A look inside: Meraki intrusion detection

We’ve integrated Sourcefire’s Snort IDS into our MX Security Appliances. Here’s a closer look at how it works.

With millions of packets flowing across the network every day, how do you spot potentially harmful traffic? Simple visibility of all traffic isn’t practical since the sheer volume is far beyond what a human could process. An intrusion detection tool, however, can identify malicious activity, categorize potential threats, facilitate reporting, and alert a network administrator when necessary.

Integrated Snort technology

The latest software update for the MX Security Appliances now includes IDS capabilities. We’ve taken Sourcefire’s Snort engine, the industry standard in network intrusion detection, and made it accessible to network administrators everywhere through the Meraki dashboard.

Snort IDS technology has been highly respected in the security community for nearly 15 years. It’s open source, so it’s continually tested, worked on, and refined by a broad community of security professionals. Most importantly, in a world where new security threats emerge on a daily basis, the open nature of the platform means new threats are identified and added to the engine far more quickly than a handful of developers working in a closed proprietary system could hope to achieve.

Here’s a peek into how the MX’s IDS looks in the Meraki dashboard:

[Image: IDS timeline viewed by client]

Intuitive, organization-wide reporting

When MXs receive their scheduled over-the-cloud upgrade over the next several weeks, network administrators will find a new reporting tool: Organization > Security report. Note that this requires an Advanced Security license for the MX. The report provides an intuitive GUI to the Snort engine, showing organization-wide threat status at a glance. Information is presented in real time, with a configurable historical view that lets admins quickly see how regularly threats are occurring. Admins can search their organization by:

  • Threat signature
  • Network
  • Client
  • Source and/or destination IP

For large, distributed networks, the MX’s organization-wide reporting eliminates the need to log in to the security appliance at every site and check the IDS status at each. Potential security threats are ranked and summarized by severity, with details presented in a timeline, a pie chart, and summary tables. For those digging for even more information, the complete list of events is also shown. The Snort Signature ID links to a detailed description, including suggested actions to remediate the threat. Intrusion detection typically yields many false positives and negatives, so a detailed description helps administrators focus their energy on addressing the real threats as they emerge.

[Image: IDS event log]

What was once only available to highly trained and expensive security experts can now be seen and analyzed with a few clicks of a mouse. Meraki’s IDS implementation is the latest example of how we’re revolutionizing the world of network administration and helping our customers achieve more with their precious IT resources.

You can learn more about Meraki’s Intrusion Detection and its role in our next-generation firewall here.