General best practices for secure configurations?

Comes here often

General best practices for secure configurations?

I'm starting to create benchmarks for device/OS configurations based off of the Center for Information Security's (CIS) benchmarks. They currently don't have any benchmarks for Meraki. I haven't found any documentation so far about best practices for secure Meraki configurations. Does anyone have any resources they could point me to for more information on the topic?

Kind of a big deal

Re: General best practices for secure configurations?

There are several meraki best practice guides.  Can you narrow the scope a bit and I can probably give you a link for something.  Otherwise this will find several of them for you ...
https://lmgtfy.com/?q=meraki+best+practices&s=g 

Comes here often

Re: General best practices for secure configurations?

Thanks, @PhilipDAth . What I'm mainly looking for are benchmarks for secure configurations. I was looking through some best practice documentation, but it was more general and broadly addressed administration and configurations on making things work correctly, rather than putting a focus on security.

Kind of a big deal

Re: General best practices for secure configurations?

I'm not aware of any security focused best practise guides.
Did you have a particular device family in mind, or were you concerned around the dashboard itself?

Comes here often

Re: General best practices for secure configurations?

We use various MS switches and MR access points in our environment, so focusing on those for now. 

Building a reputation

Re: General best practices for secure configurations?

Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but I suspect the admin config password can be exposed as well.

Kind of a big deal

Re: General best practices for secure configurations?
@Aaron_Wilson wrote:
Something I really dislike is how in the dashboard you can expose a WPA PSK. I have not tested, but i suspect the admin config password can be exposed as well.

Yes, you can expose a WPA PSK and the local admin password from accounts with read/write access. You can get the PSK for a third party tunnel using an API call.
If you're in an environment where you're worried about people having access to your wireless PSK, I'd really recommend finding a way to use 802.1x instead. Then at least you've theoretically got one credential per person.
@MW0013 What's your end goal? If these products were from another vendor, what functions would you want to implement? It's hard to give best practices when one doesn't know what you need them to do.
For switching, a lot of the basics are the basics. Network segmentation, port security, 802.1x if you can swing it, only permitting known DHCP servers... The same thing you would do with any other model of switch. Just with a white and green GUI.
The biggest Meraki-specific thing is to set a password on Network -> Configure -> General for your local status page, and disable the local status page unless you really need it. Also audit your administrators carefully, and ensure that people have the correct level of access and no more.
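
The administrator audit suggested above, as an added example that is not part of the thread or of any Meraki tooling: it checks a list of organization admins for full org access, write access without two-factor authentication, and stale accounts. The record layout mirrors what the Dashboard API returns for an organization's admins, but the field names and the sample records are constructed assumptions, not real data.

```python
"""Audit a Meraki organization's admin list for least-privilege gaps.

Added example, not from the thread. Record shape is assumed to follow the
Dashboard API 'Get Organization Admins' response; the data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real accounts).
SAMPLE_ADMINS = [
    {"name": "Alice", "email": "alice@example.com", "orgAccess": "full",
     "twoFactorAuthEnabled": True, "lastActive": "2024-05-01T10:00:00Z",
     "networks": []},
    {"name": "Bob", "email": "bob@example.com", "orgAccess": "full",
     "twoFactorAuthEnabled": False, "lastActive": "2023-01-15T08:30:00Z",
     "networks": []},
    {"name": "Carol", "email": "carol@example.com", "orgAccess": "none",
     "twoFactorAuthEnabled": True, "lastActive": "2024-04-20T12:00:00Z",
     "networks": [{"id": "N_1", "access": "read-only"}]},
]

# Constructed "current time" so the audit is reproducible offline.
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)


def audit_admins(admins, now, stale_days=90):
    """Return {email: [findings]} for admins that deserve a second look.

    Findings follow the thread's advice: write access (which can reveal
    PSKs and local passwords) should be rare, protected by 2FA, and in use.
    """
    findings = {}
    for admin in admins:
        issues = []
        has_write = admin["orgAccess"] == "full" or any(
            net.get("access") == "full" for net in admin.get("networks", []))
        if admin["orgAccess"] == "full":
            issues.append("full org access: confirm this is required")
        if has_write and not admin.get("twoFactorAuthEnabled"):
            issues.append("write access without 2FA")
        last = admin.get("lastActive")
        if last:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > timedelta(days=stale_days):
                issues.append(f"inactive for more than {stale_days} days")
        if issues:
            findings[admin["email"]] = issues
    return findings


if __name__ == "__main__":
    for email, issues in audit_admins(SAMPLE_ADMINS, AS_OF).items():
        print(f"{email}: {'; '.join(issues)}")
```

In a real run the list would come from the Dashboard API rather than the constructed sample, and the `now` argument from the current UTC time.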

Comes here often

Re: General best practices for secure configurations?

The end goal is a document of best practices around secure design and configuration as it relates to Meraki devices. If we look at the CIS benchmarks for other vendor equipment, it provides detailed info on what to configure and step-by-step on how to configure the devices to provide a secure baseline config. Vulnerability scanners, such as Rapid7, even have policy scans using the CIS benchmarks where you can scan that equipment and see how it matches up against the benchmarks, which is extremely handy when working with the teams to guide them on improving security on their devices. 
