Focus on IDS
RE: How does Internal Bypass mode work on Juniper IDP range Oct 27 2010 08:13AM
Maqbool Hashim (mhashim ntsuk co uk) (1 replies)
Re: How does Internal Bypass mode work on Juniper IDP range Oct 29 2010 06:03PM
Paul Palmer (b paul palmer gmail com)
The problem may have been related to the spanning tree protocol. Many
(most?) bypass units cause a momentary loss of link when relays switch
the security device in and out of the circuit. The link state change
likely causes the switches on either end of the link to enter a
recovery phase in which they begin to recalculate the "new" network
topology. With some switches and some complex (redundant network
paths) networks, this can take many minutes to complete during which
the network will generally not pass traffic. Combine that with the
typical bypass event triggering 4 link state changes (bypass engages
causes a link down followed by an immediate link up, and when the
bypass disengages it causes another link down and link up) and you
find that some switch topologies get "lost in the weeds" for _many_
minutes while all of the spanning tree activity resolves itself.

On Wed, Oct 27, 2010 at 4:13 AM, Maqbool Hashim <mhashim (at) ntsuk.co (dot) uk [email concealed]> wrote:
> Hi Joel,
>
> Good point, I'm not sure that a duplex or mdix issue was the cause of the downtime in our case however.  Reason I say this is that the issue seemed to disappear after half an hour, without any intervention.  This wouldn't happen if it was a duplex/MDIX issue.  However its certainly the type of gotcha I was hoping to find out about when posted to the mailing list.
>
> Many Thanks
>
> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder (at) Opus1 (dot) COM [email concealed]]
> Sent: 26 October 2010 18:25
> To: Maqbool Hashim
> Cc: focus-ids (at) securityfocus (dot) com [email concealed]
> Subject: Re: How does Internal Bypass mode work on Juniper IDP range
>
>  > In bypass mode, traffic enters the IDP ingress port and is forwarded  > out of the egress interface without being passed to the IDP engine.
>
> I can't speak to the Juniper IDP box, but there are a number of issues that I have seen with hardware bypass.
>
> First, depending on the equipment, you may have incorrectly made cables.
>  Different hardware works differently, but normally the hardware bypass inserts a crossover between the two devices when it snaps into place.
> Thus, depending on what you have on either end of the IPS, you may need to have one crossover cable on one side and a straight-through on the
> other side.   For gig, not a problem, but if you have a device that
> doesn't do auto-MDIX, you've got an issue.  This is the number-one problem I've seen and is the result of a sloppy install.
>
> Second, you may have a negotiation problem.  These are myriad throughout the networking world.  Your typical networking team member knows how to set it up correctly, but if a security person without the right background did the configuration, you may have (for example) one side doing auto-negotiation and the other side not, a recipe for failure (depending on how your device actually implements non-negotiated traffic)
>
> Those two seem to cover about 90% of the issues.  The other 10% are caused by bad relays--the IPS box doesn't actually "snap in" to bypass mode when the watchdog doesn't go off or the power disappears.
>
> You can probably isolate to these three, or some other, by performing a power cord attenuation on the IPS device during a sanctioned downtime.
>
> Unless the Juniper is badly flawed and in need of a forklift upgrade, the MAC table issue is non-existent; the IPS should not be interfering with the MAC on either side of it.
>
> jms
>
>
> On 10/26/10 6:29 PM, Maqbool Hashim wrote:
>> Hi,
>>
>> I recently saw an outage in a network that had a Juniper IPS device deployed.  The outage consisted of tcp sessions timing out for users, ping connectivity was not confirmed.  The IPS is deployed in transparent mode and Internal Bypass is enabled on the ingress and egress interface pair that make up the virtual router.   My understanding of the internal bypass feature is as follows as per the Juniper documentation:
>>
>> In bypass mode, traffic enters the IDP ingress port and is forwarded out of the egress interface without being passed to the IDP engine.  The ingress and egress interface join mechanically to form a circuit in order to continue passing traffic through the IPS device.  Effectively the interfaces become a piece of wire.  Bypass mode is triggered by a timing mechanism during system failure or shutdown.  This feature has been enabled to optimise availability and ensure that network outages do not occur because the IDS crashes/fails/ or cannot process packets fast enough.
>>
>> I'm trying to determine the cause of the outage we suffered, which is why I wanted a deeper understanding of internal bypass and the effects it may or may not have on the surrounding network architecture.  The outage I saw occurred at around the same time the IPS box rebooted and consequently entered bypass mode.  Bypass mode was only activated for a minute from the syslog entries, however the outage we saw lasted for approximately half an hour.
>>
>> So my questions regarding bypass mode are:
>>
>> 1) During bypass mode the link status on the IPS interfaces will be down.  Will the switch interfaces connected to the IPS device remain up as they are now connected to each other through the IPS (piece of wire) rather than to the IPS interfaces?
>>
>> 2)  If the switch interfaces are now connected to each other rather than the IPS what about mac forwarding tables?  Is it possible that the forwarding tables on the switches get confused?
>>
>> 3) Any specific session based issues that could be caused by the IPS device engaging and disengaging internal bypass mode?
>>
>> My feeling is that the issues might be caused by how the network environment responds to the IPS engaging/disengaging internal bypass mode rather than an issue with the IPS device.  I'm just looking for some guidance on any gotchas that I should be aware of with regards to the network environment when the IPS device triggers bypass mode.
>>
>> Thanks
>>
>> Maq
>>
>>
>>
>> ----------------------------------------------------------------------
>> This e-mail and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are addressed. If you are not an intended recipient, please delete this e-mail immediately and notify NTS(UK) Ltd on 0844 815 5925 This e-mail does not necessarily reflect the Company's opinion and should not be interpreted as such.
>> This message was scanned by Proofpoint Protection Server - please contact NTS for further information.
>>
>> -----------------------------------------------------------------
>> Securing Your Online Data Transfer with SSL.
>> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
>> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e
>> 1a17f194
>>
>>
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One       Phone: +1 520 324 0494
> jms (at) Opus1 (dot) COM [email concealed]                http://www.opus1.com/jms
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194
>
>
>

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus