External bypass switch: Unsung hero of security monitoring
Working the Ixia booth at RSA 2017 was a great opportunity to learn first-hand about the current concerns of security and network managers. I was interested to talk with people who wanted to strengthen security while not adversely impacting their network. Not everyone knew how their organization was preventing glitches in their intrusion prevention systems (IPS) or next-generation firewalls (NGFW) from disrupting their network. Even popular and proven products are susceptible to unexpected power or port failures, traffic congestion or oversubscription, and configuration errors. These issues can increase latency to an unacceptable level or even cause security devices to fail closed, blocking all traffic and causing a self-inflicted denial of service.
The value of a bypass switch can sometimes be overlooked among other “sexier” security devices, especially among all the vendors at RSA. Once I had the chance to explain the purpose of a bypass however, I got a lot of heads nodding in my booth conversations. The bypass switch is an inline device that sits in the network path directly in front of an appliance that processes live traffic (an IPS or NGFW, for example); it does not inspect or modify traffic itself. It works by continually monitoring the appliance attached to it at very short intervals and reacting quickly when it senses a breakdown. In Bypass On mode, traffic is routed around the non-responsive device to keep it flowing. The faster the bypass reacts, the fewer transactions or sessions are affected during the failure. The cost of network outages is well documented and can include lost revenue and damage to brand and reputation, so a bypass easily pays for itself by reducing the risk of an outage.
Security appliances are monitored with small heartbeat packets that the bypass sends through the appliance at short, regular intervals; if a heartbeat does not come back out the other side within the expected time, the appliance is treated as non-responsive. Some bypasses continue to send heartbeat packets even while the device is offline. This lets them quickly detect when connectivity is restored and shift back into Bypass Off mode, again sending traffic through the now-functioning device.
External vs. Internal
There are two basic types of bypass switches: internal and external. Some people I talked to told me their IPS or firewall included an internal bypass and assumed it provided adequate protection, but an internal bypass may not actually be the best solution. It is true that when an appliance with an internal bypass loses power or fails completely, it fails open and passes traffic through the non-functioning device to keep the network flowing. But what if the appliance does not fail completely and instead slows response times enough to require troubleshooting? An internal bypass does nothing in that case, because the appliance is still nominally up. An external bypass, which judges the appliance by whether heartbeats come back in time rather than by a hard failure, offers the better solution.
Maintenance without Downtime
My discussions got more interesting when I explained that with an external bypass switch:
- You can proactively take an inline security appliance offline without disrupting traffic flow by putting the switch in ‘forced bypass’ mode.
- Then, with traffic flowing passively through the external bypass, you can troubleshoot any attached security device or even remove and replace the device without impacting network availability.
- You can connect multiple inline security tools to a single bypass, which reduces the number of connections you need to make in your live network and consequently the potential points of failure. Ixia bypasses allow you to pass traffic inspected by one security appliance directly to another in a serial chain, so traffic moves from tool to tool without returning to the live network between hops, which simplifies and speeds inline inspection.
Remote Bypass Management
One feature of Ixia’s external bypass that is easy to demonstrate is the remote management interface, which lets you monitor the switch, as well as the status of the attached appliances and links, and make changes when needed without having a technician onsite. This feature is particularly useful for keeping your security devices current with the latest software updates and releases. Cyber criminals, particularly the less skilled ones, have a lot of success exploiting known vulnerabilities. They know that security teams are overworked and network maintenance windows are fully booked for weeks. Even when an exploit is published and fixes are available, the window to take advantage of the hole can remain open for months or even years. Being able to suspend processing on the device and install the update from a remote location makes it that much easier to keep your security tools as strong as possible. One caveat a practitioner should keep in mind: an interface that can put an IPS into bypass from anywhere is itself a high-value target, so it belongs on a restricted management network with strong authentication, not on the same path as the traffic it protects.
The management interface also supplies useful traffic statistics. Bandwidth utilization, peak traffic, packet and byte counts, and number of errors help you perform basic network monitoring without investing in additional tools. You can also configure the bypass to generate alarms when traffic exceeds a chosen level and trigger a response from another network management tool.
Since attendees at RSA are generally focused on security, the most compelling benefit of the external bypass was probably not its ability to maintain network uptime, but its ability to maintain the IPS function. This can be critical in environments like financial services or healthcare. Ixia offers an external bypass that can automatically move traffic around a non-responsive security appliance and deliver it to a backup device with no manual intervention. With a primary and secondary path configured and remote management available, you can keep security inspection strong and the network available, even during failure of your primary IPS.
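The heartbeat monitoring described earlier, the “forced bypass” mode from the maintenance section, and the primary/secondary failover in this paragraph together amount to a small state machine. The following is an added illustration in Python written for this page; it is not Ixia's code or any product's logic, and the heartbeat timeout, miss and recovery thresholds, and the `Appliance` model are assumptions chosen for the example. It goes one step beyond the text by treating a slow heartbeat reply as a miss (which is what lets the switch catch a degraded appliance, not just a dead one) and by requiring several consecutive good heartbeats before resuming inspection, so a flapping appliance does not bounce traffic back and forth.

```python
"""Heartbeat-driven bypass switch state machine (constructed illustration,
not vendor code). Thresholds and the Appliance model are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    BYPASS_OFF = "bypass_off"        # traffic flows through the inline appliance
    BYPASS_ON = "bypass_on"          # traffic routed around a non-responsive appliance
    FORCED_BYPASS = "forced_bypass"  # operator took the appliance out of the path
    FAILOVER = "failover"            # traffic sent to the secondary appliance


@dataclass
class Appliance:
    """Toy inline IPS/NGFW: returns a packet after `latency_ms`, or never when dead."""
    name: str
    healthy: bool = True
    latency_ms: int = 1

    def forward(self, packet: bytes) -> bytes | None:
        return packet if self.healthy else None  # None models a dropped packet


@dataclass
class BypassSwitch:
    primary: Appliance
    secondary: Appliance | None = None
    heartbeat_timeout_ms: int = 50   # assumption: slower than this counts as a miss
    miss_threshold: int = 3          # consecutive misses before leaving Bypass Off
    recover_threshold: int = 5       # consecutive hits before resuming inspection
    mode: Mode = Mode.BYPASS_OFF
    active: Appliance | None = None
    log: list[str] = field(default_factory=list)
    _misses: int = field(init=False, default=0)
    _hits: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.active = self.primary

    def probe(self, appliance: Appliance) -> bool:
        """Send a heartbeat in one port and expect it back on the other in time."""
        reply = appliance.forward(b"HB")
        return reply == b"HB" and appliance.latency_ms <= self.heartbeat_timeout_ms

    def _set(self, mode: Mode, active: Appliance | None) -> None:
        if mode != self.mode:
            self.log.append(f"{self.mode.value} -> {mode.value}")
        self.mode, self.active = mode, active
        self._hits = self._misses = 0  # restart hysteresis counting after a transition

    def tick(self) -> Mode:
        """One heartbeat interval. The primary keeps being probed in every
        automatic mode so recovery is noticed; forced bypass ignores heartbeats."""
        if self.mode == Mode.FORCED_BYPASS:
            return self.mode
        if self.probe(self.primary):
            self._hits, self._misses = self._hits + 1, 0
        else:
            self._misses, self._hits = self._misses + 1, 0

        if self.mode == Mode.BYPASS_OFF:
            if self._misses >= self.miss_threshold:
                # prefer a working secondary over dropping inspection entirely
                if self.secondary is not None and self.probe(self.secondary):
                    self._set(Mode.FAILOVER, self.secondary)
                else:
                    self._set(Mode.BYPASS_ON, None)
        elif self._hits >= self.recover_threshold:
            self._set(Mode.BYPASS_OFF, self.primary)
        elif self.mode == Mode.FAILOVER and not self.probe(self.secondary):
            self._set(Mode.BYPASS_ON, None)  # both paths down: keep the network up
        elif (self.mode == Mode.BYPASS_ON and self.secondary is not None
              and self.probe(self.secondary)):
            self._set(Mode.FAILOVER, self.secondary)  # inspection is back, via backup
        return self.mode

    def force_bypass(self, enabled: bool) -> Mode:
        """Maintenance mode: take the appliance out of the path without waiting
        for heartbeats; releasing it returns to Bypass Off and lets heartbeats decide."""
        self._set(Mode.FORCED_BYPASS, None) if enabled else self._set(Mode.BYPASS_OFF, self.primary)
        return self.mode

    def handle(self, packet: bytes) -> tuple[str, bytes | None]:
        """Forward one data packet along the current path. Until the heartbeat
        logic reacts, traffic still goes to a failed appliance and is lost."""
        if self.active is None:
            return ("bypass", packet)
        return (self.active.name, self.active.forward(packet))


def simulate() -> list[str]:
    """Walk through the scenarios from the article and return the transitions."""
    primary, secondary = Appliance("ips-1"), Appliance("ips-2")
    sw = BypassSwitch(primary, secondary)
    primary.latency_ms = 500          # congestion: not dead, just too slow
    for _ in range(sw.miss_threshold):
        sw.tick()                     # -> failover to ips-2
    secondary.healthy = False
    sw.tick()                         # -> bypass_on, network stays up
    primary.latency_ms = 1
    for _ in range(sw.recover_threshold):
        sw.tick()                     # -> bypass_off after sustained good heartbeats
    sw.force_bypass(True)             # maintenance window
    sw.force_bypass(False)
    return sw.log


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

Run it directly to see the five transitions; the `handle` return values show that in the window between a failure and its detection, packets sent to a dead appliance come back as `None`, which is the loss the article's “the faster the bypass reacts” sentence is about.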
Altogether, I think people found the value of the external bypass to be more compelling than they may have initially thought. It may not get the attention that the fancy threat prevention devices and analysis tools do, but its value is hard to beat.