
Understanding Fail-Open vs. Fail-Closed

Published in Network Security Failure Modes

The difference between a fail-open and a fail-closed IPS lies in how the system handles a failure condition.

As stated simply, failing closed means that a device or system stops or otherwise shuts down and prevents further operation when a failure condition occurs. In contrast, failing open means that the error is essentially ignored and the system or device operation proceeds as if everything was operating normally.

This core concept applies directly to Intrusion Prevention Systems (IPS), which sit inline in the network path to inspect traffic and block malicious activity. Their failure mode is critical because if the IPS fails, the network traffic flow must be handled in some way.

Fail-Closed IPS Explained

A fail-closed IPS prioritizes security over availability. If the IPS device experiences a failure (e.g., power loss, software crash, hardware malfunction), it defaults to a state where it blocks all network traffic from passing through.

  • Behavior on Failure: Stops traffic flow.
  • Priority: Maximum security, preventing potential threats from bypassing the failed system.
  • Potential Impact: Can cause a network outage or disrupt critical communications if the IPS fails unexpectedly.

Choosing fail-closed is typical in environments where preventing any unauthorized traffic is paramount, even at the risk of temporarily halting legitimate traffic.

Fail-Open IPS Explained

A fail-open IPS, on the other hand, prioritizes network availability over strict security during a failure. If the IPS device fails, it enters a state where it allows all network traffic to bypass it unimpeded.

  • Behavior on Failure: Allows traffic flow to continue.
  • Priority: Maximum network availability, ensuring business operations are not interrupted by an IPS failure.
  • Potential Impact: While traffic continues, the network is left unprotected from threats during the failure period, as traffic is no longer being inspected.

Choosing fail-open is often preferred in environments where network uptime is critical and a temporary lapse in security is considered less damaging than an outage. Many modern IPS devices include hardware bypass mechanisms (like a relay) that automatically switch to a fail-open state upon power loss.

Key Differences Summarized

Here is a table highlighting the main distinctions:

Feature              Fail-Closed IPS                       Fail-Open IPS
-------------------  ------------------------------------  -----------------------------------------------
Behavior on Failure  Stops traffic flow                    Allows traffic to bypass
Primary Goal         Maximize Security                     Maximize Availability
Risk                 Network Outage                        Unprotected Network Traffic
Traffic Flow         Interrupted                           Uninterrupted (but uninspected)
Typical Scenario     High-security zones, critical data    High-availability networks, business continuity

When to Choose Which Mode

The decision between fail-open and fail-closed depends on the specific needs and risk tolerance of your network and organization:

  • Choose Fail-Closed if the consequence of a security breach during an IPS failure is more severe than the consequence of a network outage.
  • Choose Fail-Open if the consequence of a network outage caused by an IPS failure is more severe than the consequence of uninspected traffic during the failure period.

Many organizations deploy critical IPS devices in fail-open mode to maintain network connectivity while having backup security controls or monitoring in place to detect potential issues during the IPS downtime.
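To make the two failure modes concrete, here is an added example (not code from the article or any vendor) that simulates an inline IPS whose inspection engine can crash. The class and function names are hypothetical, and the signature list and packets are constructed; the point is that the configured mode, not the packet, decides what happens on failure, and that a fail-open device should expose a bypass counter so backup monitoring can detect the uninspected period.

```python
"""Simulated inline IPS with explicit fail-open / fail-closed handling (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class FailureMode(Enum):
    FAIL_CLOSED = "fail-closed"   # engine failure -> drop everything
    FAIL_OPEN = "fail-open"       # engine failure -> pass everything uninspected


@dataclass
class InlineIps:                  # hypothetical name, not a real product API
    mode: FailureMode
    signatures: tuple = ("cmd.exe", "/etc/passwd")   # constructed block list
    healthy: bool = True
    bypassed: int = 0             # packets forwarded without inspection; monitor this
    log: list = field(default_factory=list)

    def inspect(self, payload: str) -> bool:
        """Return True if the payload is clean. Raises if the engine is down."""
        if not self.healthy:
            raise RuntimeError("inspection engine unavailable")
        return not any(sig in payload for sig in self.signatures)

    def forward(self, payload: str) -> bool:
        """Decide whether a packet leaves the device. True means forwarded."""
        try:
            clean = self.inspect(payload)
        except RuntimeError as exc:
            # Failure condition: the configured mode decides, the payload is unknown.
            if self.mode is FailureMode.FAIL_CLOSED:
                self.log.append(f"DROP (fail-closed): {exc}")
                return False
            self.bypassed += 1
            self.log.append(f"BYPASS (fail-open, uninspected): {exc}")
            return True
        if not clean:
            self.log.append(f"BLOCK: signature match in {payload!r}")
        return clean


def run_scenario(mode: FailureMode) -> tuple:
    """Forward two constructed packets while healthy, then again after a crash."""
    ips = InlineIps(mode=mode)
    packets = ["GET /index.html", "GET /etc/passwd"]
    results = [ips.forward(p) for p in packets]
    ips.healthy = False            # simulate a software crash
    results += [ips.forward(p) for p in packets]
    return results, ips.bypassed
```

In the fail-open run the second, malicious packet is blocked while the engine is healthy but forwarded after the crash, which is exactly the "uninterrupted but uninspected" window the table above describes; a non-zero bypass counter is the signal a backup control should alert on.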
