Posts Tagged ‘mx’

Recap: Meraki Quarterly, July 2019

Last week, several members from the Meraki product management and product marketing teams huddled in the webinar room at our SF headquarters to present the Meraki Quarterly. The Quarterly takes place every three months and highlights new product innovations that took place over the last quarter. The intent of the Quarterly is not only to keep customers informed about the latest and greatest updates from Meraki, but also to provide customers with an opportunity to get their questions answered by Meraki product experts.

While we were thrilled to see over one thousand registrants for last week’s webinar, we recognize that not all those who registered were able to attend and that some people would prefer a written summary over watching an hour-long webinar. For these folks, here’s a recap of what we discussed.

1. Meraki MV: Small improvements, big impact

The MV smart camera line took a major step forward in April when we introduced the MV32 — our first fisheye camera with the capability to capture 180° of footage — and Motion Recap 2.0, which helps IT admins see motion at a glance by capturing motion in a single image. In the last few months, we’ve made Motion Recap more useful by making the images it captures available in Motion Alert emails and by providing admins the option to disable Motion Recap for bandwidth-constrained networks.

But Motion Recap isn’t the only thing we’ve been working on in the world of MV. We also introduced export checksums, which helps admins ensure that exported footage hasn’t been tampered with, and we extended the retention of exported video to 12 months. Admins now also have the ability to retain captured video when moving a camera from one network to another — e.g., from one office location to another. Finally, a small but useful improvement in the Meraki dashboard is that users no longer lose the tab they’re on (e.g., “Quality and Retention” or “Analytics”) when paging through different cameras.

2. Systems Manager: Playing games and taking names

Customers in every industry use Meraki Systems Manager (SM), Cisco’s official endpoint management tool, to manage devices of all stripes. But there’s one industry that’s particularly excited about SM: education. To help IT admins in education, teachers, and students get excited about SM, we hosted an escape room game at ISTE 2019, the largest K-12 technology show in the US. SM was a key part of the game, with players using SM to solve various puzzles by performing common tasks, like deploying apps and documents to devices.

This past quarter, we also announced a couple of enhancements to SM on the dashboard side. Building and deploying custom profiles is now a lot more scalable and simpler than before thanks to the ability to automate custom Apple profiles with variables; admins no longer have to manually build these profiles one by one. Additionally, end users who want access to corporate email can now upload their own identity certificates through the Self-Service Portal, so IT admins no longer have to create certificates for all their users. These certificates will appear in the Meraki dashboard, so admins will continue to be aware of all the end users with access to corporate email.

3. Why-Fi 6? We’ll tell you

One of our most exciting product launches in recent memory took place this past quarter as we debuted the newest Meraki wireless access points, the MR45 and MR55, equipped with Wi-Fi 6. The new wireless standard is far from a mere spec bump; Wi-Fi 6 is a meaningful step forward that enables higher throughput, higher density, and greater energy efficiency. With features like Target Wake Time, MU-MIMO, and dual 2.4 GHz and 5 GHz radios, the MR45 and MR55 set the standard for the next generation of wireless.

Of course, talking about Wi-Fi 6 isn’t as fun as seeing it deployed live. To that end, during the Quarterly, we highlighted a few real-life deployments of the MR45 and MR55. One of the first deployments of Meraki Wi-Fi 6 was McLaren, the automotive company, where the new APs proved so popular that different teams were moving the APs around to serve their own high density and high throughput purposes. Wi-Fi 6 also proved a popular draw at the US Open, where over 350 of the latest Meraki APs blanketed the course and allowed players and spectators to share, tweet, post, and communicate to their heart’s content. 

4. A switch in time saves nine

As any IT admin knows, switches are a crucial part of any network deployment. In the Quarterly, we started by discussing a few key trends we’ve recently observed that are shaping the world of switching: live video streaming & video-first services, more PoE-capable devices, a steady evolution of always-on, power-hungry IoT devices, and inadequate uplink capacity. To address these needs, we just introduced the MS125 access layer switch, which helps admins future-proof their networks by offering 4x10G SFP+ uplinks.

Here’s how the MS125 compares with the MS120 and MS210:

5. Getting Cloudy

Meraki was, of course, born in the cloud, so this is an area of intense excitement for us. First up, this last quarter, we introduced the Meraki Developer Hub and APIs Marketplace, one-stop shops with everything you need to build or buy solutions on top of the Meraki platform. Second, we announced new partner integrations with PagerDuty, Ansible, and OneLogin to help customers make the most of their Meraki deployments. Third, we highlighted action batches and several new endpoints. Finally, we announced that Meraki will be included in a few brand new DevNet certifications coming in early 2020.

That’s a lot of cloud and API announcements! To get a full sense for the Meraki APIs story, sign up for our next Cloud Services and APIs webinar. 

6. Security and SD-WAN

Over the last quarter, the Meraki MX team has been hard at work to make our security and SD-WAN appliances more flexible and easier to manage. One of the ways we’ve done that is by debuting a whole new host of API endpoints so developers can use other applications to configure and manage an MX, whether they want to update the MX Layer 7 firewall rules for an MX network or view and update content filtering settings for group policies. 

Something we know lots of our customers will be excited about is the news that HTTPS inspection is now in beta. We haven’t yet announced a final release date, but if you’d like to give this feature a try on your own network, contact your sales engineer, sales rep, or Meraki support!

7. Insight into Insight

With Slack and Office 365 recently suffering server outages, we published a couple of blog posts in the last few weeks about Meraki Insight, our network assurance tool. That doesn’t mean our product team wasn’t making Insight better; over the last quarter, we’ve enhanced Meraki Insight with some great new UI improvements designed to make it easier to use and navigate. First, a new Web App Health Details interface improves the troubleshooting experience and helps admins make correlations quicker:

Second, in the WAN Health section, two new fields are available: % capacity, which shows what percentage of upload and download capacity are being used on a particular uplink, and a notes field, which admins can use to take any notes they want about one or more uplinks.  

8. Last, but not least

Aside from product updates, we’ve focused on improving the customer experience in a couple of new areas this past quarter. If you haven’t heard already, we have a new podcast, Meraki Unboxed, to give you an inside look at our company. Additionally, the always-thriving Meraki Community recently announced its first set of All-Stars, ten outstanding contributors to our community forum. Congrats to these winners — keep the conversations flowing!


If you made it all the way down here, a sincere thank you for reading all about the latest developments at Meraki. Make sure to tune in to our next Quarterly in October. We don’t want to spoil anything now, but we promise that we’ll have lots more news to share then!

Exploring Snort


Introduction

The internet can be a dangerous place, with malware, ransomware, worms and botnets to name just a few things. How can you keep your organization and its data safe?  The Meraki MX leverages some industry-leading security technologies and puts them in the hands of users, network operators and partners whilst simultaneously making them easy to enable.  

In this blog post, we will explore one of the security technologies that Meraki utilizes to help keep users safe, namely Snort, an open-source network intrusion detection and prevention system (IDS/IPS).

What exactly is IDS/IPS?

Before we talk about why we think Snort is great, we first need to talk about what an IDS/IPS is.  

IDS/IPS systems are devices or software that monitor networks or computers to detect malicious or anomalous behaviour. An IDS simply alerts the network or system operators to malicious or anomalous behaviour, whereas an IPS will also actively prevent it.

To provide an analogy, think of a firewall as a door securing access in and out of a controlled area.  The IDS is akin to a security camera pointing at the door, whereas an IPS is a security camera with frickin’ lasers!

image credit: thinkgeek.com

Why is Snort #1 in the industry?

For a start, Snort, under the guise of Cisco, has consistently been in the upper right-hand corner of Gartner’s Magic Quadrant for IPS for many years. Fundamentally, Snort is the #1 IPS in the world because it is the most widely deployed, with over 4 million downloads of the open-source variant alone. That doesn’t even take into account the variants running on Cisco FirePower Firewalls, Cisco ASA with FirePower services firewalls, and Cisco Meraki MX security appliances.

The open source nature of Snort’s development provides the following benefits:

  • Rapid response – Cisco Talos is constantly (24x7x365) updating the rulesets that Snort uses, meaning organizations that leverage Snort are quickly protected from emerging threats.
  • Greater accuracy – The rulesets running on Snort are reviewed, tested, and improved upon by the community of users, which means organizations using Snort are leveraging the knowledge of security teams worldwide.
  • High adaptability – The open source nature of Snort means that companies and organizations can build the power of Snort directly into their own applications.

Snort isn’t a silver bullet on its own, but no security technology is. That is why at Meraki we expose the threat information identified by Snort and other technologies in a single pane of glass, enabling network defenders to quickly and easily understand whether a threat is targeted (and hence serious) or part of the background noise of the internet.

That single pane of glass is the Meraki Security Center, and it allows network defenders to see all threat data in a given network for 30 days and, in three or four clicks, lock in on a potential issue whilst cutting through the noise.

Talos?

In its own words, Cisco Talos is the industry-leading threat intelligence group fighting the good fight!  They are a team of exceptionally talented women and men who peer into the dark corners of the internet to protect your organization’s people, infrastructure and data.  Their researchers, data scientists and engineers deliver protection against attacks and malware that underpins the entire Cisco security ecosystem, Meraki included.

If you would like to learn more about Cisco Talos, then we recommend subscribing to the ‘Beers with Talos’ podcast and listening to Mitch, Craig, Joel, Matt & Nigel break down the latest threats and trends. With the exception of Nigel (who does support the best football team in the world, so he gets a pass), the Beers with Talos team runs Meraki MX Security Appliances in their home networks!

Conclusion

The implementation of Snort on Meraki’s MX security appliances typifies Meraki’s philosophy: we take an industry-leading, best-in-class technology and make it simple to enable and configure, all while making the data you get from it both easy to understand and easy to act on.

If you think your organization could benefit from the power and simplicity of Snort in the Meraki MX Security Appliance, contact Meraki sales today.


Optimize Performance of Office 365

The rise of Microsoft Office 365 (as a cloud service) has been nothing short of meteoric. It launched in 2011, and in the three years from 2015 to 2018 the number of active users more than doubled, from 60 million to over 150 million.¹ To put that into perspective, the estimated number of active users for Uber in 2018 was 100 million.²

Today one in five corporate employees globally uses at least one Office 365 cloud application.³ With such widespread adoption of a business-critical cloud service, organizations are closely scrutinizing the performance of SaaS applications, such as Office 365, resulting in nervous ‘gulps’ from IT teams around the world.

Microsoft’s own advice for optimizing Office 365 is not to backhaul traffic through a datacenter or HQ but to give it direct internet access. That’s sensible advice on the surface, i.e. don’t let the journey through a DC/HQ add latency, in particular to your Office 365 apps. However, out of the window (pardon the pun) goes the visibility and security traditionally provided by backhauling traffic.

Help is at hand though…


Branch security

The Cisco Meraki MX security and SD-WAN appliance seamlessly delivers some of the most powerful industry-leading security technologies (AMP, Threat Grid, Snort) directly to the branch. The MX’s security capabilities are continually informed by Cisco’s Talos organization – an elite team of 250 of the world’s most sought-after security researchers analyzing billions of security signatures and postures every day and delivering their findings back into millions of MX appliances with zero touch.

So… security, comprehensive check. What about visibility?


Visibility over the public internet

In general, there are three main phases a web application like Office 365 will need to successfully negotiate when a request is initiated by a client: LAN, WAN, and application server.

When sending Office 365 traffic over a public internet link you might feel like you’re crossing your fingers and hoping for the best, as you’re effectively blind beyond your own LAN. However, with Meraki Insight you can take out the nervous guesswork by tracking the performance of critical web applications such as Office 365 travelling via a direct internet breakout or VPN tunnels against network-admin defined thresholds. Meraki Insight analyzes WAN traffic and server response times for web applications to build a simple view of the health of the application across the LAN, WAN, and application server.

At-a-glance health of Office 365

Should the performance of Office 365 drop below its defined performance threshold, Meraki Insight will elegantly summarize its vast telemetry collected into an ‘X’ or ‘check mark’ across the LAN, WAN, and server to pinpoint where the degradation lies.

Instantly pinpoint the cause of performance issues

Stay Alert – NEW
Meraki Insight now also has an option to send an email alert when a tracked application like Office 365 has fallen below its performance thresholds.

Automated email alerts when poor application performance is detected


All-in-one appliance

  • Best-in-class security at the branch to allow Office 365 direct internet access
  • Visibility into Office 365 beyond the LAN to pinpoint causes of performance issues
  • Automated email alerts if performance falls below preset thresholds


Maintain peak Office 365 performance and security with one simple appliance

Delivering powerful industry-leading security and advanced visibility into web applications, such as Office 365, is achieved using only one device: the Meraki MX security & SD-WAN appliance. The MX is already established as one of the go-to appliances for security & SD-WAN, and with the addition of a Meraki Insight license can also track the health of web applications such as Office 365, all in a single appliance. Test for yourself how easy it is to optimize Office 365 using the Meraki MX appliance for free.


¹ https://www.petri.com/office-365-soars-155-million-active-users
² https://www.statista.com/statistics/833743/us-users-ride-sharing-services
³ https://www.skyhighnetworks.com/cloud-security-blog/7-charts-reveal-the-meteoric-rise-of-office-365


Our Topology Icons Speak Volumes

Communicating technical topics to a broad audience can be challenging. Photos, illustrations, and video are all helpful tools designed to simplify complex subjects, but it’s easy to go overboard when describing a product as intricate as a switch or security appliance.

To help everyone represent Cisco Meraki products and related concepts more clearly, Meraki has released a set of official topology icons (in png and svg formats) to encourage collaboration and discussion.


Speaking a single language

The icons help to describe key networking ideas more consistently across our entire product line. The products covered include our switches, access points, smart cameras, security and SD-WAN devices, virtual appliances, and other generic networking items. The images can be used freely, with attribution, as a part of the Creative Commons terms of use. We envision the icons being used in topology diagrams for deployment documents, blogs, forums, and social media.


Below is a symbol legend for some select icons you will find inside our larger icon set in the Meraki Library.


Topology Set Icons

Left-to-Right Arrows for Layer 2 – The two sets of arrows going right and left indicate communication between devices at Layer 2. Available on MS device icons. Example:


Diagonal Arrows for Layer 3 – Our Layer 3 icon adds diagonal arrows to indicate the routing capabilities available on MS and MX products. Example:


Wireless – The icon represents a device that has Wi-Fi capabilities. Available on MR wireless, select MX security appliances, and Z-Series teleworker appliances. Example:


MX SD-WAN and security specific symbols – The MX icon includes symbols for inspecting traffic (magnifying glass), diagonal arrows for routing, and a brick wall for protection against bad actors. Example:


Dotted Line for Virtual Appliances – The virtual appliance provides Meraki security and SD-WAN services for migrating IT services to Amazon Web Services and/or Microsoft Azure. Example:


Server – The server icon has several sub-icons to highlight important characteristics. Available with cloud, directory, domain, file, web, and Meraki servers. Example:


If you would like to get started, consider downloading our full icon set to begin incorporating the images into your topology maps, Meraki community messages, personal blogs, and Twitter posts.


Meraki Topology Icons by Cisco Meraki are licensed under a Creative Commons Attribution 4.0 International License.

Threat Grid + Meraki MX: A Win-Win


Introduction

It’s been a little over a year since we launched Threat Grid integration with the Meraki MX, and since then, it’s become an invaluable tool for the customers that have enabled this integration. But the customers who haven’t enabled it may not understand why this integration isn’t just important for them — it’s also important for everyone on the internet!

This isn’t the first time we’ve talked about Threat Grid on the Meraki blog. Since its debut, both Threat Grid and the MX have gotten better, but they have also gotten better together.  In this blog post we will explore in more technical detail what Threat Grid is and how it fits into the Meraki security architecture. Most importantly, we’ll explore why it’s made the internet a safer place for everyone.

AMP + Threat Grid

Cisco Advanced Malware Protection (AMP) is an intrinsic part of the Meraki MX advanced security offering and has been for over two years. Over that time, AMP has scanned hundreds of millions of files per week, blocked hundreds of thousands of malicious files per week, and sent thousands of retrospective alerts per week. This is particularly important when you consider that the volume of malware has increased by 10x in the last two years.

As you’d expect, Meraki does this by leveraging cloud technology. Once upon a time, there was a startup company called Immunet AV and they had a super smart solution for telling whether a file was good, bad or hadn’t been seen before; in security geek language, files were labeled “Clean,” “Malicious,” or “Unknown.”  That company was acquired by SourceFire, who in turn was acquired by Cisco, just like Meraki. Today, Meraki MX leverages this technology, resulting in customers getting real-time protection from known malicious files across multiple file types and multiple threat vectors.

OK, that’s great, but what about those scary “day-zero” exploits that we hear about in the news all the time? Whilst it’s still true that you shouldn’t believe everything you read, day-zero exploits certainly exist, as after all someone has to get hit first with every exploit. Though we are all tempted to think “it won’t happen to me,” there is a tangible probability that it will. If you’re the person responsible for information security risk management at your organization, then it’s your responsibility to demonstrate duty of care and mitigate as much risk as possible.

This is what Threat Grid helps you do by authoritatively and quickly letting you know if “unknown” files going through your MX are day-zero malware or not.

Threat Grid Deep Dive

As you would expect, Threat Grid is super easy to enable for an MX network. Once enabled, it starts working immediately. When a file is downloaded through the MX, the hash of the partial file is compared against the AMP cloud; if it is unknown to AMP, the file is sent straight to Threat Grid, as shown below:

The file is then detonated, which is a fancy way of saying opened up and allowed to do its thing, in a virtual Microsoft Windows sandbox environment that is completely separate and distinct from the customer infrastructure. Threat Grid now both actively and passively observes how the file behaves, by looking at how it interacts with system software, services, and network resources. At the same time, Threat Grid parses the things the file does through around 900 behavioral indicators to understand whether the file is malicious or not.

Once this is complete, Threat Grid automatically creates a report with both a high level “Threat score” and links to forensic investigation tools, also built into the platform. An example of this report is shown below:

If you want to see this report and the forensic tools being used in a demo, take a look at this great Meraki webinar.

Finally, if the file was malicious, you’ll receive an email to let you know that something bad got through and with links to Security Center and any relevant remediation steps you need to follow to get back to safety.

The cloud just got smarter

Now, if anyone else sees that file come through their Meraki MX, Cisco FirePower, Cisco WSA, or AMP for Endpoints-enabled smartphone, it will be instantly blocked, because Threat Grid updated the disposition of the file in the Cisco AMP Cloud. That means you not only detected and can stop the bad guys on your network, but you also stopped them for the rest of the world!
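The flow described in the last three sections, as an added, constructed model (not Cisco or Meraki code): a shared disposition cache stands in for the AMP cloud, a simulated sandbox scores a file against three made-up behavioural indicators, and two hypothetical gateways show the first-victim allow, the block everywhere else once the disposition changes, and the retrospective alert for the earlier allow. The threshold, the indicators and the sample file bytes are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CLEAN, MALICIOUS, UNKNOWN = "Clean", "Malicious", "Unknown"

# Assumed cut-off: the post gives no numeric value for the Threat score.
MALICIOUS_THRESHOLD = 90

# Constructed stand-ins for a few of the ~900 behavioural indicators:
# (artifact a detonated sample would produce, weight added to the threat score).
INDICATORS: List[Tuple[bytes, int]] = [
    (b"vssadmin delete shadows", 60),                                  # destroys backups
    (b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 30),  # persistence
    (b"http://", 10),                                                  # beacons out
]


def sha256_hex(data: bytes) -> str:
    """Hash that identifies a file across every gateway sharing the cloud."""
    return hashlib.sha256(data).hexdigest()


class DispositionCache:
    """Hypothetical stand-in for the shared AMP cloud: file hash -> disposition."""

    def __init__(self) -> None:
        self._known: Dict[str, str] = {}

    def lookup(self, digest: str) -> str:
        return self._known.get(digest, UNKNOWN)

    def set_disposition(self, digest: str, disposition: str) -> None:
        self._known[digest] = disposition


def sandbox_detonate(data: bytes) -> int:
    """Simulated sandbox verdict: a 0-100 threat score from matched indicators."""
    return min(100, sum(weight for pattern, weight in INDICATORS if pattern in data))


@dataclass
class Gateway:
    """One MX-like gateway; all gateways share the same DispositionCache."""

    name: str
    cloud: DispositionCache
    allowed_unknown: Dict[str, str] = field(default_factory=dict)  # digest -> filename
    retrospective_alerts: List[str] = field(default_factory=list)

    def handle_download(self, filename: str, data: bytes) -> str:
        """Return 'block' or 'allow'. Unknown files are allowed in real time but a
        copy goes to the sandbox, whose verdict updates the shared cloud."""
        digest = sha256_hex(data)
        disposition = self.cloud.lookup(digest)
        if disposition == MALICIOUS:
            return "block"
        if disposition == CLEAN:
            return "allow"
        self.allowed_unknown[digest] = filename
        score = sandbox_detonate(data)
        verdict = MALICIOUS if score >= MALICIOUS_THRESHOLD else CLEAN
        self.cloud.set_disposition(digest, verdict)
        return "allow"

    def retrospective_check(self) -> List[str]:
        """Re-check earlier 'unknown' allows; a file now Malicious raises an alert."""
        for digest, filename in list(self.allowed_unknown.items()):
            disposition = self.cloud.lookup(digest)
            if disposition == MALICIOUS:
                self.retrospective_alerts.append(filename)
            if disposition != UNKNOWN:
                del self.allowed_unknown[digest]
        return self.retrospective_alerts


# Constructed sample "files": one benign, one exhibiting all three indicators.
BENIGN_DOC = b"Quarterly results: revenue up 12%, headcount flat."
RANSOMWARE_LIKE = (b"MZ\x90\x00 stub ... vssadmin delete shadows /all /quiet ... "
                   b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ... "
                   b"http://c2.example.invalid/checkin")


def run_demo() -> Dict[str, object]:
    """Two branches share one cloud: the first victim lets the file through,
    everyone else is blocked, and the first victim gets a retrospective alert."""
    cloud = DispositionCache()
    branch_a, branch_b = Gateway("branch-a", cloud), Gateway("branch-b", cloud)
    return {
        "a_first_unknown": branch_a.handle_download("invoice.exe", RANSOMWARE_LIKE),
        "b_same_file": branch_b.handle_download("invoice.exe", RANSOMWARE_LIKE),
        "a_alerts": branch_a.retrospective_check(),
        "b_benign": branch_b.handle_download("results.txt", BENIGN_DOC),
        "b_alerts": branch_b.retrospective_check(),
    }


if __name__ == "__main__":
    print(run_demo())
```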

The people who make this automatic protection happen are Cisco Talos, a team of hundreds of guys and girls who are the internet security equivalent of the Justice League (or Avengers, if you prefer). They have had a hand in defusing, deconstructing and protecting against every internet threat you have heard about in the past 2 years. And once they’ve figured out how to stop the bad guys, they pump that knowledge right back into the Meraki MX and other Cisco products. This means that, indirectly, you are helping make the internet a safe place just by being a Meraki customer, more so if you have Threat Grid.

Talos also takes threat intelligence information from many other Cisco security products, including lots that run on or are integrated natively with the Meraki MX, as shown below:

Conclusion

So, if you are already one of the many Meraki customers with an MX network, walk a little taller, because Talos has your back. And if you really need to know whether or not that file the CEO just downloaded was a cat video or a piece of ransomware, then Threat Grid is for you.  

Reach out to your local Meraki sales rep to discuss further and start helping make the internet a safer place through simple, powerful cloud technology.

A New MX Lineup for the Modern Branch

You are probably aware of the increasing use of cloud-hosted applications, as well as the worldwide availability of reliable LTE coverage. You’ve almost certainly witnessed the increasing use of mobile devices, growth of video traffic, and increasing security threats. These trends challenge modern organizations to adapt to a complex landscape with higher bandwidth requirements, multiple uplinks, and threats that can take down networks. Despite these complexities, IT admins can use new technologies to position their branch networks for a successful future.

What’s new?

Today, we are excited to announce brand new additions to our MX and Z products, with multiple new MX security & SD-WAN appliances, along with a new Z-Series teleworker and IoT device. With upgraded and improved hardware, the additions to the MX line feature higher throughputs, faster Wi-Fi, and integrated LTE modems. The built-in modems will offer a greatly simplified way to connect remote locations or provide failover redundancy via LTE.

The MX67 and MX68 lineup

The new MX products benefit from state of the art new hardware features designed to deal with an evolving branch environment:

  • Up to 450 Mbps Throughput
  • 802.11ac Wave 2 Wireless
  • Integrated 300 Mbps CAT 6 LTE cellular modem

The MX family adds six new models to the highly successful MX64 and MX65 small branch security & SD-WAN appliances. The new MX67 and MX68 products include models with wired, wireless, cellular, and PoE+ capabilities.  Both the MX67C and MX68CW feature region-specific SKUs to accommodate separate cellular bands. Meraki is partnering with mobile providers to fully certify the cellular platforms across all regions. For more details of MX67, MX67W, MX68, MX68W, and the cellular MX67C, MX68CW visit the MX datasheet.

The new Z-Series

We are also delighted to add a new model to our feature-packed Z-Series teleworker gateway family with the Meraki Z3C, now with LTE. A built-in 100 Mbps CAT 3 LTE modem in the Z3C provides an elegant way to add redundancy for teleworker deployments. Our customers are also excited about using the Z3C to securely connect remote or isolated machinery such as vending machines, ATMs, and kiosks.

LTE in the dashboard

Like the rest of Meraki’s products, these new cellular MX and Z-Series models offer exceptional visibility via the Meraki dashboard. For these models, IT admins can monitor current traffic and historical performance, and can troubleshoot and configure their LTE connections. For example, the dashboard allows users to configure and reset their cellular connection with a few clicks. There will be a new LTE API, and the dashboard will make it simple to manage devices at scale using templates.

The Meraki MX continues to march forward in its mission to provide market-leading threat intelligence and an intuitive SD-WAN offering to keep customers connected and secure. Try out the new devices for yourself with a free trial, and let us know what you think.

One more thing…

Speaking of free trials, for those purchasing the new MX and Z-Series models in the next three months, we have an additional treat: a free 45-day trial of Meraki Insight, our intuitive tool for monitoring and troubleshooting WAN and application performance. With Insight, IT admins can monitor the status of all uplinks in the organization, and troubleshoot any network outages within seconds. It also provides detailed performance metrics to understand the root cause of ISP outages. Contact a Meraki sales representative for more information.

To learn more about the MX67 and MX68 models, as well as the Z3C, watch the launch webinar or visit the What’s New page.

Ensure you’re secure from VPNFilter

The newest blog post from the Cisco Talos intelligence team, one of the largest commercial threat intelligence teams in the world, highlights VPNFilter, the newest malware threat spreading across the Internet. This attack can lead to stolen website credentials, IoT device vulnerabilities, Internet connection cut-offs, and devices potentially rendered completely unusable.

At this point in time, no Meraki devices are known to be affected. Meraki and Talos are conducting ongoing investigations into this threat and its signatures. Meraki MX users with the Advanced Security license can protect their network from threats such as VPNFilter.

MX Ensures Security

The Meraki MX makes it very easy to implement powerful Cisco security technologies like Snort and Advanced Malware Protection (AMP). In addition to AMP and Snort, Meraki MX allows for intuitive URL blocking, as well as Layer 3 firewall rules to ban nefarious IP addresses. These capabilities play an integral role in keeping networks safe from malware.

With Cisco Snort technologies enabled, the MX performs real-time traffic analysis and can generate alerts or take actions based on a constantly updated database of threat signatures. For example, Snort has already updated and pushed out rulesets to allow identification and prevention of VPNFilter malware for Meraki MX users who have IPS enabled. IPS rulesets are updated every 24 hours and pushed out to the MX, constantly keeping you safe from new threats. The Meraki cloud also delivers firmware, bug, and feature updates to the MX.

Example of Meraki MX blocking VPNFilter exploit with Intrusion Prevention

In addition to IDS/IPS, the MX’s integrated AMP technology can detect malware and block it from being downloaded on the network. AMP can also retroactively detect files that have been downloaded on the network that have malicious markers. VPNFilter is known to infect networks by downloading files to the network from specific URLs. Fortunately, Cisco AMP has already updated its malware database for file hashes associated with VPNFilter and pushed these updates over the cloud to Meraki MX users with AMP enabled. The Meraki MX is helping protect your network by delivering these technologies via the cloud directly to your doorstep.

Blocking Threats in 3 Steps with Meraki MX

As highlighted in the detailed post from Talos, action can be taken on a list of identified URLs, IP addresses, Snort signatures, and AMP file identifiers related to VPNFilter. All of these threats can be easily neutralized within the Meraki dashboard. To enable AMP, Snort, and URL blocking features on the MX, an Advanced Security license is required. The Layer 3 firewall rules are incorporated in both MX licenses (Enterprise License and the Advanced Security License).

Following Step 1 is most important, and only takes 15 seconds, while Steps 2 & 3 take less than one minute each. Being able to secure your network easily is the hallmark of Meraki MX.

1. Enabling AMP & Snort

Visit the Security appliance > Configure > Threat protection section. A few simple clicks allow you to enable AMP and set Snort IPS to ‘Prevention’ mode with the ‘Security’ ruleset.

2. URL Blocking

Go to Security appliance > Content filtering to block the URLs listed in the Cisco Talos blog post.

3. Blocking nefarious IP addresses

Under Security appliance > Firewall you have the ability to deny traffic to all known IP addresses associated with VPNFilter malware, as listed by Cisco Talos.
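The three dashboard steps above can also be scripted. The following is an added example, not code from the original post; it assumes the Meraki Dashboard API v1 endpoint paths and body fields, and the indicator URLs and addresses in it are constructed placeholders standing in for the Talos list.

```python
"""Added example (not from the post): build the three VPNFilter mitigation
changes for the Meraki Dashboard API. Paths/body fields assumed from API v1;
indicator values are constructed placeholders, NOT the Talos list."""
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"
# Constructed placeholders (RFC 2606 names, RFC 5737 ranges), not real IoCs.
VPNFILTER_URLS = ["stage2-download.example/update", "c2.example"]
VPNFILTER_IPS = ["192.0.2.10/32", "198.51.100.0/24"]

def threat_protection_payloads():
    """Step 1: enable AMP; set Snort IPS to Prevention with the Security ruleset."""
    return {"security/malware": {"mode": "enabled"},
            "security/intrusion": {"mode": "prevention", "idsRulesets": "security"}}

def content_filtering_payload(urls, existing_blocked=()):
    """Step 2: merge indicator URLs into the blocked URL patterns (no duplicates)."""
    merged = list(existing_blocked)
    for url in urls:
        if url not in merged:
            merged.append(url)
    return {"blockedUrlPatterns": merged}

def firewall_rules_payload(ips, existing_rules=()):
    """Step 3: deny traffic to each indicator, placed BEFORE existing rules so a
    broad allow cannot match first. PUT replaces the whole list, so pass the
    current rules (minus the default rule) as existing_rules."""
    deny = [{"comment": "VPNFilter indicator (Talos)", "policy": "deny",
             "protocol": "any", "srcCidr": "Any", "srcPort": "Any",
             "destCidr": cidr, "destPort": "Any",
             "syslogEnabled": True}  # log hits: a match points at an infected host
            for cidr in ips]
    return {"rules": deny + list(existing_rules)}

def put(network_id, path, payload, api_key):
    """PUT payload to /networks/{id}/appliance/{path}; returns the JSON reply."""
    req = urllib.request.Request(
        f"{BASE}/networks/{network_id}/appliance/{path}", method="PUT",
        data=json.dumps(payload).encode(),
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def apply_all(network_id, api_key):  # push steps 1, 2 and 3 to one network
    for path, body in threat_protection_payloads().items():
        put(network_id, path, body, api_key)
    put(network_id, "contentFiltering", content_filtering_payload(VPNFILTER_URLS), api_key)
    put(network_id, "firewall/l3FirewallRules", firewall_rules_payload(VPNFILTER_IPS), api_key)
```

Fetch the current content-filtering and L3 rule lists first and pass them as the `existing_*` arguments, since both PUTs overwrite what is configured.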

For more detailed information on VPNFilter, please refer to this post from Cisco Talos. We will continue to monitor the threat landscape and work with our Talos team to provide you updates on VPNFilter and other security vulnerabilities as they develop. To learn more about the many capabilities of the Meraki MX, including SD-WAN and Security, visit the Meraki website or sign up for one of our webinars.

How One Retailer Took Over the Nation with Meraki

A Wireless Map

When Stephen Stanton, VP of IT at A Wireless, was told about upcoming plans to acquire 370 stores across the United States, he didn’t think it would be possible. Stanton knew the company would not be able to scale at that rate with their legacy networking solution. But that was four years ago. Today, A Wireless, a full-service Authorized Verizon Retailer, has about 1,170 stores across 46 states—an almost tenfold increase in store locations.

On Thursday, February 9th at 10 AM PT, Stanton will join us in a live conversation to share how A Wireless evaluated and decided on Cisco Meraki as their solution of choice for national expansion.

As A Wireless acquired new stores, they also acquired a mix of IT networking solutions and vendor products. They found themselves with a network built on varying technologies, configurations, and management systems. Implementing a standardized network and centralized management was essential for their continued success. 

Over a 3-year period, A Wireless has saved in excess of 80% in the total cost of ownership of the network, compared to a more traditional networking solution.

A Wireless TCO Cost Savings

Over 670 stores are already fitted with a full suite of Meraki solutions, including MX Security Appliances, MR Access Points, MS Switches, and even a few MC Phones. Now, Stanton and his team are ready to deploy the next 500 locations with the same products, and by the final deployment, all 1,170 stores will be full Meraki shops without any other network vendor solutions.

View a recording of this webinar, A Wireless, A Verizon Premium Retailer: Scaling Nationally with Meraki, here: [Link]

How One Company Slashed IT Costs With SD-WAN

Liberty Behavioral Management

Liberty Behavioral Management operates both inpatient and outpatient facilities across New York state, providing rehabilitation and behavioral health services to adults and adolescents. In a special Meraki webinar on December 7th at 11AM PT, Chris Smith, CTO, shared his experience managing an entire network across 13 different sites with a lean IT team of two.

Over time, Liberty Behavioral Management’s network infrastructure became insufficient for their basic business needs. Smith would receive complaints that the Internet was too slow for web surfing or file sharing, or that there wasn’t enough bandwidth for hosted medical information systems. It was time to either increase their MPLS network speed or find an alternative solution. And when Smith was notified that increasing their MPLS usage would drive up costs, he knew he had to find a different option.

Smith looked for ease-of-use, data security features, and ways to improve site-to-site connectivity without increasing internet costs. Meraki fit the bill.

With Meraki MX Security Appliances, SD-WAN (that’s “software-defined WAN” for those who haven’t come across this acronym) enhanced existing internet connectivity at each of the branches by dynamically sending traffic between locations based on set policies, defined types of traffic, and optimal performance. By leveraging MPLS at the main hospitals and the MX SD-WAN capabilities for the branch sites, Liberty Behavioral Management saved $1,127,170, or 76% of costs, over five years.

Savings with SD-WAN

Stay tuned for a complete TCO Analysis and case study to learn how Liberty Behavioral Management deployed and saved with Meraki cloud-based solutions.

Once is Enough

When configuring large distributed networks, small insignificant tasks become time consuming and laborious quite quickly. Meraki cloud managed networking products eliminate a lot of the complexity of this type of deployment with features such as configuration templates and AutoVPN. With configuration templates you are able to rapidly deploy hundreds or thousands of remote sites and connect them together with a VPN in a few clicks.

As we recently announced in our Quarterly update, there have been some enhancements to the features on the MX which allow further automation of multiple site deployments. It is now possible to add firewall rules to your configuration template that are dynamically generated to match the appropriate networks.

A recap on templates

A template is a configuration which can be applied to tens, hundreds, or thousands of MX Security Appliances. Networks within a Meraki dashboard Organization can be bound to this template so that they inherit its settings, which only have to be configured once. If this configuration is no longer required, they can be bound to a different template, or reverted to the configuration state they had before they were bound. This reduces monotonous administrative tasks and prevents human error.

One of the advantages of templates is that they can dynamically allocate subnets and IP addresses for each site. In some instances it may be desirable to have identical subnet and IP configurations at each site, but when this is not the case, unique configurations are required per site. Using templates, a network administrator can choose to have subnets and MX interface IPs created automatically, so there is no subnet duplication or IP overlap.

template_vlan_config

Making security easy

With many retailers taking advantage of Meraki’s solutions for their stores, PCI 3.0 security is an important concern. The Meraki MX’s built-in security features, such as anti-malware and Intrusion Detection & Prevention (IDS/IPS), make it simple to deploy a robust security solution. However, there is still a need to configure relevant firewall settings to safeguard payment processing systems in a retail environment, or confidential business data in an enterprise.

The new firewall objects functionality in the Meraki dashboard allows network administrators to summarize detailed firewall configurations and replicate them to many sites with templates. This has a huge impact on the amount of work required: firewall rules are configured once for the template, no matter how many remote sites you have. In an organization of 500 remote sites, with a simple firewall rule set of only 10 lines, that’s a saving of 4,900 lines of configuration, or 98% less work!

It’s all in the name

When configuring an MX template an administrator will create the VLANs and associated subnets that need to be replicated at each site. The key step in this process is assigning a name to this VLAN. This name is the object identifier that is referenced on the firewall page.

Now, when configuring the firewall rules for the template, the name of the VLAN can be selected. This means that no matter what subnet is automatically generated for that site, the firewall rule will reflect the subnet correctly. For example, in the screenshots below, ‘home’ and ‘corp’ are referenced as aliases for the actual subnet at that site.

firewall_rule_template_source

If the firewall rule needs to be specific to a particular host within the subnet, the ‘Add host bits’ button allows you to define a specific host for the site at which this rule applies. Again, this is exceptionally useful in retail environments, where it is common for devices to have specific host addresses. A good example of this is that every cash register on every site could have the addresses .5, .6, and .7.

firewall_rule_template_destination
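To make the aliasing concrete, here is an added illustration of how one template rule written against VLAN names (with optional host bits) expands into different concrete rules at each bound site. It is not Meraki’s own code; the site subnets, VLAN names and rules are constructed for the example.

```python
"""Added illustration (not Meraki's code) of how a template firewall rule
written against VLAN names expands per site: 'pos' becomes that site's
auto-allocated 'pos' subnet and 'pos.5' the .5 host of it (like 'Add host bits')."""
import ipaddress

# Constructed example: subnets a template might have auto-allocated per site.
SITE_VLANS = {
    "store-001": {"corp": "10.1.1.0/24", "pos": "10.2.1.0/24"},
    "store-002": {"corp": "10.1.2.0/24", "pos": "10.2.2.0/24"},
}
# Template rules: 'src'/'dst' hold a VLAN name, optionally with '.N' host bits.
TEMPLATE_RULES = [
    {"policy": "allow", "protocol": "tcp", "destPort": "443",
     "src": "pos.5", "dst": "corp", "comment": "register 1 to payment proxy"},
    {"policy": "deny", "protocol": "any", "destPort": "Any",
     "src": "corp", "dst": "pos", "comment": "keep corp out of card-data VLAN"},
]

def resolve(alias, vlans):
    """'name' -> site subnet; 'name.N' -> host N of that subnet as a /32."""
    if alias.lower() == "any":
        return "Any"
    name, _, host = alias.partition(".")  # VLAN names must not contain dots
    net = ipaddress.ip_network(vlans[name])
    if not host:
        return str(net)
    offset = int(host)
    # Reject host bits that would land on the network/broadcast address or
    # outside the mask; otherwise a site with a smaller subnet gets a wrong rule.
    if offset < 1 or offset > net.num_addresses - 2:
        raise ValueError(f"host bits .{offset} fall outside {net}")
    return f"{net.network_address + offset}/32"

def expand(rules, vlans):
    """Concrete rules for one site, in template order."""
    return [dict(r, src=resolve(r["src"], vlans), dst=resolve(r["dst"], vlans))
            for r in rules]

def expand_all(rules=TEMPLATE_RULES, sites=SITE_VLANS):
    """Per-site rule sets: every site gets the same policy, its own addresses."""
    return {site: expand(rules, vlans) for site, vlans in sites.items()}
```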

Talking Templates

Extensible Firewall Templates are a flexible and easy to use feature for configuring your Meraki networks. From corporate branch sites, to retail outlets and large scale teleworking using the Meraki Z1, templates improve the operational efficiency of the network administrator and allow lean IT teams to respond quickly to business needs on tight deadlines.