FIG. 1 shows a system 10 of the prior art. A router 11 operates to provide layer 3 routing of data packets between different hosts of the system. As generally discussed herein layer 3 is a reference to the network layer which determines how to transmit messages between connected network segments. Different aspects of different operations of such networks are discussed generally in the International Standards Organization, standard ISO/IEC 7498, which defines a 7-layer model for describing interconnected systems. It is referred to as the Open Systems Interconnection (OSI) model, and is incorporated herein by reference in its entirety.
The router 11 operates to route data packets received on a port of the router to other ports of the router based on a destination source IP address contained in the data packet. Typically a router will contain a large number of ports to which different data link layer (layer 2 of the OSI model) subnets are connected. In FIG. 1 six ports 12, 14, 16, 18, 20 and 22 are shown, but in many embodiments the router would include additional ports. For example, a typical router could include 24 or 36 ports.
The router 11 includes a CPU 24 which operates to control operations of the router. As is known in the art a CPU 24 operates to execute software program instructions which are loaded into the CPU 24. These software instructions can be stored in a memory 28 and the memory 28 can be utilized by the CPU 24 to access stored information, and instructions. The router 11 also includes content addressable memory (CAM) 26. The CAM includes fields which store data forming an access control list ACL. An application specific integrated circuit (ASIC) 27 is provided, and the ASIC utilizes the CAM with an ACL. The functionality of the ASIC 27 is determined by its hard wiring, and the content of the CAM and the ACL data fields (as opposed to a CPU which requires the loading of software). Thus the ASIC 27 can provide for the switching of the of data packets, or other possible functions at a very high speed relative to the operation of the CPU 24, and the CPU processing power can be used for other operational details of the router.
One aspect of the operation of the router 11 is that it allows for network managers to access control features of the router. Typically, the CPU 24 will be programmed to allow a network manager to change operations of the router. For example, a network manager might modify routing tables of the router, block certain ports from traffic from hosts having different IP addresses, set up new subnets or change subnets.
In order to gain access to, and send instructions to the CPU 24 for the management of the router 11, typically one of a number of different known management communication protocols are used; these protocols include Telnet, SSH, Web management, SNMP, and TFTP etc.
In general operation prior systems operated such that each port of the router can be used to access the CPU management functions of the router. This means that the gateway IP address associated with each port of the router can function as a management address, in that host generating data packets directed to any of the gateway addresses of the ports of router can access management of the router. As a result security procedures have to be provided which allow for filtering and controlling access to the management function of the router through each port and corresponding gateway address of the router.
FIG. 1 shows layer 2 subnets 30, 32, 34, 36, 38 and 40 connected to ports 12, 14, 16, 18, 20 and 22 of the router 11. The layer 2 subnets would typically include a number of layer 2 switches networked together, and hosts, such as personal computers or other devices would be connected to the switches. A host having proper authorization such as proper passwords, or having been previously identified by their source IP address, and generating data packets in accordance with the management communication protocol utilized by the system would be able to gain access to the management functions of the CPU 24 of the router 11 through the any of the ports 12-22 of the router 11. The CPU 24 is responsible for receiving the data packets from hosts of the layer 2 subnet that are directed to obtaining access to the management functions of the CPU 24. If the CPU 24 determines that the host attempting to obtain access to the management functions is not authorized for such access, for example, the host could be a hacker attempting to attack the router 11, then the CPU 24 will drop the data packets from the attacking host, and additional protective measures could also be taken.
In some cases, however, an attacking host, or possibly multiple attacking hosts on different layer 2 subnets connected to different ports of the router 11 may generate a large amount of traffic directed at the CPU 24 management functions. In some cases, where the volume of traffic is sufficiently large, the CPU 24 can become overwhelmed and its ability to effectively filter and authenticate attempts to gain access to the management functions of the router 11 can be significantly reduced and render the router 11 vulnerable to attack. Thus, what is needed is a way to provide enhanced protection against attacks on the router CPU 24 and its management functions.