IBM Support

Security Network Protection built-in bypass general information

Question & Answer


Question

What is the difference between hardware bypass and software bypass for the Security Network Protection (XGS) platform and what circumstances cause each to engage?

Answer

On the XGS, there are two different bypass methods that are used:
  • The hardware bypass is controlled by the physical network interfaces.
  • The software bypass is controlled by the packet driver.
In the Protection Interfaces policy, the hardware bypass is controlled by the Hardware Bypass setting and the software bypass is controlled by the Unanalyzed Policy setting as shown below.




Hardware Bypass

The hardware bypass feature is included in the built-in copper interfaces and any copper or fiber-based Network Interface Module (NIM). SFP modules do not support internal hardware bypass capability.

When the hardware bypass engages, it physically bridges the port pair to allow data to flow through the physical interface without requiring any packet processing by the sensor. The hardware bypass engages in the event of a hardware failure, loss of power, kernel panic, or if the primary analysis daemon crashes.

Note: For hardware bypass to work, the interfaces must be enabled in the Protection Interfaces policy. If the interfaces are not enabled, the link between the adjacent devices is never established.

A hardware bypass does create a short network outage, or interface flap, during the bypass transition. When XGS engages hardware bypass at the time of a power failure or restart, it physically bridges the port pair, and the adjacent devices have to renegotiate and reestablish the network link through XGS. This causes the interfaces to flap, and the outage time generally depends on the negotiation time. The more NIMs/ports connected on the XGS, the longer the outage. The time varies from a few seconds up to a minute. Similar outages are also observed when XGS has to leave the hardware bypass.
 
Hardware Bypass Modes
  • Auto: In non-HA modes, all traffic is allowed to pass through the appliance (fail open). In HA mode, interface links are closed and traffic is prevented from passing through the appliance (fail closed).
  • Fail Open: Allows all network traffic to pass through the appliance.
  • Fail Closed: Closes the links for the interface pair and prevents any network traffic from passing through the appliance.

Software Bypass

The software bypass feature is built into the device firmware and is controlled by the packet driver layer of the firmware.

When software bypass engages, traffic being processed by the packet driver bypasses all IPS sensor inspection and is automatically passed through the appliance. The software bypass engages when the analysis daemon crashes or hangs, or when the sensor is unable to keep up with the volume of packet inspection because system resources are unavailable.
 
Unanalyzed Policy Modes
  • Forward: The appliance performs connection tracking if possible. It continues to discard packets that belong to blocked connections. Other packets are transmitted.
  • Drop: The appliance discards any packets that cannot be fully analyzed.
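The following is an added example, not code from IBM or the XGS firmware, that models the two settings above as a decision table: given the Hardware Bypass setting, HA mode, and the Unanalyzed Policy, it reports which mechanism engages for each fault event the page lists and whether traffic can cross the appliance without IPS inspection. The event names, the `ProtectionInterfaces` class and the function names are constructed for the example; where the page lists a daemon crash under both mechanisms, both are reported and no precedence is assumed.

```python
from dataclasses import dataclass

# Fault events named on the page and the bypass mechanism(s) the page lists
# for each. "daemon_crash" appears under both mechanisms; no precedence is
# stated, so both are reported and neither is assumed to win.
EVENT_MECHANISMS = {
    "hardware_failure": ("hardware",),
    "power_loss": ("hardware",),
    "kernel_panic": ("hardware",),
    "daemon_crash": ("hardware", "software"),
    "daemon_hang": ("software",),
    "resource_exhaustion": ("software",),
}


@dataclass(frozen=True)
class ProtectionInterfaces:  # constructed model of the two policy settings
    ha_mode: bool           # deployed in an HA pair (affects the Auto setting)
    hardware_bypass: str    # "auto", "fail_open" or "fail_closed"
    unanalyzed_policy: str  # "forward" or "drop"


def hardware_disposition(cfg):
    """Resolve Auto: fail open when stand-alone, fail closed in HA mode."""
    if cfg.hardware_bypass == "auto":
        return "fail_closed" if cfg.ha_mode else "fail_open"
    return cfg.hardware_bypass


def bypass_outcome(cfg, event):
    """Return [(mechanism, disposition), ...] for a fault event."""
    return [("hardware", hardware_disposition(cfg)) if m == "hardware"
            else ("software", cfg.unanalyzed_policy)
            for m in EVENT_MECHANISMS[event]]


def forward_mode_disposition(conn_id, blocked_connections):
    """Unanalyzed Policy = Forward: packets of already-blocked connections are
    still discarded; every other packet is transmitted without inspection."""
    return "discard" if conn_id in blocked_connections else "transmit_uninspected"


def passes_uninspected(cfg, event):
    """True if any mechanism that engages for `event` lets traffic through
    without IPS inspection (the availability-over-inspection trade-off)."""
    return any(d in ("fail_open", "forward") for _, d in bypass_outcome(cfg, event))


def audit(cfg):
    """Map every page-listed event to whether uninspected traffic can flow."""
    return {event: passes_uninspected(cfg, event) for event in EVENT_MECHANISMS}
```

Running `audit` over a candidate policy shows at a glance which fault conditions a fail-open configuration leaves uninspected, which is the point to weigh against the outage behaviour described above.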


Document Information

Modified date:
23 January 2021

UID

swg21882622