External Bypass Switches A Better Inline Security Solution

Similar documents
Fail-Safe IPS Integration with Bypass Technology

BIG-IP ASM plus ibypass Switch

WHITE PAPER. Static Load Balancers Implemented with Filters

WHITE PAPER. Achieving Total Traffic Visibility in Enterprise and Carrier Grade Optical Networks

WHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency

WHITE PAPER. Tap Technology Enables Healthcare s Digital Future

Reduce Your Network's Attack Surface

WHITE PAPER. Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment

Innovate, Integrate, Lead

WHITE PAPER. Extending Network Monitoring Tool Performance

WHITE PAPER. Gaining Total Visibility for Lawful Interception

Data Center Automation - A Must For All Service Providers

Taps vs. SPAN The Forest AND the Trees: Full Visibility into Today's Networks

Best Practices for Network Monitoring

WHITE PAPER. Best Practices for Network Monitoring Switch Automation

WHITE PAPER. 50 versus 62.5 micron multimode fiber

WHITE PAPER. Net Optics Phantom Virtual Tap Delivers Best-Practice Network Monitoring For Virtualized Server Environs

Efficient Network Monitoring Access

WHITE PAPER. How To Compare Virtual Devices (NFV) vs Hardware Devices: Testing VNF Performance

WHITE PAPER. Monitoring Load Balancing in the 10G Arena: Strategies and Requirements for Solving Performance Challenges

Any-to-any switching with aggregation and filtering reduces monitoring costs

In-Band Security Solution // Solutions Overview

An Executive Brief for Network Security Investments

tap into your network product brochure

Channel Xcelerate. Full Speed Ahead. The Ixia Channel Xcelerate Program - The Americas. Application Performance and Security Resilience

Net Optics Learning Center Presents The Fundamentals of Passive Monitoring Access

FULL SPEED AHEAD THE IXIA CHANNEL XCELERATE PROGRAM LATIN AMERICA

WHITE PAPER. Best Practices for Eliminating Duplicate Packets

Best Practices for Network Monitoring How a Network Monitoring Switch Helps IT Teams Stay Proactive

SPAN Port or TAP? TAP is the only viable data access technology for today s business critical networks

Enhanced Visibility, Improved ROI

EBOOK. Software Defined Networking (SDN)

Physical Infrastructure Management Solutions

White Paper. Optimizing Visibility, Control and Performance of Network Traffic

WHITE PAPER. Realizing ROI from Your Network Visibility Investment

Network Performance Channel

On-Premises DDoS Mitigation for the Enterprise

Intelligent Routing Platform White Paper

EBOOK. The Network Comes of Age: Access and Monitoring at the Application Level

Observer Probe Family

White Paper. Best Practices for 40 Gigabit Implementation in the Enterprise

Network Instruments white paper

How To Configure The Fortigate Cluster Protocol In A Cluster Of Three (Fcfc) On A Microsoft Ipo (For A Powerpoint) On An Ipo 2.5 (For An Ipos 2.2.5)

Evaluating Wireless Broadband Gateways for Deployment by Service Provider Customers

XRoads Networks, Inc.

WHITE PAPER. Enabling 100 Gigabit Ethernet Implementing PCS Lanes

50. DFN Betriebstagung

How To Manage The Sas Metadata Server With Ibm Director Multiplatform

Save Budget Dollars using Smart Data Access Technology

IxChariot Virtualization Performance Test Plan

SECURITY FOR TODAY S PHYSICAL NETWORK AND DATA TRAFFIC

Network Management System (NMS) FAQ

Ixia Director TM. Powerful, All-in-One Smart Filtering with Ultra-High Port Density. Efficient Monitoring Access DATA SHEET

How To Use A Network Instrument Ntap

Total Business Continuity with Cyberoam High Availability

Executive Summary WHAT IS DRIVING THE PUSH FOR HIGH AVAILABILITY?

Guidebook to MEF Certification

Business Benefits. Infrastructure Management. Adrian Parry Technical Consultant.

