Bypass operating principle
This section presents Information regarding bypass components, their interactions and communication modes, as well as how bypass operates.
Bypass components and interactions
Microcontroller
The microcontroller (or uController) is an essential component of the bypass. When it triggers the bypass mechanism, the bypass communication mode changes. This change is known as a "switch".
There are two possible types of switch:
- When the bypass mechanism is enabled (ready to be triggered), and a critical hardware or software failure occurs on the SNS firewall, the microcontroller triggers the bypass mechanism, which switches the communication mode from normal to bypass mode. Depending on the type of failure, the microcontroller will immediately trigger the bypass mechanism, or wait for the watchdog to time out.
- When the bypass mechanism has been triggered, the communication mode remains in bypass mode as long as the bypass mechanism has not been reset. Resetting the bypass mechanism switches the communication mode from bypass to normal mode.
Watchdog
The watchdog, which is built into the microcontroller, serves as a timer, which can be configured in the SNS firewall's settings.
When the status of the watchdog can no longer be refreshed by the SNS firewall hardware manager, especially when the SNS firewall's operating system is no longer responding or is saturated, the timer will start counting down. When the timer is at zero, this means that the idle timeout has been reached, and the microcontroller triggers the bypass mechanism (switch to bypass mode).
Bypass segments
A bypass segment consists of two interfaces that are associated as a pair. This association is set in the hardware and cannot be changed.
When the bypass mechanism is triggered (switch to bypass mode), all network traffic from the bypass segment will be diverted from one interface to the other, and passes through the SNS firewall without being analyzed.
Bypass communication modes and switching
Bypass communication mode switching depends on the bypass mechanism. When the mechanism is triggered, the communication mode on the interfaces in the bypass segment switches from one mode to another.
There are two bypass communication modes.
Normal communication mode
This is the default communication mode for the bypass.
In this mode, network interface connections on the bypass segment are connected to network controllers. The SNS firewall's security rules then apply to the network traffic.
Bypass communication mode
This mode is used only when the bypass mechanism has been triggered.
In this mode, network interface connections on the bypass segment are disconnected from network controllers, and diverted to the other interface to create a looped crossover connection. All network traffic is then diverted from one interface to the other, and passes through the SNS firewall without being analyzed.
Switch time
This is the time that the bypass mechanism needs to switch from one communication mode to another. This takes approximately 100 ms.
IMPORTANT
The switch time does not correspond to the recovery time as other elements have to be taken into consideration. This duration is explained in the section Configuring bypass in Safety mode.
Bypass operating modes
Two operating modes enable interaction with bypass's communication modes.
Security mode |
Safety mode |
|
Prioritizes network security and protection. |
Prioritizes service continuity. |
|
Default operating mode when Safety mode is not enabled. |
Operating mode that needs to be manually enabled in the SNS firewall configuration. |
|
The bypass function remains permanently disabled.
The bypass communication mode permanently remains in normal mode. |
The bypass mechanism is enabled, meaning that it is ready to be triggered.
When a triggering event occurs, the bypass mechanism is then triggered, which will switch the bypass mechanism's communication mode. |
NOTE
Safety mode is explained in the section Configuring bypass in Safety mode.