There was a recent blog on APMdigest by Pete Goldin — Protecting Network Performance is as Essential as Securing the Network — that I wanted to follow up on.
As mentioned in the blog, performance issues and outages are possible when security tools (like an IPS, WAF, etc.) are inserted inline. However, one easy way to mitigate this concern is to deploy a bypass switch before the inline tool. This creates a fail-over mechanism to let traffic continue to flow downstream, should there be a tool failure. Heartbeat signals between the bypass switch and the tool can create a self-healing architecture that restores normal traffic inspection protocols once the security tool comes back online.
While some tools have internal bypass switches, these internal bypass switches can actually lower the mean time between failure (MTBF) for that type of deployment scenario. External bypass switches deliver an improved confidence in network and application reliability without costing an arm and a leg.
In addition, should you want to remove the tool from service altogether (or perform maintenance upgrades), the bypass switch can accommodate that with minimal (on the order of milliseconds) service disruption.
Another concern raised from the SANS report referenced in the blog was that some of features do not get activated on inline tools because of the performance hit associated with many of those features (e.g., SSL decryption, deduplication). A quick solution to this is deploy a network packet broker (NPB). The best place to insert the NPB is between the bypass switch and the security tool(s), as this can provide an even stronger level of network reliability, especially if traffic load balancing or high availability features are deployed on the NPB.
From a performance perspective though, this is where you can really see a benefit. Instead of activating SSL decryption on your firewall and slowing the throughput to a crawl, perform the decryption/encryption functionality on the NPB (which should have dedicated resources to perform the function). Now you can perform the decryption functions you need to inspect for encrypted malware and also maintain the level of network performance that your internal and external customers demand.
