Community Challenge: Ready, Get set....

Community Manager

UPDATE 20 Feb 2018: WHOOPS! My first email today linked to the wrong place! Please check out the February Community Challenge instead. Thanks, y'all! <FACEPALM! />

--------

Go!… the Meraki Community team is launching our first Community Challenge!

 


 

The Community Challenge will give you a chance to share your Meraki-related experiences and best practices while competing for a grab bag of fun swag. We know you love our Meraki swag!

 

Winners

We will be selecting 2 Community Challenge winners.

  1. The Community Favorite — chosen by you, our fantastic Community members. Vote by kudoing your favorite post(s). The post with the most kudos will win!
  2. The Meraki Favorite — chosen by an internal Meraki panel of judges based on creativity, completeness, and accuracy. 

Challenge entries and kudos can be submitted now through Monday, November 20th at 5:00pm PT - just answer the challenge question by commenting on this blog post. Winners will be announced before Thanksgiving (November 23). Whether or not you enter the challenge, be sure to help us decide the winner by voting on your favorite entry!

 

The Challenge Question

 

Globally malicious web activity has morphed into a multi-billion dollar industry, threatening organizations large and small. How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?

 

Good Luck!


 

Rules:

  1. Limit one entry per person per challenge contest.
  2. Contest will run from 8:00am PT November 15th to 5:00pm PT November 20th.
  3. Prize will be a grab bag of Meraki swag 
  4. Complete rules and eligibility can be found here.
33 Comments
Comes here often

For our company, we believe Meraki MX will replace our traditional VPN concentrators running Advanced License.  We are now testing this across 10 sites across the globe and recommend everyone to make this into a template:

 

1. Segregate corporate LAN and guest network into different VLAN and do not publish in VPN for the latter

2. For network ports please do consider setting up Access Policy (with on-prem Radius server or try JumpCloud) and you can use a combination of 802.1x and MAB to identify untrusted connected clients then associate them in guest VLAN
** We did not enable Splash Page for Guest VLAN but may be worth considering **

3. Content Filtering with Full List (better coverage) and apply whitelisted URL patterns for any needed

4. Enable both AMP and IDP/IPS under threat protection

 

When you have a new site, you may create a network and clone from the above template.  This way you save a lot of time especially on Content Filtering which took us about 30 minutes for the first time.  After deployment you may also want to perform the following for daily operations:

 

a.  Set up an upgrade window like Sunday 3am local time so that you get the latest firmware before the start of the business week automatically

b.  Set up alerts and send them to the 24/7 ServiceDesk via Service-Now to assign tickets:

- Rogue DHCP Server is detected

- Warm Spare failover occurs

- Malware is blocked

- Malware is downloaded

c.  Schedule Email Report

 

We receive a weekly summary report, and from there we also know top blocked sites by URL & categories plus top security threats by signature.  On demand you will also receive the MX Security Report, which informs about security events, affected clients, threats, affected operating systems, and source of threats.  With the MX Security Report received, Security Administrators should immediately review Security Centre in the Meraki Dashboard to perform a number of mitigation tasks.  (My personal favorite: Block IP in Security Centre automatically creates firewall rules with comments so that rollback is easy.)

 

Apart from the above, we also know there is a team of friendly Meraki Support folks who we can email / ring up from the Advance Security hotline found in Get Help of Meraki Dashboard. 
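The post above turns four dashboard settings into a template that is cloned per site. As an added example (my code, not the poster's or Meraki's), here is the same baseline expressed as Dashboard API calls and pushed to a list of networks, with the transport injectable so the planned requests can be reviewed in a dry run before anything is sent. It assumes the Dashboard API v1 base URL, the `appliance/security/malware`, `appliance/security/intrusion` and `appliance/contentFiltering` endpoints and their field names (`idsRulesets`, `urlCategoryListSize`, `blockedUrlCategories`, `allowedUrlPatterns`) as currently documented, which did not exist when the post was written; whether `urlCategoryListSize` is accepted depends on MX firmware. Network IDs and category IDs are placeholders.

```python
"""Push one MX security baseline to several Meraki networks via the Dashboard API.

Added example; assumes Dashboard API v1 endpoints and field names as currently
documented. Network and category IDs used below are placeholders, not real values.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # assumption: API v1 base URL


def build_baseline(blocked_category_ids, allowed_url_patterns):
    """The post's template (AMP, IDS/IPS prevention, full-list filtering) as API bodies.

    Category IDs look like "meraki:contentFiltering/category/<n>"; read the real ones
    from GET /networks/{id}/appliance/contentFiltering/categories rather than guessing,
    because they are not the same on every dashboard.
    """
    return {
        # step 4 of the post: AMP and IDS/IPS under Threat Protection
        "appliance/security/malware": {"mode": "enabled"},
        "appliance/security/intrusion": {"mode": "prevention", "idsRulesets": "balanced"},
        # step 3 of the post: full category list plus explicit allow patterns
        "appliance/contentFiltering": {
            "urlCategoryListSize": "fullList",  # assumption: accepted by the MX firmware in use
            "blockedUrlCategories": list(blocked_category_ids),
            "allowedUrlPatterns": list(allowed_url_patterns),
            "blockedUrlPatterns": [],
        },
    }


def plan_requests(network_ids, baseline):
    """Pure function: the (method, path, body) calls that would be made. Review before sending."""
    return [
        ("PUT", f"/networks/{nid}/{suffix}", body)
        for nid in network_ids
        for suffix, body in baseline.items()
    ]


def http_send(api_key):
    """Real transport. Returns a callable(method, path, body) -> parsed JSON response."""
    def send(method, path, body):
        req = urllib.request.Request(
            BASE_URL + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={
                "X-Cisco-Meraki-API-Key": api_key,
                "Content-Type": "application/json",
                "Accept": "application/json",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    return send


def apply_baseline(network_ids, baseline, send):
    """Send every planned request; `send` is injected so a dry run can simply record them."""
    results = {}
    for method, path, body in plan_requests(network_ids, baseline):
        results[path] = send(method, path, body)
    return results


if __name__ == "__main__":
    sites = ["N_PLACEHOLDER_1", "N_PLACEHOLDER_2"]           # placeholder network IDs
    baseline = build_baseline(
        ["meraki:contentFiltering/category/PLACEHOLDER"],   # placeholder category ID
        ["corp-portal.example.com"],                        # constructed allow pattern
    )
    api_key = os.environ.get("MERAKI_DASHBOARD_API_KEY")
    if api_key:
        print(apply_baseline(sites, baseline, http_send(api_key)))
    else:  # no key: dry run, print what would be sent
        for method, path, body in plan_requests(sites, baseline):
            print(method, path, json.dumps(body))
```

Keeping `plan_requests` pure is the point: the list of PUTs is what gets reviewed (and diffed against the last run) before a key is ever supplied, which is the same discipline as checking a cloned network's settings before it goes live.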

Comes here often

[image: The-Meraki-Way.jpg]

Comes here often

Customer wants higher security, visibility and control. Savings on the cost of MPLS could be an option.

 

1. Customer has MPLS in most branches, and in some Internet/VPN based on routers.

2. All sites get MX - sec license for AMP/IPS ofc.

3. 2 main sites get MX400 - sec license

 

Since QoS on MPLS is necessary right now, the customer won't change it. Instead, MPLS lines in the same country are replaced with internet, and SD-WAN from smaller sites to one "main" site. From the country main site, MPLS with QoS connects to the 2 main datacenters. Should the "main site" in country X fail, small sites will connect directly to the MX400 in the datacenters.

 

Customer gets:

 

* Higher security, IPS/AMP

* HA based on MPLS Hub/spoke, but with fallback if main MPLS lines fail (no QoS though) - and 4G backup as well, not possible before

* Full visibility of their users, worldwide, big issue solved.

* Umbrella on top of Meraki, and for clients going offsite.

 

Customer now understands the importance of security and control, so next step is AMP for end points for all clients. Wireless replacement from X to Meraki in storage and offices - and a plan for replacing all switches with MS.

 

The Meraki story was perfect for this customer. A small IT department, but with visions. But with over 20 locations worldwide, and 3 guys to manage them, those visions were just not possible - Meraki solved this 🙂

Conversationalist

We have seen some of our clients take a broad range of Meraki products in order to help secure their network edge, from various models of the MX APs both indoor and outdoor to utilising Z1s and Z3s for secure access for their teleworkers and travelling staff, landing the VPNs from those Z*s on both MX devices and ASAs alike. Taking advantage of the RADIUS authentication capabilities for both wired and wireless clients as well as utilising AMP for further protection helps a great deal in keeping a tight network edge. In addition to this, as a solutions and support provider we find the Meraki estate a pleasure to work with: configuration is a breeze, updating devices on each network is simple, and visibility right up to layer seven makes it easy to show customers where their bandwidth is being used and by whom. It's clear to us that Cisco and Meraki are leading the way in the SDM field, and long may it continue!

Already in the purchase phase, when a customer is looking for a solution to protect their organization, it's important to present threats and Cisco-Meraki possibilities to the customer's business owners. If the customer has good knowledge of the solutions and the business benefits of Meraki's solutions for their business,

business owners and their decisions are safe and wise, with great results.
The customer should have an MX at every site. They should have Advanced licences for protection against a larger scale of threats, and they should also use Cisco ISE and Umbrella for access control and DNS protection. Mobility management is another part of wise protection of their company. That's why Meraki SM should be in their use, and profiles should be made correctly to reach intelligent full protection for their company.

If still something happens, call us or Meraki support 🙂

This was just a Business Value Architect's commercial opinion. Have a nice day!

Conversationalist

Merakify'ing the hell out of this place!

 

started with MR... tick

what's this a router with a 4G, cloud managed, yup! count me in!... tick

what? we need a new warehouse and can't get a connection from the openreach dudes.... MX... tick

perfect MR placement... tick

alerting in Hipchat room :D... tick

every store online every time with MX, MS and MR 😄

someone's unplugged a cable, yea we know, stop doing that please, bam!

 

someone said once "the future's bright" did they say GREEN?

 

Well it is here !!!

 

New year, new challenges.... bring em on!

Kind of a big deal

@SergeRobert1 I wish I could give you more kudos.  So far I like your answer best - because you have shown how Meraki security is not just a point product like MX, but a complete "full stack" approach, and is integrated into everything.

Here to help

We worked with a federal agency to deploy Meraki MX and MR access points with a 3G/4G modem in countries like Chad, Turkey, Haiti and Ghana in support of the Syrian refugee camps. Paper-based immigration files would be confiscated at borders. Meraki allowed the agency to send a backpack that extended IT services and security to very remote locations (and I mean VERY, like, no roads or running water).

 

The different Government agencies would all access their digital immigration applications, not only decreasing the amount of time a refugee must stay in the harsh camp conditions, but also keeping the records secure and allowing the different US agencies to collaborate much easier. The security features of the MX allowed the solution to be approved by some of our very security conscious Government Agencies.

 

This same project spawned an initiative with a non-profit that focuses on refugee education. The "Meraki in a backpack" solution is being used to bring teachers and students from the US to schools in Ghana via video. Although AMP, ThreatGrid (and don't forget Umbrella/OpenDNS!) are invisible to the students and teachers, it's been very successful so far. It allows us to teach children how to use the internet safely, while keeping them secure.

 

https://www.refugeeoutreachclub.org/ - If anyone is interested.

Kind of a big deal

In the most strict full stack Meraki environment here is an overview of our security.

 

Security Appliance (MX) - Redundant

  • Security Appliance>Content Filtering
    • Make sure to enable Full List
    • [screenshot: content filter.PNG]
  • Security Appliance>Threat Protection
    • AMP Enabled
    • Intrusion Detection and Prevention set to Prevention/Balanced
  • Security Appliance>Firewall
    • Deny Peer-to-Peer (P2P) All P2P
    • Deny Countries Traffic to/from
      • [screenshot: layer7.PNG]
    • Firewall rules to deny all traffic from our guest Vlan to other internal networks
    • We maintain a public guest VLAN/network and a private internet-only VLAN/network.  One of the lesser considered issues is that if one of your devices fails over to the guest VLAN, that could be the very same VLAN that public computers are on.  Your protected machine could inadvertently fail 802.1x and end up on the public VLAN due to an expired AD password, etc.  To combat this we have a separate internet-only VLAN/network for credit card machines, 802.1x-failing devices, etc.  This helps prevent the co-mingling of public devices with our trusted internal devices.

Switches

  • All ports enabled for 802.1x and will failover to guest Vlan
  • Mac Whitelist used for ports with printers
  • Switch>IPv4 ACLs to restrict certain traffic to/from sensitive devices

Wireless

  • Private subnet isn't advertised, deployed using Group Policy so machines know what to connect to
  • Public Guest VLAN using Meraki DHCP and Deny access to Local LAN

Non Meraki

  • AV and Patching
  • OpenDNS Umbrella - This has been one of the biggest tools for helping our users prevent getting malware/crypto.  I hope, now that Cisco owns this product, that it eventually takes the place of Meraki's Content Filter.

 

Comes here often

Our own Organization has recently installed a full Meraki suite over the course of this year, one of our primary goals as a retailer is protecting the storage and transmission of customer card data and PII. With Meraki products we were able to design a robust, current, and all-encompassing security landscape of MX Routers, MS Switches, MR Access Points to execute this requirement and support our goal of hardened Network/Information security.

 

We accomplished this in three ways. First, we utilize AMP, IDS and Content Filtering in all of our MX devices. We have had good experience with AMP in the past, as we have a centralized Sourcefire IPS architecture; now we can extend this to the appliance level to stop threats closer to the source. We respond to and investigate suspicious clients and react to malicious download or block notifications. Because the backend is managed by the experts and is current, we trust the integrity of the definitions and the probability that emerging threats are contained.

 

Secondly, we extensively use the Meraki Group Policy, Security Center, Tagging, and Firewall Framework to isolate sensitive systems and client access both inbound and outbound. We can tag certain SSIDs to be broadcasted for special events for vendors, we can also Tag networks and clients to inherit specific rules based on the needs of those sections, this makes it very easy to manage and easily add or revoke access.

 

Lastly, we report on Traffic Analytics and syslogs, and use the API to investigate unusual traffic or application/port anomalies to verify whether this is expected or malicious behavior. By keeping these tools in the cloud we save time in maintenance and management of those systems. Having a single repository of information helps to correlate unusual activity and account for our inventory and access design.
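The post above uses the API to investigate anomalies. As an added example (my code, not the poster's script or Meraki's), here is a paginated pull of MX security events from the Dashboard API that follows the `rel=next` Link header, backs off on HTTP 429 using `Retry-After`, and then ranks clients by IDS alerts plus malicious-file verdicts. It assumes the API v1 base URL, the `/networks/{id}/appliance/security/events` endpoint with `timespan`/`perPage` parameters and `eventType`, `disposition` and `clientMac` fields, and Link-header pagination with 429 rate limiting as documented; the HTTP transport is injectable so the paging logic runs offline against stub pages.

```python
"""Paginated pull of MX security events from the Meraki Dashboard API, with
rate-limit backoff, followed by a per-client summary.

Added example, not the poster's script or Meraki's code. Assumes the API v1
base URL, Link-header (rel=next) pagination, HTTP 429 + Retry-After on rate
limiting, and the security-events field names used below.
"""
import json
import os
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

BASE_URL = "https://api.meraki.com/api/v1"  # assumption: API v1 base URL
NEXT_RE = re.compile(r'<([^>]+)>;\s*rel="?next"?')


def header(headers, name):
    """Case-insensitive header lookup; servers and stubs differ in capitalisation."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def next_link(link_header):
    """URL from the rel=next entry of an RFC 5988 Link header, or None on the last page."""
    if not link_header:
        return None
    match = NEXT_RE.search(link_header)
    return match.group(1) if match else None


def http_get(api_key):
    """Real transport: returns get(url) -> (status, headers, parsed body or None)."""
    def get(url):
        req = urllib.request.Request(
            url, headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), json.loads(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), None
    return get


def fetch_all(url, get, max_retries=5, sleep=time.sleep):
    """Follow rel=next until exhausted. On 429, wait Retry-After seconds and re-request the page."""
    items, retries = [], 0
    while url:
        status, headers, body = get(url)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"rate limited {retries} times at {url}")
            sleep(int(header(headers, "Retry-After") or 1))
            continue
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}")
        retries = 0
        items.extend(body)
        url = next_link(header(headers, "Link"))  # never hand-build offsets
    return items


def events_url(network_id, timespan_seconds=86400, per_page=1000):
    """First-page URL; later pages come only from the Link header."""
    query = urllib.parse.urlencode({"timespan": timespan_seconds, "perPage": per_page})
    return f"{BASE_URL}/networks/{network_id}/appliance/security/events?{query}"


def noisiest_clients(events, top=5):
    """Rank client MACs by IDS alerts plus malicious file verdicts (assumed field names)."""
    counts = Counter()
    for event in events:
        malicious = str(event.get("disposition", "")).lower() == "malicious"
        if event.get("eventType") == "IDS Alert" or malicious:
            counts[event.get("clientMac", "unknown")] += 1
    return counts.most_common(top)


if __name__ == "__main__":
    api_key = os.environ.get("MERAKI_DASHBOARD_API_KEY")
    network = os.environ.get("MERAKI_NETWORK_ID", "N_PLACEHOLDER")  # placeholder network ID
    if api_key:
        for mac, count in noisiest_clients(fetch_all(events_url(network), http_get(api_key))):
            print(f"{mac}\t{count}")
    else:
        print("Set MERAKI_DASHBOARD_API_KEY and MERAKI_NETWORK_ID to query a real dashboard.")
```

Two failure modes worth handling explicitly are shown: stopping on the first page (no Link following) silently under-reports busy networks, and ignoring 429 turns a scheduled investigation script into a source of its own alerts.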

Conversationalist

Meraki devices made it easy to install, configure and protect the environment within minutes. Network security has been made easy to implement. Bugfixing is done within minutes, all in one place.

A model citizen

We run a very layered, security focused approach on our networks. We run mostly hotels, but we also use the Meraki stack for our corporate office and other business ventures.

 

Network Wide:

 

  • Alerts - set up alerts for rogue AP, any device going offline, DHCP pool exhausted, rogue DHCP server detected, malware is downloaded/blocked.
  • General - collect destination hostnames. Change default local credentials. Add a syslog server to your environment for further monitoring and post incident logs. Enable SNMP v3 with secure username/password.

 

MX Setup:

 

  • VLANs. Segregate traffic based on activity. Production network, guest network, CCTV network, etc. Create ACLs to prevent inter-vlan traffic where not desired.
  • DHCP - Only offer DHCP on networks where it is required, and limit scope. Activate DHCP snooping and rogue DHCP server detection.
  • Firewall - Prevent inter-vlan traffic when not desired. Apply appropriate Layer 7 rules, such as filtering out P2P. Only create port forwarding for absolutely required services, limit connecting IPs to only those needing to access.
  • Active Directory - Integrate to allow better tracking of resources and for any post breach research, if necessary. Also create groups to allow specific filtering profiles (management, line staff, etc.)
  • Threat Protection - AMP Enabled at all times. For IDS, Prevention and Security methods selected.
  • Content filtering - Unless otherwise overruled, the standard set is to block: Bot Nets, Confirmed SPAM Sources, Keyloggers & Monitoring, Open HTTP Proxies, Parked Domains, Peer to Peer, Phishing and Other Frauds, Proxy Avoidance, SPAM URLs, Spyware and Adware. This is also done on our guest networks for enhanced protection. For the production network, add: Adult and Pornography. Choose full site list instead of Top sites only.
  • Security Center: Review on a weekly (or shorter, depending on your needs) interval. Set up scheduled email reports accordingly.

MR Setup:

 

  • Access Control - Even for guest networks, recommended setup is for WPA2 (only). Enable Adaptive 802.11r.
  • Access Control - For secure networks, authenticate with RADIUS and use Systems Manager Sentry to ensure only authorized devices are connected. 
  • Access Control - Make sure appropriate VLANs are being used, and guest traffic is prohibited from reaching any other subnet/network.
  • Firewall - Deny Wireless clients accessing LAN as appropriate. Enable L7 rules for blocking P2P. 
  • SSID Availability - Consider disabling unneeded SSIDs during closed times. Enable SSIDs on APs only where they are needed.
  • Air Marshal - Contain rogue APs seen on the LAN
  • PCI Report - run at regular intervals
  • Physical setup - ensure APs are mounted in locations not easily tampered with, or if within reach, in a secure box/environment to prevent physical tampering.

MS Setup:

 

  • IPv4 ACL: Set up as appropriate for your organization
  • Access policies - Set up SME Sentry for connected device and guest VLANs - use either Meraki authentication or, ideally, your RADIUS server.
  • Switch Ports - disable unused ports.

 

SME Setup:

 

  • Security Policies - Create policies for different devices (stationary vs mobile for example).
  • Security Policies - Enable screen lock, login required, firewall enabled, disk encryption, antivirus running, passcode lock, device is not compromised, and minimum OS version check.
  • Geofencing - Enable appropriate policies based on device. Very limited for stationary devices, more broad for mobile depending on the user. Set up alerts to notify admins when the fence is breached.
  • MDM Settings - Require a password to remove the profile. Set appropriate restrictions, password policies, WiFi Sentry, etc. as needed based on the business.

 

This helps keep us safe, in addition to the non-Meraki procedures we follow. Every bit of the layer helps!
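The post above sends the MX to a syslog server for monitoring and post-incident logs, and, like the first post in the thread, alerts on "malware is downloaded" and "malware is blocked". As an added example (my code, not the poster's or Meraki's), here is a parser for MX syslog security events that turns those lines into exactly those buckets: an IDS alert, a file blocked at download, and a file that was allowed through but later reclassified as malicious, which is the case that needs a hunt on the endpoint. The sample lines are constructed to follow the documented MX syslog layout (`security_event ids_alerted`, `security_filtering_file_scanned`, `security_filtering_disposition_change`); the field names are taken from that documentation, and the addresses, hashes and file names are fake.

```python
"""Classify Meraki MX syslog security events into the alert buckets the posts name.

Added example, not Meraki's code. SAMPLE_LOG is constructed in the documented MX
syslog layout; field names are assumed from that documentation, addresses and
hashes are fake.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1510761600.100 MX84 security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1510761600.09 dhost=98:5A:EB:D4:25:95 direction=ingress protocol=tcp/ip src=203.0.113.7:80 dst=192.168.128.2:51123 message: BLACKLIST URI - known scanner tool
1510761601.200 MX84 security_event security_filtering_file_scanned url=http://bad.example/invoice.zip src=192.168.128.2:51234 dst=203.0.113.7:80 mac=98:5A:EB:D4:25:95 name='invoice.zip' sha256=0000000000000000000000000000000000000000000000000000000000000001 disposition=Malicious action=block
1510761602.300 MX84 security_event security_filtering_file_scanned url=http://cdn.example/tool.exe src=192.168.128.9:40001 dst=198.51.100.5:80 mac=00:11:22:33:44:55 name='tool.exe' sha256=0000000000000000000000000000000000000000000000000000000000000002 disposition=Unknown action=allow
1510761700.400 MX84 security_event security_filtering_disposition_change url=http://cdn.example/tool.exe src=192.168.128.9:40001 dst=198.51.100.5:80 mac=00:11:22:33:44:55 name='tool.exe' sha256=0000000000000000000000000000000000000000000000000000000000000002 disposition=Malicious
1510761701.500 MX84 urls src=192.168.128.2:63735 dst=198.51.100.40:80 mac=98:5A:EB:D4:25:95 request: GET http://intranet.example/
"""

# "<epoch> <device> <kind> <rest>"; kind is security_event, urls, flows, events, ...
HEADER_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<kind>\S+)(?:\s+(?P<rest>.*))?$")
# key=value pairs; values are either single-quoted (file names) or bare tokens
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line):
    """One syslog line -> dict of header fields plus key=value fields, or None if unparseable."""
    match = HEADER_RE.match(line.strip())
    if not match:
        return None
    rec = {"ts": float(match["ts"]), "device": match["device"], "kind": match["kind"]}
    rest = match["rest"] or ""
    # free-text tails ("message: ..." on IDS alerts, "request: ..." on URL logs) are not key=value
    for marker in (" message: ", " request: "):
        if marker in rest:
            rest, tail = rest.split(marker, 1)
            rec[marker.strip(" :")] = tail
    if rec["kind"] == "security_event":
        rec["subtype"], _, rest = rest.partition(" ")
    rec.update({key: value.strip("'") for key, value in KV_RE.findall(rest)})
    return rec


def classify(rec):
    """Map a parsed record to an alert bucket, or None for lines that need no action."""
    if rec.get("kind") != "security_event":
        return None
    subtype = rec.get("subtype")
    disposition = rec.get("disposition", "").lower()
    if subtype == "ids_alerted":
        return "ids_alert"
    if subtype == "security_filtering_file_scanned" and disposition == "malicious":
        return "malware_blocked" if rec.get("action") == "block" else "malware_downloaded"
    if subtype == "security_filtering_disposition_change" and disposition == "malicious":
        return "malware_downloaded"  # retrospective: file was allowed earlier, now known bad
    return None


def triage(text):
    """Per-client counts by bucket, plus the hashes of files that reached a client."""
    per_client = defaultdict(Counter)
    hunt = set()
    for line in text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if not label:
            continue
        client = rec.get("mac") or rec.get("dhost") or "unknown"  # IDS lines carry dhost, AMP lines mac
        per_client[client][label] += 1
        if label == "malware_downloaded":
            hunt.add(rec["sha256"])
    return {"clients": {c: dict(n) for c, n in per_client.items()}, "hunt_sha256": sorted(hunt)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, counts in result["clients"].items():
        print(client, counts)
    print("hashes to hunt on endpoints:", result["hunt_sha256"])
```

The distinction the parser preserves matters for the alert routing the first post describes: "malware blocked" is a ticket to confirm, while "malware downloaded" (including the retrospective disposition change) is a ticket that needs the endpoint isolated and the hash searched across the estate.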

Here to help
  • Place an MX device with advanced license in every office
  • Setup site to site vpn, block subnets from accessing subnets they don't need to (i.e. branch office to branch office, when they just need branch office to HQ)
  • Utilize VPN for office to HQ (datacenter) communications rather than the open internet.
  • Set up client vpn to HQ for users who need to remotely access servers
    • Find out that Meraki's Windows split tunnel implementation is not reliable and prone to failures on a regular basis.
      • Deploy Z1/Z3 to home users or find another VPN client  solution as the one built in leaves much to be desired.
  • Turn on advanced features like AMP, IDS, etc.
    • Turn off AMP for all those users who run into false positives and find that AMP blocks the download of routine PDF files and similar.
      • Put in support tickets, await resolution in a future version of firmware, try out new firmware, go back to not using AMP as it's still broken.
  • Set the firewall to block traffic to countries/domains/categories that you don't need users to access
    • White-list those sites that have been misclassified by BrightCloud (Webroot), which Meraki uses for their categorization
      • Submit mis-categorized urls to Brightcloud so that they aren't a problem going forward
    • Unblock countries / categories that you routinely have problems with because of the way that webroot classifies them and doesn't allow for the whitelisting of certain URLs/IP
    • Debate with yourself and support whether or not full list or default is the correct setting.  Contacting support about a problem with this usually results in them suggesting you pick the opposite setting of whatever you have selected.  Expect to be told that you are overloading the device by running it in full list mode.
    • Have the Meraki classify sites not only based on domain, but also based on underlying IP address - creating lots of false positives for things like Content Delivery Networks and others that often use the same IP to deliver different sites.
  • Copy those rules to other offices.  Curse the fact that there is no way to reliably have a global whitelist or blacklist.
  • Create groups of users that need exceptions to the default categories blocked, i.e. HR people who need access to job search sites.
  • Hope that a firmware update doesn't break something else that used to work without a problem.
  • Hope when an office internet connection drops out for a bit that the site to site VPN sets itself back up automatically.  If not, watch out for the email alerts that it failed and reboot the MX device.
  • Monitor Meraki logs using another program
    • Learn that Meraki doesn't log things like a power cycle as such, and learn the terminology used to indicate a reboot.
  • Contact support with the bugs you find
  • Deploy end point protection to pick up on what the meraki didn't catch
  • Use openDNS family safe and friendly filtered servers 208.67.222.123, 208.67.220.123 (vs their open ones).  Wish that they had an easy one click integration with a company that Cisco Owns.  
    • FamilyShield will always block domains that are categorized in our system as: Tasteless, Proxy/Anonymizer, Sexuality and Pornography.
      • Ponder why it doesn't block malware and a few other categories
  • Deploy Systems Manager on a few endpoints for testing.
    • Find out it is lacking in most areas of what you need a systems management solution
    • Trial out other RMM solutions
      • Pick another all the while wondering why it can't integrate with your firewall.
  • If you are looking into MXNNw lines - i.e. the ones with wireless built in - stop - buy an MX device and a separate access point.  The built in wifi on the MX64W is terrible. 
    • Replace those wifi networks you rolled out with an MX64W with another brand access point.

All in all while Meraki does a lot, it's by no means a one stop solution for what you need.  It is a great way to have a site to site vpn setup super easy.  You can also block a lot of stuff really quickly, but plan on having the support phone number stored in your speed dial and memorizing your support pin code.