Abstract: Classification techniques are employed in computer networks. For example, network activity is monitored in a computer network and the monitored network activity is used to discover an endpoint of unknown type. A first set of classification models is utilized to identify an endpoint type of the discovered endpoint based on the monitored network activity. In addition, communication patterns between different endpoints of known types are monitored in the computer network, and a second set of classification models is utilized to determine a logical topology of the computer network based on the monitored communication patterns.

Abstract: A method is provided to allow for encryption keys to be safely vaulted and for restarts after system failures, even when an external key server is not accessible. In one embodiment, the encryption keys are stored in memory in an encrypted format, the encryption keys being encrypted with a key encryption key (KEK). The data stored in a write cache may be encrypted and written to a vault, protecting it from unauthorized access, but the key table may be written directly to the data vault without need for any further encryption. Because the encryption keys are themselves encrypted, the encryption keys are protected from unauthorized access, ensuring the security of all the encrypted data stored on disk. This embodiment allows the data storage system to be restarted without accessing an external key server. In another embodiment, the KEK is stored in persistent storage within the data storage system, allowing for unattended restart. To enhance security, the KEK may be stored in ROM in a hardened location.

Abstract: A method is provided for effectively managing encryption keys. A storage processor requests a key associated with a particular object ID associated with a particular device address range from a key server. The key server provides a unique key associated with the object ID. Old keys may be deleted either upon a determination by the storage processor that the key is no longer needed, or upon a signal from the key server indicating that the key is to be deleted. In either case, the storage processor deletes the key from all locations in memory and sends a confirmation signal to the key server. The key server then lists the key as disabled for possible future re-use. Embodiments are also directed to apparatus for use in practicing the method.

Abstract: A data storage system employs data encryption to increase data security, and techniques for ensuring consistency of key information maintained and used throughout the system to reduce the likelihood that data will become non-recoverable due to the use of an incorrect encryption key. In one aspect, a verification process is performed between a key table at a central storage processor and key tables containing decrypted copies of the same information that are stored and utilized at separate input/output (I/O) modules. The verification process includes computing respective hash values at the I/O modules and at the storage processor and comparing the hash values to determine whether they match, a match indicating that the tables are consistent and a non-match indicating that the tables are not consistent. In another aspect, an I/O module performs a check prior to performing an encryption/decryption operation as part of processing an I/O command to ensure that the correct key will be utilized.

Abstract: According to one embodiment of the present invention, a network adapter is provided that may be used to interface to a network environment a first data storage system. The adapter includes a switching system that may be coupled to data exchanging devices in the network environment, and port circuitry that may be used to facilitate establishment of a link between the first data storage system and a second, remote data storage system in the network environment. The link, when established, may facilitate the establishment of a target device in the second data storage device as a mirror device that may comprise a mirror of data residing in a source device in the first network data storage system.