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Architecture Overview

Ensuring Success in a Virtual World: Demystifying SDN and NFV Migrations

Active Visibility for Multi-Tiered Security. Juergen Kirchmann Director Enterprise Sales EMEA

Out-of-Band Security Solution // Solutions Overview

WHITE PAPER. SDN Controller Testing: Part 1

Analyzing Full-Duplex Networks

How To Make A Network Safer With Stealthwatch

Cisco Bandwidth Quality Manager 3.1

Deploying Network Taps for improved security

The Aspect Unified IP Five 9s Environment

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Network Instruments white paper

Whitepaper. Controlling the Network Edge to Accommodate Increasing Demand

White Paper. Simplify Network Monitoring

Clustering and Queue Replication:

High Availability Solutions & Technology for NetScreen s Security Systems

Maximizing Data Center Uptime with Business Continuity Planning Next to ensuring the safety of your employees, the most important business continuity

Building Reliable Networks with the nmu, Mirrored Servers, & Redundant Data Paths. Copyright 2006 WideBand Corporation

Avoid Network Outages Within SaaS and Cloud Computing Environments

FTP is Free, but Can You Really Afford It?

Observer Probe Family

Intensive Hosting. Intensive Hosting Overview. Why Intensive Hosting?

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

WHITE PAPER. Best Practices to Ensure SAP Availability. Software for Innovative Open Solutions. Abstract. What is high availability?

White Paper February McAfee Network Protection Solutions. IntruShield Virtualization Delivering Real Benefits.

SysAid IT On-Demand Architecture Including Security and Disaster Recovery Plan

Observer Analysis Advantages

Brocade Fabric Vision Technology Frequently Asked Questions

Overview of NetFlow NetFlow and ITSG-33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A

Networking and High Availability

White Paper: Deploying Network Taps with Intrusion Detection Systems

IPCOM S Series Functions Overview

An Oracle White Paper November Oracle Real Application Clusters One Node: The Always On Single-Instance Database

FortiCompanion to Technical Support

Configuring Failover

How To Monitor A Network With A Network Probe

Uninterrupted Internet:

Cyber Range Training Services


ETM System SIP Trunk Support Technical Discussion

F5 and Oracle Database Solution Guide. Solutions to optimize the network for database operations, replication, scalability, and security

Transcription:

External es A Better Inline Security Solution FOR EVERY NETWORKING TOOL Keeping network and security tools alive on any size network. The Need for Bypass Functionality For perimeter security, many organizations turn to an inline security strategy as a first line of defense. Intrusion-prevention system () appliances provide security and IT teams with a device inline with the direct flow of traffic. These devices are an improvement over firewall security measures because the appliances allowed security managers to make real-time decisions based on application content rather than by more basic data. The need to control and protect the flow of information has dramatically increased as well. In a recent survey, 35% of companies reported experiencing network downtime due to a security attack, and 5% of attack-related downtime resulted in more than one hour of outage. When a network monitoring device such as an is deployed inline in a network link, it is vital to ensure that traffic continues to flow in all circumstances, even if the loses power, so that mission-critical business applications remain available. If the function is crucial to application security, traffic must be switched to a backup device. A bypass switch is an excellent solution that ensures continued availability. WHITE PAPER

