When architecting your inline security tools into your network, incorporating bypass technology is a fundamental best practice to avoid costly network downtime. Simply put, a Bypass TAP, also referred to as a 'bypass switch', provides the ability to manage your inline tool any time without having to take down the network or impact business availability for maintenance or upgrades.
In the tense moments of unplanned downtime, bypass expedites problem resolution in the event of a tool failure, with the flexibility to bypass the tool and keep the network up, or to fail over to a redundant link or an HA solution.
Why Use an External Bypass TAP?
The Bypass TAP was developed specifically to resolve the problem of an inline security tool causing a single point of failure (SPOF) in the network. In the event an inline device becomes unavailable, it is bypassed and traffic is automatically forwarded around the failed tool, keeping the link up. Implementing an external bypass as part of your security strategy will:
The Role of Heartbeat Packets to Monitor Tool Health
Heartbeat packets, a soft detection technology, are configured to monitor the health of inline appliances. Instead of relying on the direct connectivity of the network to the tool, the bypass TAP is purpose-built, designed specifically to pass heartbeat packets back and forth to detect an issue with the connected appliance. A heartbeat packet is added by the Bypass TAP to the data, and both are sent out to the input port of the inline device. The inline device performs its task and then sends the data back into the TAP with the heartbeat. The Bypass TAP strips the heartbeat from the data, which is sent out of the TAP and back into the live network. Heartbeats are never sent into the live network. If the heartbeat sent from the TAP is not received back, indicating the device is offline for some reason, the TAP will automatically bypass the device, keeping the network up even though the device is offline. No network downtime. No single point of failure.
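The heartbeat loop described above, modelled as an added Python example (not Garland Technology's code or any device's actual logic). The frame values, the `miss_limit` setting and the return to inline mode when heartbeats resume are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HEARTBEAT = b"HB-constructed"  # constructed marker; real heartbeat frames are vendor-specific

class InlineTool:
    """Hypothetical inline appliance: drops frames starting with b'deny'."""
    healthy = True

    def process(self, frames):
        if not self.healthy:              # an offline tool returns nothing, heartbeat included
            return []
        return [f for f in frames if not f.startswith(b"deny")]

@dataclass
class BypassTap:
    tool: InlineTool
    miss_limit: int = 1                   # assumption: missed heartbeats tolerated before bypass
    misses: int = 0
    bypassed: bool = False
    events: list = field(default_factory=list)  # state changes worth alerting on

    def tick(self, frames):
        """One heartbeat interval; returns the frames put back on the live network."""
        sent_inline = not self.bypassed
        # Assumption: the heartbeat is still sent while bypassed, so recovery is noticed.
        returned = self.tool.process([HEARTBEAT] + (list(frames) if sent_inline else []))
        if HEARTBEAT in returned:
            self.misses = 0
            self._set_bypassed(False)
        else:
            self.misses += 1
            if self.misses >= self.miss_limit:
                self._set_bypassed(True)
        if self.bypassed or not sent_inline:
            return list(frames)           # around the tool: link stays up, traffic uninspected
        return [f for f in returned if f != HEARTBEAT]  # heartbeat never reaches the network

    def _set_bypassed(self, value):
        if value != self.bypassed:
            self.events.append("BYPASS" if value else "INLINE")
            self.bypassed = value

def demo():
    tool, traffic = InlineTool(), [b"allow web", b"deny probe"]  # constructed frames
    tap, out = BypassTap(tool), []
    for healthy in (True, False, True, True):
        tool.healthy = healthy
        out.append(tap.tick(traffic))
    return out, tap.events
```

In this model bypassed traffic reaches the network without inspection, so the `BYPASS` transitions recorded in `events` are the ones to alert on. With `miss_limit` above 1, frames sent to a dead tool are lost until the limit is reached.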
Utilizing an external Bypass TAP, and not relying on bypass functionality within your inline tool, offers the unique ability to implement inline lifecycle management. From sandboxing a new tool deployment to easily taking tools out-of-band for updates, installing patches, performing maintenance or troubleshooting to optimize and validate before pushing back inline, a Bypass TAP has quickly become the essential complement to any inline tool.
Sandboxing or piloting new tools in your real environment with live packet data, without impacting the availability of the network, provides the ability to evaluate and optimize the tool out-of-band, before deploying it live in your network. The tool being tested is exposed to the same type of data it would be monitoring in a production deployment, rather than test data, which increases confidence in the results of the pilot.
Learn how to increase your network resiliency by expediting troubleshooting and shortening your maintenance windows. This whitepaper from Garland Technology explores why bypass technology is a critical part of inline security design, how failsafe technology prevents a single point of failure, and why setting up a redundant bypass architecture improves the usefulness of connected appliances.