IPS High Availability

Deploying an IPS sensor into the traffic stream (inline mode) introduces a new device in the data path that can possibly fail and prevent traffic from flowing.

High availability is defined as building into the network the capability of the network to cope with the loss of a component while preserving network functionality.

There are three possible solutions to resolve situations in which the inline IPS device may fail:

• Fail-open mechanism: A hardware or software fail-open mechanism that is able to detect problems and bypass the sensor, in the event of a device failure. Traffic stream should go uninterrupted through the device without inspection when required.

• Failover mechanism: A redundancy mechanism that can provide one or more data paths through the network to allow packets, in the event of a device failure. The secondary path can be set up to either go through a backup IPS sensor or through a plain wire.

• Load-balancing mechanism: A hardware or software load-balancing feature to split the traffic load across multiple devices; this can achieve both higher data rates and redundant paths in the event of a device failure.

The following sections take a closer look at these three solutions.

IPS Fail-Open Mechanism

One of the best case options is reliance on fail-open, but this strategy leaves the network with no protection and can bring down the entire network if intrusion is successful.

There are two possible options in fail-open—hardware and software fail-open:

• The hardware-based fail-open mechanism works by closing a circuit based on power loss, link failure, or potential software triggers. The hardware-based fail-open mechanism provides uninterrupted access to the network, thereby allowing packets to pass directly uninspected, bypassing the sensor. The hardware-based bypass is not efficient and remains a single point of failure because a physical layer failure or a problem in a device can still cause the network to shut down. This is true for all hardware bypass mechanisms.

• The software-based fail-open mechanism works by building the intelligence within the sensor software, through a built-in software feature that passes packets when a failure is detected. This feature is in most cases user configurable, allowing a user three choices: On, Off, and Auto. The Bypass Off prevents a bypass from occurring. This is designed for network instances where the flow of uninspected is not desired. The Bypass On forces the sensor to pass all packets uninspected. This is useful for troubleshooting when a network problem is detected dynamically, and the IPS device is a suspect. The Bypass Auto lets the sensor inspect packets until for some reason the sensor is not forwarding the packets. At that point, the Bypass Auto feature comes into action to ensure that traffic continues to flow uninterrupted and uninspected.

Failover Mechanism

As mentioned earlier, a good network design incorporates high availability into the network, and not into a single piece of hardware or software. Network failover allows the network to recover from a device or physical layer failure. There are two possible options in this scenario:

• Layer 3: PIX/ASA Failover, Cisco IOS HSRP

• Layer 2: Spanning Tree

Traditional IPS sensors (usually the non-Layer 3) cannot detect or control network failover. Traditional IPS sensors function like a wire, and a failure of the sensor would look like a failure of a wire. The network will respond accordingly. Fail-open capabilities may help but cannot truly solve the issue.

Fail-Open and Failover Deployments

Cisco IPS appliance sensor offers the following solutions:

• Deploy a standalone sensor in hardware bypass mode.

• Deploy redundant sensors using a spanning tree for active/passive failover.

• Deploy redundant sensors using a spanning tree for high availability (along with plain wire).

Load-Balancing Technique

Cisco IPS sensors can be deployed inline as part of an EtherChannel (EC) to provide redundancy.

• Allows up to eight sensors deployed, inspecting the same data set.

• Relies on an EC algorithm to split data flow among the different inspection detection system (IDS) modules. This cannot guarantee equal load, though.