Fail-open/fail-closed

3.2 Secure enterprise infrastructure

📘CompTIA Security+ (SY0-701)


Fail-Open vs. Fail-Closed

In enterprise security, systems often need to make a decision when something goes wrong. This is where fail-open and fail-closed configurations come in. They define what a system does if it fails or loses connection.

1. Fail-Open

Definition:

  • In a fail-open configuration, when a system fails or loses connectivity, it allows traffic or access to continue instead of blocking it.

Purpose:

  • The main goal is availability. Even if security components fail, users or services can still access the network or application.

Examples in IT environments:

  1. Firewalls: If a firewall fails and it’s configured to fail-open, network traffic continues to flow without filtering.
  2. Authentication servers (like Active Directory or RADIUS): If the authentication server fails and the system is fail-open, users might still be able to log in temporarily.
  3. Load balancers: If the load balancer fails and it’s fail-open, traffic might go directly to the servers without any checks.

Pros:

  • Ensures availability of services.
  • Good for critical systems where access is more important than strict security.

Cons:

  • Reduces security because potentially malicious traffic can enter unchecked.
  • Increases risk of breaches or attacks.

Exam Tip:

  • Remember: Fail-open = prioritize availability over security.

2. Fail-Closed

Definition:

  • In a fail-closed configuration, when a system fails or loses connectivity, it blocks traffic or access. Users or devices cannot continue until the system is restored.

Purpose:

  • The main goal is security. Even if services go down, the system ensures that nothing unsafe can get through.

Examples in IT environments:

  1. Firewalls: If the firewall fails and it’s fail-closed, all traffic is blocked until the firewall is restored.
  2. Door access systems (for example, on secure server rooms): If the authentication system fails, doors remain locked.
  3. VPN gateways: If a VPN device fails, no remote users can access internal resources until the system is back online.

Pros:

  • Maintains security at all times.
  • Protects sensitive systems and data from attacks.

Cons:

  • Reduces availability, which can disrupt critical business operations.
  • Users may not be able to perform tasks until the system is fixed.

Exam Tip:

  • Remember: Fail-closed = prioritize security over availability.

3. Key Points for the Exam

  • Decision point: Fail-open and fail-closed are about what happens when a security device or system fails.
  • Trade-offs:
    • Fail-open → Availability > Security
    • Fail-closed → Security > Availability
  • Where it matters: Firewalls, IDS/IPS, VPNs, authentication servers, load balancers, and critical access controls.
  • Scenario-based questions: You may be asked which configuration is best for high-security vs high-availability environments.

Quick Memory Tip:

  • Open = keep it open → traffic continues → availability
  • Closed = lock it down → block traffic → security
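
The decision point described above, as an added example (not part of the original notes): an enforcement point that asks a backend for a verdict and applies the configured fail mode only when the check itself cannot run. The names `enforce`, `FailMode`, `BackendUnavailable` and the two sample backends are hypothetical, constructed for illustration.

```python
import enum
import logging

log = logging.getLogger("enforcement-point")


class FailMode(enum.Enum):
    OPEN = "fail-open"      # availability over security
    CLOSED = "fail-closed"  # security over availability


class BackendUnavailable(Exception):
    """Constructed error: the decision backend could not be reached."""


def enforce(request, check, fail_mode):
    """Return (allowed, reason) for one request.

    check(request) returns True/False, or raises if it cannot decide.
    The fail mode applies only when the check itself fails; an explicit
    deny from a healthy backend is denied in both modes.
    """
    try:
        verdict = check(request)
    except Exception as exc:  # any error in the check counts as a failure
        # Log every failure-path decision so fail-open passes can be alerted on.
        log.warning("check failed (%s), applying %s to %r",
                    exc, fail_mode.value, request)
        return fail_mode is FailMode.OPEN, fail_mode.value
    return bool(verdict), "policy"


# Constructed stand-ins for a healthy and an unreachable authentication server.
def healthy_backend(request):
    return request["user"] == "alice"


def failed_backend(request):
    raise BackendUnavailable("timeout")


if __name__ == "__main__":
    known, unknown = {"user": "alice"}, {"user": "mallory"}
    for backend in (healthy_backend, failed_backend):
        for mode in FailMode:
            for req in (known, unknown):
                print(backend.__name__, mode.value, req["user"],
                      enforce(req, backend, mode))
```

With the backend down, fail-open lets the unknown user through and fail-closed locks out the known user, which is the availability versus security trade-off in both directions.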
