Cloud-Managed Security for Distributed Networks with Cisco Meraki MX
Joe Aronow, Product Architect

Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#
About the Cisco Meraki MX
Simplifying IT with cloud management
A complete cloud managed IT solution: wireless, switching, security, SD-WAN, communications, EMM, and security cameras. Integrated hardware, software, and cloud services.
Leader in cloud managed IT: among Cisco's fastest growing portfolios, over 140,000 unique customers, over 2 million Meraki network devices online.

The Meraki full stack: MR wireless, MX security and WAN, MS switching, Systems Manager EMM, MC IP telephony, MV security cameras. A complete cloud managed IT portfolio with single pane of glass management.
A complete connectivity and threat management solution
Security: next generation firewall, AES encrypted VPN, intrusion prevention (IPS), malware protection, Geo-IP firewalling
Networking: 3G/4G failover, branch routing, WAN balancing and failover, high availability, intelligent path control
Application control: bandwidth shaping, URL content filtering, quality of service control

Why customers choose the Cisco Meraki MX
Powerful security that's easy to implement: robust suite of Cisco security technologies, intuitive GUI-based configuration, seamless updates from the cloud
Exceptional scalability: zero-touch provisioning with cloud brokered VPN, easy centralized management with built-in remote troubleshooting tools, multi-location configuration templates
Industry-leading visibility: fingerprints users, applications, devices, and threats; monitor one location or an entire deployment; unified monitoring and reporting with other Cisco Meraki technologies

Ironclad security
Next generation firewall: application aware firewalling
Intrusion prevention (IPS): based on Cisco Snort
URL content filtering: over 80 categories and over 4 billion categorized URLs
Geo-based security: allow or block traffic by country
Malware protection: Cisco AMP and Threat Grid
Automatic updates: software and security updates delivered from the cloud
PCI compliance: PCI 3.2 certified cloud management backend
Backed by Cisco Talos threat intelligence
Internet-wide scanning; 1.5 million malware samples/day; 600 billion email messages/day; 16 billion web requests/day; over 250 full time threat researchers; millions of telemetry agents; 4 global data centers; telemetry; honeypots; over 100 threat intelligence partners; internal vulnerability discovery; open source communities; over 1100 threat traps

Reliable, cost effective connectivity with Meraki SD-WAN
Dual uplink ports: 2 uplink support on all MX models for load balancing and redundancy
LTE failover: USB modem support in all models with automatic failover
Site to site VPN: cloud orchestrated VPN (Meraki Auto VPN) with load balancing and self-healing capabilities
Intelligent path control: policy based routing and performance based dynamic path selection
Branch routing: automatic route distribution via Auto VPN; OSPF route advertisement; BGP support coming soon
High availability: active/passive hardware redundancy
Traffic shaping: application bandwidth limiting and prioritization

Automated site-to-site VPN (Auto VPN)
Simple: create VPN tunnels between locations with an easy point-and-click interface, or apply configuration templates to enable and configure VPN at many locations at once
Automatic: VPN configuration is generated and deployed automatically from the cloud; create a mesh or hub-and-spoke topology with only a few clicks
Resilient: automatically adjusts to changes in order to maintain secure connectivity during an ISP or datacenter outage, hardware failure, or IP address update

Application-aware intelligent path control
Dual active VPN: load balance your VPN traffic over your hybrid WAN
Policy based routing: select the preferred path for traffic based on protocol, port, source and destination IP, or even application
Dynamic path selection: select the best VPN tunnel for traffic automatically based on measured performance
The only solution to combine cutting edge SD-WAN with industry leading security technology
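The two path-control mechanisms above (a static preference per traffic class, overridden by performance when the preferred tunnel breaks its SLA) are easy to get wrong at the boundaries: what happens when several uplinks qualify, and what happens when none does. The block below is an added example written for this page, not Meraki code; the traffic classes, SLA thresholds and per-uplink loss/latency/jitter readings are constructed to exercise those cases, and the threshold shape is an assumption about what an uplink SLA check exposes.

```python
"""Performance-based path selection for dual-active VPN uplinks, as an added example.
Not Meraki code: the policy shape, thresholds and measurements are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class UplinkStats:
    name: str
    loss_pct: float      # packet loss over the probe window, percent
    latency_ms: float    # round-trip latency, milliseconds
    jitter_ms: float     # latency variation, milliseconds


@dataclass(frozen=True)
class PathPolicy:
    """One traffic class (matched upstream by protocol/port/IP/application) and the SLA it needs."""
    traffic_class: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    preferred: str       # uplink to use whenever it meets the SLA, so traffic does not flap


def meets_sla(stats: UplinkStats, policy: PathPolicy) -> bool:
    return (stats.loss_pct <= policy.max_loss_pct
            and stats.latency_ms <= policy.max_latency_ms
            and stats.jitter_ms <= policy.max_jitter_ms)


def select_path(policy: PathPolicy, uplinks: Iterable[UplinkStats]) -> str:
    """Return the uplink name for this traffic class.

    1. Stay on the preferred uplink while it meets the SLA (policy-based routing).
    2. Otherwise move to the best uplink that does meet the SLA (dynamic path selection).
    3. If no uplink meets the SLA, use the least-bad one rather than blackholing the traffic.
    """
    uplinks = list(uplinks)
    by_name = {u.name: u for u in uplinks}
    if policy.preferred in by_name and meets_sla(by_name[policy.preferred], policy):
        return policy.preferred
    candidates = [u for u in uplinks if meets_sla(u, policy)] or uplinks
    best = min(candidates, key=lambda u: (u.loss_pct, u.latency_ms, u.jitter_ms))
    return best.name


def build_route_table(policies: Iterable[PathPolicy], uplinks: Iterable[UplinkStats]) -> Dict[str, str]:
    """Map every traffic class to an uplink for the current probe window."""
    uplinks = list(uplinks)
    return {p.traffic_class: select_path(p, uplinks) for p in policies}


# Constructed policies: voice is loss/latency sensitive, bulk backup is not and prefers the cheap link.
POLICIES = [
    PathPolicy("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30, preferred="wan1"),
    PathPolicy("backup", max_loss_pct=5.0, max_latency_ms=500, max_jitter_ms=100, preferred="wan2"),
]

# Constructed probe windows: healthy, then wan1 degraded, then both degraded.
WINDOWS = {
    "healthy":  [UplinkStats("wan1", 0.0, 40, 5), UplinkStats("wan2", 0.4, 70, 12)],
    "wan1_bad": [UplinkStats("wan1", 3.0, 210, 45), UplinkStats("wan2", 0.4, 70, 12)],
    "both_bad": [UplinkStats("wan1", 3.0, 210, 45), UplinkStats("wan2", 6.0, 300, 80)],
}

if __name__ == "__main__":
    for label, stats in WINDOWS.items():
        print(label, build_route_table(POLICIES, stats))
```

The "least-bad" fallback is a design choice: dropping a class because every tunnel is out of SLA is usually worse than sending it over a degraded one, but a production implementation would also add hysteresis so a link hovering around a threshold does not bounce traffic every probe window.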
Extend Auto VPN and Meraki SD-WAN into AWS / Azure (diagram: a branch, Datacenter 1 and Datacenter 2 connected over Auto VPN SD-WAN to a vMX running in AWS)

Network security use cases
Cisco Meraki MX: existing Meraki customer; prizes simplicity first / lean IT organization; needs high WAN performance with low cost Internet links (SD-WAN); branch or distributed enterprise deployment; Internet edge
Cisco Firepower & ASA: enterprise edge deployment; datacenter; needs sophisticated threat investigation; existing Firepower, TrustSec, AMP for Endpoints customer
What's new

MX250 and MX450 Security Appliances: expanding the MX portfolio with new, high performance options. High throughput, flexible interface types, modular redundant power.

MX250 and MX450 Security Appliances
                      MX250                                   MX450
WAN interfaces        2 x 10G SFP+                            2 x 10G SFP+
LAN interfaces        8 x 1G RJ45, 8 x 1G SFP, 8 x 10G SFP+   8 x 1G RJ45, 8 x 1G SFP, 8 x 10G SFP+
Firewall throughput   4 Gbps                                  6 Gbps
Recommended clients   2,000                                   10,000
VPN throughput        1 Gbps                                  2 Gbps

Z3 Teleworker Gateway
                            Meraki Z1     Meraki Z3 (new)
WAN                         1 x 1GbE      1 x 1GbE
LAN                         4 x 1GbE      4 x GbE (1 x PoE)
WLAN                        802.11n       802.11ac Wave 2
Firewall throughput         50 Mbps       100 Mbps
VPN throughput              10 Mbps       50 Mbps
802.1X port authentication  No            Yes
Vertical desktop mount      No            Yes
Recommended clients         5             5

vMX100 for Azure: the virtual MX is now available for Microsoft Azure. 500 Mbps VPN throughput, available in the Azure Marketplace, full SD-WAN capabilities, same license.

New release candidate firmware: MX 13.28
Security: Threat Grid; FQDN/hostname firewall rules; syslog export of AMP events; DNS-based Google SafeSearch and YouTube restriction (Google's recommended method); URL filtering cloud lookups for HTTPS flows based on the hostname in the TLS certificate request (SNI)
Connectivity: Layer 7 SD-WAN policies; OSPF advertisement on the LAN of a NAT mode MX; 1:Many NAT over Auto VPN; BGP for VPN route redistribution; uplink IP configuration from Dashboard; MX load monitoring; loss and latency reporting (uplink SLA) now enabled in passthrough mode
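Classifying an HTTPS flow from the certificate request means reading the server_name (SNI) extension out of the TLS ClientHello without decrypting anything. The block below is an added example, not Meraki code or the MX's implementation: a bounds-checked ClientHello parser that returns the SNI hostname, and a verdict function that applies a blocked-domain list to it. The sample ClientHello is constructed by a helper in the block; the blocked domains are made up. The caveat a practitioner should keep in mind is in the code: SNI is client supplied and optional, so "no SNI" and "malformed" must not collapse into "allow".

```python
"""Extract the SNI hostname from a TLS ClientHello so an HTTPS flow can be classified
without decryption. Added example, not Meraki code; the sample ClientHello is constructed."""
import struct
from typing import Iterable, Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


class MalformedClientHello(ValueError):
    pass


class _Reader:
    """Bounds-checked cursor: every length field is honoured, none is trusted past the buffer."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.off + n > len(self.data):
            raise MalformedClientHello(f"truncated at offset {self.off}")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.off >= len(self.data)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the client sent none."""
    r = _Reader(record)
    if r.u8() != TLS_HANDSHAKE:
        raise MalformedClientHello("not a TLS handshake record")
    r.take(2)                                # record-layer protocol version
    hs = _Reader(r.take(r.u16()))            # parse only inside the record length
    if hs.u8() != CLIENT_HELLO:
        raise MalformedClientHello("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                        # client_version, random
    body.take(body.u8())                     # legacy_session_id
    body.take(body.u16())                    # cipher_suites
    body.take(body.u8())                     # compression_methods
    if body.done():
        return None                          # no extensions block at all
    exts = _Reader(body.take(body.u16()))
    while not exts.done():
        ext_type = exts.u16()
        ext = _Reader(exts.take(exts.u16()))
        if ext_type != EXT_SERVER_NAME:
            continue                         # other extensions are skipped by length
        names = _Reader(ext.take(ext.u16()))
        while not names.done():
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:               # host_name
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    raise MalformedClientHello("non-ASCII host_name") from None
    return None


def https_verdict(record: bytes, blocked_suffixes: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify a ClientHello against a blocked-domain list. SNI is client supplied and
    optional, so a missing or malformed one is reported as such, never as 'allow'."""
    try:
        sni = extract_sni(record)
    except MalformedClientHello:
        return "malformed", None
    if sni is None:
        return "unclassified", None          # leave it to IP-based checks upstream
    host = sni.lower().rstrip(".")
    for suffix in blocked_suffixes:
        suffix = suffix.lower()
        if host == suffix or host.endswith("." + suffix):
            return "block", host
    return "allow", host


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, used as sample input for the parser."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    exts += struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"  # signature_algorithms, to be skipped
    body = b"\x03\x03" + b"\x11" * 32                            # client_version + random
    body += b"\x00"                                              # empty session id
    body += struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"            # two cipher suites
    body += b"\x01\x00"                                          # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the hostname comes from the client, a user who controls the endpoint can send any SNI (or none) to a given IP; SNI-based filtering is a policy control for cooperating clients, not a guarantee, which is why the verdict function keeps "unclassified" distinct from "allow".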
Introducing Meraki Insight
Sound familiar? "This is IT. How can I help?" "The network is slow." "My Wi-Fi is broken." "My Internet is down."

What contributes to poor end user experience?
Internal: LAN congestion, rogue actors, network design, network capacity limits. Deploy Meraki Dashboard tools (traffic shaping, QoS, Air Marshal); address with training and more infrastructure.
External: WAN congestion, application errors, application server processing time, authentication / DNS server response time. Apply Meraki Insight.

Meraki Insight provides end-to-end visibility into how your end users are experiencing their SaaS applications, and assists with application performance management and troubleshooting.
Question: how does this differ from what is built in? Insight offers data on external factors, including the entire wide area network, ISPs and SaaS applications such as Office 365 and Salesforce.com. It is similar to 3rd party tools such as SolarWinds, NetScout and ThousandEyes.
Meraki Insight in the dashboard (screenshots): insight into both the network and application layers

Our first probe for Meraki Insight: the Meraki MX
Cisco Security Integrations and portfolio positioning
Integration matrix (diagram): how the Meraki MX sits against the wider Cisco Security portfolio across analytics and insights, threat intelligence, cloud and web security, posture and policy, security architecture, network infrastructure, malware, firewall, Cisco ISE and TrustSec, remote access, intrusion prevention, and endpoint management. Legend: limited integration or interoperability; deeper integration; active development or beta.

Current integrations - Stealthwatch
Integration details: NetFlow export from the MX can be consumed by Stealthwatch or Stealthwatch Cloud
Key limitations: no Flexible NetFlow; no NAT flow stitching
(Dashboard screenshot: Network-wide > General)

Current integrations - ISE
Integration details: RADIUS authentication using ISE for wired connections on all MX64/MX65/Z3 models; RADIUS authentication using ISE for wireless connections on MX64W/MX65W
Key limitations: no TrustSec capability on the MX
(Screenshot: ISE / Meraki feature compatibility matrix)

Current integrations - Umbrella
Integration details: use Umbrella resolvers for DNS resolution when serving DHCP from the MX
Key limitations: no EDNS forwarding capability; no visibility into applied Umbrella policies in the Meraki Dashboard
(Dashboard screenshot: Security Appliance > DHCP)
Current integrations - AMP
Integration details: AMP for Networks with Threat Grid sandboxing on the MX; native malware event visibility in the Meraki Dashboard via Security Center; retrospective alerting via Dashboard and email alerts
Key limitations: no correlation/trajectory between AMP on the MX and AMP for Endpoints; only files downloaded via HTTP are inspected on the MX (downloads over HTTPS are not)

AMP and Threat Grid integration with MX
1. File reputation: blocking of known malicious files (powered by AMP Cloud)
2. File analysis: behavior analysis of unknown files (powered by Threat Grid)
3. File retrospection: retrospective alerting upon disposition change (powered by AMP Cloud; triggered by the analysis result)

AMP architecture (diagram): the AMP Cloud provides file reputation and threat intelligence, Threat Grid provides file analysis, and the same services back the network attached controls: NGFW/NGIPS, ISR, ESA/CES (email), WSA/Umbrella (web), the endpoint (host), ISE, Stealthwatch and the Meraki MX.

Meraki Security Center events
Aggregated view of security events: file analysis and disposition changes
Quick drill into file analysis results
Event filtering capabilities
Identify clients and networks that are potentially infected
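The three AMP stages above and the Security Center view of "clients that are potentially infected" are the same data seen from two sides: a delivery ledger written at inspection time, and alerts generated from it when a disposition changes later. The block below is an added example written for this page, not Meraki, AMP or Threat Grid code: a gateway model that hashes each HTTP download, applies the reputation verdict, queues unknown hashes for analysis, and on a later verdict change emits one retrospective alert per client that already received the file. The file contents, client addresses and URLs are constructed; the disposition vocabulary (clean/malicious/unknown) is an assumption.

```python
"""File reputation, analysis queueing and retrospection on an HTTP download path.
Added example, not Meraki/AMP code; sample files, clients and URLs are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Delivery:
    sha256: str
    client: str
    url: str
    ts: int            # epoch seconds, when the file crossed the gateway
    disposition: str   # verdict at the moment it was delivered


class FileGateway:
    """1. reputation: look the SHA-256 up; block 'malicious', let 'clean' and 'unknown' through
       2. analysis: queue 'unknown' hashes for sandboxing
       3. retrospection: when a verdict later changes, alert on every client that already got the file"""

    def __init__(self, reputation: Dict[str, str]):
        self.reputation = dict(reputation)            # sha256 -> clean | malicious | unknown
        self.deliveries: List[Delivery] = []          # the ledger retrospection is computed from
        self.analysis_queue: List[str] = []
        self.retro_alerts: List[Tuple[str, str, str, str]] = []  # (client, sha256, url, old verdict)

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def inspect(self, client: str, url: str, data: bytes, ts: int) -> Tuple[str, str]:
        """Reputation check at download time. Only HTTP bodies reach this point; HTTPS is not inspected."""
        h = self.fingerprint(data)
        disp = self.reputation.get(h, "unknown")
        if disp == "malicious":
            return "blocked", h
        if disp == "unknown" and h not in self.analysis_queue:
            self.analysis_queue.append(h)             # hand to the sandbox, but do not hold the download
        self.deliveries.append(Delivery(h, client, url, ts, disp))
        return "allowed", h

    def update_disposition(self, sha256: str, new_disp: str) -> List[Tuple[str, str, str, str]]:
        """Apply a verdict from analysis or a later cloud update; return the retrospective alerts it caused."""
        old = self.reputation.get(sha256, "unknown")
        self.reputation[sha256] = new_disp
        if sha256 in self.analysis_queue:
            self.analysis_queue.remove(sha256)
        new_alerts = []
        if new_disp == "malicious" and old != "malicious":
            for d in self.deliveries:
                if d.sha256 == sha256:                # every past delivery, not just the latest
                    new_alerts.append((d.client, sha256, d.url, d.disposition))
        self.retro_alerts.extend(new_alerts)
        return new_alerts

    def potentially_infected(self) -> List[str]:
        """Clients that received a file whose current disposition is malicious."""
        return sorted({d.client for d in self.deliveries
                       if self.reputation.get(d.sha256) == "malicious"})


# Constructed sample files (not real malware) and a constructed reputation database.
KNOWN_BAD = b"constructed-sample-with-a-known-bad-hash"
DROPPER = b"constructed-sample-unknown-at-download-time"
REPUTATION = {FileGateway.fingerprint(KNOWN_BAD): "malicious"}


def run_scenario() -> FileGateway:
    gw = FileGateway(REPUTATION)
    gw.inspect("10.1.2.15", "http://files.example/setup.exe", KNOWN_BAD, 1000)    # blocked outright
    gw.inspect("10.1.2.15", "http://files.example/update.exe", DROPPER, 1010)     # unknown, delivered
    gw.inspect("10.1.2.44", "http://files.example/update.exe", DROPPER, 1100)     # unknown, delivered
    gw.update_disposition(FileGateway.fingerprint(DROPPER), "malicious")          # sandbox verdict arrives
    return gw


if __name__ == "__main__":
    g = run_scenario()
    for alert in g.retro_alerts:
        print("retrospective alert:", alert)
    print("potentially infected:", g.potentially_infected())
```

The point of the ledger is that an "unknown" verdict lets the file through; retrospection only works if every delivery was recorded with its client at the time, which is also why the MX limitation on HTTPS matters: a download the gateway never saw cannot be alerted on later.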
Current integrations - Snort IPS
Integration details: three curated IPS rulesets for detection or prevention; native IDS/IPS event visibility in the Meraki Dashboard via Security Center
Key limitations: no customization of IPS rule sets; single-packet flows will not be blocked, because Snort is not run in-line (it inspects a copy of the traffic, so a verdict can only drop subsequent packets of the same flow)
(Dashboard screenshots: Organization > Security Center; Security Appliance > Threat protection)

Two way communication with Talos
Inbound: Talos threat research and intelligence informs the Snort signatures and the AMP malware database used on the MX
Outbound: Snort IPS telemetry data is provided back to Talos to inform threat research activities; AMP lookup data from MXes is available to Talos, just like with other platforms
Demo
MX Product Portfolio
Simple, use case driven licensing
Enterprise License: next generation firewall; site-to-site and client VPN; intelligent path control; link bonding and failover; bandwidth shaping and QoS; branch routing
Advanced Security License: all Enterprise features, plus content filtering (with Google SafeSearch enforcement); Cisco Advanced Malware Protection; Snort IDS/IPS; Threat Grid integration*; geo-based firewall rules; web caching; active/passive high availability
*additional Threat Grid subscription required

MX portfolio
Teleworker: Z1; Z3 (new). ~5 users; 802.11ac wireless & PoE (Z3); FW throughput 50-100 Mbps
Small branch: MX64, MX65. ~50 users; 802.11ac wireless & PoE; FW throughput 250 Mbps
Medium branch: MX84, ~200 users, FW throughput 500 Mbps; MX100, ~500 users, FW throughput 750 Mbps
Large branch, campus or concentrator: MX250 (new), ~2,000 users, FW throughput 4 Gbps; MX400, ~2,000 users, FW throughput 1 Gbps; MX450 (new), ~10,000 users, FW throughput 6 Gbps; MX600, ~10,000 users, FW throughput 1 Gbps
Virtual: vMX100 for AWS & Azure (Azure new), FW throughput 750 Mbps, VPN & SD-WAN features
All MX devices support 3G/4G
Thank you