Community Challenge: Ready, Get set....

CarolineS
Community Manager

 

 

UPDATE 20 Feb 2018: WHOOPS! My first email today linked to the wrong place! Please check out the February Community Challenge instead. Thanks, ya'll! <FACEPALM! />

 

 

 

--------

Go!… the Meraki Community team is launching our first Community Challenge!

 

MerakiCommunity-CommunityChallenge.png

 

The Community Challenge will give you chance to share your Meraki-related experiences and best practices while competing for a grab bag of fun swag. We know you love our Meraki swag!

 

Winners

We will be selecting 2 Community Challenge winners.

  1. The Community Favorite — chosen by you, our fantastic Community members. Vote by kudoing your favorite post(s). The post with the most kudos will win!
  2. The Meraki Favorite — chosen by an internal Meraki panel of judges based on creativity, completeness, and accuracy. 

Challenge entries and kudos can be submitted now through Monday, November 20th at 5:00pm PT - just answer the challenge question by commenting on this blog post. Winners will be announced before Thanksgiving (November 23). Whether or not you enter the challenge, be sure to help us decide the winner by voting on your favorite entry!

 

The Challenge Question

 

Globally malicious web activity has morphed into a multi-billion dollar industry, threatening organizations large and small. How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?

 

Good Luck!


 

Rules:

  1. Limit one entry per person per challenge contest.
  2. Contest will run from 8:00am PT November 15th to 5:00pm PT November 20th.
  3. Prize will be a grab bag of Meraki swag 
  4. Complete rules and eligibility can be found here.
33 Comments
Bin
Conversationalist

Delay on Meraki to do the basic line of defense: 

1. Deploy Meraki MXs to all locations, and keep them running at the latest firmware

2. Enroll with the advance security licensing to make sure all the antivirus, anti-malware, intrusion prevention, and other features are up to date

3. Make sure the AMP, Intrusion Prevention functions are turned on; and create all necessary firewall and traffic shaping rules.

 

Add another layer of monitoring on top

4. Utilize Splunk to monitor and analyse the system logs from Meraki into understand the network activities and be alerted when suspicious activity is spotted.

JeffShannon
Just browsing

Cisco Meraki Security appliances help our customers stay more secure than other firewall based security solutions and are a key part in our solution stack to protect our customers from malicious activity.

Other firewalls require a management server to store logging activity, definition files and other tools that enable their security offerings. This led to many situations for our SMB customers in the past where they would purchase a security appliance from us but they would be unwilling to spend the money on professional services or internal hardware/software resources to setup/configure/maintain/emable the security appliance. With Meraki, turning on security services is a 5 minute operation and showing customers how they can refine their own content control rulesets is empowering to them.

Computernations
Comes here often

We've deployed Meraki as our edge device in our country offices (Iraq, Congo, Rwanda, Nigeria, and Afghanistan by EOY), implemented filtering and traffic shaping and ensured devices stay updated.  This has been an awesome display of cloud management for all our IT staff and it has gone great.

Senan_Rogers
Getting noticed

 

We will need to Delpy the following:-

1. Apply some rules in the MX to block some ports / try to allow only Ports that is needed to work.

2. Apply some ACL/ NAT /PAT  mode in the MX  and try to use DMZ  to isolated some servers from the Local Server.

2. Deploy Meraki MXs to any locations, and keep them running at the latest firmware.

3. Enroll with the advance security licensing to make sure all the antivirus, anti-malware, intrusion prevention, and other features are up to date

4. Make sure the AMP, Intrusion Prevention functions are turned on; and create all necessary firewall and traffic shaping rules.

Thank you 

geoffbernard
Here to help

How have I seen organizations leverage Meraki’s advanced security tools to combat emerging threats?

 

There are numerous ways that Meraki security tools have helped our customer's combat threats.

 

  1. Cisco AMP is time-consuming to deploy on traditional ASA devices. With Meraki, I can setup AMP with 3 dropdown boxes in less than 10 seconds. This extreme time saving is appealing to every customer.
  2. Built in VPN functionality means even non-administrators can setup their own VPN client - no install required
  3. VPN means we can close public openings. We see RDP open on the Internet too many time. Customers will only use a solution if security is balanced with convenience.
  4. Dashboard reports enable even the non-technical user to have a view of the security.
  5. The client list - this is my favorite thing to show a client. It's priceless to hear them exclaim "I didn't realize there were so many devices on my network. Who is that? What device is THAT?!"
  6. Mobile app - I believe in empowering users. When you install the Meraki app & show a client they have 100% visibility to their network 24x7x365, they are always amazed.
  7. SOHO/Branch Office users no longer need a large security appliance or home-brew solution to add security. Meraki Z1 can be purchased & setup for little more than a high-end consumer device and they don't include client or site to site VPN.
  8. Firmware updates used to be an arduous task. Meraki not only automates updates but empowers administrators to control the upgrade window, version, and features. How many ransomware attach vectors use already patched flaws? Auto updates ensure you don't get hit by something that was fixed months ago.
  9. Many clients (including those running Cisco AMP & ISE) were infected with ransomware.
  10. 0% of our Meraki clients experienced ransomware attacks.

