MX84 - Isolate Client Device

Solved
PeterG
Here to help


Interested in how the MX84 (or similar) device actually isolates a device it recognizes as having malware. Does it turn off the switch port (if so, how does it do this), or is there some other mechanism it uses to isolate the device and protect other connected devices on the LAN?

1 Accepted Solution
PhilipDAth
Kind of a big deal

It does not do anything to protect other devices on the LAN.

If you use Systems Manager, you can have it check the antivirus/antivirus on the machine, and if that reports the machine is infected you can have a group policy applied.

If it is plugged into a Meraki switch or connected via Meraki WiFi, it could be isolated at that point in time.


6 Replies

PeterG
Here to help

So coupled with a Meraki Switch it can instruct the Switch to turn off the port?

PhilipDAth
Kind of a big deal

No. You can have it apply a firewall rule blocking all the traffic.
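For anyone wanting to automate the "apply a group policy that blocks all traffic" approach described above, here is an added example (not code from the thread or from Meraki) that creates a deny-all group policy and pins a client to it through the Meraki Dashboard API. The API key, network ID and client MAC are placeholders; the endpoint paths (`POST /networks/{id}/groupPolicies`, `PUT /networks/{id}/clients/{mac}/policy`) and JSON field names are written from my knowledge of Dashboard API v1, so check them against the current API reference. Consistent with the rest of the thread, this enforces at the MX/MR: traffic between the quarantined client and peers on the same VLAN behind a switch never reaches the MX and is not blocked by it.

```python
"""Quarantine a LAN client by assigning it a deny-all group policy through
the Meraki Dashboard API.  Added example, not Meraki's or the thread's code.

Assumptions (placeholders, not real values): the API key, NETWORK_ID and the
client MAC.  Endpoint paths and JSON field names follow Dashboard API v1 as
the author of this example understands it.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def quarantine_policy_body(name="Quarantine - AV reported infection"):
    """Group policy whose custom L3 firewall rule denies all traffic.

    The rule is evaluated where the group policy is enforced (MX or MR), so it
    covers traffic the client sends through the MX, not traffic to peers on
    the same VLAN behind a switch.
    """
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [
                {
                    "comment": "Quarantine: deny everything",
                    "policy": "deny",
                    "protocol": "any",
                    "destPort": "Any",
                    "destCidr": "Any",
                }
            ],
        },
    }


def client_policy_body(group_policy_id):
    """Per-client policy assignment pointing at the quarantine group policy."""
    return {"devicePolicy": "Group policy", "groupPolicyId": str(group_policy_id)}


def api_request(method, path, body, api_key, dry_run=True):
    """Send one Dashboard API call, or in dry_run mode return what would be sent."""
    url = f"{BASE_URL}{path}"
    if dry_run:
        return {"method": method, "url": url, "body": body}
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def quarantine_client(network_id, client_mac, api_key,
                      group_policy_id=None, dry_run=True):
    """Pin a client to the quarantine policy, creating the policy if no id is given.

    Returns the list of API calls made (dry_run) or their responses.
    """
    calls = []
    if group_policy_id is None:
        created = api_request("POST", f"/networks/{network_id}/groupPolicies",
                              quarantine_policy_body(), api_key, dry_run)
        calls.append(created)
        # In dry-run mode there is no response, so the id is a labelled placeholder.
        group_policy_id = created.get("groupPolicyId",
                                      "<groupPolicyId from create response>")
    assigned = api_request("PUT",
                           f"/networks/{network_id}/clients/{client_mac}/policy",
                           client_policy_body(group_policy_id), api_key, dry_run)
    calls.append(assigned)
    return calls


if __name__ == "__main__":
    # Placeholder identifiers; set MERAKI_DRY_RUN=0 to actually call the API.
    dry = os.environ.get("MERAKI_DRY_RUN", "1") != "0"
    for call in quarantine_client("L_000000000000000000", "aa:bb:cc:dd:ee:ff",
                                  os.environ.get("MERAKI_API_KEY", "<api key>"),
                                  dry_run=dry):
        print(json.dumps(call, indent=2))
```

In practice you would create the quarantine group policy once and pass its id via `group_policy_id` so every detection only costs the single per-client PUT; the dry-run mode lets you review exactly which calls an AV/EDR integration would issue before giving it an API key.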

PeterG
Here to help

I guess my point is that the blocking of the device is only out through the firewall, so whether the switches are Meraki switches or other Cisco switches (or other managed switches), the blocking function is still the same and the LAN is still exposed, other than by manual intervention?

PhilipDAth
Kind of a big deal

I have looked into this further. L3 and L7 firewall rules for group policy can only be applied to MX and MR, and not MS. So it cannot be done at the switch port level.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

You should be able to do this using 802.1x and Cisco ISE, but that is a very complex setup.

You should be able to do this using 802.1x and Microsoft NPS using a health policy, but that is a fairly complex setup.

Adam
Kind of a big deal

I assume you are referring to the Advanced Malware Protection (AMP)? If so, "When enabled, all HTTP traffic will be analyzed for malware. Files determined to be malicious will automatically be blocked before they reach the client. For a description of file types that will be evaluated, visit our Security Filtering Documentation Page."

So basically it just protects/stops the malware. It doesn't isolate or, in any way, contain the entire client's traffic, only the malware-identified traffic that the client is trying to participate in.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO