Bypass switch

A bypass switch is a hardware device that provides a fail-safe access port for an in-line monitoring appliance such as an intrusion prevention system (IPS), firewall, WAN optimization device or unified threat management system. In-line monitoring appliances are single points of failure in computer networks because if the appliance loses power, experiences a software failure, or is removed, traffic can no longer flow through the link. The bypass switch removes this point of failure by automatically shunting traffic around the appliance whenever the appliance is incapable of passing traffic.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

In some products, when the bypass switch is shunting traffic around the monitoring appliance, the monitor ports revert to acting like a network tap, mirroring the half-duplex traffic received at the network ports to the monitor ports. In this mode, an attached IPS appliance can be used as an intrusion detection system (IDS) to passively monitor the traffic without affecting it. This mode is useful for analyzing the effectiveness of a signature set before switching to IPS mode and potentially disrupting network traffic.

Multi-segment bypass switches provide a number of independent bypass switches in a single chassis, providing higher density in the equipment rack.

Terminology

When the bypass switch is passing traffic through the attached in-line appliance, it is said to be in bypass-off mode.

When the bypass switch is passing traffic directly between the network ports, and bypassing the attached in-line appliance, it is said to be in bypass-on mode.

Advantages

Using an external bypass switch to connect an in-line appliance such as an IPS has several benefits.[1]

It keeps network traffic flowing when the in-line appliance fails.

It allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline to upgrade signatures, software, or hardware.

The in-line appliance can be moved from one network segment to another without impacting network traffic.

Note that the latter two advantages are not provided by internal bypass-switch functionality that may be integrated within some IPS appliances.

Disadvantages

Bypass switches add acquisition cost to the monitoring solution, although they may save cost in the long run by increasing network uptime.

Bypass switches move the single point of failure from the in-line monitoring appliance to the bypass switch itself. This should be a net gain in reliability, because the bypass switch is a simpler device than the monitoring appliance, and because it is designed for fault tolerance. Nevertheless, reliability is an important criterion when evaluating bypass switch solutions.

Technical information

Bypass switches increase network reliability through several mechanisms, including passive in-line connections, link detection, and heartbeat packets.

The two network ports in a bypass switch create a fully passive in-line connection that maintains traffic flow even in the absence of power. For fiber links, a normally closed optical switch creates a path for light to flow unimpeded through the device when power is absent. For copper links, micro-relays connect the two ports when power is absent.

The bypass switch monitors the status of the links between its monitor ports and the in-line appliance. If a link goes down, the bypass switch immediately switches into bypass-on mode. When the link comes back up again, the bypass switch returns to bypass-off mode and the appliance resumes receiving traffic.

Some bypass switches send a heartbeat packet through the monitoring appliance in order to ensure that the appliance is passing traffic. If the heartbeat packet does not return to the bypass switch, the appliance is assumed to be down, and the switch goes into bypass-on mode, excluding the appliance from the traffic path. The bypass switch continues to transmit heartbeat packets to the appliance, and when they are again returned by the appliance, the bypass switch changes back to bypass-off mode and the appliance resumes receiving traffic.

Whenever the bypass switch transitions to bypass-on mode for any reason, the link may be temporarily dropped. A good bypass switch reconnects the link in under 1 second,[2] but the network may take several seconds to re-establish communications on the link.
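The link-detection and heartbeat behaviour described above, as an added simulation that is not from this article or from any vendor's firmware; the class name, the max_missed_heartbeats retry threshold and the event names are assumptions:

```python
"""Simulated bypass-switch state machine: link detection plus heartbeat checks."""
from enum import Enum


class Mode(Enum):
    BYPASS_OFF = "bypass-off"  # traffic flows through the in-line appliance
    BYPASS_ON = "bypass-on"    # traffic shunted directly between network ports


class BypassSwitch:
    def __init__(self, max_missed_heartbeats=3):
        # Consecutive unanswered heartbeats tolerated before the appliance is
        # declared down (assumed to model the "retry count" setting).
        self.max_missed = max_missed_heartbeats
        self.missed = 0
        self.link_up = True
        self.mode = Mode.BYPASS_OFF
        self.transitions = []  # (reason, new mode) for each mode change

    def _set(self, mode, reason):
        if mode is not self.mode:
            self.mode = mode
            self.transitions.append((reason, mode))
        return self.mode

    def link_state_change(self, up):
        """Monitor-port link went up or down (link detection)."""
        self.link_up = up
        if not up:
            return self._set(Mode.BYPASS_ON, "monitor link down")
        self.missed = 0  # fresh heartbeat count once the link is restored
        return self._set(Mode.BYPASS_OFF, "monitor link restored")

    def heartbeat_result(self, returned):
        """Called once per heartbeat interval: did the packet come back?"""
        if not self.link_up:
            return self.mode  # link detection already forced bypass-on
        if returned:
            self.missed = 0
            return self._set(Mode.BYPASS_OFF, "heartbeat returned")
        self.missed += 1
        if self.missed >= self.max_missed:
            return self._set(Mode.BYPASS_ON, "heartbeat timeout")
        return self.mode


def run_scenario():
    """Constructed case: appliance hangs while its link stays up, then recovers."""
    sw = BypassSwitch(max_missed_heartbeats=3)
    history = [sw.heartbeat_result(r) for r in (True, False, False, False, False, True)]
    return sw, history
```

The scenario shows why heartbeats matter: a hung appliance keeps its link up, so only the missed heartbeats move the switch to bypass-on, and it returns to bypass-off as soon as a heartbeat comes back.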

Device management

Bypass switches may be managed through any of several interfaces: a command-line interface (CLI), a Web browser-based interface, or a platform-based SNMP tool. Management functions may include configuring an IP address for SNMP traps, retrieving RMON statistics, and setting parameters for the heartbeat packet such as packet contents, timing, and retry counts.
