Focus on IDS
How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 04:29PM
Maqbool Hashim (mhashim ntsuk co uk) (2 replies)
Re: How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 09:32PM
Fairtel - Barry Hofland (barry fairtel nl)
Re: How does Internal Bypass mode work on Juniper IDP range Oct 26 2010 05:24PM
Joel M Snyder (Joel Snyder Opus1 COM)
> In bypass mode, traffic enters the IDP ingress port and is forwarded
> out of the egress interface without being passed to the IDP engine.

I can't speak to the Juniper IDP box, but there are a number of issues
that I have seen with hardware bypass.

First, depending on the equipment, you may have incorrectly made cables.
Different hardware works differently, but normally the hardware bypass
inserts a crossover between the two devices when it snaps into place.
Thus, depending on what you have on either end of the IPS, you may need
to have one crossover cable on one side and a straight-through on the
other side. For gig, not a problem, but if you have a device that
doesn't do auto-MDIX, you've got an issue. This is the number-one
problem I've seen and is the result of a sloppy install.

Second, you may have a negotiation problem. These are myriad throughout
the networking world. Your typical networking team member knows how to
set it up correctly, but if a security person without the right
background did the configuration, you may have (for example) one side
doing auto-negotiation and the other side not, a recipe for failure
(depending on how your device actually implements non-negotiated traffic)

Those two seem to cover about 90% of the issues. The other 10% are
caused by bad relays--the IPS box doesn't actually "snap in" to bypass
mode when the watchdog doesn't go off or the power disappears.

You can probably isolate to these three, or some other, by performing a
power cord attenuation on the IPS device during a sanctioned downtime.

Unless the Juniper is badly flawed and in need of a forklift upgrade,
the MAC table issue is non-existent; the IPS should not be interfering
with the MAC on either side of it.

jms

On 10/26/10 6:29 PM, Maqbool Hashim wrote:
> Hi,
>
> I recently saw an outage in a network that had a Juniper IPS device deployed. The outage consisted of tcp sessions timing out for users, ping connectivity was not confirmed. The IPS is deployed in transparent mode and Internal Bypass is enabled on the ingress and egress interface pair that make up the virtual router. My understanding of the internal bypass feature is as follows as per the Juniper documentation:
>
> In bypass mode, traffic enters the IDP ingress port and is forwarded out of the egress interface without being passed to the IDP engine. The ingress and egress interface join mechanically to form a circuit in order to continue passing traffic through the IPS device. Effectively the interfaces become a piece of wire. Bypass mode is triggered by a timing mechanism during system failure or shutdown. This feature has been enabled to optimise availability and ensure that network outages do not occur because the IDS crashes/fails/ or cannot process packets fast enough.
>
> I'm trying to determine the cause of the outage we suffered, which is why I wanted a deeper understanding of internal bypass and the effects it may or may not have on the surrounding network architecture. The outage I saw occurred at around the same time the IPS box rebooted and consequently entered bypass mode. Bypass mode was only activated for a minute from the syslog entries, however the outage we saw lasted for approximately half an hour.
>
> So my questions regarding bypass mode are:
>
> 1) During bypass mode the link status on the IPS interfaces will be down. Will the switch interfaces connected to the IPS device remain up as they are now connected to each other through the IPS (piece of wire) rather than to the IPS interfaces?
>
> 2) If the switch interfaces are now connected to each other rather than the IPS what about mac forwarding tables? Is it possible that the forwarding tables on the switches get confused?
>
> 3) Any specific session based issues that could be caused by the IPS device engaging and disengaging internal bypass mode?
>
> My feeling is that the issues might be caused by how the network environment responds to the IPS engaging/disengaging internal bypass mode rather than an issue with the IPS device. I'm just looking for some guidance on any gotchas that I should be aware of with regards to the network environment when the IPS device triggers bypass mode.
>
> Thanks
>
> Maq
>
>
>
> ----------------------------------------------------------------------
> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not an intended recipient, please delete this e-mail immediately and notify NTS(UK) Ltd on 0844 815 5925
> This e-mail does not necessarily reflect the Company's opinion and should not be interpreted as such.
> This message was scanned by Proofpoint Protection Server - please contact NTS for further information.
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194
>
>

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms (at) Opus1 (dot) COM [email concealed] http://www.opus1.com/jms

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus