System and method for protecting CPU against remote access attacks

DC CAFC

US 7,774,833 B1
Filed: 09/23/2003
Issued: 08/10/2010
Est. Priority Date: 09/23/2003
Status: Active Grant

- Alert
- Pin

Associated Case

Associated Defendants

First Claim

Patent Images

1. A method comprising:

identifying, by a network device, a first port of the network device as a management port, the first port having a gateway address;

identifying, by the network device, a second port of the network device as a non-management port; and

filtering, by the network device, a data packet received on the second port if a destination IP address of the data packet corresponds to the gateway address of the first port and if the data packet utilizes a management protocol.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to a non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack in to control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.

140 Citations

17 Claims

1. A method comprising:
- identifying, by a network device, a first port of the network device as a management port, the first port having a gateway address;
  
  identifying, by the network device, a second port of the network device as a non-management port; and
  
  filtering, by the network device, a data packet received on the second port if a destination IP address of the data packet corresponds to the gateway address of the first port and if the data packet utilizes a management protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16)
- - 2. The method of claim 1, wherein the filtering comprises dropping the data packet.
  - 3. The method of claim 1, further comprising passing the data packet received on the second port if the data packet originated from a virtual local area network that includes the first port.
  - 4. The method of claim 3, wherein another network device is connected to the second port, wherein a port of the another network device is defined to be part of the virtual local area network and is assigned a source IP address corresponding to the gateway address of the first port, and wherein management data packets for managing the another network device are sent to the source IP address.
  - 5. The method of claim 4, wherein the management data packets have higher priority than other data packets routed through the network device.
  - 6. The method of claim 1, wherein the network device includes an application specific integrated circuit operable to perform the filtering.
  - 7. The method of claim 6, wherein the application specific integrated circuit is configured to determine if the destination IP address for the data packet received on the second port corresponds to the gateway address of the first port.
  - 16. The method of claim 1 wherein filtering the data packet received on the second port comprises storing the data packet in a memory area separate from other types of received data packets.

8. A network device comprising:
- a first port defined as a management port;
  
  a second port defined as a non-management port;
  
  an application specific integrated circuit operable to filter a data packet received on the second port if a destination IP address of the data packet corresponds to a gateway address of the first port and if the data packet utilizes a management protocol.
- View Dependent Claims (9, 10, 17)
- - 9. The network device of claim 8 wherein the filtering comprises dropping the data packet.
  - 10. The network device of claim 8, wherein the application specific integrated circuit is further operable to pass the data packet received on the second port if the data packet originated from a virtual local area network that includes the first port.
  - 17. The network device of claim 8 wherein filtering the data packet received on the second port comprises storing the data packet in a memory area separate from other types of received data packets.

11. A network device comprising:
- a plurality of ports including a management port; and
  
  a control component configured to;
  
  determine if a destination IP address included in a received data packet corresponds to a gateway IP address of the management port;
  
  if the destination IP address corresponds to the gateway IP address of the management port, determine if the data packet originated from a management virtual local area network (VLAN), wherein the management VLAN includes the management port;
  
  if the data packet did not originate from the management VLAN, determine if the data packet uses a management protocol; and
  
  if the data packet uses a management protocol, drop the packet.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The network device of claim 11 wherein if the destination IP address does not correspond to the gateway IP address of the management port, the control component is configured to pass the data packet.
  - 13. The network device of claim 11 wherein if the data packet did originate from the management VLAN, the control component is configured to pass the data packet.
  - 14. The network device of claim 11 wherein if the data packet does not use a management protocol, the control component is configured to pass the data packet.
  - 15. The network device of claim 11 wherein the network device is a router.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Kwong, Raymond Wai-Kit, Kwan, Philip, Szeto, Ronald W.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
HO, VIRGINIA T

Application Number

US10/668,455
Time in Patent Office

2,513 Days
Field of Search

713/153, 713/154, 713/160, 713/162, 709/221, 709/225, 709/229, 709/232, 709/242, 726 13- 15
US Class Current

726/13
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

System and method for protecting CPU against remote access attacks

First Claim

9 Assignments

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

140 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting CPU against remote access attacks

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexaminations

Accused Products

Subscription Required

Abstract

140 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links