Wednesday, May 09, 2012

The origin of Ethernet "bypass" switches

In networking, a hardware "bypass" is a device that is inert when powered off, connecting the copper wires or fiber optics straight through. When powered on, it flips relays and redirects network traffic through an intermediate device, such as an IPS, load balancer, web accelerator, or web-app firewall. If that device fails (or loses power), the relays switch back and traffic continues to flow as normal; in other words, a bypass "fails open". You don't use these things for traditional firewalls, because there you want things to "fail safe" (fail closed), stopping all traffic in case of failure, but you use them for pretty much every other inline device.

The first bypass I know of was created by me back in 1998 for BlackICE Guard (the first IPS). This was back in the days of 100 Mbps copper, when such devices could be built with simple relay switches. If I remember correctly, our first unit was an external device powered by the keyboard connection, and we used the serial port to communicate with it (level triggering on one of the RS-232 control pins). On startup, we first put the Ethernet adapters into forwarding mode, then sent a signal to flip the relays and insert ourselves into the traffic. We'd then ping the device on a regular basis to keep the relays engaged, so that if our software crashed, within a quarter second the relays would switch back again, allowing traffic to flow normally.
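The heartbeat-and-watchdog logic described above, modelled in software as an added example. This is not BlackICE code and makes no claim about how that unit was actually wired; it only assumes the facts in the post: relays de-energized means straight-through, a software keepalive holds them engaged, and the watchdog drops back to bypass after 250 ms without a keepalive. The `heartbeat()` call stands in for asserting the RS-232 control line, `poll()` for the hardware timer, the `fail_open=False` variant shows the fail-closed behaviour a firewall would want instead, and the frames and the `EVIL` block pattern are constructed test data.

```python
# Added example (not BlackICE code): a fail-open bypass relay driven by a
# software heartbeat, plus a fail-closed variant for comparison.
from enum import Enum
from typing import Callable, List, Tuple


class RelayState(Enum):
    BYPASS = "bypass"    # relays de-energized: the two ports are wired straight through
    INLINE = "inline"    # relays energized: traffic is diverted through the inspection box
    BLOCKED = "blocked"  # fail-closed variant only: the link goes dark


class BypassRelay:
    """Relay unit plus watchdog. heartbeat() = assert the control line (assumed
    to be an RS-232 pin), poll() = the timer that de-energizes the relays when
    the line has not been refreshed within `timeout` seconds (250 ms here)."""
    def __init__(self, now: Callable[[], float], timeout: float = 0.25,
                 fail_open: bool = True) -> None:
        self._now = now
        self._timeout = timeout
        self._fail_state = RelayState.BYPASS if fail_open else RelayState.BLOCKED
        self._last_heartbeat = 0.0
        self.state = self._fail_state  # powered off / software not yet running

    def heartbeat(self) -> None:
        """Software is alive: energize (or keep energized) the relays."""
        self._last_heartbeat = self._now()
        self.state = RelayState.INLINE

    def poll(self) -> RelayState:
        """Watchdog check; returns the state the wire is in right now."""
        if (self.state is RelayState.INLINE
                and self._now() - self._last_heartbeat > self._timeout):
            self.state = self._fail_state
        return self.state


class InlineDevice:
    """Toy IPS: drops any frame containing a constructed 'bad' pattern."""
    def __init__(self, block_pattern: bytes = b"EVIL") -> None:
        self.alive = True
        self.block_pattern = block_pattern

    def inspect(self, frame: bytes) -> bool:
        """True = forward, False = drop. Raises if the process has crashed."""
        if not self.alive:
            raise RuntimeError("inspection engine crashed")
        return self.block_pattern not in frame


def deliver(relay: BypassRelay, ips: InlineDevice, frame: bytes) -> str:
    """Fate of one frame on the wire, given the current relay state."""
    state = relay.poll()
    if state is RelayState.BYPASS:
        return "passed-uninspected"  # copper straight through, IPS never sees it
    if state is RelayState.BLOCKED:
        return "blocked"             # fail-closed: nothing passes
    try:
        return "forwarded" if ips.inspect(frame) else "dropped-by-ips"
    except RuntimeError:
        return "lost"                # relays still divert into a dead box


def run_scenario(fail_open: bool = True) -> List[Tuple[float, bytes, str]]:
    """Boot, run inline, crash the IPS, and watch the watchdog react."""
    now = [0.0]                      # simulated clock, advanced by hand
    relay = BypassRelay(lambda: now[0], timeout=0.25, fail_open=fail_open)
    ips = InlineDevice()
    log: List[Tuple[float, bytes, str]] = []

    def send(frame: bytes) -> None:
        log.append((round(now[0], 2), frame, deliver(relay, ips, frame)))

    send(b"EVIL frame 0")            # before the software starts: relays de-energized
    relay.heartbeat()                # engine ready, now insert ourselves into the path
    send(b"EVIL frame 1")
    send(b"good frame 1")
    for _ in range(5):               # steady state: refresh the line every 100 ms
        now[0] += 0.1
        relay.heartbeat()
    ips.alive = False                # crash: no more heartbeats from here on
    now[0] += 0.1
    send(b"good frame 2")            # 100 ms after the last heartbeat: still inline, frame lost
    now[0] += 0.2
    send(b"good frame 3")            # 300 ms after the last heartbeat: watchdog has fired
    send(b"EVIL frame 2")
    return log


if __name__ == "__main__":
    for mode in (True, False):
        print("fail_open =", mode)
        for t, frame, outcome in run_scenario(mode):
            print(f"  t={t:.2f}s {frame!r:16} {outcome}")
```

The run shows the trade-off the post is making: in fail-open mode the only outage is the window between the crash and the watchdog firing (a quarter second here), after which traffic flows but is no longer inspected, so `EVIL frame 2` gets through; in fail-closed mode the link stays dark until the software comes back, which is what you want from a firewall and not from an IPS.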

That approach couldn't work for gigabit Ethernet, so we worked with a contract manufacturer to build the bypass into the Ethernet card itself; the manufacturer then immediately marketed it to other clients.

None of our early IPS competitors had bypass; they assumed customers wanted an IPS to "fail safe" like a firewall, and this was a major selling point for us. Now all IPSs have bypasses.

We had to invent our own because we could find no existing solution, but these days such things are quite common. There is a Wikipedia page on it, and such cards are readily available everywhere, such as from NewEgg.com.

So my question is this: were we really the first, or does somebody know of an Ethernet bypass adapter that predates 1998? Also, does anybody have a picture of the first BlackICE bypass unit?

4 comments:

Anonymous said...

Silicom claims they've been in the industry for over 20 years -> 1992-ish, but whether they made bypass cards before 1998 is a good question, since it seems they were making laptop cards around then.

Anonymous said...

Can you elaborate on why bypass relays don't work for gigabit copper links?

I understand the full-duplex nature of each pair in a gigabit link, but don't see why you can't jam relays in there and re-terminate the link yourself.

Anonymous said...

Ask Juancho, he'll remember!!!

Unknown said...

I understand the full-duplex nature of each pair in a gigabit link, but don't see why you can't jam relays in there and re-terminate the link yourself. Thanks for sharing this nice blog