McAfee M-1250 Network Protection - Page 13


McAfee® Network Security Platform 6.0
Determine your high availability strategy
Fail-open or fail-closed functionality
Sensor ports deployed in inline mode have the option of failing open or closed. Similar in
terminology to firewall operation, ports failing open allow traffic to continue to flow. Thus,
even if the ports fail, your Sensor does not become a bottleneck. However, monitoring
ceases, allowing all traffic to continue to flow through the network, which can allow attacks
to impact systems in your network. When ports are configured to fail-closed, the Sensor
does not allow traffic to continue to flow, thus the failed ports become a bottleneck,
stopping all traffic at the Sensor.
Note:
There are security consequences when the Sensor is in bypass mode. When
bypass mode is on, the traffic bypasses the Sensor and is not inspected; therefore,
the Sensor cannot prevent malicious attacks.
There are two fail-open options available:
Fail-open with external hardware
Inline fail-open mode, available for both 10/100 and GE links, guarantees that data will be
forwarded over a monitored link in the event that the Sensor's processes are temporarily
stopped for upgrades or when the Sensor fails. This guarantee is delivered for 10/100 port
pairs using an internal mechanical tap that connects the monitoring ports when hardware
failure is detected. The 10/100 configuration is a choice made per port pair. The Gigabit
fail-open implementation involves the use of the external Gigabit Fail-Open Kit, which
includes a Bypass Switch.
Caution 1:
Note that Sensor outage breaks the link connecting the devices on
either side of the Sensor and requires the renegotiation of the network link
between the two peer devices connected to the Sensor.
Caution 2:
Depending on the network equipment, this disruption introduced by
the renegotiation of the link layer between the two peer devices may range from
a couple of seconds to more than a minute with certain vendors’ devices.
Caution 3:
A very brief link disruption may also occur while the links between
the Sensor and each of the peer devices are renegotiated to place the Sensor
back in inline mode. This outage, again, varies depending on the device, and
can range from a few seconds to more than a minute.
Fail-open with the Layer 2 Passthru (L2) feature
Layer 2 Passthru is also known as “software fail-open.” The L2 feature, when triggered,
causes traffic to flow through the Sensor without being copied to the detection engine.
Note:
The Layer 2 Passthru option is provided specifically to handle internal
Sensor errors; it is not provided as an alternative to other HA options, such as
the Fail-Open kit.
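The two operational facts above that a defender most needs to track are the length of the link renegotiation outage (Cautions 1 to 3) and the length of any window in which the Sensor is in bypass and traffic is not inspected (Note). The following Python script is an added example, not code from the McAfee guide: it reads a constructed event log in a hypothetical "<timestamp> <port-pair> <event>" format (not the Sensor's real log format), pairs LINK_DOWN/LINK_UP and BYPASS_ON/BYPASS_OFF events per port pair, and reports renegotiation outages that exceed a configurable limit plus every bypass window as an inspection gap. Windows still open at the end of the log (a link that never came back, or a Sensor still in bypass) are reported with no duration rather than silently dropped.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical format, not a real Sensor or switch log).
# Each line: "<ISO-8601 timestamp> <port-pair> <event>".
CONSTRUCTED_LOG = """\
2024-01-01T10:00:00 1A-1B LINK_DOWN
2024-01-01T10:00:00 1A-1B BYPASS_ON
2024-01-01T10:00:47 1A-1B LINK_UP
2024-01-01T10:05:00 1A-1B LINK_DOWN
2024-01-01T10:05:03 1A-1B LINK_UP
2024-01-01T10:05:03 1A-1B BYPASS_OFF
2024-01-01T10:10:00 2A-2B LINK_DOWN
"""

Event = Tuple[datetime, str, str]
# (port pair, window start, duration in seconds; None if the window is still open)
Window = Tuple[str, datetime, Optional[float]]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log into (timestamp, port_pair, event) tuples, oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, event = line.split()
        events.append((datetime.fromisoformat(ts), port, event))
    # sorted() is stable, so events with identical timestamps keep their log order
    return sorted(events, key=lambda e: e[0])


def windows(events: List[Event], start_event: str, end_event: str) -> List[Window]:
    """Pair each start_event with the next end_event on the same port pair.

    A start with no matching end is reported with duration None, meaning the
    condition was still present when the log ended.
    """
    open_since: Dict[str, datetime] = {}
    result: List[Window] = []
    for ts, port, event in events:
        if event == start_event and port not in open_since:
            open_since[port] = ts
        elif event == end_event and port in open_since:
            start = open_since.pop(port)
            result.append((port, start, (ts - start).total_seconds()))
    for port, start in open_since.items():
        result.append((port, start, None))
    return result


def link_outages(events: List[Event]) -> List[Window]:
    """Link-layer renegotiation windows (Cautions 1 to 3): LINK_DOWN until LINK_UP."""
    return windows(events, "LINK_DOWN", "LINK_UP")


def bypass_windows(events: List[Event]) -> List[Window]:
    """Inspection gaps (Note): BYPASS_ON until BYPASS_OFF, traffic forwarded uninspected."""
    return windows(events, "BYPASS_ON", "BYPASS_OFF")


def findings(events: List[Event], max_renegotiation_seconds: float = 30.0) -> List[str]:
    """Human-readable findings: slow or unfinished renegotiations, and every bypass window."""
    out: List[str] = []
    for port, start, secs in link_outages(events):
        if secs is None:
            out.append(f"{port}: link down since {start.isoformat()} and not restored")
        elif secs > max_renegotiation_seconds:
            out.append(f"{port}: link renegotiation took {secs:.0f}s "
                       f"(limit {max_renegotiation_seconds:.0f}s)")
    for port, start, secs in bypass_windows(events):
        if secs is None:
            out.append(f"{port}: in bypass since {start.isoformat()}; traffic is NOT inspected")
        else:
            out.append(f"{port}: {secs:.0f}s of traffic passed uninspected from {start.isoformat()}")
    return out


if __name__ == "__main__":
    for line in findings(parse_events(CONSTRUCTED_LOG)):
        print(line)
```

On the constructed log the script reports a 47 s renegotiation on port pair 1A-1B (over the 30 s limit), a 303 s uninspected window on the same pair, and a link on 2A-2B that went down and never recovered; the 3 s second renegotiation stays below the limit and is not reported. The 30 s limit is an assumed placeholder; set it from the renegotiation times you measure with your own peer devices, since the guide notes these range from a few seconds to more than a minute depending on vendor.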