<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
BLOG

The Role of Bypass Solutions in a Network Visibility Fabric

April 4, 2019

abstract-art-color-887349

Designing complete network visibility solutions takes more than just Network TAPs and Network Packet Brokers at key points in the access and aggregation layers of the network. With network security being more important than ever before, today’s network visibility fabrics also must supply traffic to inline security tools such as a next-gen firewall, WAF, or IPS to protect critical parts of the network.


In order to get production network traffic to inline security tools, the network visibility fabric must make use of bypass technology. Unlike SPAN ports, Bypass TAPs provide complete network visibility by passing all live wire data to the active, inline security tools, while monitoring the health of the appliance. According to the researchers at EMA, inline security tools are the most popular analysis tool connected to a visibility fabric. 55% of enterprises have firewalls connected to their fabrics, 50% have WAFs connected, and 50% also have data loss prevention systems (DLP) connected to their network visibility fabrics.


Download Now: 3 Keys to Network Resiliency - A Security Engineer's Go-to Guide to Avoiding Network Downtime [Free whitepaper]



Depending on the network size and design, there are two different methods to using bypass technology as part of the network visibility fabric: at the access layer in bypass TAPs or at the aggregation/core layer by using hybrid NPBs with inline capabilities.

Using Bypass TAPs at the Access Layer

The Bypass TAP was specifically designed to resolve the problem of an inline security appliance introducing a point of failure in the network. By placing the Bypass TAP inline, traffic flows to the security tool where it can be inspected and acted on if necessary. Once the security tools have inspected the data, allowable traffic then flows back through the bypass TAPs before returning to the production network. If your security tool goes off-line for any reason, the bypass TAP, like Garland Technology’s EdgeSafe™: Bypass TAPs automatically switches to bypass mode, keeping your network link up while you resolve the issue.

Hybrid NPB with Inline Capabilities

Networks with higher speeds or more links at the aggregation or core layers can make use of hybrid Network Packet Brokers with inline capabilities, like Garland Technology’s EdgeLens® for complete management of the edge of the network. A benefit to using the hybrid NPB approach is that the same traffic that’s being sent through the inline security tools, can also be sent to out-of-band monitoring tools for analysis via the additional ports on the hybrid NPB.

While failure of the tools and appliances in a network visibility fabric is something that you want to minimize the risk of actually happening; when you’re talking about the bypass technology either in bypass TAPs, bypass switches, or hybrid NPBs, reliable functionality is critical. The use of these tools in your network visibility fabric does inherently create a point of failure, since they are inline, rather than out-of-band. If the security tool fails for any reason, traffic must be able to continue flowing, unless corporate security policies prevent traffic to pass uninspected. In some network visibility fabrics, a bypass device may be configured in a high availability scenario, where traffic is forwarded to an alternative security system if the primary solution fails, creating additional redundancy and ensuring that your network protected at all times.

Looking to add a bypass solution to your security deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!

New call-to-action

See Everything. Secure Everything.

Contact us now to secure and optimized your network operations
Contact Us

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances that if the connection fails then the network is disrupted.

NETWORK MANAGEMENT | THE 101 SERIES