Security is a top priority for people in IT. Everyone knows how important security is to an organization, its devices, and most significantly, its people.
While putting a firewall in your network is the first line of defense, another primary foundation to network security is the enforcement of access security policies. Permitting or denying access to specific resources establishes security in your network. For example, guests should not be able to access business servers. Organizations can have long lists of access policies, dictating who can access what. But how many organizations have a clear and concise policy list they easily understand, manage, and configure?
Access control lists are daunting in most environments. This is due to how access policies are built. Access policies are based on an IP architecture, where sources and destinations are defined by your network topology. While this works, IP-based access policies do not easily scale with large scale environments, businesses with distributed sites, and frequently changing organizations.
Most are familiar with policy lists that look something like this:
Would you be able to tell what these IP addresses represent? Is XXX.XXX.XXX.XXX your cloud server? Or the HR team?
The point is, it’s difficult to tell. It also becomes more troublesome as your business needs change, such as a growing business dealing with company acquisitions, a university expanding their campus with new sites, or a firm that’s redesigning their entire organizational structure. In every one of these cases, access policies must be re-configured to mirror the way the network topology changes.
What if access policies no longer needed to be dependent on network topology; no longer IP-based, and instead, based on the intent of the user, device, or service?
Today’s the day – we’re introducing Adaptive Policy.
(Beta available in H1 CY2020)
Adaptive Policy is a new solution that brings Cisco Security Group Tag (SGT) technology to the MS390, the most powerful Cisco Meraki switch hardware to date. It addresses the shortcomings of traditional policy administration by pairing Cisco SGT with the MS390. With Cisco SGT, numerical tags are used to classify users, devices, services, and time of access. Tags can be assigned by a RADIUS server such as Cisco Identity Services Engine (ISE): when an endpoint authenticates, ISE returns its tag in the authorization response, the tag is propagated to the devices in the network, every packet from that endpoint is tagged, and the MS390 makes its access decisions on the tag rather than on the packet's IP address.
How does Adaptive Policy actually work?
IT team creates an access policy whereby the sales team cannot access a product roadmap application.
When a salesperson connects their laptop to the network, Cisco ISE authenticates the user against Active Directory and then assigns a tag, say tag 4 for the salesperson. The MS390 receives tag 4 from ISE and adds it to every packet coming from the salesperson's device. If the salesperson tries to connect to the product roadmap server, which only allows tag 5, the MS390 denies the request. If the salesperson later moves to the product team, the user's profile changes in Active Directory, the tag assigned at the next authentication changes with it, and the user can reach the roadmap application without a single switch in the network being reconfigured.
This policy enforcement process has become scalable, effective, and automatic. Adaptive Policy utilizes Cisco SGT to determine traffic intent and can help scale and reinforce security for customers of any deployment size.
With Adaptive Policy, security is agnostic to network topology, making security orchestration and mass configuration changes consistent. Furthermore, instead of using IP addresses, we can now use natural language to determine how a policy is adjusted and implemented. Instead of seeing XXX.XXX.XXX.XXX, you’ll find yourself reading “Marketing team”.
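To make the contrast concrete, here is an added example (not Meraki or Cisco code, and not part of the original post) that models both approaches in Python: an ordered IP ACL beside a tag matrix of the kind the MS390 enforces. The tag numbers (4 = Sales, 5 = Product, 20 = roadmap app), the addresses, the user names and the "roadmap" server are assumptions for illustration; the two scenarios replay the server being renumbered and the salesperson moving to the product team.

```python
"""Added example (not Meraki or Cisco code): why a tag-based policy survives topology
changes that break an IP-based ACL. The tag values (4 = Sales, 5 = Product,
20 = roadmap app), addresses and user names below are constructed for illustration.
"""
import ipaddress


class IpAcl:
    """Traditional ACL: ordered (action, src_net, dst_net) rules, first match wins,
    implicit deny when nothing matches."""

    def __init__(self, rules):
        self.rules = [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
                      for action, src, dst in rules]

    def evaluate(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, src_net, dst_net in self.rules:
            if src in src_net and dst in dst_net:
                return action
        return "deny"


class TagPolicy:
    """Group-based policy: the switch stamps each packet with the source tag that the
    RADIUS server returned at authentication and looks up (source tag, destination tag)
    in a matrix. No address ever appears in a rule."""

    def __init__(self):
        self.matrix = {}        # (sgt, dgt) -> "allow" | "deny"
        self.user_tag = {}      # identity -> tag, as returned after the AD-backed login
        self.server_tag = {}    # application -> destination tag

    def add_rule(self, sgt, dgt, action):
        self.matrix[(sgt, dgt)] = action

    def evaluate(self, user, server):
        sgt = self.user_tag[user]
        dgt = self.server_tag[server]
        return self.matrix.get((sgt, dgt), "deny")   # unmatched pairs are denied


def build_ip_acl(roadmap_ip):
    """Intent: only the Product VLAN may reach the roadmap server; all other traffic is
    open. The intent is expressed purely through addresses."""
    return IpAcl([
        ("allow", "10.2.0.0/24", roadmap_ip + "/32"),   # Product VLAN -> roadmap server
        ("deny",  "0.0.0.0/0",   roadmap_ip + "/32"),   # everyone else -> roadmap server
        ("allow", "0.0.0.0/0",   "0.0.0.0/0"),          # everything else
    ])


def build_tag_policy():
    policy = TagPolicy()
    policy.add_rule(5, 20, "allow")     # Product users -> roadmap app
    policy.add_rule(4, 20, "deny")      # Sales users   -> roadmap app
    policy.user_tag["alice"] = 4        # alice is in the Sales group
    policy.user_tag["bob"] = 5          # bob is in the Product group
    policy.server_tag["roadmap"] = 20
    return policy


def scenario_server_renumbered():
    """The roadmap server moves from 10.9.0.5 to 10.9.1.5 (new site, acquisition, ...)
    and nobody updates the ACL. What does each model decide for a Sales laptop?"""
    acl = build_ip_acl("10.9.0.5")
    sales_laptop = "10.1.0.42"
    before = acl.evaluate(sales_laptop, "10.9.0.5")
    after = acl.evaluate(sales_laptop, "10.9.1.5")   # rules 1-2 no longer match: fails open
    tags = build_tag_policy()
    return {"ip_acl_before": before, "ip_acl_after": after,
            "tag_policy": tags.evaluate("alice", "roadmap")}   # decision never saw an IP


def scenario_user_changes_team():
    """alice moves from Sales to Product. Only the directory-derived tag changes;
    no rule on any switch is touched."""
    tags = build_tag_policy()
    before = tags.evaluate("alice", "roadmap")
    tags.user_tag["alice"] = 5          # what the RADIUS server now returns for alice
    after = tags.evaluate("alice", "roadmap")
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(scenario_server_renumbered())
    print(scenario_user_changes_team())
```

The first scenario is the quiet failure mode of address-bound rules: after the server is renumbered, both roadmap rules stop matching and the catch-all allow applies, so the Sales laptop gets through while the ACL still looks complete. The tag matrix never consulted an address, so its answer does not change.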
Adaptive Policy is built with flexibility.
Adaptive Policy is built API-first, so everything you can configure in the dashboard can also be driven through the Meraki API. Together with Cisco, we provide interoperability through an open implementation of tagging, which means it is not tied to a single vendor. Thanks to Cisco SGT's open and extensible design, Adaptive Policy works across Cisco and third-party equipment, giving you flexibility for your networking needs.
MR customers can take advantage of Adaptive Policy too!
Customers who have Meraki MR access points (802.11ac Wave 2 and above) but do not have the MS390 can still deploy Adaptive Policy. In a hybrid environment, existing Cisco Catalyst switch customers (3K through 9K series) with Meraki MR can implement Adaptive Policy using inline SGTs, where the tag is carried in the frame header rather than being looked up from the IP address.
How can I enable Adaptive Policy?
Adaptive Policy is available as an advanced feature on the MS390. You will need the MS390 switch along with the MS390 Advanced licensing to enable this new feature.
To learn more about Adaptive Policy and the MS390 switch, watch the launch webinar or read the MS390 blog. Starting early 2020, you can also give Adaptive Policy a whirl by starting a free trial.
Are you someone who is constantly reading about the latest in IT? Have you imagined what awaits us in the future? Cisco Live Cancún is a unique space to discover and experience Cisco Meraki's simplified, secure and intelligent technology, which lets organizations transform digitally.
Cisco Live Cancún will take place from October 28 to 31, and we would like to share a few reasons to encourage you to join us for this experience:
Technical sessions: Meraki is included in seven technical sessions. These sessions focus on technologies, architecture strategies, and troubleshooting applications for Cisco solutions and technologies. Register for the sessions, as they will be 100% Meraki. Cisco Live attendees can register for these presentations by logging into their Cisco Live online account and opening the session catalog.
Vertical summits: there are seven vertical sessions in total at Cisco Live Cancún, and Meraki sponsors three of them. Stay up to date, hear the success stories of companies that are now references in their industries, grow your network, and start or adapt your technology strategy to put your company a step ahead of the competition in the sessions for government, education and healthcare.
DevNet Zone: visit the Meraki DevNet sessions to learn more. Meraki will have six sessions in the DevNet Zone. Cisco Live attendees can register for these presentations by logging into their Cisco Live online account and opening the session catalog.
Demos (World of Solutions): complementing all the learning sessions, in the World of Solutions you can see solutions from Cisco and its partners. You will also find Meraki in a variety of demos throughout the Cisco Showcase:
Launch | WiFi 6 Launch
Security | Meraki Security
Branch | Branch Security & SD-WAN powered by Meraki
Branch | Work Simple, Digital Workplace
Campus | Assurance in the Cisco Meraki Platform
Campus | High Density Wireless for Campus
Certifications: if you need to get certified on Cisco solutions and strengthen your résumé, during Cisco Live you have the opportunity to sit any of the certification exams.
Beyond everything you can learn at this event, Cisco Live Cancún also offers fun and leisure activities, such as the traditional 5 km run, yoga sessions, the World of Solutions opening cocktail, and the event's closing party.
Are you excited about all the new Apple innovation coming in iOS 13 and macOS 10.15 Catalina? Great, so are we! Both iOS 13 and macOS Catalina are introducing significant changes to Apple’s enterprise management capabilities and we are excited to announce that Cisco Meraki Systems Manager will support new settings and features on both platforms. Here are some of the planned changes coming to Meraki Systems Manager to support iOS 13 and macOS Catalina.
Changes to Device Restrictions
Between iOS 13 and macOS Catalina, Meraki Systems Manager will support a grand total of seventeen device restriction settings changes. The changes include six new restriction settings and eleven settings that are changing supervision requirements.
Allow Find My Device in the Find My app (iOS)
Allow Find My Friends in the Find My app (iOS)
Force Wi-Fi power on (iOS)
Allow Files Network Drive Access (iOS)
Allow Files USB Drive Access (iOS)
Allow continuous path keyboard (iOS)
Allow Handoff (New to macOS)
Supervision Requirement Changes
Now Requires Supervision:
Allow adding Game Center friends
Allow installing apps
Allow use of camera
Allow cloud Keychain sync
Allow document sync
Allow explicit music and podcasts
Allow use of iTunes Store
Allow use of Safari
Allow users to use saved passwords in Safari and AutoFill Passwords feature
No Longer Requires Supervision:
Allow remote screen observation by the Classroom app
Restriction settings whose status changes in iOS 13 and macOS 10.15 will retain their configured effect if an unsupervised device is upgraded. For example, if camera use is blocked by a restriction setting on an unsupervised device running iOS 12.4 or earlier, the restriction will continue to block the Camera app after the device is upgraded to iOS 13. The same setting pushed to an unsupervised device already on iOS 13 will not take effect, since it now requires supervision.
New Settings Updates
Along with the Restrictions payload, Apple has updated a number of different settings with enhanced options to affect behavior on devices. Meraki Systems Manager will also support changes to the following payloads at the time of release:
Wi-Fi – Support for WPA3 authentication
Exchange ActiveSync – Manage syncing of Contacts, Calendars, and Mail independently on iOS
Web Content Filter – macOS support for Filter Data Providers
Privacy Preferences Policy Control – Manage new permissions in macOS
Single App Mode – Manage Voice Control settings on iOS or tvOS
Automated Device Enrollment Changes
Automated Device Enrollment (also known as DEP) will now enforce mandatory enrollment in Meraki Systems Manager. Also, we have introduced a new option to skip “Dark Mode” setup on iOS and macOS.
In the weeks following the launch of iOS 13 and macOS Catalina, Meraki Systems Manager will continue the momentum by rolling out support for more advanced features and functionality. This includes, but is not limited to:
Support for brand new macOS Catalina settings payloads
New Extensible Single Sign-On capabilities to allow native Apple Kerberos SSO and third-party integration
Custom enrollment webpage to more readily personalize and secure the enrollment process on devices
If you would like to learn more about Systems Manager, join us for an upcoming webinar (where you can qualify to earn free System Manager licenses), or call the Meraki sales line to start a risk-free evaluation.
The pace at which new security threats are introduced and propagated online keeps accelerating year over year. Organizations have more locations and devices to protect, and threats use many different ports to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence programmatically. These teams need solutions that are easy to deploy, simple to manage, scale well, and integrate with other tools.
Securing wireless users against malicious attacks, particularly through the "DNS blind spots" that exist in many networks and are exploited by 97% of advanced malware, is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor DNS or apply security to it.
It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).
Umbrella is Cisco's cloud-delivered secure internet gateway, a first line of defense against threats such as malware, ransomware, and phishing. It enforces security at the DNS layer: when a client resolves a domain, Umbrella checks whether that domain is known to host malware, phishing pages or similar content and blocks the resolution if it does, so the end user never reaches the site. Umbrella also supports DNSCrypt, which encrypts DNS queries between your network and Umbrella's resolvers so that they cannot be read or modified in transit, closing off eavesdropping and man-in-the-middle (MITM) tampering on that leg. This protects the "last mile" of a client's internet connection, which is often left exposed.
There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.
Enabling Umbrella integration
So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.
Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.
Enabling Meraki + Umbrella integration within the Meraki dashboard.
Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.
To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.
Linking an Umbrella policy to a Meraki SSID.
By default, a Meraki SSID inherits the policy listed last in the Umbrella dashboard's ordered policy list unless a different policy is selected from the dropdown, so check that the default is the policy you intend.
To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.
Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.
Once a Meraki SSID or group policy has been linked to an Umbrella security policy, clients connecting to that SSID or receiving that group policy will have their DNS queries encrypted (if the AP supports 802.11ac) and evaluated against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella resolvers secures the "last mile" of client web browsing and protects that path against MITM tampering or packet sniffing that would otherwise reveal which websites client devices are visiting. Note that the encryption covers the AP-to-Umbrella leg; the hop between the client and the AP is protected only by the WLAN's own encryption.
An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.
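The policy above only applies to queries that actually reach Umbrella through the AP. As an added example (not Meraki or Umbrella code, and not from the original post), the following Python script scans constructed flow records for the blind spot the earlier paragraphs describe: clients resolving names through a resolver other than the sanctioned one, or over DNS over TLS on port 853. The record format, the addresses and the sanctioned resolver 10.0.0.1 are assumptions.

```python
"""Added example (not Meraki or Umbrella code): find clients whose DNS traffic does not
go through the sanctioned resolver, i.e. a DNS blind spot that a DNS-layer policy never
sees. The flow-record format, the addresses and the sanctioned-resolver list are
constructed for illustration."""
from collections import defaultdict

# Assumption: clients on this SSID are expected to resolve only through 10.0.0.1
SANCTIONED_RESOLVERS = {"10.0.0.1"}
DNS_PORT = 53
DOT_PORT = 853          # DNS over TLS (RFC 7858) bypasses plain-DNS inspection entirely

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
2019-10-01T10:00:01 10.1.0.42 10.0.0.1 udp 53
2019-10-01T10:00:02 10.1.0.42 8.8.8.8 udp 53
2019-10-01T10:00:03 10.1.0.43 10.0.0.1 udp 53
2019-10-01T10:00:04 10.1.0.44 1.1.1.1 tcp 853
2019-10-01T10:00:05 10.1.0.44 10.0.0.1 udp 53
2019-10-01T10:00:06 10.1.0.45 93.184.216.34 tcp 443
2019-10-01T10:00:07 10.1.0.42 8.8.4.4 tcp 53
"""


def parse_flow(line):
    """Return (src, dst, proto, dport) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, proto, dport = parts
    try:
        return src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def find_dns_bypass(flow_text, sanctioned=SANCTIONED_RESOLVERS):
    """Map each client to the list of DNS paths that sidestep the sanctioned resolver."""
    findings = defaultdict(list)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if dport == DNS_PORT and dst not in sanctioned:
            findings[src].append(f"plain DNS ({proto}) to unsanctioned resolver {dst}")
        elif dport == DOT_PORT:
            findings[src].append(f"DNS over TLS to {dst}")
    return dict(findings)


def summarize(findings):
    """One line per offending client, sorted, for a ticket or a dashboard note."""
    return [f"{client}: {'; '.join(reasons)}"
            for client, reasons in sorted(findings.items())]


if __name__ == "__main__":
    for line in summarize(find_dns_bypass(SAMPLE_FLOWS)):
        print(line)
```

DNS over HTTPS is invisible to this check because it shares port 443 with ordinary web traffic; catching it needs something that can see the request itself, not flow records.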
Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats proactively. Instead of waiting for a malicious site to infect a machine and then relying on tools such as antivirus to detect and remediate, Meraki MR customers can block access to known harmful sites before the connection is ever made.
Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.
We don’t talk enough about Meraki Systems Manager’s role in the larger Cisco story. Being a part of Cisco gives our Systems Manager team access to a broad range of Cisco products and initiatives, from security to networking and collaboration. As Cisco’s endpoint management solution, Systems Manager strengthens Cisco’s position in endpoint security and enables smarter decisions about device access and policies on Cisco networks.
Earlier this year, Systems Manager played an important role in the launch of Cisco’s cloud-based endpoint security portfolio for managed security service providers. This portfolio offers scalable solutions for visibility and control of endpoint devices and highlights key products for service providers to deploy.
In another example of how Cisco and Meraki are leading the industry in endpoint security, Cisco announced that Cisco Security Connector (CSC) is now available for purchase! Cisco Security Connector is a powerful tool to help organizations with supervised iOS devices ensure compliance, block phishing attacks and malicious links, understand application and device behaviors, and investigate security incidents across deployments.
Building CSC was a collaborative effort between Apple, Systems Manager, Cisco Umbrella, and AMP for Endpoints. Only Cisco has been able to achieve this type of cross-product alignment at scale. Having access to and information about upcoming security initiatives gives us at Meraki the opportunity to find compelling ways to collaborate across products at Cisco.
There’s work underway to bring even more cross-product value to customers. Look out for future launches with our larger Cisco family!
Learn more about Cisco Security Connector here or contact us to get started using Systems Manager to deploy and manage this powerful iOS application!
If you noticed a new tab that says “Analytics” pop up in your Cisco Meraki MV dashboard last week, you weren’t dreaming. MV has officially taken its first step into the video analytics world.
Specifically, the MV team is delighted to announce the launch of heat maps, which will give customers valuable insights into customer behavior, school safety, and more. Staying true to one of the team’s core principles which drive product decision making—business value through intelligence—developing heat maps is just the first step in delivering advanced analytics tools to our customers.
Heat maps show an overview of the last week’s worth of motion data, on a per-day basis, giving insight into how a space is being used by students—are they using the playground equipment on the weekends?—or how customers are moving through a retail store location.
Most importantly, as with all Meraki products, cloud management means that every existing MV user will now automatically have this heat map tool available to them (as a public beta): no software installation, payments, or configuration required. Simply log in to your dashboard account to try it out for yourself.
In the enterprise technology industry it is often common practice for important customers, partners, and industry analysts to be presented a roadmap. This long established tradition communicates the vendor’s goals and aspirations for their product, while setting the expectations for the recipient.
In a rapidly changing world this traditional approach can hamper the productivity of small, highly agile teams like those at Meraki. It can artificially force a focus on feature delivery, not on solving customer problems. To ensure the MV team can respond quickly to market changes and customer needs, the team follows a set of goals that help communicate the intent and vision for the future of the product.
The goals underpinning the development plans are split into three areas. These drive our internal discussions and allow parties external to the organisation to determine our priorities, taking the place of a feature by feature roadmap.
Cost reduction through architectural simplification
Firstly we must deliver immediate value. This must be simple to understand and easy to achieve. In the context of MV this is our architecture: centralized cloud control with video stored at the edge. Eliminating the Network Video Recorder (NVR) and Video Management Server (VMS) has immediate up front savings and continued operational savings.
Operational simplification through automation
Next we must ensure that customers benefit during day-to-day operations. An example of this goal is Motion Search’s elimination of the dull and highly time consuming process of reviewing video. MV processes all video on the camera and lets users quickly find the footage of interest.
Business value through intelligence
Finally, we look at how security cameras can offer value beyond their primary purpose. 90+% of recorded video is never viewed, but what if the camera can analyze what it sees without human intervention? Can a camera be seen as a sensor in the context of marketing or occupational safety? MV has not yet delivered in this area, but it is an area of intense interest that will shape the future capability of the product.
The recent launch of Meraki MV security cameras is just the first step on the road. As has been the case with other Meraki products, early adopters of cloud-managed technology continue to benefit from ongoing feature development. As Meraki continues to deliver solutions to challenging problems, existing customers' investment in Meraki continues to gain value.
When Apple and Cisco announced their partnership last year, Meraki customers were left on the edge of their seats awaiting the arrival of the improvements that would be coming down the pipeline for them. Now, there’s exciting news out of Apple’s Worldwide Developers Conference that sheds some light on the details of what the companies have been working on and when to expect them. Here’s what customers can look forward to, and an overview of how these improvements can be utilized by Meraki enthusiasts in the fall, when iOS 10 is scheduled to be released:
Enhanced roaming capabilities for iOS devices on Cisco (including Meraki) APs — With iOS 10, iPads and iPhones will be able to recognize the most optimal AP on a Cisco network with which to connect. This means Apple devices roaming on a Meraki network will become even more streamlined, eliminating worries of losing WiFi connectivity while on a VoIP or video call.
Fast lane for business critical apps — Meraki networking customers have long enjoyed the simplicity and variety of implementations of QoS for layer 7 web applications. Now, with iOS 10, Systems Manager customers will be able to apply that same level of QoS ease to iOS apps. Prioritize business critical apps while limiting bandwidth usage for, say, video streaming apps that might not be necessary for work. Couple this functionality with existing Systems Manager tools like geofencing, dynamic tagging, and scheduled policies, and the possibilities for customizability are practically limitless.
Cisco Spark calls on the iPhone, just like native calls — When iOS 10 launches, Spark customers will be able to answer Spark calls from the lock screen and initiate them directly from their address books. This is an exciting update for our customers using Cisco Spark.
If you want to read more about the Apple and Cisco partnership, check out the details on Apple & Cisco’s websites, and stay tuned for future news from the Meraki side!
Following the exciting announcements at Cisco Live! Milan in January, the team will be heading out to Australia for Cisco Live! Melbourne from the 17th to the 20th of March. Members of the product management and marketing teams from San Francisco will be joining the local Meraki team for demos, presentations and labs.
We will be exhibiting at the World of Solutions where there will be live one-on-one demos. Make sure you come by, say hello, and learn the latest from Meraki. It is also an ideal opportunity to meet your regional Meraki representative, if you have not done so already.
Apart from the world of solutions, there will be a number of labs and presentations throughout the week. Check the Cisco Live! website for availability and registration for the sessions.
LABEN-1001 – Cisco Meraki Hands on Lab: Cloud Managed Networks
Presented by Joe Aronow & George Bentinck
Wednesday 18 Mar 1:00 PM – 2:30 PM
Thursday 19 Mar 2:45 PM – 4:15 PM
Friday 20 Mar 11:15 AM – 12:45 PM
This self-paced lab is designed to introduce you to the full Cisco Meraki suite of products – wireless, switching, security appliances and mobile device management. During this session we will walk through configuration of each product type, demonstrating the simplicity and power of the Meraki cloud managed solution.
BRKSEC-2900 – Cloud Managed Security with Meraki MX
Presented by Joe Aronow
Wednesday 18 Mar 2:45 PM – 4:15 PM
Meraki’s cloud managed networking portfolio includes out-of-the-box capabilities to help administrators secure their network environments. This session will provide an introduction to the Meraki architecture and a deep-dive into the Meraki MX security appliance product line. The presenter will feature a live demo of key features such as Auto VPN, client fingerprinting, identity-based policies, intrusion detection, and more.
BRKEWN-2013 – Cloud Managed Networking with Meraki
Presented by Peter Stephan
Friday 20 Mar 8:45 AM – 10:45 AM
Cisco Meraki's cloud-managed networking solution provides the tools to implement scalable networks with dramatically simpler management and powerful network visibility. This session will provide an intermediate level of information about the unique Cisco Meraki cloud architecture, and a deep dive into the entire network stack, including the latest 802.11ac offering, the expanded switch portfolio, the Sourcefire-enabled security appliance, and the complete MDM offering. The presenter will give live demonstrations and deployment strategies for key platform features including client fingerprinting, layer 7 traffic shaping, location services, integrated MDM, and hybrid cloud/on-premises architectures.
Cisco recently issued a security advisory about several serious vulnerabilities in its wireless LAN controllers, including denial-of-service, privilege escalation, and ACL bypass vulnerabilities. These could allow attackers to modify your controller's configuration or bypass your ACLs, so if it were my network, I'd certainly want a fix.
Cisco issued software updates, but they’re no quick-snap remedy. Here’s what I’d need to do before I could download the new release:
Follow Cisco’s instructions on the command-line to determine which software version is running on my controller.
Verify if my software version is an affected release. If it is, confirm which versions are “fixed” and note the “recommended release.”
Download and install the patch.
A few of the steps for determining patch compatibility from cisco.com
The real kicker is what I’m signing up for when I actually install the patches. From Cisco’s advisory:
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release… Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
We don't mean to pick on Cisco here, and we certainly aren't implying that one vendor's products are more secure than another's. With any complex system, bugs and security patches will happen. But the customer experience of dealing with these patches for traditional, behind-the-firewall appliances like wireless controllers is a royal pain. At best, they result in headaches, downtime, and frustration. At worst, administrators miss patches altogether, and their systems stay vulnerable. Fortunately, the cloud points to a better way.
The Cloud Controller, like other cloud applications such as Gmail and Salesforce.com, is always up to date. We push out new features, bug fixes, performance improvements, etc. several times a day. This is completely invisible to the customer, save for new features appearing from time to time. (How we do this, and maintain quality, is pretty interesting, but we’ll save that for another post.)
But what about the firmware running on our APs? They aren’t in the cloud… Are they resigned to the fate of traditional patch management?
Fortunately, an AP that can be managed from the cloud can also be upgraded from the cloud, seamlessly and automatically. Our Cloud Controller knows with certainty that all of the Meraki access points deployed around the world are up to date, with the latest features, fixes, and yes, security patches.
Since we can install firmware seamlessly, over the web, we’ve been able to release new firmware every three months or so, continually delivering new features to our customers. We just did one, in fact – with firmware support for application-aware traffic shaping.
Here’s what our customers saw in their dashboard before the update:
Firmware Upgrade Notification in the Meraki Dashboard
Customers can let the upgrade happen on its own, schedule it when they want it, or click “Upgrade Now” to get it right away. It’s worth noting that the upgrade process was engineered to be completely fault tolerant. Say, for example, you lose power in the middle of a firmware update. No problem, the AP will boot up with its previous firmware once power is restored. This technology has let us do quarterly upgrades for four years straight and keep customers happy.
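The page does not describe how the AP achieves that fault tolerance, so here is an added example (not Meraki code, and not from the original post) of the standard way to get the property: two flash banks, writes only to the inactive bank, an integrity check, and a single atomic pointer flip. The bank layout, the chunk size and the SHA-256 check are assumptions standing in for whatever the real device does; the simulation interrupts the upgrade at every step and reports what the AP boots afterwards.

```python
"""Added example (not Meraki code): a two-bank (A/B) firmware update that stays bootable
if power is lost at any step. The page only says an interrupted AP boots its previous
firmware; the bank layout, the chunked write and the SHA-256 integrity check below are
assumptions standing in for whatever the real device does."""
import hashlib


def make_image(payload):
    """An image is (bytes, expected digest). A real device would verify a signature."""
    return payload, hashlib.sha256(payload).hexdigest()


def other(bank):
    return "B" if bank == "A" else "A"


class PowerLoss(Exception):
    """Raised to simulate the AP losing power at a given step of the upgrade."""


class AccessPoint:
    CHUNK = 4   # bytes written per flash operation in this toy model

    def __init__(self, image):
        self.banks = {"A": image, "B": None}   # two flash banks
        self.active = "A"                       # boot pointer: a single atomic word
        self.crash_at = None                    # step at which power is lost, or None
        self.step = 0

    def _tick(self):
        self.step += 1
        if self.crash_at is not None and self.step == self.crash_at:
            raise PowerLoss(self.step)

    @staticmethod
    def valid(image):
        if image is None:
            return False
        payload, digest = image
        return hashlib.sha256(payload).hexdigest() == digest

    def boot(self):
        """Boot the active bank; fall back to the other bank if the active one fails
        verification (partial or corrupt image)."""
        for bank in (self.active, other(self.active)):
            if self.valid(self.banks[bank]):
                self.active = bank
                return self.banks[bank][0]
        raise RuntimeError("no bootable image")

    def upgrade(self, new_image):
        target = other(self.active)            # never overwrite the running image
        self.banks[target] = None
        self._tick()                           # (1) erase inactive bank
        payload, digest = new_image
        written = b""
        for i in range(0, len(payload), self.CHUNK):
            written += payload[i:i + self.CHUNK]
            self.banks[target] = (written, digest)   # partial image: fails verification
            self._tick()                             # (2..n) one tick per chunk
        if not self.valid(self.banks[target]):
            raise RuntimeError("image failed verification; not activating")
        self._tick()                           # (n+1) verified, pointer not yet flipped
        self.active = target                   # the only irreversible step, and atomic
        self._tick()                           # (n+2) after the flip


def simulate_all_interruptions(old_payload, new_payload):
    """Interrupt the upgrade at every step; return {step: payload the AP boots afterwards}.
    Key 0 is the uninterrupted upgrade."""
    old, new = make_image(old_payload), make_image(new_payload)
    ap = AccessPoint(old)
    ap.upgrade(new)
    outcomes = {0: ap.boot()}
    for crash in range(1, ap.step + 1):
        ap = AccessPoint(old)
        ap.crash_at = crash
        try:
            ap.upgrade(new)
        except PowerLoss:
            pass
        outcomes[crash] = ap.boot()            # power restored: what comes up?
    return outcomes


if __name__ == "__main__":
    results = simulate_all_interruptions(b"fw-v1.0-old-img", b"fw-v2.0-new-img!")
    for step, booted in results.items():
        print(step, booted)
```

Every interruption before the pointer flip leaves the old image running, and an interruption after it leaves the new one; there is no step at which the AP comes up with nothing. The check on the freshly written bank is what makes the partial-write cases safe, so it belongs before the flip, not after.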
We’re excited about how this system has not only eliminated headaches for our customers, but has also enabled us to innovate much faster. We hope to see this architecture spread to other types of infrastructure, so patch management nightmares some day become a thing of the past.