We run a very layered, security-focused approach on our networks. We run mostly hotels, but we also use the Meraki stack for our corporate office and other business ventures.

Network Wide:
- Alerts - set up alerts for rogue AP, any device going offline, DHCP pool exhausted, rogue DHCP server detected, and malware downloaded/blocked.
- General - collect destination hostnames. Change default local credentials. Add a syslog server to your environment for further monitoring and post-incident logs. Enable SNMP v3 with a secure username/password.

MX Setup:
- VLANs - segregate traffic based on activity: production network, guest network, CCTV network, etc. Create ACLs to prevent inter-VLAN traffic where not desired.
- DHCP - only offer DHCP on networks where it is required, and limit the scope. Activate DHCP snooping and rogue DHCP server detection.
- Firewall - prevent inter-VLAN traffic when not desired. Apply appropriate Layer 7 rules, such as filtering out P2P. Only create port forwarding for absolutely required services, and limit connecting IPs to only those needing access.
- Active Directory - integrate to allow better tracking of resources and for any post-breach research, if necessary. Also create groups to allow specific filtering profiles (management, line staff, etc.).
- Threat Protection - AMP enabled at all times. For IDS, Prevention and Security methods selected.
- Content filtering - unless otherwise overruled, the standard set is to block: Bot Nets, Confirmed SPAM Sources, Keyloggers & Monitoring, Open HTTP Proxies, Parked Domains, Peer to Peer, Phishing and Other Frauds, Proxy Avoidance, SPAM URLs, Spyware and Adware. This is also done on our guest networks for enhanced protection. For the production network, add: Adult and Pornography. Choose the full site list instead of Top sites only.
- Security Center - review on a weekly (or shorter, depending on your needs) interval. Set up scheduled email reports accordingly.

MR Setup:
- Access Control - even for guest networks, the recommended setup is WPA2 (only). Enable Adaptive 802.11r.
- Access Control - for secure networks, authenticate with RADIUS and use Systems Manager Sentry to ensure only authorized devices are connected.
- Access Control - make sure appropriate VLANs are being used, and guest traffic is prohibited from reaching any other subnet/network.
- Firewall - deny wireless clients access to the LAN as appropriate. Enable L7 rules for blocking P2P.
- SSID Availability - consider disabling unneeded SSIDs during closed times. Enable SSIDs only on APs where they are needed.
- Air Marshal - contain rogue APs seen on the LAN.
- PCI Report - run at regular intervals.
- Physical setup - ensure APs are mounted in locations not easily tampered with, or, if within reach, in a secure box/environment to prevent physical tampering.

MS Setup:
- IPv4 ACL - set up as appropriate for your organization.
- Access policies - set up SME Sentry for connected device and guest VLANs; use either Meraki authentication or, ideally, your RADIUS server.
- Switch Ports - disable unused ports.

SME Setup:
- Security Policies - create policies for different devices (stationary vs. mobile, for example).
- Security Policies - enable screen lock, login required, firewall enabled, disk encryption, antivirus running, passcode lock, device is not compromised, and minimum OS version check.
- Geofencing - enable appropriate policies based on device: very limited for stationary devices, broader for mobile depending on the user. Set up alerts to notify admins when a fence is breached.
- MDM Settings - require a password to remove the profile. Set appropriate restrictions, password policies, WiFi Sentry, etc. as needed based on the business.

This helps keep us safe, in addition to the non-Meraki procedures we follow. Every bit of the layer helps!
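Added example (editor's code, not from the post above or from Cisco Meraki): a small Python checker that compares exported network settings against the baseline the post describes (content filtering set and full site list, AMP on, IDS in Prevention with the Security ruleset, SNMP v3, unused switch ports disabled). The payload shapes follow Meraki Dashboard API v1 responses as I understand them (`appliance/contentFiltering`, `appliance/security/malware`, `appliance/security/intrusion`, `snmp`, `switch/ports`); those field names, the category label strings, and the `ports_with_link` input are assumptions to verify against the API reference. The sample payloads are constructed for the example and deliberately drift from the baseline so the checker has something to report.

```python
"""Check exported Meraki network settings against the post's hardening baseline.

Payloads are shaped like Meraki Dashboard API v1 responses (assumed shape; verify
field names against the API reference).  Fetching them, e.g. with
GET /networks/{id}/appliance/contentFiltering, is left to the caller so this runs
offline; the SAMPLE_* payloads below are constructed and intentionally non-compliant.
"""

# Standard blocked category set from the post; production networks add one more.
BASELINE_CATEGORIES = {
    "Bot Nets", "Confirmed SPAM Sources", "Keyloggers & Monitoring",
    "Open HTTP Proxies", "Parked Domains", "Peer to Peer",
    "Phishing and Other Frauds", "Proxy Avoidance", "SPAM URLs",
    "Spyware and Adware",
}
PRODUCTION_EXTRA = {"Adult and Pornography"}


def _norm(name):
    # Category labels can differ slightly between dashboard and API ("&" vs "and").
    return name.lower().replace("&", "and").strip()


def audit_content_filtering(cf, production=False):
    """Return findings for a contentFiltering payload."""
    findings = []
    required = BASELINE_CATEGORIES | (PRODUCTION_EXTRA if production else set())
    blocked = {_norm(c["name"]) for c in cf.get("blockedUrlCategories", [])}
    for cat in sorted(required):
        if _norm(cat) not in blocked:
            findings.append(f"content filtering: not blocking '{cat}'")
    if cf.get("urlCategoryListSize") != "fullList":
        findings.append("content filtering: use the full site list, not Top sites only")
    return findings


def audit_threat_protection(malware, intrusion):
    """AMP must be enabled; IDS in Prevention mode with the Security ruleset."""
    findings = []
    if malware.get("mode") != "enabled":
        findings.append("threat protection: AMP is not enabled")
    if intrusion.get("mode") != "prevention":
        findings.append(f"threat protection: IDS mode is '{intrusion.get('mode')}', expected 'prevention'")
    if intrusion.get("idsRulesets") != "security":
        findings.append(f"threat protection: IDS ruleset is '{intrusion.get('idsRulesets')}', expected 'security'")
    return findings


def audit_snmp(snmp):
    """SNMP should be v3 (per-user auth, access == 'users'), never a community string."""
    if snmp.get("access") == "users" and snmp.get("users"):
        return []
    if snmp.get("access") == "users":
        return ["snmp: v3 enabled but no users defined"]
    return [f"snmp: access is '{snmp.get('access')}', expected v3 ('users')"]


def audit_switch_ports(ports, ports_with_link):
    """Flag enabled ports that never had link; the post says to disable unused ports.

    ports_with_link is the set of portIds seen up in port status history (assumed
    to be gathered by the caller; constructed below).
    """
    findings = []
    for port in ports:
        if port.get("enabled") and port["portId"] not in ports_with_link:
            label = port.get("name") or "unnamed"
            findings.append(f"switch port {port['portId']} ({label}): enabled but unused, disable it")
    return findings


# Constructed sample data, deliberately out of compliance in a few places.
SAMPLE_CONTENT_FILTERING = {
    "blockedUrlCategories": [{"name": n} for n in (
        "Bot Nets", "Confirmed SPAM Sources", "Keyloggers and Monitoring",
        "Open HTTP Proxies", "Parked Domains",  # "Peer to Peer" is missing
        "Phishing and Other Frauds", "Proxy Avoidance", "SPAM URLs",
        "Spyware and Adware", "Adult and Pornography")],
    "urlCategoryListSize": "topSites",
}
SAMPLE_MALWARE = {"mode": "enabled", "allowedUrls": [], "allowedFiles": []}
SAMPLE_INTRUSION = {"mode": "detection", "idsRulesets": "balanced"}
SAMPLE_SNMP = {"access": "community", "communityString": "public"}
SAMPLE_PORTS = [
    {"portId": "1", "name": "uplink", "enabled": True},
    {"portId": "2", "name": "", "enabled": True},
    {"portId": "3", "name": "spare", "enabled": True},
    {"portId": "4", "name": "", "enabled": False},
]
SAMPLE_PORTS_WITH_LINK = {"1"}


def run_audit(production=True):
    """Run every check against the sample payloads and return all findings."""
    return (audit_content_filtering(SAMPLE_CONTENT_FILTERING, production)
            + audit_threat_protection(SAMPLE_MALWARE, SAMPLE_INTRUSION)
            + audit_snmp(SAMPLE_SNMP)
            + audit_switch_ports(SAMPLE_PORTS, SAMPLE_PORTS_WITH_LINK))


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Against the constructed sample this reports seven findings: the missing Peer to Peer category, the Top sites list, IDS in detection mode on the balanced ruleset, SNMP via community string, and two enabled-but-unused switch ports. Wire the `audit_*` functions to real API exports and run them on the same weekly cadence as the Security Center review so configuration drift shows up alongside the threat reports.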