worldwide name. The fiber switch allows WWN2 to access LUN A, LUN B and LUN C. Client device 3 is assigned WWN3, which is mapped via LUN masking to LUN A only. Client device 3 logs on to the network controller via its HBA. The network controller advises the fiber switch of client device 3 logging in. The fiber switch allows WWN3 to access LUN A only.
It does not matter which user is sitting at any of the client devices (work stations, client, server). It only matters what worldwide name is assigned to the client device (client, work station, server). In a content mastering environment, any user could sit at any work station (client, client device, server) and access whatever the worldwide name was authorized to access. By sitting at client device 2, a user that was not authorized by a particular studio to access the content of that studio would be granted access to the content simply based on which client (work station, client device, server) the user logged on to. This is not acceptable to some studios. Some studios want access to their content restricted to one or a very small number of users, or perhaps to a particular user or small number of users and further only at specified times (work shifts and/or work days).
A conventional approach to fulfilling the desire of studios (customers) would be to have a dedicated SAN for each customer (studio). However, SANs are expensive and this type of solution is cost prohibitive.
Fig. 2 is a schematic diagram showing a simplified direct access to storage. In the approach shown in Fig. 2, clients (client devices, work stations, servers) would have direct access (probably via hard-wiring) to the LUN storage to which their worldwide name allowed access. This does not really solve the problem of controlling access by user rather than by client (client device, server, work station). As shown in Fig. 1, client device 1 has access only to LUN C. Client device 3 has access only to LUN A and client device 2 has access to LUN A, LUN B and LUN C.
Fig. 3 is a schematic diagram showing the LUN masking of the present invention where the worldwide name is altered based on user login. In Fig. 3 a user logs on to a client device. In the case shown in Fig. 3, user A logs on to client device 1. Upon login of user A (and proper identification of user A by some means known in the art such as user identification and password or biometric data such as fingerprint or iris scan), a script is executed which maps user A to WWN1. Software captures the user credential and in turn spoofs the HBA's worldwide name to a worldwide name which is unique to each user, thereby carrying the LUN masking configuration specific to a user onto any machine the user is logged into.
Fig. 4 is a simplified diagram of the operation of the present invention. In Fig. 4 (1) user A logs in on client device 1 and accesses LUN C. In Fig. 4 (2) when user A is done, user A logs off of client device 1. In Fig. 4 (3) user B then logs in on client device 1 and accesses LUN A, LUN B and LUN C in accordance with user B's access permissions.
Fig. 5 is a flowchart of an exemplary implementation of the present invention.
In Fig. 5, when user A logs in using a particular client device, the security database is accessed in order to retrieve the permissions for user A. A user's identity is verified or confirmed by using a user ID and password or biometric data. The WWN for user A is spoofed into the client device HBA. The LUNs are mapped according to user A's LUN masking permissions. User A uses the network resources to complete his/her work, whereupon user A logs out/off of the particular client device. Network resources include LUNs of a SAN. Upon receiving the log out/off, the LUNs are unmapped by the security system of the present invention. User A's WWN is unspoofed from the client device's HBA. The particular client device is now ready to accept a new user to log in/on. There is a need to establish a user priority protocol in order to resolve conflicts that will emerge from multiple users on client devices. When multiple users log in to a client device, whose WWN is used? If a user logs out while operations are in progress, what happens to the content and to the mapping (access) to the content?
When multiple users log in to a client device (client, work station, server), the wwn used to define access to the SAN is always the one associated with the first user to log in. This will define SAN access until the user logs out or is idle for a certain period of time and is automatically logged off the client device. In case of several users logging in remotely, a hierarchy of users can be created and only users with equal or superior credentials will be permitted to log in alongside an existing user. The client device and, therefore, all users logged in will however keep the access level and wwn of the first user. A new wwn can only be spoofed when all users are logged off and a new single user logs in.
When a user logs off while operations are in progress, the client device retains the wwn and access level of the user until all operations are completed. It is only then that the user is "really" logged off of the client. This will prevent any interruption in accessing data on the SAN. If another user tries to log in while operations are still in progress, the multiple user protocol is the same as for multiple users described above. Once operations are completed, and if another user has logged in while those operations were in progress, he/she is prompted and given the choice to re-log in to spoof his/her own personal wwn.
In the scenario shown in Fig. 3 above, if user B logs in while user A is logged in, then user B is limited to LUN C unless user B is a super user (a user with superior security credentials and permissions). If user A then logs out, user B is still only given access to LUN C. User B will, however, be prompted to log out and log back in again in order to receive full access to LUNs A, B and C. In the scenario depicted in Fig. 3, if user C logs in while user A is logged in, then user C has no access unless user C is a super user. This is because user C only has access permission for LUN A, user A has no access to LUN A, and user C is limited to user A's access permissions.
The security protocol can also be tightened to only allow one user at a time, with a super user who would be able to log in at any time and also force the log off of other users. Fig. 6 is a block diagram of an exemplary embodiment of the present invention. Fig. 6 includes a network controller, which includes a number of modules. There is an I/O module for accepting users logging in/out (off), which is also used to provide for user identity verification (confirmation). This I/O module is in communication with a security database where users' permissions are stored, including users' masking permissions in accordance with the principles of the present invention. The security database is in communication with a module which performs spoofing of a user's wwn into the client device onto which the user is logged on. This module also maps the LUNs according to the user's permissions. When the user logs out (off), this module also unmaps the LUNs and unspoofs the user's wwn. This module is in communication with an access module which permits the user to access the content segregated network resources in accordance with the spoofing and mapping. The content is segregated on the various LUNs of one or more SANs.
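To make the login/logout sequence of Fig. 5 and the multi-user rules above concrete, the following is an added simulation of the per-user LUN masking policy; it is example code written for this page, not the patent's or Thomson Licensing's implementation. It models only the policy state of one client device: the security database entries, WWNs and LUN names are constructed, "equal or superior credentials" is taken to mean a superset of the first user's LUN permissions or a super-user flag, and a super user is assumed to receive its own permissions; no HBA is touched.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed security database (not the patent's): user -> (wwn, LUN permissions, super user)
SECURITY_DB = {
    "userA": ("WWN1", {"LUN C"}, False),
    "userB": ("WWN2", {"LUN A", "LUN B", "LUN C"}, False),
    "userC": ("WWN3", {"LUN A"}, False),
    "super": ("WWN9", {"LUN A", "LUN B", "LUN C"}, True),
}
@dataclass
class ClientDevice:
    """HBA state of one client device under the multi-user protocol."""
    active_wwn: Optional[str] = None   # WWN the HBA presents; None = unspoofed
    profile: Optional[str] = None      # first user; their permissions define access
    logged_in: list = field(default_factory=list)
    pending_ops: int = 0               # SAN operations still in progress
    deferred_logoff: set = field(default_factory=set)

    def mapped_luns(self):
        """LUNs mapped on this device: the first user's masking permissions."""
        return set(SECURITY_DB[self.profile][1]) if self.profile else set()

    def login(self, user):
        """Return the LUNs the user may reach, or None if the login is refused."""
        wwn, perms, is_super = SECURITY_DB[user]
        if self.profile is None:                      # single user: spoof and map
            self.active_wwn, self.profile = wwn, user
        elif not (is_super or perms >= self.mapped_luns()):
            return None                               # credentials not equal or superior
        self.logged_in.append(user)
        # later users keep the first user's access level; a super user keeps its own
        return set(perms) if is_super else perms & self.mapped_luns()

    def logout(self, user):
        """Return users prompted to re-login, or None if the logoff is deferred."""
        if self.pending_ops:                          # retain wwn until operations end
            self.deferred_logoff.add(user)
            return None
        self.logged_in.remove(user)
        if not self.logged_in:                        # last user out: unmap and unspoof
            self.active_wwn = self.profile = None
            return []
        return list(self.logged_in) if user == self.profile else []

    def complete_operations(self):
        """All in-progress operations finished: apply deferred logoffs."""
        self.pending_ops = 0
        prompted = []
        for user in sorted(self.deferred_logoff):
            prompted += self.logout(user) or []
        self.deferred_logoff.clear()
        return prompted
```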
It is to be understood that the present invention may be implemented in various forms of hardware, software, firmware, special purpose processors, or a combination thereof. Special purpose processors may include application specific integrated circuits (ASICs), reduced instruction set computers (RISCs) and/or field programmable gate arrays (FPGAs). Preferably, the present invention is implemented as a combination of hardware and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage device. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (CPU), a random access memory (RAM), and input/output (I/O) interface(s). The computer platform also includes an operating system and microinstruction code. The various processes and functions described herein may either be part of the microinstruction code or part of the application program (or a combination thereof), which is executed via the operating system. In addition, various other peripheral devices may be connected to the computer platform such as an additional data storage device and a printing device.
It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures are preferably implemented in software, the actual connections between the system components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

Claims

1. A method, said method comprising performing content segregation by a network security system using logical unit number masking.
2. A method, said method comprising:
logging on to a client device by a first user;
retrieving permissions from a database for said first user;
spoofing a worldwide name for said first user into said client device host bus adapter;
mapping logical unit numbers according to said first user's permissions; and
accessing content segregated network resources.
3. The method according to claim 2, said method further comprising:
logging out of said first user from said client device;
unmapping said logical unit numbers; and
unspoofing said worldwide name for said first user from said client device.
4. The method according to claim 2, wherein said database is a security database.
5. The method according to claim 2, wherein said permissions are masking permissions.
6. The method according to claim 2, wherein said network resources include logical unit numbers of a storage area network.
7. The method according to claim 2, further comprising:
receiving a login request from a second user;
determining if said second user has permissions at least as great as said first user;
retrieving said worldwide name of said first user; and
limiting access to said network resources by said second user to access to said network resources granted to said first user.
8. The method according to claim 7, further comprising:
logging out of said first user from said client device;
unmapping said logical unit numbers;
unspoofing said worldwide name for said first user from said client device; and
prompting said second user to log out and to re-login to gain full permissions of said second user.
9. The method according to claim 2, wherein said method is performed by a security system resident in a network controller.
PCT/US2015/021515 2014-03-24 2015-03-19 Content segregation via logical unit number (lun) masking WO2015148266A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201461969309P 2014-03-24 2014-03-24
US61/969,309 2014-03-24

Publications (1)

Publication Number Publication Date
WO2015148266A1 true WO2015148266A1 (en) 2015-10-01

Family

ID=52988408

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/021515 WO2015148266A1 (en) 2014-03-24 2015-03-19 Content segregation via logical unit number (lun) masking

Country Status (1)

Country Link
WO (1) WO2015148266A1 (en)



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15717301; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15717301; Country of ref document: EP; Kind code of ref document: A1)