SYSTEM AND METHOD FOR PROTECTING CPU AGAINST REMOTE ACCESS ATTACKS
Abstract
A system and method that protects the CPU of a router by establishing a management port on the router. Hosts connected to non-management ports of the router are denied access to the management functions of the router's CPU. The system and method can utilize an application-specific integrated circuit (ASIC) in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets directed to the CPU of the router. This system and method filters data packets that may be generated in attempts to hack into the control functions of a network device, and the operation does not require that the CPU analyze all received data packets in order to determine access to the control functions of the router.
Claims (30 claims; 107 citations)
1-11. (canceled)
12. A network device comprising:
a plurality of ports including a first port and a second port; and
means for filtering a data packet received at the second port if the data packet is destined for the first port and if the data packet is a management data packet.
(Dependent claims 13-22 not reproduced here.)
23. A network device comprising:
a management port;
a non-management port;
a central processing unit (CPU) configured to provide one or more management functions for the network device; and
means for filtering management data packets received at the non-management port without impacting performance of the CPU.
(Dependent claims 24-28 not reproduced here.)
29. An application-specific integrated circuit (ASIC) for use in a network device, the ASIC being configured to:
determine if a destination IP address included in a data packet received at a non-management port of the network device corresponds to a gateway address of a management port of the network device;
if the destination IP address corresponds to the gateway address, determine if the data packet uses a management protocol; and
if the data packet uses a management protocol, filter the data packet.
30. A non-transitory computer-readable storage medium having stored thereon program code executable by a processor, the program code comprising:
code that causes the processor to determine if a destination IP address included in a data packet received at a non-management port of a network device corresponds to a gateway address of a management port of the network device;
code that causes the processor to, if the destination IP address corresponds to the gateway address, determine if the data packet uses a management protocol; and
code that causes the processor to, if the data packet uses a management protocol, filter the data packet.
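The decision chain of claims 29 and 30, expressed as a first-match ACL table in the CAM-ACL style the abstract describes. This is an added example, not code from the patent: port 0 as the management port, 10.0.0.1 as its gateway address, and the listed TCP/UDP destination ports as "management protocols" are all assumptions, since the patent names none of them.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed configuration (assumptions, not values from the patent).
MANAGEMENT_PORTS = {0}                 # physical port(s) designated for management
MANAGEMENT_GATEWAY = "10.0.0.1"        # gateway address of the management port
MANAGEMENT_PROTOCOLS = [("tcp", 22), ("tcp", 23), ("tcp", 80), ("udp", 161)]


@dataclass(frozen=True)
class Packet:
    ingress_port: int
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    # None in a match field means "don't care", like a masked bit in a CAM key.
    ingress_port: Optional[int]
    dst_ip: Optional[str]
    proto: Optional[str]
    dst_port: Optional[int]
    action: str       # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        fields = ((self.ingress_port, pkt.ingress_port), (self.dst_ip, pkt.dst_ip),
                  (self.proto, pkt.proto), (self.dst_port, pkt.dst_port))
        return all(want is None or want == have for want, have in fields)


def build_acl() -> List[AclEntry]:
    """Ordered table: permit traffic arriving on the management port first, then
    deny management protocols addressed to the management gateway from any other
    port, then permit everything else so the ASIC never bothers the CPU for it."""
    acl = [AclEntry(p, None, None, None, "permit") for p in sorted(MANAGEMENT_PORTS)]
    acl += [AclEntry(None, MANAGEMENT_GATEWAY, proto, port, "deny")
            for proto, port in MANAGEMENT_PROTOCOLS]
    acl.append(AclEntry(None, None, None, None, "permit"))
    return acl


def lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match lookup, the semantics a CAM delivers in a single cycle."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"  # unreachable with the default entry present; safe fallback
```

Entry order matters: the permit for the management port must precede the deny entries, otherwise legitimate management sessions arriving on port 0 would also be dropped.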
Specification