Fail-Open Versus Fail-Closed - McAfee M-1250 - Network Security Platform Deployment Manual

McAfee® Network Security Platform 6.0
Figure 6: In-line mode
In in-line mode (Figure 6), the Sensor logically acts as a transparent repeater that adds
minimal latency for packet processing. Unlike a bridge, router, or switch, the Sensor does
not need to learn MAC addresses or keep an ARP cache or a routing table.
When deployed in-line, you must specify for each Sensor port whether it faces the inside or
the outside of the network it is protecting. For example, the Sensor shown in the figure in
How complex is your network topology? (on page 9) monitors links both inside and outside
the network.

Fail-open versus fail-closed

Sensor ports deployed in in-line mode can be configured to fail open or to fail closed. The
terms mean the same as they do for firewalls. A port that fails open keeps passing traffic
when the Sensor stops working, so the Sensor never becomes a bottleneck on the link; the
cost is that inspection stops, and traffic the Sensor would otherwise have blocked now
reaches the systems behind it. A port that fails closed passes nothing when the Sensor stops
working, so no uninspected traffic gets through; the cost is that the failed ports stop all
traffic on that link at the Sensor. The choice is therefore between availability of the link
and protection of the systems behind it.
High-availability.
In in-line mode a lone Sensor is a single point of failure for the link it sits on, so the
Sensors support complete stateful fail-over, which McAfee describes as the industry's first
true high-availability IPS deployment, comparable to the fail-over you would find with
firewalls. If you run in-line, McAfee recommends that you deploy two Sensors redundantly so
that one can take over if the other fails.
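As an added illustration (not code from the McAfee manual or the Network Security Platform product), the following Python model shows the two behaviours described above: what happens to traffic when a lone in-line Sensor fails open or fails closed, and why the fail-over between a Sensor pair needs to be stateful. The Sensor, Packet and HAPair classes, the constructed traffic sample, and the policy that a healthy Sensor drops a mid-flow packet it has no state for are all assumptions made for the model, not documented Sensor behaviour.

```python
"""Model of in-line IPS failure behaviour: fail-open vs fail-closed, and
stateful vs stateless fail-over between two sensors (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class FailMode(Enum):
    OPEN = "open"      # failed ports keep passing traffic, uninspected
    CLOSED = "closed"  # failed ports pass nothing


@dataclass
class Packet:
    flow: str        # constructed flow label, e.g. "10.0.0.5:4444->192.168.1.10:80"
    syn: bool        # True for the first packet of a flow
    malicious: bool  # what a healthy sensor's signatures would flag


@dataclass
class Sensor:
    name: str
    fail_mode: FailMode
    healthy: bool = True
    flows: set = field(default_factory=set)  # the sensor's connection-state table

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet.
        'forward' / 'drop'     : a healthy sensor inspected the packet.
        'bypass' / 'blackhole' : the sensor has failed; only the fail mode decides.
        """
        if not self.healthy:
            return "bypass" if self.fail_mode is FailMode.OPEN else "blackhole"
        if pkt.syn:
            self.flows.add(pkt.flow)      # learn a new flow
        elif pkt.flow not in self.flows:
            return "drop"                 # mid-flow packet with no state (assumed policy)
        return "drop" if pkt.malicious else "forward"


@dataclass
class HAPair:
    primary: Sensor
    secondary: Sensor
    stateful: bool = True  # replicate flow state to the peer after every packet

    def inspect(self, pkt: Packet) -> str:
        active = self.primary if self.primary.healthy else self.secondary
        verdict = active.inspect(pkt)
        if self.stateful and active.healthy:
            peer = self.secondary if active is self.primary else self.primary
            peer.flows |= active.flows    # state replication to the standby
        return verdict


def run(device, packets, fail_after: int) -> list:
    """Feed packets through device; the lone/primary sensor fails after fail_after packets."""
    verdicts = []
    for i, pkt in enumerate(packets):
        if i == fail_after:
            target = device.primary if isinstance(device, HAPair) else device
            target.healthy = False
        verdicts.append(device.inspect(pkt))
    return verdicts


# Constructed traffic: a benign flow already in progress, then an attack on a second flow.
FLOW_A = "10.0.0.5:4444->192.168.1.10:80"
FLOW_B = "10.0.0.9:5555->192.168.1.10:80"
TRAFFIC = [
    Packet(FLOW_A, syn=True, malicious=False),
    Packet(FLOW_A, syn=False, malicious=False),
    Packet(FLOW_B, syn=True, malicious=True),
]


def single_sensor(mode: FailMode) -> list:
    """One in-line sensor that fails after the first packet."""
    return run(Sensor("s1", mode), TRAFFIC, fail_after=1)


def ha_pair(stateful: bool) -> list:
    """Two fail-closed sensors; the primary fails after the first packet."""
    pair = HAPair(Sensor("s1", FailMode.CLOSED), Sensor("s2", FailMode.CLOSED), stateful)
    return run(pair, TRAFFIC, fail_after=1)


if __name__ == "__main__":
    print("fail-open   :", single_sensor(FailMode.OPEN))
    print("fail-closed :", single_sensor(FailMode.CLOSED))
    print("HA stateful :", ha_pair(True))
    print("HA stateless:", ha_pair(False))
```

Running it shows the trade-off in the paragraph above: the fail-open Sensor lets the malicious packet through uninspected ("bypass"), the fail-closed Sensor stops everything ("blackhole"). It also shows why the fail-over has to be stateful: the stateless pair drops the benign flow's second packet because the standby has never seen that flow, even though the standby itself is healthy, whereas the stateful pair carries the flow across and still drops the attack.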
Sensor Deployment Modes