bump-in-the-wire (BITW)

“Bump-in-the-wire” (BITW) refers to a network security device or system that is inserted into the network path to inspect, and potentially modify or block, traffic without significant reconfiguration of the network and without the end systems being aware of it. The term is often used for firewalls, proxies, and other security devices that are designed to be transparent to the systems sending and receiving traffic[1][2].


The term “bump-in-the-wire” comes from the idea that the device is a small “bump” in the network “wire” that traffic has to pass through. It is designed to be as unobtrusive as possible, hence the term “bump” rather than a more significant obstacle. The device is typically placed at a strategic point in the network, such as a gateway, where it can monitor and control the traffic flowing into and out of a network[1][2].


These devices can perform a variety of functions, such as filtering out malicious traffic, encrypting data, or forwarding traffic to other devices for additional processing. They can be physical devices or virtualized network functions[3][6]. For example, in an Industrial Control System (ICS) network, bump-in-the-wire devices can be used to protect critical endpoints. However, these devices can be complex to manage and one is typically needed per host. To address these challenges, virtual bump-like solutions, such as vBump, have been proposed, which allow the insertion of virtual bumps in front of Ethernet-based legacy ICS devices[4][6].


In the context of cloud services like AWS, the bump-in-the-wire approach can be used to design firewall deployments for internet ingress traffic flows. Firewall endpoints are inserted into the traffic path transparently, as a ‘bump-in-the-wire’, using VPC subnet routing and an internet gateway (IGW) ingress route[7].


In summary, a bump-in-the-wire is a network security mechanism that inspects and potentially modifies network traffic in a manner that is transparent to the end systems. It can be implemented as a physical device or a virtual function, and is used in a variety of contexts, including corporate networks, industrial control systems, and cloud services.


Citations:

[1] https://security.stackexchange.com/questions/10236/http-proxy-vs-bump-in-wire

[2] https://www.datasunrise.com/professional-info/types-of-firewalls/

[3] https://www.qtechsolutions.net/cloud/aws/aws-gwlb-and-firewall-integration-explained/

[4] https://dl.acm.org/doi/abs/10.1145/3462633.3483983

[5] https://apenwarr.ca/log/20180808

[6] https://publications.cispa.saarland/3612/1/vBump.pdf

[7] https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/

[8] https://www.paloaltonetworks.com/resources/infographics/cloud-ngfw-for-aws


"Bump-in-the-wire" (BITW) is a term used to describe a network interception technique that monitors and modifies network traffic as it passes through a device. This device, known as a "bump in the wire," is placed between two network devices or endpoints. The concept is closely related to the idea of a man-in-the-middle (MITM) attack, where network traffic between two devices is intercepted and modified. However, in the case of a BITW, the interception and modification are performed by a legitimate device placed within the network, rather than an attacker[2].


BITW can be implemented using a variety of network devices, including routers, switches, firewalls, and specialized hardware appliances. These devices can host functions such as firewalling, packet filtering, and data interception[3]. For example, a transparent proxy firewall, also known as a bump in the wire, resides on the gateway and intercepts requests from clients. Clients are given the impression that they are connecting to the actual server, unaware that a proxy is mediating their requests[4].
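The transparent interception described above, as an added example that is not part of this page or of any cited product: a minimal Python bump that cuts the client/server “wire” into two segments, relays bytes in both directions, and tears down any flow whose payload matches a constructed signature list, while neither endpoint is told the bump exists. The signature list, the echo backend and the request strings are assumptions made for the demo.

```python
import socket
import threading

# Constructed demo policy (an assumption, not a vendor ruleset): a chunk carrying one of
# these byte patterns is dropped and the flow is torn down instead of being relayed.
BLOCKED_SIGNATURES = (b"../", b"DROP TABLE")

def inspect(chunk: bytes) -> bool:
    """True if the chunk may pass through the bump, False if it must be dropped."""
    return not any(sig in chunk for sig in BLOCKED_SIGNATURES)

def relay(src, dst, log, direction):
    """Copy bytes src -> dst, inspecting every chunk; tear down both sides on a block."""
    try:
        while chunk := src.recv(4096):
            if not inspect(chunk):
                log.append(f"{direction} blocked {chunk!r}")
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):  # shutdown also unblocks the opposite relay thread
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def backend(conn):
    """Constructed upstream service: answers one request with OK:<request>, then closes."""
    with conn:
        req = conn.recv(4096)
        if req:
            conn.sendall(b"OK:" + req)

def send_through_bump(payload, log):
    """Splice the bump between two wire segments; the client just writes its request and
    reads the reply, receiving b'' if the bump tore the flow down."""
    client, bump_in = socket.socketpair()    # segment 1: client <-> bump
    bump_out, server = socket.socketpair()   # segment 2: bump   <-> server
    threading.Thread(target=backend, args=(server,), daemon=True).start()
    threading.Thread(target=relay, args=(bump_in, bump_out, log, "c->s"), daemon=True).start()
    threading.Thread(target=relay, args=(bump_out, bump_in, log, "s->c"), daemon=True).start()
    with client:
        client.settimeout(5)
        client.sendall(payload)
        return client.recv(4096)

def run_demo():
    log = []
    benign = send_through_bump(b"GET /index.html", log)
    hostile = send_through_bump(b"GET /../secret", log)
    return benign, hostile, log
```

A real deployment gets the same position in the path from bridging or routing rather than from socketpairs, but the inspect-then-relay-or-drop loop is the same.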


BITW is typically used in the context of security and surveillance operations, where the goal is to detect and prevent malicious activity on the network. However, the use of a BITW may raise privacy concerns, particularly if it involves the monitoring or modification of personal or sensitive data. To address these concerns, organizations that deploy BITWs typically implement a range of privacy and security safeguards, such as data encryption, access controls, and auditing and monitoring tools[2].


In the context of cloud computing, a BITW function can be a virtual appliance that sits in the network path. These can be firewalls, inline analytics, or other inline functions that have traditionally been referred to as network appliances[1].


In summary, a "bump-in-the-wire" is a network device or function that intercepts and potentially modifies network traffic for purposes such as security, surveillance, or analytics. It operates transparently, often unbeknownst to the end users, and is a common technique used in network security and management.


Citations:

[1] https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/

[2] https://www.telecomtrainer.com/bitw-bump-in-the-wire/

[3] https://docs.oracle.com/cd/E39109_01/html/E26351/z40018141409174.html

[4] https://www.datasunrise.com/professional-info/types-of-firewalls/

[5] https://ine.com/blog/2008-09-28-transparent-firewall-things-that-go-bump-on-the-wire

[6] https://apenwarr.ca/log/20180808

[7] https://www.design-reuse.com/articles/5583/an-ethernet-security-development-platform.html

[8] https://community.cisco.com/t5/network-access-control/a-bump-in-the-wire/td-p/3055000

[9] https://www.reddit.com/r/openbsd/comments/yfw2hb/creating_a_bumpinthewire_with_pf/

[10] https://www.juniper.net/documentation/us/en/software/csrx/csrx-contrail-vrouter/topics/concept/security-csrx-contrail-hbf.html

[11] https://configtoolbox.com/config-toolbox-blog/f/bump-on-a-wire---what

[12] https://security.stackexchange.com/questions/10236/http-proxy-vs-bump-in-wire

[13] https://link.springer.com/chapter/10.1007/978-3-030-34647-8_14

[14] https://dl.acm.org/doi/abs/10.1145/3462633.3483983

[15] https://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp24_MEC_deployment_in_4G_5G_FINAL.pdf

[16] https://publications.cispa.saarland/3612/1/vBump.pdf

[17] https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/

[18] https://aviatrix.com/learn-center/answered-transit/how-can-i-avoid-snat-when-using-inline-next-generation-firewalls-in-aws-and-multicloud-environments/

[19] https://www.missionsecure.com/blog/industrial-control-system-ics-security-and-segmentation
