System and method for protecting CPU against remote access attacks
First Claim
1. A method comprising:
- identifying, by a network device, a first port of the network device as a management port, the first port having a gateway address;
- identifying, by the network device, a second port of the network device as a non-management port; and
- filtering, by the network device, a data packet received on the second port if a destination IP address of the data packet corresponds to the gateway address of the first port and if the data packet utilizes a management protocol.
Abstract
A system and method that protects the CPU of a router by establishing a management port on the router. Hosts connected to non-management ports of the router are denied access to the management functions of the router's CPU. The system and method can use an application-specific integrated circuit (ASIC) together with a CAM-based access control list (CAM-ACL) that analyzes data packets received on the router's ports; the ASIC drops such data packets directed to the router's CPU. The system and method thus filter data packets that may be generated in attempts to hack into the control functions of a network device, without requiring the CPU to analyze every received data packet in order to decide access to the router's control functions.
17 Claims

1. A method comprising:
- identifying, by a network device, a first port of the network device as a management port, the first port having a gateway address;
- identifying, by the network device, a second port of the network device as a non-management port; and
- filtering, by the network device, a data packet received on the second port if a destination IP address of the data packet corresponds to the gateway address of the first port and if the data packet utilizes a management protocol.

Dependent claims: 2, 3, 4, 5, 6, 7, 16

8. A network device comprising:
- a first port defined as a management port;
- a second port defined as a non-management port;
- an application specific integrated circuit operable to filter a data packet received on the second port if a destination IP address of the data packet corresponds to a gateway address of the first port and if the data packet utilizes a management protocol.

Dependent claims: 9, 10, 17

11. A network device comprising:
- a plurality of ports including a management port; and
- a control component configured to:
  - determine if a destination IP address included in a received data packet corresponds to a gateway IP address of the management port;
  - if the destination IP address corresponds to the gateway IP address of the management port, determine if the data packet originated from a management virtual local area network (VLAN), wherein the management VLAN includes the management port;
  - if the data packet did not originate from the management VLAN, determine if the data packet uses a management protocol; and
  - if the data packet uses a management protocol, drop the packet.

Dependent claims: 12, 13, 14, 15
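The filtering decision described in the abstract and spelled out as an ordered sequence in claim 11, as an added example that is not part of the patent or of any vendor's implementation. It models the three tests of claim 11 in Python: the destination IP must equal the management port's gateway address, the packet must not have originated on the management VLAN (claim 1 uses the management port itself, so the example trusts either), and the packet must use a management protocol; only then is it dropped. The device configuration, packet fields, protocol table and sample packets are all constructed for this example, and the patent does not enumerate which protocols count as management protocols, so that table is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Management protocols keyed by (L4 protocol, destination port). The patent
# does not enumerate them; this set is an assumption made for the example.
MANAGEMENT_PROTOCOLS = {
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 161): "snmp",
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str          # physical port the frame arrived on
    ingress_vlan: int          # VLAN the frame was classified into
    src_ip: str
    dst_ip: str
    l4_proto: str              # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class DeviceConfig:
    management_port: str       # claim 1: the port identified as management
    management_vlan: int       # claim 11: VLAN that includes the management port
    gateway_ip: str            # gateway IP address of the management port


def is_management_protocol(pkt: Packet) -> bool:
    return (pkt.l4_proto, pkt.dst_port) in MANAGEMENT_PROTOCOLS


def originated_on_management_path(cfg: DeviceConfig, pkt: Packet) -> bool:
    # Claim 1 trusts traffic entering on the management port itself; claim 11
    # trusts the whole management VLAN, which includes that port. Either is
    # enough here.
    return (pkt.ingress_port == cfg.management_port
            or pkt.ingress_vlan == cfg.management_vlan)


def filter_verdict(cfg: DeviceConfig, pkt: Packet) -> str:
    """Return "drop" or "forward", following the ordered tests of claim 11."""
    # Test 1: is the packet addressed to the management gateway IP at all?
    if ipaddress.ip_address(pkt.dst_ip) != ipaddress.ip_address(cfg.gateway_ip):
        return "forward"           # transit traffic is never touched
    # Test 2: did it arrive via the management port / VLAN?
    if originated_on_management_path(cfg, pkt):
        return "forward"           # legitimate administrators get through
    # Test 3: is it a management protocol? Only then is it dropped, so e.g.
    # ICMP to the gateway from a user port is still forwarded.
    if is_management_protocol(pkt):
        return "drop"
    return "forward"


# Constructed sample: a device whose management port is eth0 in VLAN 1 with
# gateway address 10.0.0.1, and a user-facing port eth3 in VLAN 20.
CFG = DeviceConfig(management_port="eth0", management_vlan=1, gateway_ip="10.0.0.1")

SAMPLE_PACKETS: Dict[str, Packet] = {
    "ssh_from_user_port":  Packet("eth3", 20, "10.20.0.5", "10.0.0.1", "tcp", 22),
    "snmp_from_user_port": Packet("eth3", 20, "10.20.0.5", "10.0.0.1", "udp", 161),
    "ping_from_user_port": Packet("eth3", 20, "10.20.0.5", "10.0.0.1", "icmp"),
    "ssh_from_mgmt_port":  Packet("eth0", 1, "10.0.0.9", "10.0.0.1", "tcp", 22),
    "ssh_transit":         Packet("eth3", 20, "10.20.0.5", "10.30.0.7", "tcp", 22),
}


def run_sample(cfg: DeviceConfig = CFG) -> Dict[str, str]:
    """Apply the filter to every sample packet and return the verdicts."""
    return {name: filter_verdict(cfg, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:22s} -> {verdict}")
```

Running the block prints one verdict per sample packet: the SSH and SNMP packets from the user port are dropped, while the ping from the same port, the SSH session from the management port, and SSH traffic transiting to another host are forwarded. In the patent's design this decision is encoded in a CAM-ACL and applied by the ASIC before the packet reaches the CPU, which is the point of the invention; the Python shows only the match logic. Note that the claims match a single gateway address of the management port, so any other address the control plane answers on would need equivalent entries in a real deployment.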
Specification