MX Firewall vs BrandX

Crpence3
Here to help

MX Firewall vs BrandX

I will start this off by say all of our network is Meraki except for our firewall.  We have evaluated the Meraki MX every time we renew a security device.  In the past it had not had this or that.  So we moved on to other firewalls.  We are a decent sized non-profit business in the health care field.  So security is very important to us.  So now I am looking again as Brand X is back up for renewal.  I am wondering from the security community how they feel the MX stacks up now with the Advanced security package to other brand firewalls and if the advanced threat grid is important to have?  Any advice or help would be greatly appreciated. 

12 REPLIES 12
CptnCrnch
Kind of a big deal
Kind of a big deal

Depending on where the MX is to be placed, you‘re stuck either with mandatory NAT or having to run a possibly not „ready“ No-NAT implementation.

 

From a technology point of view, MX is kinda comparable even to Cisco Firepower: it also runs Snort and uses the same AMP engine (you already mentioned Threat Grid). If you want to have more possibilities than „activate IDS / IPS with a specific ruleset and whitelist rules“, you‘ll not be very happy with it (which is similar to e.g. Check Point from what I‘ve heard). The simplicity on the other hand is unbeatable here.

AMP and Threat Grid are great security products but only if they‘re able to see the traffic. With the current percentage of encrypted traffic the MX will have a hard time „seeing“ / analyzing threats unless the TLS decryption is officially available (if it makes sense or not though). Decryption performance on current MX seems way lower than Firepower though.

 

After all, there‘s one thing you won‘t ever beat with Meraki: the dashboard as single pane of glass for everything regarding your network which is of course very favorable when it comes down to OPEX.

@Crpence3 I am in the same boat as you with in regard to our main firewall. I find in its current state the MX is not granular enough for my liking. 

 

Would I love to have Meraki gear in every part of my networks yes but at the end of the day I have to have the best equipment for the job and sometimes that means going with another vendor. 

I agree.  I have until March of 20 to do our renewal from our current firewall.  I have some time but I am hoping for some good things to happen down the end of this year to see if Meraki might be a good fit.  

 

@Crpence3  What particular area are you concerned about exactly so we can help with your decision. 

@BlakeRichardson and @PhilipDAth I guess the one thing is with our current firewall the sandboxing is a great feature to have.  I know if we go with threat grid its good but more expensive so that could be an issue.  Also the SSL inspection is another aspect that currently is disappointing that this has not been put to the MX box yet.  So those are just a couple of items that have me concerned.  We have our demo tomorrow with are Var and Meraki so it will be interesting to see how that shakes out. 

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had a play with the beta SSL inspection.  I don't plan on recommending customers use this.  Basically your MX drops to having only 10% of its original throughput if you enable it for all clients.  Or to put it another way, you need to buy an MX ten times bigger that you originally wanted.  Note that you can use SSL inspection via group policy, so you can choose to apply it to just a group of users (such as internal only).

 

For customers that want this I intend to point them towards using an MX plus Umbrella.  Umbrella allows you to do "full proxy" for web sites that are questionable, everything else can go direct.  Umbrella does use sandboxing.

@PhilipDAth so say if you had roughly 330 users you could buy the MX and 330 Umbrella licenses and do things that way?  

@Crpence3  The thing with SSL inspection is you are essentially creating a man in the middle breaking the SSL encryption and then re-encrypting that traffic.

 

That man in the middle becomes a point of failure when it comes to security. 

>That man in the middle becomes a point of failure when it comes to security. 

 

Imagine if someone got hold of your root certificate you use for re-signing and creating dummy certificates.  You'd be screwed as an attacked could fake any secure site to your users.

PhilipDAth
Kind of a big deal
Kind of a big deal

>@PhilipDAth so say if you had roughly 330 users you could buy the MX and 330 Umbrella licenses and do things that way?  

 

This is where it becomes interesting.  If you only care about protecting users behind the MX then it is much cheaper to buy a "device" licence.  This covers everything behind the MX.  These licences are quite cheap.

 

In my case, I prefer per-user licences.  Most of my clients have notebooks that leave the office, so I like the idea of installing the Umbrella agent on the machines so they have the same protection when outside of the office.

@PhilipDAth and @BlakeRichardson  you have been very helpful and help me thing of other possibilities.  I will for sure investigate this to the fullest before making any decision.  I appreciate all you advice.  

PhilipDAth
Kind of a big deal
Kind of a big deal

When I'm choosing between Cisco Firepower or Cisco Meraki MX I usually look at what things the client needs that the MX can not do.  If I run into any of these, then I can not use an MX and I go with Cisco Firepower.

  • Need good client VPN capabilities (such as per user or per group ACLs, easy Duo integration).
  • Have medium or complex site to site VPN requirements (such as NATing in and out a VPNs address space, unique encryption domains like a /32, IKEv2 support, strong crypto like Suite-B).
  • Source NATing with more than one source.
  • Dynamic routing support like RIP, EIGRP, or needing to talk BGP to an ISP or other partners to the company.
  • Customisable IPS policies.
  • Live monitoring of ACLs.

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels