Transparent Bridge Configuration – Proxy Mode
In this mode, BeSecure is installed as a Layer 2 transparent bridge in the traffic path. No network reconfiguration is required. The BeSecure is, however, assigned an IP address. Non-scanned traffic passes through transparently; for scanned traffic, the BeSecure acts as a transparent proxy, so traffic to external devices is stamped with the BeSecure’s IP address. This configuration is particularly useful for firewalls that are sensitive to IP-address spoofing.
Transparent Bridge Configuration – Transparent IP Mode
In this mode, BeSecure is installed as a Layer 2 transparent bridge into the traffic path. No network reconfiguration is required. In this case, the BeSecure is not assigned an IP address. Traffic to external devices will remain stamped with the internal devices’ IP addresses. This configuration is particularly useful for firewalls that provide usage reporting and auditing.
Figure 1 illustrates BeSecure in Transparent Bridge Configuration. Both the Proxy and Transparent IP modes are supported by this configuration.
In Router Configuration, BeSecure acts as the gateway for all protected devices. This requires that either (a) the devices are assigned the BeSecure’s IP address as their default gateway, which can be done through the DHCP server; or (b) a router routes all traffic from the original default gateway to the BeSecure’s IP address. This configuration is particularly useful when an enterprise requires that the BeSecure appliance be installed out-of-band, yet still provide anti-malware protection for select devices. Figure 2 illustrates the BeSecure in Router Configuration.
If a network already has a web proxy that supports ICAP (Internet Content Adaptation Protocol), BeSecure scanning can be added to the list of services available to this proxy. BeSecure can scan HTTP traffic as an ICAP scanning service “out-of-line” from the data traffic.
If a network router can act as a WCCP (Web Cache Communication Protocol) server, BeSecure scanning can be added out-of-line from the data traffic by placing BeSecure in the network, and configuring it to register itself as a WCCP client offering a service.
High Availability Configurations
(Please see link for more in-depth information on the High Availability Network Stack.)
BeSecure provides the highest reliability to the network with the following mechanisms:
Stand Alone: Select BeSecure models (NDP-1020NX and NDP-2040NX) provide LAN bypass (fail-open). With this enabled, an unexpected outage, such as a power failure, will not interrupt the IP data flow.
Transparent Bridge Configuration: All BeSecure models provide RSTP high availability for a cluster of bridged BeSecure systems. With this enabled, network path redundancy is provided. If the active BeSecure fails, the RSTP (IEEE 802.1w) capability of the BeSecure systems automatically routes IP traffic to the other BeSecure appliances in the cluster within 2 to 3 seconds. This configuration is shown in Figure 3.
Router Configuration: All BeSecure models provide Linux HA clustering support. With this enabled, a router-configured cluster of BeSecure appliances shares one virtual IP address to provide redundancy. If the active BeSecure fails, the network payload is routed to a backup BeSecure in the cluster within a couple of seconds.
Figure 4: BeSecure High Availability Router Configuration