System and method for protecting CPU against remote access attacks
First Claim
1. A network device comprising:
- a plurality of ports including a first port and a second port; and
- means for filtering a data packet received at the second port if:
  - the network device determines that the data packet is destined for the first port,
  - the network device determines that the data packet is a management data packet, and
  - the network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.
Abstract
A system and method that provides for protection of a CPU of a router by establishing a management port on the router. Hosts which are connected to non-management ports of the router are denied access to management functions of the CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
15 Claims
1. A network device comprising:
- a plurality of ports including a first port and a second port; and
- means for filtering a data packet received at the second port if:
  - the network device determines that the data packet is destined for the first port,
  - the network device determines that the data packet is a management data packet, and
  - the network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9)

10. A network device comprising:
- a management port;
- a non-management port; and
- means for filtering management data packets received at the non-management port, wherein the filtering comprises:
  - determining if a destination IP address included in a management data packet received at the non-management port corresponds to a gateway address of the management port; and
  - if the destination IP address included in the management data packet corresponds to the gateway address of the management port, determining if the data packet originated from a management VLAN that includes the management port.

(Dependent claim 11)

12. A network device comprising:
- a plurality of ports including a first port and a second port, wherein the network device filters a data packet received at the second port if:
  - the network device determines that the data packet is destined for the first port,
  - the network device determines that the data packet is a management data packet, and
  - the network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

13. A network device comprising:
- a management port and a non-management port, wherein the network device filters management data packets received at the non-management port by:
  - determining if a destination IP address included in a management data packet received at the non-management port corresponds to a gateway address of the management port; and
  - if the destination IP address included in the management data packet corresponds to the gateway address of the management port, determining if the data packet originated from a management VLAN that includes the management port.

14. A method comprising:
- filtering, by a network device, a data packet received at a non-management port of the network device if:
  - the network device determines that the data packet is destined for a first port of the network device,
  - the network device determines that the data packet is a management data packet, and
  - the network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

15. A non-transitory computer readable medium having stored thereon instructions executable by a processor, the instructions including:
- instructions that cause the processor to filter a data packet received at a non-management port of the network device if:
  - the processor determines that the data packet is destined for a first port of the network device,
  - the processor determines that the data packet is a management data packet, and
  - the processor determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.
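The three-condition test of claims 1 and 10 (destined for the management port, is a management packet, originated outside the management VLAN) is straightforward to express as a packet-classification function. The following Python model is an added illustration, not code from the patent or its assignee: the port names, VLAN numbers, IP addresses and the list of L4 services treated as "management" are all assumptions constructed for the example, and the patent's own CAM-ACL/ASIC pipeline is replaced by a plain function that returns the forward/drop decision so it can be checked on sample packets.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed (not specified by the patent): the L4 services we classify as
# "management data packets". Real hardware would carry this in a CAM-ACL.
MANAGEMENT_SERVICES = {
    ("tcp", 22),    # SSH
    ("tcp", 23),    # Telnet
    ("tcp", 80),    # HTTP management UI
    ("tcp", 443),   # HTTPS management UI
    ("udp", 161),   # SNMP
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str   # physical port the packet was received on
    vlan_id: int        # VLAN the packet originated from (802.1Q tag)
    dst_ip: str         # destination IP address
    proto: str          # "tcp" or "udp"
    dst_l4_port: int    # destination transport-layer port


@dataclass(frozen=True)
class ManagementConfig:
    management_port: str   # the "first port" / management port of the claims
    management_vlan: int   # the management VLAN that includes that port
    gateway_ip: str        # gateway address of the management port (claim 10)


def is_management_packet(pkt: Packet) -> bool:
    """Condition 2: does the packet target a management service?"""
    return (pkt.proto, pkt.dst_l4_port) in MANAGEMENT_SERVICES


def filter_decision(pkt: Packet, cfg: ManagementConfig) -> str:
    """Return "drop" or "forward" for a packet received at a non-management port.

    A packet is dropped only when all three conditions of claim 1 hold; the
    destination check follows claim 10 (destination IP == management gateway).
    The CPU is never consulted: every test is on header fields alone.
    """
    if pkt.ingress_port == cfg.management_port:
        return "forward"          # received at the management port itself: out of scope
    if pkt.dst_ip != cfg.gateway_ip:
        return "forward"          # condition 1 fails: not destined for the management port
    if not is_management_packet(pkt):
        return "forward"          # condition 2 fails: not a management data packet
    if pkt.vlan_id == cfg.management_vlan:
        return "forward"          # condition 3 fails: originated on the management VLAN
    return "drop"                 # all three conditions hold: protect the CPU


def apply_filter(packets: Iterable[Packet], cfg: ManagementConfig) -> List[Tuple[Packet, str]]:
    """Run the decision over a stream of packets and keep the verdicts for auditing."""
    return [(p, filter_decision(p, cfg)) for p in packets]


def drop_count(packets: Iterable[Packet], cfg: ManagementConfig) -> int:
    """Number of packets the filter would drop; useful as a detection counter."""
    return sum(1 for _, verdict in apply_filter(packets, cfg) if verdict == "drop")


# Constructed sample traffic (assumed names and addresses, not from the patent).
SAMPLE_CONFIG = ManagementConfig(management_port="ge-0/0/0", management_vlan=100,
                                 gateway_ip="10.0.100.1")
SAMPLE_PACKETS = [
    Packet("ge-0/0/5", 200, "10.0.100.1", "tcp", 22),    # SSH to mgmt gateway from VLAN 200: drop
    Packet("ge-0/0/5", 100, "10.0.100.1", "tcp", 22),    # same, but from the management VLAN: forward
    Packet("ge-0/0/5", 200, "10.0.200.1", "tcp", 22),    # SSH to some other gateway: forward
    Packet("ge-0/0/5", 200, "10.0.100.1", "udp", 53),    # DNS to mgmt gateway: not management: forward
    Packet("ge-0/0/0", 100, "10.0.100.1", "tcp", 443),   # arrived at the management port: forward
]

if __name__ == "__main__":
    for pkt, verdict in apply_filter(SAMPLE_PACKETS, SAMPLE_CONFIG):
        print(f"{verdict:8} {pkt}")
```

The order of the checks mirrors how a CAM-ACL would be laid out: the cheapest and most selective match (destination IP equals the management gateway) is tested first, so the vast majority of transit traffic never reaches the VLAN comparison. Running the block prints one verdict per sample packet; only the first packet is dropped.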
Specification