MX series - SSL Inspection

Solved
alphatango
Conversationalist

Hello,

 

Just wondering if traditional SSL inspection is a thing on Meraki (with any of the licenses).

I was digging through the internet and found it was in a Meraki beta version, but I cannot find any articles on it.

More specifically, I am looking for outbound SSL inspection where the firewall acts as a proxy for encrypted traffic (i.e. with the CA-signed cert).

 

Let me know,

 

Thanks! 

1 Accepted Solution
BlakeRichardson
Kind of a big deal
Kind of a big deal

Not supported. It has its uses, I grant you that; however, you are breaking SSL encryption, which isn't a good thing, and it's a pain because some online systems, e.g. ChromeOS management and Apple services, will not work if SSL inspection is used. It becomes a game of cat and mouse as you try to get the data you are looking for without breaking things.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.


10 Replies
alemabrahao
Kind of a big deal
Kind of a big deal

I will use @MilesMeraki's words.

 

 

"I'm under the assumption that this might be removed/no longer available. The HTTPS feature on the MX's caused severely degraded throughput once enabled plus an array of other issues.

 

I think the direction now going forward will be to perform the HTTPS/TLS decryption by a SASE security service like Umbrella in-line between the MX and the Internet/SaaS traffic. If you have a look at the updated Sizing guides this also seems to be the "recommended" approach. (https://meraki.cisco.com/product-collateral/mx-sizing-guide/?file).

 

This isn't necessarily a bad thing. SASE security architectures allow for the same security posture and enforcement to be maintained no matter the user's location. This would effectively mean that their HTTPS/TLS traffic would be still decrypted when either on a trusted network or on an un-trusted/un-managed network. Most vendors are now taking this approach to security."

 

Original post: https://community.meraki.com/t5/Security-SD-WAN/HTTPS-Inspection-on-MX/m-p/135063

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alphatango
Conversationalist

Is there a way I can get a confirmation from Meraki TAC?

alemabrahao
Kind of a big deal
Kind of a big deal

You can open a case or call them.

 

https://meraki.cisco.com/meraki-support/overview/

alphatango
Conversationalist

Update: TAC is giving me the runaround. They can't find any article to support that this works.

They claim that HTTPS inspection will do what we need, but they can't find any articles to prove it. More updates later.

alemabrahao
Kind of a big deal
Kind of a big deal

The HTTPS Inspection feature on Meraki MX devices was in beta testing as of 2019. It seems that the feature might have been removed or is no longer available. The HTTPS feature on the MX's caused severely degraded throughput once enabled, plus an array of other issues.

 

The option I see that you can use instead is integration with Cisco Umbrella.

CptnCrnch
Kind of a big deal
Kind of a big deal

No, SSL Decryption was pulled some time ago from the MX (for good reasons). If you really want to decrypt SSL, you'd have to stick to another firewall like Firepower or another vendor's solution.

Your best option, though, is to go the cloud-native way with something like Cisco Secure Access that will handle a lot more of your (future) tasks.

Ibanez1998
Just browsing

Breaking SSL security to scan for malware about to enter at the edge of the network is a VERY GOOD thing. A real SSL inspection service will allow trusted connections to bypass SSL decryption, like data traversing to and from banks or to trusted cloud services like Google Search, but can be selectively implemented on new or unknown services to help protect the user from downloading backdoors and trojans. It doesn't have to be an on/off service, but how can you call ANY network secure without having some semblance of SSL inspection or deep packet inspection? You can't. Don't believe me? Go to Eicar.org and test the efficacy of your edge security. Without packet inspection you're not going to be able to stop viruses from entering your network. If your local AV software is alerting about the download, then that's your last line of defense and your security posture is crap.

PhilipDAth
Kind of a big deal
Kind of a big deal

What everyone is saying is correct: the old traditional native SSL inspection feature was removed, because there was a better solution.

 

Cisco Meraki and Cisco Umbrella natively integrate together. In fact, the integration even spans multiple product families (MX and MR).
https://documentation.meraki.com/MR/Other_Topics/Automatically_Integrating_Cisco_Umbrella_with_Merak...

 

And then this evolved even a step further, and (especially for MX) the current iteration is now:

https://documentation.meraki.com/CiscoPlusSecureConnect 

Basically you buy your MX and a "Foundation Essentials" licence. You can read more about the licence options here:
https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Cisco__Secu...

 

So traditional SSL inspection: no. Modern SSL inspection: yes.

If you are starting greenfield, I would jump directly to Foundation Essentials.

Ibanez1998
Just browsing

Which means that, in an attempt not to break things, we can't decrypt traffic to scan for viruses, backdoors, etc. So in the name of functionality, let's disable a feature that keeps the network safe. See, all an attacker needs to do now is use a cheap GoDaddy SSL cert or upload their payload to a product or service that's already credible and secured, and voila! They've just bypassed all our enhanced security and the entire network is now a target for bad actors.

I hear what you're saying about usability, yet somehow Fortinet has solved this challenge, and we've successfully deployed working networks without SSL inspection on trusted services while keeping SSL inspection on for less-than-trusted services. It can be done on target IP, or up to Layer 7 application-aware. Right now I can't even seem to get Meraki to disallow P2P but allow Skype, which uses P2P. I'm pretty disappointed with Meraki. Massive cost and a great WiFi platform, but the licensing costs are astronomical for missing so many security points. How does a real network even get secured using this platform? There must be lots and lots of third-party products running to give any kind of semblance of network security, because Cisco just doesn't cut it at all these days. I can't believe this company is as big and complex as it is, considering it can't handle the basic security needs of customers.
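As an added illustration (not code from this thread, from Meraki, or from any vendor mentioned) of the selective inspection the posts above argue over: a decrypting proxy can only decide decrypt-or-bypass before it decrypts, and the only destination identity it has at that point is the SNI in the TLS ClientHello. The bypass list, hostnames and the minimal ClientHello builder below are constructed for the example.

```python
import struct
from typing import Optional

# Constructed bypass list: destinations a selective policy would never decrypt
# (certificate-pinned device-management services, banking). Placeholder values.
BYPASS_SUFFIXES = ("apple.com", "icloud.com", "google.com", "examplebank.test")


def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the server_name from a raw TLS record holding a ClientHello, else None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # skip client_version and random
    sid_len = client_hello[p]; p += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", client_hello[p:p + 2])[0]; p += 2 + cs_len   # cipher_suites
    comp_len = client_hello[p]; p += 1 + comp_len     # compression_methods
    if p + 2 > len(client_hello):
        return None                                  # no extensions block at all
    ext_total = struct.unpack("!H", client_hello[p:p + 2])[0]; p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[p:p + 4]); p += 4
        if ext_type == 0x0000:                       # server_name extension
            # list length(2), name type(1), name length(2), host name
            name_len = struct.unpack("!H", client_hello[p + 3:p + 5])[0]
            return client_hello[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def decide(client_hello: bytes) -> str:
    """'bypass' for allow-listed destinations, 'inspect' otherwise (including no SNI)."""
    host = parse_sni(client_hello)
    if host is None:
        return "inspect"   # nothing to allow-list on, so the flow stays under inspection
    if any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES):
        return "bypass"
    return "inspect"


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2-framed ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Pinned clients such as the Apple and ChromeOS management services mentioned above are exactly the flows that must land in the bypass branch, since they reject any certificate the proxy re-signs.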
