
Bypass Switches - "Quis custodiet ipsos custodes?"

2021-11-12  |  7 min read 

For those of you who skipped high school Latin, a close translation would be – "Who will guard the guards?"

It's a very valid question in situations where bypass switches 'protect' Network Packet Brokers (NPBs). In many inline applications, NPBs are used to load balance or pass traffic through to downstream security tools. In such cases, bypass switches are used to protect the NPB (or security tools).

The NPB can be switched out of the inline flow of network data for many reasons:

  • upgrading the NPB (or security tool)
  • software or scheduled maintenance
  • configuring and deploying new security appliances

There are two main ways that bypass switches can be deployed:

As independent, stand-alone appliances - Keysight, a leading provider of visibility solutions, believes that separating bypass switches from NPBs is the better and more robust solution for complex network architectures.

As an integrated bypass option - Keysight does not provide an integrated bypass option. Customers sometimes ask why Keysight does not build bypass switches into its NPBs. The answer is simple – it is not a sound failsafe architecture for providing true bypass capability. In fact, in certain use cases it can be positively dangerous.

Let me discuss three key use cases that show why integrated bypass switches should not be used within an NPB for inline deployments:

Use case #1 - Imagine a single NPB with 48 individual 10G tool connections, fed by 2 x 40G network links. Now assume the NPB suffers a hardware failure. On a complete hardware failure most integrated bypass switches will go into bypass mode and route traffic around the failed NPB. Now what? How is the failed NPB, with its integrated bypass, to be replaced? A major benefit of a separate bypass switch is that it lets you replace the protected device (an NPB or any other tool) without bringing down the network. With an integrated bypass switch it is simply not possible to swap out the NPB without disrupting live network traffic (the same argument applies to built-in bypass modules within a firewall/IPS). You must also take care not to disturb any of the live network links while performing maintenance on the NPB. Removing 48 x 10G cables while the bypass module is left 'suspended' in thin air is not a professional approach in this scenario. A bypass switch is an excellent solution for keeping traffic flowing and for failsafe implementation of inline security tools. The white paper External Bypass Switches: A Better Inline Security Tool examines the value of an external bypass switch over and above that of an internal bypass switch. Bypass switches improve overall solution reliability, increase application availability, provide better instrumentation, and add the convenience and cost savings of remote monitoring and control.

Now where is that live network connection among the NPB ports?

Use case #2 - With built-in bypass switches, the management interface is shared between the NPB and the bypass switch, which can become a major single point of failure. What happens if the NPB management interface 'freezes'? You may wish to switch the NPB out of the circuit while further diagnostic work is undertaken. How do you do this? It is the same management interface for both the bypass and the NPB. The two devices should be independent, but they are not. I suppose you could always pull the power to the NPB and 'hope' that the bypass switch activates correctly – a pray-and-hope strategy for network operations, which is generally not a good approach.

Well it's a good thing I have one management I/F for the Bypass and one for the device it's protecting!

Use case #3 – Costs. Around 75% of all bypass deployments do not involve NPBs. NPBs are great for large, complex environments, but in many deployments they are "overkill." Vendors that build bypass switches into an NPB are "forcing" customers to adopt overly complex, expensive solutions in every network location. This is inefficient and a waste of scarce resources and budgets. Stand-alone bypass switches often cost one third or less of the price of an integrated NPB/bypass switch solution.


Let's optimize the costs of providing bypass capabilities. Why have a NPB when it's not needed?


SUMMARY

When a network monitoring device such as an Intrusion Protection Solution (IPS) is deployed inline in a network, it is vital to ensure that traffic continues to flow in all circumstances, even if the IPS loses power, so that mission-critical business applications remain available. Bypass switches are inline devices that provide fail-safe protection for inline security and monitoring devices, such as an intrusion prevention system (IPS), web application firewalls (WAFs), and many others. Keysight offers a wide array of iBypass switch products to support user requirements for high availability, failure modes, speeds, and different media types. In Keysight's Buying Guide – Which iBypass Belongs in Your Network? you will find the right iBypass product for your particular deployment architecture. Keysight's line of bypass switches offers benefits that many integrated solutions do not provide:

  • fast switching time for active/standby configurations
  • pre-configured heartbeats
  • product reliability
  • keeping bypass switches "simple"

If you want to know more about Keysight's range of bypass switches, please visit the webpage Keysight Bypass Switches.
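The following Python model is an added illustration, not Keysight code and not the control logic of any real product. It shows the two behaviours this post argues for: the heartbeat-driven fail-open that the summary mentions (the switch opens bypass after a run of unanswered heartbeats and re-engages the tool only after a run of good ones, which also covers the tool swap in use case #1), and the independent management path of use case #2 (an operator can force bypass from the switch itself even when the protected tool still answers heartbeats but its own management plane is hung). The class name, thresholds and heartbeat sequences are all constructed for the example.

```python
from enum import Enum


class Mode(Enum):
    INLINE = "inline"   # traffic flows through the protected tool (NPB, IPS, ...)
    BYPASS = "bypass"   # traffic is looped around the tool (fail-open)


class BypassSwitch:
    """Constructed model of an external bypass switch's control logic.

    Hypothetical thresholds: miss_limit consecutive missed heartbeats open
    the bypass; recover_limit consecutive answered heartbeats close it again,
    unless an operator has forced bypass over the switch's own management path.
    """

    def __init__(self, miss_limit=3, recover_limit=5):
        self.miss_limit = miss_limit
        self.recover_limit = recover_limit
        self.mode = Mode.INLINE
        self.missed = 0        # consecutive heartbeats without a reply
        self.good = 0          # consecutive heartbeats answered
        self.forced = False    # operator latch, independent of tool health
        self.log = []          # human-readable transition record

    def _set(self, mode, reason):
        if mode is not self.mode:
            self.mode = mode
            self.log.append(f"{mode.value}: {reason}")

    def force_bypass(self, on):
        """Operator command on the bypass switch's own management interface.

        It works even when the protected tool is hung, because the switch
        never depends on the tool to act on it.
        """
        self.forced = on
        if on:
            self._set(Mode.BYPASS, "operator forced bypass")
        else:
            self.good = 0  # demand fresh evidence of health before re-engaging
        return self.mode

    def heartbeat(self, tick, answered):
        """Record one heartbeat probe result and return the resulting mode."""
        if self.forced:
            return self.mode  # tool health is irrelevant while latched
        if answered:
            self.missed = 0
            self.good += 1
            if self.mode is Mode.BYPASS and self.good >= self.recover_limit:
                self._set(Mode.INLINE, f"tick {tick}: {self.good} good heartbeats")
        else:
            self.good = 0
            self.missed += 1
            if self.mode is Mode.INLINE and self.missed >= self.miss_limit:
                self._set(Mode.BYPASS, f"tick {tick}: {self.missed} missed heartbeats")
        return self.mode


def run(heartbeats, force_at=None, release_at=None):
    """Feed a constructed sequence of heartbeat results (True = answered)
    through one switch, optionally forcing and releasing bypass at the given
    ticks. Returns the mode observed after each tick and the transition log."""
    sw = BypassSwitch()
    modes = []
    for tick, answered in enumerate(heartbeats):
        if tick == force_at:
            sw.force_bypass(True)
        if tick == release_at:
            sw.force_bypass(False)
        modes.append(sw.heartbeat(tick, answered).value)
    return modes, sw.log


if __name__ == "__main__":
    # Tool unplugged for replacement (four unanswered probes), then the
    # replacement starts answering: fail-open, then automatic return.
    swap = [True, True] + [False] * 4 + [True] * 6
    print(run(swap))
    # Tool still answers heartbeats but its management plane is hung:
    # the operator opens bypass from the switch itself, then releases it.
    hung = [True] * 12
    print(run(hung, force_at=2, release_at=6))
```

The point of the `forced` latch is that it lives on the switch, not on the tool: in the integrated design criticised in use case #2 there is no such separate path, so a frozen management interface on the NPB leaves the operator with nothing but the power cord.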