General best practices for secure configurations?

MW0013
Conversationalist

I'm starting to create benchmarks for device/OS configurations based off of the Center for Information Security's (CIS) benchmarks. They currently don't have any benchmarks for Meraki. I haven't found any documentation so far about best practices for secure Meraki configurations. Does anyone have any resources they could point me to for more information on the topic?

PhilipDAth
Kind of a big deal

There are several Meraki best practice guides. Can you narrow the scope a bit and I can probably give you a link for something. Otherwise this will find several of them for you ...

https://lmgtfy.com/?q=meraki+best+practices&s=g

MW0013
Conversationalist

Thanks, @PhilipDAth. What I'm mainly looking for are benchmarks for secure configurations. I was looking through some best practice documentation, but it was more general and broadly addressed administration and configurations on making things work correctly, rather than putting a focus on security.

PhilipDAth
Kind of a big deal

I'm not aware of any security-focused best practice guides.

Did you have a particular device family in mind, or were you concerned around the dashboard itself?

MW0013
Conversationalist

We use various MS switches and MR access points in our environment, so focusing on those for now.

Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but I suspect the admin config password can be exposed as well.

Nash
Kind of a big deal

@Aaron_Wilson wrote:
Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but I suspect the admin config password can be exposed as well.

Yes, you can expose a WPA PSK and the local admin password from accounts with read/write access. You can get the PSK for a third party tunnel using an API call.

If you're in an environment where you're worried about people having access to your wireless PSK, I'd really recommend finding a way to use 802.1x instead. Then at least you've theoretically got one credential per person.

@MW0013 What's your end goal? If these products were from another vendor, what functions would you want to implement? It's hard to give best practices when one doesn't know what you need them to do.

For switching, a lot of the basics are the basics. Network segmentation, port security, 802.1x if you can swing it, only permitting known DHCP servers... The same thing you would do with any other model of switch. Just with a white and green GUI.

The biggest Meraki-specific thing is to set a password on Network -> Configure -> General for your local status page, and disable the local status page unless you really need it. Also audit your administrators carefully, and ensure that people have the correct level of access and no more.

MW0013
Conversationalist

The end goal is a document of best practices around secure design and configuration as it relates to Meraki devices. If we look at the CIS benchmarks for other vendor equipment, it provides detailed info on what to configure and step-by-step on how to configure the devices to provide a secure baseline config. Vulnerability scanners, such as Rapid7, even have policy scans using the CIS benchmarks where you can scan that equipment and see how it matches up against the benchmarks, which is extremely handy when working with the teams to guide them on improving security on their devices.
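As an added example (not code from the thread, from Meraki, or from CIS), the following script shows what a CIS-style benchmark for the points raised above could look like as code: the administrator audit and local status page settings from Nash's reply, the PSK-versus-802.1X point, and the pass/fail, rule-by-rule reporting MW0013 describes for policy scans. It runs entirely offline over a constructed configuration snapshot; the field names (orgAccess, twoFactorAuthEnabled, hasApiKey, lastActive, localStatusPageEnabled, localStatusPagePasswordSet, authMode) are assumptions modelled loosely on the Dashboard API's admin and network settings, and would need to be mapped onto the real JSON an organization exports.

```python
"""CIS-style benchmark checks over a Meraki-like configuration snapshot.

Added example, not Meraki's or CIS's code. The snapshot and its field names
are constructed assumptions; map the real Dashboard API output onto them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    rule_id: str
    severity: str      # "high", "medium" or "low"
    subject: str       # admin e-mail, network name, or network/SSID
    detail: str
    remediation: str


# Fixed "today" so the inactivity check gives the same result on every run.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
INACTIVE_AFTER = timedelta(days=90)

# Constructed sample snapshot (assumed shape, not real API output).
SNAPSHOT = {
    "admins": [
        {"email": "alice@example.com", "orgAccess": "full",
         "twoFactorAuthEnabled": True, "hasApiKey": True,
         "lastActive": "2024-01-14T09:00:00Z"},
        {"email": "bob@example.com", "orgAccess": "full",
         "twoFactorAuthEnabled": False, "hasApiKey": False,
         "lastActive": "2024-01-10T17:30:00Z"},
        {"email": "carol@example.com", "orgAccess": "read-only",
         "twoFactorAuthEnabled": True, "hasApiKey": True,
         "lastActive": "2023-08-01T08:00:00Z"},
    ],
    "networks": [
        {"name": "HQ-Wireless", "localStatusPageEnabled": True,
         "localStatusPagePasswordSet": False,
         "ssids": [{"name": "Corp", "authMode": "8021x-radius"},
                   {"name": "Guest", "authMode": "psk"}]},
        {"name": "Branch-1", "localStatusPageEnabled": False,
         "localStatusPagePasswordSet": True,
         "ssids": [{"name": "Corp", "authMode": "8021x-radius"}]},
    ],
}


def _parse_ts(ts: str) -> datetime:
    # Accept the trailing "Z" form without requiring Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_admins(admins, now=NOW):
    """Rules for the 'audit your administrators' advice."""
    findings = []
    for a in admins:
        who = a["email"]
        if a["orgAccess"] == "full" and not a["twoFactorAuthEnabled"]:
            findings.append(Finding("ADM-1", "high", who,
                "full organization access without two-factor authentication",
                "Require 2FA for every read/write administrator"))
        if now - _parse_ts(a["lastActive"]) > INACTIVE_AFTER:
            findings.append(Finding("ADM-2", "medium", who,
                f"no dashboard activity for more than {INACTIVE_AFTER.days} days",
                "Confirm the account is still needed; remove it if not"))
        if a["orgAccess"] != "read-only" and a["hasApiKey"]:
            findings.append(Finding("ADM-3", "medium", who,
                "API key tied to a read/write account (read/write access can expose PSKs)",
                "Scope access to the minimum needed and rotate the key on a schedule"))
    return findings


def check_networks(networks):
    """Rules for the local status page and PSK-vs-802.1X advice."""
    findings = []
    for n in networks:
        name = n["name"]
        if n["localStatusPageEnabled"]:
            findings.append(Finding("NET-1", "medium", name,
                "local status page enabled",
                "Disable it under Network -> Configure -> General unless it is really needed"))
            if not n["localStatusPagePasswordSet"]:
                findings.append(Finding("NET-2", "high", name,
                    "local status page reachable without a password",
                    "Set a local status page password"))
        for s in n.get("ssids", []):
            if s["authMode"] == "psk":
                findings.append(Finding("WLAN-1", "low", f"{name}/{s['name']}",
                    "SSID uses a shared WPA PSK",
                    "Move to 802.1X so each person has their own credential"))
    return findings


def run_benchmark(snapshot, now=NOW):
    return check_admins(snapshot["admins"], now) + check_networks(snapshot["networks"])


def summarize(findings):
    """Counts per severity, the way a policy-scan report rolls results up."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = run_benchmark(SNAPSHOT)
    for f in results:
        print(f"[{f.severity:6}] {f.rule_id} {f.subject}: {f.detail} -> {f.remediation}")
    print(summarize(results))
```

Each rule carries its own remediation text, which is the part of a CIS benchmark that teams actually act on; adding a rule is a matter of appending another check, and the summary gives the per-severity roll-up a scanner would show.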

TJ_Harris
New here

Good evening.

Did you find anything concerning CIS benchmarks for Meraki?
