How MX customers contained Heartbleed in a day

Why, with Sourcefire IPS, MX security for distributed sites is second to none.

Online threats abound, and securing a single network—let alone multiple networks—is a full-time job. The disclosure of the dangerous (and widespread) Heartbleed vulnerability has propelled public awareness of exploitable threats.  However, the challenge of providing a rapid security response across remote sites still looms large.

In this post we’ll explain how intrusion prevention (IPS) works on Cisco Meraki MX security appliances, and how we were able to protect our customers against Heartbleed within 24 hours of its revelation — faster than our competition.

 

How the MX protects your network

 

Even before Cisco acquired Sourcefire, the industry leader in intrusion prevention, Meraki MX security appliances integrated with Sourcefire IPS to deliver unparalleled threat detection.  Post-acquisition, a close engineering partnership between the Sourcefire and Meraki teams has improved backend performance and integration, providing the MX with the most secure, intuitive, and easily-deployed IPS solution available to organizations managing branch locations.

Preventing malicious activity with the MX is literally a two-click process.  First, though, it’s important to understand how Sourcefire IPS gets implemented.

Sourcefire Rulesets

The Meraki MX performs intrusion prevention via rulesets: pre-defined security policies that determine the level of threat protection needed. There are three rulesets: Connectivity, Balanced, and Security, and Sourcefire has defined threat metrics and criteria for each. For details, check Sourcefire’s blog post, but to summarize:

  • Connectivity ruleset: protects against the highest-priority threats discovered in the current year as well as the prior 2 years.

  • Balanced ruleset: protects against vulnerabilities identified in the Connectivity ruleset, as well as slightly less critical threats. Additionally, certain categories of threat (e.g. exploit kits and SQL injections) will be caught regardless of age.

  • Security ruleset: protects against vulnerabilities identified in the Connectivity and Balanced rulesets as well as lower-priority threats, but expands the age limit to vulnerabilities discovered within the last 4 years.  Additionally, an expanded list of threat categories will be caught, regardless of age.

Sourcefire refreshes rulesets automatically (adding newly discovered vulnerabilities where appropriate and purging older vulnerabilities that are past age limits), so MX customers don’t need to exert any effort in order to benefit from a well-tended, constantly pruned baseline level of security.

Configure IPS in less than 15 seconds

To ensure that a particular Sourcefire ruleset—Connectivity, Balanced, or Security—is enforced, simply enable IPS in the Configure > Security filtering dashboard page and then select the desired ruleset (you can whitelist signatures to fine-tune threat detection for your environment).

Screen Shot 2014-04-14 at 11.18.31 AM.png

Enabling MX intrusion prevention running the Sourcefire “Connectivity” ruleset in the Meraki dashboard.

 

That’s it! The Sourcefire rulesets are deployed by the MX, ensuring malicious traffic is contained.  Even better, these rulesets are updated daily and pushed within an hour to MX customers from the cloud—no manual staging or patching needed. So, with only a few seconds of effort, IT admins can enjoy up-to-date, best-in-class intrusion prevention while averting the “pilot error” that often plagues complex, manual configuration and patching of IPS.

 

Cloud managed is better

 

What about deploying and managing IPS across hundreds or thousands of remote sites?  No problem.  Configuration templates allow IT admins to make changes once to an MX serving as a master template for numerous networks bound to it. Any change on the master will propagate to bound MX networks. This means you can enable IPS on your master MX, select your Sourcefire ruleset policy, and sit back as IPS is enforced across your branch locations.

What about keeping everything — IPS rulesets and MX firmware — current for security purposes? Again, no problem. Since IPS rulesets are updated daily by Sourcefire and pushed within an hour to your MX, you can rest assured your IPS detects the latest threats. Since the MX receives its own firmware, bug, and feature updates seamlessly from the Meraki cloud, it is also up-to-date (or easily made so by scheduling updates from the Meraki dashboard).

What about reporting and visibility into detected threats?  The MX gives customers detailed, easily digested, real-time security reports about hazards on their networks, available from any Internet-accessible device.

In short: built-in intrusion prevention goes a long way towards locking down your network, simplifying security management, and saving you time. It’s only one of several security features the Meraki MX offers, but it’s one of the most important. If you want to hear about other MX features, check here, here, and here.