UPDATE 20 Feb 2018: WHOOPS! My first email today linked to the wrong place! Please check out the February Community Challenge instead. Thanks, y'all! <FACEPALM! />
Go!… the Meraki Community team is launching our first Community Challenge!
The Community Challenge will give you a chance to share your Meraki-related experiences and best practices while competing for a grab bag of fun swag. We know you love our Meraki swag!
We will be selecting 2 Community Challenge winners.
Challenge entries and kudos can be submitted now through Monday, November 20th at 5:00pm PT - just answer the challenge question by commenting on this blog post. Winners will be announced before Thanksgiving (November 23). Whether or not you enter the challenge, be sure to help us decide the winner by voting on your favorite entry!
Globally malicious web activity has morphed into a multi-billion dollar industry, threatening organizations large and small. How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?
Rely on Meraki to do the basic line of defense:
1. Deploy Meraki MXs to all locations, and keep them running at the latest firmware
2. Enroll with the Advanced Security licensing to make sure all the antivirus, anti-malware, intrusion prevention, and other features are up to date
3. Make sure the AMP, Intrusion Prevention functions are turned on; and create all necessary firewall and traffic shaping rules.
Add another layer of monitoring on top
4. Utilize Splunk to monitor and analyse the system logs from Meraki to understand the network activities and be alerted when suspicious activity is spotted.
Cisco Meraki Security appliances help our customers stay more secure than other firewall based security solutions and are a key part in our solution stack to protect our customers from malicious activity.
Other firewalls require a management server to store logging activity, definition files and other tools that enable their security offerings. This led to many situations for our SMB customers in the past where they would purchase a security appliance from us but they would be unwilling to spend the money on professional services or internal hardware/software resources to set up/configure/maintain/enable the security appliance. With Meraki, turning on security services is a 5 minute operation and showing customers how they can refine their own content control rulesets is empowering to them.
We've deployed Meraki as our edge device in our country offices (Iraq, Congo, Rwanda, Nigeria, and Afghanistan by EOY), implemented filtering and traffic shaping and ensured devices stay updated. This has been an awesome display of cloud management for all our IT staff and it has gone great.
We will need to deploy the following:
1. Apply some rules in the MX to block some ports / try to allow only the ports that are needed to work.
2. Apply some ACL/NAT/PAT mode in the MX and try to use a DMZ to isolate some servers from the local servers.
3. Deploy Meraki MXs to all locations, and keep them running at the latest firmware.
4. Enroll with the Advanced Security licensing to make sure all the antivirus, anti-malware, intrusion prevention, and other features are up to date.
5. Make sure the AMP and Intrusion Prevention functions are turned on, and create all necessary firewall and traffic shaping rules.
How have I seen organizations leverage Meraki’s advanced security tools to combat emerging threats?
There are numerous ways that Meraki security tools have helped our customers combat threats.
Coincidence? I think not.
I ❤️ Meraki
Implement the appropriate Meraki MX device with the Advanced Security License! Enable the Advanced feature set! Have fun education sessions to familiarize users with phishing attacks so they don't "open any doors to attack!" Let the MX do its job!
To start, it's easy.
In order to extend the security to devices operating outside of the perimeter of the MX, add Umbrella and AMP for Endpoints.
We are seeing a trend where internet-bound threats mostly originate from a handful of countries. The customers really like the "Geography based firewall rule" which is part of the Meraki Advanced Security license suite. It's super simple for organizations to prevent data leaks to undesired countries around the world with just a few clicks. AMP/anti-malware is another great feature organizations love. With Cisco's continued focus on AMP development combined with the expertise provided by Talos, organizations are leveraging these tools heavily to combat the emerging security threats.
"How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?"
- I have not seen most organizations use Meraki gear; that's why we still have a multi-billion dollar industry threatening organizations large and small.
Meraki needs an influencer in each continent to actually show how several attacks are stopped while a normal router gets owned in mere seconds.
It's all about marketing. It's all about money. It's all about security.
Or you are broke.
Integration of critical Cisco security technologies like Snort and Advanced Malware Protection into the Cisco Meraki MX platform ensures that customers who choose Meraki enjoy world-class protection for their valuable network assets.
There's sooo much more, but that's what I can think of before running into my meeting.
GOOD LUCK EVERYONE!
Advanced Malware Protection (AMP) inspects all HTTP file downloads through a Security Appliance and blocks/allows files to be downloaded based on threat intelligence gathered from the AMP cloud.
Intrusion Detection and Prevention
Intrusion detection inspects all packets flowing between the LAN and Internet interfaces as well as in between VLANs and records the produced alerts to the Security Report.
Intrusion prevention blocks all the traffic that is identified as malicious, rather than just generating alerts.
You can create a list of specific signatures by clicking Whitelist an IDS signature. Any signatures for which matching traffic has been seen by the appliance will appear in the Select an Option drop-down so that you can select which signature or signatures you wish to whitelist.
The report delivers a graphical depiction of Intrusion Detection events in your network.
We use AMP and IDP, IDP in detect mode only right now. We plan on implementing an MDR solution next year and would send the logs from our devices to the solution provider for analysis. Right now I review the security dashboard daily.
The Challenge Question:
Globally malicious web activity has morphed into a multi-billion dollar industry, threatening organizations large and small. How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?
The Challenge Response:
Advanced Malware Protection (read more) and IPS/IDS (read more) are the features that immediately come to mind when thinking about combating malicious web activity. Furthermore, Meraki in June of 2017 released support for Threat Grid (read more), this add-on strengthens the advanced security tools portfolio. Lastly, Meraki has other features such as content filtering, identity based firewall, layer 3 rules, layer 7 rules, ACLs, and others that help organizations in this capacity that may not be "advanced security tools" but are still helpful in the fight. What I love about these three advanced offerings (AMP, IDS/IPS, and Threat Grid) is that Meraki allows organizations to deliver ubiquitous protection to combat emerging threats, and best of all, sticking to the mission statement, we now have cloud managed security tools that simply work! This simplification of powerful security tools has allowed organizations to deploy protections where the users may have previously been left in the dark due to various barriers such as, technical know-how, budget constraints, and systems management overhead. Organizations now have the freedom to focus their passions rather than spending time worrying about these threats and tools, Merakified* security!
*(v. past part. merakified) to add soul, creativity or love to something, improving its performance through innovation, simplicity and flair!
(I didn't mean to write a book, it just kinda happened... Feel free to skip to the last paragraph if you want to know how it turned out for me)
I would say the company I work for is a small to mid-sized business. We have about 275 employees in a small town in North-Central Texas. When I first started working for Air Tractor (shameless plug), we had a single ADSL connection coming into an office on the opposite side of our single campus from our "Server Room" where our core switch was located. This pitiful setup and connection was supporting around 90 workstations internally and a guest wireless network. I'll never forget those first few weeks... I was hardly surprised to hear complaints about internet speeds or synchronization issues with email. It was easy to understand why we were having intermittent internet "outages" when the CPU on our undersized firewall would max out due to poorly set up content filtering while trying to handle throughput and client VPN routing. Seeing the rat's nest of cables surrounding the switch rack in that tiny, hot server room... no wonder everyone was afraid to touch anything. None of this surprised me.
I spent more time those first few weeks observing. Listening. Not simply to hardware or configurations. No. Listening to the employees. Listening to the workers on our production floor that are used to these issues and seeing that they never brought them up because they've become the norm. Listening to office staff and understanding their simple requests that have only gone unnoticed. Still, nothing was surprising as I learned. I had walked into a previously non-existent position created out of necessity and everything uncovered from my users was absolutely expected.
It wasn't until I had a real chance to sit down with the faces I recognized from my interview that I was pleasantly surprised. I say "pleasantly" because it was refreshing. Refreshing in a sense that they realized the potential threat of the outside world and how it could jeopardize everything they had worked so hard to build and protect over the years. Refreshing that it instilled in me a deeper respect for everyone I had met and listened to the past few weeks. Refreshing that I really had a potential to grow into my position and know that I would be looked upon as more than just a desktop support technician. Refreshing...and absolutely terrifying. (I'm sure glad they saw a confidence I didn't know I had yet)
The following months I grew a little more comfortable with my daunting, originally unrealized role as I dove into creating a game plan for how we could both update our network AND focus more easily on security. With little background in hardware and solution procurement... wow. There were probably 10 times as many options as I had ever imagined there would be when it comes to firewalls. WHO KNEW? (well, at the least, I didn't know) But there was one conversation I had with a former colleague that changed the game. How she was getting by with minimal IT resources with a network I imagined was 3 times my size. There was a brand mentioned that I had never heard before. Meraki. How could Cisco have another player in the ring that I had never heard of? I don't know how or why it came up, but I'm very grateful for that quick conversation in passing.
So enough about beginnings and the sentiments of green IT guy...now we fast forward a few years. If you have somehow managed to make it through my ramblings thus far, I congratulate you and say "Thanks!" Secondly, if you're not using a Meraki MX device with the Advanced Security license...well, then, I'm sorry. Also, go get one. Right Now. Just click right here and get one. It was the best decision I ever made, maybe it can be the same for you.
As an all-in-one-person IT department, I find myself too often needing to be a little... creative with my time management. On-the-fly access to Meraki's Security Center is perfect for my intensely varying days in and out of the office. At a glance, I can see which systems at which site are being hit the most, and literally where in the world it's coming from. From a compliance standpoint, I can block an entire country's traffic from reaching my network in just a few clicks. The use of BrightCloud's updated category listing for content filtering helps keep my users off of malicious sites. I consider our MX100 my hardest working employee. Whether I'm busy at work, or I'm sleeping at home, or on vacation with no signal in the mountains... the Master Chief (as I have named him, any Halo fans?) is hard at work. While I'm always on call, he's always on duty. I take pride in the fact that I have the leader of network security (Cisco) backing my department's employee of the month (going on 2 years straight, I doubt I'll ever claim that title at this rate). The Cisco AMP (Advanced Malware Protection) integration alerts me and lets me know if something may have slipped through. The retrospective aspect of this has greatly improved incident response time (and my confidence in our other security layers when I see it's caught by another means). This single appliance has helped mold our company's culture around security and has helped me create a better security posture out of one that simply was not there before.
I manage a network for my kid's school and we run an MX. With 400 students that bring their own devices as well as parents, teachers, administrators, and guests jumping on the network with all sorts of random mobile devices, every week is a learning experience.
1. Threat Prevention is set up with the Enable, Protect, Secure options. Detect is for suckers!
2. We segmented the network into VLANs and set up access controls to restrict east-west access for clients.
3. We go big brother style on content filtering because my kids and the kids for all my friends and neighbors are in the school and I care about all of them like they're my own. My goal is to add at least one domain per week to the Blocked URL patterns.
4. Layer 7 rules block several categories of apps like P2P, Gaming, file sharing, and more.
5. I review security center weekly.
6. We have the MDM on all internal systems.
7. I review Org Hosted Logs and look for domains and categories that are accessed and make updates.
8. For other domains and services, I have multiple rules in Traffic shaping to limit bandwidth for non essentials. So apple.com and icloud.com are limited to 100kbps.
9. Finally, I look at the clients list and sort by bandwidth utilization to see who is doing what. When someone pushes lots of data through they get blocked or we check out what they accessed.
In the past 6 months, we haven't had a virus, malware or anything else hit the internal systems.
Many important points that have been explained in previous comments.
From my point of view, one of the great strengths of Meraki is a "Full Stack" approach to security with the right consideration at each level.
The continuity of protection is valid from access to applications.
With the MR and MS:
- security from access (802.1X, Private VLAN, RADIUS authentication, ...)
- protection of WLAN access (WPA2, WIDS/WIPS, NAC, Auto Tunneling VPN Technology, Air Marshal, ...)
- filtering (URL, access list, ...) to avoid connections that involve threats
- proactively discover rogue DHCP
- application layer visibility
Directly with MX:
- IDS / IPS
- AMP, Threat Grid, TALOS experience,
- Auto VPN, SD-WAN,
- different security functions already mentioned for the MX in the other comments.
With IP video surveillance:
- MV with a secure connection (see https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01)
With mobile devices:
- SM / EEM
- Mobile Device Management
- Mobile Application Management
- Mobile Content Management
Against these threats, the solution is a combination of protection efforts at each level.
If you need to deploy security at the edge quickly, MX appliances with Adv. Sec. licensing are the way to go. Deployment is very simple and very fast. AMP does a great job of catching malicious threats. Layer that with the IPS and Content Filtering to protect your network from exploits and other web-based threats. We are looking into deploying Threat Grid for analyzing unknown files and their behavior.
I think Meraki permits enterprises to better combat threats on multiple levels.
Of course the Advanced Security version of the MX is quite powerful thanks to AMP and IPS/IDS with a quick and easy way of configuration, but this is not the only action to take.
A key advantage with Meraki is having natively a complete set of actions to coordinate for better global security. For instance on the Wi-Fi part you can use NAT mode to isolate each single user behind a NAT like a container, and consequently be protected from other users potentially propagating a virus or a malware attack.
With Firewall & traffic shaping, from the source of the connectivity you can prevent enterprises’ users from going to non-desired/suspicious traffic categories on the internet…
And on top, if you couple your enterprise’s strategy with the embedded MDM (SM) to register all your corporate devices, with Sentry you can automatically deploy your internal policies to any devices and contain or limit the possible security breaches.
