Network TAP INLINE Network Security Solution based on NetTAP® Strategic Traffic Protector
Highly Flexible Network Security Solution

Deploying security devices inline in the network is dangerous, and the more devices, the more dangerous:
- Complex Architecture
- Single Point of Failure
- Lack of Flexible Management
- High Cost

Implement a security pool inline security tool
Monitoring of Security Tool Status Depends on Heartbeat Packets
SPAN Switch & NPB Introduction

NT-MBYP Modular Strategy Traffic Protector
1- Support 1G/10G/40G/100G Interface
•Warning when traffic utilization is abnormal
•Inline Connection, supports Service Chain, supports Heartbeat Packet Settings
2- All ports are Wire Speed
•Inline Connection, supports Service Chain, supports Band Custom Heartbeat Packet
•Dual power/fan module
•Extensive Packet Filtering Capabilities (Layer2-4)
•Dual Failover Modes
•HA High availability working mode
3- Why external Bypass? Compare with integrated Bypass
•External Bypass is five times as reliable
•MTBF (Mean Time Between Failures)
•External Bypass: 450,000
•Integrated Bypass: 80,000
•Easy to replace damaged equipment
•No need to stop network
•Standard 19” 1U equipment
4- 1RU Cabinet, multiple Business Module supported
•100G Inline Business Module/Monitor Business Module
•40G Inline Business Module/Monitor Business Module
•10G Inline Business Module/Monitor Business Module
Active Heartbeat Detection
Prevent Overload or Crash of Security Tools
Benefits:
•External Bypass function keeps the network running without interruption during downtime or maintenance of directly connected equipment
•Abnormal Traffic Utilization Warning
•Improved online time
•Heartbeat packet monitors the system status of directly connected devices
Strategic Traffic Protection
Traffic Distribution Based on Strategy

•The Network Packet Broker (NPB) load-balances traffic to the WAF & DBM devices, with no need to connect them inline
•Reduces the cost of monitoring and improves its efficiency
IPS/FW/WAF Dual Machine Deployment Solution in Transparent Mode
1- Dual-machine deployment depends on the upstream and downstream equipment, and traffic switchover depends on the switching protocol of that upstream and downstream equipment
2- All four devices run the OSPF dynamic routing protocol in the same area
3- Traffic steering on the host link side is determined by the routing “cost” value on that side
4- Link switching is realized by OSPF routing convergence
5- IPS/FW/WAF Dual Machine Work Mode Points
•Transparent Mode
•Both the primary and backup devices should have forwarding turned on
•Session state requires synchronization
6- Fault Switching Features
•Fast Convergence of Link Faults (OSPF triggered update)
•Slow Convergence on Equipment Failure (OSPF Adjacency Timeout)
Dual Machine Hot Standby Switch Based on VRRP
Traffic Distribution Based on Strategy

1- Dual Machine Hot Standby is achieved through VRRP switchover on the upstream and downstream sides
2- Failover depends on the following factors:
•With STP enabled, the STP BPDU must time out before the topology is regenerated and the address table refreshed
•With STP disabled, the backup firewall must turn off forwarding, and convergence is faster
3- Control of primary and secondary links
•With STP enabled, the main link is controlled by STP
•With STP disabled, the main link is determined by the firewall
Idea of Inline optimization Solution
1- Two Security Tools for Primary and Secondary Upgrade - Increase Equipment Utilization
2- Two Security Tools run independently
•BYPASS Protector provides Load Balance Distribution
•BYPASS Protector handles Status Monitoring and Fault Switching - faster
•BYPASS Protector ensures session consistency under Asymmetric Routing
3- Switch from Inline Mode to SPAN Mode - improves reliability
4- BYPASS protector is highly reliable
BYPASS Dual Machine Deployment
Load Sharing [increase equipment utilization rate]
Mutual backup [faster and more accurate fault switching]
Strategy Traffic Traction [reduce equipment load]
Solving Asymmetric Routing [ensuring Load Session consistency upstream and downstream]

Solution Optimization of Network TAP INLINE Network Security Solution based on NetTAP® Strategic Traffic Protector
Before:
1- The IPS (or NGFW) can become a performance bottleneck and a single point of failure along links
2- Two WAFs work separately, so each can easily become a performance bottleneck or single point of failure
3- All traffic goes through the WAF, including non-HTTP/HTTPS traffic that the WAF can't handle, placing an additional burden on the WAF and reducing performance
4- Cutover requires a long network interruption and is a complex, high-risk operation
5- In an asymmetric routing environment, the network loses security protection
After:
1- Load sharing & backup across two IPS (or NGFW) devices to improve the performance and reliability of the IPS (or NGFW)
2- Load sharing & backup between two WAFs to improve WAF performance and reliability
3- WAF only needs to handle HTTP/HTTPS traffic, which greatly improves the actual processing power of WAF
4- Replacing faulty equipment is simple, fast and low risk; most importantly, the network is no longer cut off during cutover!
5- Thoroughly solves the problem of network security under asymmetric routing
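
The behaviour described above, modelled as an added example (not NetTAP code or configuration): only HTTP/HTTPS is steered to a WAF pool, a direction-independent flow hash keeps both directions of a session on the same tool, and missed heartbeats trigger failover and finally bypass. The class and tool names, the port policy and the three-missed-heartbeats threshold are assumptions.

```python
import zlib
from dataclasses import dataclass

WEB_PORTS = {80, 443}    # assumed policy: only HTTP/HTTPS is steered to the WAF pool
MAX_MISSED = 3           # assumed threshold of consecutive lost heartbeats

@dataclass
class Tool:
    name: str
    missed: int = 0      # consecutive heartbeats that did not come back

    @property
    def healthy(self):
        return self.missed < MAX_MISSED

class Protector:
    """Hypothetical model of a bypass protector in front of a pool of inline WAFs."""

    def __init__(self, tools):
        self.tools = tools

    def heartbeat(self, name, returned):
        # A heartbeat is sent through the tool; 'returned' says whether it came back.
        for t in self.tools:
            if t.name == name:
                t.missed = 0 if returned else t.missed + 1

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Sort the two endpoints so request and reply produce the same key,
        # even when they arrive on different links (asymmetric routing).
        a, b = sorted([(src, sport), (dst, dport)])
        return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()

    def steer(self, src, sport, dst, dport, proto="tcp"):
        if proto != "tcp" or not ({sport, dport} & WEB_PORTS):
            return "BYPASS"          # non-web traffic never loads the WAF
        alive = [t for t in self.tools if t.healthy]
        if not alive:
            return "BYPASS"          # link stays up, but this traffic is uninspected
        h = zlib.crc32(self.flow_key(src, sport, dst, dport, proto))
        return alive[h % len(alive)].name
```

When every tool in the pool is down the model returns BYPASS for web traffic as well, so that state is worth alerting on: the link is up but nothing is inspecting it.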