There was a post to the sguil-users mailing list asking for recommended fail-open network cards in the hopes that it would be less expensive than alternatives. Richard Bejtlich pointed out that the long-term costs and lower downtime make bypass switches worth the initial expense. This make a lot of sense.
One thing people need to note when talking about inline devices and fail-open hardware is that many devices will only fail open in a powered off state. For example, if you're running Snort inline with a fail-open NIC and the Snort process dies, then the box will no longer pass traffic. Your link is down unless you fix the problem by restarting Snort or you shut off the system completely, which will then cause the fail-open NIC to cross-connect and pass traffic.
If a system only fails open when the power is off, you still need to be aware that an operating system or application failure can take down your link if the fail-open hardware remains powered on. NetOptics has some bypass switches that have a heartbeat feature to address this problem.
An exclusive Heartbeat feature monitors link status between the Bypass and monitoring tools for enhanced reliability. A configurable Heartbeat packet is injected into the monitor port link to help determine availability of attached monitoring tools. For instance, the Bypass Switch can automatically switch network traffic around an unresponsive IPS appliance – even if the IPS is still powered on. Once the IPS re-establishes a connection, traffic is re-routed to the monitor port for continued operation.This is a better solution than a NIC that will only fail open when the power is off, but not all bypass switches have the feature. If anyone knows of other vendors or hardware that have a similar feature, please let me know.
It's also important to know that the use of the terms "fail open" and "fail closed" is not always consistent.