Understanding Passive and Active Security Architectures

What is the difference, and how can both approaches be used to create a next generation security posture?

The evolution of network security

Cast your mind back, when the Millennium Bug was destined to drop planes from the skies, traffic lights were mysteriously going to cease to operate and cars would run in to each other like a scene in a post-apocalyptic horror movie. This was about the same time that the majority of internet related breaches were stopped by routers with ACL’s, firewalls and good antivirus software. 

Then came some smart tools that were fed from SPAN/Mirror ports and looked for matching signatures and rules that were deemed to be threatening and triggered alarms for investigation/remediation. 

Passive Security

This is what is known as Passive Security. Passive Security is where tools receive a copy of network data and can either use this to store, or alert when a potential breach or anomaly occurs on the network. Passive security as also moved on from having tools installed on SPAN or MIRROR ports, to the use of

Network TAPS and Network Packet Brokers

Network Test Access Ports (TAPs) enable a copy of network data to be directed to your tools without risk of dropping packets, or over-subscription of your SPAN port (think of trying to run 80% utilised FDx link out through a HDx Span port!) Packet Brokers are also a part of the visibility fabric of the network, they are usually deployed in conjunction with TAPs or from SPAN ports and allow additional features including aggregation, regeneration, de-duplication, media conversion, filtering etc.

Ixia Passive Security Packet Broker

Deploying Packet Brokers with Passive Tools

Packet Brokers have been such an important phase in the evolution of network security monitoring. They have not only helped to drastically reduce the cost of deploying passive tools, they also create the ability to replicate data to many tools, alleviating SPAN contention issues, enable you to aggregate feeds in to fewer tools, take the load off analysis tools by providing packet de-duplication and filtering.

The move to inline security architecture..

No sooner were enterprises comfortable with the results of their forensic and IDS systems, then naturally the desire to block threats came and to stop sensitive documents from being leaked outside of the organisation, or stolen. With these tools needing to be a integral part of the data flow, they now had to be deployed inline to be able to do their job. 

The use of inline tools is common place in enterprise networks, as we need to protect against a wide variety of attacks and data leakage originating from both internal and external sources.

Multiple Inline Tools

Challenges and considerations of deploying inline security

Once you start to consider deploying inline tools, then there are many things you must consider as these tools now become a ‘bump in the wire’ and are critical to the flow of data through your network:

  • How do I carry out maintenance on the tool (s)?
  • How will the network behave if one or more of the tools fail, either individually or at the same time?
  • Is the tool getting overloaded with traffic that it doesn’t need to see?
  • How do I protect against asymmetrically routed traffic?
These challenges are easily overcome with the use of Ixia Network Packet Brokers and Ixia Bypass TAPS, as well as providing you with a much more resilient inline security infrastructure and improved security posture. We can also deploy these in high availability configuration to retain network resilience.
Ixia Bypass Resiliance

This diagram shows how using Ixia’s Bypass solutions combined with Packet Brokers you can take inline tools, and deploy strategically and safely, by taking them away from the critical fault domain whilst retaining their ability to protect and stop attacks just as they were deployed to. Please view this video to understand how Bypass solutions should be deployed:


Out of Band vs Inline / Active Packet Brokering

Out of Band Packet Brokering

  • Traffic Sources; Network Taps, SPAN/Mirror Ports
  • One Direction
    Once sent to the tool it is forgotten about.
  • Traffic can be Filtered, Aggregated, Load Balanced, etc….
  • Advanced Features, such as AppStack & PacketStack, can help groom packets before being sent to tools.
  • Limited selection of SSL/TLS Ciphers can be decrypted.

Inline / Active Packet Brokering

  • Traffic Source ; Bypass Taps – Sits directly inline in traffic path
  • Bi-Directional
    Traffic is returned to the network or blocked following inspection by the tools.
  • Traffic can be Filtered, Aggregated, Load Balanced, etc….
  • Limited use case for Advanced Features. You don’t want to change live network traffic.
  • Most SSL/TLS Ciphers can be decrypted and then re-encrypted post inspection.

More information on Ixia’s range of  solutions and a link to some on our online shop can be found here

Ixia Taps & Packet Brokers

Or via Ixia’s site here:


Iris Networks carry the complete range of solutions for Ixia, should you wish to discuss your requirements in more detail please call us on 01925 357770 or email sales@irisnetworks.co.uk

Thankyou to Ixia for use of content for purposes of this blog.

Do NOT follow this link or you will be banned from the site!