To conclude, the Meraki cloud solution is a quite complete mix of ways to configure new modern networks, efficiently and easily. I would just propose to think about a partnership with a third-party AV client to deploy via SM, again cloud-based like the unified Next-Generation Endpoint Protection SentinelOne solution.
Meraki gives us the power to manage our network infrastructure seamlessly and effectively. We are using Meraki’s Advanced Security protection features such as Threat Protection, Content Filtering, URL Blocking, Search Filtering etc. to protect our environment from any malicious attacks. With the Meraki Security Appliance and Layer 7 visibility, I can happily confirm that none of our users were affected by the recent ransomware outbreak, and also the KRACK vulnerabilities. Another great thing about Meraki infrastructure is their firmware updates, which are quite effective, flexible and can be done impeccably. The addition of MDM (SM) is a bonus as now we can manage mobile devices error-free in a secure mode.
For our company, we believe Meraki MX will replace our traditional VPN concentrators running Advanced License. We are now testing this across 10 sites across the globe and recommend everyone to make this into a template:
1. Segregate corporate LAN and guest network into different VLAN and do not publish in VPN for the latter
2. For network ports please do consider setting up Access Policy (with an on-prem RADIUS server or try JumpCloud) and you can use a combination of 802.1X and MAB to identify untrusted connected clients, then associate them with the guest VLAN
** We did not enable Splash Page for Guest VLAN but may be worth considering **
3. Content Filtering with Full List (better coverage) and apply whitelisted URL patterns for any needed
4. Enable both AMP and IDP/IPS under threat protection
When you have a new site, you may create a network and clone from the above template. This way you save a lot of time especially on Content Filtering which took us about 30 minutes for the first time. After deployment you may also want to perform the following for daily operations:
a. Set up an upgrade window like Sunday 3am local time so that you get the latest firmware before the start of the business week automatically
b. Set up Alerts and send to the 24/7 ServiceDesk via ServiceNow to assign tickets:
- Rogue DHCP Server is detected
- Warm Spare failover occurs
- Malware is blocked
- Malware is downloaded
c. Schedule Email Report
We receive weekly summary report and from there we also know top blocked sites by URL & Categories plus top security threats by signature. On demand you will also receive MX Security Report which informs about security events, affected clients, threats, affected operating systems, and source of threats. With MX Security Report received, Security Administrators should immediately review Security Centre in Meraki Dashboard to perform a number of mitigation tasks. (My personal favorite :
Block IP in Security Centre automatically creates firewall rules with comments so that rollback is easy. )
Apart from the above, we also know there is a team of friendly Meraki Support folks who we can email / ring up from the Advanced Security hotline found in Get Help of the Meraki Dashboard.
Customer wants higher security, visibility and control. Savings on the cost of MPLS could be an option.
1. Customer has MPLS in most branches, and in some Internet/VPN based on routers.
2. All sites get MX - sec license for AMP/IPS ofc.
3. 2 main sites get MX400 - sec license
Since QoS on MPLS is necessary right now, the customer won't change it. Instead MPLS lines in the same country are replaced with internet, and SD-WAN from smaller sites to one "main" site. From the country main site, MPLS with QoS connects to the 2 main datacenters. Should the "main site" in country X fail, small sites will connect directly to the MX400 in the datacenters.
* Higher security, IPS/AMP
* HA based on MPLS Hub/spoke, but with fallback if main MPLS lines fail (no QoS though) - and 4G backup as well, not possible before
* Full visibility of their users, world wide, big issue solved.
* Umbrella on top of Meraki, and for clients going offsite.
Customer now understands the importance of security and control, so next step is AMP for end points for all clients. Wireless replacement from X to Meraki in storage and offices - and a plan for replacing all switches with MS.
The Meraki story was perfect for this customer. A small IT department, but with visions. But with over 20 locations world wide, and 3 guys to manage, those visions were just not possible - Meraki solved this 🙂
We have seen some of our clients take a broad range of Meraki products in order to help secure their network edge, from various models of the MX and APs both indoor and outdoor to utilising Z1s and Z3s for secure access for their teleworkers and travelling staff, landing the VPNs from those Z*s on both MX devices and ASAs alike. Taking advantage of the RADIUS authentication capabilities for both wired and wireless clients as well as utilising AMP for further protection helps a great deal in keeping a tight network edge. In addition to this, as a solutions and support provider we find the Meraki estate a pleasure to work with: configuration is a breeze, updating devices on each network is simple, and visibility right up to layer seven makes it easy to show customers where their bandwidth is being used and by whom. It's clear to us that Cisco and Meraki are leading the way in the SDM field, and long may it continue!
