System and method for protecting CPU against remote access attacks

US 8,893,256 B2
Filed: 06/30/2010
Issued: 11/18/2014
Est. Priority Date: 09/23/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A network device comprising:

a plurality of ports including a first port and a second port; and

means for filtering a data packet received at the second port if;

the network device determines that the data packet is destined for the first port,the network device determines that the data packet is a management data packet, andthe network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to a non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack in to control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.

142 Citations

15 Claims

1. A network device comprising:
- a plurality of ports including a first port and a second port; and
  
  means for filtering a data packet received at the second port if;
  
  the network device determines that the data packet is destined for the first port,the network device determines that the data packet is a management data packet, andthe network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network device of claim 1 where the data packet is destined for the first port if the data packet includes a destination IP address corresponding to a gateway IP address of the first port.
  - 3. The network device of claim 1 wherein the first port is defined as a management port for the network device and wherein the second port is defined as a non-management port for the network device.
  - 4. The network device of claim 1 wherein the data packet is a management data packet if the data packet uses a management protocol.
  - 5. The network device of claim 4 wherein the management protocol is selected from a group consisting of:
    - Telnet, SSH, SNMP, and TFTP.
  - 6. The network device of claim 1 wherein the first port is part of a management virtual local area network (VLAN).
  - 7. The network device of claim 6 wherein the second port is not part of the management VLAN.
  - 8. The network device of claim 1 wherein filtering the data packet comprises dropping the data packet.
  - 9. The network device of claim 1 wherein filtering the data packet comprises storing the data packet without forwarding the data packet to the first port.

10. A network device comprising:
- a management port;
  
  a non-management port; and
  
  means for filtering management data packets received at the non-management port, wherein the filtering comprises;
  
  determining if a destination IP address included in a management data packet received at the non-management port corresponds to a gateway address of the management port; and
  
  if the destination IP address included in the management data packet corresponds to the gateway address of the management port, determining if the data packet originated from a management VLAN that includes the management port.
- View Dependent Claims (11)
- - 11. The network device of claim 10 wherein the filtering further comprises:
    - if the data packet did not originate from the management VLAN, dropping the data packet.

12. A network device comprising:
- a plurality of ports including a first port and a second port,wherein the network device filters a data packet received at the second port if;
  
  the network device determines that the data packet is destined for the first port,the network device determines that the data packet is a management data packet, andthe network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

13. A network device comprising:
- a management port and a non-management port,wherein the network device filters management data packets received at the non-management port by;
  
  determining if a destination IP address included in a management data packet received at the non-management port corresponds to a gateway address of the management port; and
  
  if the destination IP address included in the management data packet corresponds to the gateway address of the management port, determining if the data packet originated from a management VLAN that includes the management port.

14. A method comprising:
- filtering, by a network device, a data packet received at a non-management port of the network device if;
  
  the network device determines that the data packet is destined for a first port of the network device,the network device determines that the data packet is a management data packet, andthe network device determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

15. A non-transitory computer readable medium having stored thereon instructions executable by a processor, the instructions including:
- instructions that cause the processor to filter a data packet received at a non-management port of the network device if;
  
  the processor determines that the data packet is destined for a first port of the network device,the processor determines that the data packet is a management data packet, andthe processor determines that the data packet originated from a VLAN other than a management VLAN that includes the first port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Szeto, Ronald W., Kwan, Philip, Kwong, Raymond Wai-Kit
Primary Examiner(s)
Dinh, Minh

Application Number

US12/827,235
Publication Number

US 20100333191A1
Time in Patent Office

1,602 Days
Field of Search

713/160, 713/162, 726/15
US Class Current

726/13
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

System and method for protecting CPU against remote access attacks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting CPU against remote access attacks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links