Packet-based communication networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. For such network traffic monitoring, in-line network tools are often placed between two network nodes such that the network traffic flows from one network node through the in-line network tool to another network node.
Deployment of an in-line network tool between network nodes within a network, however, adds the risk of the in-line network tool becoming a point of failure. To address or eliminate this potential point of failure, the deployment can include a bypass switch that is placed between the network and the in-line network tool. The bypass switch operates in a bypass “OFF” mode to route network traffic through the in-line network tool and operates in a bypass “ON” mode to route network traffic directly between network nodes without passing through the in-line network tool. For many implementations, the bypass switch operates to bypass the in-line network tool in the event of a tool failure, thereby allowing the in-line network tool to monitor and inspect network traffic while still protecting the network traffic in the event of a tool failure. In this way, bypass switches provide fail-safe, in-line protection that safeguards a network with automated failover protection, preventing temporary tool outages from escalating into costly network outages. Bypass switches thereby provide a reliable separation point between the network and security layers for in-line monitoring of network traffic.
A bypass switch is typically implemented as a passive device that maintains traffic flow when the in-line monitoring tool (e.g., intrusion prevention system (IPS) and/or other network tool) is not available. There are two basic implementations for bypass switches: internal and external. Internal bypass is performed as a function of an in-line security device such as an IPS. The bypass function can also be performed outside the security tool, using an external bypass switch. The bypass switch automatically detects failure events or other operational events with respect to in-line security tools and routes traffic around the security tool while issuing an alert to ensure action is taken by the network or security system administrators. Internal bypass switches often have limited functionality, while external bypass switches often include more robust protection.
In addition to this core functionality of the bypass switch, existing bypass switches can also provide mirrored copies of received network traffic to out-of-band tools or other processing nodes. In particular, existing bypass switches can capture network traffic received by a network port of a bypass switch and send this received network traffic through a tap output port to an out-of-band tool for further inspection or processing.
FIG. 1A (Prior Art) provides a block diagram of an example embodiment 100 for a prior bypass switch 112 connected in-line between network nodes 102 and 104 where the bypass switch 112 is operating in bypass “OFF” mode. For this bypass “OFF” operational mode, the network traffic flowing through the network nodes 102/104 passes through the bypass switch 112 and also through the in-line tool 110. In particular, the network traffic 106 flowing through the first network node (N1) 102 includes network packets 130 and processed packets 136. The bypass switch 112 receives network packets 130 as ingress packets from the first network node (N1) 102 at a network port 114, and these network packets 130 are forwarded to tool port 118 before being transmitted to the in-line tool 110. After processing by the in-line tool 110, processed packets 132 are sent back to the bypass switch 112 and received at tool port 120. The processed packets 132 are then forwarded to the network port 116 before being transmitted as egress packets to the second network node 104 as part of network traffic 108. Similarly, the network traffic 108 flowing through the second network node (N2) 104 includes network packets 134 and processed packets 132. The bypass switch 112 receives network packets 134 as ingress packets from the second network node (N2) 104 at a network port 116, and these network packets 134 are forwarded to tool port 120 before being transmitted to the in-line tool 110. After processing by the in-line tool 110, processed packets 136 are sent back to the bypass switch 112 and received at tool port 118. The processed packets 136 are then forwarded to the network port 114 before being transmitted as egress packets to the first network node 102 as part of network traffic 106. The in-line tool 110 analyzes the network packets 130/134 and can provide various monitoring and/or security functions. For example, the in-line tool 110 can be an intrusion prevention system (IPS) that blocks packets representing network threats. Other in-line tools and related processing can also be used.
As indicated above, the bypass switch 112 can be configured to provide copies of network packets 130/134 received as ingress packets from the network nodes 102/104 through tap output ports (TAP-A, TAP-B) 122/123. For example, network packets 130 received as ingress packets from the first network node (N1) 102 can be copied, as indicated by capture node 124, and forwarded to the tap output port (TAP-A) 122. Similarly, the network packets 134 received as ingress packets from the second network node (N2) 104 can be copied, as indicated by capture node 126, and then forwarded to the tap output port (TAP-B) 123. The copied network packets 138/139 are output by the tap output ports 122/123 and can be received by an out-of-band tool (T1) 128 connected to the tap output port 122 and an out-of-band tool (T2) 129 connected to the tap output port 123.
FIG. 1B (Prior Art) provides a block diagram of an example embodiment 150 for a prior bypass switch 112 connected in-line between network nodes 102 and 104 where the bypass switch 112 is operating in bypass “ON” mode. For this bypass “ON” operational mode, the network traffic flowing through the network nodes 102/104 passes through the bypass switch 112 but not through the in-line tool 110. In particular, the network traffic 106 flowing through the first network node (N1) 102 includes network packets 130 and network packets 134. The bypass switch 112 receives network packets 130 as ingress packets from the first network node (N1) 102 at a network port 114, and these network packets 130 bypass the in-line tool 110 and are forwarded directly to network port 116. The network packets 130 are then output as egress packets to the second network node (N2) 104. Similarly, the network traffic 108 flowing through the second network node (N2) 104 includes network packets 134 and network packets 130. The bypass switch 112 receives network packets 134 as ingress packets from the second network node (N2) 104 at a network port 116, and these network packets 134 bypass the in-line tool 110 and are forwarded directly to network port 114. The network packets 134 are then output as egress packets to the first network node (N1) 102. As above, the bypass switch 112 can be configured to provide copies of network packets 130/134 received as ingress packets from the network nodes 102/104 through tap output ports (TAP-A, TAP-B) 122/123, and these copied packets can be received by an out-of-band tool (T1) 128 connected to the tap output port 122 and an out-of-band tool (T2) 129 connected to the tap output port 123.
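The forwarding behaviour of the two modes described above (bypass OFF through tool ports 118/120, bypass ON straight between network ports 114/116, tap copies on 122/123 in both modes) and the automatic failover of the earlier paragraphs, as an added Python model that is not part of the patent text. The heartbeat-miss threshold that triggers failover and the dropping of packets the tool hands back after failover are assumptions, not features the page states.

```python
from dataclasses import dataclass, field
from enum import Enum


class Port(Enum):
    """Ports of bypass switch 112, named after the reference numerals in FIG. 1A/1B."""
    NET_114 = "network port 114"      # faces network node N1 (102)
    NET_116 = "network port 116"      # faces network node N2 (104)
    TOOL_118 = "tool port 118"        # in-line tool 110, N1-side interface
    TOOL_120 = "tool port 120"        # in-line tool 110, N2-side interface
    TAP_122 = "tap output port 122"   # TAP-A, to out-of-band tool T1 (128)
    TAP_123 = "tap output port 123"   # TAP-B, to out-of-band tool T2 (129)


# Static port relationships: opposite network port, tool port, tap port, and tool return path.
PEER_NET = {Port.NET_114: Port.NET_116, Port.NET_116: Port.NET_114}
TO_TOOL = {Port.NET_114: Port.TOOL_118, Port.NET_116: Port.TOOL_120}
TO_TAP = {Port.NET_114: Port.TAP_122, Port.NET_116: Port.TAP_123}
FROM_TOOL = {Port.TOOL_120: Port.NET_116, Port.TOOL_118: Port.NET_114}


@dataclass
class BypassSwitch:
    bypass_on: bool = False          # False = bypass "OFF": traffic passes through the tool
    max_missed: int = 3              # heartbeats missed before failover (assumed threshold)
    missed: int = 0
    alerts: list = field(default_factory=list)

    def ingress(self, port: Port, pkt: str) -> list:
        """Forward a packet arriving on a network port; returns (egress port, packet) pairs."""
        if port not in PEER_NET:
            raise ValueError(f"{port.value} is not a network port")
        outputs = [(TO_TAP[port], pkt)]  # mirrored copy is produced in both modes
        # Bypass ON: straight to the other network port. Bypass OFF: out to the in-line tool.
        outputs.append((PEER_NET[port] if self.bypass_on else TO_TOOL[port], pkt))
        return outputs

    def tool_return(self, port: Port, pkt: str) -> list:
        """Forward a processed packet handed back by the in-line tool on a tool port."""
        if self.bypass_on:
            return []  # tool is out of the path; late returns are dropped (assumption)
        return [(FROM_TOOL[port], pkt)]

    def heartbeat(self, tool_answered: bool) -> bool:
        """Track tool liveness; fail over to bypass ON after max_missed misses and raise an alert."""
        if tool_answered:
            self.missed = 0
            return self.bypass_on
        self.missed += 1
        if self.missed >= self.max_missed and not self.bypass_on:
            self.bypass_on = True
            self.alerts.append(f"in-line tool unresponsive after {self.missed} heartbeats; bypass ON")
        return self.bypass_on
```

The point a defender should notice is that the tap copies on ports 122/123 are produced regardless of mode, so out-of-band visibility survives a failover even though in-line blocking does not.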