Bypass switch


A bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS) or next-generation firewall (NGFW). An active, in-line appliance is a single point of failure in a live network: if it loses power, suffers a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch removes this point of failure by automatically switching the link into bypass mode, so that the critical network link stays up even while the appliance is out of the path.


A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

A bypass switch or TAP monitors the health of the in-line appliance by sending heartbeat packets to it through the monitor ports. As long as the in-line appliance is on-line, it returns the heartbeat packets to the switch/TAP, and the link traffic continues to flow through the appliance.

If the heartbeat packets are not returned (indicating that the in-line appliance has gone off-line), the TAP automatically bypasses the appliance and keeps the link traffic flowing. Because the heartbeats are injected into the traffic that the appliance sees, the TAP also removes the returned heartbeat packets before sending the traffic back onto the critical link, so they never appear on the production network.

In some products, when the bypass switch shunts traffic around the monitoring appliance, the monitor ports revert to acting like a network tap: each direction of the full-duplex link, as received at a network port, is mirrored to a monitor port. In this mode an attached IPS appliance functions as an intrusion detection system (IDS), passively observing the traffic without being able to affect it. This is useful for evaluating a signature set before switching to IPS mode, where a false positive would block legitimate traffic.

Multi-segment bypass switches provide a number of independent bypass switches in a single chassis, providing higher density in the equipment rack.

Terminology

Bypass TAP - Normal Mode: traffic enters a network port of the TAP, is sent out a monitor port to the in-line appliance, comes back through the other monitor port, and leaves the TAP onto the network.

Bypass TAP - Bypass Mode: traffic flows directly between the TAP's network ports and the appliance is out of the path. The TAP keeps sending heartbeat packets to the appliance; once the appliance is back on-line it begins returning them, signalling that it is ready, and the TAP directs the link traffic (together with the heartbeats) back through the appliance, returning to normal mode.

Advantages

Using an external bypass switch to connect an in-line appliance such as an NGFW, IPS, or DDoS mitigation appliance has several benefits. [1]

It keeps network traffic flowing when the in-line appliance fails.

It allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken off-line for upgrades, maintenance or troubleshooting.

The in-line appliance can be moved from one network segment to another without impacting network traffic.

Note that the latter two advantages are not provided by the internal bypass functionality integrated into some NGFW/IPS appliances: an internal bypass keeps traffic flowing when the appliance fails, but the appliance itself still has to stay cabled in-line.

Some bypass TAPs support multiple modes and can be reused throughout the network's lifetime, e.g. as aggregation, regeneration/SPAN, or breakout/normal TAPs.

Disadvantages

Bypass switches and TAPs add acquisition cost to the monitoring solution, although they may save cost in the long run by increasing network uptime.

Bypass switches move the single point of failure from the in-line monitoring appliance to the bypass switch itself. This should be a net gain in reliability, because the bypass switch is a simpler device than the monitoring appliance, and because it is designed for fault-tolerance. Nevertheless, reliability is an important criterion when evaluating bypass switch solutions.

Technical information

Bypass switches increase network reliability through several mechanisms including passive in-line connections, link detection, and heartbeat packets.

The two network ports in a bypass switch create a fully passive in-line connection that maintains traffic flow even in the absence of power. For fiber links, a normally closed optical switch creates a path for light to flow unimpeded through the device when power is absent. For copper links, micro-relays connect the two ports when power is absent.

The bypass switch monitors the status of the links between its monitor ports and the in-line appliance. If a link goes down, the bypass switch immediately switches into bypass mode. Some bypass TAPs/switches still send a copy of the traffic to the appliance during bypass mode (the tap-like IDS mode described above). When the link comes back up, the bypass switch returns to normal (bypass-off) mode.

Some bypass switches send a heartbeat packet through the monitoring appliance to verify that the appliance is actually passing traffic, which link status alone cannot show (a hung appliance can keep its links up while forwarding nothing). If the heartbeat packet does not return to the bypass switch, the appliance is assumed to be down, and the switch goes into bypass-on mode, excluding the appliance from the traffic path. The bypass switch continues to transmit heartbeat packets to the appliance, and when they are again returned by the appliance, the bypass switch changes back to bypass-off mode and the appliance resumes receiving traffic.

Whenever the bypass switch transitions to bypass mode for any reason, the link may be dropped briefly. A good bypass switch re-establishes the link in under 1 second, [2] but the devices at either end of the link may take several seconds to re-establish communication (link renegotiation and protocol reconvergence).

Device management

Bypass switches may be managed through any of several interfaces: a command-line interface (CLI), a Web browser-based interface, or an SNMP-based management platform. Management functions may include configuring an IP address for SNMP traps, retrieving RMON statistics, and setting parameters for the heartbeat packet such as packet contents, timing, and retry counts. The heartbeat contents matter: if the probe happens to match a signature on the in-line IPS, a healthy appliance will drop it and the switch will fail open for no reason.
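To make the fail-open behaviour concrete, here is an added Python model of the mechanisms described in the Technical information and Device management sections: monitor-link detection, heartbeat probing with a retry count, stripping of heartbeat frames from link traffic, and recovery once a heartbeat is returned. It is illustration code written for this page, not the firmware of any vendor's product. The `Frame`, `Appliance` and `BypassSwitch` classes, the heartbeat EtherType and payload, and the IPS policy that blocks payloads containing `EVIL` are all assumptions of the example; the traffic is constructed inline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed heartbeat EtherType (0x88B5 is an IEEE 802 local experimental value);
# real products define their own heartbeat frame format.
HEARTBEAT_ETHERTYPE = 0x88B5


@dataclass
class Frame:
    ethertype: int
    payload: bytes = b""


@dataclass
class Appliance:
    """In-line appliance model: `policy` returns False to block a frame (IPS drop)."""
    policy: Callable[[Frame], bool] = lambda f: True
    link_up: bool = True  # link state on the bypass switch's monitor ports
    hung: bool = False    # powered and link up, but forwarding nothing (software fault)

    def forward(self, frame: Frame) -> Optional[Frame]:
        if not self.link_up or self.hung:
            return None
        return frame if self.policy(frame) else None


class BypassSwitch:
    def __init__(self, appliance: Appliance, max_missed: int = 3,
                 heartbeat_payload: bytes = b"BYPASS-HB") -> None:
        self.appliance = appliance
        self.max_missed = max_missed                # retry count before bypass-on
        self.heartbeat_payload = heartbeat_payload  # configurable heartbeat contents
        self.missed = 0
        self.bypass_on = False
        self.events: List[str] = []

    def _set_bypass(self, on: bool, reason: str) -> None:
        if on != self.bypass_on:
            self.bypass_on = on
            self.events.append(f"bypass {'on' if on else 'off'}: {reason}")

    def link_changed(self, up: bool) -> None:
        """Link detection: link loss on a monitor port bypasses at once; link-up alone
        does not restore normal mode, a heartbeat has to come back first."""
        self.appliance.link_up = up
        if not up:
            self.missed = self.max_missed
            self._set_bypass(True, "monitor link down")

    def heartbeat(self) -> bool:
        """Send one heartbeat out a monitor port (once per heartbeat interval); the
        returned heartbeat is consumed here and never leaves a network port."""
        probe = Frame(HEARTBEAT_ETHERTYPE, self.heartbeat_payload)
        returned = self.appliance.forward(probe) is not None
        if returned:
            self.missed = 0
            self._set_bypass(False, "heartbeat returned")
        else:
            self.missed += 1
            if self.missed >= self.max_missed:
                self._set_bypass(True, f"{self.missed} heartbeats lost")
        return returned

    def forward(self, frame: Frame) -> Optional[Frame]:
        """Frame arriving on network port A; returns what leaves network port B."""
        if self.bypass_on:
            return frame  # fail-open: the appliance sees nothing and blocks nothing
        out = self.appliance.forward(frame)
        if out is not None and out.ethertype == HEARTBEAT_ETHERTYPE:
            return None   # strip heartbeats from link traffic
        return out


def scenario() -> dict:
    """Constructed walk-through with an IPS that blocks payloads containing b'EVIL'."""
    ips = Appliance(policy=lambda f: b"EVIL" not in f.payload)
    sw = BypassSwitch(ips, max_missed=3)
    good = Frame(0x0800, b"GET / HTTP/1.1")
    evil = Frame(0x0800, b"EVIL")
    r = {}
    r["normal_good"] = sw.forward(good) is not None      # inspected and passed
    r["normal_evil"] = sw.forward(evil) is not None      # inspected and blocked
    ips.hung = True                                      # appliance wedges, link stays up
    r["hung_undetected"] = sw.forward(good) is not None  # black-holed until heartbeats time out
    r["missed_until_bypass"] = sum(1 for _ in range(3) if not sw.heartbeat())
    r["bypass_evil"] = sw.forward(evil) is not None      # fail-open: the block no longer applies
    ips.hung = False
    sw.heartbeat()                                       # first returned heartbeat re-inserts it
    r["recovered_evil"] = sw.forward(evil) is not None
    sw.link_changed(False)                               # cable pulled: immediate bypass
    r["link_down_good"] = sw.forward(good) is not None
    sw.link_changed(True)
    r["bypass_after_link_up_only"] = sw.bypass_on        # still bypassed until a heartbeat returns
    sw.heartbeat()
    r["events"] = sw.events
    return r


def false_bypass() -> bool:
    """Caveat: a heartbeat payload that matches an IPS signature is dropped by a
    healthy appliance, so the switch fails open although nothing is wrong."""
    ips = Appliance(policy=lambda f: b"EVIL" not in f.payload)
    sw = BypassSwitch(ips, max_missed=3, heartbeat_payload=b"EVIL")
    for _ in range(3):
        sw.heartbeat()
    return sw.bypass_on
```

Two points the walk-through makes that the prose only implies: between the appliance hanging and the third lost heartbeat, traffic is black-holed (link detection cannot see a hung box, so the heartbeat interval times the retry count bounds the outage), and while bypassed the IPS blocks nothing, so bypass-on is a security event worth alerting on (via the SNMP trap destination mentioned above), not just an availability one.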


References

  1. "Net Optics, Inc. Introduces iBypass for Fail-Safe IPS Security Deployments". Sys-Con Media.
  2. "Net Optics 10/100/1000 iBypass Switch Evaluation". The Tolly Group. Archived from the original on 2009-01-14. Retrieved 2008-06-23.
