Keith Bromley
Sr. Manager, Product Marketing at Ixia

External Bypass Switch Basics

November 11, 2019 by Keith Bromley

When deploying an inline network security tool, such as an IPS, it is vital to ensure that traffic continues to flow in all circumstances, even if the inline tool loses power. This ensures that mission-critical business applications remain available to users. A bypass switch is one solution that can assist with business continuity for failsafe implementations of inline security tools.

A bypass switch is a special purpose tap with fail-over capability. Unlike a standard tap, a bypass is an active device that is a direct and integral part of network data transmission. These bypass switches do not alter the data content. The bypass switch redirects all traffic on the link and forwards it out the monitoring port(s). Should that path fail, the bypass can fail-over the traffic downstream.

In regards to fail-over settings, they can be set to either fail open or closed. Fail open means that traffic continues to flow between network devices if a security monitoring device is removed from the network, or power is lost to the bypass switch. This mechanism is also referred to as “fail to wire” to make it clear that this failure scenario is designed for business continuity. The fail closed scenario stops all traffic and is designed for maximum security protection.

Here is an illustration of how a bypass switch operates. Note, a bypass switch is often deployed with an inline packet broker to optimize inline security tool deployments although in the diagram below, the focus is on the use of a bypass switch by itself.

There are two main types of bypass switches:

  • external (stand-alone) bypass
  • internal (integrated into a security appliance) bypass

The internal bypass switch is very similar to the external bypass switch. However, they are internal to the security appliance. Despite the similarities in functionality, there are clear differences between an internal and external bypass.

Here is a summary of those differences:

  • The mean time between failure (MTBF) of an external bypass switch can be up to 5 times better than an integrated bypass.
  • External bypass switches eliminate downtime due to tool upgrades or removal.
  • The external bypass supports the use of device independent heartbeat messages to validate that the device connected to is available and working.
  • The external bypass has improved efficiency as one external bypass switch can be used concurrently with multiple security appliances.

Let’s look at these points in further detail. While direct deployment of inline security tools can create a line of defense, these tools can also result in single points of failure. Even a strong mix of security and analytics tools can lead to network reliability risks as regular rebooting, maintenance, and upgrades of those tools will increase the chances of a costly network outage. If an inline tool becomes unavailable, it can completely bring down the network link, significantly compromising network uptime and disrupting business continuity. This can be a significant problem for enterprises that directly deploy inline security tools.

An external bypass switch allows failsafe deployments of inline security and monitoring tools to ensure high availability and maximum uptime. The stand-alone (external) bypass offers superior protection when compared to a security tool with an integrated bypass option. For example, some external bypass switches have a MTBF of approximately 450,000 hours. This reliability can be up to 5 times better than various security tools (like combined firewall and IPS solutions) that have an MTBF of approximately 80,000 to 100,000 hours. Adding internal bypass capability further reduces the MTBF and reliability for those types of solutions.

Another key benefit to the external bypass switch is fail-over capability during upgrades. Certain inline security tools include an internal bypass switch. This becomes a problem when you want to replace the security tool. Even some software upgrades may cause the internal bypass a problem if the upgrade requires a reset. This destroys any supposed internal bypass advantage. The simple solution is to use an external bypass and then you don’t have to worry about future upgrades.

The external bypass switch generally uses a heartbeat packet to protect the network link from application, link, or power failure on the attached monitoring device. If the heartbeat packet is disrupted, then the bypass switch removes this point of failure by automatically shunting traffic around the security tool whenever the tool is incapable of passing traffic. No active participation is required by the security engineer, as the bypass will restore traffic to the tools once they are working again. Anti-tromboning technology reduces failover & failback network disruptions.

In addition, some external bypass models also allow you to connect multiple to them. This allows for cost savings while ensuring business continuity for the network.

Maximizing network reliability for business continuity is the primary use case for bypass switches. A hardened fail-over solution for security appliances is created.