A bypass switch is a passive device that maintains traffic flow when the is not available. There are two basic implementations for bypass switches: internal and external. Internal bypass is performed as a function of an inline security device such as an. The bypass function can also be performed outside the itself, using an external Bypass switch device. For example, Ixia has a line of bypass switch devices that support any link media type and provide a variety of features. External bypass switching advantages include: Increased Security Network Reliability Better Visibility Programmability This paper examines the value an external bypass switch provides, over and above that of an internal bypass switch. Bypass switches improve the overall solution reliability, increase application availability, provide better instrumentation, and add the convenience and cost savings of remote monitoring and control. Internal External Increased Security Security is at a premium today for both the enterprise and the consumer. The consumer needs to trust the networks they use, and therefore the enterprise must make securing networks a priority in order to maintain business and brand fidelity. Inline security resources can themselves actually become points of failure and vulnerability. They bring concerns about network uptime, performance, operational ownership, security flexibility and overall costs. Despite redundancy and other protections, they must be taken offline for upgrades and scheduled or unscheduled maintenance. Further, if a tool loses power or becomes overprovisioned, the network link can break and traffic cease to flow. Bypass switches offers a proven solution for deploying multiple inline security tools. Bypass switch bi-directional heartbeat monitoring for system, link, and power failures ensures uninterrupted network uptime while increasing network availability. Security tool load balancing ensures efficiency while enabling you to leverage existing tool investments and add capacity as needed, rather than investing in a forklift upgrade. Replacing multiple inline security devices with a single passive bypass switch eliminates network maintenance downtime while providing a pay-as-you-go capacity upgrade path for your changing security needs dramatically reducing costs of migrating your 1GbE tools to the 10GbE environment, for example. Ixia bypass switches offer proven, fail-safe inline protection for your security and monitoring tools. With support for 10Mbps to 40Gbps connectivity, you receive automated failover protection on full duplex traffic streams. Because the bypass switch is passive, link traffic continues to flow even if the bypass itself loses power.

ibypass w/heartbeat Switch Disabled Mode 1 When the Optical is in Bypass Disabled mode, all in-line traffic is routed through the appliance Access the i from the Command Line Interface (CLI), Web Manager, and System Manager Power to the is ON and the heartbeat is being received on Monitor Port D ibypass w/heartbeat Switch Enabled Mode 1 When the Optical is in Bypass Enabled mode, all in-line traffic continues to flow on the network link without being directed through the appliance Access the i from the Command Line Interface (CLI), Web Manager, and System Manager 3 Because in-line traffic is no longer flowing through the monitoring device, it may be removed and replaced without downtime Power to the is ON and the heartbeat is sent and awaiting receipt on Monitor Port D Improved Network Reliability Anything can fail. The question is never Will it fail? but rather When will it fail? According to Ixia s survey, hardware failure drove 4% of all network incidents. 53% of network devices are aging or obsolete. Devices WILL fail. More than 90 percent of our customers prefer availability over security when a security tool fails. An external bypass switch increases the reliability of an deployment because it keeps traffic flowing whenever the fails, for any reason. The bypass switch can automatically detect an issue with inline tools and route traffic around the security tool while issuing an alert to ensure action is taken by the network or security teams. Internal bypass switches may not have all the technology advantages of an external solution, and therefore simply do not protect your network as well. An external bypass switch improves the solution reliability by adding an independent check on the, but it also contributes to availability in another way. Using an external bypass switch, you can take an off-line at any time without affecting link traffic. For example, if you activate a new set of intrusion signatures and the impact on the network is not what was expected too many false positives show up, blocking critical traffic you can easily bypass the. In either case, the external bypass switch keeps link traffic flowing. This capability is often not available in an internal bypass switch. More advanced bypass switch models provide high availability support, allowing customers to configure redundant inline tool infrastructure to maximize availability. Certain models even support simple serial inline deployments where if one tool fails, traffic is automatically rerouted to the next inline tool. An Ixia Heartbeat Measures the Health of Your Inline Solution One important technology included in many Ixia bypass switches is the Heartbeat packet. A hearbeat is a small packet that the bypass switch passes through the on a regular basis. If the Heartbeat packet is not returned to the bypass switch within a programmed timeout period (and number of retries), the bypass switch knows the is unresponsive immediately opens the link allowing network traffic to flow directly, bypassing the. 3