Coincidence? I think not. 

 

I ❤️ Meraki

JamesDocherty
Comes here often

Implement the appropriate Meraki MX device with the Advanced Security License! Enable the Advanced feature set! Have fun education session to familiarize users with Phishing attacks so they don't "Open any doors to attack!" Let the MX do it's job!

Jurumani
Conversationalist

To start, its easy:

  • Plug-in, turn on, click, click, click, save and done! Like everything else Meraki.
  • As long as you have IPS and AMP enabled you're mostly done, Meraki takes care of the rest.
  • Check back on the Security Center Dashboard daily initially, mitigate threats detected and tweak the firewall rule-sets.
  • As you reduce the number of detected attacks you can reduce your Security Center visits to weekly level with some alerting for abnormal spikes.

In order to extend the security to devices operating outside of the perimitere of the MX, add Umbrella and AMP for Endpoints,

KapilA
Conversationalist

Hello,

We are seeing a trend where internet bound threats are mostly originated from a handful of countries. The customers really like the "Geography based firewall rule" which is part of the Meraki advance security license suite. it's super simple for organizations to prevent data leak to undesired countries around the world with just a few clicks. AMP/ Anti malware is another great features organizations love. With Cisco's continued focus in AMP development clubbed with the expertise provided by TALOS, organizations are leveraging these tools heavily to combat the emerging security threats. 

 

tx

Kapil

DavidR
Comes here often

"How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?"

 

-I have not seen most organizations use Meraki gear, thats why we still have a b multi-billion dollar industry, threatening organizations large and small.

Meraki need an influencer in each continent to actually show how several attacks are stopped while a normal router gets owned in mere seconds.

 

Its all about marketing. Its all about money. Its all about security.

Or you are broke.

Atul
Comes here often

Integration of critical Cisco security technologies like Snort and Advanced Malware Protection into Cisco Meraki MX platform ensures that customers who choose Meraki enjoy world-class protection for their valuable network assets

Mr_IT_Guy
A model citizen
  1. Meraki and the MX line handles the bulk of the workload in mitigating this threat. Ensuring our MX devices are on the latest firmware is a crucial first step as it ensures that these threats cannot exploit old vulnerabilities in the gear.
  2. Meraki's Advanced Security Licensing. This gives access to tools such as AMP and IPS/IDS. By properly configuring these services, you add another layer of security to the equation.
  3. Utilization of Layer 3 and Layer 7 Firewall rules. Using Layer 3 rules you can block traffic to certain locations and Layer 7 rules can deny traffic from countries. 
  4. Content filtering rules. Understanding that Meraki uses BrightCloud as the basis for Content Filtering categories, we need to make sure that we blocking/allowing access to sites that BrightCloud sees as safe/unsafe appropriately. We must also check in periodically to ensure this information is updated in a timely fashion.
  5. URL FIows. Meraki has the ability to see where your traffic is flowing to/from (i.e. you can see when you are hitting the Microsoft site in CA or the UK). Know where your traffic is flowing from and what is "normal traffic" to develop your baseline is essential to fighting these threats.
  6. Packet captures/Syslogs. Make sure that traffic is somewhere for long term collection. Utilizing products such as PRTG to monitor Netflow and Syslog can add in this. Meraki also has built in packet capture capability. Using these tools has help in making sure our data is going in and out as intended and allows us to see when things are looking suspicious.
  7. Creation of routes. Make sure that we are only allowing routes that need to be shared in VPN connections and keeping all others out of site to site participation. Additionally, when creating routes use the smallest subnet when possible (I.e. using 10.0.0.0/22 instead of 10.0.0.0/8).
  8. Client VPN. Use a LONG password (minimum of 16 characters). Meraki VPN uses Aggressive Mode VPN. The longer the password, the better.

There's sooo much more, but that's what I can think of a before running into my meeting.

 

GOOD LUCK EVERYONE!

JaiminPatel
Here to help

Advanced Malware Prevention (AMP) inspects all HTTP file downloads through a Security Appliance and blocks/allows file to be downloaded based on threat intelligence salvaged from the AMP cloud.

