Focus on IDS
RE: How does Internal Bypass mode work on Juniper IDP range Oct 27 2010 08:13AM
Maqbool Hashim (mhashim ntsuk co uk) (1 replies)
Hi Joel,

Good point, I'm not sure that a duplex or mdix issue was the cause of the downtime in our case however. Reason I say this is that the issue seemed to disappear after half an hour, without any intervention. This wouldn't happen if it was a duplex/MDIX issue. However its certainly the type of gotcha I was hoping to find out about when posted to the mailing list.

Many Thanks

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder (at) Opus1 (dot) COM [email concealed]]
Sent: 26 October 2010 18:25
To: Maqbool Hashim
Cc: focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Re: How does Internal Bypass mode work on Juniper IDP range

> In bypass mode, traffic enters the IDP ingress port and is forwarded > out of the egress interface without being passed to the IDP engine.

I can't speak to the Juniper IDP box, but there are a number of issues that I have seen with hardware bypass.

First, depending on the equipment, you may have incorrectly made cables.
Different hardware works differently, but normally the hardware bypass inserts a crossover between the two devices when it snaps into place.
Thus, depending on what you have on either end of the IPS, you may need to have one crossover cable on one side and a straight-through on the
other side. For gig, not a problem, but if you have a device that
doesn't do auto-MDIX, you've got an issue. This is the number-one problem I've seen and is the result of a sloppy install.

Second, you may have a negotiation problem. These are myriad throughout the networking world. Your typical networking team member knows how to set it up correctly, but if a security person without the right background did the configuration, you may have (for example) one side doing auto-negotiation and the other side not, a recipe for failure (depending on how your device actually implements non-negotiated traffic)

Those two seem to cover about 90% of the issues. The other 10% are caused by bad relays--the IPS box doesn't actually "snap in" to bypass mode when the watchdog doesn't go off or the power disappears.

You can probably isolate to these three, or some other, by performing a power cord attenuation on the IPS device during a sanctioned downtime.

Unless the Juniper is badly flawed and in need of a forklift upgrade, the MAC table issue is non-existent; the IPS should not be interfering with the MAC on either side of it.

jms

On 10/26/10 6:29 PM, Maqbool Hashim wrote:
> Hi,
>
> I recently saw an outage in a network that had a Juniper IPS device deployed. The outage consisted of tcp sessions timing out for users, ping connectivity was not confirmed. The IPS is deployed in transparent mode and Internal Bypass is enabled on the ingress and egress interface pair that make up the virtual router. My understanding of the internal bypass feature is as follows as per the Juniper documentation:
>
> In bypass mode, traffic enters the IDP ingress port and is forwarded out of the egress interface without being passed to the IDP engine. The ingress and egress interface join mechanically to form a circuit in order to continue passing traffic through the IPS device. Effectively the interfaces become a piece of wire. Bypass mode is triggered by a timing mechanism during system failure or shutdown. This feature has been enabled to optimise availability and ensure that network outages do not occur because the IDS crashes/fails/ or cannot process packets fast enough.
>
> I'm trying to determine the cause of the outage we suffered, which is why I wanted a deeper understanding of internal bypass and the effects it may or may not have on the surrounding network architecture. The outage I saw occurred at around the same time the IPS box rebooted and consequently entered bypass mode. Bypass mode was only activated for a minute from the syslog entries, however the outage we saw lasted for approximately half an hour.
>
> So my questions regarding bypass mode are:
>
> 1) During bypass mode the link status on the IPS interfaces will be down. Will the switch interfaces connected to the IPS device remain up as they are now connected to each other through the IPS (piece of wire) rather than to the IPS interfaces?
>
> 2) If the switch interfaces are now connected to each other rather than the IPS what about mac forwarding tables? Is it possible that the forwarding tables on the switches get confused?
>
> 3) Any specific session based issues that could be caused by the IPS device engaging and disengaging internal bypass mode?
>
> My feeling is that the issues might be caused by how the network environment responds to the IPS engaging/disengaging internal bypass mode rather than an issue with the IPS device. I'm just looking for some guidance on any gotchas that I should be aware of with regards to the network environment when the IPS device triggers bypass mode.
>
> Thanks
>
> Maq
>
>
>
> ----------------------------------------------------------------------
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are addressed. If you are not an intended recipient, please delete this e-mail immediately and notify NTS(UK) Ltd on 0844 815 5925 This e-mail does not necessarily reflect the Company's opinion and should not be interpreted as such.
> This message was scanned by Proofpoint Protection Server - please contact NTS for further information.
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e
> 1a17f194
>
>

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms (at) Opus1 (dot) COM [email concealed] http://www.opus1.com/jms

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]
Re: How does Internal Bypass mode work on Juniper IDP range Oct 29 2010 06:03PM
Paul Palmer (b paul palmer gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus