When building a modern network, not only bandwidth but also security and reliability are increasingly coming to the fore. As one option for building such a network, with a rich set of features for security and stable operation, we suggest considering the Cisco Meraki MX security appliances.

The Cisco Meraki MX security system provides a complete set of tools and solutions for most situations right out of the box. This means that after purchasing this product you will not need to make other purchases or incur additional costs. Deploying the network is very simple. The purchased equipment is delivered and installed at the site. After installation, the devices automatically connect to the Cisco Meraki cloud via SSL, register the network and download its configuration. In this way an SD-WAN is formed: your own software-defined network operating as part of the Cisco wide area network. This gives you access to administration of the entire network over the Internet, and, thanks to the high level of automation, lets you configure and diagnose it with a few mouse clicks.

Security
The main function of the Meraki MX system is to provide integrated security for the network you build. To this end it contains many software tools that, together with the Cisco Meraki cloud, make it easy to configure the network and manage the system. The solutions provided through the MX Security Appliances include:
- Reliable firewall. With the proliferation of modern applications and mixed-type networks, a security system based only on control of hosts and ports is no longer enough. The Cisco Meraki firewall gives the administrator complete control over user actions, including content and applications. It analyzes network traffic in depth, determining the type of data transmitted as well as the applications and users responsible for that traffic. Based on this data, the filters that the administrator configured earlier are applied. Thus, for example, it is possible on the one hand to block data transfer from online cinemas and on the other hand to give the highest priority to videoconferencing traffic. The Meraki firewall can even handle peer-to-peer application traffic, which many other firewalls let through. At the same time, setting up the system is quite simple: in the corresponding window you just select the data type or the specific resources and applications that will be blocked or, conversely, allowed.

To prevent network attacks, the Cisco Meraki firewall uses an engine based on one of the most widespread open-source security tools, Sourcefire Snort. Protection is provided by a combination of different techniques: signature matching, protocol analysis, anomaly detection, and so on.
The firewall also recognizes connected devices. It automatically detects devices running iOS, Android, Windows, Mac OS and other operating systems and can apply rules to them based on parameters predefined by the administrator. Specific rules can apply to all connected devices or to a specific type of device. For example, all iPad tablets can automatically receive the Read Only access level.
- Advanced protection against malware. Meraki MX has an advanced anti-malware system, Cisco Advanced Malware Protection. It provides reliable anti-virus protection using all modern methods. Among them is signature-based file scanning: the database contains more than 500 million known files, and about 15 million new objects are added to it every day. It also uses contextual file analysis, a sandbox, retrospective analysis and other tools.
All files downloaded via the network are scanned in real time. Reports are delivered to administrators so that they can see the main current sources of threats and respond promptly to them. The retrospective analysis system lets you learn about malicious files even if they have already passed through the network and reside on a device. This rarely happens, but a file can be downloaded before the various security systems identify it as malicious.
- Prevention of intrusions. Every network is a potential target for intrusions and malicious attacks. MX Security Appliances have a variety of highly customizable countermeasures. The intrusion prevention system (IPS) works with rule sets executed on the Sourcefire Snort engine. It is a combination of predefined security policies that define the required level of protection and operate fully autonomously. Their updates are released daily and automatically installed on your devices within an hour of publication. This provides round-the-clock protection against a wide variety of threats — rootkits, viruses, exploits, etc.
All data on the operation of the security system is provided in real time through the Meraki web control panel. Information is displayed in the form of reports and graphs, both for the system as a whole and for specific networks, devices and applications. Based on this information the administrator decides whether certain measures need to be taken, can change settings and carry out other necessary operations, and can assess the overall exposure of the system.

Another plus for administrators is the ease of deploying the intrusion prevention system. When a whole set of manually configured tools is used for this, human error can creep in and compromise security. In the case of Meraki MX, the intrusion prevention system is deployed in seconds with a few clicks in the corresponding control panel. These clicks are needed only to enable it and select the required rule set for the Sourcefire engine.
- Automatic VPN. Using MX Security Appliances you get a reliable virtual network between your devices that is configured, monitored and maintained automatically. When deployed, the system automatically configures the VPN settings necessary to create and maintain VPN sessions. All peers and routes are automatically connected over a secure WAN (Wide Area Network) and kept up to date in dynamic IP environments. All security functions, such as key exchange, authentication and security policies, are implemented automatically between the MX VPN peers. With the help of a number of tools, the administrator can monitor the network status in real time.
The system fully supports split-tunneling and full-tunneling configurations, which are set up in one click. Hub-and-spoke and full-mesh network topologies are supported for easier and more flexible deployment. And the built-in firewall and security policies make it easy to manage the entire VPN network as a whole.

- Content filtering. The Cisco Meraki content blocking system lets the users of your network surf the Internet safely while remaining protected from sites with unwanted, harmful or shocking content. A variety of policies can be applied to specific groups of users wherever Active Directory is used. For this there are whitelists with the possibility of exceptions for specific users. Active Directory group policies are managed through the control panel; it is also possible to send requests directly to the Active Directory server. Everything here is intuitive, and there is no need to install Active Directory agents, which simplifies working with the system.
Content and sites are filtered as follows: when a device wants to visit a particular resource, its address is checked against the existing URL database. The check runs in several stages against various parameters. Thus, for example, some pages of a site may be available for visiting while others are not. Specific URLs can be added to the whitelist; they then take precedence over the filter and bypass it. Content filtering covers more than 80 categories that can be blocked for all users except those on the whitelist.
The MX Security Appliances synchronize with the Cisco Meraki cloud in the background, so that all databases, policies, subscriptions and categories always remain up to date, eliminating the need for an administrator to update them manually.
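The staged decision described above (whitelisted URL first, then category lookup with per-page granularity, then the blocked-category check with per-user exemptions) can be modelled in code. This is an added illustration, not Meraki's own implementation; the category database, category names, hosts and user names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for the cloud URL/category database.
# Real Meraki category names and database contents are not shown on the page.
CATEGORY_DB = {
    "video.example": {"/": "streaming"},
    "news.example": {"/": "news", "/sports/": "sports"},  # per-path categories
    "intranet.example": {"/": "business"},
}
BLOCKED_CATEGORIES = {"streaming", "sports"}
# Whitelisted URL prefixes take precedence over category blocking.
ALLOWED_URL_PREFIXES = ["https://video.example/training/"]
# Users (for example an AD group) exempted from category blocking altogether.
EXEMPT_USERS = {"it-admin"}


def normalize(url):
    """Return (host, path) with a lower-cased host and a path starting with '/'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.hostname.lower(), parts.path or "/"


def lookup_category(host, path):
    """Longest-prefix match of the path among the host's entries, or None."""
    best = None
    for prefix, category in CATEGORY_DB.get(host, {}).items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, category)
    return best[1] if best else None


def decide(url, user):
    """Return (verdict, reason) following the stages described in the text."""
    host, path = normalize(url)
    # Stage 1: specific whitelisted URLs bypass the filter entirely.
    for allowed in ALLOWED_URL_PREFIXES:
        a_host, a_path = normalize(allowed)
        if host == a_host and path.startswith(a_path):
            return "allow", "url on whitelist"
    # Stage 2: category lookup, with per-page granularity on the path.
    category = lookup_category(host, path)
    if category is None:
        return "allow", "uncategorized"
    # Stage 3: a blocked category applies to everyone except exempt users.
    if category in BLOCKED_CATEGORIES:
        if user in EXEMPT_USERS:
            return "allow", f"{category} blocked, but user exempt"
        return "block", f"category {category}"
    return "allow", f"category {category} permitted"
```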
- Fault tolerance. Cisco Meraki MX Security Appliances support multiple levels of redundancy, which provides a permanent WAN connection, uninterrupted access to devices and a seamless transition to backup resources in the event of a failure. Each Meraki MX device supports dual WAN connectivity, which allows it to switch instantly to the other link in the event of an attack or a broken connection. If this happens, the built-in traffic prioritization redirects the flows and redistributes the load to the new path, ensuring stable operation of the network in emergency situations. Such a WAN connection is supported both over Gigabit Ethernet and over cellular links — including WCDMA, HSPA (3G), LTE and WiMAX (4G).
The administrator can specify which data center to use as the main resource for common subnets, and also define a list of other nodes, in priority order, that will be used if the main data center fails during a power outage or an attack. Thus, if the primary node goes offline, the system automatically redirects the flows to the specified resources.
- Application control. Deep Packet Inspection (DPI), the technology of checking and filtering network packets by their content, makes it possible to reliably control the use of certain programs on the network and, if necessary, block them. The system analyzes not only IP addresses, hosts, ports and packet headers, but also applies heuristic traffic analysis. This makes it possible to detect even the traffic of programs that disguise themselves as other applications.
With the help of a convenient search, the administrator can find the applications and users that generate the most traffic. Using traffic prioritization policies, they can be rate-limited or have their priority lowered or raised. Traffic priority can be assigned automatically based on group membership.
The Cisco Meraki system also has a cloud database of application signatures. It is constantly updated and extended, so the administrator does not need to install trusted programs and their updates manually.
Devices
Meraki MX has eight models of wired and wireless network gateways (see below for the specific devices). They differ in technical characteristics (for example, firewall throughput) and in the number of clients served, but they share a common feature: the embedded security system whose elements we described above, as well as reliable hardware. Let us look at what is inside using the MX400 as an example. There is a capacious hard disk for caching, a central processor that provides multi-level traffic analysis and other functions, RAM for operating the content filtering system, and a number of network interfaces for connecting network equipment and other devices (for example, 3G / 4G modems).
Small gateways
The MX64 is an entry-level device for connecting 50 clients. It has a 250 Mbps firewall throughput and an 85-100 Mbps VPN. The gateway has five gigabit ports and the ability to connect a USB 3G / 4G modem. Its sibling, the MX64W, has the same features but is additionally equipped with a WiFi 802.11ac module.
The MX65 model also has similar characteristics, but the number of gigabit ports has been increased to 12, and two of them support Power over Ethernet (PoE), the ability to transmit electrical power over twisted pair. The MX65W is additionally equipped with a WiFi 802.11ac module.
Medium gateways
These gateways differ from the small ones not only in increased bandwidth and size, but also in support for hub-and-spoke topologies, in which they act as the central nodes (hubs).
The MX84 model has a 500 Mbps firewall throughput and a 200-250 Mbps VPN, and is designed to connect 200 clients. It has 10 gigabit ports, two SFP modules and the ability to connect a USB modem. As a hub, the MX84 can connect up to 100 peripheral points (spokes). Web caching is also available in this model.
500 clients can connect to the MX100. Its bandwidth is 750 Mbps for the firewall and 350 to 500 Mbps for VPN. There are nine gigabit ports, two SFP modules and the ability to connect a USB modem. As a hub, it can accept connections from 250 devices. Web caching is also present.
Large gateways
One of the main features of the most advanced MX models, in addition to large bandwidth, is the ability to connect additional modules. Thanks to this, the gateways can be scaled according to need.
The MX400 is designed to connect 2000 clients. Its firewall throughput is 1 Gbps, and VPN is from 900 Mbps to 1 Gbps. It has up to 20 gigabit ports, up to 16 SFP and up to four SFP+ ports. It is also possible to connect a USB 3G / 4G modem. As a hub, the model can connect up to 1000 devices; there is a web caching system and a backup power supply.
The number of ports in the MX1000 model is the same as in the previous one, but 10,000 clients can connect to it, and as a hub it accepts up to 5,000 devices. Firewall throughput is 1 Gbps, VPN is from 900 Mbps to 1 Gbps. A USB modem, web caching and an additional power supply are available.

Conclusion
Building a secure cloud-managed network based on Cisco Meraki MX equipment poses no difficulty. The system is deployed very quickly, and configuration, like management, is mostly automatic: it is carried out through Cisco cloud resources with minimal involvement from administrators. The built-in security features let you create a comfortable working environment: guests are protected from inappropriate content, and staff are given the highest priority for completing official tasks.
The variety of models lets you choose exactly the equipment a particular organization needs, without overpaying for excess performance.