 

Intrusion Detection and Prevention

Intrusion detection strengthen all packets flowing between the LAN and Internet interfaces as well in-between VLANs and records the produced alerts to the Security Report. 

Intrusion prevention blocks all the traffic that is identified as malicious, rather than just generating alerts.

 

Whitelisting signatures

You can create list of specific signatures by clicking Whitelist an IDS signature. Any signatures for which matching traffic has been seen by the appliance will appear in the Select an Option drop-down so that you can select which signature or signatures you wish to whitelist.

 

Security Report

The report delivers you a graphical depiction of Intrusion Detection events in your network.

CatesBro
Comes here often

We use AMP and IDP, IDP in detect mode only right now. We plan on implementing an MDR solution next year and would end the logs from our devices to the solution provider for analysis. Right now I review the security dashboard daily.

Ryan-Zimmerle
Getting noticed

The Challenge Question: 

 

Globally malicious web activity has morphed into a multi-billion dollar industry, threatening organizations large and small. How have you seen organizations leverage Meraki’s advanced security tools to combat emerging threats?

 

The Challenge Response: 

 

Advanced Malware Protection (read more) and IPS/IDS (read more) are the features that immediately come to mind when thinking about combating malicious web activity.  Furthermore, Meraki in June of 2017 released support for Threat Grid (read more), this add-on strengthens the advanced security tools portfolio.  Lastly, Meraki has other features such as content filtering, identity based firewall, layer 3 rules, layer 7 rules, ACLs, and others  that help organizations in this capacity that may not be "advanced security tools" but are still helpful in the fight.  What I love about these three advanced offerings (AMP, IDS/IPS, and Threat Grid) is that Meraki allows organizations to deliver ubiquitous protection to combat emerging threats, and best of all, sticking to the mission statement, we now have cloud managed security tools that simply work!  This simplification of powerful security tools has allowed organizations to deploy protections where the users may have previously been left in the dark due to various barriers such as, technical know-how, budget constraints, and systems management overhead.  Organizations now have the freedom to focus their passions rather than spending time worrying about these threats and tools, Merakified* security! 

 

*(v. past part. merakified) to add soul, creativity or love to something, improving its performance through innovation, simplicity and flair!

 

Merakify-Email-Banner_v2-01-768x358.jpg

 

 

 

 

WadeAlsup
A model citizen

(I didn't mean to write a book, it just kinda happened... Feel free to skip to the last paragraph if you want to know how it turned out for me)

 

I would say the company I work for is a small to mid sized business. We have about 275 employees in a small town in North-Central Texas. When I first started working for Air Tractor (shameless plug), we had a single aDSL connection coming into an office on the opposite side of our single campus from our "Server Room" where our core switch was located. This pitiful setup and connection was supporting around 90 workstations internally and a guest wireless network. I'll never forget those first few weeks... I was hardly surprised to hear complaints about internet speeds or synchronization issues with email. It was easy to understand why we were having intermittent internet "outages" when the CPU on our undersized firewall would max out due to poorly setup content filtering while trying to handle throughput and client vpn routing. Seeing the rats nest of cables surrounding the switch rack in that tiny, hot, server room...no wonder everyone was afraid to touch anything. None of this surprised me. 

 

I spent more time those first few weeks observing. Listening. Not simply to hardware or configurations. No. Listening to the employees. Listening to the workers on our production floor that are used to these issues and seeing that they never brought them up because they've become the norm. Listening to office staff and understanding their simple requests that have only gone unnoticed. Still, nothing was surprising as I learned. I had walked into a previously non-existent position created out of necessity and everything uncovered from my users was absolutely expected. 

 

It wasn't until I had a real chance to sit down with the faces I recognized from my interview that I was pleasantly surprised. I say "pleasantly" because it was refreshing. Refreshing in a sense that they realized the potential threat of the outside world and how it could jeopardize everything they had worked so hard to build and protect over the years. Refreshing that it instilled in me a deeper respect for everyone I had met and listened to the past few weeks. Refreshing that I really had a potential to grow into my position and know that I would be looked upon as more than just a desktop support technician. Refreshing...and absolutely terrifying. (I'm sure glad they saw a confidence I didn't know I had yet)

 

The following months I grew a little more comfortable with my daunting, originally unrealized role as I dove into creating a game plan for how we could both update our network AND focus more easily on security. With little background on hardware and solution procurement...wow. There were probably 10 times as many options as I had ever imagined there would be when it comes to firewalls. WHO KNEW? (well, at the least, I didn't know) But there was one conversation I had with a former colleague that changed the game. How she was getting by with minimal IT resources with a network I imagined was 3 times my size. There was a brand mentioned that I had never heard before. Meraki How could Cisco have another player in the ring that I had never heard of? I don't know how or why it came up, but I'm very grateful for that quick conversation in passing. 

