Bypass Switches - "Quis custodiet ipsos custodes?"

May 31, 2017 by Kevin Formby

For those of you who skipped high school Latin, the rough translation is – "Who will guard the guards?"

It's a very good question in situations where bypass switches 'protect' Network Packet Brokers (NPBs).

In many inline deployments, NPBs load-balance or pass traffic through to downstream security tools. A bypass switch sits in front of the NPB so that the network link stays up if the NPB (or a security tool behind it) fails or has to be taken out of the traffic path. The NPB can be switched out of the inline flow for many reasons: upgrading the NPB (or security tool) software, scheduled maintenance, or configuring and deploying new security appliances.

There are two main ways that bypass switches can be deployed:

  • They can be independent, stand-alone appliances
  • They can be integrated within the NPB (typically using a separate bypass card).

Ixia, a leading provider of visibility solutions, has both bypass switches and NPBs in its portfolio, but it does not offer an integrated bypass option. Customers sometimes ask why Ixia does not provide bypass switches integrated with NPBs. The answer is simple: it is not a sound architecture for providing true bypass capabilities, and in certain circumstances it is positively dangerous. There are three key reasons why integrated bypass switches should not be used within an NPB for inline deployments:

1. Imagine an NPB with 48 individual 10G tool connections, with two 40G network links carrying the live traffic through it. Now assume the NPB suffers a complete hardware failure. Most bypass switches will detect this, switch to bypass mode and take the failed NPB out of the path. Now what? How is the failed NPB to be replaced? A major benefit of a bypass switch is that it lets you replace the protected device (be it an NPB or another tool) without bringing down the network. With an integrated bypass module that is simply not possible: the module lives in the very chassis you need to remove, so swapping out the NPB disrupts live network traffic (the same argument applies to bypass functions built into a firewall or IPS). You also have to take care not to disturb the live network links while performing maintenance on the NPB. Unplugging 48 10G cables while the bypass module is left 'suspended' in thin air to keep the network up is not a professional approach.

2. With an inbuilt bypass switch, the management interface is shared between the NPB and the bypass function, a major single point of failure. What happens if the NPB management interface freezes? You may wish to switch the NPB out of the circuit while further diagnostic work is undertaken. How do you do this? The same management interface serves both the bypass and the NPB. The two functions should be independent, but they are not. You could always pull the power to the NPB and 'hope' that the bypass switch activates correctly, but a pray-and-hope strategy is generally not a good approach to network operations.
3. Cost – Around 75% of all bypass deployments do not involve an NPB at all. NPBs are great for large, complex environments, but in many deployments they are overkill. Vendors that offer bypass only as a module built into an NPB are effectively forcing customers to adopt an overly complex, expensive solution at every network location. That is inefficient and a waste of scarce resources and budget. A stand-alone bypass switch often costs one-third, or even one-tenth, of the price of an integrated NPB/bypass solution.

There are other benefits as well; reliability is one of them, and keeping bypass switches simple is a good rule. In addition, Ixia's bypass switches offer a number of features that many integrated solutions do not, such as fast switching time for active/standby configurations and pre-configured heartbeats.
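The heartbeat mechanism mentioned above, and the independent "take it out of the path" control that point 2 says an integrated bypass lacks, can be sketched as a small state machine. The Python below is an added illustration written for this page; it is not Ixia code or any product's firmware. The heartbeat interval, the miss and recovery thresholds, and the window during which the simulated inline device stops responding are all constructed assumptions.

```python
"""Heartbeat-driven bypass decision logic (added illustration, not Ixia code).

Models how a stand-alone bypass switch decides to take an inline device (an NPB
or a security tool) out of the traffic path: it injects a heartbeat frame on the
tool-side transmit port and expects it back on the tool-side receive port. If the
device stops returning heartbeats, the switch fails open (network A <-> network B
directly). The interval, thresholds and the simulated freeze window below are
constructed assumptions, not values from any product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Mode(Enum):
    INLINE = "inline"   # network A -> inline device -> network B
    BYPASS = "bypass"   # network A <-> network B directly; device isolated


@dataclass
class BypassController:
    interval_ms: int = 100         # heartbeat period (assumed)
    miss_threshold: int = 3        # consecutive lost heartbeats before failing open
    recover_threshold: int = 5     # consecutive returned heartbeats before re-inserting
    auto_recover: bool = True      # re-insert the device automatically once healthy
    mode: Mode = Mode.INLINE
    forced: bool = False           # operator override via the switch's OWN management plane
    misses: int = 0
    hits: int = 0
    log: List[str] = field(default_factory=list)

    def detection_budget_ms(self) -> int:
        """Worst-case time from device failure to fail-open (traffic is lost meanwhile)."""
        return self.interval_ms * self.miss_threshold

    def _set(self, mode: Mode, reason: str) -> None:
        self.mode = mode
        self.log.append(f"{mode.value}: {reason}")

    def force_bypass(self) -> None:
        """Take the device out of the path on operator command.

        This must not depend on the management interface of the device being
        bypassed, which is exactly what a shared management plane breaks.
        """
        self.forced = True
        self._set(Mode.BYPASS, "operator forced bypass")

    def release(self) -> None:
        """Clear the override; the device is re-inserted only after it proves healthy."""
        self.forced = False
        self.misses = self.hits = 0

    def power_loss(self) -> None:
        """Relays in a bypass switch fall to the bypass path when the switch loses power."""
        self._set(Mode.BYPASS, "power loss: relays fail open")

    def on_heartbeat(self, returned: bool, t_ms: int) -> Mode:
        """Process one heartbeat result and return the resulting mode."""
        if self.forced:
            return self.mode
        if returned:
            self.misses, self.hits = 0, self.hits + 1
            if (self.mode is Mode.BYPASS and self.auto_recover
                    and self.hits >= self.recover_threshold):
                self._set(Mode.INLINE, f"t={t_ms}ms: {self.hits} consecutive heartbeats returned")
        else:
            self.hits, self.misses = 0, self.misses + 1
            if self.mode is Mode.INLINE and self.misses >= self.miss_threshold:
                self._set(Mode.BYPASS, f"t={t_ms}ms: {self.misses} consecutive heartbeats lost")
        return self.mode


def simulate(ctrl: BypassController, device_alive: Callable[[int], bool],
             end_ms: int) -> Dict[str, int]:
    """Send one heartbeat per interval from t=0 to end_ms; return when the mode changed."""
    transitions: Dict[str, int] = {}
    for t in range(0, end_ms + 1, ctrl.interval_ms):
        before = ctrl.mode
        after = ctrl.on_heartbeat(device_alive(t), t)
        if after is not before:
            transitions.setdefault(f"{after.value}_at", t)
    return transitions


def frozen_between_300_and_1200(t_ms: int) -> bool:
    """Constructed scenario: the inline device freezes at t=300ms and recovers at t=1200ms."""
    return not (300 <= t_ms < 1200)


if __name__ == "__main__":
    ctrl = BypassController()
    print(simulate(ctrl, frozen_between_300_and_1200, 2000))
    print("\n".join(ctrl.log))
```

With the assumed 100 ms interval and three-miss threshold, the device freezing at 300 ms is only failed open at 500 ms, so up to 300 ms of traffic is black-holed before bypass engages; that detection budget is why switching time matters for active/standby designs. `force_bypass` is the stand-alone equivalent of the control that point 2 says you lose when the bypass shares the NPB's management plane: here it works whatever state the inline device is in, and after `release` the device is only re-inserted once it has returned the configured number of heartbeats.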