
Exploring Snort


Introduction

The internet can be a dangerous place, with malware, ransomware, worms and botnets to name just a few threats. How can you keep your organization and its data safe? The Meraki MX leverages industry-leading security technologies and puts them in the hands of users, network operators and partners, while making them easy to enable.

In this blog post, we will explore one of the security technologies that Meraki utilizes to help keep users safe, namely Snort, an open-source network intrusion detection and intrusion prevention system (IDS/IPS).

What exactly is IDS/IPS?

Before we talk about why we think Snort is great, we first need to talk about what an IDS/IPS is.  

IDS/IPS systems are devices or software that monitor networks or computers to detect malicious or anomalous behaviour. An IDS simply alerts the network or system operators to malicious or anomalous behaviour, whereas an IPS will also actively block it inline.

To provide an analogy, think of a firewall as a door securing access in and out of a controlled area.  The IDS is akin to a security camera pointing at the door, whereas an IPS is a security camera with frickin’ lasers!


Why is Snort #1 in the industry?

For a start, Snort, under the guise of Cisco, has consistently been in the upper right-hand corner of Gartner’s Magic Quadrant for IPS for many years. Fundamentally, Snort is the #1 IPS in the world because it is the most widely deployed, with over 4 million downloads of the open-source variant alone. That doesn’t even take into account the variants running on Cisco Firepower firewalls, Cisco ASA with Firepower Services firewalls, and Cisco Meraki MX security appliances.

The open source nature of Snort’s development provides the following benefits:

  • Rapid response – Cisco Talos is constantly (24x7x365) updating the rulesets that Snort uses, meaning organizations that leverage Snort are quickly protected from emerging threats.
  • Greater accuracy – The rulesets running on Snort are reviewed, tested, and improved upon by the community of users, which means organizations using Snort are leveraging the knowledge of security teams worldwide.
  • High adaptability – The open source nature of Snort means that companies and organizations can build the power of Snort directly into their own applications.

Snort isn’t a silver bullet on its own, but no security technology is. That is why at Meraki we expose the threat information identified by Snort and other technologies in a single pane of glass, enabling network defenders to quickly and easily understand whether a threat is targeted (and hence serious) or part of the background noise of the internet.

That single pane of glass is the Meraki Security Center, and it allows network defenders to see all threat data in a given network for 30 days and, in three or four clicks, lock in on a potential issue whilst cutting through the noise.

Talos?

In its own words, Cisco Talos is the industry-leading threat intelligence group fighting the good fight!  They are a team of exceptionally talented women and men who peer into the dark corners of the internet to protect your organization’s people, infrastructure and data.  Their researchers, data scientists and engineers deliver protection against attacks and malware that underpins the entire Cisco security ecosystem, Meraki included.

If you would like to learn more about Cisco Talos, then we recommend subscribing to the ‘Beers with Talos’ podcast and listening to Mitch, Craig, Joel, Matt & Nigel break down the latest threats and trends. With the exception of Nigel (who does support the best football team in the world, so he gets a pass), the Beers with Talos team runs Meraki MX Security Appliances in their home networks!

Conclusion

The implementation of Snort on Meraki’s MX security appliances typifies Meraki’s philosophy; we take an industry leading, best-in-class technology and we make it simple to enable and configure.  All while making the data you get from it both easy to understand and to act on.

If you think your organization could benefit from the power and simplicity of Snort in the Meraki MX Security Appliance, contact Meraki sales today.


Ensure you’re secure from VPNFilter

The newest blog post from the Cisco Talos intelligence team, one of the largest commercial threat intelligence teams in the world, highlights VPNFilter, the newest malware threat spreading across the Internet. This malware targets routers and network-attached storage devices and can lead to stolen website credentials, tampering with traffic passing through the infected device, Internet connection cut-offs, and devices potentially rendered completely unusable.

At this point in time, no Meraki devices are known to be affected. Meraki and Talos are conducting ongoing investigations into this threat and its signatures. Meraki MX users with the Advanced Security license have the capability to protect their network from threats such as VPNFilter.

MX Ensures Security

The Meraki MX makes it very easy to implement powerful Cisco security technologies like Snort and Advanced Malware Protection (AMP). In addition to AMP and Snort, Meraki MX allows for intuitive URL blocking, as well as Layer 3 firewall rules to ban nefarious IP addresses. These capabilities play an integral role in keeping networks safe from malware.

With Cisco Snort technologies enabled, the MX performs real-time traffic analysis and can generate alerts or take actions based on a constantly updated database of threat signatures. For example, Talos has already published Snort rulesets that identify and prevent VPNFilter activity, and these have been pushed out to Meraki MX users who have IPS enabled. IPS rulesets are updated every 24 hours and pushed out to the MX, constantly keeping you protected against new threats. The Meraki cloud also delivers firmware, bug, and feature updates to the MX.

Example of Meraki MX blocking VPNFilter exploit with Intrusion Prevention

In addition to IDS/IPS, the MX’s integrated AMP technology can detect malware and block it from being downloaded on the network. AMP can also retroactively detect files that have been downloaded on the network that have malicious markers. VPNFilter is known to infect networks by downloading files to the network from specific URLs. Fortunately, Cisco AMP has already updated its malware database for file hashes associated with VPNFilter and pushed these updates over the cloud to Meraki MX users with AMP enabled. The Meraki MX is helping protect your network by delivering these technologies via the cloud directly to your doorstep.

Blocking Threats in 3 Steps with Meraki MX

As highlighted in the detailed post from Talos, action can be taken on a list of identified URLs, IP addresses, Snort signatures, and AMP file identifiers related to VPNFilter. All of these threats can be easily neutralized within the Meraki dashboard. To enable AMP, Snort, and URL blocking features on the MX, an Advanced Security license is required. The Layer 3 firewall rules are incorporated in both MX licenses (Enterprise License and the Advanced Security License).

Step 1 is the most important and only takes about 15 seconds; Steps 2 and 3 take less than one minute each. Being able to secure your network this easily is the hallmark of the Meraki MX.

1. Enabling AMP & Snort

Visit the Security appliance > Configure > Threat protection section. A few simple clicks allow you to enable AMP and set Snort IPS to ‘Prevention’ mode with the ‘Security’ ruleset.

2. URL Blocking

Go to Security appliance > Content filtering to block the URLs listed in the Cisco Talos blog post.

3. Blocking nefarious IP addresses

Under Security appliance > Firewall you have the ability to deny traffic to all known IP addresses associated with VPNFilter malware, as listed by Cisco Talos.
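The three steps above can also be applied programmatically through the Meraki Dashboard API, which matters when you have many networks to cover. The following is an added example written for this page, not Meraki’s own tooling. It assumes the Dashboard API v1 endpoints and field names for intrusion, malware, content filtering and Layer 3 firewall settings as documented at the time of writing (check the current API reference before relying on them), and that the GET for L3 rules returns a trailing read-only "Default rule" which must not be sent back in the PUT. The IP addresses and URL patterns in it are placeholders (RFC 5737 test addresses and .invalid hostnames), not the VPNFilter indicators Talos published; substitute the real list from the Talos post. Two caveats a practitioner would want are built in: the content-filtering and firewall PUTs replace the whole list, so existing entries are fetched and merged rather than overwritten, and deny rules are placed at the top because L3 rules are evaluated top-down and end in an allow.

```python
"""Apply the three VPNFilter blocking steps via the Meraki Dashboard API.

Example code for this page, not Meraki's own tooling.  Endpoint paths and
field names are assumed from Dashboard API v1; verify against the current
API reference.  Indicators below are placeholders, NOT the real Talos IOCs.
"""
import json
import os
import urllib.request

BASE = "https://api.meraki.com/api/v1"

# Placeholder indicators (TEST-NET addresses / .invalid hosts) -- replace
# with the list published by Cisco Talos.
PLACEHOLDER_IPS = ["192.0.2.10", "198.51.100.23"]
PLACEHOLDER_URLS = ["c2.example.invalid", "stage2.example.invalid/update"]


def intrusion_settings():
    """Step 1a: Snort IPS in Prevention mode with the Security ruleset."""
    return {"mode": "prevention", "idsRulesets": "security"}


def malware_settings():
    """Step 1b: AMP enabled."""
    return {"mode": "enabled"}


def merge_blocked_urls(existing, new):
    """Step 2: a PUT replaces blockedUrlPatterns wholesale, so merge the new
    patterns into what is already configured instead of clobbering it."""
    merged = list(existing)
    for pattern in new:
        if pattern not in merged:
            merged.append(pattern)
    return merged


def deny_rule(ip):
    """One L3 rule denying all outbound traffic to a single indicator host."""
    return {
        "comment": "VPNFilter indicator (Talos)",
        "policy": "deny",
        "protocol": "any",
        "srcCidr": "Any",
        "srcPort": "Any",
        "destCidr": f"{ip}/32",
        "destPort": "Any",
        "syslogEnabled": True,
    }


def build_l3_rules(existing_rules, ips):
    """Step 3: rules are evaluated top-down and end in an allow, so new denies
    go first, the operator's existing rules follow, the read-only default rule
    returned by GET is dropped (assumed comment "Default rule"), and hosts that
    are already denied are not duplicated."""
    existing = [r for r in existing_rules if r.get("comment") != "Default rule"]
    covered = {r["destCidr"] for r in existing if r.get("policy") == "deny"}
    new = [deny_rule(ip) for ip in ips if f"{ip}/32" not in covered]
    return new + existing


def _call(method, path, api_key, body=None):
    """Minimal JSON client for the Dashboard API (no third-party dependency)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("X-Cisco-Meraki-API-Key", api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def apply_all(network_id, api_key, ips=PLACEHOLDER_IPS, urls=PLACEHOLDER_URLS):
    """Run steps 1-3 against one network (this is the only function that
    touches the network; the builders above are pure and testable offline)."""
    base = f"/networks/{network_id}/appliance"
    _call("PUT", f"{base}/security/intrusion", api_key, intrusion_settings())
    _call("PUT", f"{base}/security/malware", api_key, malware_settings())
    cf = _call("GET", f"{base}/contentFiltering", api_key)
    blocked = merge_blocked_urls(cf.get("blockedUrlPatterns", []), urls)
    _call("PUT", f"{base}/contentFiltering", api_key, {"blockedUrlPatterns": blocked})
    l3 = _call("GET", f"{base}/firewall/l3FirewallRules", api_key)
    rules = build_l3_rules(l3.get("rules", []), ips)
    _call("PUT", f"{base}/firewall/l3FirewallRules", api_key, {"rules": rules})


if __name__ == "__main__":
    apply_all(os.environ["MERAKI_NETWORK_ID"], os.environ["MERAKI_API_KEY"])
```

Run it with `MERAKI_API_KEY` and `MERAKI_NETWORK_ID` in the environment. The API key is an organization-wide credential, so keep it in a secrets store rather than in the script, and run the GET-then-PUT pairs from one place at a time: two operators merging rule lists concurrently will still overwrite each other.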

For more detailed information on VPNFilter, please refer to this post from Cisco Talos. We will continue to monitor the threat landscape and work with our Talos team to provide you updates on VPNFilter and other security vulnerabilities as they develop. To learn more about the many capabilities of the Meraki MX, including SD-WAN and Security, visit the Meraki website or sign up for one of our webinars.