1- What Is a Definable Heartbeat Packet?
By default, the heartbeat packets of the Mylinking™ Network Tap Bypass Switch are ordinary Ethernet Layer 2 frames. When the protected device runs in transparent Layer 2 bridging mode (typical for an IPS / FW), such frames are forwarded, blocked or discarded normally, so a Layer 2 heartbeat is enough to test the device. Some special inline security devices, however, do not forward ordinary Layer 2 Ethernet frames; for these the Mylinking™ Network Tap Bypass Switch supports a custom heartbeat message format.
The Mylinking™ Network Tap Bypass Switch also supports heartbeat detection based on VLAN tags and on custom Layer 3 and Layer 4 message types. With this mechanism the user can test the service path through the inline security device rather than only its link state, and so confirm more reliably that the security service itself is working properly.
The Mylinking™ Network Tap Bypass Switch can send different heartbeat packets in the two directions. For example, when the forwarding behaviour of the inline device requires it, TCP and UDP heartbeat packets can be customized on the bypass switch: a TCP heartbeat is sent from the uplink monitor port A and a UDP heartbeat from the downlink monitor port B, matching the message forwarding mechanism of the inline security device. This verifies more effectively that the inline security device is operating normally.
The Mylinking™ Network Inline Bypass Switch is designed for the flexible deployment of various types of inline security equipment while maintaining high network reliability.
2- Network Inline Bypass Switch Advanced Features and Technologies
Mylinking™ “SpecFlow” Protection Mode and “FullLink” Protection Mode Technology
Mylinking™ Fast Bypass Switching Protection Technology
Mylinking™ “LinkSafeSwitch” Technology
Mylinking™ “WebService” Dynamic Strategy Forwarding/Issue Technology
Mylinking™ Intelligent Heartbeat Message Detection Technology
Mylinking™ Definable Heartbeat Messages Technology
Mylinking™ Multi-link Load Balancing Technology
Mylinking™ Intelligent Traffic Distribution Technology
Mylinking™ Dynamic Load Balancing Technology
Mylinking™ Remote Management Technology (HTTP/WEB, TELNET/SSH, “EasyConfig/AdvanceConfig” features)
3- Network Inline Bypass Switch Applications
3.1 The Risk of Inline Security Equipment (IPS / FW)
The following is a typical IPS (Intrusion Prevention System) / FW (Firewall) deployment. The IPS / FW is deployed in series between network devices (routers, switches, etc.); it performs security checks on the traffic passing through it and, according to its security policy, decides whether to release or block that traffic, thus providing the security defence.
Because the IPS / FW is an inline device, usually deployed at a key location of the enterprise network, its reliability directly affects the availability of the whole network. Once the inline device is overloaded, crashes, or is taken down for a software or policy update, the availability of the entire enterprise network is severely affected, and at that point the network can only be restored by a cut-over, that is, by physically bypassing the device with a jumper. Inline devices such as an IPS / FW therefore improve enterprise network security on the one hand, but on the other hand reduce network reliability and increase the risk of the network becoming unavailable.
3.2 Inline Link Series Equipment Protection
The Mylinking™ “Network Inline Bypass” is deployed in series between network devices (routers, switches, etc.). The data flow between the network devices no longer goes directly to the IPS / FW; it passes through the “Network Inline Bypass” to the IPS / FW. When the IPS / FW fails because of overload, a crash, a software update, a policy update or a similar condition, the “Network Inline Bypass” detects this promptly through its intelligent heartbeat message detection function and skips the faulty device, connecting the network devices directly so that communication continues without interruption. When the IPS / FW recovers, the same heartbeat detection notices the recovery and restores the original link, so that the security checks on enterprise traffic resume.
The Mylinking™ “Network Inline Bypass” has a powerful intelligent heartbeat message detection function. The user can customize the heartbeat interval and the maximum number of retries and use a custom heartbeat message to health-check the IPS / FW: the heartbeat is sent into the upstream (or downstream) port of the IPS / FW and is expected back from its downstream (or upstream) port, and the IPS / FW is judged to be working normally or not according to whether the heartbeats that were sent are received.
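The following is an added example, not Mylinking firmware or code from this page. It models the heartbeat decision described above: a probe is injected on one monitor port and expected back on the other; after the first miss plus the configured maximum number of retries the link is bypassed, and after a run of good probes the inline path is restored. It also shows the point of section 1: a healthy device that does not forward plain Layer 2 frames would be wrongly bypassed by an L2 heartbeat but is kept inline by a custom TCP heartbeat. The class names, the recovery count and the fake device are assumptions made for the example.

```python
"""Added example (not Mylinking code): heartbeat-based health checking of an
inline IPS / FW and the resulting bypass / restore decision.
Class and parameter names are assumptions chosen for illustration."""

from dataclasses import dataclass, field
from typing import List

INLINE = "inline"   # traffic goes through the IPS / FW
BYPASS = "bypass"   # IPS / FW skipped; the two network ports are joined directly


@dataclass
class HeartbeatMonitor:
    """Counts consecutive misses/hits of the probe and decides the link mode."""
    max_retries: int           # page: "maximum number of retries" after the first miss
    recover_count: int = 3     # assumed: consecutive good probes before re-inserting the device
    state: str = INLINE
    misses: int = 0
    hits: int = 0
    transitions: List[str] = field(default_factory=list)

    def observe(self, returned: bool) -> str:
        """Feed one probe result (True = heartbeat came back on the other monitor port)."""
        if returned:
            self.misses, self.hits = 0, self.hits + 1
            if self.state == BYPASS and self.hits >= self.recover_count:
                self.state = INLINE
                self.transitions.append("restore")
        else:
            self.hits, self.misses = 0, self.misses + 1
            # first miss plus max_retries retries exhausted -> bypass the device
            if self.state == INLINE and self.misses > self.max_retries:
                self.state = BYPASS
                self.transitions.append("bypass")
        return self.state


@dataclass
class FakeInlineDevice:
    """Constructed stand-in for an IPS / FW sitting between monitor ports A and B."""
    up: bool = True
    forwards_plain_l2: bool = True  # False models a device that drops ordinary L2 frames

    def forward(self, heartbeat: dict) -> bool:
        """True if a heartbeat injected on one monitor port reappears on the other."""
        if not self.up:
            return False
        if heartbeat["kind"] == "l2" and not self.forwards_plain_l2:
            return False
        return True


def heartbeat_for(direction: str) -> dict:
    """Per-direction heartbeat as in the page's example: TCP from port A, UDP from port B."""
    if direction == "A->B":
        return {"kind": "tcp", "dport": 65000}
    return {"kind": "udp", "dport": 65001}


def run(results: List[bool], max_retries: int, recover_count: int = 3) -> List[str]:
    """Replay a list of probe outcomes and return the link state after each probe."""
    mon = HeartbeatMonitor(max_retries=max_retries, recover_count=recover_count)
    return [mon.observe(r) for r in results]


def probe_device(device: FakeInlineDevice, heartbeat: dict, probes: int, max_retries: int) -> str:
    """Probe a device `probes` times with one heartbeat type and return the final link state."""
    return run([device.forward(heartbeat) for _ in range(probes)], max_retries)[-1]


if __name__ == "__main__":
    # Constructed outage: device healthy, down for four probes, then healthy again.
    outage = [True, True, False, False, False, False, True, True, True, True]
    print(run(outage, max_retries=2))
    # A healthy device that drops plain L2 frames is wrongly bypassed by an L2 heartbeat
    # but correctly kept inline by a custom TCP heartbeat.
    picky = FakeInlineDevice(forwards_plain_l2=False)
    print(probe_device(picky, {"kind": "l2"}, probes=5, max_retries=2))
    print(probe_device(picky, heartbeat_for("A->B"), probes=5, max_retries=2))
```

The recovery hysteresis (several good probes before re-inserting the device) is not stated on the page; it is included because re-inserting on the first good probe would make a flapping device flap the whole link.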
3.3 “SpecFlow” Policy-Based Traffic Traction for Inline Protection
When the inline security device only needs to process specific traffic, the Mylinking™ “Network Inline Bypass” pre-processes the traffic with a screening policy: traffic the security device is not concerned with is sent straight back onto the network link, and only the “concerned traffic” is pulled to the inline security device for inspection. This preserves the security device’s normal detection function while relieving it of traffic it would process to no purpose. At the same time the “Network Inline Bypass” monitors the working state of the security device in real time, and if the device fails it bypasses the data traffic directly so that the network service is not disrupted.
3.4 Load-Balanced Inline Protection
The Mylinking™ “Network Inline Bypass” is deployed in series between network devices (routers, switches, etc.). When a single IPS / FW cannot handle the peak traffic of the link, the traffic load balancing function of the bypass switch “bundles” several IPS / FW units into a cluster that processes the link traffic together. This reduces the load on each IPS / FW and raises the overall processing capacity to meet the demands of a high-bandwidth deployment.
The Mylinking™ “Network Inline Bypass” has a powerful load balancing function: traffic is hash-distributed according to the frame’s VLAN tag, MAC addresses, IP addresses, port numbers, protocol and other fields, so that all packets of a session reach the same IPS / FW and session integrity is preserved. For an inline device this means both directions of a session must hash to the same unit, so the hash has to be symmetric in the source and destination fields.
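As an added example (not Mylinking code or a description of its ASIC), the following shows hash-based distribution of flows over N inline IPS / FW units using the header fields named above, and why the key must be direction-independent: with the fields hashed in wire order, the client-to-server and server-to-client halves of one TCP session land on different units, which breaks stateful inspection. The `Frame` record, the sorted-endpoint key, the use of blake2b as a stand-in for the hardware hash and the sample flows are all constructed for the example.

```python
"""Added example (not Mylinking code): hash load balancing of traffic over N
inline IPS / FW units using the header fields the page names (VLAN tag, MAC,
IP, port, protocol), with the key made symmetric so both halves of a session
reach the same unit. Names and sample flows are constructed."""

import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int      # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int


def reverse(f: Frame) -> Frame:
    """The same session as seen in the opposite direction."""
    return Frame(f.vlan, f.dst_mac, f.src_mac, f.dst_ip, f.src_ip,
                 f.proto, f.dst_port, f.src_port)


def naive_key(f: Frame) -> bytes:
    """Weak variant: fields in wire order, so A->B and B->A hash differently."""
    return repr((f.vlan, f.proto, f.src_mac, f.src_ip, f.src_port,
                 f.dst_mac, f.dst_ip, f.dst_port)).encode()


def symmetric_key(f: Frame) -> bytes:
    """Corrected variant: sort the two endpoints so the direction does not matter."""
    ends = sorted([(f.src_ip, f.src_port, f.src_mac), (f.dst_ip, f.dst_port, f.dst_mac)])
    return repr((f.vlan, f.proto, ends[0], ends[1])).encode()


def pick_device(key: bytes, n_devices: int) -> int:
    """Map a flow key to one of n_devices; blake2b stands in for the hardware hash."""
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_devices


def distribute(frames: Iterable[Frame], n_devices: int) -> List[int]:
    """Frames per device under the symmetric hash (a rough balance check)."""
    counts = Counter(pick_device(symmetric_key(f), n_devices) for f in frames)
    return [counts.get(i, 0) for i in range(n_devices)]


def sample_flows(n: int) -> List[Frame]:
    """Constructed client->server flows: many clients to one HTTPS server on VLAN 100."""
    return [Frame(100, "00:11:22:33:44:01", "00:11:22:33:44:02",
                  f"10.1.{i // 250}.{i % 250 + 1}", "203.0.113.10", 6, 40000 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(1000)
    print("frames per IPS under the symmetric hash:", distribute(flows, 4))
    f = flows[0]
    print("both directions on the same unit:",
          pick_device(symmetric_key(f), 4) == pick_device(symmetric_key(reverse(f)), 4))
```

Hashing on the full 5-tuple gives the finest spread but means a single fat flow (one large transfer) cannot be split; hashing on fewer fields (for example IP pair only) keeps related flows together at the cost of balance. Either way the sorted-endpoint rule is what guarantees the two directions of a session meet the same IPS / FW.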
3.5 Multiple Inline Devices with Traffic Traction Protection (Changing Serial Connection to Parallel Connection)
At some key links (such as an Internet egress or the server-area switching link), security requirements often lead to several inline security devices being deployed at once (firewall, anti-DDoS equipment, web application firewall, intrusion prevention system, etc.). Several detection devices in series on one link multiply the single points of failure of that link and lower the overall reliability of the network. Bringing such devices online, upgrading or replacing them also causes long service interruptions and requires a large cut-over operation to complete.
By deploying a “Network Inline Bypass” in front of the whole set, the deployment of several security devices in series on the same link changes from “physical series connection” to “physical parallel connection, logical series connection”. This removes the single points of failure from the link and improves link reliability, while the “Network Inline Bypass” pulls link traffic to each device on demand, so the traffic receives the same security processing as in the original mode.
Diagram: several security devices deployed in series at the same time:
Diagram: deployment with the Network Inline Bypass Switch:
3.6 Security Detection Protection Based on a Dynamic Traffic Traction Policy
Another advanced application of the “Network Inline Bypass” is security detection protection based on a dynamic traffic traction policy, deployed as shown below:
Take anti-DDoS protection and detection equipment as an example. The “Network Inline Bypass” is deployed in front, and the anti-DDoS protection device is connected to it. In normal operation the bypass switch forwards the full traffic at wire speed and at the same time mirrors it to the anti-DDoS protection device. Once the anti-DDoS device detects that a server IP (or IP segment) is under attack, it generates a traffic matching rule for that target and pushes it to the “Network Inline Bypass” through the dynamic policy delivery interface. On receiving the rule, the “Network Inline Bypass” updates its “dynamic traffic traction rule pool” and immediately pulls the traffic that hits the rule, that is, the traffic to the attacked server, to the anti-DDoS protection and detection device for processing; after the attack traffic has been handled, the remaining traffic is re-injected into the network.
Compared with traditional BGP route injection or other traffic traction schemes, the scheme based on the “Network Inline Bypass” is easier to implement, depends less on the network environment and is more reliable.
The “Network Inline Bypass” has the following characteristics that support dynamic-policy security detection protection:
1, the “Network Inline Bypass” provides an external rule interface based on WEBSERVICE, for easy integration with third-party security devices.
2, the “Network Inline Bypass” forwards packets on a pure hardware ASIC at up to 10Gbps wire speed without blocking, and the forwarding rate does not depend on the number of rules in the “dynamic traffic traction rule library”.
3, the “Network Inline Bypass” has a built-in professional BYPASS function: even if the bypass switch itself fails, it immediately bypasses the original inline link, so normal communication on the original link is not affected.
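The rule pool behind the anti-DDoS scenario above, as an added example that is not Mylinking code and does not describe the actual WEBSERVICE interface: the detection device pushes a matching rule for a victim IP or prefix, the bypass switch adds it to its traction rule pool, and from then on packets to that destination are steered to the anti-DDoS device while everything else is forwarded directly. The JSON message format, the rule fields, the longest-prefix match, the minimum prefix length guard and the sample destinations are assumptions chosen for the example.

```python
"""Added example (not Mylinking code): a dynamic traffic traction rule pool
fed by a detection device. Message format, rule fields and the over-broad
prefix guard are assumptions; sample addresses are constructed."""

import json
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Iterable, Optional, Union

FORWARD = "forward"    # wire-speed forwarding, with a mirror copy to the detector
REDIRECT = "redirect"  # traction to the anti-DDoS device; cleaned traffic is re-injected

MIN_PREFIXLEN = 24     # assumed guard: refuse a pushed rule that would divert whole blocks


@dataclass
class TractionRule:
    rule_id: str
    target: Union[IPv4Network, IPv6Network]
    action: str = REDIRECT


@dataclass
class TractionRulePool:
    """The 'dynamic traffic traction rule pool' held by the bypass switch."""
    rules: Dict[str, TractionRule] = field(default_factory=dict)

    def push(self, rule_id: str, target: str) -> TractionRule:
        """Policy delivery: the detector announces a victim IP or prefix."""
        net = ip_network(target, strict=False)
        if net.prefixlen < MIN_PREFIXLEN:
            raise ValueError(f"refusing over-broad traction target {net}")
        rule = TractionRule(rule_id, net)
        self.rules[rule_id] = rule
        return rule

    def withdraw(self, rule_id: str) -> bool:
        """Attack over: the detector removes its rule; returns False if unknown."""
        return self.rules.pop(rule_id, None) is not None

    def match(self, dst_ip: str) -> Optional[TractionRule]:
        """Longest-prefix match over the pool (linear scan is fine for a demo)."""
        addr = ip_address(dst_ip)
        best = None
        for rule in self.rules.values():
            if addr.version == rule.target.version and addr in rule.target:
                if best is None or rule.target.prefixlen > best.target.prefixlen:
                    best = rule
        return best

    def classify(self, dst_ip: str) -> str:
        """Decide, per packet, whether it is pulled to the scrubber or forwarded."""
        rule = self.match(dst_ip)
        return rule.action if rule else FORWARD


def apply_policy_message(pool: TractionRulePool, message: str) -> bool:
    """Handle one JSON policy message from the detector (assumed format).
    Malformed messages and invalid or over-broad targets are rejected."""
    try:
        msg = json.loads(message)
        if msg["op"] == "add":
            pool.push(msg["id"], msg["target"])
            return True
        if msg["op"] == "delete":
            return pool.withdraw(msg["id"])
    except (ValueError, KeyError, TypeError):
        return False
    return False


def steer(pool: TractionRulePool, dst_ips: Iterable[str]) -> Dict[str, int]:
    """Count how a batch of packets (by destination) is split between the two paths."""
    counts = Counter(pool.classify(ip) for ip in dst_ips)
    return {FORWARD: counts[FORWARD], REDIRECT: counts[REDIRECT]}


if __name__ == "__main__":
    pool = TractionRulePool()
    # Constructed detector message: server 203.0.113.10 is under attack.
    print(apply_policy_message(pool, '{"op": "add", "id": "r1", "target": "203.0.113.10"}'))
    print(steer(pool, ["203.0.113.10", "198.51.100.1", "203.0.113.10"]))
    # An over-broad rule is refused so a faulty detector cannot divert the whole link.
    print(apply_policy_message(pool, '{"op": "add", "id": "bad", "target": "0.0.0.0/0"}'))
```

The guard on prefix length is the check a practitioner would want on any externally pushed rule: the detector is trusted to name victims, not to redefine where the whole link goes.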
Post time: Dec-23-2021