Posts Tagged ‘security’

Redefining Financial Institution Security beyond the Perimeter


Financial institution executives believe that cybersecurity threats will present the greatest challenge to their industry in 2021, according to a recent survey conducted by core technology provider CSI. And consider one story in which hackers attacked a bank’s security system and took over their cameras. Even after the bank replaced the cameras, the hackers were so embedded that the bank had to replace its entire security system. The lesson? Don’t underestimate the risk of a cyberattack.

Blended threats

Many financial institutions believe that their current security program is good enough—but is it? The threats we face are dynamic, emerging, and global, and they often keep one foot on each side of the physical and digital divide. These blended threats require connecting data, building new capabilities, and gaining new insights, thereby eroding the distance between the roles and responsibilities of physical and cybersecurity teams.  

The need for physical security isn’t going away, so it’s imperative that physical security teams and cybersecurity teams work together to ensure a holistic approach to financial institution security. So, how can your financial institution benefit from a collaborative working relationship between the physical security team and the cybersecurity team?

Adopt emerging technologies with confidence 

As new IoT devices enter the market they can open up a lot of security vulnerabilities. Imagine the scenario where an attacker successfully gains entry to a server room or data center and installs malware or devices to capture confidential, sensitive data—or even brings down the network entirely. How would a financial institution with a conjoined physical and cybersecurity strategy mitigate this situation?  

In this instance, cybersecurity teams faced with intruders could quickly connect the cyber footprint to a physical location. By mapping cyber and physical presence against one another, it’s possible to understand where threats originate. If an intrusive device is planted within an environment, cybersecurity teams can track its presence to its origin and identify those responsible for bringing it in via video surveillance footage. This provides a better view of the threat and more tools to protect valuable assets.

Additionally, consider developing the proper risk mindset and engage across the organization to innovate and behave collaboratively, thereby cultivating an institutionalized approach to governance, controls, and data protections. Cross-organizational cooperation can synergistically carve a path to adopting new IoT technology. 

Deepen your customers’ trust

Online banking and mobile banking have skyrocketed with the pandemic. Extending a digital trust experience into branch locations and physical touch points with customers and members is imperative. 90% of consumers said they feel safer when they can see video surveillance cameras in their bank or credit union and would choose a financial institution with surveillance over one without, all other things being equal. In the age of COVID-19, consumers will be expecting physical distancing measures, cleaning protocols, and mask compliance. Addressing these challenges does not have to mean manual monitoring and processes. New physical security technologies with integrated artificial intelligence can look for multiple threats using multiple sensors in an integrated and seamless response. 

Create synergies–branch transformation 

As branches are redesigned to be more open with self-service kiosks and digital signage, tellers will not be behind a desk but will instead be roaming the branch to assist customers with more complex transactions, like home purchases, retirement, or the intricacies of starting a business. This leaves the opportunity for an integrated networked security solution in this physical domain that can provide critical customer experience data around people-counting and queue length/occupancy for branch performance metrics, but also cover perimeter security and asset protection concerns for both on-site and remote teams. Harnessing the insights from video data for evolving customer experiences becomes a competitive advantage to win.

Being successful today requires a holistic approach to security to ensure there is consistent protection of consumer data, employees, brand reputation, and infrastructure. Digital transformation for the physical security world has evolved as innovation enables the harnessing of insights from video data to feed a dashboard of information for lines of business with revenue-generation initiatives. Together, physical and cybersecurity teams will be positioned to combat emerging threats, mitigate risk, and deliver value across the organization beyond their traditional roles.

To learn more about a modern approach to security, visit our financial services home page.

How Manufacturers can Stay Resilient and Secure Into the Future


Cisco recently hosted their annual Virtual Manufacturing Summit—which included manufacturing executives, solution providers, and industry thought leaders—to address the ways that manufacturers can provide a safer and more secure workplace while maintaining high levels of factory uptime and worker efficiency.

The two-day event focused on how IT and OT groups within manufacturers must work closely to ensure safe and reliable operations while increasing productivity and profitability. During the Summit, Cisco’s SVP of Global Manufacturing and Logistics shared best practices around business resiliency in a post-pandemic environment.  

The summit also included a breakout session with Bossa Nova Robotics, a Cisco Meraki customer. Founded in 2005 as a spin-off from the Robotics Institute at Carnegie Mellon University, Bossa Nova is a developer of advanced robotics technology designed to enable retailers to collect and process real-time intelligence about their inventory. The robots autonomously roam store aisles multiple times per day to confirm that each product is on the right shelf and has the right price. Bossa Nova’s robots are currently operating in over 350 stores globally.

During the session, Todd Shipway, Director of IT & Robot Communications at Bossa Nova, discussed how they leverage Meraki solutions in conjunction with robots to monitor the plant floor for safety and security. Shipway discussed the need to automate as much as they can in a post-pandemic world when it comes to manufacturing. He also discussed how Cisco Meraki has impacted their workflow during the pandemic and beyond.

As Shipway puts it, “As of right now we are 99% remote. The robots are still there and being tested and the Meraki solution has allowed us to keep an eye on our infrastructure.” To learn more about how Bossa Nova utilizes Meraki, explore their case study.   

Learn more about Meraki products and explore how our solutions address critical manufacturing scenarios by visiting our website to get a deeper dive.

How to Secure Mobile Devices and Cloud Applications for the Remote Workforce

Recently, we polled viewers of our Behind the Network series. Out of 81 responses, 51 confirmed that security and compliance is what worries them the most about shifting to a more remote workforce. It’s no surprise that security is always a top priority, even as our work environment changes. While most organizations prioritize protecting employees, devices, business applications, and sensitive data from cyberattacks, the task is no easy feat. Let’s take one aspect of security and break it down into actionable steps: securing mobile devices.

When it comes to securing mobile phones, IT administrators know the importance of using endpoint management software to provision, configure, and monitor those assets. Another critical step is asking key questions like: 

  • What was the state of the device before we installed the management software? 
  • Are we certain that our corporate applications are being deployed to a secure device?
  • Are we certain the applications themselves are secure? 


The two critical pillars of security are the device level and the application level. When planning your mobile foundation, the combined Meraki Systems Manager and Duo’s Trusted Endpoint feature helps you address each of these areas. Meraki Systems Manager provides complete control over your mobile phones and Duo provides the best possible Multi-Factor Authentication (MFA), used from those secure devices, to ensure your users access corporate applications securely and with the highest level of authentication. Duo’s Trusted Endpoint feature, integrated with Systems Manager, ensures an extra level of trust based on a Duo-issued certificate unique to each mobile device.

Whether your company buys phones for your employees or whether you manage BYOD phones, you can use Meraki Systems Manager to ensure the security of those devices. Configure password requirements, enforce GeoFencing policies, automatically deploy “Sentry WiFi” profiles for secure wireless, and track inventory to ensure the OS and apps are up-to-date. Additionally, for an even stronger foundation you can deploy company-purchased phones using Apple’s DEP or Zero Touch on Android phones, so that security is turned on at the factory before the shrink wrap is opened.

Given how important Duo’s MFA capability is to a defense-in-depth strategy, and how logically it builds on top of the OS security Meraki Systems Manager provides beneath it, you would be right to ask “what is the most secure process for deploying and configuring Duo on my mobile devices?” Duo’s Trusted Endpoint feature is the exact answer to this question.

Meraki Systems Manager now integrates directly with Duo and supports the Trusted Endpoint feature for securely deploying Duo to iOS and Android devices. Configuration takes just a few minutes. You can easily set up both Meraki and Duo from your couch at home given that both systems are managed using native cloud dashboards. Upon completion, you will have laid down the ultimate secure foundation for mobile OS management and MFA application security. Using the Duo Trusted Endpoint feature, Meraki Systems Manager is able to provision Duo automatically to each device while simultaneously configuring Duo so that it is enrolled in Duo’s PKI before the MFA actions are allowed.

Fast, scalable deployment of mobile devices requires a trusted foundation, otherwise you are building a very shaky structure for your business. Meraki Systems Manager, when combined with Duo’s Trusted Endpoint capability, is a comprehensive security solution for mobile devices. The operating system is configured and secured by Meraki—with security originating at the factory if zero touch provisioning is used. Your multi-factor authentication provided by Duo ensures that access to corporate applications is gated securely. And, critically, the security foundation for the Duo application itself is laid down using Meraki Systems Manager’s integration with the Trusted Endpoint feature.

For more information on this enterprise security feature, please join us on an upcoming live webinar co-presented by Meraki and Duo.

Introducing Meraki Trusted Access

These days, as individuals carry multiple types of devices and expect to be connected at all times, the job of an IT admin becomes more complicated and stressful. Knowing what each end-user and device is trying to do on the network can be a burden. How can you feel confident that your network security will not be jeopardized while company assets remain contained? 

Systems Manager, Cisco’s Mobile Device Management (MDM) solution, is evolving to address this need. We are introducing Meraki Trusted Access, which securely connects personal devices to business-critical resources without requiring an MDM profile to be installed. 

Meraki Trusted Access enhances both the IT and end-user experience

For IT, Meraki Trusted Access means no longer dealing with tedious and manual onboarding processes. Granting secure network access to end devices becomes seamless and automated. With the Meraki dashboard, IT can sync their Active Directory server to create user profiles. From those user profiles, Trusted Access can then be enabled for specific Wi-Fi networks, specifying how many devices each user can onboard to get access and for how long. A user’s device gets access using a certificate: once that user is authenticated, the device is “trusted”. A “trusted” device can then securely access resources.

Additionally, Meraki Trusted Access enables more control and manageability over certificate-based onboarding processes. Whether a user is managed or unmanaged, the certificate authentication is done with Meraki. This removes the need to engineer complex third-party integrations. Finally, Systems Manager also offers an open API platform for customized integrations, for more business-critical operations. 

For end-users, Meraki Trusted Access means an easier way to access critical applications. By using the newly enhanced Meraki Self-Service Portal, end-users can sign into the portal and start onboarding their devices themselves. From there, they can download certificates directly to those devices, granting them secure access to business-critical applications they might need. On top of this intuitive method of getting their devices access, end-users will also be happy to know that their privacy stays intact. They will no longer need to enroll into an MDM solution in order to get the access they need.

Meraki Trusted Access is the easiest way to securely connect devices without an MDM

Enabling Meraki Trusted Access is simple. Meraki Trusted Access is enabled when you have both Meraki MR access points and Meraki Systems Manager in your network. 

You can configure Meraki Trusted Access in 4 simple steps: 

  1. Enable Trusted Access on an SSID
  2. Create an end-user profile under Systems Manager. You can automatically use Active Directory group tags to enable Trusted Access or configure users manually.
  3. Select the end-user’s network access privileges and tie them to the SSID that has Trusted Access enabled 
  4. Share the Self-Service Portal link with the end-user so they can onboard their devices and download the trusted certificate.

Cisco’s MDM solution, Meraki Systems Manager, continues to provide end-users and end-devices network security with flexible authentication methods, automated device onboarding, and dynamic security policies. 

If you are a current MR and SM customer, you can try Meraki Trusted Access today (just make sure you have enough SM licenses to cover the number of mobile devices). Start by reading our Meraki Trusted Access documentation guide for a smooth set-up. If you’d like to learn more about Systems Manager, you can connect with the Meraki team to start a 30-day free trial, no strings attached.

Integrating MV Smart Cameras with Access Control

A puzzle is a picture broken up into hundreds of pieces. An individual piece doesn’t offer much insight into the big picture, but as more pieces are connected, the story becomes clearer. Physical security is similar in that one piece of information about a single event doesn’t always provide a clear picture of what actually happened.

Say that a security team receives an alert with two pieces of information:

  • A door was propped open for 60 seconds.
  • An employee badge, Sarah’s to be specific, was used to unlock the door.  

What should the security team do? The answer depends on the circumstances. Was it actually Sarah using her badge? Why was the door open for so long? Was there tailgating, and if so, who else came in? Video can help answer these questions, but how do you know when and where to look? To make sense of events faster and get the complete picture, video and access control systems need to work together.

Get Answers More Quickly

Fortunately, Meraki MV smart camera APIs make it easy to provide video context to establish the validity of things like access control logs. The video link API can be used to pair video footage with access control events. The snapshot API can retrieve a snapshot from the relevant camera for more immediate context on a given event, in this case a person badging in. 

This means when there is an alert, or an event needs to be reviewed, it’s easy for the user to quickly understand what happened. With this type of integration in the scenario above, security could have easily looked at the snapshot or accessed the relevant video in the dashboard to verify that it was Sarah using her badge, and that she propped open the door to carry in a couple of boxes. 
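The pairing described above can be sketched as follows. This is an added example, not code from the original post or from Meraki or Sequr: the event records, door names, camera serials and the 30-second threshold are constructed, and the endpoint paths are an assumption based on Meraki Dashboard API v1 that should be checked against the current API reference. It only builds the requests, so it runs offline.

```python
"""Added example: attach camera context to access-control alerts."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

API_BASE = "https://api.meraki.com/api/v1"  # assumed Dashboard API v1 base URL
HELD_OPEN_LIMIT_S = 30                      # assumed policy threshold, in seconds

# Constructed door-to-camera mapping; the serials are placeholders.
DOOR_TO_CAMERA = {"lobby-east": "QXXX-XXXX-0001", "dock-2": "QXXX-XXXX-0002"}


@dataclass
class AccessEvent:
    door: str
    badge_holder: str
    unlocked_at: datetime  # must be timezone-aware
    open_seconds: int


def iso_utc(ts: datetime) -> str:
    """Normalize to UTC so the camera and the door controller agree on time."""
    if ts.tzinfo is None:
        raise ValueError("event timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def camera_requests(event: AccessEvent):
    """Build the video-link and snapshot requests for one event.

    The API key is deliberately absent: add it as a header at send time from
    a secret store, so these dicts can be logged or attached to a ticket.
    Returns None when no camera covers the door.
    """
    serial = DOOR_TO_CAMERA.get(event.door)
    if serial is None:
        return None
    ts = iso_utc(event.unlocked_at)
    device = f"{API_BASE}/devices/{serial}/camera"
    return {
        "video_link": {
            "method": "GET",
            "url": f"{device}/videoLink?{urlencode({'timestamp': ts})}",
        },
        "snapshot": {
            "method": "POST",
            "url": f"{device}/generateSnapshot",
            "json": {"timestamp": ts},
        },
    }


def triage(events):
    """Return one finding per door held open past the limit."""
    findings = []
    for ev in events:
        if ev.open_seconds <= HELD_OPEN_LIMIT_S:
            continue
        reqs = camera_requests(ev)
        findings.append({
            "door": ev.door,
            "badge_holder": ev.badge_holder,
            "open_seconds": ev.open_seconds,
            "requests": reqs,
            # A door with no camera is a coverage gap worth reporting too.
            "note": "review footage" if reqs else "no camera mapped to this door",
        })
    return findings


# Constructed sample events, modelled on the scenario in the post.
EST = timezone(timedelta(hours=-5))
SAMPLE_EVENTS = [
    AccessEvent("lobby-east", "Sarah", datetime(2021, 3, 1, 9, 5, 0, tzinfo=EST), 60),
    AccessEvent("dock-2", "Omar", datetime(2021, 3, 1, 9, 7, 0, tzinfo=EST), 5),
    AccessEvent("server-room", "Lee", datetime(2021, 3, 1, 9, 9, 0, tzinfo=EST), 90),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```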

The Sequr Platform makes it easy to access relevant video from your MV smart cameras

MV Integration is Built into the Sequr Platform

While the APIs are available for anyone to use, Sequr has made it even easier for customers using their cloud access control system. The Sequr platform integration with Meraki MV smart cameras makes it quick and easy to get started. Once the API key has been entered, simply map cameras to doors and start monitoring access control logs with Meraki MV smart cameras.

In the Sequr platform, a video link to the relevant feed will appear next to each event. Selecting the link will launch the camera in the Meraki dashboard and play video for the event. Sequr users can also configure the system to create a short video clip, viewable in the Sequr platform. The videos can also be included in alerts, sent via email or to a messaging platform, making it even easier for teams to quickly assess events. 

MV smart camera video clips can be included with alerts on the Sequr platform

To learn more about our MV smart camera APIs, visit the Meraki Developer Hub on DevNet. To learn more about the Sequr cloud access control system, check out the Meraki Marketplace.

Exploring Snort


The internet can be a dangerous place, with malware, ransomware, worms and botnets to name just a few things. How can you keep your organization and its data safe?  The Meraki MX leverages some industry-leading security technologies and puts them in the hands of users, network operators and partners whilst simultaneously making them easy to enable.  

In this blog post, we will explore one of the security technologies that Meraki utilizes to help keep users safe, namely Snort, which is an open-source network intrusion detection system/intrusion prevention system (IDS/IPS).

What exactly is IDS/IPS?

Before we talk about why we think Snort is great, we first need to talk about what an IDS/IPS is.  

IDS/IPS systems are devices or software that monitor networks or computers to detect malicious or anomalous behavior. An IDS simply alerts the network or system operators to malicious or anomalous behavior, whereas an IPS will also actively prevent this behavior.

To provide an analogy, think of a firewall as a door securing access in and out of a controlled area.  The IDS is akin to a security camera pointing at the door, whereas an IPS is a security camera with frickin’ lasers!


Why is Snort #1 in the industry?

For a start, Snort, under the guise of Cisco, has consistently been in the upper right-hand corner of Gartner’s Magic Quadrant for IPS for many years. Fundamentally, Snort is the #1 IPS in the world because it is the most widely deployed, with over 4 million downloads of the open-source variant alone. That doesn’t even take into account the variants running on Cisco FirePower Firewalls, Cisco ASA with FirePower services firewalls, and Cisco Meraki MX security appliances.

The open source nature of Snort’s development provides the following benefits:

  • Rapid response – Cisco Talos is constantly (24x7x365) updating the rulesets that Snort uses, meaning organizations that leverage Snort are quickly protected from emerging threats.
  • Greater accuracy – The rulesets running on Snort are reviewed, tested, and improved upon by the community of users, which means organizations using Snort are leveraging the knowledge of security teams worldwide.
  • High adaptability – The open source nature of Snort means that companies and organizations can build the power of Snort directly into their own applications.

Snort isn’t a silver bullet on its own, but no security technology is. That is why at Meraki we expose the threat information identified by Snort and other technologies in a single pane of glass, enabling network defenders to quickly and easily understand whether a threat is targeted (and hence serious) or part of the background of the internet.

That single pane of glass is the Meraki Security Center, and it allows network defenders to see all threat data in a given network for 30 days and, in three or four clicks, lock in on a potential issue whilst cutting through the noise.


In its own words, Cisco Talos is the industry-leading threat intelligence group fighting the good fight!  They are a team of exceptionally talented women and men who peer into the dark corners of the internet to protect your organization’s people, infrastructure and data.  Their researchers, data scientists and engineers deliver protection against attacks and malware that underpins the entire Cisco security ecosystem, Meraki included.

If you would like to learn more about Cisco Talos, then we recommend subscribing to the ‘Beers with Talos’ podcast and listening to Mitch, Craig, Joel, Matt & Nigel break down the latest threats and trends. With the exception of Nigel (who does support the best football team in the world, so he gets a pass), the Beers with Talos team runs Meraki MX Security Appliances in their home networks!


The implementation of Snort on Meraki’s MX security appliances typifies Meraki’s philosophy; we take an industry leading, best-in-class technology and we make it simple to enable and configure.  All while making the data you get from it both easy to understand and to act on.

If you think your organization could benefit from the power and simplicity of Snort in the Meraki MX Security Appliance, contact Meraki sales today.


SD-WAN with Meraki

If you work in network technology, you have probably heard the term SD-WAN many times in recent months. In this post, we will unpack some of the concepts to help show why SD-WAN could be of great benefit to your business.

SD-WAN means different things to different vendors, not to mention all the dedicated hardware, software, and licenses needed to run these solutions. The goal of SD-WAN is to allow organizations to save money and meet their connectivity needs faster.

At Cisco Meraki, we have an SD-WAN solution included with the base license (Enterprise license) on all Meraki MX security and SD-WAN appliances, and it requires no additional servers or hardware. Just plug it in, configure it in the Meraki dashboard, and start saving money and adding value in other areas of the business.

Register for the SD-WAN webinar

SD-WAN is an acronym for Software-Defined Wide Area Network, and it is a technology that is part of the family of software-defined networking (SDN) technologies, another example being software-defined access. Being software-defined means that decisions about how traffic can be routed between all sites on the WAN are defined by policy, and its behavior adapts to the condition of the WAN rather than having a fixed configuration.

SD-WAN solutions achieve this through a number of functions, such as resiliency, security, quality of service, application optimization, and much more. The Meraki SD-WAN solution uses a unique combination of these technologies to create a solution that is easy to configure, deploy, and manage.

If it ain’t broke, don’t fix it

While this is usually good advice, the innovator’s dilemma also teaches us that if you do not introduce disruptive technology into an established space, such as the WAN, someone else will! MPLS has seen a lot of innovation, but it would be fair to say that this innovation is, for the most part, for the service providers that run and offer WAN services on top of MPLS networks.

The simplicity of Meraki SD-WAN means that the power and flexibility are directly in the hands of the customer or service provider. This means that, without the need for additional devices, services, or upgrades, customers can create or benefit from more cost-effective network connectivity.

While this type of preferential routing is available on traditional MPLS networks, it is generally only available at a premium, in a limited set of classes, and for predefined networks or applications. Meraki SD-WAN, by contrast, combines the Layer 7 application detection that comes across the whole Meraki stack to achieve this in a more concise way.

So why Meraki?

We often joke that SD-WAN is just a sprinkling of policy-based magic built on top of Cisco Meraki’s Auto VPN. However, it uses open, standards-based technology that you have probably already used. What we are referring to specifically here is a technology originally created at Google, but later open-sourced, that is built into most of its products (for example, Gmail, Google Drive).

MX security and SD-WAN appliances use this technology to infer the latency, jitter, and packet loss of virtual paths between 2 MXs, as shown below. These three things together give us the ability to calculate a Mean Opinion Score (MOS), which can be used to rate the acceptability of a WAN path for voice traffic.

This means that one of the policies that comes preconfigured is the ability to choose the virtual path that is best for voice traffic: a quick win for everyone. In the event that the best virtual path for voice changes, the MX will automatically move the flows to the next most appropriate path.
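How latency, jitter, and packet loss combine into a MOS, and how that score can drive voice path selection, is sketched in the added example below. It is not Meraki's code: the post does not describe the MX's calculation, so a widely used simplified E-model approximation stands in for it, and the path names, sample metrics, and hysteresis margin are constructed assumptions.

```python
"""Added example: score WAN paths for voice and pick the best one."""
from dataclasses import dataclass


@dataclass
class PathStats:
    name: str
    latency_ms: float  # latency inferred from probes between two sites
    jitter_ms: float
    loss_pct: float    # packet loss as a percentage, 0-100


def estimate_mos(p: PathStats) -> float:
    """Estimate MOS with a simplified E-model approximation.

    Assumption: this common approximation stands in for the MX's own
    calculation, which the post does not describe.
    """
    # Jitter is weighted double; 10 ms covers codec and processing delay.
    effective_latency = p.latency_ms + 2 * p.jitter_ms + 10
    if effective_latency < 160:
        r = 93.2 - effective_latency / 40
    else:
        # Past roughly 160 ms, delay hurts conversation quality much faster.
        r = 93.2 - (effective_latency - 120) / 10
    r -= 2.5 * p.loss_pct             # each 1% of loss costs 2.5 R points
    r = max(0.0, min(100.0, r))       # clamp the R-factor to its valid range
    return 1 + 0.035 * r + 0.000007 * r * (r - 60) * (100 - r)


def select_voice_path(paths, current=None, hysteresis=0.2):
    """Return the name of the path voice flows should use.

    Flows stay on `current` unless another path beats it by `hysteresis`
    MOS points, so near-equal paths do not cause flapping. The margin is
    an assumed value, not a documented Meraki setting.
    """
    if not paths:
        raise ValueError("no candidate paths")
    scores = {p.name: estimate_mos(p) for p in paths}
    best = max(scores, key=scores.get)
    if current in scores and scores[best] - scores[current] < hysteresis:
        return current
    return best


# Constructed sample measurements for two virtual paths between two sites.
SAMPLE_PATHS = [
    PathStats("mpls", latency_ms=20, jitter_ms=2, loss_pct=0.0),
    PathStats("broadband", latency_ms=150, jitter_ms=30, loss_pct=2.0),
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path.name}: MOS {estimate_mos(path):.2f}")
    print("voice uses:", select_voice_path(SAMPLE_PATHS))
    # The first path degrades; flows currently on it should move.
    degraded = [PathStats("mpls", 300, 50, 5.0), SAMPLE_PATHS[1]]
    print("after degradation:", select_voice_path(degraded, current="mpls"))
```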

To track applications with characteristics different from voice, you can simply add a custom performance class that lets you set a supported threshold for latency, jitter, packet loss, or any combination of the three. This can then be referenced as the criterion for virtual path selection in a single UI policy, as shown below:

Finally, and fully integrated into the solution, is the ability to see how flows traverse your network’s virtual paths in near real time and, more powerfully, historically:

Meraki has been simplifying complex technology for over a decade, and SD-WAN is just another example where we have applied the Meraki magic to allow organizations to focus on their mission. It is also worth noting that Meraki has been offering SD-WAN since 2016, making it one of the most established and stable technology platforms in this space.

Thousands of customers around the world have already chosen Meraki SD-WAN, and thousands more are already trying it. Learn more in our webinars with a live SD-WAN demo; register here.

A New MX Lineup for the Modern Branch

You are probably aware of the increasing use of cloud-hosted applications, as well as the worldwide availability of reliable LTE coverage. You’ve almost certainly witnessed the increasing use of mobile devices, growth of video traffic, and increasing security threats. These trends challenge modern organizations to adapt to a complex landscape with higher bandwidth requirements, multiple uplinks, and threats that can take down networks. Despite these complexities, IT admins can use new technologies to position their branch networks for a successful future.

What’s new?

Today, we are excited to announce brand new additions to our MX and Z products, with multiple new MX security & SD-WAN appliances, along with a new Z-Series teleworker and IoT device. With upgraded and improved hardware, the additions to the MX line feature higher throughputs, faster Wi-Fi, and integrated LTE modems. The built-in modems will offer a greatly simplified way to connect remote locations or provide failover redundancy via LTE.

The MX67 and MX68 lineup

The new MX products benefit from state of the art new hardware features designed to deal with an evolving branch environment:

  • Up to 450 Mbps Throughput
  • 802.11ac Wave 2 Wireless
  • Integrated 300 Mbps CAT 6 LTE cellular modem

The MX family adds six new models to the highly successful MX64 and MX65 small branch security & SD-WAN appliances. The new MX67 and MX68 products include models with wired, wireless, cellular, and PoE+ capabilities.  Both the MX67C and MX68CW feature region-specific SKUs to accommodate separate cellular bands. Meraki is partnering with mobile providers to fully certify the cellular platforms across all regions. For more details of MX67, MX67W, MX68, MX68W, and the cellular MX67C, MX68CW visit the MX datasheet.

The new Z-Series

We are also delighted to add a new model to our feature-packed Z-Series teleworker gateway family with the Meraki Z3C, now with LTE. A built-in 100 Mbps CAT 3 LTE modem in the Z3C provides an elegant way to add redundancy for teleworker deployments. Our customers are also excited about using the Z3C to securely connect remote or isolated machinery such as vending machines, ATMs, and kiosks.

LTE in the dashboard

Similar to the rest of Meraki’s products, these new cellular MX and Z-Series models offer exceptional visibility via the Meraki dashboard. For these models, IT admins can monitor current traffic and historical performance, as well as the ability to troubleshoot and configure their LTE connections. For example, the dashboard allows users to configure and reset their cellular connection with a few clicks of a button. There will be a new LTE API, and the dashboard will make it simple to manage devices at scale using templates.

The Meraki MX continues to march forward in its mission to provide market-leading threat intelligence and an intuitive SD-WAN offering to keep customers connected and secure. Try out the new devices for yourself with a free trial, and let us know what you think.

One more thing…

Speaking of free trials, for those purchasing the new MX and Z-Series models in the next three months, we have an additional treat: a free 45-day trial of Meraki Insight, our intuitive tool for monitoring and troubleshooting WAN and application performance. With Insight, IT admins can monitor the status of all uplinks in the organization, and troubleshoot any network outages within seconds. It also provides detailed performance metrics to understand the root cause of ISP outages. Contact a Meraki sales representative for more information.

To learn more about the MX67 and MX68 models, as well as the Z3C, watch the launch webinar or visit the What’s New page.

Meraki MR + Umbrella: A Match Made In the Cloud

The pace at which new security threats are being introduced and propagated online has reached exponential levels, gaining speed with each passing year. Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence in a programmatic way. These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.

Securing your wireless users from malicious attacks — particularly these “DNS blind spots” that exist in many networks and are exploited by 97% of advanced malware — is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor and apply security for DNS.

It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).

Umbrella is the industry’s first secure internet gateway, a cloud-delivered first line of defense against threats like malware, ransomware, and phishing. Umbrella enforces security at the DNS layer by identifying requested web domains hosting nasty stuff — malware, phishing, etc. — and blocking end-user access to them. Umbrella also enables more secure DNS querying through a tool called DNSCrypt, which automatically encrypts DNS queries between your network and Umbrella’s servers, effectively eliminating the chance that your queries will be the victim of eavesdropping or man-in-the-middle (MITM) attacks. This secures the “last mile” of a client’s internet connection, which is often left exposed and vulnerable.

There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.


Enabling Umbrella integration

So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.

Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.

Enabling Meraki + Umbrella integration within the Meraki dashboard.


Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.

To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.

Linking an Umbrella policy to a Meraki SSID.


By default, the last policy physically listed in the Umbrella dashboard’s ordered policy list will be inherited by a Meraki SSID unless a different policy is selected from the dropdown list.

To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.

Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.


Once a Meraki SSID or group policy has been successfully linked to an Umbrella security policy, clients that connect to that SSID, or that have that group policy applied, will have their DNS queries encrypted (if the AP supports 802.11ac) and verified against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella DNS endpoints helps secure the ‘last mile’ of client web browsing and protects against devastating MITM attacks or packet snooping that can reveal which websites client devices are browsing.

An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.

Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats in a more proactive way. Instead of waiting for a malicious site to infect a machine and then using tools like antivirus to detect and remediate, Meraki MR customers can rest easy knowing that they are protected from ever reaching harmful sites in the first place.

Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.

To find out more, speak to a Meraki sales representative today.

Ensure you’re secure from VPNFilter

The newest blog post from the Cisco Talos intelligence team, one of the largest commercial threat intelligence teams in the world, highlights VPNFilter, the newest malware threat spreading across the Internet. This attack can lead to stolen website credentials, IoT device vulnerabilities, Internet connection cut-offs, and devices potentially rendered completely unusable.

At this point in time, no Meraki devices are known to be affected. Meraki and Talos are conducting ongoing investigations into this threat and its signatures. Meraki MX users who use the Advanced Security license have the capability to protect their network from security vulnerabilities such as VPNFilter.

MX Ensures Security

The Meraki MX makes it very easy to implement powerful Cisco security technologies like Snort and Advanced Malware Protection (AMP). In addition to AMP and Snort, Meraki MX allows for intuitive URL blocking, as well as Layer 3 firewall rules to ban nefarious IP addresses. These capabilities play an integral role in keeping networks safe from malware.

With Cisco Snort technologies enabled, the MX performs real-time traffic analysis and can generate alerts or take actions based on a constantly updated database of threat signatures. For example, Snort has already updated and pushed out rulesets to allow identification and prevention of VPNFilter malware for Meraki MX users who have IPS enabled. IPS rulesets are updated every 24 hours and pushed out to the MX, constantly keeping you safe from new threats. The Meraki cloud also delivers firmware, bug, and feature updates to the MX.

Example of Meraki MX blocking VPNFilter exploit with Intrusion Prevention

In addition to IDS/IPS, the MX’s integrated AMP technology can detect malware and block it from being downloaded on the network. AMP can also retroactively detect files that have been downloaded on the network that have malicious markers. VPNFilter is known to infect networks by downloading files to the network from specific URLs. Fortunately, Cisco AMP has already updated its malware database for file hashes associated with VPNFilter and pushed these updates over the cloud to Meraki MX users with AMP enabled. The Meraki MX is helping protect your network by delivering these technologies via the cloud directly to your doorstep.

Blocking Threats in 3 Steps with Meraki MX

As highlighted in the detailed post from Talos, action can be taken on a list of identified URLs, IP addresses, Snort signatures, and AMP file identifiers related to VPNFilter. All of these threats can be easily neutralized within the Meraki dashboard. To enable AMP, Snort, and URL blocking features on the MX, an Advanced Security license is required. The Layer 3 firewall rules are incorporated in both MX licenses (Enterprise License and the Advanced Security License).

Step 1 is the most important and takes only 15 seconds, while Steps 2 and 3 take less than one minute each. Being able to secure your network easily is the hallmark of Meraki MX.

1. Enabling AMP & Snort

Visit the Security appliance > Configure > Threat protection section. A few simple clicks allow you to enable AMP and set Snort IPS to ‘Prevention’ mode with the ‘Security’ ruleset.

2. URL Blocking

Go to Security appliance > Content filtering to block the URLs listed in the Cisco Talos blog post.

3. Blocking nefarious IP addresses

Under Security appliance > Firewall you have the ability to deny traffic to all known IP addresses associated with VPNFilter malware, as listed by Cisco Talos.
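Threat reports usually publish indicators in defanged form, so Steps 2 and 3 start with cleaning the list before anything is pasted into the dashboard. The following is an added example, not Meraki or Talos code: it turns a constructed indicator list into deduplicated URL block patterns and Layer 3 deny rules, and the rule field names are modeled on the Meraki Dashboard API's L3 firewall rule format, which is an assumption to verify against the current API documentation.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample indicators (documentation ranges and example domains only).
SAMPLE_INDICATORS = """
hxxp://bad.example[.]com/update/stage1.bin
203.0.113[.]45
203.0.113.45
198.51.100.0/24
c2.example[.]net
10.0.0.0/8
not an indicator
"""

def refang(text):
    """Undo common defanging (hxxp, [.], (.)) used in threat reports."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")

def classify(line, min_prefix=24):
    """Return ('ip', cidr) for IPv4, ('url', pattern), or None if unusable."""
    value = refang(line)
    try:
        net = ipaddress.ip_network(value, strict=False)
        # Refuse broad ranges so a typo cannot black-hole large networks.
        ok = net.version == 4 and net.prefixlen >= min_prefix
        return ("ip", str(net)) if ok else None
    except ValueError:
        pass  # not an address or CIDR; try it as a URL or bare domain
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    if not re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", host):
        return None
    return ("url", host + parts.path.rstrip("/"))

def build_block_lists(raw, comment="VPNFilter IoC"):
    """Deduplicate indicators into L3 deny rules and URL block patterns."""
    items = [i for i in map(classify, raw.splitlines()) if i]
    cidrs = list(dict.fromkeys(v for k, v in items if k == "ip"))
    patterns = list(dict.fromkeys(v for k, v in items if k == "url"))
    # Field names are an assumption (Dashboard API style), not from this page.
    rules = [{"comment": comment, "policy": "deny", "protocol": "any",
              "srcCidr": "Any", "srcPort": "Any", "destCidr": c,
              "destPort": "Any"} for c in cidrs]
    return rules, patterns
```

Entries the parser rejects, such as the `/8` range and the free-text line in the sample, should be reviewed by hand instead of being silently dropped from a real indicator list.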

For more detailed information on VPNFilter, please refer to this post from Cisco Talos. We will continue to monitor the threat landscape and work with our Talos team to provide you updates on VPNFilter and other security vulnerabilities as they develop. To learn more about the many capabilities of the Meraki MX, including SD-WAN and Security, visit the Meraki website or sign up for one of our webinars.