Network Data Processor - Deep Content Inspection At Wire Line Speeds
Deployment Mode
Transparent Bridge Configuration – Proxy Mode
In this mode, BeSecure is installed as a Layer 2 transparent bridge into the traffic path. No network reconfiguration is required. The BeSecure is, however, assigned an IP address. Non-scanned traffic passes through transparently; for scanned traffic, the BeSecure acts as a transparent proxy, and traffic to external devices is stamped with the BeSecure’s IP address. This configuration is particularly useful for firewalls that are sensitive to IP-address spoofing.
Transparent Bridge Configuration – Transparent IP Mode
In this mode, BeSecure is installed as a Layer 2 transparent bridge into the traffic path. No network reconfiguration is required. In this case, the BeSecure is not assigned an IP address. Traffic to external devices will remain stamped with the internal devices’ IP addresses. This configuration is particularly useful for firewalls that provide usage reporting and auditing.
Figure 1 illustrates BeSecure in Transparent Bridge configuration. Both the Proxy and Transparent IP modes are supported by this configuration.
Figure 1: BeSecure Transparent Bridge Configuration – for both Proxy and Transparent IP Modes
Router Configuration
In this mode, BeSecure acts as the gateway for all protected devices. This requires that either (a) the devices are assigned the BeSecure’s IP address as the default gateway, which is possible by having the DHCP server make that assignment; or (b) a router routes all traffic from the original default gateway to the BeSecure’s IP address. This configuration is particularly useful when an enterprise requires that the BeSecure appliance be installed out-of-band yet still provide anti-malware protection for select devices.
Figure 2 illustrates the BeSecure in Router Configuration.
Figure 2: BeSecure Router Configuration
High Availability
BeSecure provides the highest reliability to the network with the following mechanisms:
- Stand Alone: Select BeSecure models (NDP-1020NX and NDP-2040NX) provide LAN bypass (fail-open). With this enabled, unexpected outages such as a power failure will not interrupt the IP data flow.
- Transparent Bridge Configuration: All BeSecure models provide RSTP high availability for a cluster of bridged BeSecure systems. With this enabled, network path redundancy is provided. If the active BeSecure fails, the RSTP (IEEE 802.1w) capability of the BeSecure systems automatically routes IP traffic to the other BeSecure appliances in the cluster within 2 to 3 seconds. This configuration is shown in Figure 3.
Figure 3: BeSecure High Availability Transparent Bridge Configuration – For Both Proxy And Transparent IP Modes
- Router Configuration: All BeSecure models provide Linux HA clustering support. With this enabled, a cluster of router-configured BeSecure appliances shares one virtual IP address to provide redundancy. If the active BeSecure fails, the network payload is routed to a backup BeSecure in the cluster within a couple of seconds.
Figure 4: BeSecure High Availability Router Configuration