When architecting inline security tools like IPS, WAF, and Firewalls into your network, incorporating network bypass technology is a fundamental best practice to avoid costly network downtime. Simply put, a Bypass TAP, also referred to as a ‘bypass switch’, provides the ability to manage the availability of your inline tools any time without having to take down the network or impact business availability for maintenance or upgrades.
According to a recent Imperva report, DDoS Attacks in the Time of COVID, “Network DDoS traffic volumes increased by 24% with attack duration rising by 21%.” The number of DDoS packets grew by 41% over the same period, and application-layer DDoS attacks grew by 79%, close to doubling in number during the pandemic period.
How are IT security teams battling the rising attacks on a network and the overwhelming amount of traffic security tools must process to properly protect the network? Some advanced inline bypass packet broker solutions like the EdgeLens® from Garland Technology have filtering capabilities to tackle this issue. But for external bypass architectures, Bypass TAPs like Garland’s EdgeSafe now provide advanced filtering capabilities to allow engineers to focus on specific data streams to actively block with their inline tools – reducing the traffic burden.
One of our customers had a use case that standard bypass TAPs and switches in the industry could not accomplish: filtering the traffic that is handed to the inline tool. A Bypass TAP sits in a network segment on a critical link at the edge of the network, between a router and a switch, and connects the inline tools that protect that link. The Bypass TAP manages the availability of those inline security tools, keeping them in the path 24/7/365 while preserving network uptime if a tool fails.
This filtering capability, exclusive to Garland Technology, lets SecOps teams manage the availability of inline security tools while passing only filtered traffic (for example, traffic to or from specific IP addresses) through the tool, so it actively secures only what you want it to see.
Another use for this feature is to relieve the processing burden on an inline tool. Rather than relying on a decryption appliance to filter traffic itself and then decrypt and re-encrypt everything, the filtering Bypass TAP sends only the specific encrypted traffic that needs inspection to the appliance, and the rest of the link traffic never touches it.
HOW IT WORKS
(Diagram.) Result: the inline tool actively inspects only the filtered streams, the orange and green traffic from port 1 and the pink traffic from port 2; the remaining link traffic stays on the link without traversing the tool.
The EdgeSafe Bypass not only manages the availability of inline tools and filters what they see, as a Bypass TAP, but can also act as a Network TAP: it taps full-duplex links (e.g., between a router and switch) and sends filtered copies of the traffic to out-of-band, listen-only monitoring tools. Only send what you want to see.
HOW IT WORKS
(Diagram.) Result: the out-of-band tool receives a copy of the orange traffic from port 1 and the pink traffic from port 2.
Garland Technology’s Bypass product line has a solution for any environment. EdgeSafe™ Bypass TAPs from 1G to 100G, and the EdgeLens® hybrid inline packet brokers, combine the resiliency and reliability of a bypass TAP with the functionality of a packet broker: advanced filtering, out-of-band tool ports and a High Availability (HA) architecture from one device. All designed to simplify the modern security stack.
As security threats and traffic volumes continue to grow, inline security tools will rely on external Bypass TAPs to reduce downtime by ensuring their availability. With bypass filtering from Garland Technology, those tools now also carry a smaller processing burden.
Looking to add a bypass solution to your inline security tool deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
If the inline security tool goes off-line, the TAP bypasses the tool and automatically keeps the link flowing. The Bypass TAP detects the outage by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, it returns the heartbeat packets to the TAP, and the link traffic continues to flow through the inline security tool.
If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP automatically bypasses the inline security tool and keeps the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link, so they are never seen by the rest of the network. Two practical caveats: between the moment the tool stops forwarding and the moment enough heartbeats have been missed to trigger bypass, traffic steered to the tool is lost, so the heartbeat interval and miss threshold trade detection latency against spurious bypass events; and a heartbeat only proves that the tool is still forwarding packets, so a tool that keeps forwarding but has stopped inspecting (for example, one that has dropped into its own fail-open mode) will keep answering heartbeats and should be monitored directly as well.
While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.
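The filter-based steering described earlier (only selected traffic goes through the inline tool, the rest stays on the link) and the heartbeat/bypass/recovery cycle described in the last three paragraphs, modelled together in one simulation. This is an added example, not Garland Technology's code or firmware: the class names, the miss and recovery thresholds, the IP ranges and the inline tool's "blocked host" rule are all constructed for illustration. It also shows the window in which traffic selected for inspection is lost after a tool dies but before bypass engages.

```python
"""Simulation of a filtering bypass TAP with heartbeat tool monitoring.
Added example, not Garland Technology's code; class names, thresholds,
addresses and the 'blocked host' rule are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

MISS_THRESHOLD = 3     # unanswered heartbeats in a row before entering bypass
RECOVER_THRESHOLD = 2  # answered heartbeats in a row before going back inline


@dataclass
class Packet:
    src: str
    dst: str
    heartbeat: bool = False  # True only for the TAP's own probe packets


class InlineTool:
    """Stand-in for an IPS: returns the packet it forwards, None if it drops it."""

    def __init__(self, blocked_dst="10.0.0.99"):  # hypothetical denylisted host
        self.online = True
        self.blocked_dst = blocked_dst

    def process(self, pkt):
        if not self.online:
            return None      # a dead tool returns nothing, heartbeat or not
        if not pkt.heartbeat and pkt.dst == self.blocked_dst:
            return None      # the tool's own block decision
        return pkt


class FilteringBypassTap:
    """Sits on the link and steers only filter-matching traffic through the tool."""

    def __init__(self, tool, inspect_nets):
        self.tool = tool
        self.inspect_nets = [ipaddress.ip_network(n) for n in inspect_nets]
        self.bypass = False
        self.missed = 0
        self.answered = 0
        self.events = []

    def _selected(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in n or dst in n for n in self.inspect_nets)

    def heartbeat(self):
        """One heartbeat interval; the probe is made and consumed by the TAP only."""
        reply = self.tool.process(Packet("0.0.0.0", "0.0.0.0", heartbeat=True))
        if reply is None:
            self.missed, self.answered = self.missed + 1, 0
            if not self.bypass and self.missed >= MISS_THRESHOLD:
                self.bypass = True
                self.events.append("bypass: %d heartbeats missed" % self.missed)
        else:
            self.answered, self.missed = self.answered + 1, 0
            if self.bypass and self.answered >= RECOVER_THRESHOLD:
                self.bypass = False
                self.events.append("inline: %d heartbeats answered" % self.answered)
        return self.bypass   # the reply itself is never put back onto the link

    def forward(self, pkt):
        """Returns the packet put back on the link, or None if blocked or lost."""
        if self.bypass or not self._selected(pkt):
            return pkt       # bypass mode, or not selected by the filter
        out = self.tool.process(pkt)
        if out is None and not self.tool.online:
            self.events.append("lost %s->%s: tool down, not yet detected" % (pkt.src, pkt.dst))
        return out


def run_scenario():
    """Healthy tool, tool failure, recovery; returns what reached the far side."""
    tool = InlineTool()
    tap = FilteringBypassTap(tool, inspect_nets=["10.0.0.0/24"])
    passed = []

    def send(src, dst):
        out = tap.forward(Packet(src, dst))
        if out is not None:
            passed.append((out.src, out.dst))

    tap.heartbeat()                    # tool healthy
    send("192.168.1.5", "10.0.0.99")   # selected, tool blocks it
    send("192.168.1.5", "10.0.0.10")   # selected, tool forwards it
    send("192.168.1.5", "172.16.0.1")  # not selected, never sees the tool
    tool.online = False                # tool dies between two heartbeats
    send("192.168.1.6", "10.0.0.10")   # lost: bypass has not engaged yet
    for _ in range(MISS_THRESHOLD):
        tap.heartbeat()                # third miss flips the TAP to bypass
    send("192.168.1.7", "10.0.0.10")   # passes untouched while bypassed
    tool.online = True                 # tool comes back
    for _ in range(RECOVER_THRESHOLD):
        tap.heartbeat()                # second answer puts the tool back inline
    send("192.168.1.8", "10.0.0.99")   # selected again, tool blocks it
    return {"passed": passed, "bypass": tap.bypass, "events": tap.events}
```

Running `run_scenario()` shows the three behaviours in order: the non-selected 172.16.0.1 packet passes without ever reaching the tool, the packet sent while the tool was dead but before the third missed heartbeat is recorded as lost, and the TAP requires RECOVER_THRESHOLD consecutive answered heartbeats before it puts the tool back inline, so a tool that is flapping does not get reinserted on its first reply. A real Bypass TAP does this in hardware and with configurable heartbeat timing; the thresholds here are just small numbers chosen to keep the trace short.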
Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP itself fails, since it is also in-line? Then the link will fail too!” The TAP would then be a single point of failure. That is a good catch, but in our blog on Bypass vs. Failsafe I explained that if a TAP fails or loses power, it must provide failsafe protection to the link it is attached to (typically relays or an optical switch that close the link when the TAP is unpowered). So our network TAP goes into Failsafe mode and keeps the link flowing.
Single point of failure: a component of an IT network whose failure brings down a larger part of, or the entire, system.
Heartbeat packet: a soft detection technique in which a Bypass TAP sends probe packets through an inline appliance and monitors whether they come back, to determine the appliance's health.
Critical link: the connection between two or more network devices or appliances such that, if the connection fails, the network is disrupted.