CN102611624A - Method and device for controlling safety access to storage network and switching equipment - Google Patents


Info

Publication number: CN102611624A
Authority: CN (China)
Prior art keywords: equipment, destination end, originating, end equipment, destination
Legal status: Pending
Application number: CN2012100717871A
Other languages: Chinese (zh)
Inventor: 谢伟武
Current assignee: Beijing Star Net Ruijie Networks Co Ltd
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN2012100717871A
Publication of CN102611624A

Abstract

The invention discloses a method and a device for controlling secure access to a storage network, and switching equipment, which are used to enhance the security and reliability of the storage network. The method for controlling secure access to the storage network includes the following steps: after receiving a connection establishment request message sent from initiating-end equipment to target-end equipment, acquiring the access authority control information between the initiating-end equipment and the target-end equipment; judging, according to the access authority control information, whether the initiating-end equipment has authority to access the target-end equipment; allowing the initiating-end equipment to access the target-end equipment if it has that authority; and forbidding the initiating-end equipment from accessing the target-end equipment if it does not.

Description

Storage network security access control method, device and switching equipment
Technical field
The present invention relates to the field of computer communication technology, and in particular to a storage network security access control method, device and switching equipment.
Background art
A storage area network (SAN, Storage Area Network) is a high-speed network or sub-network that provides data transfer between servers and storage devices, where a storage device means one or more disk devices used to store data. A SAN is made up of the communication structure responsible for the network connections, the management layer responsible for organizing those connections, the storage components and the computer systems connected to them, so as to guarantee secure data transmission. At present, the mainstream SAN technology is Fibre Channel (FC). FC defines a protocol stack that follows the OSI model; mutual access between the servers and storage devices of a SAN is realized through the FC protocol standards, and the FC protocols usually run on the switching equipment between the servers and the storage devices. Fig. 1 shows the structure of a storage network based on FC protocol technology (for ease of description, hereinafter simply called an FC network), comprising a server 101, switching equipment 102 and a storage device 103.
In an FC network, each device uses two types of address in order to communicate:
First type of address: the name identifier (Name ID), which is identified by a World Wide Name (WWN) address. A WWN is a 64-bit globally unique address. As its name suggests, it is used to globally and uniquely identify an object in the FC network; the object may be a switching device, a host device (server or storage device) or a port. In an FC network, every switching device needs a WWN address, which identifies the device and is used in the election of the principal switch of the FC network.
Second type of address: the FC ID address, a 24-bit local address allocated within each FC network. The scope of this address is a single FC network. Although the WWN address is globally unique, host devices in an FC network do not use the WWN address for mutual access; instead, every device is identified by an FC ID address dynamically allocated by the FC network, and data is exchanged through this address. As shown in Fig. 2, the FC ID address structure comprises three fields:
1. Domain ID (8 bits)
The Domain ID identifies a switching device in an FC network; every switching device in the FC network must have a unique Domain ID address. The whole FC network elects a single principal switch, which generates and distributes the Domain ID addresses; therefore the Domain ID can be used to identify a switching device in the FC network.
2. Area ID (8 bits)
The Area ID groups one or more ports of a switching device into the same area; by dividing ports into areas, mutual access between devices can be controlled.
3. Port ID (8 bits)
In an FC network, when a host device logs in to a switching device, the switching device combines its Domain ID and Area ID and allocates a Port ID to the host device, thereby forming the FC ID address allocated to the host device. The lowest 8 bits, the Port ID, must guarantee the uniqueness of the host device address that is allocated.
To manage the host devices logged in to a switching device, a Name Server function needs to be implemented on every switching device. The Name Server is a distributed management module that maintains the information of all host devices in the whole FC network; it manages the port-related information of the host devices registered in the Name Server database. The port-related information of a host device is shown in Fig. 3, where:
Port Identifier: the FC ID address of the host device;
Port Type: the port type of the host device;
Platform Name: the platform name of the device;
Port Name: the WWN of the host device port;
Node Name: the WWN of the host device node;
Class of Service: the classes of service supported by the host device;
FC-4 Protocols: the service protocol of the host device, for example whether the device acts as an originating end or a destination end. In general, inside a storage network, servers act as the originating end and storage devices act as the destination end.
The Name Server knows all devices in the Fabric (comparable to the DNS service in an IP network). When a host device logs in to the FC network, it registers its information with the Name Server and queries it for the information of all devices in the FC network. Concretely: 1. the host (server or disk) registers its information in the Name Server's name database; 2. the host (server or disk) queries the database to obtain the information of other ports; 3. the host (server or disk) may deregister from the name database. When the Name Server information changes, the change is selectively announced to the hosts (servers or disks).
The FC network realizes read and write operations between servers and storage devices. Because FC is a relatively intelligent technology, after a server or storage device accesses the network it is automatically allocated an FC ID address, and servers can discover remote storage devices intelligently, which gives servers an effective method. The current method by which a server discovers remote storage devices is: 1) the server registers with the switching device that it wishes to be informed of FC ID changes; 2) the Name Server function module of the switching device announces FC ID address changes, when it finds them, to the servers that registered interest. Through this mechanism of registering interest in FC ID addresses and notifying address changes, servers and storage devices in an FC network can discover each other smoothly. If a server needs to establish a link with a storage device, it first needs to query the switching device for the FC ID address of that storage device; then, with that FC ID address as the destination address, it initiates a protocol message of type PRLI to the storage device to negotiate establishment of the link. The PRLI protocol message is characterized as follows: 1) the source ID is the FC ID address of the server and the destination ID is the FC ID address of the storage device; 2) the PRLI message is an FC data message; 3) the switching device is responsible for forwarding the PRLI message to the target device. After the negotiation of the PRLI communication link is completed, the server and the storage device can carry out data communication.
Because the FC network is comparatively intelligent, it can realize automatic allocation of device addresses and discovery of remote devices. In this case it is often difficult for network management personnel to monitor the current running state of the FC network. Because a server can easily find disk devices through the Name Server and establish communication links with them, this also creates potential security hazards. For example, some storage devices have read permissions that do not allow a server to read them at will, which raises a requirement on the security side. In the prior art, FC network management is mainly done through ZONE management: the restriction of FC network access rights is realized through the ZONE function. As shown in Fig. 4, there are three zones in the FC network: inside Zone 1, only the H1 server may access the S1 storage device; inside Zone 2, only the H3 server may access the S3 storage device; inside Zone 3, only the H2 server may access the S2 storage device.
The Zone function is mainly realized by controlling the behaviour of the Name Server: when a server queries the switching device for the FC ID address of a storage device, the Name Server does not announce the FC ID addresses of the storage devices the server has no authority to access, so the server cannot find those storage devices and cannot perform read or write operations on them. However, if the server obtains the FC ID address of a storage device it has no authority to access by some other means, it can connect directly to that storage device and perform read and write operations. This increases the security risk of the FC network and reduces its reliability.
Summary of the invention
The embodiments of the invention provide a storage network security access control method, device and switching equipment, in order to improve the security and reliability of the storage network.
The embodiments of the invention provide a storage network security access control method, comprising:
after receiving a connection establishment request message sent by originating end equipment to destination end equipment, obtaining the access rights control information between said originating end equipment and said destination end equipment;
judging, according to said access rights control information, whether said originating end equipment has authority to access said destination end equipment;
if so, allowing said originating end equipment to access said destination end equipment; if not, forbidding said originating end equipment from accessing said destination end equipment.
The embodiments of the invention provide a storage network security access control device, comprising:
an obtaining unit, used to obtain, after receiving a connection establishment request message sent by originating end equipment to destination end equipment, the access rights control information between said originating end equipment and said destination end equipment;
a judging unit, used to judge, according to the access rights control information obtained by said obtaining unit, whether said originating end equipment has authority to access said destination end equipment;
an execution unit, used to allow said originating end equipment to access said destination end equipment when the judgement result of said judging unit is yes, and to forbid said originating end equipment from accessing said destination end equipment when the judgement result of said judging unit is no.
With the storage network security access control method, device and switching equipment provided by the embodiments of the invention, when originating end equipment is preparing to connect to destination end equipment and sends a connection establishment request message to the destination end equipment, it is determined, according to the configured access rights control information between the originating end equipment and the destination end equipment, whether the originating end equipment has authority to access the destination end equipment; if it has, the originating end equipment is allowed to access the destination end equipment, otherwise it is forbidden from accessing the destination end equipment. Because originating end equipment must first send a connection establishment request message to destination end equipment, in order to establish a communication connection with it, before it can access that equipment, in the embodiments of the invention the transmission of a connection establishment request message between originating end equipment and destination end equipment is detected, it is first determined whether the originating end equipment has authority to access the destination end equipment, and the access is controlled accordingly. In this way, even if originating end equipment has obtained by other means the address of destination end equipment it has no authority to access, the attempt can be discovered in time, according to the embodiments of the invention, when the originating end equipment establishes the communication connection with the destination end equipment, and the originating end equipment is forbidden from accessing the destination end equipment, thereby reducing the security risk of the storage network and improving its reliability.
Other features and advantages of the invention will be set forth in the specification that follows, and will in part become obvious from the specification or be understood by practising the invention. The objects and other advantages of the invention can be realized and obtained through the structure particularly pointed out in the written specification, the claims and the accompanying drawings.
Description of drawings
Fig. 1 is a structural diagram of an FC network in the prior art;
Fig. 2 is a structural diagram of an FC ID address in the prior art;
Fig. 3 is a diagram of the port-related information of a host device in an FC network in the prior art;
Fig. 4 is a structural diagram of an FC network implementing the ZONE function in the prior art;
Fig. 5 is a flow diagram of the storage network security access control method in an embodiment of the invention;
Fig. 6 is a structural diagram of the storage network security access control device in an embodiment of the invention.
Embodiment
In order to reduce the security risk of the storage network and improve its reliability, the embodiments of the invention provide a storage network security access control method, device and switching equipment.
In a storage network, whenever originating end equipment needs to access destination end equipment, it must first establish a channel for communicating with the destination end equipment, that is, it must first establish a communication connection with it. When establishing the communication connection, the originating end equipment sends a connection establishment request message to the destination end equipment. Thus, by monitoring the connection establishment request messages transmitted between originating end equipment and destination end equipment, access by originating end equipment to destination end equipment can be controlled securely.
On this basis, the embodiments of the invention provide a storage network security access control method. Preferred embodiments of the invention are described below with reference to the drawings of the specification. It should be understood that the preferred embodiments described here are only used to illustrate and explain the invention, not to limit it, and that, where no conflict arises, the embodiments and the features in the embodiments may be combined with each other.
As shown in Fig. 5, the storage network security access control method provided by the embodiment of the invention comprises the following steps:
S501: after receiving a connection establishment request message sent by originating end equipment to destination end equipment, the switching equipment in the storage network obtains the access rights control information between the originating end equipment and the destination end equipment;
In practice, the connection establishment request message carries the originating end device identifier and the destination end device identifier.
S502: the switching equipment judges, according to the obtained access rights control information, whether the originating end equipment has authority to access the destination end equipment; if the judgement result is yes, step S503 is executed; if the judgement result is no, step S504 is executed;
S503: the originating end equipment is allowed to access the destination end equipment.
Concretely, the received connection establishment request message can be forwarded to the destination end equipment, i.e. the originating end equipment is allowed to establish a communication connection with the destination end equipment and then to carry out subsequent access operations.
S504: the originating end equipment is forbidden from accessing the destination end equipment.
Concretely, the received connection establishment request message can be dropped directly, i.e. the originating end equipment is not allowed to establish a communication connection with the destination end equipment; preferably, a message rejecting the request can further be sent to the originating end equipment, to end the establishment of the communication link.
In practice, in order to control the access rights between originating end equipment and destination end equipment, the access rights control information between them needs to be configured first. For example, the access rights control information between each pair of originating end equipment and destination end equipment in the whole storage network can be kept in a security control list; one possible data format is shown in Table 1:
Table 1
Originating end device identifier   Destination end device identifier   Access rights control information
20:02:00:05:73:b9:0c:c1             20:02:00:05:73:b9:0c:c1             Permitted
20:02:00:05:73:b9:0c:c1             20:02:00:05:73:b9:0c:c2             Permitted
20:02:00:05:73:b9:0c:c5             20:02:00:05:73:b9:0c:c3             Not permitted
…                                   …                                   …
The storage network involved in the embodiments of the invention includes but is not limited to an FC network. In an FC network, the originating end device identifier can be the originating end FC ID or the originating end WWN, and the destination end device identifier can be the destination end FC ID or the destination end WWN. In actual deployment, the security control list can be deployed in two ways, distributed or centralized:
Distributed deployment: every switching device stores locally the access rights control information of the originating end equipment and destination end equipment connected to itself, i.e. a local security control list is stored locally, and this local security control list includes only the access rights control information for the originating end equipment or destination end equipment connected to this switching device. The switching devices can synchronize the access rights control information of each pair of originating end equipment and destination end equipment through distributed interaction; the local security control list can be updated at any time, and when it changes it can be synchronized among the switching devices by announcement, to guarantee the consistency of the information across the whole network.
Centralized deployment: a security server is set up which stores a global security control list; the global security control list stores the access rights information between all originating end equipment and destination end equipment in the whole storage network, so that secure access across the whole network is controlled. The security server can actively distribute to each switching device the access rights control information between the originating end equipment and destination end equipment connected to that switching device, or it can wait for each switching device to actively query the access rights control information between the originating end equipment and destination end equipment connected to it.
With the distributed deployment mode, any switching device in the storage network only needs to have the security policy of the local machine configured; the other switching devices can learn the security policy information through distributed synchronization, which guarantees the consistency across the whole network of the security policy on every switching device. At the same time, because the access rights control information of originating end equipment and destination end equipment is issued directly to the switching device, processing is quicker. However, because the distributed deployment mode requires the security policy to be synchronized among the switching devices, the access rights control information obtained during the synchronization process may be incorrect, so that access by originating end equipment to destination end equipment cannot be controlled in time. With the centralized deployment mode, only the edge switching devices (the switching devices directly connected to originating end equipment or destination end equipment) need the security policy, so secure access control for the whole network is needed only on the edge switching devices, and an edge switching device only needs to obtain the access rights control information of the originating end equipment and destination end equipment from the security server; the devices of the whole network can be managed conveniently through the security server; and at the same time, when the access rights control information of originating end equipment and destination end equipment is obtained, it will not be incorrect because of delay. However, the centralized deployment mode has the following problems: a security server needs to be deployed, which increases deployment cost; and each switching device needs to query the security server for the access rights control information of originating end equipment and destination end equipment, so processing efficiency is lower.
According to the above analysis, in practice a reasonable deployment mode can be selected according to the actual needs of network management: where the real-time requirement on security control is not high, the distributed deployment mode can be adopted; where the real-time requirement on security control is higher, the centralized deployment mode can be adopted.
Based on the two deployment modes above, in step S502 the access rights control information between originating end equipment and destination end equipment can be obtained in the following two ways:
Mode one (corresponding to the distributed deployment mode)
According to the originating end device identifier and the destination end device identifier, look up the access rights control information between this originating end equipment and this destination end equipment in the locally stored local security ACL.
Here, the originating end device identifier and destination end device identifier can be the originating end FC ID and destination end FC ID respectively, and correspondingly the originating end device identifier and destination end device identifier in the security control list can be the originating end FC ID and destination end FC ID respectively. However, because from the user's point of view the FC ID is allocated by the Name Server on its own initiative and may change at any time, in order to further improve the security and reliability of the storage network, in the embodiment of the invention the access rights control information between originating end equipment and destination end equipment can be looked up locally according to the following steps:
Step 1: query the Name Server for the originating end WWN corresponding to this originating end FC ID and for the destination end WWN corresponding to this destination end FC ID;
Step 2: according to the originating end WWN and destination end WWN, look up the access rights control information between this originating end equipment and this destination end equipment in the locally stored local security ACL.
Correspondingly, the originating end device identifier and destination end device identifier in the security control list can be the originating end WWN and destination end WWN respectively. In this way the uniqueness and accuracy of the device identifiers can be guaranteed, further improving the security and reliability of the storage network.
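As an added illustration (not code from the patent or from its assignee), the following Python simulates a switch applying steps S501 to S504 in mode one: it resolves both FC IDs carried by the PRLI request to WWNs through the Name Server before looking the pair up in the local security ACL, and it also decodes the three 8-bit fields of the 24-bit FC ID described in the background section. The Name Server table, the FC ID values and the default-deny handling of unregistered FC IDs and of pairs absent from the list are assumptions; the WWNs are taken from Table 1.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def split_fc_id(fc_id: int) -> Tuple[int, int, int]:
    """Split a 24-bit FC ID into (Domain ID, Area ID, Port ID), 8 bits each."""
    if not 0 <= fc_id <= 0xFFFFFF:
        raise ValueError("FC ID must be a 24-bit value")
    return (fc_id >> 16) & 0xFF, (fc_id >> 8) & 0xFF, fc_id & 0xFF


@dataclass(frozen=True)
class PrliRequest:
    """Connection establishment request: source and destination FC IDs."""
    src_fc_id: int
    dst_fc_id: int


class NameServer:
    """Name Server view used by the switch: FC ID -> WWN of logged-in hosts."""

    def __init__(self, entries: Dict[int, str]):
        self._wwn_by_fc_id = dict(entries)

    def wwn_for(self, fc_id: int) -> Optional[str]:
        return self._wwn_by_fc_id.get(fc_id)

    def reassign(self, old_fc_id: int, new_fc_id: int) -> None:
        """Model a dynamic FC ID change for one device; its WWN stays the same."""
        self._wwn_by_fc_id[new_fc_id] = self._wwn_by_fc_id.pop(old_fc_id)


class LocalAcl:
    """Local security control list keyed by (originating WWN, destination WWN)."""

    def __init__(self, rules: Dict[Tuple[str, str], bool]):
        self._rules = {(s.lower(), d.lower()): ok for (s, d), ok in rules.items()}

    def lookup(self, src_wwn: str, dst_wwn: str) -> Optional[bool]:
        return self._rules.get((src_wwn.lower(), dst_wwn.lower()))


class Switch:
    """Edge switch applying steps S501-S504 to each PRLI request it sees."""

    def __init__(self, name_server: NameServer, acl: LocalAcl):
        self.ns = name_server
        self.acl = acl

    def handle_prli(self, req: PrliRequest) -> Tuple[str, str]:
        """Return ('forward' or 'drop+reject', reason) for one PRLI request."""
        # S501, step 1: resolve both FC IDs to WWNs via the Name Server, because
        # FC IDs are allocated dynamically and may change at any time.
        src_wwn = self.ns.wwn_for(req.src_fc_id)
        dst_wwn = self.ns.wwn_for(req.dst_fc_id)
        if src_wwn is None or dst_wwn is None:
            # Assumption: an FC ID unknown to the Name Server is denied.
            return "drop+reject", "FC ID not registered with the Name Server"
        # Step 2: look the WWN pair up in the local security control list.
        permitted = self.acl.lookup(src_wwn, dst_wwn)
        # S502: decide.  Assumption: a pair absent from the list is denied.
        if permitted:
            return "forward", f"{src_wwn} -> {dst_wwn} permitted"       # S503
        return "drop+reject", f"{src_wwn} -> {dst_wwn} not permitted"   # S504


# Constructed sample data: WWNs from Table 1, FC IDs invented for the demo.
SAMPLE_NAME_SERVER = {
    0x010100: "20:02:00:05:73:b9:0c:c1",  # Domain 1, Area 1, Port 0
    0x010200: "20:02:00:05:73:b9:0c:c2",
    0x020100: "20:02:00:05:73:b9:0c:c5",
    0x020200: "20:02:00:05:73:b9:0c:c3",
}
SAMPLE_ACL = {
    ("20:02:00:05:73:b9:0c:c1", "20:02:00:05:73:b9:0c:c2"): True,   # Table 1, row 2
    ("20:02:00:05:73:b9:0c:c5", "20:02:00:05:73:b9:0c:c3"): False,  # Table 1, row 3
}


def run_demo() -> Dict[str, str]:
    """Push constructed PRLI requests through the switch; return the actions."""
    ns = NameServer(SAMPLE_NAME_SERVER)
    switch = Switch(ns, LocalAcl(SAMPLE_ACL))
    results = {}
    # Pair listed as permitted in Table 1.
    results["c1->c2"] = switch.handle_prli(PrliRequest(0x010100, 0x010200))[0]
    # Pair listed as not permitted in Table 1.
    results["c5->c3"] = switch.handle_prli(PrliRequest(0x020100, 0x020200))[0]
    # Pair not in the list at all (denied by the default-deny assumption).
    results["c1->c3"] = switch.handle_prli(PrliRequest(0x010100, 0x020200))[0]
    # The Name Server gives c2 a new FC ID: the WWN-keyed decision is unchanged,
    # while the stale FC ID no longer resolves and is rejected.
    ns.reassign(0x010200, 0x010300)
    results["c1->c2 after reassign"] = switch.handle_prli(PrliRequest(0x010100, 0x010300))[0]
    results["c1->stale c2 id"] = switch.handle_prli(PrliRequest(0x010100, 0x010200))[0]
    return results
```

Calling run_demo() returns the action taken for each constructed request; the last two entries show why keying the list by WWN rather than FC ID survives a Name Server address change.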
Mode two (corresponding to the centralized deployment mode)
In mode two, the access rights control information between originating end equipment and destination end equipment can be obtained according to the following steps:
Step 1: send a query request to the security server that stores the global security ACL;
The query request carries said originating end device identifier and destination end device identifier, and the global security ACL contains the access rights control information between all originating end equipment and destination end equipment in the whole storage network;
Step 2: receive the access rights control information between this originating end equipment and this destination end equipment that the security server found in the global security ACL according to this originating end device identifier and destination end device identifier.
Here the originating end device identifier and destination end device identifier can be the originating end FC ID and destination end FC ID respectively. For the same reason as in mode one, preferably, in the embodiment of the invention, before the query request is sent to the security server, the Name Server can first be queried for the originating end WWN corresponding to this originating end FC ID and for the destination end WWN corresponding to this destination end FC ID, and the originating end WWN and destination end WWN are then used as the originating end identifier and destination end identifier respectively.
The storage network security access control method provided by the embodiment of the invention, by monitoring the connection establishment request messages sent between devices in the storage network, can discover in time any unauthorized access that may occur in the current storage network. The control is realized mainly on the end-to-end access between devices, which is the final step before originating end equipment and destination end equipment exchange information; by controlling the behaviour in this step, the possibility of unauthorized access between originating end equipment and destination end equipment is stopped, improving the reliability of the storage network.
As a rule, in a storage network the originating end equipment is generally a server device and the destination end equipment is generally a storage device, and access by a server device to destination end equipment generally means performing read and write operations and the like on the destination end equipment. In an FC network, when a server device requests to establish a communication connection with a storage device, it negotiates the establishment of the communication connection by sending a PRLI protocol message to the storage device; when the server device or the storage device wants to break off the communication connection, it sends a PRLO message to the peer.
Based on same inventive concept; A kind of storage networking safe access control device and switching equipment also are provided in the embodiment of the invention; Because the principle that this device and switching equipment are dealt with problems is similar with the storage networking safety access control method; Therefore the enforcement of this device and switching equipment can repeat part and repeat no more referring to the enforcement of method.
As shown in Figure 6, the structural representation of the storage networking safe access control device that provides for the embodiment of the invention comprises:
Obtain unit 601, be used for obtaining the access rights control information between this originating end equipment and this destination end equipment receiving originating end equipment after request message is set up in the connection that destination end equipment sends;
Wherein, the connection that receives is set up and is carried originating end device identification and destination end device identification in the request message.
Judging unit 602 is used for according to obtaining the access rights control information that unit 601 obtains, and judges whether this originating end equipment has this destination end equipment of authority visit;
Performance element 603 is used in the judged result of judging unit 602 allowing this destination end equipment of this originating end device access when being; For not the time, forbid this destination end equipment of this originating end device access in the judged result of judging unit 602.
In practical implementation, the obtaining unit 601 may be configured to search, according to the originating-end device identifier and the destination-end device identifier, the locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device, the secure local ACL comprising the access authority control information between all local originating-end devices and destination-end devices.
Preferably, the originating-end device identifier and the destination-end device identifier are respectively an originating-end Fibre Channel identifier (FC ID) and a destination-end FC ID, and the obtaining unit 601 may comprise:
a query sub-unit, configured to query the Name Server for the originating-end World Wide Name (WWN) corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID; and
a search sub-unit, configured to search, according to the originating-end WWN and the destination-end WWN, the locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device.
In addition, in practical implementation, the obtaining unit 601 may comprise:
a sending sub-unit, configured to send a query request to the security server that stores the global secure ACL, the query request carrying the originating-end device identifier and the destination-end device identifier, and the global secure ACL comprising the access authority control information between all originating-end devices and destination-end devices in the whole storage network; and
a receiving sub-unit, configured to receive the access authority control information between the originating-end device and the destination-end device that the security server finds in the global secure ACL according to the originating-end device identifier and the destination-end device identifier.
Preferably, the originating-end device identifier and the destination-end device identifier are respectively an originating-end FC ID and a destination-end FC ID, and the obtaining unit 601 may further be configured to, before the sending sub-unit sends the query request to the security server, query the Name Server for the originating-end WWN corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID, and to use the originating-end WWN and the destination-end WWN respectively as the originating-end device identifier and the destination-end device identifier.
In practical implementation, the execution unit 603 may be configured to forward the received connection establishment request message to the destination-end device when the judgement result of the judging unit 602 is yes, and to discard the received connection establishment request message when the judgement result of the judging unit 602 is no.
Preferably, the storage network secure access control device provided by the embodiment of the invention may be arranged in a switching device, so that the switching device controls secure access in the storage network. It should be noted that arranging the above storage network secure access control device in the switching device is a preferred implementation of the embodiment of the invention; in practical implementation, the device may be arranged according to actual needs.
Those skilled in the art should understand that the embodiments of the invention may be provided as a method, a system, or a computer program product. Therefore, the invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of the method, the device (system), and the computer program product according to the embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they have learned the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
With the storage network secure access control method, device and switching device provided by the embodiments of the invention, when an originating-end device is preparing to connect to a destination-end device and sends a connection establishment request message to the destination-end device, whether the originating-end device has the authority to access the destination-end device is determined according to the configured access authority control information between the originating-end device and the destination-end device; if it has, the originating-end device is allowed to access the destination-end device, otherwise the originating-end device is forbidden from accessing the destination-end device. Because an originating-end device must first send a connection establishment request message to the destination-end device to establish a communication connection before it can access the destination-end device, the embodiments of the invention, upon detecting that a connection establishment request message is sent between the originating-end device and the destination-end device, first determine whether the originating-end device has the authority to access the destination-end device and control the originating-end device's access to the destination-end device accordingly. In this way, even if an originating-end device has obtained by other means the address of a destination-end device it has no authority to access, the embodiments of the invention can detect this in time when the originating-end device and the destination-end device establish a communication connection, and forbid the originating-end device from accessing the destination-end device, thereby reducing the security risks of the storage network and improving its reliability.
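The decision flow described above for the Figure 6 units (and recited in claims 1 to 10), as an added Python example; this is not code from the patent or from its assignee. The Name Server table, both ACLs, the 6-byte request frame layout, the order of consulting the local ACL before the security server's global ACL, and the default-deny for requests with an unregistered FC ID or no matching entry are all constructed assumptions; the patent leaves those choices open.

```python
"""Switch-side access check for a storage-network connection request.

Added example, not code from the patent or its assignee. The frame layout,
the Name Server table, both ACLs, the local-then-global lookup order and the
default-deny for missing entries are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed Name Server table: 24-bit FC ID -> WWN of the registered port.
NAME_SERVER: Dict[int, str] = {
    0x010100: "20:00:00:25:b5:aa:00:01",  # host HBA A (originating end)
    0x010200: "20:00:00:25:b5:aa:00:02",  # host HBA B (originating end)
    0x020100: "50:06:01:60:c1:e0:00:01",  # array port 1 (destination end)
    0x020200: "50:06:01:60:c1:e0:00:02",  # array port 2 (destination end)
}

# Constructed secure local ACL held by this switch:
# (originating WWN, destination WWN) -> permitted?
LOCAL_ACL: Dict[Tuple[str, str], bool] = {
    ("20:00:00:25:b5:aa:00:01", "50:06:01:60:c1:e0:00:01"): True,
    ("20:00:00:25:b5:aa:00:02", "50:06:01:60:c1:e0:00:01"): False,
}

# Constructed global secure ACL held by the security server for the whole fabric.
GLOBAL_ACL: Dict[Tuple[str, str], bool] = {
    ("20:00:00:25:b5:aa:00:01", "50:06:01:60:c1:e0:00:02"): True,
}


@dataclass(frozen=True)
class ConnectRequest:
    """Identifiers carried in the connection establishment request."""
    src_fcid: int  # originating-end FC ID
    dst_fcid: int  # destination-end FC ID


def build_request(src_fcid: int, dst_fcid: int) -> bytes:
    """Constructed layout: 3-byte destination FC ID followed by 3-byte source FC ID."""
    return dst_fcid.to_bytes(3, "big") + src_fcid.to_bytes(3, "big")


def parse_request(frame: bytes) -> ConnectRequest:
    """Extract the two FC IDs; anything shorter than the header is malformed."""
    if len(frame) < 6:
        raise ValueError("connection request too short")
    dst = int.from_bytes(frame[0:3], "big")
    src = int.from_bytes(frame[3:6], "big")
    return ConnectRequest(src_fcid=src, dst_fcid=dst)


def resolve_wwn(fcid: int) -> Optional[str]:
    """Name Server query: FC ID -> WWN, or None if the port is not registered."""
    return NAME_SERVER.get(fcid)


def query_security_server(src_wwn: str, dst_wwn: str) -> Optional[bool]:
    """Stand-in for the query request/response exchange with the security server."""
    return GLOBAL_ACL.get((src_wwn, dst_wwn))


def get_access_control(req: ConnectRequest) -> Optional[bool]:
    """Obtaining unit: resolve both FC IDs to WWNs, then consult the local ACL
    and, failing that, the global ACL. None means no information was found."""
    src_wwn = resolve_wwn(req.src_fcid)
    dst_wwn = resolve_wwn(req.dst_fcid)
    if src_wwn is None or dst_wwn is None:
        return None  # unregistered port: nothing to match an ACL entry against
    key = (src_wwn, dst_wwn)
    if key in LOCAL_ACL:
        return LOCAL_ACL[key]
    return query_security_server(*key)


def handle_request(frame: bytes) -> str:
    """Judging + execution units: forward the request only on an explicit permit;
    deny entries and missing entries are both dropped."""
    req = parse_request(frame)
    permitted = get_access_control(req)
    return "forward" if permitted is True else "drop"


if __name__ == "__main__":
    for src, dst in [(0x010100, 0x020100), (0x010200, 0x020100),
                     (0x010100, 0x020200), (0x030000, 0x020100)]:
        print(f"{src:06x} -> {dst:06x}: {handle_request(build_request(src, dst))}")
```

Keying the ACL on WWNs rather than FC IDs is what makes the check survive re-addressing: an FC ID is assigned at fabric login and can change, whereas the WWN is tied to the port. Treating "no entry" the same as an explicit deny is the choice that covers the scenario in the paragraph above, where an originating-end device has learned a destination address it was never granted.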
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these changes and modifications of the invention fall within the scope of the claims of the invention and their equivalents, the invention is also intended to include these changes and modifications.

Claims (11)

1. A storage network secure access control method, characterized in that it comprises:
after receiving a connection establishment request message sent by an originating-end device to a destination-end device, obtaining the access authority control information between the originating-end device and the destination-end device;
judging, according to the access authority control information, whether the originating-end device has the authority to access the destination-end device; and
if yes, allowing the originating-end device to access the destination-end device; if no, forbidding the originating-end device from accessing the destination-end device.
2. the method for claim 1 is characterized in that, said connection is set up and carried originating end device identification and destination end device identification in the request message; And
Obtain the access rights control information between said originating end equipment and the said destination end equipment, specifically comprise:
According to said originating end device identification and said destination end device identification; From the secure topical ACL of this locality storage; Search the access rights control information between said originating end equipment and the said destination end equipment, comprise the access rights control information between local all originating end equipment and the destination end equipment in the said secure topical ACL.
3. The method according to claim 2, characterized in that the originating-end device identifier and the destination-end device identifier are respectively an originating-end Fibre Channel identifier (FC ID) and a destination-end FC ID; and
searching, according to the originating-end device identifier and the destination-end device identifier, the locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device specifically comprises:
querying the name server (Name Server) for the originating-end World Wide Name (WWN) corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID; and
searching, according to the originating-end WWN and the destination-end WWN, the locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device.
4. the method for claim 1 is characterized in that, said connection is set up and carried originating end device identification and destination end device identification in the request message; And
Obtain the access rights control information between said originating end equipment and the said destination end equipment, specifically comprise:
Send query requests to the security server that stores the global safety ACL; Carry said originating end device identification and destination end device identification in the said query requests, comprise the access rights control information between all originating end equipment and destination end equipment in the whole storage networking in the said global safety ACL; And
Receive said security server according to said originating end device identification and destination end device identification, in said global safety ACL, the said originating end equipment that finds and the access rights control information between the said destination end equipment.
5. The method according to claim 4, characterized in that the originating-end device identifier and the destination-end device identifier are respectively an originating-end FC ID and a destination-end FC ID; and
before sending the query request to the security server that stores the global secure ACL, the method further comprises:
querying the name server (Name Server) for the originating-end WWN corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID; and
using the originating-end WWN and the destination-end WWN respectively as the originating-end device identifier and the destination-end device identifier.
6. A storage network secure access control device, characterized in that it comprises:
an obtaining unit, configured to obtain, after receiving a connection establishment request message sent by an originating-end device to a destination-end device, the access authority control information between the originating-end device and the destination-end device;
a judging unit, configured to judge, according to the access authority control information obtained by the obtaining unit, whether the originating-end device has the authority to access the destination-end device; and
an execution unit, configured to allow the originating-end device to access the destination-end device when the judgement result of the judging unit is yes, and to forbid the originating-end device from accessing the destination-end device when the judgement result of the judging unit is no.
7. The device according to claim 6, characterized in that the connection establishment request message carries an originating-end device identifier and a destination-end device identifier; and
the obtaining unit is specifically configured to search, according to the originating-end device identifier and the destination-end device identifier, a locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device, the secure local ACL comprising the access authority control information between all local originating-end devices and destination-end devices.
8. The device according to claim 7, characterized in that the originating-end device identifier and the destination-end device identifier are respectively an originating-end Fibre Channel identifier (FC ID) and a destination-end FC ID; and
the obtaining unit comprises:
a query sub-unit, configured to query the name server (Name Server) for the originating-end World Wide Name (WWN) corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID; and
a search sub-unit, configured to search, according to the originating-end WWN and the destination-end WWN, the locally stored secure local ACL for the access authority control information between the originating-end device and the destination-end device.
9. The device according to claim 6, characterized in that the connection establishment request message carries an originating-end device identifier and a destination-end device identifier; and
the obtaining unit comprises:
a sending sub-unit, configured to send a query request to a security server that stores a global secure ACL, the query request carrying the originating-end device identifier and the destination-end device identifier, and the global secure ACL comprising the access authority control information between all originating-end devices and destination-end devices in the whole storage network; and
a receiving sub-unit, configured to receive the access authority control information between the originating-end device and the destination-end device that the security server finds in the global secure ACL according to the originating-end device identifier and the destination-end device identifier.
10. The device according to claim 9, characterized in that the originating-end device identifier and the destination-end device identifier are respectively an originating-end FC ID and a destination-end FC ID; and
the obtaining unit is further configured to, before the sending sub-unit sends the query request to the security server, query the name server (Name Server) for the originating-end WWN corresponding to the originating-end FC ID and the destination-end WWN corresponding to the destination-end FC ID, and to use the originating-end WWN and the destination-end WWN respectively as the originating-end device identifier and the destination-end device identifier.
11. A switching device, characterized in that it comprises the device according to any one of claims 6 to 10.
CN2012100717871A 2012-03-16 2012-03-16 Method and device for controlling safety access to storage network and switching equipment Pending CN102611624A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012100717871A CN102611624A (en) 2012-03-16 2012-03-16 Method and device for controlling safety access to storage network and switching equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012100717871A CN102611624A (en) 2012-03-16 2012-03-16 Method and device for controlling safety access to storage network and switching equipment

Publications (1)

Publication Number Publication Date
CN102611624A true CN102611624A (en) 2012-07-25

Family

ID=46528787

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012100717871A Pending CN102611624A (en) 2012-03-16 2012-03-16 Method and device for controlling safety access to storage network and switching equipment

Country Status (1)

Country Link
CN (1) CN102611624A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717290A (en) * 2015-03-19 2015-06-17 杭州华三通信技术有限公司 SAN access control method and device
CN106375091A (en) * 2015-07-20 2017-02-01 德国邮政股份公司 communication link established to user apparatus via an access control device
CN105245636B (en) * 2015-10-23 2018-09-14 中国联合网络通信集团有限公司 message communication method and device
CN111831513A (en) * 2020-07-15 2020-10-27 北京达佳互联信息技术有限公司 Log query method and device, electronic equipment and storage medium
CN113495504A (en) * 2020-03-18 2021-10-12 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047594A (en) * 2006-03-28 2007-10-03 国际商业机器公司 Method and apparatus for securing node port access in a switched-fabric storage area network
US20080095367A1 (en) * 2004-03-19 2008-04-24 Cisco Technology, Inc. Methods and apparatus for confidentiality protection for fibre channel common transport
US20110090816A1 (en) * 2003-06-26 2011-04-21 Cisco Technology, Inc. FIBRE CHANNEL SWITCH THAT ENABLES END DEVICES IN DIFFERENT FABRICS TO COMMUNICATE WITH ONE ANOTHER WHILE RETAINING THEIR UNIQUE FIBRE CHANNEL DOMAIN_IDs
CN102208945A (en) * 2010-03-31 2011-10-05 成都市华为赛门铁克科技有限公司 Method for obtaining network address and FCoE target and communication system
CN102263807A (en) * 2010-05-31 2011-11-30 国际商业机器公司 Method for keeping communication path smooth in storage area network and storage area network
CN102316155A (en) * 2011-07-01 2012-01-11 杭州华三通信技术有限公司 Storage area network (SAN) discovery method and switchboard

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104717290A (en) * 2015-03-19 2015-06-17 杭州华三通信技术有限公司 SAN access control method and device
CN104717290B (en) * 2015-03-19 2018-02-09 新华三技术有限公司 SAN access control method and device
CN106375091A (en) * 2015-07-20 2017-02-01 德国邮政股份公司 communication link established to user apparatus via an access control device
CN106375091B (en) * 2015-07-20 2020-08-28 德国邮政股份公司 Establishing a communication link to a user equipment via an access control device
US10896400B2 (en) 2015-07-20 2021-01-19 Deutsche Post Ag Setup of a communication link to a user apparatus via an access control apparatus
CN105245636B (en) * 2015-10-23 2018-09-14 中国联合网络通信集团有限公司 message communication method and device
CN113495504A (en) * 2020-03-18 2021-10-12 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method
CN113495504B (en) * 2020-03-18 2023-01-31 杭州海康威视数字技术股份有限公司 Intelligent control equipment, monitoring system and intelligent control method
CN111831513A (en) * 2020-07-15 2020-10-27 北京达佳互联信息技术有限公司 Log query method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120725