-
Publication No.: CA2332084A1
Publication Date: 2001-08-17
Application No.: CA2332084
Application Date: 2001-01-23
Applicant: IBM
Inventor: MULLEN SHAWN PATRICK , SHIEH JOHNNY MENG-HAN , MCBREARTY GERALD FRANCIS , CRONK MATTHEW SLADE
Abstract: A method and system for running, on different computers at the same time, multiple operating systems from the same shared system resource is provided. This is accomplished, for example, by using persistent elemental disk reservations. Each machine reads the master boot record without reservation to determine the partition of the operating system to be booted. Each machine then makes an elemental exclusive write persistent reservation for accessing the operating system boot partition. This is followed by each machine making another elemental exclusive write persistent reservation for accessing the operating system partition itself. Each machine is assigned a different operating system partition even if they are running the same operating system. The unique reservation key for these reservations is created from at least one of a Processor ID, a Cluster ID, a Multiple Processor partition ID, a Non-Uniform Memory Access complex ID, and/or a Non-Uniform Memory Access node ID.
-
Publication No.: GB2356765A
Publication Date: 2001-05-30
Application No.: GB0019673
Application Date: 2000-08-11
Applicant: IBM
Inventor: GENTY DENISE MARIE , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK , SHIEH JOHNNY MENG-HAN , UNNKRISHNAN RAMACHANDRAN
Abstract: A method and system for an algorithm-based network snoop avoider is provided. A first data processing system and a second data processing system communicate on a physical network by transmitting data packets on the network using a virtual private network (VPN). Data packets are transmitted through a first VPN tunnel between the first data processing system with a first network address terminating a first end of the VPN tunnel and the second data processing system with a second network address terminating a second end of the first VPN tunnel. The VPN is automatically reconfigured to use alternate addresses on the network for the tunnel endpoints by automatically determining, in accordance with a predetermined algorithm, a third network address and a fourth network address and by automatically assigning the third network address to the first data processing system and the fourth network address to the second data processing system. Data packets may then be transmitted through a second VPN tunnel in which a first end of the second VPN tunnel is terminated by the first data processing system using the third network address and a second end of the second VPN tunnel is terminated by the second data processing system using the fourth network address. The data packets may be transmitted using Internet Protocol (IP), and a portion of the network may include the Internet.
-
Publication No.: CA2672528A1
Publication Date: 2008-10-30
Application No.: CA2672528
Application Date: 2008-04-16
Applicant: IBM
Inventor: SHIEH JOHNNY MENG-HAN , MURILLO JESSICA CAROL , KEOHANE SUSANN MARIE , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK
Abstract: A computer implemented method, apparatus, and computer program product for port scan protection. A reply data packet having a modified transmission control protocol header is generated to form a modified reply data packet, in response to detecting a port scan. The modified reply data packet will elicit a response from a recipient of the modified data packet. The reply data packet is sent to a first Internet protocol address associated with the port scan. A second Internet protocol address is identified from a header of the response to the modified reply data packet. The second Internet protocol address is an actual Internet protocol address of a source of the port scan. All network traffic from the second Internet protocol address may be blocked to prevent an attack on any open ports from the source of the port scan.
-
Publication No.: SG143953A1
Publication Date: 2008-07-29
Application No.: SG2004025359
Application Date: 2004-05-03
Applicant: IBM
Inventor: KEOHANE SUSANN , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK , MURILLO JESSICA KELLEY , SHIEH JOHNNY MENG-HAN
Abstract: METHOD, APPARATUS, AND PROGRAM FOR PERFORMING BOOT, MAINTENANCE, OR INSTALL OPERATIONS ON A STORAGE AREA NETWORK. A mechanism is provided for configuring a set of devices for a given machine attached to a storage area network (102). The initial program load firmware and network adapter firmware for each machine (104-108) on the storage area network (102) are modified to query a storage area network appliance (120) for lists of devices. The storage area network appliance (120) may be identified by a world wide name and may store lists of boot devices, root volume group devices, primary devices, and secondary devices for each machine on the storage area network. The storage area network appliance (120) then listens for queries and returns the appropriate list of devices based on query type and/or boot type. The boot type for a machine may be set to normal boot, maintenance boot, or install boot.
