Focus on IDS
How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 04:29PM
Maqbool Hashim (mhashim ntsuk co uk) (2 replies)

I recently saw an outage in a network that had a Juniper IPS device deployed. The outage consisted of tcp sessions timing out for users, ping connectivity was not confirmed. The IPS is deployed in transparent mode and Internal Bypass is enabled on the ingress and egress interface pair that make up the virtual router. My understanding of the internal bypass feature is as follows as per the Juniper documentation:

In bypass mode, traffic enters the IDP ingress port and is forwarded out of the egress interface without being passed to the IDP engine. The ingress and egress interface join mechanically to form a circuit in order to continue passing traffic through the IPS device. Effectively the interfaces become a piece of wire. Bypass mode is triggered by a timing mechanism during system failure or shutdown. This feature has been enabled to optimise availability and ensure that network outages do not occur because the IDS crashes/fails/ or cannot process packets fast enough.

I'm trying to determine the cause of the outage we suffered, which is why I wanted a deeper understanding of internal bypass and the effects it may or may not have on the surrounding network architecture. The outage I saw occurred at around the same time the IPS box rebooted and consequently entered bypass mode. Bypass mode was only activated for a minute from the syslog entries, however the outage we saw lasted for approximately half an hour.

So my questions regarding bypass mode are:

1) During bypass mode the link status on the IPS interfaces will be down. Will the switch interfaces connected to the IPS device remain up as they are now connected to each other through the IPS (piece of wire) rather than to the IPS interfaces?

2) If the switch interfaces are now connected to each other rather than the IPS what about mac forwarding tables? Is it possible that the forwarding tables on the switches get confused?

3) Any specific session based issues that could be caused by the IPS device engaging and disengaging internal bypass mode?

My feeling is that the issues might be caused by how the network environment responds to the IPS engaging/disengaging internal bypass mode rather than an issue with the IPS device. I'm just looking for some guidance on any gotchas that I should be aware of with regards to the network environment when the IPS device triggers bypass mode.



This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not an intended recipient, please delete this e-mail immediately and notify NTS(UK) Ltd on 0844 815 5925
This e-mail does not necessarily reflect the Company's opinion and should not be interpreted as such.
This message was scanned by Proofpoint Protection Server - please contact NTS for further information.

Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.;5001;25;1371;0;1;946;9a80e04e1a

[ reply ]
Re: How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 09:32PM
Fairtel - Barry Hofland (barry fairtel nl)
Re: How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 05:24PM
Joel M Snyder (Joel Snyder Opus1 COM)


Privacy Statement
Copyright 2010, SecurityFocus