An attacker wanting to eavesdrop on a network has several methods at their disposal to cause harm, notably with “man-in-the-middle” attacks where an attacking device pretends to be a valid member of the network to intercept traffic.
That impersonation is called “spoofing”; it gives the attacker visibility into the victim device’s traffic and a foothold for more aggressive, network-disrupting tactics.
Device spoofing is a significant security threat, and it’s vital that your network have strong defenses. With our MS 10 firmware, Meraki is working to ensure your network remains secure with Dynamic ARP Inspection.
How does spoofing occur?
The attack works by subverting the normal address-resolution exchange that switches and clients rely on to pass information to the right device. The attacking device announces its own hardware address as belonging to another device’s IP address, and every host that hears the announcement starts sending traffic for that address through the attacker. Client devices have no way to tell the forged messages from genuine ones, so they begin forwarding potentially sensitive information to an attacking device.
The attacker can then spy on the traffic before forwarding the message to the correct device without anyone being the wiser.
How to defend against spoofing
Dynamic ARP Inspection (DAI) places safeguards at Layer 2, where bad actors may manipulate these important messages (ARP requests and replies). DAI has the switch verify whether the device sending an ARP message is genuine by checking whether that device’s address mapping has been seen before on the network, that is, whether the IP-to-MAC pairing in the message matches one the switch recorded when the device obtained its address through DHCP. If the mapping hasn’t been seen, messages from the attacking device are dropped.
Configuring DAI with Meraki is easy with MS 10. Note that to avoid disruption to your network, it’s essential to follow the steps in order.
In the Meraki dashboard, first, navigate to Switch > Switch Port and select the port associated with a DHCP Server or Relay. Select “Edit.”
Then navigate to “Trusted” and toggle to “enabled”.
Finally, navigate to Switch > DHCP Servers & ARP > DAI Status and select “Enabled.”
As with all things Meraki, the configuration of Dynamic ARP Inspection can be completed in seconds with our easy-to-use dashboard.
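To make the verification described above concrete, here is a small simulation of the per-packet decision DAI makes: ARP messages on trusted ports (the DHCP server or relay port from the steps above) pass untouched, while messages on untrusted ports are checked against a DHCP snooping binding table. This is an added example written for this page, not Meraki switch code; the binding table, port names and MAC addresses are all constructed.

```python
from dataclasses import dataclass

# Constructed DHCP-snooping binding table: (sender IP, sender MAC) -> port.
# A real switch fills this in from the DHCP OFFER/ACK exchanges it forwards.
BINDINGS = {
    ("10.0.1.1", "00:11:22:33:44:01"): "gi1/0/24",  # default gateway (constructed)
    ("10.0.1.50", "00:11:22:33:44:50"): "gi1/0/5",  # client that obtained a lease
}
# Ports facing the DHCP server or relay are marked trusted; ARP on them is not inspected.
TRUSTED_PORTS = {"gi1/0/24"}

@dataclass
class ArpMessage:
    in_port: str      # switch port the frame arrived on
    src_mac: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address

def inspect_arp(msg: ArpMessage) -> tuple[str, str]:
    """Return ("permit" | "drop", reason) for one ARP packet, as DAI would."""
    if msg.in_port in TRUSTED_PORTS:
        return "permit", "trusted port"
    # Validity check: the Ethernet source must agree with the ARP sender MAC.
    if msg.src_mac.lower() != msg.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    bound_port = BINDINGS.get((msg.sender_ip, msg.sender_mac.lower()))
    if bound_port is None:
        return "drop", "no DHCP binding for this IP/MAC pair"
    if bound_port != msg.in_port:
        return "drop", "binding belongs to a different port"
    return "permit", "matches DHCP snooping binding"

# Constructed traffic: a genuine client, the gateway on its trusted port, and a
# host on an untrusted port announcing the gateway's IP with its own MAC.
SAMPLE = [
    ArpMessage("gi1/0/5", "00:11:22:33:44:50", "00:11:22:33:44:50", "10.0.1.50"),
    ArpMessage("gi1/0/24", "00:11:22:33:44:01", "00:11:22:33:44:01", "10.0.1.1"),
    ArpMessage("gi1/0/7", "de:ad:be:ef:00:07", "de:ad:be:ef:00:07", "10.0.1.1"),
    ArpMessage("gi1/0/7", "de:ad:be:ef:00:07", "00:11:22:33:44:01", "10.0.1.1"),
]

def inspect_all(msgs=SAMPLE) -> list[tuple[str, str]]:
    """Inspect a batch of ARP messages and return one (verdict, reason) per message."""
    return [inspect_arp(m) for m in msgs]

if __name__ == "__main__":
    for m, (verdict, why) in zip(SAMPLE, inspect_all()):
        print(f"{m.in_port:9} {m.sender_ip:10} {verdict:6} {why}")
```

The last two sample messages are the spoofing case: an untrusted port claiming the gateway’s IP is dropped whether it uses its own MAC (no binding) or forges the gateway’s MAC (Ethernet source mismatch).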
To learn more about other improvements in MS 10, please visit our documentation page or attend a webinar for a demonstration.
We are happy to announce the availability of our MS 10 firmware update for Meraki switches. The update introduces new features that improve the overall security, efficiency, and resilience of your network.
Let’s take a moment to review several of MS 10’s most notable features!
Security: Multi-Auth/Multi-Host
MS 10 introduces 802.1x Multi-Auth and Multi-Host authentication options to Meraki switches.
Multi-Authentication requires each host on a shared port to authenticate individually to gain network access. This log-in process is vital for network security in deployments with many autonomous clients.
Multi-Host Authentication allows a single host to open port access for subsequent clients after a single authentication. For example, someone using a desktop with multiple VMs would only need to authenticate a single time to gain access for all of her virtual machines. This reduces the frustration of needing to log in multiple times when only a single authentication is needed.
Resilience: Enhanced Storm Control
Network storms occur when a set of switches endlessly forward packets between themselves, which clogs network bandwidth and causes normal network traffic to grind to a halt.
Enhanced Storm Control provides greater protection against network storms by allowing administrators to set limits on how much bandwidth can be allocated for certain types of traffic. If a storm does occur, damaging traffic will be limited to only a percentage of your total bandwidth capacity.
Resilience: Unidirectional Link Detection (UDLD)
Unidirectional link issues happen when a fiber cable is damaged or misinstalled and causes a loop that has the potential to disrupt the entire network.
A switch with UDLD prevents this type of loop by shutting down the port where a unidirectional link is detected. This keeps your network stable and more resilient against common causes of fiber-link errors.
Efficiency: Equal-Cost Multi-Path (ECMP)
Meraki uses OSPF routing, which directs packets by determining the lowest-cost path to a destination. However, in situations where multiple equal-cost paths are available, some paths may be underutilized.
With Equal-Cost Multi-Path (ECMP), traffic is automatically load-balanced across up to 16 OSPF-learned paths, which promotes greater network efficiency.
Efficiency: Port Anomaly Detection
Port Anomaly Detection (formerly called Spanning Tree Protocol/LAN Anomaly Detection) encompasses multiple enhancements for identifying and resolving spanning-tree and link issues. With the upgrade, the switch port icon indicates physical link errors and excessive link-status changes (STP issues). The individual switch ports will also display orange or red in the dashboard when these types of issues are detected.
More broadly, Anomaly Detection furthers Meraki’s mission of providing in-depth visibility into your network. By providing detection of erroneous network behavior, we help ensure network stability and scalability.
Increase your network’s resilience
If you would like to learn more about MS 10’s improvements, please visit our Knowledge Base or contact us directly.
For a full list of improvements, please log in to your dashboard for more information:
Cisco recently issued a security advisory about several serious vulnerabilities in its wireless LAN controllers, including DoS, privilege escalation, and ACL bypass vulnerabilities. These flaws could allow attackers to modify your controller’s configuration or bypass your ACLs—so if it were my network, I’d certainly want a fix.
Cisco issued software updates, but they’re no quick-snap remedy. Here’s what I’d need to do before I could download the new release:
Follow Cisco’s instructions on the command-line to determine which software version is running on my controller.
Verify if my software version is an affected release. If it is, confirm which versions are “fixed” and note the “recommended release.”
Download and install the patch.
A few of the steps for determining patch compatibility from cisco.com
The real kicker is what I’m signing up for when I actually install the patches. From Cisco’s advisory:
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release… Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
We don’t mean to pick on Cisco here, and we certainly aren’t implying that one vendor’s products are more secure than another’s. With any complex system, bugs and security patches will happen. But the customer experience of dealing with these patches for traditional, behind-the-firewall appliances like wireless controllers is a royal pain. At best, they result in headaches, downtime, and frustration. At worst, administrators miss patches altogether, and their systems are vulnerable. Fortunately, The Cloud points to a better way.
The Cloud Controller, like other cloud applications such as Gmail and Salesforce.com, is always up to date. We push out new features, bug fixes, performance improvements, etc. several times a day. This is completely invisible to the customer, save for new features appearing from time to time. (How we do this, and maintain quality, is pretty interesting, but we’ll save that for another post.)
But what about the firmware running on our APs? They aren’t in the cloud… Are they resigned to the fate of traditional patch management?
Fortunately, an AP that can be managed from the cloud can also be upgraded from the cloud, seamlessly and automatically. Our Cloud Controller knows with certainty that all of the Meraki access points deployed around the world are up to date, with the latest features, fixes, and yes, security patches.
Since we can install firmware seamlessly, over the web, we’ve been able to release new firmware every three months or so, continually delivering new features to our customers. We just did one, in fact – with firmware support for application-aware traffic shaping.
Here’s what our customers saw in their dashboard before the update:
Firmware Upgrade Notification in the Meraki Dashboard
Customers can let the upgrade happen on its own, schedule it when they want it, or click “Upgrade Now” to get it right away. It’s worth noting that the upgrade process was engineered to be completely fault-tolerant. Say, for example, you lose power in the middle of a firmware update. No problem: the AP will boot up with its previous firmware once power is restored. This technology has let us do quarterly upgrades for four years straight and keep customers happy.
We’re excited about how this system has not only eliminated headaches for our customers, but has also enabled us to innovate much faster. We hope to see this architecture spread to other types of infrastructure, so patch management nightmares some day become a thing of the past.