What did you wish for this holiday season? Perhaps some shiny new Meraki WLAN features such as PCI reports, WIPS enhancements, group policies by device type, or Teleworker VPN split tunnels? If so, you’re in luck because our engineering elves have been hard at work. There’s something for everyone including retail, enterprise, education, and remote workers. Even better, these enhancements don’t cost you a thing. Thanks to our cloud-based architecture, there’s nothing you need to do to install or enable them. Just wait for them to show up in time for the holidays! For now, here’s a quick preview.
(Oh, if your wish is to build awesome features like these, then apply to join our Engineering Elves!)
Retailers rely on us to provide a wireless solution that helps them meet PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, and the feedback on some of our security features such as two-factor authentication has been very positive. Meraki has passed a level 1 PCI DSS v2 audit and earned the corresponding Report on Compliance (RoC), providing an additional layer of security for retail and other sensitive environments.
Customers have been using Meraki to build PCI-compliant networks for years, and since Meraki’s cloud architecture is out-of-band, our cloud is out-of-scope of a retailer’s PCI audit. However, we wanted to go above and beyond and deliver an additional level of reassurance. To increase our security, we submitted our cloud networking environment to a complete, on-site level 1 PCI DSS audit (the most rigorous audit level), including audits of our data centers.
Level 1 PCI DSS certified
Even though the Meraki data centers are out-of-band and thus out-of-scope for a retailer’s PCI audit, those who need to meet the requirements of a PCI audit now have the additional reassurance that Meraki’s out-of-band cloud networking architecture also meets those requirements. As the only cloud networking wireless provider to pass a level 1 PCI DSS v2 audit, we’re leading the way to provide the highest level of confidence for security-conscious customers, including those who are looking for infrastructure that meets the same PCI DSS requirements they must adhere to. This also streamlines the audit process for customers going through their own PCI DSS audit.
Meraki’s security features address all of the PCI DSS requirements and help customers to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and monitor network security. Retailers who use Meraki to maintain a secure retail environment include Starbucks, Burger King, United Colors of Benetton UK, Design Within Reach, and Applebee’s. You can read about their deployments, and other retailers’ deployments, at http://meraki.com/customers/retail.
Design Within Reach uses Meraki for secure WiFi at all 47 stores nationwide
Join us for a free webinar: 10 Steps to PCI Compliant WiFi
Centrally managed from the cloud, Meraki makes it easy and cost effective to deploy, monitor, and verify PCI compliant WiFi across distributed networks of any size. Unlike traditional wireless LANs, Meraki’s security infrastructure eliminates the management complexities, manual testing, and ongoing maintenance challenges that lead to vulnerabilities. Find out more by registering for our free webinar, 10 Steps to PCI Compliant WiFi, on Thursday, November 17 at 11am PT. You can also read more about our out-of-band architecture, security and reliability, and compliance on the PCI section of our website.
As shown in a previous blog post, site-to-site connectivity can be greatly simplified using the MX router’s built-in, self-configuring VPN. The MX can also significantly lower branch connectivity costs and make sure your branch prioritizes bandwidth for critical applications, thus virtualizing the WAN into a high performance service while reducing cost at the same time.
Getting the most out of branch connectivity
Internet connectivity at each branch in a large, multi-site network can vary widely in performance, cost, and reliability. Sites are often connected via MPLS or other dedicated lines, which provide high reliability at a high price. Typically, these lines are dropped in to support applications such as VoIP. Consider that a T1 or MPLS connection can range in the hundreds of dollars — and that’s per month, per site! As an organization grows and adds sites to its network, connecting all of them via MPLS can be prohibitively expensive.
As an alternative to high cost leased lines, the MX70 can aggregate multiple uplink connections, such as DSL or cable connections. These links don’t individually have the service levels of a leased line, but they can be aggregated together to provide very high uptime at a much lower cost. This also means you don’t have to give up the low latency of a dedicated line. Instead of upgrading the dedicated line to support growing bandwidth needs, you can augment it with a consumer-grade connection and still keep the dedicated line for business-critical applications, like VoIP. The second link can then be used for non-critical applications, such as web traffic.
Uplink bandwidth can be allocated on a per-connection basis using traffic preferences in the MX70. This lets administrators push web traffic (or other recreational traffic types) over a lower quality link and reserve a higher reliability link for applications such as VoIP and video conferencing. The example below shows web traffic configured to flow over Internet 2 (for example, a cable or DSL line), and all other traffic to flow over Internet 1 (an MPLS or T1 line in this example).
Figure 1: MX uplink traffic shaping
Aggregating multiple links also increases the overall reliability of the WAN connection for your network. The MX70 detects the availability of connected WAN interfaces and automatically performs failover in case one of the links temporarily goes down. This happens when a cable is physically unplugged from a WAN port, and it also happens if the MX detects it can no longer connect to the internet, through layer 3 detection.
Controlling congestion through traffic prioritization
Assigning traffic among uplink connections helps ensure that expensive WAN links are used for the most critical applications. It’s also important that application traffic is properly prioritized for each WAN link. Real-time prioritization maximizes the utility of the WAN connection by ensuring your most important applications take precedence over others, especially in cases where the uplink connection is in heavy use.
The MX70’s per-flow traffic prioritization minimizes congestion and ensures critical applications take priority over others during times of heavy use. Figure 2 shows an example for an organization that relies heavily on VoIP / video conferencing. Email is also important, but it isn’t more time-critical than a VoIP call, and online backups are the least time-critical and can be set to low priority.
Figure 2: Traffic prioritization
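A small model of the branch uplink policy described above (the Figure 1 traffic preference with failover on a lost link or failed layer 3 check, then the Figure 2 priority classes applied on each link), added here as an illustration; it is not Meraki's code, and the Uplink, Flow, select_uplink, allocate and plan names, the kbps figures and the strict-priority scheduler are assumptions of this example:

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass
class Uplink:
    capacity_kbps: int
    link_up: bool = True        # physical carrier present on the WAN port
    l3_reachable: bool = True   # layer 3 probe to the internet succeeded

    def usable(self) -> bool:   # failover trigger: unplugged port or failed L3 check
        return self.link_up and self.l3_reachable

@dataclass
class Flow:
    name: str
    app: str          # application class, e.g. "web", "voip", "email", "backup"
    demand_kbps: int

# Traffic preference from Figure 1: web on Internet 2, everything else on Internet 1
PREFERENCES = {"web": "Internet 2"}
DEFAULT_UPLINK = "Internet 1"
# Priority classes from Figure 2 (lower is served first); unlisted apps are medium
PRIORITY = {"voip": 0, "video": 0, "email": 1, "backup": 2}

def select_uplink(app: str, uplinks: dict[str, Uplink]) -> str | None:
    """Preferred uplink for an application class, failing over to any other usable link."""
    preferred = PREFERENCES.get(app, DEFAULT_UPLINK)
    if uplinks[preferred].usable():
        return preferred
    for name, uplink in uplinks.items():
        if name != preferred and uplink.usable():
            return name
    return None  # every uplink is down: the flow cannot be forwarded

def allocate(capacity_kbps: int, flows: list[Flow]) -> dict[str, int]:
    """Strict priority (assumed scheduler): higher classes get their full demand first."""
    remaining = capacity_kbps
    granted: dict[str, int] = {}
    for flow in sorted(flows, key=lambda f: PRIORITY.get(f.app, 1)):
        granted[flow.name] = min(flow.demand_kbps, remaining)
        remaining -= granted[flow.name]
    return granted

def plan(flows: list[Flow], uplinks: dict[str, Uplink]) -> dict[str, dict[str, int]]:
    """Assign every flow to an uplink, then split each uplink's capacity by priority."""
    per_uplink: dict[str, list[Flow]] = {name: [] for name in uplinks}
    for flow in flows:
        chosen = select_uplink(flow.app, uplinks)
        if chosen is not None:
            per_uplink[chosen].append(flow)
    return {name: allocate(link.capacity_kbps, per_uplink[name]) for name, link in uplinks.items()}
```

With the constructed figures below, the 1000 kbps "MPLS" link is congested, so the backup flow is squeezed to what VoIP and email leave over, while web browsing rides the cable link; marking Internet 1 unreachable at layer 3 moves all its traffic to Internet 2.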
Connecting branches securely using multiple links maximizes WAN utility at each location, allowing organizations to create a virtualized WAN that enables them to deploy services such as VoIP and video conferencing, seamlessly share information between branches, and support bandwidth-intensive applications. Combined with the MX’s built-in multi-site network management, the virtualized WAN brings significant cost savings and lets network administrators support business-critical applications and services across the entire organization, regardless of location.