Disable WAN1 and WAN2 ports to isolate a site under cyberattack

Solved
Racer22
Conversationalist

Disable WAN1 and WAN2 ports to isolate a site under cyberattack

We have multiple sites each with their own pair of MX's that are configured with WAN1 for ISP1 (primary) and WAN2 for ISP2 (failover).  If we receive a report that a ransomware message appears on a client's PC, we want to remotely disconnect that entire site from the internet (and our VPN).  

 

One way to do this is to simply power off the MX's or disable their network connectivity.  However, we (IT admins) are not at each site and we don't know how to do this remotely.  I understand from another post on this forum that you cannot remotely disable both WAN ports.

 

Please advise on a solution?  With the increasing threat of ransomware, we need a "red button" to push so we can quickly isolate a site from the network.

1 Accepted Solution
Fabian1
Getting noticed

In that case I would simply disable the Auto-VPN of that site. There is no need to disable the WAN ports. 

You could also set a firewall rule that denies any traffic to your WAN.

You could also script that and use the API, there you could program your red button.

View solution in original post

3 Replies 3
Johnfnadez
Building a reputation

Hello!

 

I dont consider that disconnecting and isolating the network manually is a good practice for ransomware attacks, the best way is to configure policy enforcements in case of device compromising.

 

In my experience I would consider a three alternatives:

 

Using System Manager we can mark devices in quarintine 

 

https://documentation.meraki.com/SM/Monitoring_and_Reporting/Selective_Wipe_and_Device_Quarantine_in...

 

We can include devices in a Block List

 

Captura de Pantalla 2022-08-17 a la(s) 22.22.10.png

 

Or we can try to use Cisco ISE to enforce ACLs on the switchport and block any potential traffic.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ISE_26_admin_guide/b_ISE_admin_...

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
Racer22
Conversationalist

I'm not concerned about the MX itself being compromised.  I want to prevent the ransomware from spreading to other sites on the VPN.  So I'm looking for a way to disable it remotely and quickly.

Fabian1
Getting noticed

In that case I would simply disable the Auto-VPN of that site. There is no need to disable the WAN ports. 

You could also set a firewall rule that denies any traffic to your WAN.

You could also script that and use the API, there you could program your red button.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels