The Role of Bypass Switches for Network Visibility and Security

By: André Vink, December 31, 2018

There’s one glaring problem with modern security tools. Even if you’ve deployed next-gen firewalls (NGFW), intrusion prevention systems (IPS), data leakage prevention and more, they’re all useless without total visibility of network packets.

To keep up with increasingly sophisticated cyber attackers, you need to place these advanced security tools inline. But that introduces another problem. Each device that sits on a critical data link becomes a point of failure.

To maximize both visibility and security, you need a way to connect inline tools without creating points of failure.

That’s where network bypass switches come into play.

What Is a Network Bypass Switch?

Network bypass switches are hardware devices that deliver failover capabilities for your in-line security tools. Whether the appliance fails, or you just need to take the tool off-line for maintenance, bypass switches will automatically reroute traffic without disrupting the flow of your network.

Your bypass switches will sit in the middle of a network segment at an access point that has one or more inline tools. As the bypass switch monitors tool health and performance, it can redirect packets to avoid downtime and performance issues that might come from disruptive points of failure.

During normal functionality, the traffic between two network elements like a router and a switch is sent through any connected, inline security tools. But in the case of appliance failure, the bypass switch cuts off the connection to inline appliances and maintains uptime for the link between your two network elements.

Even if the bypass switch, itself, fails, your link stays up and running thanks to an optical/copper relay between the two network ports.

However, not all network bypass switches are created equal. In our own BypassP2 line of network bypass switches, we offer three unique features that are critical to maintaining visibility and security:

  • Configurable Failsafe: The ability to maintain uninterrupted network flows during power failure is an essential bypass switch function. With Niagara Networks bypass switches, you can configure the optical relays to fail open or fail close depending on your unique deployment needs. No matter the conditions or situation, you can guarantee network services operate without disruption.
  • User-Configured Heartbeat Protection: Our bypass network switches transmit heartbeat packets on appliance ports. When an appliance experiences a software crash, system failure, or loss of power, heartbeat packets aren’t returned to the bypass switch and the failure is detected. When detected, our bypass switches immediately redirect traffic to network ports and maintain packet flow. Heartbeats continue to transmit until systems are restored and inline appliances receive packets again. The user can configure the frequency of the heartbeat packets and the ‘fail’ criteria.
  • Network Active Tap: Our bypass switches can be user configured to function as an active network tap. This means that some of the segments can be used as bypass switches for the in-line network tools and some of the segments can be used for the out-of-band network tools. This flexibility optimizes your deployment options without increasing capital expenditure on additional network visibility devices. Moreover, in some cases this flexibility can help you better address future network growth and future changes in the mix of your network tools.
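
The heartbeat behavior described above can be modeled as a small state machine. This is an added example, not Niagara Networks code: the parameter names (interval_ms, fail_after, restore_after), their default values, and the sample heartbeat sequence are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HeartbeatMonitor:
    """Model of one bypass segment: INLINE sends traffic through the tool, BYPASS skips it."""
    interval_ms: int = 100    # assumed: time between heartbeat packets
    fail_after: int = 3       # assumed 'fail' criterion: consecutive heartbeats not returned
    restore_after: int = 2    # assumed: consecutive returns required before going inline again
    state: str = "INLINE"
    missed: int = 0
    returned: int = 0
    events: list = field(default_factory=list)  # (time_ms, new_state) transitions

    def tick(self, now_ms, heartbeat_returned):
        # Heartbeats keep being sent in both states; only the counters change.
        if heartbeat_returned:
            self.missed, self.returned = 0, self.returned + 1
        else:
            self.missed, self.returned = self.missed + 1, 0
        if self.state == "INLINE" and self.missed >= self.fail_after:
            self._switch(now_ms, "BYPASS")
        elif self.state == "BYPASS" and self.returned >= self.restore_after:
            self._switch(now_ms, "INLINE")
        return self.state

    def _switch(self, now_ms, new_state):
        self.state = new_state
        self.events.append((now_ms, new_state))

def simulate(returns, **cfg):
    """Feed one heartbeat result per interval and return the monitor."""
    mon = HeartbeatMonitor(**cfg)
    for i, ok in enumerate(returns):
        mon.tick(i * mon.interval_ms, ok)
    return mon

def bypass_ms(mon, end_ms):
    """Total time in BYPASS, i.e. time traffic did not traverse the inline tool."""
    total, start = 0, None
    for t, s in mon.events:
        if s == "BYPASS":
            start = t
        else:
            total, start = total + (t - start), None
    return total + (end_ms - start if start is not None else 0)

# Constructed sample: appliance healthy for 5 intervals, down for 6, back for 4.
SAMPLE_RETURNS = [True] * 5 + [False] * 6 + [True] * 4
```
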

While network bypass switches are critical components of a pervasive visibility layer, they don’t act alone. Rather than evaluating your bypass switch options in a vacuum, consider the benefits of a modular approach. 

Bringing Bypass to the Network Packet Broker vs. Bringing Network Packet Broker to the Bypass Switch

Actually, it's the same, but combining the capabilities of a bypass switch and a network packet broker in a single device is a very powerful concept.

A bypass switch is designed to optimize availability and visibility for in-line network tools. But what if you want to filter the traffic going to the in-line network tool? Or what if you need to load balance traffic between multiple in-line devices? The hybrid network packet broker is designed exactly for those scenarios. A hybrid network packet broker is a packet broker with dedicated hardware that enables some ports (or all ports) to fully function as a bypass switch with all the benefits of Niagara’s BypassP2 technology.

We can take the hybrid packet broker one step forward to a modular multi-purpose network visibility node. Pervasive visibility has to be built into any networking plan. However, bypass functionality is just one of three main components of network visibility. The other two are network taps and packet brokers.

With our N2 modular network packet broker, you can implement a single multi-purpose platform that covers all three of these key visibility scenarios. The modular design allows you to tailor the packet broker to your networking needs. But as you choose modules, you have access to:

  • inBypass: Bypass segments of two network ports and two appliance ports that come with the failsafe optical/copper relay and heartbeat monitoring. With bypass switching included in the modular platform, you can configure traffic routing while also keeping all packets available for use on other modules.
  • inBroker: Input/output ports connected to the non-blocking switching fabric for rerouting to any security and monitoring tools necessary.
  • inPassive: Not all appliances are deployed inline and require bypass switches. In these cases, you can use passive tap modules to connect monitoring appliances and load balance traffic accordingly.

Regardless of your specific networking requirements, network visibility must be a top priority. And as your stack of security and monitoring tools becomes increasingly complex, you need the right mix of bypass switches, taps, and packet brokers to maximize availability as well as network protection.

Guaranteeing 100% network traffic visibility may seem easier said than done. But it doesn’t have to be.

Download our white paper about ensuring uptime with active monitoring devices to learn more about the importance of bypass switches and other visibility tools. Niagara Networks are industry specialists in network visibility. Contact us to find out more about Niagara Networks solutions or to schedule a consultation with one of our network visibility experts.
