The newest blog post from the Cisco Talos intelligence team, one of the largest commercial threat intelligence teams in the world, highlights VPNFilter, the newest malware threat spreading across the Internet. This attack can lead to stolen website credentials, IoT device vulnerabilities, Internet connection cut-offs, and devices potentially rendered completely unusable.
At this point in time, no Meraki devices are known to be affected. Meraki and Talos are conducting ongoing investigations into this threat and its signatures. Meraki MX users who use the Advanced Security license have the capability to protect their network from security vulnerabilities such as VPNFilter.
MX Ensures Security
The Meraki MX makes it very easy to implement powerful Cisco security technologies like Snort and Advanced Malware Protection (AMP). In addition to AMP and Snort, Meraki MX allows for intuitive URL blocking, as well as Layer 3 firewall rules to ban nefarious IP addresses. These capabilities play an integral role in keeping networks safe from malware.
With Cisco Snort technologies enabled, the MX performs real-time traffic analysis and can generate alerts or take actions based on a constantly updated database of threat signatures. For example, Snort has already updated and pushed out rulesets to allow identification and prevention of VPNFilter malware for Meraki MX users who have IPS enabled. IPS rulesets are updated every 24 hours and pushed out to the MX, constantly keeping you safe from new threats. The Meraki cloud also delivers firmware, bug, and feature updates to the MX.
Example of Meraki MX blocking VPNFilter exploit with Intrusion Prevention
In addition to IDS/IPS, the MX’s integrated AMP technology can detect malware and block it from being downloaded on the network. AMP can also retroactively detect files that have been downloaded on the network that have malicious markers. VPNFilter is known to infect networks by downloading files to the network from specific URLs. Fortunately, Cisco AMP has already updated its malware database for file hashes associated with VPNFilter and pushed these updates over the cloud to Meraki MX users with AMP enabled. The Meraki MX is helping protect your network by delivering these technologies via the cloud directly to your doorstep.
Blocking Threats in 3 Steps with Meraki MX
As highlighted in the detailed post from Talos, action can be taken on a list of identified URLs, IP addresses, Snort signatures, and AMP file identifiers related to VPNFilter. All of these threats can be easily neutralized within the Meraki dashboard. To enable AMP, Snort, and URL blocking features on the MX, an Advanced Security license is required. The Layer 3 firewall rules are incorporated in both MX licenses (Enterprise License and the Advanced Security License).
Following Step 1 is most important, and only takes 15 seconds, while Steps 2 & 3 take less than one minute each. Being able to secure your network easily is the hallmark of Meraki MX.
1. Enabling AMP & Snort
Visit the Security appliance > Configure > Threat protection section. A few simple clicks allow you to enable AMP and set Snort IPS to ‘Prevention’ mode with the ‘Security’ ruleset.
2. URL Blocking
Go to Security appliance > Content filtering to block the URLs listed in the Cisco Talos blog post.
3. Blocking nefarious IP addresses
Under Security appliance > Firewall you have the ability to deny traffic to all known IP addresses associated with VPNFilter malware, as listed by Cisco Talos.
For more detailed information on VPNFilter, please refer to this post from Cisco Talos. We will continue to monitor the threat landscape and work with our Talos team to provide you updates on VPNFilter and other security vulnerabilities as they develop. To learn more about the many capabilities of the Meraki MX, including SD-WAN and Security, visit the Meraki website or sign up for one of our webinars.