Bypass switch explained

A bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS), next generation firewall (NGFW), etc. Active, in-line security appliances are single points of failure in live computer networks because if the appliance loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass TAP removes this point of failure by automatically switching traffic into bypass mode to keep the critical network link up.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

A bypass switch or TAP monitors the health of the active, in-line appliance by sending heartbeat packets to it. As long as the in-band security appliance is on-line, it returns the heartbeat packets to the switch/TAP, and the link traffic continues to flow through the in-line security appliance.

If the heartbeat packets are not returned to the TAP (indicating that the in-line security appliance has gone off-line), the TAP automatically bypasses the in-band security appliance and keeps the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link, so they never appear on the monitored link itself.

In some products, when the bypass switch shunts traffic around the monitoring appliance, the monitor ports revert to acting like a network tap, mirroring the half-duplex traffic received at the network ports to the monitor ports. In this mode, an attached IPS appliance can be used as an intrusion detection system (IDS) to passively monitor the traffic without affecting it. This mode is useful for analyzing the effectiveness of a signature set before switching to IPS mode and potentially disrupting network traffic.

Multi-segment bypass switches provide a number of independent bypass switches in a single chassis, providing higher density in the equipment rack.

Terminology

Bypass TAP - Normal Mode: traffic flows through the network TAP, then through the in-line appliance, and back onto the network.

Bypass TAP - Bypass Mode: traffic flows directly between the network ports while heartbeat packets continue to be sent to the in-line security appliance. Once the appliance is back on-line, it begins returning the heartbeat packets to the TAP, indicating that it is ready to resume normal mode. The TAP then directs the network traffic, along with the heartbeat packets, back through the in-line security appliance, placing the appliance back in-line.

Advantages

Using an external bypass switch to connect an in-line appliance such as an NGFW, IPS, or DDoS mitigation appliance has several benefits.[1]

It keeps network traffic flowing when the in-line appliance fails.

It allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline for upgrades, maintenance, or troubleshooting.

The in-line appliance can be moved from one network segment to another without impacting network traffic.

Note that the latter two advantages are not provided by internal bypass-switch functionality that may be integrated within some NGFW/IPS appliances.

Some bypass TAPs support multiple modes and can be used throughout the network's lifetime, e.g. aggregation, regeneration/SPAN, and breakout/normal modes.

Disadvantages

Bypass switches and TAPs add acquisition cost to the monitoring solution, although they may save cost in the long run by increasing network uptime.

Bypass switches move the single point of failure from the in-line monitoring appliance to the bypass switch itself. This should be a net gain in reliability, because the bypass switch is a simpler device than the monitoring appliance, and because it is designed for fault-tolerance. Nevertheless, reliability is an important criterion when evaluating bypass switch solutions.

Technical information

Bypass switches increase network reliability through several mechanisms including passive in-line connections, link detection, and heartbeat packets.

The two network ports in a bypass switch create a fully passive in-line connection that maintains traffic flow even in the absence of power. For fiber links, a normally closed optical switch creates a path for light to flow unimpeded through the device when power is absent. For copper links, micro-relays connect the two ports when power is absent.

The bypass switch monitors the status of the links between its monitor ports and the in-line appliance. If a link goes down, the bypass switch immediately switches into bypass mode. Some manufacturers' bypass TAPs/switches still send traffic to the appliance during bypass mode. When the link comes back up again, the bypass switch returns to normal (bypass-off) mode.

Some bypass switches send a heartbeat packet through the monitoring appliance in order to ensure that the appliance is actually passing traffic, not merely keeping its link up. If the heartbeat packet does not return to the bypass switch, the appliance is assumed to be down, and the switch goes into bypass-on mode, excluding the appliance from the traffic path. The bypass switch continues to transmit heartbeat packets to the appliance, and when they are again returned by the appliance, the bypass switch changes back to bypass-off mode and the appliance resumes receiving traffic.
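The heartbeat and link-detection behaviour described in the two paragraphs above (and in the overview earlier on the page) is easy to reason about as a small state machine. The following is an added simulation written for this page; it is not code from any bypass switch vendor. The heartbeat marker, the retry limit, the FakeIPS stand-in and the event strings (which play the role of SNMP traps) are all constructed assumptions. It shows the three things a practitioner cares about: the heartbeat is stripped before traffic reaches the far network port, frames can be lost during the detection window before bypass-on engages, and while in bypass mode traffic crosses the link unfiltered until the appliance answers a heartbeat again.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Appliance model: takes one frame, returns it to pass it on, or None to drop it.
Appliance = Callable[[bytes], Optional[bytes]]

# Constructed heartbeat marker. Real devices let the operator configure the
# heartbeat contents, interval and retry count (see "Device management").
HEARTBEAT_MARK = b"HB:"


@dataclass
class BypassSwitch:
    appliance: Appliance
    link_up: bool = True       # state of the monitor-port links to the appliance
    retry_limit: int = 3       # consecutive missed heartbeats tolerated before bypass-on
    mode: str = "normal"       # "normal" = bypass-off, "bypass" = bypass-on
    missed: int = 0
    seq: int = 0
    events: List[str] = field(default_factory=list)  # stands in for SNMP traps / syslog

    def _set_mode(self, mode: str, reason: str) -> None:
        if self.mode != mode:
            self.mode = mode
            self.events.append(f"{mode}: {reason}")

    def _through_appliance(self, frames: List[bytes]) -> Tuple[bool, List[bytes]]:
        """Push frames plus one heartbeat through the appliance.

        Returns (heartbeat_came_back, frames_returned_by_appliance). Heartbeat
        frames are stripped so they never reach the network port.
        """
        self.seq += 1
        heartbeat = HEARTBEAT_MARK + str(self.seq).encode()
        heartbeat_back = False
        passed: List[bytes] = []
        for frame in frames + [heartbeat]:
            result = self.appliance(frame)
            if result is None:
                continue                      # dropped by the appliance
            if result == heartbeat:
                heartbeat_back = True         # health confirmed; strip it
            elif result.startswith(HEARTBEAT_MARK):
                continue                      # stale heartbeat; strip it too
            else:
                passed.append(result)
        return heartbeat_back, passed

    def forward(self, frames: List[bytes]) -> List[bytes]:
        """Move frames from one network port to the other for one heartbeat interval."""
        if not self.link_up:
            # Link detection: a dropped monitor link triggers bypass at once.
            self._set_mode("bypass", "monitor link down")
            return list(frames)

        if self.mode == "normal":
            ok, passed = self._through_appliance(frames)
            if ok:
                self.missed = 0
            else:
                self.missed += 1
                if self.missed >= self.retry_limit:
                    self._set_mode("bypass", f"{self.missed} heartbeats unanswered")
            # Only what the appliance handed back reaches the far side; frames
            # lost while the fault was being detected are gone.
            return passed

        # Bypass mode: traffic crosses the switch unfiltered while the heartbeat
        # keeps probing the appliance so that normal mode can resume.
        ok, _ = self._through_appliance([])
        if ok:
            self.missed = 0
            self._set_mode("normal", "heartbeat answered, appliance back in-line")
        return list(frames)


class FakeIPS:
    """Constructed stand-in for an in-line IPS: drops frames containing b"EVIL";
    when hung, drops everything (including heartbeats)."""

    def __init__(self) -> None:
        self.hung = False

    def __call__(self, frame: bytes) -> Optional[bytes]:
        if self.hung or b"EVIL" in frame:
            return None
        return frame


def run_scenario() -> Tuple[List[Tuple[List[bytes], str]], List[str]]:
    """Drive the switch through failure and recovery; returns ((forwarded, mode) per interval, events)."""
    ips = FakeIPS()
    sw = BypassSwitch(appliance=ips, retry_limit=2)
    log = []
    log.append((sw.forward([b"GET /", b"EVIL"]), sw.mode))   # filtered, heartbeat stripped
    ips.hung = True
    log.append((sw.forward([b"GET /"]), sw.mode))            # first miss: traffic lost, still normal
    log.append((sw.forward([b"GET /"]), sw.mode))            # second miss: bypass-on engages
    log.append((sw.forward([b"EVIL"]), sw.mode))             # bypass: unfiltered traffic passes
    ips.hung = False
    log.append((sw.forward([b"EVIL"]), sw.mode))             # heartbeat answered; flips back after this interval
    log.append((sw.forward([b"EVIL", b"GET /"]), sw.mode))   # filtering restored
    sw.link_up = False
    log.append((sw.forward([b"GET /"]), sw.mode))            # link loss: immediate bypass
    sw.link_up = True
    log.append((sw.forward([b"GET /"]), sw.mode))            # link restored, heartbeat answered
    return log, sw.events


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

The point to take from the run is the fourth interval: while the switch is in bypass mode the appliance contributes nothing, so a bypass-on event should be treated as a loss of protection and alerted on, not only logged as a link event.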

Whenever the bypass switch transitions to bypass mode for any reason, the link may be temporarily dropped. A good bypass switch reconnects the link in under 1 second,[2] but the network may take several seconds to re-establish communications on the link.

Device management

Bypass switches may be managed through any of several interfaces: a command-line interface (CLI), a Web browser-based interface, or a platform-based SNMP tool. Management functions may include configuring an IP address for SNMP traps, retrieving RMON statistics, and setting parameters for the heartbeat packet such as packet contents, timing, and retry counts.

Notes and References

  1. "Net Optics, Inc. Introduces iBypass for Fail-Safe IPS Security Deployments", SYS-CON Media, http://www.sys-con.com/read/378274.htm
  2. The Tolly Group, "Net Optics 10/100/1000 iBypass Switch Evaluation", 2008-06-23. Original link (http://www.tolly.com/DocDetail.aspx?DocNumber=208291) is dead; archived 2009-01-14 at https://web.archive.org/web/20090114021945/http://www.tolly.com/DocDetail.aspx?DocNumber=208291