Fail-Open Or Fail-Closed Functionality - McAfee M-1250 - Network Security Platform Manual

Network protection
McAfee® Network Security Platform 6.0

Fail-open or fail-closed functionality

Sensor ports deployed in inline mode have the option of failing open or closed. Similar in
terminology to firewall operation, ports failing open allow traffic to continue to flow. Thus,
even if the ports fail, your Sensor does not become a bottleneck. However, monitoring
ceases, allowing all traffic to continue to flow through the network, which can allow attacks
to impact systems in your network. When ports are configured to fail-closed, the Sensor
does not allow traffic to continue to flow, thus the failed ports become a bottleneck,
stopping all traffic at the Sensor.
Note:
There are security consequences when the Sensor is in bypass mode. When
bypass mode is on, the traffic bypasses the Sensor and is not inspected; therefore,
the Sensor cannot prevent malicious attacks.
There are two fail-open options available:
Fail-open with external hardware
Inline fail-open mode, available for both 10/100 and GE links, guarantees that data will be
forwarded over a monitored link in the event that the Sensor's processes are temporarily
stopped for upgrades or when the Sensor fails. For 10/100 port pairs, this guarantee is
delivered by an internal mechanical tap that connects the monitoring ports when a hardware
failure is detected; the 10/100 configuration is a choice made per port pair. The Gigabit
fail-open implementation uses the external Gigabit Fail-Open Kit, which includes a
Bypass Switch.
Fail-open with the Layer 2 Passthru (L2) feature
Layer 2 Passthru is also known as "software fail-open." When triggered, the L2 feature
causes traffic to flow through the Sensor without being copied to the detection engine.
Caution 1:
Note that Sensor outage breaks the link connecting the devices on
either side of the Sensor and requires the renegotiation of the network link
between the two peer devices connected to the Sensor.
Caution 2:
Depending on the network equipment, this disruption introduced by
the renegotiation of the link layer between the two peer devices may range from
a couple of seconds to more than a minute with certain vendors' devices.
Caution 3:
A very brief link disruption may also occur while the links between
the Sensor and each of the peer devices are renegotiated to place the Sensor
back in inline mode. This outage, again, varies depending on the device, and
can range from a few seconds to more than a minute.
Note:
The Layer 2 Passthru option is provided specifically to handle internal
Sensor errors; it is not provided as an alternative to other HA options, such as
the Fail-Open kit.
Determine your high availability strategy