A bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS), next generation firewall (NGFW), etc. Active, in-line security appliances are single points of failure in live computer networks because if the appliance loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass tap removes this point of failure by automatically switching traffic to bypass mode to keep the critical network link up.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance and ensuring that traffic continues to flow on the network link.

A bypass switch or TAP monitors the health of the active, in-line appliance by sending heartbeat packets to it. As long as the in-line security appliance is on-line, the heartbeat packets are returned to the switch/TAP and the link traffic continues to flow through the appliance. If the heartbeat packets are not returned (indicating that the in-line security appliance has gone off-line), the TAP automatically bypasses the appliance and keeps the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

In some products, when the bypass switch shunts traffic around the monitoring appliance, the monitor ports revert to acting like a network tap, mirroring the half-duplex traffic received at the network ports to the monitor ports. In this mode, an attached IPS appliance can be used as an intrusion detection system (IDS) to passively monitor the traffic without affecting it. This mode is useful for analyzing the effectiveness of a signature set before switching to IPS mode and potentially disrupting network traffic. Multi-segment bypass switches provide a number of independent bypass switches in a single chassis, providing higher density in the equipment rack.


Terminology

* Bypass TAP - Normal Mode: traffic flows through the network TAP, then through the appliance, and back onto the network.
* Bypass TAP - Bypass Mode: heartbeat packets continue to be sent to the in-line security appliance. Once the appliance is back on-line, it begins returning the heartbeat packets to the TAP, indicating that it is ready to resume normal mode. The TAP then directs the network traffic back through the in-line security appliance along with the heartbeat packets, placing the appliance back in-line.


Advantages

Using an external bypass switch to connect an in-line appliance such as a NGFW, IPS, or DDoS mitigation appliance has several benefits:

* It keeps network traffic flowing when the in-line appliance fails.
* It allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline for upgrades, maintenance or troubleshooting.
* The in-line appliance can be moved from one network segment to another without impacting network traffic.

Note that the latter two advantages are not provided by internal bypass-switch functionality that may be integrated within some NGFW/IPS appliances. Some bypass TAPs support multiple modes and can be used throughout the network's lifetime, i.e. aggregation, regeneration/SPAN, breakout/normal.


Disadvantages

Bypass switches and TAPs add acquisition cost to the monitoring solution, although they may save cost in the long run by increasing network uptime. Bypass switches move the single point of failure from the in-line monitoring appliance to the bypass switch itself. This should be a net gain in reliability, because the bypass switch is a simpler device than the monitoring appliance, and because it is designed for fault-tolerance. Nevertheless, reliability is an important criterion when evaluating bypass switch solutions.


Technical information

Bypass switches increase network reliability through several mechanisms, including passive in-line connections, link detection, and heartbeat packets.

The two network ports in a bypass switch create a fully passive in-line connection that maintains traffic flow even in the absence of power. For fiber links, a normally closed optical switch creates a path for light to flow unimpeded through the device when power is absent. For copper links, micro-relays connect the two ports when power is absent.

The bypass switch monitors the status of the links between its monitor ports and the in-line appliance. If a link goes down, the bypass switch immediately switches into bypass mode. Some manufacturers of bypass TAPs/switches still send traffic to the appliance during bypass mode. When the link comes back up again, the bypass switch returns to bypass-off (normal) mode.

Some bypass switches send a heartbeat packet through the monitoring appliance in order to ensure that the appliance is passing traffic. If the heartbeat packet does not return to the bypass switch, the appliance is assumed to be down, and the switch goes into bypass-on mode, excluding the appliance from the traffic path. The bypass switch continues to transmit heartbeat packets to the appliance, and when they are again returned by the appliance, the bypass switch changes back to bypass-off mode and the appliance resumes receiving traffic.

Whenever the bypass switch transitions to bypass mode for any reason, the link may be temporarily dropped. A good bypass switch reconnects the link in under 1 second, but the network may take several seconds to re-establish communications on the link.
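As an added illustration (not code from the article or from any vendor's product), the following Python models the controller logic described here and in the lead and Device management sections: link detection, a configurable heartbeat retry count, failover to bypass-on mode and recovery, and stripping heartbeat frames before traffic re-enters the critical link. The heartbeat marker value, the `retries` parameter and the appliance-as-callable model are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed heartbeat marker; real devices let the operator set the contents.
HEARTBEAT = b"BYPASS-HEARTBEAT"

class Mode(Enum):
    NORMAL = "bypass-off"  # link traffic flows through the in-line appliance
    BYPASS = "bypass-on"   # link traffic goes network port to network port

@dataclass
class BypassSwitch:
    """Bypass-switch controller: link detection plus heartbeat tracking.
    Assumed (not from the article): 'retries' consecutive missed heartbeats
    trigger failover; appliance is a callable returning the frames it forwards."""
    retries: int = 3
    mode: Mode = Mode.NORMAL
    monitor_link_up: bool = True
    missed: int = 0
    transitions: list = field(default_factory=list)

    def _set(self, mode, reason):
        if mode is not self.mode:
            self.mode = mode
            self.transitions.append((mode.value, reason))

    def link_event(self, up):
        """Link detection: loss of link on a monitor port means immediate bypass."""
        self.monitor_link_up = up
        if not up:
            self._set(Mode.BYPASS, "monitor link down")

    def forward(self, frames, appliance):
        """Process one batch of link frames; returns what re-enters the link."""
        was_bypass = self.mode is Mode.BYPASS
        # The heartbeat is always sent so recovery is noticed in either mode;
        # link traffic is only offered to the appliance in normal mode.
        probe = [HEARTBEAT] + ([] if was_bypass else list(frames))
        out = appliance(probe) if self.monitor_link_up else []
        if HEARTBEAT in out:
            self.missed = 0
            self._set(Mode.NORMAL, "heartbeat returned")
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self._set(Mode.BYPASS, "heartbeat lost")
        if was_bypass:
            return list(frames)  # direct path; appliance excluded this cycle
        return [f for f in out if f != HEARTBEAT]  # heartbeats never re-enter the link
```

Frames handed to a failing appliance before the retry count is exhausted are lost, which is the brief outage the text warns about during the transition to bypass mode.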


Device management

Bypass switches may be managed through any of several interfaces: a command-line interface (CLI), a Web browser-based interface, or a platform-based SNMP tool. Management functions may include configuring an IP address for SNMP traps, retrieving RMON statistics, and setting parameters for the heartbeat packet such as packet contents, timing, and retry counts.




See also

* Intrusion-prevention system
* Network intrusion detection system
* Computer network security