Organizations are preparing for a digital future faster than ever before. More than half a million customers, including a majority of the Fortune 100, have now modernized their networks with Cisco Meraki. Cloud management has created a fundamental shift away from on-site controllers, time-consuming troubleshooting, and complex security to a model that can be operated 100% remotely. To help organizations on this journey, we are doubling the size of our Wi-Fi CERTIFIED 6™ family by releasing three new Wi-Fi 6 access points, and adding enhanced troubleshooting capabilities and additional security features.
The new Meraki Wi-Fi 6 Family
New Wi-Fi 6 access points
Organizations are experiencing increases in the use of bandwidth-hungry mobile video conferencing, Wi-Fi calling, and mobile device use. Wi-Fi 6 helps to deliver these mobile experiences seamlessly, and now Meraki can deliver Wi-Fi 6 both indoors and outdoors.
We are happy to announce three new Wi-Fi CERTIFIED 6™ ruggedized and external antenna access points to deliver the newest Wi-Fi 6 standard to outdoor areas, and focused coverage areas. The MR46E, MR76, and MR86 join the MR36, MR46, and MR56 to offer screaming fast, high-performance Wi-Fi 6 everywhere.
MR46E, MR76, and MR86 Highlights
All three models are Wi-Fi CERTIFIED 6™, supporting high-density features such as MU-MIMO, OFDMA, and power saving features such as target wake time (TWT). They all feature a quad-radio architecture with 2.4 GHz, 5 GHz, security scanning, and IoT radios.
MR86 is an IP67 rated, rugged 4×4:4 Multigigabit access point, with a 3.5 Gbps max data rate for high-density outdoor environments
MR76 is an IP67 rated, rugged outdoor 2×2:2 access point with 1.7 Gbps max data rate
The MR46E is a 4×4:4 Multigigabit access point, 3.5 Gbps max data rate, with automatically-detectable external antennas. MR46E can re-use the same external antennas as MR53E.
The new outdoor access points enable organizations to extend Wi-Fi beyond current dense indoor areas. Retail shops or schools may want to offer more Wi-Fi outdoors to accommodate social distancing. MR46E is able to offer focused wireless coverage, using directional antennas, for warehouses or manufacturing plants with high ceilings, or hospitals and schools with long hallways.
Simplifying wireless troubleshooting
As discussed in a recent blog post, Meraki dramatically simplifies the ability to troubleshoot a network from end-to-end. We are now excited to release deeper insights and analytics into wireless performance metrics. With historical color-coded performance metrics for signal quality and wireless latency, identifying and correlating problems has never been easier.
Want to know how your CEO’s Wi-Fi was performing today, yesterday, or even weeks ago? Want to know the impact a configuration change had on wireless latency or signal quality at one of your remote locations? It’s now all at your fingertips with expanded Meraki Health statistics.
Client Health Signal Quality
By delivering Cisco security technologies from the cloud, Meraki helps organizations get back to what they do best. The newest wireless firmware release includes security capabilities to help organizations secure their networks.
Adaptive Policy is now available on Wi-Fi 5 and Wi-Fi 6 access points, to help simplify policy administration using SGTs (Security Group Tags). Profiling users, devices, services, and setting time of access has never been easier.
Identity PSK is now available without the need for a RADIUS server. IoT devices can be authenticated using the Meraki cloud.
WPA3 is now available across Wi-Fi 5 and Wi-Fi 6 access points, which enables higher levels of encryption and more robust password-based authentication. This will be a welcome upgrade for organizations with sensitive data such as financial services and healthcare organizations.
New firmware upgrade option
To help simplify firmware upgrades, Meraki has released a new upgrade strategy to minimize client downtime. The network never has to go offline during a firmware upgrade, so the impact on end users and devices is minimized. This new upgrade strategy option helps minimize disruption to mission-critical wireless networks such as those in manufacturing, healthcare, warehouses, and airports.
We may not see it or feel it, but it’s happening. IoT devices are growing in number all around us, and improving our lives. Sensors help organizations streamline operations at a hospital, and point-of-sale devices improve our experience at the local coffee shop. But, securing IoT can be complicated, especially when contending with outdated devices, and deploying them across multiple sites. IoT devices typically lack 802.1X support and can be hacked in 5 minutes on average. In our recent “Security Made Simple” launch, we discussed a new feature called Identity PSK that simplifies IoT security.
A better way of securing IoT
Many IoT devices are not compatible with 802.1X, leaving IT admins no choice but to use WPA2 or a pre-shared key for authentication. Unfortunately, both methods come with well-documented security flaws. Identity PSK provides a way to assign users and devices unique keys, build identity-based groups, and scale them across the network. For example, a hospital might have wireless infusion pumps and patient monitoring tools for which they would like to apply different group policies. With IPSK, the hospital IT administrator can now assign those devices unique groups and separate VLANs. The IT admin will also be able to reset or change the keys on entire groups of devices at the same time.
With IPSK, it will become easier to secure devices across multiple industries. An IT admin at a manufacturing plant will segment barcode scanners and sensors into different groups. Retail point-of-sale devices and smart thermostats will connect to one SSID, yet have different security policies. On a college campus, gaming devices, RFID card readers, and printers are easily segmented when connecting to Wi-Fi. Hotels can onboard wireless users quickly and provide granular control over their access in a more simple and secure way.
Configuring Identity PSK
Identity PSK provides the simplicity of PSK with the benefits of 802.1X, and is available today in the Meraki dashboard. Configuration is located in the wireless access control section of the dashboard. The current implementation uses a RADIUS server for authentication, allowing organizations to leverage existing services such as Cisco ISE. When a client associates to a Meraki access point, the AP will send the MAC address of the device to the RADIUS server. The RADIUS server is able to respond with the PSK, which then allows the access point to authenticate the device.
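The lookup described above, as an added example that is not Meraki's code: a constructed stand-in for the RADIUS (or cloud) directory the AP consults when a client associates, keyed by client MAC, returning the group's PSK and VLAN. The PMK derivation is the standard WPA2-PSK PBKDF2 step; that Meraki's AP performs exactly this step after selecting the per-group key is an assumption, and the hospital groups, MACs and keys are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceGroup:
    """One identity group: every member shares this group's PSK and VLAN."""
    name: str
    vlan: int
    psk: str


@dataclass
class IpskDirectory:
    """Constructed stand-in for the RADIUS/cloud lookup the AP performs on a client MAC.
    Group names, MAC addresses and keys used below are hypothetical."""
    groups: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)  # MAC -> group name

    def add_group(self, name, vlan, psk):
        self.groups[name] = DeviceGroup(name, vlan, psk)

    def enroll(self, mac, group):
        self.members[mac.lower()] = group

    def lookup(self, mac):
        """What the server answers when the AP sends the client MAC: the PSK the AP
        should validate the 4-way handshake against, plus the VLAN to place the client
        in. Unknown MACs get no key, so they cannot complete association."""
        group = self.members.get(mac.lower())
        return self.groups[group] if group else None

    def rotate_group(self, name):
        """Re-key an entire group at once; other groups keep their keys."""
        self.groups[name].psk = secrets.token_urlsafe(24)
        return self.groups[name].psk


def derive_pmk(psk, ssid):
    """Standard WPA2-PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    With IPSK the AP selects the per-group PSK first (assumed here), so two devices on
    the same SSID end up with different PMKs."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def build_hospital_directory():
    """Constructed example: infusion pumps and patient monitors on one SSID, separate VLANs."""
    d = IpskDirectory()
    d.add_group("infusion-pumps", vlan=110, psk="Pump-Group-Key-example")
    d.add_group("patient-monitors", vlan=120, psk="Monitor-Group-Key-example")
    d.enroll("AA:BB:CC:00:00:01", "infusion-pumps")
    d.enroll("AA:BB:CC:00:00:02", "patient-monitors")
    return d


def associate(directory, ssid, mac):
    """AP side of association: MAC -> group -> PMK and VLAN, or None for an unknown device."""
    g = directory.lookup(mac)
    if g is None:
        return None
    return {"vlan": g.vlan, "pmk": derive_pmk(g.psk, ssid).hex()}


if __name__ == "__main__":
    d = build_hospital_directory()
    print(associate(d, "Clinical-IoT", "aa:bb:cc:00:00:01"))
    print(associate(d, "Clinical-IoT", "de:ad:be:ef:00:00"))
```

The MAC only selects which key the AP checks; the client still has to prove possession of that key in the 4-way handshake, which is what keeps a device that knows one group's key out of another group's VLAN.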
You can learn more here about how Meraki is simplifying security for every layer of the network, from client to application. For a further deep dive on Meraki Wireless, join us for an upcoming live webinar.
We’re excited to welcome new additions to Meraki Go, a networking solution created by Cisco Meraki and built specifically for small businesses with fewer than 50 employees. Meraki Go is an easy cloud-based solution that allows business owners to self-manage the internet and Wi-Fi at their businesses.
The newest products, a security gateway and network switches, are entirely app-managed and do not require any recurring fees. For additional security, users can purchase a Meraki Go Security Subscription, powered by Cisco Umbrella.
It’s been a little over a year since we launched Threat Grid integration with the Meraki MX, and since then, it’s become an invaluable tool for the customers that have enabled this integration. But the customers who haven’t enabled it may not understand why this integration isn’t just important for them — it’s also important for everyone on the internet!
This isn’t the first time we’ve talked about Threat Grid on the Meraki blog. Since its debut, both Threat Grid and the MX have gotten better, but they have also gotten better together. In this blog post we will explore in more technical detail what Threat Grid is and how it fits into the Meraki security architecture. Most importantly, we’ll explore why it’s made the internet a safer place for everyone.
AMP + Threat Grid
Cisco Advanced Malware Protection (AMP) is an intrinsic part of the Meraki MX advanced security offering and has been for over two years. Over that time AMP has scanned hundreds of millions of files per week, blocked hundreds of thousands of malicious files per week, and sent thousands of retrospective alerts per week. This is particularly important when you consider that the volume of malware has increased 10x in the last two years.
As you’d expect, Meraki does this by leveraging cloud technology. Once upon a time, there was a startup company called Immunet AV and they had a super smart solution for telling whether a file was good, bad or hadn’t been seen before; in security geek language, files were labeled “Clean,” “Malicious,” or “Unknown.” That company was acquired by SourceFire, who in turn was acquired by Cisco, just like Meraki. Today, Meraki MX leverages this technology, resulting in customers getting real-time protection from known malicious files across multiple file types and multiple threat vectors.
OK, that’s great, but what about those scary “day-zero” exploits that we hear about in the news all the time? Whilst it’s still true that you shouldn’t believe everything you read, day-zero exploits certainly exist, as after all someone has to get hit first with every exploit. Though we are all tempted to think “it won’t happen to me,” there is a tangible probability that it will. If you’re the person responsible for information security risk management at your organization, then it’s your responsibility to demonstrate duty of care and mitigate as much risk as possible.
This is what Threat Grid helps you do by authoritatively and quickly letting you know if “unknown” files going through your MX are day-zero malware or not.
Threat Grid Deep Dive
As you would expect, Threat Grid is super easy to enable for an MX network. Once enabled, it starts working immediately. When a file is downloaded through the MX, the hash of the partial file is compared against the AMP cloud; if it is unknown to AMP, then it gets sent straight to Threat Grid, as shown below:
The file is then detonated, which is a fancy way of saying opened up and allowed to do its thing, in a virtual Microsoft Windows sandbox environment that is completely separate and distinct from the customer infrastructure. Threat Grid now both actively and passively observes how the file behaves, by looking at how it interacts with system software, services, and network resources. At the same time, Threat Grid parses the things the file does through around 900 behavioral indicators to understand whether the file is malicious or not.
Once this is complete, Threat Grid automatically creates a report with both a high level “Threat score” and links to forensic investigation tools, also built into the platform. An example of this report is shown below:
Finally, if the file was malicious, you’ll receive an email to let you know that something bad got through and with links to Security Center and any relevant remediation steps you need to follow to get back to safety.
The cloud just got smarter
Now if anyone else sees that file come through their Meraki MX, Cisco Firepower, Cisco WSA or AMP for Endpoints-enabled smartphone, it will be instantly blocked because Threat Grid updated the disposition state of the file in the Cisco AMP Cloud. This means that you not only detected and can stop the bad guys on your network, but you also stopped the bad guys for the rest of the world!
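The hash lookup, sandbox verdict and shared disposition update described in this section, as an added simulation that is not Cisco's or Meraki's code. The shared store, the scoring weights, the indicator names and the threshold are all constructed; the behaviours a sandbox would record are passed in as input because nothing is actually detonated. It also models the retrospective alert mentioned earlier: a site that let a file through while it was Unknown is told once the verdict flips to Malicious.

```python
import hashlib
from enum import Enum


class Disposition(Enum):
    CLEAN = "Clean"
    MALICIOUS = "Malicious"
    UNKNOWN = "Unknown"


# Constructed behavioural indicators and weights (hypothetical names), standing in
# for the sandbox's much larger indicator set.
INDICATOR_WEIGHTS = {
    "persists_via_run_key": 35,
    "encrypts_user_documents": 70,
    "beacons_to_unlisted_host": 45,
    "disables_shadow_copies": 60,
    "reads_system_locale": 5,
}
MALICIOUS_THRESHOLD = 70  # constructed cut-off on the 0-100 score


class AmpCloud:
    """Shared disposition store: one record per file hash, visible to every site."""

    def __init__(self):
        self.dispositions = {}
        self.sightings = {}  # sha256 -> sites that passed the file while it was Unknown

    def lookup(self, sha256, site):
        disp = self.dispositions.get(sha256, Disposition.UNKNOWN)
        if disp is Disposition.UNKNOWN:
            self.sightings.setdefault(sha256, []).append(site)
        return disp

    def set_disposition(self, sha256, disp):
        """Record the sandbox verdict. If malicious, return the sites that already let
        the file through so each can receive a retrospective alert."""
        self.dispositions[sha256] = disp
        sites = self.sightings.pop(sha256, [])
        return sites if disp is Disposition.MALICIOUS else []


def threat_score(observed_behaviours):
    """Sum the weights of observed indicators, capped at 100 (constructed scoring)."""
    return min(100, sum(INDICATOR_WEIGHTS.get(b, 0) for b in observed_behaviours))


def inspect_download(cloud, site, file_bytes, sandbox_observations):
    """Decision path for one download at one site: known hash -> immediate verdict,
    unknown hash -> sandbox, then publish the verdict for everyone."""
    sha256 = hashlib.sha256(file_bytes).hexdigest()
    disp = cloud.lookup(sha256, site)
    if disp is not Disposition.UNKNOWN:
        return {"sha256": sha256, "disposition": disp, "sandboxed": False, "retro_alerts": []}
    score = threat_score(sandbox_observations)
    verdict = Disposition.MALICIOUS if score >= MALICIOUS_THRESHOLD else Disposition.CLEAN
    alerts = cloud.set_disposition(sha256, verdict)
    return {"sha256": sha256, "disposition": verdict, "sandboxed": True,
            "score": score, "retro_alerts": alerts}


if __name__ == "__main__":
    cloud = AmpCloud()
    sample = b"constructed sample bytes, not a real file"
    seen = ["encrypts_user_documents", "disables_shadow_copies"]
    print(inspect_download(cloud, "site-A", sample, seen))   # sandboxed, alert to site-A
    print(inspect_download(cloud, "site-B", sample, seen))   # blocked from the cache
```

The second site never sandboxes the file: the first site's verdict is already in the shared store, which is the point of the section above.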
The people who make this automatic protection happen are Cisco Talos and they are a team of hundreds of guys and girls who are the internet security equivalent of the Justice League (or Avengers, if you prefer). They have had a hand in defusing, deconstructing and protecting against every internet threat you have heard about in the past 2 years. And once they’ve figured out how to stop the bad guys, they pump that knowledge right back into the Meraki MX and other Cisco products. This means that, indirectly, you are helping make the internet a safe place just by being a Meraki customer, more so if you have Threat Grid.
Talos also takes threat intelligence information from many other Cisco security products, including lots that run on or are integrated natively with the Meraki MX, as shown below:
So, if you are already one of the many Meraki customers with an MX network, walk a little taller, because Talos has your back. And if you really need to know whether or not that file the CEO just downloaded was a cat video or a piece of ransomware, then Threat Grid is for you.
Reach out to your local Meraki sales rep to discuss further and start helping make the internet a safer place through simple, powerful cloud technology.
On August 4, 2018, a new method to exploit a known vulnerability was announced by Jens Steube from the Hashcat project for wireless networks that use WPA1/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for the particular SSID. The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki, and targets information exchanged between the client and AP via management frames during roaming inherent in the 802.11 protocol. Customers using Meraki APs are vulnerable if using fast roaming (802.11r) with PSK.
The attack is an alternative approach to gather information for existing attacks that can be used to determine the PSK. The attack exploits the case wherein the PSK is transferred over the air in a hashed manner. Using PSK to secure Wi-Fi networks is not considered the most secure approach, as networks are still prone to social engineering attacks wherein the PSK can be distributed to the users outside the organization.
Meraki has already identified at-risk customers and notified them about the vulnerability. Additionally, a warning has been added to the Meraki dashboard notifying customers if their configuration makes them vulnerable. SSIDs using WPA/WPA2-Enterprise are not affected by this vulnerability as the key generation process is very different as compared to PSK.
What is the attack?
Roaming technologies were developed to improve the access point handoff experience of wireless client devices as they physically move about a given network and, by virtue of distance and signal strength, automatically associate and disassociate with various access points (APs). Associating with a new AP takes time due to the necessary authentication. Fast Roaming (FT) speeds up the authentication and association process for roaming clients, helping to protect against packet loss and poor performance in high-bandwidth applications like VoIP calls or streaming content.
As part of the attack, an attacker can target the re-association process to obtain the unique master key ID used for the specific client. The master key ID is derived from the master key (which, on a PSK network, is itself derived from the PSK), its name, the AP MAC address and the client MAC address. Since the master key is derived from the PSK and the other inputs can be easily obtained, an attacker can recover the key. Because this attack uses a dictionary attack to determine the PSK being used, it is highly recommended that admins use strong passphrases that are not susceptible to guessing attempts.
Am I affected?
Only customers using FT with WPA/WPA2-PSK on Meraki APs are affected. To gauge impact, customers can leverage a new tool available in the Meraki dashboard by going to Announcements > KRACK & PMKID Vulnerability Impact to check any networks that might be affected. Customers can easily turn off 802.11r (FT) for all affected networks directly from the tool. Only customers affected by the PMKID and/or KRACK vulnerability will see the tool in the dashboard.
To determine whether 802.11r is enabled for a given Meraki wireless network, navigate to Wireless > Configure > Access Control in the Meraki dashboard, and look under Network Access:
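The same check as an added audit script, not a Meraki tool: it walks a list of SSID configuration objects and flags the combination the advisory calls out (pre-shared key plus 802.11r on an enabled SSID), reports disabled SSIDs with the same settings separately, and builds the change that turns FT off. The sample list is constructed and shaped like Meraki Dashboard API SSID objects; the field names `authMode` and `dot11r.enabled` are assumptions from the public API, not quoted on this page, so check them against the API reference before using this against real exports.

```python
import copy

# Constructed sample shaped like Dashboard API SSID objects. Field names are assumed
# (authMode, dot11r.enabled); SSID names and numbers are hypothetical.
SAMPLE_SSIDS = [
    {"number": 0, "name": "Corp", "enabled": True,
     "authMode": "8021x-radius", "dot11r": {"enabled": True, "adaptive": False}},
    {"number": 1, "name": "Warehouse-Scanners", "enabled": True,
     "authMode": "psk", "dot11r": {"enabled": True, "adaptive": False}},
    {"number": 2, "name": "Guest", "enabled": True,
     "authMode": "psk", "dot11r": {"enabled": False, "adaptive": False}},
    {"number": 3, "name": "Retired", "enabled": False,
     "authMode": "psk", "dot11r": {"enabled": True, "adaptive": False}},
]


def uses_psk(ssid):
    # Only plain PSK is flagged, matching the advisory; Enterprise SSIDs derive
    # keys differently and are stated to be unaffected.
    return ssid.get("authMode") == "psk"


def ft_enabled(ssid):
    return bool(ssid.get("dot11r", {}).get("enabled", False))


def find_exposed_ssids(ssids):
    """Return SSID numbers that combine PSK with 802.11r. Enabled SSIDs are the
    exposed ones; disabled SSIDs with the same settings are listed as dormant so
    they are fixed before anyone re-enables them."""
    exposed, dormant = [], []
    for s in ssids:
        if uses_psk(s) and ft_enabled(s):
            (exposed if s.get("enabled") else dormant).append(s["number"])
    return {"exposed": exposed, "dormant": dormant}


def remediation_payload():
    """Body for an SSID update that turns FT off (field name assumed as above)."""
    return {"dot11r": {"enabled": False, "adaptive": False}}


def apply_remediation(ssids, numbers):
    """Apply the payload to copies of the selected SSIDs and return them, so the
    resulting configuration can be reviewed before any API call is made."""
    changed = []
    for s in ssids:
        if s["number"] in numbers:
            fixed = copy.deepcopy(s)
            fixed.update(remediation_payload())
            changed.append(fixed)
    return changed


if __name__ == "__main__":
    result = find_exposed_ssids(SAMPLE_SSIDS)
    print("exposed:", result["exposed"], "dormant:", result["dormant"])
    for s in apply_remediation(SAMPLE_SSIDS, result["exposed"] + result["dormant"]):
        print("would update SSID", s["number"], "->", s["dot11r"])
```

Running it on the sample flags SSID 1 as exposed and SSID 3 as dormant; SSID 0 keeps FT because it is Enterprise, and SSID 2 is PSK without FT.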
We strongly urge all customers to disable 802.11r when used with PSK. Our technical support staff is available to assist with any questions or concerns you may have.