-
Publication No.: CA2312460C
Publication Date: 2006-11-28
Application No.: CA2312460
Application Date: 2000-06-20
Applicant: IBM
Inventor: UNNIKRISHNAN RAMACHANDRAN , GENTY DENISE MARIE , SHIEH JOHNNY MENG-HAN , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK
Abstract: A method and system for an algorithm-based network snoop avoider is provided. A first data processing system and a second data processing system communicate on a physical network by transmitting data packets on the network using a virtual private network (VPN). Data packets are transmitted through a first VPN tunnel between the first data processing system with a first network address terminating a first end of the VPN tunnel and the second data processing system with a second network address terminating a second end of the first VPN tunnel. The VPN is automatically reconfigured to use alternate addresses on the network for the tunnel endpoints by automatically determining, in accordance with a predetermined algorithm, a third network address and a fourth network address and by automatically assigning the third network address to the first data processing system and the fourth network address to the second data processing system. Data packets may then be transmitted through a second VPN tunnel in which a first end of the second VPN tunnel is terminated by the first data processing system using the third network address and a second end of the second VPN tunnel is terminated by the second data processing system using the fourth network address. The data packets may be transmitted using Internet Protocol (IP), and a portion of the network may include the Internet.
-
Publication No.: DE10052312B4
Publication Date: 2006-10-26
Application No.: DE10052312
Application Date: 2000-10-21
Applicant: IBM
Inventor: GENTY DENISE MARIE , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK , SHIEH JOHNNY MENG-HAN , UNNIKRISHNAN RAMACHANDRAN
Abstract: Disclosed is a system and method for enhancing the security of virtual private network (VPN) connections by automatic pre-negotiation of a secondary configuration. If snooping or other security breaches are detected, the VPN tunnel is modified automatically to the secondary pre-arranged configuration, stymieing attempted security violations.
-
Publication No.: CA2332084C
Publication Date: 2006-08-01
Application No.: CA2332084
Application Date: 2001-01-23
Applicant: IBM
Inventor: CRONK MATTHEW SLADE , SHIEH JOHNNY MENG-HAN , MULLEN SHAWN PATRICK , MCBREARTY GERALD FRANCIS
Abstract: A method and system for running, on different computers at the same time, multiple operating systems from the same shared system resource is provided. This is accomplished, for example, by using persistent elemental disk reservations. Each machine reads the master boot record without reservation to determine the partition of the operating system to be booted. Each machine then makes an elemental exclusive write persistent reservation for accessing the operating system boot partition. This is followed by each machine making another elemental exclusive write persistent reservation for accessing the operating system partition itself. Each machine is assigned a different operating system partition even if they are running the same operating system. The unique reservation key for these reservations is created from at least one of a Processor ID, a Cluster ID, a Multiple Processor partition ID, a Non-Uniform Memory Access complex ID, and/or a Non-Uniform Memory Access node ID.
-
Publication No.: DE10132461B4
Publication Date: 2006-07-06
Application No.: DE10132461
Application Date: 2001-07-04
Applicant: IBM
Inventor: CAROLL SCOTT ALLEN , FIVEASH WILLIAM ALTON , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK , SHIEH JOHNNY MENG-HAN
Abstract: The present invention is embodied in a system and method for monitoring and alerting remote client users of digital intrusions of their computers by host servers. In general, the present invention monitors actions taken by host servers relating to information about the remote client and displays graphical alerts when a digital intrusion or a breach of security occurs during a network connection, such as a connection to the Internet, with the host server. Specifically, the present invention monitors certain aspects of the remote client user's interaction with host servers. Based on certain interaction, such as an attempt by the host server to retrieve non-related information about the remote client, the remote client user can be provided with a graphical alert. This allows the remote client user to make an informed decision whether or not to allow certain host server sites to retrieve the client user's personal information.
-
Publication No.: BRPI0410569A
Publication Date: 2006-06-20
Application No.: BRPI0410569
Application Date: 2004-04-15
Applicant: IBM
Inventor: KEOHANE SUSANN MARIE , MCBREARTY GERALD FRANCIS , MULLEN SHAWN PATRICK , MURILLO JESSICA KELLEY , SHIEH JOHNNY MENG-HAN
Abstract: A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and re-configures the server ports to accept a re-mount from the client via a more secure port. The server re-configured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from un-authorized capture during transmission to the client system.
-
Publication No.: CA2525249A1
Publication Date: 2004-12-02
Application No.: CA2525249
Application Date: 2004-04-15
Applicant: IBM
Inventor: SHIEH JOHNNY MENG-HAN , MULLEN SHAWN PATRICK , MCBREARTY GERALD FRANCIS , KEOHANE SUSANN MARIE , MURILLO JESSICA KELLEY
Abstract: A security protocol that dynamically implements enhanced mount security of a filesystem when access to sensitive files on a networked filesystem is requested. When the user of a client system attempts to access a specially-tagged sensitive file, the server hosting the filesystem executes a software code that terminates the current mount and reconfigures the server ports to accept a re-mount from the client via a more secure port. The server reconfigured server port is provided the IP address of the client and matches the IP address during the re-mount operation. The switch to a secure mount is completed in a seamless manner so that authorized users are allowed to access sensitive files without bogging down the server with costly encryption and other resource-intensive security features. No significant delay is experienced by the user, while the sensitive file is shielded from unauthorized capture during transmission to the client system.