While heartbeats are common to many bypass technologies, Ixia s heartbeat technology is superior to other implementations for two reasons. First, the granularity of the Heartbeat packet can be set to a very high frequency (down to 1 nanosecond). This guarantees that if an inline security device fails, the bypass switch will know nearly instantaneously, and react. Secondly, Ixia s implementation is based in the bypass fieldprogrammable gateway array (FPGA), not the software. This hardware-based heartbeat means the response time of the bypass switch is also measurable in nanoseconds (between 1 and 3). This translates to very little (if any data) loss by the or other inline security device in the fail over process (or on the network should it fail open). Visibility We have seen that a basic external bypass switch improves the overall network reliability and application availability compared to a bypass switch internal to the. However, Ixia offers bypass switches with additional features that add even more value. These products include a remote management interface that enables network professionals to monitor the status of the bypass switch itself, the attached device, and the attached links. Obtaining traffic statistics from the bypass switch is particularly valuable. Information such as bandwidth utilization, peak traffic, packet and byte counts, and error counts enable security personnel to measure the impact of new signature sets and configurations, without the need for additional monitoring tools and network taps, and without reconfiguring SPAN ports on switches. Some bypass switches can also generate alarms (SNMP traps) when traffic on a given port exceeds a programmed use level. These traps can be used by a network management system such as IBM Tivoli or HP OpenView to alert an operator that an unusual condition exists perhaps one in which the traffic volume could exceed the capability of the. Programmability Some bypass switches allow you to programmatically route traffic into or around inline security tools. This feature is very helpful when troubleshooting or when upgrading the tool software. in Bypass Off Mode Bypass Off mode = traffic is routed through the appliance in Bypass On Mode Bypass On mode = in-line traffic bypasses the appliance can be removed and replaced without causing network downtime. By logging into the device from anywhere on the network, operators can monitor traffic and device status, and configure and control the device. One aspect of device control is the ability to force the bypass switch into Bypass On mode, taking the offline. This capability can be handy for easily removing the from service without requiring a technician to be physically on site with the, saving time and travel costs. When a bypass switch is configured in Tap mode, taking the offline, the bypass assumes the function of a full-duplex network tap. In this way, it mirrors all the traffic received at network link Port A to monitor Port 1, and all the traffic received at network link Port B to monitor Port. This enables the to continue to monitor the network traffic, acting as an out-of-band intrusion detection system (IDS), a useful way to test signature sets before actually applying them to network traffic. The device can also be used as a conventional network tap, eliminating the need to break the link to install a tap when other types of monitoring tools are required to investigate a network issue. 4

WHITE PAPER Modularity Sometimes it is necessary to physically remove the from the link, perhaps for maintenance, upgrade, or reconfiguring a growing network. If the was deployed with an external bypass switch, the can be physically removed from the link without impacting link traffic or application availability. With an internal bypass switch, or no bypass switch at all, you would have to wait for a scheduled maintenance window, perhaps get a network change authorization signed, and alert users of all applications dependent on the link that their service will be interrupted for a period. Clearly the external bypass switch saves a lot of time and trouble in this case. But the scenario can be worse than that. So far, the examples assumed a planned event. What happens when an must be taken offline or physically removed because of an unplanned situation? For example, a cable could be accidentally unplugged from the during some maintenance activity. Or the could experience a physical failure such as an electrical component going bad. The external Bypass switch ensures that the application is not taken down by one of these unplanned events, should they occur. External bypass switches eliminate the single-point-offailure that internal bypass switches pose. Conclusion We've shown that an external bypass switch makes an inline security deployment more reliable and flexible as compared to depending on integrated bypass circuitry. Moreover, the cost of the external bypass switch is further justified by the value-add of improved instrumentation and the cost savings of remote management capabilities. Customer issues: How do I deploy monitoring or security tools inline without adding a point of failure? How can I replace or upgrade my inline tools with no interruption to the business? How do I maximize network uptime when deploying active security solutions? Ixia Worldwide Headquarters 6601 Agoura Rd. Calabasas, CA 9130 (Toll Free North America) 1.877.367.494 (Outside North America) +1.818.871.1800 (Fax) 818.871.1805 www.ixiacom.com Ixia European Headquarters Ixia Technologies Europe Ltd Clarion House, Norreys Drive Maidenhead SL6 4FL United Kingdom Sales +44 168 408750 (Fax) +44 168 639916 Ixia Asia Pacific Headquarters 101 Thomson Road, #9-04/05 United Square, Singapore 307591 Sales +65.633.015 Fax +65.633.017 915-6688-01 Rev. B, December 015

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information