Already in the purchase phase, when customers are looking for a solution to protect their organization, it's important to present threats and Cisco Meraki possibilities to customers' business owners. If the customer has good knowledge of the solutions and business benefits of Meraki's solutions for their business,
business owners and their decisions are safe and wise with great results.
Customers should have an MX at their every site. They should have Advanced licences for protection from a larger scale of threats and they should also use Cisco ISE and Umbrella for access control and DNS protection. Mobility management is another part of wise protection of their company. That's why Meraki SM should be in their use and profiles should be made correctly to reach intelligent full protection for their company.
If still something happens, call us or Meraki support 🙂
This was just a Business Value architect commercial opinion. Have a nice day
Merakify'ing the hell out of this place!
Started with MR... tick
What's this, a router with 4G, cloud managed? Yup! Count me in!... tick
What? We need a new warehouse and can't get a connection from the Openreach dudes.... MX... tick
Perfect MR placement... tick
Alerting in a HipChat room :D... tick
Every store online every time with MX, MS and MR 😄
Someone's unplugged a cable, yeah we know, stop doing that please, bam!
Someone said once "the future's bright"; did they say GREEN?
Well it is here!!!
New year, new challenges.... bring 'em on!
@SergeRobert1 I wish I could give you more Kudos. So far I like your answer best, because you have shown how Meraki security is not just a point product like MX, but a complete "full stack" approach, and is integrated into everything.
We worked with a federal agency to deploy Meraki MX and MR access points with a 3G/4G modem in countries like Chad, Turkey, Haiti and Ghana in support of the Syrian Refugee Camps. Paper based immigration files would be confiscated at borders. Meraki allowed the agency to send a backpack that extended IT services and security to very remote locations (and I mean VERY. like, no roads or running water).
The different Government agencies would all access their digital immigration applications, not only decreasing the amount of time a refugee must stay in the harsh camp conditions, but also keeping the records secure and allowing the different US agencies to collaborate much easier. The security features of the MX allowed the solution to be approved by some of our very security conscious Government Agencies.
This same project spawned an initiative with a non-profit that focuses on refugee education. The "Meraki in a backpack" solution is being used to bring teachers and students from the US to schools in Ghana via video. Although AMP and Threat Grid (and don't forget Umbrella/OpenDNS!) are invisible to the students and teachers, it's been very successful so far. It allows us to teach children how to use the internet safely, while keeping them secure.
https://www.refugeeoutreachclub.org/ - If anyone is interested.
In the most strict full stack Meraki environment here is an overview of our security.
Security Appliance (MX) - Redundant
Our own organization has recently installed a full Meraki suite over the course of this year; one of our primary goals as a retailer is protecting the storage and transmission of customer card data and PII. With Meraki products we were able to design a robust, current, and all-encompassing security landscape of MX routers, MS switches and MR access points to execute this requirement and support our goal of hardened network/information security.
We accomplished this in three ways. First, we utilize AMP, IDS and Content Filtering in all of our MX devices; we have had good experience with AMP in the past as we have a centralized Sourcefire IPS architecture, and now we can extend this to the appliance level to stop threats closer to the source. We respond to and investigate suspicious clients and react to malicious download or block notifications. Because the backend is managed by the experts, and is current, we trust the integrity of the definitions and the probability that emerging threats are contained.
Secondly, we extensively use the Meraki Group Policy, Security Center, Tagging, and Firewall framework to isolate sensitive systems and client access both inbound and outbound. We can tag certain SSIDs to be broadcast for special events for vendors, and we can also tag networks and clients to inherit specific rules based on the needs of those sections; this makes it very easy to manage and easily add or revoke access.
Lastly, we report on Traffic Analytics and syslogs and use the API to investigate unusual traffic or application/port anomalies to verify whether this is expected or malicious behavior. By keeping these tools in the cloud we save time in maintenance and management of those systems. Having a single repository of information helps to correlate unusual activity and account for our inventory and access design.
Meraki devices made it easy to install, configure and protect the environment within minutes. Network security has been made easy to implement. Bugfixing is done within minutes, all in one place.
We run a very layered, security focused approach on our networks. We run mostly hotels, but we also use the Meraki stack for our corporate office and other business ventures.
This helps keep us safe, in addition to the non-Meraki procedures we follow. Every bit of the layer helps!
All in all, while Meraki does a lot, it's by no means a one-stop solution for what you need. It is a great way to have a site-to-site VPN set up super easily. You can also block a lot of stuff really quickly, but plan on having the support phone number stored in your speed dial and memorizing your support PIN code.