Thanks, @PhilipDAth . What I'm mainly looking for are benchmarks for secure configurations. I was looking through some best practice documentation, but it was more general and broadly addressed administration and configurations on making things work correctly, rather than putting a focus on security.

I'm not aware of any security focused best practise guides.

 

Did you have a particular device family in mind, or were you concerned around the dashboard itself?

We use various MS switches and MR access points in our environment, so focusing on those for now. 

Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but i suspect the admin config password can be exposed as well.

---

@Aaron_Wilson wrote:
Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but i suspect the admin config password can be exposed as well.

---

Yes, you can expose a WPA PSK and the local admin password from accounts with read/write access. You can get the PSK for a third party tunnel using an API call.

 

If you're in an environment where you're worried about people having access to your wireless PSK, I'd really recommend finding a way to use 802.1x instead. Then at least you've theoretically got one credential per person.

 

@MW0013 What's your end goal? If these products were from another vendor, what functions would you want to implement? It's hard to give a best practices when one doesn't know what you need them to do.

 

For switching, a lot of the basics are the basics. Network segmentation, port security, 802.1x if you can swing it, only permitting known DHCP servers... The same thing you would do with any other model of switch. Just with a white and green GUI.

 

The biggest Meraki-specific thing is to set a password on Network -> Configure -> General for your local status page, and disable the local status page unless you really need it. Also audit your administrators carefully, and ensure that people have the correct level of access and no more.

The end goal is a document of best practices around secure design and configuration as it relates to Meraki devices. If we look at the CIS benchmarks for other vendor equipment, it provides detailed info on what to configure and step-by-step on how to configure the devices to provide a secure baseline config. Vulnerability scanners, such as Rapid7, even have policy scans using the CIS benchmarks where you can scan that equipment and see how it matches up against the benchmarks, which is extremely handy when working with the teams to guide them on improving security on their devices.