 
                    
The days when firewalls alone could defend corporate networks are long gone.
Today, security architects are realizing that the most productive way to protect enterprise networks is to deploy active, in-line security appliances at the edge of the network for active blocking.
The problem is that there are many impressive specialized security solutions—but none of them can cover 100% of your security needs. Now, you need 3 or 4 security solutions, but how do you deploy that stack? A bypass TAP worked when you only had two in-line appliances between a switch and a router, but security needs are surpassing this use case.
Luckily, you can use the EdgeLens® to chain the edge and support 4 active, in-line devices for active blocking. Here’s how.
Imagine a scenario where you have two connections at the edge and a couple of connections to a DMZ or web server. You might have a bypass TAP here to hook up an intrusion prevention system (IPS), but management comes in and tells you that you need a DDoS appliance on that link, too. It won’t be long until you’re adding an SSL decryptor and a data leakage protection solution as well.
With so many active, in-line security appliances to deploy on one link, you have a couple of options:
These two ineffective connectivity strategies leave security architects needing a new answer.
Having all of these appliances stacked on a single link is a security architecture challenge that many professionals haven’t faced and, as a result, don’t have a strong strategy for. Chaining the edge with the EdgeLens network packet broker is the most efficient way to ensure network visibility and uptime in this situation.
The following EdgeLens use case is geared toward large, high-traffic enterprises (for example, in the retail or financial services industries):
Here, you see a 24-port EdgeLens setup sitting between a router and a switch at the network edge. This solution allows security architects to chain four in-line security appliances at the network's edge.
The EdgeLens supports bypass mode for each in-line security appliance, which enables network troubleshooting and guarantees network uptime even in this complicated use case. In this scenario, if there are network performance issues, each appliance can be moved from active, in-line to passive, out-of-band to identify the problem area.
The new network reality is a hybrid network supporting internal business apps and cloud-based solutions—all of which function at the network’s edge. If you want to manage and secure these applications and solutions, you need a more efficient way to connect in-line and out-of-band devices.
If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool. 
If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link. 
While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets to the TAP, indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets, placing the tool back inline.
Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.
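The heartbeat, bypass and failsafe behaviour described above, modelled as a small state machine. This is an added example, not vendor code or code from the original post; the thresholds miss_limit and recover_limit, the "HB" marker, the rule for leaving failsafe, and the two sample tools are assumptions made for illustration.

```python
from dataclasses import dataclass

HEARTBEAT = "HB"  # constructed stand-in for the TAP's heartbeat packet

@dataclass
class BypassTap:
    miss_limit: int = 3     # assumed: lost heartbeats in a row before bypassing
    recover_limit: int = 2  # assumed: returned heartbeats in a row before going back inline
    powered: bool = True
    mode: str = "inline"    # "inline", "bypass" or "failsafe"
    missed: int = 0
    returned: int = 0

    def tick(self, tool, frames):
        """Run one heartbeat interval and return the frames put back on the link."""
        if not self.powered:
            # No power, no heartbeats: the link is passed straight through.
            self.mode, self.missed, self.returned = "failsafe", 0, 0
            return list(frames)
        inline = self.mode == "inline"
        # Heartbeats go to the tool in every powered mode; link traffic only when inline.
        out = tool((list(frames) if inline else []) + [HEARTBEAT])
        if HEARTBEAT in out:
            self.returned, self.missed = self.returned + 1, 0
        else:
            self.missed, self.returned = self.missed + 1, 0
        if inline and self.missed >= self.miss_limit:
            self.mode = "bypass"
        elif not inline and self.returned >= self.recover_limit:
            self.mode = "inline"  # assumed: same re-entry rule after failsafe
        if not inline:
            return list(frames)   # tool is skipped, link keeps flowing
        # Heartbeats never leave the TAP: strip them before the link sees the traffic.
        return [f for f in out if f != HEARTBEAT]

def healthy_ips(frames):
    """Constructed inline tool: returns heartbeats, drops frames it flags."""
    return [f for f in frames if f != "blocked-flow"]

def offline_ips(frames):
    """Constructed failed tool: nothing comes back, heartbeats included."""
    return []

def run(tap, schedule):
    """schedule is a list of (tool, frames); returns [(delivered_frames, mode_after_tick)]."""
    return [(tap.tick(tool, frames), tap.mode) for tool, frames in schedule]
```

Frames delivered while the mode is bypass or failsafe reached the link without passing through the tool, and the frames lost before the switch to bypass show that the outage window is set by miss_limit.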
Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.
Heartbeat packet: a soft detection technology that monitors the health of inline appliances.
Critical link: the connection between two or more network devices or appliances whose failure disrupts the network.