Did you know the creator of Snort and founder of Sourcefire, the world’s most popular network intrusion detection and prevention technology, is now the chief architect for Cisco’s Security division? The Meraki MX family of Security Appliances has been protecting networks with embedded Sourcefire technology and malware detection since 2012. With both solutions now under the Cisco umbrella, there’s no doubting we have a formidable, industry-leading security platform to offer our customers. Today we’ll recap the reporting and configuration tools provided for intrusion detection and prevention in the dashboard.
The Internet is a wild place, and connecting an MX directly to the internet with a public IP address on its WAN interface will quickly reveal this, with the Security Report page lighting up with intrusion attempts. Here’s an example, with a snapshot taken just 24 hours after security monitoring was turned on, prior to any action being taken.
Firstly, the potential threats are grouped into threat levels: high, medium and low. These are not arbitrary classifications, but are based on the Common Vulnerability Scoring System (CVSS), which seeks to standardize the rating of IT-related security threats. The threat descriptions themselves are based on Common Vulnerabilities and Exposures (CVE), which is effectively a dictionary of publicly known network threats seen around the world. With a multitude of sources for these threats – government agencies, vendor software patches, AV software – the CVEs help by using a common language and means to synthesize threat information sources.
The security report will generate a list of intrusion attempts and the Meraki dashboard will make its best attempt to decipher these for the network admin. Here’s an example:
In this case the admin clicked on the first signature description to obtain further details. Note the hyperlinks pointing to related CVE descriptions. Occasionally these will be links to articles or blogs which detail the threat. The Rule ID itself is a rather cryptic reference which follows this format:
<threat category> : <signature> : <version number>
If we take the signature from the Rule ID in the example above and use a search engine to search for “sourcefire 26233”, the first entry which comes back contains an explanation of the signature.
In this case, the CVSS was a High, indicating action should be taken. The security event list includes details of the source and destination for the threat as well as a timestamp. The network admin could simply work with the owner of the local device to ensure any potential vulnerability is contained and patched. Alternatively, if Intrusion Prevention is switched on then, depending on the ruleset selected, attacks like these could be blocked altogether before they ever enter the LAN environment. The ruleset merely determines above which CVSS level identified threats are proactively blocked. More details can be found on our documentation page and in this previous blog post which outlines the mechanism the MX used to lock down Heartbleed within a day of its discovery. As a timely sidenote which underscores this fast reaction time, our customers using Meraki MX with Intrusion Detection turned on have already received signatures enabling them to identify the Shellshock vulnerability which was announced only yesterday.
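As an added example (not Meraki's or Cisco's own code), the following Python helper parses rule IDs in the category:signature:version layout described above, groups events into the CVSS high/medium/low bands the report uses, and applies a ruleset threshold so that only events at or above the chosen level are marked for blocking while the rest remain alerts. The ruleset names, the numeric form of the category and version fields, and every sample event (addresses and scores) are assumptions constructed for this example; only signature 26233 comes from the post.

```python
import re
from collections import Counter

# Rule ID layout from the post: <threat category>:<signature>:<version number>,
# e.g. "1:26233:3" (numeric fields are assumed; 26233 is the signature from the post).
RULE_ID_RE = re.compile(r"^\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*$")

def parse_rule_id(rule_id):
    """Split a rule ID into its three numeric parts; reject anything malformed."""
    m = RULE_ID_RE.match(rule_id)
    if not m:
        raise ValueError(f"malformed rule id: {rule_id!r}")
    category, signature, version = (int(g) for g in m.groups())
    return {"category": category, "signature": signature, "version": version}

def cvss_level(score):
    """Map a CVSS v2 base score (0.0-10.0) to the high/medium/low bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}

# Hypothetical ruleset names: each blocks at or above its level and only alerts below it.
RULESET_BLOCK_FROM = {"detect-only": None, "block-high": "high", "block-medium-and-up": "medium"}

def triage(events, ruleset):
    """Return per-level counts plus a block/alert decision for each event under a ruleset."""
    block_from = RULESET_BLOCK_FROM[ruleset]
    counts = Counter()
    decisions = []
    for ev in events:
        parsed = parse_rule_id(ev["rule_id"])
        level = cvss_level(ev["cvss"])
        counts[level] += 1
        blocked = block_from is not None and LEVEL_RANK[level] >= LEVEL_RANK[block_from]
        decisions.append({"signature": parsed["signature"], "level": level,
                          "src": ev["src"], "dst": ev["dst"],
                          "action": "block" if blocked else "alert"})
    return dict(counts), decisions

# Constructed sample events: addresses and scores are made up for this example.
SAMPLE_EVENTS = [
    {"rule_id": "1:26233:3", "cvss": 7.5, "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"rule_id": "1:20000:1", "cvss": 5.0, "src": "198.51.100.4", "dst": "192.0.2.11"},
    {"rule_id": "1:10001:2", "cvss": 2.1, "src": "198.51.100.7", "dst": "192.0.2.12"},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS, "block-high")[1]:
        print(d)
```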
Tuning security filtering takes a little practice to ensure only undesirable traffic is blocked. Fortunately the dashboard makes it easy to take account of so-called false positives, providing a means to whitelist specific domains, sub-domains or URLs, which is very useful for customizing the way in which your network environment is locked down.
Finally, Kaspersky Malware Detection is also featured on the MX, enabling the appliance to filter traffic which could be considered malware, trojan horses or phishing websites, whether destined to or originating from the LAN.
Working with our colleagues in Cisco, our customers can rest assured that the security of their networks is in safe hands and we’re ready to react quickly when the next Internet gremlin gets out into the wild.