 

So enough about beginnings and the sentiments of green IT guy...now we fast forward a few years. If you have somehow managed to make it through my ramblings thus far, I congratulate you and say "Thanks!" Secondly, if you're not using a Meraki MX device with the Advanced Security license...well, then, I'm sorry. Also, go get one. Right Now. Just click right here and get one. It was the best decision I ever made, maybe it can be the same for you. 

 

As an all-in-one person IT department, I find myself too often needing to be a little...creative with my time-management. On the fly access to Meraki's Security Center is perfect for my intensely varying days in and out of the office. At a glance, I can see which systems at which site are being hit the most, and literally where in the world it's coming from. From a compliance standpoint, I can block an entire country's traffic from reaching my network in just a few clicks. The use of Bright Cloud's updated category listing for content filtering helps keep my users off of malicious sites. I consider our MX 100 as my hardest working employee. Whether I'm busy at work, or I'm sleeping at home, or on vacation with no signal in the mountains...the Master Chief (as I have named him, any Halo fans?) is hard at work. While I'm always on call, he's always on duty. I take pride in the fact that I have the leader of network security (Cisco) backing my departments employee of the month (going on 2 years straight, I doubt I'll ever claim that title at this rate). The Cisco AMP (Advanced Malware Protection) integration alerts me and lets me know if something may have slipped through. The retrospective aspect of this has greatly improved incident response time (and my confidence in our other security layers when I see it's caught by another means). This single appliance has helped mold our companies culture around security and has helped me create a better security posture out of one that simply was not there before.  

ARiK_LeV
Conversationalist

I manage a network for my kid's school and we run an MX.  With 400 students that bring their own devices as well as parents, teachers, administrators, and guests jumping on the network with all sorts of random mobile devices,   every week is a learning experience.  

 

1.  Threat Prevent is setup  Enable, Protect, Secure options.  Detect is for suckers!

2. We segmented the network into vlans and setup access controls to restrict   east west access for clients.

3.  We  go big brother style on content filtering because my kids and the kids for all my friends and neighbors are in the school and I care about all of them like they're my own.  My goal is to add at least one domain per week to  the Blocked URL patterns.

4.  Layer 7 rules block several categories of apps like P2P, Gaming, file sharing, and more.

5. I review security center  weekly.

6.  We have the MDM on all internal systems.

7.   I review Org Hosted Logs and look for domains and categories that are accessed and make updates.

8.   For other domains and services,  I have multiple rules in Traffic shaping  to limit bandwidth  for non essentials.   So apple.com and icloud.com    are limited to 100kbps.

9. Finally, i look at the clients list and sort by bandwidth utilization to see who is doing what.  When someone pushes lots of data through they get blocked or we check out what they accessed.

 

In the past 6 months, we haven't had a virus, malware or anything else hit the internal systems.

 

SergeRobert1
Conversationalist

Many important points that have been explained in previous comments.

 

From my point of view, one of the great strengths of Meraki is a "Full Stack" approach to security with right consideration at each level.
The continuity of protection is valid from access to applications.

 

With on the MR and MS:
- security from access (802.1X, Privat VLAN, RADIUS authentication, ...).
- Protection of WLAN accesses (WPA2, WIDS / WIPS, NAC, Auto Tunneling VPN Technology, Air Marshal, ..)
- filtering (URL, access list, ...) to avoid connections that involve threats.
- proactively discover DHCP rogue
- application layer visibility.
-...

Directly with MX:
- IDS / IPS
- AMP, Threat Grid, TALOS experience,
- Auto VPN, SD-WAN,
- different security functions already mentioned for the MX in the other comments.

 

With IP video surveillance:
- MV with a secure connection (see https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01)

 

With mobile devices:
- SM / EEM
- Mobile Device Management
- Mobile Application Management
- Mobile Content Management
- Mobile Content Management
-..

Against these threats, the solution is an addition of protection efforts at each level.

RYN0
Here to help

If you need to deploy security at the edge quickly, MX appliances with Adv. Sec. licensing is the way to go. Deployment is very simple and very fast. AMP does a great job of catching malicious threats. Layer that with the IPS and Content Filtering to protect your network from exploits and other web based threats. We are looking into deploying ThreatGrid for analyzing unknown files and their behavior.

 

LUX-Merakifyer
Here to help

I think MERAKI permits enterprises to better combat against threat on multiple levels.

Of course Advanced-Sec version of MX is quite powerful thanks to AMP and IPS/IDS with a quick and easy way of configuration, but this is not the only action to take.

