Title of invention: Network adapter based zoning enforcement
Abstract: Embodiments of the present invention are directed to enforcing zoning at a network adapter of an end point device. Thus, a network adapter can monitor the communications that are sent and/or received by the adapter and discard communications that are prohibited based on the zoning rules applicable to the adapter. In some embodiments, zoning configuration information can be defined and stored at a central entity and sent to the various network adapters. Alternatively, or in addition, each network adapter can also check outgoing communications to ensure that they include a proper source address. More specifically, outgoing communications may be checked to ensure that their source address is the address (or one of the addresses) that are associated with the network adapter. This can be used to detect and/or prevent malfunctions and/or intentional tampering or hacking.
Publication number: US8762513(B2) Publication date: 2014.06.24
Application number: US200711960643 Filing date: 2007.12.19
Applicant: Emulex Corporation Inventors: Hirata Kenneth Hiroshi; Nixon Robert Harvey
Classification: G06F15/173 Main classification: G06F15/173
Agency: McAndrews, Held & Malloy Ltd. Agent: McAndrews, Held & Malloy Ltd.
Principal claim: 1. A method for enforcing network zoning in a network comprising a plurality of end point devices, each end point device being associated with one or more addresses, at least one end point device being associated with two or more addresses, where each end point device associated with only one address is an effective device, two or more end point devices in the plurality of end point devices with only one address thus defining a plurality of effective devices, and each end point device associated with two or more addresses implementing a plurality of virtual devices, the method comprising: assigning the plurality of effective devices and the plurality of virtual devices to a plurality of zones, so that each effective device and each virtual device is a member of one or more zones; composing a plurality of sets of addresses, each set of addresses being associated with a respective effective device or a respective virtual device, each set of addresses including the addresses of all effective devices and virtual devices which are members of at least one zone the respective effective device or the respective virtual device is a member of; sending each set of addresses to its respective end point device, wherein each end point device stores the set of addresses; and enforcing network zoning by one or more elements of an attachable network adapter card, for each effective device, the enforcement of network zoning comprises: monitoring incoming and outgoing communications of the effective device, discarding incoming communications of the effective device that do not include an address from the set of addresses as a source address, and discarding outgoing communications of the effective device do not include an address from the set of addresses as a destination address, for each virtual device, the enforcement of network zoning comprises: monitoring incoming and outgoing communications of the virtual device, discarding incoming communications of the virtual device that do not include an address from the set of addresses as a source address, and discarding outgoing communications of the virtual device that do not include an address from the set of addresses as a destination address.
Address: Costa Mesa CA US