I would love to use the Meraki full stack in my environment but the network is subject to LEIN audits every three years. Devices that pass criminal justice information are required to hold a valid FIPS 140-2 certificate. I have heard from many sources that Meraki is in the process of acquiring these certs. Does anyone know more?
I would like this too. It is a big hold up being to implement full stack Meraki in a Criminal Justice environment.
I haven't heard of any rumours of Meraki applying for FIPS140-2 compliance (to be specific, FIPS140-2 relates to VPN and crypto).
However the 15.x code train (not available to the public yet) has significant changes on the VPN side - and perhaps those changes might make FIPS140-2 possible.
One significant issue is that FIPS140-2 is given to specific software versions. This would mean you could not upgrade the firmware to maintain compliance. This kinda violates the whole Merai principle where the software is kept up to date automatically for you.
The last part of this year is going to prove to be exciting in this area!
@PhilipDAth the encryption Meraki uses for its VPN tunnels is likely FIPS 140-2 compliant but getting the actual devices certified is what we'd be after. Cisco already does this with their ASA line of products and those have regular updates available. So I don't see why Cisco couldn't do this for its Meraki line of products as well. It cuts out a big chunk of law enforcement and criminal justice customers otherwise.
>Cisco already does this with their ASA line of products and those have regular updates available
Note that specific software releases are certified FIPS140-2 for the ASA. You can not just upgrade the ASA software and maintain your FIPS140-2 certification.
I have just heard a rumor...mind you it is just a rumor and is not substantiated at all, but I heard that Meraki devices will be on the FIPS 140-2 compliance list as soon as May of 2020.
Due to confidentiality and non-disclosure agreements, I cannot share the content of the signed letter I received from an SVP in Meraki. I can tell you that though the Meraki devices may not be on the FIPS compliancy list by May, the intent is to be by May.
Since it is not May as you state, I have not heard anything more. I'm going to at least wait until then to start asking more questions.
It is May! I have been tracking this thread for at least a year, and now that we are here I wanted to see if there were updates.
In a previous life as an MSP, Meraki was a great solution. In my current role, we must have FIPS to purchase, and our ASAs are due for replacement.
Please tell me there is a solution, or if one is on the roadmap still and when. I would prefer to purchase Meraki over the others but need to have this in the pocket before I can.
From my rep at Meraki...
So Fortinet it is.. who knows how long this next wait will be.. I can't risk further deployment of Meraki gear with this unknown not being handled in a reasonable amount of time.
Thank you for that. A ton.
Meraki is obviously not following this thread. I spent a lot of time looking for roadmaps and news. They don't want to say "FIPS, the concept breaks our system and putting that burden on every customer for the DoD / DOJ / etc isn't worth it, ever." They should say that.
Cisco should step up and say "ASA and Firepower our our platforms for customers who require FIPS."
I will also be giving up on this, I don't have 15 more months to hope that they support it.
That's your choice. I'll just continue to buy the cheapest FP1010 for FIPS and run Meraki everywhere else until Meraki gets up to speed. I love Meraki and their concepts. Now with the muscle of Cisco, I can wait. I'm patient.
I wish I was in that situation. We aren't in a place where we could run two solutions. 99% of our employees and data requires protection.
I see that the Cisco website shows version 16 of the MX firmware as compliant. I've only seen version 15 so far (beta).
Here is the page on the Cisco site showing version 16 as compliant:
Is there a "special" beta of version 16 available? Is it perhaps just for some particular physical models?
We just need everyone to upgrade to 15.x, then it will become the new stable release, the 14.x train will be dropped, and 16.x will become the new public beta which everyone can use.
@martin-netx I see from that link that the next beta for wireless, switching and firewalling are all going to be FIPS compliant.
We're running 27.x on MRs, 14.x on MSs* and 15.x on MXs so if the rest of you all follow, as @PhilipDAth said, we'll have FIPS compliance all the sooner.
*Not on an L3 stack of 3x MS210s as it is sorely unstable on that configuration as of 14.10.'
I'm really glad we held out for Meraki's FIPS compliancy. This is going to just make everything much nicer in my realm.
I work for a Cisco partner and we run beta versions on most of our own Meraki kit already. Got quite a few customers running version 15 on the MX's too.
I've heard on the grape vine that only certain models of MX are going to be FIPS compliant. Don't know if this is down to the physical encryption processors in use. I'd be very happy to hear anything back from Meraki about this.
@martin-netx I'd think you'll be correct. I imagine some of the smaller older devices (MX64/65 etc.) will not be able to go to MX16 at all or perhaps only in a limited way.
From my Meraki rep,
Meraki MX450, MX250, and any MX6x will become FIPS compliant, but the rest of the MXs will not. So for instance, the MX84 will never be FIPS compliant.
Yeah those model numbers correspond with what I've heard. Shame about the MX84 and MX100 in particular.
For the MX84 and MX100, they are currently in development for replacements that will be FIPS 140-2 compliant that have similar price points and throughput, but the current MX84 and MX100 will not be unfortunately. At least that is what my reps and Cisco/Meraki engineers are telling me.
I'd hope the replacements are somewhat more performant for a similar cost, especially in terms of raw throughout as that would then be a worthwhile improvement.