 

A key advantage with Meraki is to have natively a complete set of actions to coordinate for a better global security. For instance on the Wi-Fi part you can use NAT mode to isolate each single user behind a NAT like a container, and consequently being protected of other users potentially propagating a virus or a malware attack.

With Firewall & traffic shaping, from the source of the connectivity you can avoid enterprises’ users to go to non-desired/suspicious traffic categories on internet…

And on top if you couple your enterprise’s strategy with the embedded MDM (SM) to register all your corporates’ devices, with Sentry you can automatically deploy your internal policies to any devices and contain or limit the possible security breaches.

 

To conclude, the Meraki cloud solution is a quite complete mix of way to configure new modern networks, efficiently and easily. I would just propose to think about a partnership with a third party AV client to deploy via SM, again on a cloud based like the unified Next-Generation Endpoint Protection Sentinel-One solution.

ShibuR
Comes here often

Meraki give us the power to manage our Network Infrastructure seamlessly and effectively. We are using Meraki’s Advanced Security protection features such as Threat Protection, content Filtering, URL Blocking, Search Filtering etc.  to protect our environment, form any malicious attacks. With Meraki Security Appliance and Layer 7 visibility, I can happily confirm that none of our users were affected by recent Ransomware outbreak, and also KRACK vulnerabilities. Another great think about Meraki infrastructure is their firmware updates which are quite effective , flexible and can be done impeccably. With addition to MDM (SM) is a bonus as now we can manage mobile devices error free in a secure mode.

sg_marklim88
Comes here often

For our company, we believe Meraki MX will replace our traditional VPN concentrators running Advanced License.  We are now testing this across 10 sites across the globe and recommend everyone to make this into a template:

 

1. Segregate corporate LAN and guest network into different VLAN and do not publish in VPN for the latter

2. For network ports please do consider setting up Access Policy (with on-prem Radius server or try JumpCloud) and you can use a combination of 802.1x and MAB to identify untrusted connected clients then associate them in guest VLAN
** We did not enable Splash Page for Guest VLAN but may be worth considering **

3. Content Filtering with Full List (better coverage) and apply whitelisted URL patterns for any needed

4. Enable both AMP and IDP/IPS under threat protection

 

When you have a new site, you may create a network and clone from the above template.  This way you save a lot of time especially on Content Filtering which took us about 30 minutes for the first time.  After deployment you may also want to perform the following for daily operations:

 

a.  Setup an upgrade window like Sunday 3am local time so that you get the latest firmware before start of business week automatically

b.  Setup Alerts and send to 24/7 ServiceDesk via Service-Now to assign tickets:

- Rogue DHCP Server is detected

- Warm Spare failover occurs

- Malware is block

- Malware is downloaded

c.  Schedule Email Report

 

We receive weekly summary report and from there we also know top blocked sites by URL & Categories plus top security threats by signature.  On demand you will also receive MX Security Report which informs about security events, affected clients, threats, affected operating systems, and source of threats.  With MX Security Report received, Security Administrators should immediately review Security Centre in Meraki Dashboard to perform a number of mitigation tasks.  (My personal favorite :

Block IP in Security Centre automatically creates firewall rules with comments so that rollback is easy.  )

 

Apart from the above, we also know there is a team of friendly Meraki Support folks who we can email / ring up from the Advance Security hotline found in Get Help of Meraki Dashboard. 

LB
Comes here often

The-Meraki-Way.jpg#fool.pr00f

Boldsen
Comes here often

customer want higher security, visibillity and control. Savings on cost of MPLS could be an option.

 

1. Customer has MPLS in most branches, and in some Internet/VPN based on routers.

2. All sites get MX - sec licens for AMP/IPS ofc.

3. 2 main sites get MX400 - sec licens

 

Since QoS on MPLS is nessesary right now, customer wont change it. Instead MPLS lines in the same country is replaced with internet, and SD-WAN from smaller sites to one "main" site. From the country main site, MPLS with QoS connects to the 2 main datacenters. Should the "main site" in country X fail, small sites will connect directly to MX400 in the datacenters.

 

Customers gets:

 

* Higher security, IPS/AMP

* HA based on MPLS Hub/spoke, but with fallback if main MPLS lines fail (no QoS though) - and 4G backup as well, not possible before

* Full visibility of their user, world wide, big issue solved.

* Umbrella on top of Meraki, and for clients going offsite.

 

Customer now understands the importance of security and control, so next step is AMP for end points for all clients. Wireless replacement from X to Meraki in storage and offices - and a plan for replacing all switches with MS.

 

The meraki story was perfect for this customer. A small IT department, but with visions. But with over 20 locations world wide, and 3 guys to manage, those visions was just not possible - Meraki solved this 🙂

PhilSmith-ADL
Conversationalist

We have seen some of our clients take a broad range of meraki products in order to help secure their network edge, from various models of the MX AP's both indoor and outdoor to utilising Z1's and Z3's for secure access for their teleworkers and travelling staff. Landing the VPN's from those Z*'s on both MX devices and ASA's alike. Taking advantage of the radius authentication capabilities for both wired and wireless clients as well as utilising AMP for further protection helps a great deal in keeping a tight network edge. In addition to this as a solutions and support provider we find the meraki estate a pleasure to work with, configuration is a breeze, updating devices on each network is simple, and visibility right up to layer seven makes it easy to show customers where their bandwidth is being used and by whom. It's clear to us that Cisco and Meraki are leading the way in the SDM field, and long may it continue!

Ari-EvenetGroup
New here

Already In the purchase phase, when Customer are looking for a solution for protect their organization, it´s important to present threats and Cisco-Meraki possibilities to Customers business owners. If Customer has good knowledge of solutions and business benefits of Meraki´s solutions for their business.

Business owners and their decision are safe and wise with great result´s.
Customer should have MX their ever site, They should have Advanced licences for protection of larger scale of threats and they should use also Cisco ISE and Umbrella for access control and DNS protection. Mobility management is another part of wise protection of their company, That´s why Meraki SM should be in their use and Profiles should be made correctly to reach intelligent full protection for their company.

If still something happens, call us or Meraki support 🙂

This was just a Business Value architect commercial opinion. Have a nice day

MarkNaylor
Conversationalist

Merakify'ing the hell out of this place!

 

started with MR... tick

what's this a router with a 4G, cloud managed, yup! count me in!... tick

what? we need a new warehouse and can't get a connection from the openreach dudes.... MX... tick

perfect MR placement... tick

alerting in Hipchat room :D... tick

every store online every time with MX, MS and MR 😄

someone's unplugged a cable, yea we know, stop doing that please, bam!

 

someone said once "the future's bright" did they say GREEN?

 

Well it is here !!!

 

New year, new challenges.... bring em on!

PhilipDAth
Kind of a big deal

@SergeRobert1 I wish I could give you more Kudo's.  So far I like your answer best - because you have shown how Meraki security is not just a point product like MX, but a complete "full stack" approach, and is integrated into everything.

LeeVG
Here to help

We worked with a federal agency to deploy Meraki MX and MR access points with a 3G/4G modem in countries like Chad, Turkey, Haiti and Ghana in support of the Syrian Refugee Camps. Paper based immigration files would be confiscated at borders. Meraki allowed the agency to send a backpack that extended IT services and security to very remote locations (and I mean VERY. like, no roads or running water).

 

The different Government agencies would all access their digital immigration applications, not only decreasing the amount of time a refugee must stay in the harsh camp conditions, but also keeping the records secure and allowing the different US agencies to collaborate much easier. The security features of the MX allowed the solution to be approved by some of our very security conscious Government Agencies.

 

This same project spawned an initiative with a non-profit that focuses on refugee education. The "Meraki in a backpack" solution is being used to bring teachers and students from the US to schools in Ghana via video. Although AMP, ThreatGrid (And don't forget Umbrella/OpenDNS!) are invisible to the students and teachers, It's been very successful so far. It allows us to teach children how to use the internet safely, while keeping them secure.

 

https://www.refugeeoutreachclub.org/ - If anyone is interested.

Adam
Kind of a big deal

In the most strict full stack Meraki environment here is an overview of our security.

 

Security Appliance (MX) - Redundant

  • Security Appliance>Content Filtering
    • Make sure to enable Full List
    • content filter.PNG
  • Security Appliance>Threat Protection
    • AMP Enabled
    • Intrusion Detection and Prevention set to Prevention/Balanced
  • Security Appliance>Firewall
    • Deny Peer-to-Peer (P2P) All P2P
    • Deny Countries Traffic to/from
      • layer7.PNG
    • Firewall rules to deny all traffic from our guest Vlan to other internal networks
    • We maintain a public guest vlan/network and a private internet only vlan/network.  One of the lesser considered issue is that if one of your devices fails over to the guest Vlan that could be the very same Vlan that public computers are on.  Your protected machine could inadvertently fail 802.1x and end up on the public Vlan due to expired AD password etc.  To combat this we have a separate internet only vlan/network for credit card machines, 802.1x failing devices, etc.  This helps prevent the co-mingling of public devices with our trusted internal devices. 

Switches

  • All ports enabled for 802.1x and will failover to guest Vlan
  • Mac Whitelist used for ports with printers
  • Switch>IPv4 ACLs to restrict certain traffic to/from sensitive devices

Wireless

  • Private subnet isn't advertised, deployed using Group Policy so machines know what to connect to
  • Pulic Guest Vlan using Meraki DHCP and Deny access to Local LAN

Non Meraki

  • AV and Patching
  • OpenDNS Umbrella - This has been one of the biggest tools for helping our users prevent getting malware/crypto.  I hope know that Cisco owns this product that it eventually takes the place of Meraki's Content Filter.

 

RandyN
Conversationalist

Our own Organization has recently installed a full Meraki suite over the course of this year, one of our primary goals as a retailer is protecting the storage and transmission of customer card data and PII. With Meraki products we were able to design a robust, current, and all-encompassing security landscape of MX Routers, MS Switches, MR Access Points to execute this requirement and support our goal of hardened Network/Information security.

 

We accomplished this in three ways. First, we utilize AMP and IDS and Content Filtering in all of our MX Devices, we have had good experience with AMP in the past as we have a centralized Source fire IPS architecture, now we can extend this to the appliance level to stop threats closer to the source. We Respond to an investigate suspicious clients and react to malicious download or block notifications. Because the backend is managed by the experts, and is current, we trust the integrity of the definitions and the probability that emerging threats are contained.  

 

Secondly, we extensively use the Meraki Group Policy, Security Center, Tagging, and Firewall Framework to isolate sensitive systems and client access both inbound and outbound. We can tag certain SSIDs to be broadcasted for special events for vendors, we can also Tag networks and clients to inherit specific rules based on the needs of those sections, this makes it very easy to manage and easily add or revoke access.

 

Lastly, we report on Traffic Analytic, Syslog’s and use the API to investigate unusual traffic or application/port anomalies to verify that this is expected or malicious behavior. By keeping these tools in the cloud we save time in maintenance and management of those systems. Having a single repository of information helps to correlate unusual activity and account for our inventory and access design.

Mfu
Conversationalist

Meraki Devices made it easy to install, configure and protect the enviroment within minutes. Network Security has been made easy to implement. Bugfixing is done within minutes, all in one place

BHC_RESORTS
Head in the Cloud

We run a very layered, security focused approach on our networks. We run mostly hotels, but we also use the Meraki stack for our corporate office and other business ventures.

 

Network Wide:

 

  • Alerts - setup alerts for rogue AP, any device going offline, DHCP pool exhausted, rogue DHCP server detected, malware is downloaded/blocked.
  • General - collect destination hostnames. Change default local credentials. Add a syslog server to your environment for further monitoring and post incident logs. Enable SNMP v3 with secure username/password.

 

MX Setup:

 

  • VLANs. Segregate traffic based on activity. Production network, guest network, CCTV network, etc. Create ACLs to prevent inter-vlan traffic where not desired.
  • DHCP - Only offer DHCP on networks where it is required, and limit scope. Activate DHCP snooping and rogue DHCP server detection.
  • Firewall - Prevent inter-vlan traffic when not desired. Apply appropriate Layer 7 rules, such as filtering out P2P. Only create port forwarding for absolutely required services, limit connecting IPs to only those needing to access.
  • Active Directory - Integrate to allow better tracking of resources and for any post breach research, if necessary. Also create groups to allow specific filtering profiles (management, line staff, etc.)
  • Threat Protection - AMP Enabled at all times. For IDS, Prevention and Security methods selected.
  • Content filtering - Unless otherwise overruled, standard set is to block: Bot Nets, Confirmed SPAM Sources, Keyloggers & Monitoring, Open HTTP Proxies, Parked Domains, Peer to Peer, Phising and Other Frauds, Proxy Avoidance, SPAM Urls, Spyware and Adware. This is also done on our guest networks for enhanced protection. For production network, add: Adult and Pornography. Choose full site list instead of Top sites only.
  • Security Center: Review on a weekly (or shorter, depending on your needs) interval. Setup scheduled email reports accordingly.

MR Setup:

 

  • Access Control - Even for guest networks, recommended setup is for WPA2 (only). Enable Adaptive 802.11r.
  • Access Control - For secure networks, authenticate with RADIUS and use Systems Manager Sentry to ensure only authorized devices are connected. 
  • Access Control - Make sure appropriate VLANs are being used, and guest traffic is prohibited from reaching any other subnet/network.
  • Firewall - Deny Wireless clients accessing LAN as appropriate. Enable L7 rules for blocking P2P. 
  • SSID Availability - Considering disabling unneeded SSIDs during closed times. Enable SSIDs on APs only where they are needed.
  • Air Marshal - Contain rogue APs seen on the LAN
  • PCI Report - run at regular intervals
  • Physical setup - ensure APs are mounted in locations not easily tampered with, or if within reach, in a secure box/environment to prevent physical tampering.

MS Setup:

 

  • IPv4 ACL: Setup as appropriate for your organization
  • Access policies - Setup SME Sentry for connected device and guest VLANs - use either Meraki authentication or ideally, your RADIUS server.
  • Switch Ports - disable unused ports.

 

SME Setup:

 

  • Security Policies - Create policies for different devices (stationary vs mobile for example).
  • Security Policies - Enable screen lock, login required, firewall enabled, disk encryption, antivirus running, passcode lock, device is not compromised, and minimum OS version check.
  • Geofencing - Enable appropriate policies based on device. Very limited for stationary devices, more broad for mobile depending on the user. Setup alerts to notify admins when fence is breached.
  • MDM Settings - Require password to removal profile. Set appropriate restrictions, password policies, WiFi sentry, etc. as needed based on the business.

 

This helps keep us safe, in addition to the non-Meraki procedures we follow. Every bit of the layer helps!

Warren
Getting noticed
  • Place a Mx device with advanced license in every office
  • Setup site to site vpn, block subnets from accessing subnets they don't need to (i.e. branch office to branch office, when they just need branch office to HQ)
  • Utilize VPN for office to HQ (datacenter) communications rather than the open internet.
  • Set up client vpn to HQ for users who need to remotely access servers
    • Find out that Meraki's windows split tunnel implementation is not reliable and prone to failures on a regular basis.
      • Deploy Z1/Z3 to home users or find another VPN client  solution as the one built in leaves much to be desired.
  • Turn on advanced features like AMP, IDS, etc.
    • Turn off AMP for all those users who run into false positives and find that AMP blocks the download of routine PDF files and similar.
      • Put in support tickets, await resolution in a future version of firmware, try out new firmware, go back to not using AMP as it's still broken.
  • Set the firewall to block traffic to countries/domains/categories that you don't need users to access
    • White-list those sites that have been misclassified by BrightCloud (Webroot) that Meraki uses on for their categorization
      • Submit mis-categorized urls to Brightcloud so that they aren't a problem going forward
    • Unblock countries / categories that you routinely have problems with because of the way that webroot classifies them and doesn't allow for the whitelisting of certain URLs/IP
    • Debate with yourself and support whether or not full list or default is the correct setting.  Contacting support about a problem with this usually results in them suggesting you pick the opposite setting of whatever you have selected.  Expect to be told that you are overloading the device by running it in full list mode.
    • Have the Meraki classify sites not only based on domain, but also based on underlying IP address - creating lots of false positives for things like Content Delivery Networks and others that often use the same IP to deliver different sites.
  • Copy those rules to other offices.  Curse the fact that there is no way to reliably have a global whitelist or blacklist.
  • Create groups of users that need exceptions to the default categories blocked, i.e. HR people who need access to job search sites.
  • Hope that a firmware update doesn't break something else that used to work without a problem.
  • Hope when an office internet connection drops out for a bit that the site to site vpn set's itself back up automatically.  If not watch out for the email alerts that it failed and reboot the MX device.
  • Monitor Meraki logs using another program
    • Learn that Meraki doesn't log things like a power cycle as such, and learn the terminology used to indicate a reboot.
  • Contact support with the bugs you find
  • Deploy end point protection to pick up on what the meraki didn't catch
  • Use openDNS family safe and friendly filtered servers 208.67.222.123, 208.67.220.123 (vs their open ones).  Wish that they had an easy one click integration with a company that Cisco Owns.  
    • FamilyShield will always block domains that are categorized in our system as: Tasteless, Proxy/Anonymizer, Sexuality and Pornography.
      • Ponder why it doesn't block malware and a few other categories
  • Deploy Systems Manager on a few endpoints for testing.
    • Find out it is lacking in most areas of what you need a systems management solution
    • Trial out other RMM solutions
      • Pick another all the while wondering why it can't integrate with your firewall.
  • If you are looking into MXNNw lines - i.e. the ones with wireless built in - stop - buy an MX device and a separate access point.  The built in wifi on the MX64W is terrible. 
    • Replace those wifi networks you rolled out with an MX64W with another brand access point.

All in all while Meraki does a lot, it's by no means a one stop solution for what you need.  It is a great way to have a site to site vpn setup super easy.  You can also block a lot of stuff really quickly, but plan on having the support phone number stored in your speed dial and memorizing your support pin code.