Posts Tagged ‘security’

Go Deep

With so many feature additions to Systems Manager, we have decided to create a recurring series of specialist webinars focusing on how to make the most of them. These specialist webinars will be scheduled regularly and cover two important feature sets available in Systems Manager, Sentry and Teacher’s Assistant. Listen to the podcast below to learn about all the features, functionality, and use cases that will be covered in these sessions.

Sentry

Systems Manager Sentry provides simple automatic security that is context aware. Sentry dramatically simplifies previously complex security configurations due to the native integration of Meraki networking products with Systems Manager MDM. In the Sentry-specific webinar, we will cover how Sentry works, highlight where it can be used, and go through live demonstrations of the individual features including:

Teacher’s Assistant

With Systems Manager Teacher’s Assistant, integrating technology such as iPads into your lesson plan becomes a cinch. Teachers remain in control, ensuring that students’ learning benefits from the inclusion of mobile devices, rather than them proving a classroom distraction. The Teacher’s Assistant specialist webinar covers examples of how mobile devices can be successfully used in education by looking at use cases, and providing a live demonstration of how to use features such as:

What are you waiting for?

With so many ways to use Systems Manager, the amount of choice can sometimes seem overwhelming. Shortcut the learning process and attend one of these specialist webinars for further guidance on how to make the most of Systems Manager. These webinars assume attendees have a basic understanding of Meraki Systems Manager by having attended an introductory webinar such as Introduction to Cloud-Based Mobile Device Management, or having used the product with a trial. Sign up today for a Sentry session or a Teacher’s Assistant session.

Sentry WiFi Security

In June we announced Systems Manager Sentry, a set of features which provide simple, automatic security that is context aware. It can do this due to the integration between the Meraki networking products and Systems Manager.

Sentry Wi-Fi security is a feature enabled on Meraki MR wireless networks with Systems Manager. It takes the typically complex Wi-Fi access control method, EAP-TLS, and simplifies it to a couple of clicks.

To understand the power of this feature let’s quickly review Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS). EAP is an authentication framework that is used for providing access to a network. As the extensible part of the EAP acronym implies, the framework can support multiple authentication methods, from basic passwords to more secure certificate-based authentication. Think of it as a cookbook for a cake. Depending on the ingredients in the recipe you end up with a different cake, but still a cake.

EAP with Transport Layer Security (TLS) is considered one of the most secure network authentication mechanisms (the tastiest cake recipe). This is because it uses certificates to authenticate both sides and secure the network connection using asymmetric cryptography. The problem with certificates, as an ingredient of this authentication mechanism, is that they are complex to set up and deploy.

There are two main reasons certificates can be complex to set up and deploy. The first is the infrastructure that is needed, something called a certificate authority. This issues the certificates and allows devices to check that a service is genuine. The second reason is that every client needs its own unique certificate. With a handful of clients this isn’t too much work, but with hundreds of thousands of clients this could be a daunting prospect. The tastiest cake results from a bake time of weeks or months, and looks less attractive as a result.

Sentry Wi-Fi security provides EAP-TLS for a Meraki MR wireless network while eliminating all the complexity. It can do this because of the certificate infrastructure that already exists for every Systems Manager customer. This eliminates the need to configure a certificate authority and distribute certificates to clients. A gourmet cake from an instant-bake ready-mix pack.

Make deploying EAP-TLS a piece of cake with Systems Manager Sentry. To find out more, listen to Paul Wolfe (Product Specialist for Systems Manager) and George Bentinck (Solutions Architect) discuss Sentry Wi-Fi security in the following podcast. Alternatively, attend one of our upcoming Systems Manager webinars, or if you already have Meraki MR access points, try Sentry out today by signing up for Systems Manager.

Launching Systems Manager Sentry

Simple. Secure. Sentry.

To allow IT to be capable of meeting the varied and often conflicting demands of users and security, we have developed Systems Manager Sentry. Sentry brings together the mass of data available in a Cisco Meraki IT infrastructure, to provide context aware automatic security. Hear more about the headline features in Sentry in the following podcast with June Odongo (Product Manager for Systems Manager) and George Bentinck (Solutions Architect).

Let’s for a minute stop to think about the importance of context. Imagine an iPhone that belongs to the VP of operations for a high street retailer. This VP of operations needs to check inventory levels on a company server to make sure they get their manufacturing orders placed on time.

One evening an iPhone accesses the server over a VPN and looks at the stock levels. 
Should anyone be concerned by this? The answer is you don’t know without context. Let’s look at the same situation again.

One evening the VP’s iPhone accesses the server over a VPN and looks at the stock levels. The iPhone is no longer in Paris where the VP lives, it is in Bulgaria and the time there is 3:39AM. 
With context can come automation, and with automation comes an agile, simple, and secure IT world. The IT team no longer needs to wait for a user to report that a lost or stolen device needs its sensitive information removed. Dynamic policies can inspect device specifics and, using the context available, such as the current owner of the device and its location, act automatically.
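To make the VP scenario above concrete, here is a small context-aware policy evaluator. It is an added example written for this page, not Sentry’s own logic: the device record, the policy, the VPN access events and the `quarantine` / `alert` / `allow` actions are all constructed for illustration. The one step it adds beyond the narrative is deriving the device-local time from the event’s UTC timestamp and the UTC offset reported with the location fix, which is what turns "an iPhone accessed the server" into "the VP’s iPhone accessed the server from Bulgaria at 3:39 AM".

```python
from datetime import datetime, timedelta, timezone

# Constructed device record: what an MDM already knows about the device.
DEVICE = {
    "name": "VP iPhone",
    "assigned_owner": "vp-ops",
    "home_country": "FR",
    "holds_sensitive_data": True,
}

# Constructed policy for the VPN profile on that device.
POLICY = {
    "allowed_countries": {"FR"},
    "work_hours": (7, 21),  # device-local hours during which VPN use is expected
}


def local_time(event):
    """Convert the event's UTC timestamp to the device's local time using the
    UTC offset that accompanied the location fix (constructed field)."""
    tz = timezone(timedelta(hours=event["utc_offset_hours"]))
    return event["timestamp_utc"].astimezone(tz)


def evaluate(device, policy, event):
    """Decide what to do with a VPN access event given device context.

    Returns (action, reasons). 'quarantine' stands for revoking the VPN
    profile, removing managed data and raising an alert; 'alert' only
    notifies; 'allow' lets the access proceed."""
    reasons = []
    if event["user"] != device["assigned_owner"]:
        reasons.append("user is not the device's assigned owner")
    if event["country"] not in policy["allowed_countries"]:
        reasons.append(f"device located in {event['country']}, "
                       f"home is {device['home_country']}")
    lt = local_time(event)
    start, end = policy["work_hours"]
    if not start <= lt.hour < end:
        reasons.append(f"access at {lt:%H:%M} local time, "
                       f"outside {start:02d}:00-{end:02d}:00")
    if not reasons:
        return "allow", reasons
    # Two independent anomalies on a device holding sensitive data is
    # enough to act without waiting for a human to notice.
    if device["holds_sensitive_data"] and len(reasons) >= 2:
        return "quarantine", reasons
    return "alert", reasons


# Constructed events matching the two versions of the story.
EVENING_IN_PARIS = {
    "user": "vp-ops", "country": "FR", "utc_offset_hours": 1,
    "timestamp_utc": datetime(2014, 11, 3, 19, 30, tzinfo=timezone.utc),
}
NIGHT_IN_BULGARIA = {
    "user": "vp-ops", "country": "BG", "utc_offset_hours": 2,
    "timestamp_utc": datetime(2014, 11, 4, 1, 39, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, ev in (("Paris", EVENING_IN_PARIS), ("Bulgaria", NIGHT_IN_BULGARIA)):
        action, why = evaluate(DEVICE, POLICY, ev)
        print(f"{name}: {action} {why}")
```

The thresholds are deliberately simple; the point is that every input to the decision (owner, country, local hour) is something the management platform already holds, so the decision can be taken the moment the event arrives rather than after a user phones in.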

In the past it was difficult to collect, store, and then find information, but today it is trivial to access data on almost anything; from the latest weather to the morning news, or your friend’s location to what restaurant to go to. The challenge now is taking this overwhelming wealth of data, and making sense of it all.

Sentry is unique in the EMM market for being a complete solution for enabling the secure dynamic network of the future. This gives the IT team time to work with the organisation on defining policies, instead of being tied up with configuration. Device on-boarding, settings assignment, application management, and network access are just some of the IT responsibilities that can be simplified, automated, and dynamically updated with Sentry.

Cisco Meraki Systems Manager is a best-in-class Enterprise Mobility Management (EMM) solution founded on Meraki’s pioneering cloud architecture. We understand the IT challenges faced by technology users in enterprises, education, or government based on our extensive experience of next generation cloud deployments.

Contact your Cisco Meraki representative today to find out how Systems Manager Sentry can provide automation to your IT world, and simplify your security. Alternatively sign up to a specialist Sentry webinar here or watch a recorded version of the webinar below.

Once is Enough

When configuring large distributed networks, small insignificant tasks become time consuming and laborious quite quickly. Meraki cloud managed networking products eliminate a lot of the complexity of this type of deployment with features such as configuration templates and AutoVPN. With configuration templates you are able to rapidly deploy hundreds or thousands of remote sites and connect them together with a VPN in a few clicks.

As we recently announced in our Quarterly update, there have been some enhancements to the features on the MX which allow further automation of multiple site deployments. It is now possible to add firewall rules to your configuration template that are dynamically generated to match the appropriate networks.

A recap on templates

A template is a configuration which can be applied to tens, hundreds, or thousands of MX Security appliances. Networks within a Meraki dashboard Organization can be bound to this template so that they inherit its settings, which only have to be configured once. If this configuration is no longer required they can be bound to a different template, or reverted to the configuration state they had before they were bound. This reduces monotonous administrative tasks and prevents human error.

One of the advantages of templates is that they can dynamically allocate subnets and IP addresses for each site. In some instances it may be desirable to have identical subnet and IP configurations at each site, but when this is not the case, unique configurations are required per site. Using templates, a network administrator can choose to have subnets and MX interface IPs created automatically, so there is no subnet duplication or IP overlap.

Making security easy

With many retailers taking advantage of Meraki’s solutions for their stores, PCI 3.0 security is an important concern. The Meraki MX’s built-in security features such as anti-malware and Intrusion Detection & Prevention (IDS/IPS) make it simple to deploy a robust security solution. However, there is still a need to configure relevant firewall settings to safeguard payment processing systems in a retail environment, or confidential business data in an enterprise.

The new firewall objects functionality in the Meraki dashboard allows network administrators to summarize detailed firewall configurations and replicate them to many sites with templates. This has a huge impact on the amount of work required: firewall rules are configured only once for the template, no matter how many remote sites you have. In an organization of 500 remote sites, with a simple firewall rule set of only 10 lines, that’s a saving of 490 lines of configuration, or 98% less work!

It’s all in the name

When configuring an MX template an administrator will create the VLANs and associated subnets that need to be replicated at each site. The key step in this process is assigning a name to this VLAN. This name is the object identifier that is referenced on the firewall page.

Now when configuring the firewall rules for the template, the name of the VLAN can be selected. This means that no matter what subnet is automatically generated for that site, the firewall rule will reflect the subnet correctly. For example, in the screenshots below, ‘home’ and ‘corp’ are referenced as aliases for the actual subnet at that site.

If the firewall rule needs to be specific to a particular host within the subnet, the ‘Add host bits’ button allows you to define a specific host for the site at which this rule applies. Again this is exceptionally useful in retail environments, where it is common for devices to have specific host addresses. A good example of this is that every cash register on every site could have addresses .5, .6, & .7.
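The three steps above (name the VLAN, reference the name in a rule, optionally add host bits) amount to a template that is rendered once per site. The following is an added example of that rendering, written for this page rather than taken from the Meraki dashboard: the site subnet allocations, the rule format and the `host_bits` field are constructed stand-ins for what the dashboard generates and stores. It shows the same two template rules turning into different concrete CIDRs at each site, and rejects host bits that fall outside the usable range of the site’s subnet.

```python
import ipaddress

# Constructed per-site VLAN allocations, standing in for the unique subnets
# the dashboard generates automatically when a site is bound to a template.
SITE_VLANS = {
    "store-001": {"corp": "10.1.10.0/24", "pos": "10.1.20.0/24"},
    "store-002": {"corp": "10.2.10.0/24", "pos": "10.2.20.0/24"},
}

# Template rules reference VLAN names, never addresses. "host_bits" mirrors
# the 'Add host bits' control: a fixed host offset inside the named subnet.
TEMPLATE_RULES = [
    {"policy": "allow", "proto": "tcp", "src": {"vlan": "corp"},
     "dst": {"vlan": "pos", "host_bits": 5}, "dport": "443",
     "comment": "corp workstations to register .5"},
    {"policy": "deny", "proto": "any", "src": {"vlan": "pos"},
     "dst": {"vlan": "corp"}, "dport": "any",
     "comment": "registers never initiate connections to corp"},
]


def resolve_object(obj, vlans):
    """Turn a {vlan, host_bits} object into a concrete CIDR for one site."""
    net = ipaddress.ip_network(vlans[obj["vlan"]])
    bits = obj.get("host_bits")
    if bits is None:
        return str(net)                       # whole subnet
    host = net.network_address + bits
    # Reject offsets that are not a usable host in this site's subnet.
    if host not in net or host in (net.network_address, net.broadcast_address):
        raise ValueError(f"host bits {bits} fall outside usable range of {net}")
    return f"{host}/{net.max_prefixlen}"      # single host, /32 for IPv4


def render_site(site, vlans, rules=TEMPLATE_RULES):
    """Expand the template rules into the concrete rule set for one site."""
    return [{
        "policy": r["policy"], "proto": r["proto"],
        "src": resolve_object(r["src"], vlans),
        "dst": resolve_object(r["dst"], vlans),
        "dport": r["dport"], "comment": r["comment"],
    } for r in rules]


def render_all(site_vlans=SITE_VLANS, rules=TEMPLATE_RULES):
    """Rules are written once; every bound site gets its own rendering."""
    return {site: render_site(site, vlans, rules)
            for site, vlans in site_vlans.items()}


if __name__ == "__main__":
    for site, rules in render_all().items():
        print(site)
        for r in rules:
            print(f"  {r['policy']:5} {r['proto']:4} {r['src']} -> "
                  f"{r['dst']} port {r['dport']}  # {r['comment']}")
```

Because the rules only ever name `corp` and `pos`, changing a site’s subnet (or adding a site) never requires touching the rule set, which is the property that keeps a large retail estate’s firewall policy consistent.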

Talking Templates

Extensible Firewall Templates are a flexible and easy to use feature for configuring your Meraki networks. From corporate branch sites, to retail outlets and large scale teleworking using the Meraki Z1, templates improve the operational efficiency of the network administrator and allow lean IT teams to respond quickly to business needs on tight deadlines.

You wished, we granted: new K-12 features for the MX!

If you manage a K-12 network, keeping kids from unsafe sites may be the most important responsibility you’re tasked with.  Kids are curious, and stumbling into seedy digital alleyways is easy to do.  If you’ve ever wished you could barricade the Internet’s underbelly from creeping into your users’ online experience, or if you’ve ever wished for granular control over users, devices, and applications at the perimeter level, we’ve been listening.  We’re excited to announce several new features for the MX security appliance targeted at the K-12 space.  They include:

  • Improved content filtering, including SafeSearch (Google, Yahoo!, and Bing)

  • The ability to block encrypted search

  • YouTube for Schools

  • Group-based policy support

  • Web caching

In a nutshell: these features protect your network from unsafe content and bandwidth abuse.

Content filtering

We’ve made several improvements to the MX series to strengthen content filtering. Appliances will now utilize real-time URL lookups with our content filtering partners in the event that a URL isn’t in the local database. This allows us to provide a significantly larger universe of content aware URLs while still providing fast filtering throughput.

Additionally, the MX series now offers SafeSearch filtering, which keeps unsafe content at bay.  Simply enable “Web search filtering” in the Configure > Content filtering dashboard page, and immediately a SafeSearch filter will be applied to all Google, Yahoo!, and Bing HTTP-based searches.  This beats manually configuring these browsers to filter unsafe content.

Enabling safe search filtering on the MX.

Blocking encrypted search

“Now, wait!” you say, “that’s all well and good, but kids can be crafty, too — what if they use encrypted search to deliberately look for unsafe content?”  We’ve got you covered: you can enable “Block encrypted search” to disallow this behavior for Google searches (Yahoo! and Bing don’t support encrypted search at this time). Note, though, that due to Google limitations, this will disable access to Google products using SSL, except Gmail.

SafeSearch filtering can also be used alongside Meraki’s regular content filtering to powerfully restrict unsafe material from manifesting in search results or being generally accessible.
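To show what the two switches above actually do to a request, here is an added model of them, written for this page and not the MX’s own implementation. It assumes the usual way an in-path filter forces safe mode: rewriting the query string of plain-HTTP search requests to carry the engine’s own safe-search parameter. The parameter names (`safe=active` for Google, `adlt=strict` for Bing, `vm=r` for Yahoo!) and the domain list are assumptions about the engines’ public interfaces, not values from this page. The second function models “Block encrypted search”: HTTPS to Google domains is dropped, since an encrypted request cannot be rewritten, with Gmail excepted as the page describes.

```python
from urllib.parse import urlparse, urlunparse, parse_qs, urlencode

# Assumed engine safe-mode parameters (not from the page; see lead-in).
SAFE_PARAMS = {
    "google": ("safe", "active"),
    "bing": ("adlt", "strict"),
    "yahoo": ("vm", "r"),
}
# Assumed engine domains; a production filter would carry the full list.
ENGINE_DOMAINS = {
    "google": ("google.com",),
    "bing": ("bing.com",),
    "yahoo": ("search.yahoo.com",),
}
GMAIL_HOST = "mail.google.com"


def engine_for(host):
    """Map a hostname to a search engine, or None if it is not one."""
    host = (host or "").lower()
    for engine, domains in ENGINE_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return engine
    return None


def enforce_safesearch(url):
    """Rewrite an HTTP search URL so the engine's safe mode is forced on.

    Non-search URLs pass unchanged, as do HTTPS URLs: a filter in the
    path cannot see or edit an encrypted query string."""
    parts = urlparse(url)
    engine = engine_for(parts.hostname)
    if parts.scheme != "http" or engine is None or not parts.query:
        return url
    key, value = SAFE_PARAMS[engine]
    params = parse_qs(parts.query, keep_blank_values=True)
    params[key] = [value]  # overrides any safe=off the user supplied
    return urlunparse(parts._replace(query=urlencode(params, doseq=True)))


def blocks_encrypted_search(url, block_encrypted=True):
    """Model of 'Block encrypted search': HTTPS to Google domains is
    refused so searches cannot sidestep the rewrite, except Gmail."""
    parts = urlparse(url)
    if not block_encrypted or parts.scheme != "https":
        return False
    return engine_for(parts.hostname) == "google" and parts.hostname != GMAIL_HOST


if __name__ == "__main__":
    for u in ("http://www.google.com/search?safe=off&q=kittens",
              "http://www.bing.com/search?q=kittens",
              "https://www.google.com/search?q=kittens",
              "https://mail.google.com/mail/"):
        print(u, "->", enforce_safesearch(u),
              "| blocked" if blocks_encrypted_search(u) else "| allowed")
```

The HTTPS case is the reason the second switch exists: the rewrite only works on traffic the appliance can read, so the encrypted path has to be closed or the filter is trivially bypassed.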

YouTube for Schools

YouTube has become an increasingly important component of education, with thousands of free, high-quality education videos available on the site. The YouTube for Schools program allows students to watch educational videos while limiting access to other, non-educational videos on the site. With the MX, administrators can now enforce that policy for an entire network, ensuring that requests to YouTube are routed properly into the school’s YouTube policy.

Group-based security policies

The MX series now gives administrators greater control over users, devices, and applications.  You can configure bandwidth limits, firewall rules, traffic shaping, SafeSearch and YouTube for Schools settings, and security and content filters for specific users, user groups, and VLANs.  This allows you to translate the deep insight about the type of traffic and devices accessing your network into granular control at the perimeter level.  For example, now you could have separate policies applied by the MX that give teachers one level of security and content filtering, while ensuring students are more restricted.

Group-based policies can be applied to users, groups of users, individual VLANs, and network-wide.

Web caching

Organizations typically have several people accessing the same sites in a given time frame, and schools in particular can have entire classrooms using one web page or watching the same video. The MX series now allows administrators to cut down on their bandwidth bills and speed up the download experience with built-in web caching.  Web caching allows frequently accessed web content to be served from the MX appliance, rather than the originating web server.

Available now

Current MX customers can schedule an immediate upgrade by calling Meraki support. We’re excited to offer these new features on the MX, so please tell us what you think!

If you’re interested in trying out an MX at your organization, we offer risk-free evaluations of all of our gear — and we’ll pay the shipping costs both ways — so it’s easy to see how well an MX can work in your environment.

Detect rogue DHCP servers with Meraki switches

It’s never fun when your network suddenly stops working, especially when the problem turns out to be more subtle than those configuration changes you just saved.  Even worse: your network seems to be smoothly humming along, but you’ve been compromised unknowingly. What could cause such catastrophic behavior?  Rogue DHCP servers on your network.

DHCP is one of those Layer 2 protocols you never notice until it crashes or misbehaves.  But, while DHCP may often be treated like the proverbial ugly stepchild, neglecting DHCP security comes with significant risk.  After all, DHCP provides clients connecting to your network with IP addresses and configuration parameters such as subnet mask, default gateway, and DNS server information.

If these parameters become corrupted, the smooth flow of network traffic can abruptly halt.  Worse, if a setting such as the default gateway is maliciously defined, network security is immediately jeopardized but you may not immediately notice.  This makes detecting rogue DHCP servers paramount, especially given the ease with which they can be deployed.

Meraki’s switches operate at the same TCP/IP layer as the DHCP protocol and record which devices are sending DHCP server traffic.  You can easily see if a non-authorized device is replying to DHCP requests from connecting clients.

View a list of all network devices replying to DHCP requests for the last month.

The image above shows that a device named Godzilla is replying to DHCP requests made by several clients on Meraki’s network.  You can see Godzilla’s MAC address, as well as the VLANs and subnets it is servicing DHCP requests for.  To get a more detailed view of any particular reply, you can click view packet:

View individual replies to client DHCP requests and learn what IP parameters may be corrupted.

This view provides the details of a DHCP server reply, including the IP address being offered to the connecting client and additional parameters such as lease time, subnet mask, default gateway, and DNS server information.
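What the switch is recording here is the set of devices that send DHCP server replies, and what those replies contain. The following is an added example, written for this page and not Meraki’s switch code, of that check done over raw DHCP payloads: it decodes the BOOTP header and the options that matter (message type, subnet mask, router, DNS, lease time, server identifier), keeps only server replies (OFFER/ACK/NAK), and flags any reply whose source MAC is not on an allow-list. The two frames and the MAC addresses are constructed; “Godzilla” is the unauthorised box handing out itself as default gateway and DNS, which is exactly the case the post warns about.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}

# Constructed allow-list: the only device that should answer DHCP on this LAN.
AUTHORIZED_SERVERS = {"00:18:0a:11:22:33"}


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return ipaddress.ip_address(ip).packed


def build_reply(msg_type, server_mac, server_ip, client_mac, offered_ip,
                subnet_mask, router, dns, lease_secs):
    """Construct a BOOTREPLY (op=2) as a DHCP server would send it.

    Returns (source MAC, DHCP payload): a switch sees the Ethernet source
    address as well as the UDP payload. Constructed test data, not a capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0,                      # op htype hlen hops xid secs flags
        b"\0" * 4, ip_bytes(offered_ip), ip_bytes(server_ip), b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr sname file
    options = (bytes([53, 1, msg_type])
               + bytes([1, 4]) + ip_bytes(subnet_mask)
               + bytes([3, 4]) + ip_bytes(router)
               + bytes([6, 4]) + ip_bytes(dns)
               + bytes([51, 4]) + struct.pack("!I", lease_secs)
               + bytes([54, 4]) + ip_bytes(server_ip)
               + bytes([255]))
    return server_mac, header + MAGIC_COOKIE + options


def parse_reply(src_mac, payload):
    """Decode a DHCP payload; return None unless it is a server reply."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, hlen = payload[0], payload[2]
    if op != 2:                          # BOOTREPLY: only servers send this
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                    # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):        # truncated option, stop cleanly
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    if msg_type not in SERVER_REPLIES:
        return None

    def ip(raw):
        return str(ipaddress.ip_address(raw)) if raw else None

    return {
        "server_mac": src_mac,
        "server_ip": ip(opts.get(54)),
        "type": msg_type,
        "client_mac": mac_str(payload[28:28 + hlen]),
        "offered_ip": str(ipaddress.ip_address(payload[16:20])),
        "subnet_mask": ip(opts.get(1)),
        "router": ip(opts.get(3)),
        "dns": ip(opts.get(6)),
        "lease_secs": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def audit(frames, authorized=AUTHORIZED_SERVERS):
    """Return decoded server replies sent by devices not on the allow-list."""
    rogue = []
    for src_mac, payload in frames:
        reply = parse_reply(src_mac, payload)
        if reply and src_mac not in authorized:
            rogue.append(reply)
    return rogue


# Constructed traffic: the real server plus "Godzilla", which also answers.
SAMPLE_FRAMES = [
    build_reply(2, "00:18:0a:11:22:33", "192.168.10.1", "3c:07:54:aa:bb:01",
                "192.168.10.50", "255.255.255.0", "192.168.10.1", "192.168.10.1", 86400),
    build_reply(2, "00:1c:42:de:ad:01", "192.168.10.250", "3c:07:54:aa:bb:01",
                "192.168.10.77", "255.255.255.0", "192.168.10.250", "192.168.10.250", 600),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FRAMES):
        print(f"rogue DHCP {r['type']} from {r['server_mac']} ({r['server_ip']}) "
              f"offering {r['offered_ip']} gateway={r['router']} dns={r['dns']}")
```

The decoded router and DNS fields are what to look at first: a rogue that hands out itself as default gateway and resolver is positioned to see or redirect every client it leases to, even though the clients keep working and nothing obvious breaks.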

If Godzilla were not an authorized DHCP server, we could easily contain it.  Simply search for Godzilla’s MAC address in the Monitor > Clients page to determine which switch and port it is connected to.  Click into the connected switch and drill down to the individual port.

Port-level view of Godzilla, giving more details about the device.

Click “Edit configuration” and disable the port servicing Godzilla.  This immediately disconnects the device from your LAN.

Port configuration settings allow you to disable a port and make several other useful changes

Detecting and disabling a rogue DHCP server is as simple as that.  With the immediate threat contained, you can now track down the physical location of the rogue device.  Re-enabling the port is as simple as repeating the steps above and selecting “enabled” in the port configuration menu.

Recent updates have made this DHCP server visibility possible at the switch level, so stay tuned for more posts detailing new features!

Leave the bug spray to us

Cisco recently issued a security advisory about several serious vulnerabilities for its wireless LAN controllers, including DoS, privilege escalation, and ACL bypass vulnerabilities. These vulnerabilities could allow attackers to modify your controller’s configuration or bypass your ACLs—so if it were my network, I’d certainly want a fix.

Cisco issued software updates, but they’re no quick-snap remedy. Here’s what I’d need to do before I could download the new release:

  1. Follow Cisco’s instructions on the command-line to determine which software version is running on my controller.
  2. Verify if my software version is an affected release. If it is, confirm which versions are “fixed” and note the “recommended release.”
  3. Download and install the patch.

A few of the steps for determining patch compatibility from cisco.com

The real kicker is what I’m signing up for when I actually install the patches.  From Cisco’s advisory:

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release…  Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

We don’t mean to pick on Cisco here, and we certainly aren’t implying that one vendor’s products are more secure than another’s.  With any complex system, bugs and security patches will happen.  But the customer experience of dealing with these patches for traditional, behind-the-firewall appliances like wireless controllers is a royal pain. At best, they result in headaches, downtime, and frustration.  At worst, administrators miss patches altogether, and their systems are vulnerable.  Fortunately, The Cloud points to a better way.

The Cloud Controller, like other cloud applications such as Gmail and Salesforce.com, is always up to date.  We push out new features, bug fixes, performance improvements, etc. several times a day.  This is completely invisible to the customer, save for new features appearing from time to time.  (How we do this, and maintain quality, is pretty interesting, but we’ll save that for another post.)

But what about the firmware running on our APs?  They aren’t in the cloud…  Are they resigned to the fate of traditional patch management?

Fortunately, an AP that can be managed from the cloud can also be upgraded from the cloud, seamlessly and automatically.  Our Cloud Controller knows with certainty that all of the Meraki access points deployed around the world are up to date, with the latest features, fixes, and yes, security patches.

Since we can install firmware seamlessly, over the web, we’ve been able to release new firmware every three months or so, continually delivering new features to our customers. We just did one, in fact – with firmware support for application-aware traffic shaping.

Here’s what our customers saw in their dashboard before the update:

Firmware Upgrade Notification in the Meraki Dashboard

Customers can let the upgrade happen on its own, schedule it when they want it, or click “Upgrade Now” to get it right away. It’s worth noting that the upgrade process was engineered to be completely fault tolerant.  Say, for example, you lose power in the middle of a firmware update.  No problem, the AP will boot up with its previous firmware once power is restored.  This technology has let us do quarterly upgrades for four years straight and keep customers happy.

We’re excited about how this system has not only eliminated headaches for our customers, but has also enabled us to innovate much faster.  We hope to see this architecture spread to other types of infrastructure, so patch management nightmares some day become a thing of the past.