Vendors of network security platforms often need a special feature called Bypass. What is Bypass, and how is a Bypass device implemented? This article gives a brief introduction to Bypass technology.
I. What is Bypass
As you know, network security devices are generally deployed between two or more networks, for example between the intranet and the Internet. The applications running on the device analyze the network packets to determine whether a threat exists and, after processing, forward them according to certain routing rules. If the device fails, for example after a power failure or a crash, the network segments connected through it lose connectivity. If those networks must stay connected to each other in that situation, Bypass is required.
Bypass, as its name implies, is a bypass function: on a specific trigger (power failure or crash), the two networks are physically connected to each other without passing through the network security device. With Bypass enabled, when the device fails, the networks connected to it remain connected to each other; of course, the device does not process any packets on the network in this state.
The following illustration shows the Bypass method. On the left, packets between the two networks are transmitted only after being processed by the application software. On the right, when the device is in Bypass, the application no longer processes network packets.
II. Bypass classification and application methods
Bypass is generally classified by its control or trigger mode, into the following methods:
1. Triggered by power supply. In this mode, Bypass is enabled when the device is not powered; once the device is powered on, Bypass is immediately switched off.
2. Controlled by GPIO. After the OS is up, a program can operate on specific GPIO ports to switch Bypass on or off.
3. Controlled by Watchdog. This is an extension of method 2: the Watchdog enables or disables the GPIO Bypass, thereby controlling the Bypass state. With this method, if the platform crashes, the Watchdog can enable Bypass.
In practical applications, these three modes often coexist, especially modes 1 and 2.
The following is the Bypass state description of the Yanhua FWA-3140 series, for reference.
The general application sequence is: when the power is off, the device is in the Bypass state. After the device is powered on, the BIOS can operate on the Bypass, so Bypass remains enabled after the BIOS takes over, and then the OS starts. After the OS has started, the GPIO Bypass program is generally executed to close the Bypass, so that the application can take over.
That is to say, almost no network disconnection occurs during the entire startup process. The network is disconnected only for a short period of 2-3 seconds between the device being powered on and the BIOS taking control. For a more specific application, refer to the following article, which uses the FWA-3140 as its example: Http://www.panabit.com/document/panabit_bypass.html
III. Principle analysis of the Bypass implementation
The above briefly describes the Bypass control methods. The following briefly describes the working principle of Bypass, from the hardware and software aspects, using the Yanhua FWA-3140 series as the research object.
1. Hardware layer
In terms of hardware, Bypass is implemented mainly with relays. These relays are connected to each signal line of the two network ports of a Bypass pair. One signal line is used below to describe how the relays work.
Taking power supply as the example: when power is off, the switch in the relay jumps to position 1, so that the Rx of the LAN1 RJ45 interface is directly connected to the Tx of the LAN2 RJ45 interface. When the device is powered on, the switch moves to position 2, so that communication between LAN1 and LAN2 must then go through the application on the device.
2. Software layer
In the Bypass classification above, we mentioned the GPIO and Watchdog methods of controlling and triggering Bypass. In fact, both methods operate on GPIO, and the GPIO in turn controls the relays on the hardware to make the corresponding jump. Specifically, if the corresponding GPIO is set to a high level, the relay jumps to position 1; conversely, if the GPIO is set to a low level, the relay jumps to position 2. The GPIO control method is illustrated below using the Yanhua FWA-3140 as the example.
For example, writing "0" or "1" to Bit3 of GPIO27 switches the Bypass formed by LAN1/2. Similarly, operating on GPIO28 controls the LAN3/4 Bypass.
In DOS, the Debug program can be used to test the Bypass control method and its state.
With the above example, the Bypass state can be completely controlled by software.
In addition, Watchdog Bypass is built on top of the GPIO control above. First, the system activates the Watchdog function. Traditionally, when the Watchdog fires, the system resets. With the Watchdog Bypass function, however, the system does not reset when the Watchdog fires; instead, the corresponding network port Bypass is opened, putting the device into the Bypass state. This kind of Bypass is in fact still controlled by GPIO, but here it is the Watchdog that writes the low level to the GPIO, so no additional program is needed to write the GPIO.
It is worth noting that if Watchdog Bypass is used, the Watchdog can no longer reset the system. Taking the Yanhua FWA-3140 as an example, the motherboard has a 3-pin jumper: if it is set to 1-2, the Watchdog performs the traditional reset action; if it is set to 2-3, the Watchdog Bypass function is selected, and when the Watchdog fires the system enables Bypass.
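The control chain described in sections II and III (power-on default, GPIO bit write, relay position, and Watchdog timeout that engages Bypass instead of resetting) can be followed end to end in the following simulation. This is an added example, not code from the article or from the FWA-3140 vendor: the GPIO registers are modelled as plain bytes in memory because the board's I/O port addresses are not given here, the bit used within GPIO28 and the high-equals-position-1 polarity are assumptions taken from the text, and the Watchdog is a simple tick counter standing in for the hardware timer.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: GPIO bit -> relay position -> whether a LAN pair is
 * wired straight through (Bypass) or routed through the application. */

enum lan_pair { PAIR_LAN12 = 0, PAIR_LAN34 = 1 };
enum relay_pos { RELAY_POS1_BYPASS = 1, RELAY_POS2_THROUGH = 2 };

#define GPIO27_LAN12_BIT 3 /* Bit3 of GPIO27 switches LAN1/2 (from the article) */
#define GPIO28_LAN34_BIT 3 /* assumption: the page names GPIO28 but not the bit */

/* Polarity assumption: GPIO high -> relay position 1 (Bypass engaged),
 * GPIO low -> position 2 (traffic passes through the application).
 * The board documentation decides the real polarity. */

struct bypass_ctl {
    uint8_t gpio27;       /* simulated register for the LAN1/2 pair */
    uint8_t gpio28;       /* simulated register for the LAN3/4 pair */
    unsigned wdt_timeout; /* watchdog timeout in ticks */
    unsigned wdt_counter; /* ticks since the last heartbeat */
    bool wdt_bypass_mode; /* jumper 2-3: timeout engages Bypass, no reset */
    bool reset_requested; /* jumper 1-2: timeout would reset the system */
};

static uint8_t *pair_reg(struct bypass_ctl *c, enum lan_pair p) {
    return p == PAIR_LAN12 ? &c->gpio27 : &c->gpio28;
}

static uint8_t pair_mask(enum lan_pair p) {
    return (uint8_t)(1u << (p == PAIR_LAN12 ? GPIO27_LAN12_BIT : GPIO28_LAN34_BIT));
}

/* Write "1" (engage Bypass) or "0" (release Bypass) to the pair's control bit. */
void bypass_set_pair(struct bypass_ctl *c, enum lan_pair p, bool engage) {
    uint8_t *reg = pair_reg(c, p);
    if (engage)
        *reg |= pair_mask(p);
    else
        *reg &= (uint8_t)~pair_mask(p);
}

/* Relay position implied by the current GPIO level of the pair. */
enum relay_pos relay_position(struct bypass_ctl *c, enum lan_pair p) {
    return (*pair_reg(c, p) & pair_mask(p)) ? RELAY_POS1_BYPASS : RELAY_POS2_THROUGH;
}

/* Power-on state (mode 1): relays de-energised, Bypass engaged on both pairs. */
void bypass_power_on(struct bypass_ctl *c, unsigned wdt_timeout, bool wdt_bypass_mode) {
    c->gpio27 = 0;
    c->gpio28 = 0;
    c->wdt_timeout = wdt_timeout;
    c->wdt_counter = 0;
    c->wdt_bypass_mode = wdt_bypass_mode;
    c->reset_requested = false;
    bypass_set_pair(c, PAIR_LAN12, true);
    bypass_set_pair(c, PAIR_LAN34, true);
}

/* Application heartbeat: a healthy application kicks the Watchdog regularly. */
void watchdog_kick(struct bypass_ctl *c) { c->wdt_counter = 0; }

/* One Watchdog tick. On timeout, the jumper setting decides between
 * engaging Bypass on both pairs (2-3) and requesting a system reset (1-2). */
void watchdog_tick(struct bypass_ctl *c) {
    if (++c->wdt_counter < c->wdt_timeout)
        return;
    c->wdt_counter = 0;
    if (c->wdt_bypass_mode) {
        bypass_set_pair(c, PAIR_LAN12, true);
        bypass_set_pair(c, PAIR_LAN34, true);
    } else {
        c->reset_requested = true;
    }
}

int main(void) {
    struct bypass_ctl c;
    bypass_power_on(&c, 3, true); /* jumper 2-3, timeout of 3 ticks */
    printf("power on:       LAN1/2 relay position %d\n", relay_position(&c, PAIR_LAN12));
    bypass_set_pair(&c, PAIR_LAN12, false); /* OS Bypass program closes the Bypass */
    printf("OS started:     LAN1/2 relay position %d\n", relay_position(&c, PAIR_LAN12));
    for (int t = 0; t < 3; t++) /* crashed application stops kicking */
        watchdog_tick(&c);
    printf("after watchdog: LAN1/2 relay position %d\n", relay_position(&c, PAIR_LAN12));
    return 0;
}
```

The sequence in main mirrors the startup described in section II: Bypass is engaged from power-on, the OS releases it by writing the control bit, and a Watchdog timeout in jumper position 2-3 re-engages it without a reset, so the link stays up while the device stops inspecting traffic.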