Exploring Network Bypass Security Scenarios | Niagara Networks

Written by André Vink | June 5, 2018

When it comes to the network bypass switch and inline security solutions, you probably have a lot of questions, such as: “What is a bypass switch?”; “How will the bypass switch help if my in-line security device fails?”; “How do I connect up the bypasses?”, just to name a few.

The answers to these and other related questions will show why this simple device is so versatile and what it can do to strengthen your inline network security architecture. It ensures uninterrupted connectivity and high availability (HA) for network activity and, in general, protects your business interests and enterprise security.

Let’s start.

What is a bypass switch?

A bypass switch (sometimes also referred to as a bypass tap) is a special type of active device. It is used to connect a monitored network segment to an active, inline device (for example, a security tool) and to monitor that device's health. Inline network devices are considered essential to the overall performance of an enterprise network.

Consider that inline network devices are single points of failure in IT networks. If the device should, for any reason, lose power, experience a system hang-up or software failure, or be removed from the network, traffic will no longer flow through the network link.

This generally results in dropped data packets and can cause errors in the applications and processes that depend on the successful delivery of those packets. Therefore, any break in service is critical, and any device that can prevent an interruption is a necessary component of the network design. This is particularly critical for security devices that are protecting the network from security breaches and malevolent attacks.

The bypass switch eliminates this point of failure by automatically bypassing traffic around the network security devices whenever the device is incapable of processing or passing the traffic. The bypass device, which contains a relay switch, is an integral element of any network security solution. It is designed to maximize the efficiency of inline threat detection and prevention tools by minimizing compromise in network availability.

Thus, if there is a power outage, this will cause the relay to automatically close, and the switch will go to 'bypass mode'. This ensures continuity and will prevent an inline tool from bringing down part or all of the network, and it will also keep your network link up while you resolve the issue.

How will the bypass switch help if my inline security device fails?

Preventing network failure if your inline security device fails – by using bypasses – is not the only thing happening when the bypass’ relay closes and goes into bypass mode. In order to maintain the network’s viability, the bypass initiates the following security scenario:

(a)   As previously described, the data traffic will be rerouted, maintaining high availability (HA).

(b)   Automatic load-balancing will take place from the failed device to the working ones, thus ensuring a balanced flow of data throughout the enterprise network.

For example, if the traffic begins to show signs of an inline tool failure, a physical or logical bypass can divert the traffic around the network device – such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) – to keep everything flowing smoothly. The bypass will thus preserve the network connection, reduce traffic interruption, allow the traffic flow to continue without any data loss, and thereby ensure business continuity while retaining pervasive visibility and resilient threat monitoring.

How can we detect that a device failed?

The network bypass switch generates a continuous series of bi-directional heartbeat (HB) packets via the device ports, to monitor the health of the inline device. As long as the HBs are returned, the traffic will continue to flow through the inline device. If the HB is not returned to the bypass switch, or in the event that the inline device loses power, is disconnected, or otherwise fails, the bypass switch will reroute the traffic directly between its other network devices, bypassing the out-of-service one. This will ensure that traffic continues to flow on the network link and data packets are not dropped. The action of switching to bypass mode and enabling the connectivity of traffic flow is called “Fail Open”.


When the heartbeats are detected again, traffic can be diverted back to the previously bypassed security device. Note that HB timeouts can also be set, so that malfunctions that are not full ‘failures’ but undesired ‘slowdowns’ (for example, a device that is overloaded and adding unacceptable latency) also cause the bypass device to switch over.
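
The heartbeat logic described above can be modelled as a small state machine; the following is an added example, not code from Niagara Networks or any bypass product. The thresholds (`timeout_ms`, `miss_limit`, `recover_count`) and the heartbeat trace are assumed values chosen for illustration, and the helper also reports the windows in which traffic skipped the inline tool, which is what a security team would want logged.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INLINE, BYPASS = "inline", "bypass"

@dataclass
class BypassMonitor:
    # All thresholds are assumptions for this sketch, not vendor defaults.
    timeout_ms: float = 5.0   # an HB slower than this counts as not returned
    miss_limit: int = 3       # consecutive bad HBs before failing open
    recover_count: int = 5    # consecutive good HBs before returning inline
    state: str = INLINE
    bad: int = 0
    good: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def heartbeat(self, tick: int, rtt_ms: Optional[float]) -> str:
        """Feed one HB result; rtt_ms is None when the HB never came back."""
        ok = rtt_ms is not None and rtt_ms <= self.timeout_ms
        self.good, self.bad = (self.good + 1, 0) if ok else (0, self.bad + 1)
        fail_open = self.state == INLINE and self.bad >= self.miss_limit
        restore = self.state == BYPASS and self.good >= self.recover_count
        if fail_open or restore:
            self.state = BYPASS if fail_open else INLINE
            self.events.append((tick, self.state))  # log every transition
        return self.state

def uninspected_windows(events, last_tick):
    """Return (start, end) tick ranges during which traffic skipped the tool."""
    windows, start = [], None
    for tick, state in events:
        if state == BYPASS:
            start = tick
        elif start is not None:
            windows.append((start, tick))
            start = None
    if start is not None:  # still in bypass when the trace ends
        windows.append((start, last_tick))
    return windows

# Constructed HB trace (ms): healthy, overloaded (slow), dead, then recovered.
TRACE = [1.0, 1.2, 9.0, 12.0, None, None, 1.1, 1.0, 0.9, 1.0, 1.1, 1.0]

def run_trace(trace=TRACE):
    mon = BypassMonitor()
    for tick, rtt in enumerate(trace):
        mon.heartbeat(tick, rtt)
    return mon.events, uninspected_windows(mon.events, len(trace) - 1)
```

Requiring several consecutive good heartbeats before returning inline keeps a flapping tool from toggling the relay on every packet.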

What happens if I need to do maintenance on my inline security tools?

Once a device has been bypassed, this new state also enables you to take down (or even physically disconnect) the inline security tool for replacement or maintenance purposes.

In a maintenance session scenario, IT can manually reset bypass switches to allocate specific traffic across the network, bypassing specific inline security tools, or whatever nodes the bypass is connected around. Since those bypassed devices are no longer directly inline, they can be removed, rebooted, or updated with great ease, without causing any network disruption.

Interconnections – Getting it all to work together

If multiple inline devices are connected sequentially (in cascading order), data traffic will be blocked and packets may be dropped if one of the devices should fail. Therefore, the bypass switch is essential to prevent such a scenario.

Summary

The bypass switch ensures inline security tool efficiency. It makes sure that data packets are not lost, and that all the essential data traffic continues to travel smoothly over the network, even when inline security devices need to be replaced, rebooted, or even removed – whether due to failure or for maintenance. As network loads continue to increase, and more and more devices are added into the inline architecture, uninterrupted service becomes a business critical issue.

The network bypass switch is easy to integrate into the network and offers indispensable health monitoring (via its heartbeat mechanism), offline/online control (via the relay bypass), and failover versatility (via the relay bypass) for inline security device robustness.

For more information, visit our resource page or contact one of our network security consultants.