US Patent No. 10,169,594

NETWORK SECURITY FOR DATA STORAGE SYSTEMS


Patent No. 10,169,594
Issue Date January 01, 2019
Title Network Security For Data Storage Systems
Inventorship Zah Barzik, Rishon LeZion (IL)
Maxim Kalaev, Petach Tikva (IL)
Alexander Snast, Rishon LeZion (IL)
Assignee International Business Machines Corporation, Armonk, NY (US)

Claim of US Patent No. 10,169,594

1. A method comprising: creating, by one or more processors of a network adapter of a storage system, a set of filter rules, wherein the set of filter rules is located in a firmware that is included on the network adapter, and wherein the set of filter rules includes a list of port numbers and protocols that are allowed or blocked from being accessed within the storage system;
responsive to receiving a request to modify the set of filter rules, prompting, by one or more processors of the network adapter, a requestor for a cryptographic key, wherein the requestor has privileged access to a guest operating system running on the storage system only if the cryptographic key is provided;
receiving, by one or more processors of the network adapter, a first packet;
analyzing, by one or more processors of the network adapter, a header of the first packet to determine a set of packet parameters, wherein the set of packet parameters includes a set of ports and protocols;
determining, by one or more processors of the network adapter, that the set of packet parameters of the received first packet is consistent with a rule in the set of filter rules;
in response to determining that the set of packet parameters of the received first packet is consistent with a rule in the set of filter rules, transmitting, by one or more processors of the network adapter, the received first packet through the network adapter;
receiving, by one or more processors of the network adapter, a second packet;
analyzing, by one or more processors of the network adapter, a header of the second packet to determine a set of packet parameters, wherein the set of packet parameters includes a set of ports and protocols;
determining, by one or more processors of the network adapter, that the set of packet parameters of the received second packet is inconsistent with the set of filter rules; and
in response to determining that the set of packet parameters of the received second packet is inconsistent with the set of filter rules, dropping, by one or more processors of the network adapter, the received second packet to prevent transmission through the network adapter.
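The sequence the claim recites (a firmware-resident port/protocol rule set, a key-gated modification path, header inspection, and forward-or-drop) as an added software model; this is an illustration written for this page, not IBM's implementation. The rule fields, the shared-key check, default-deny for unmatched packets, and the constructed IPv4/L4 packet layout are all assumptions.

```python
import hmac
import struct
from dataclasses import dataclass, field
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IPv4 protocol numbers the model understands

@dataclass
class Rule:
    port: int
    proto: str   # "tcp" or "udp"
    allow: bool  # True = allowed port, False = blocked port

@dataclass
class AdapterFilter:
    """Models the rule set the claim places in adapter firmware (default-deny is an assumption)."""
    rules: list = field(default_factory=list)
    admin_key: bytes = b"constructed-demo-key"  # assumption: key provisioned to the adapter
    def modify_rules(self, presented_key: bytes, new_rules: list) -> bool:
        """A modification request is honoured only if the requestor presents the key."""
        if not hmac.compare_digest(presented_key, self.admin_key):
            return False
        self.rules = list(new_rules)
        return True

    def parse_header(self, packet: bytes):
        """Read protocol and destination port from an IPv4 header plus L4 port fields."""
        if len(packet) < 20:
            return None
        ihl = (packet[0] & 0x0F) * 4
        proto = PROTO_NAMES.get(packet[9])
        if proto is None or len(packet) < ihl + 4:
            return None
        _src, dst = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, dst

    def decide(self, packet: bytes) -> str:
        """Forward when a rule allows the port/protocol pair; drop when blocked or unmatched."""
        parsed = self.parse_header(packet)
        if parsed is None:
            return "drop"  # unparseable headers are dropped rather than guessed
        proto, port = parsed
        for r in self.rules:
            if r.port == port and r.proto == proto:
                return "forward" if r.allow else "drop"
        return "drop"

def make_packet(proto_num: int, dst_port: int) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (IHL=5) followed by L4 src/dst ports."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto_num, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
```

Port 3260 used in the checks below is only a constructed sample value for a storage-facing service.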