Fail-closed: blocks all traffic on failure — maximizes security, risks availability.
Fail-open: passes all traffic on failure — maintains availability, risks security.
Security-critical inline devices (IPS, firewalls) should fail-closed. Passive monitoring devices (IDS, network TAP) should fail-open. Choose based on environment: data center IPS fail-closed; hospital patient monitoring fail-open (availability critical).