Focusing on Security: Building a Cloud-Managed Network with Cisco Meraki MX Equipment

    When building a modern network, the questions that come to the forefront are increasingly not so much bandwidth as security and reliability. As one option for building such a network, with a rich set of functions that ensure security and stability, we suggest considering the Cisco Meraki MX security appliances.



    The Cisco Meraki MX security appliances provide a complete set of tools for most situations right out of the box. This means that once you have purchased this product, you will not need further purchases or additional costs. Deploying the network is very simple: the purchased equipment is delivered and mounted at the site. After installation, the devices automatically connect to the Cisco Meraki cloud over SSL, register in a network and download the configuration for it. In this way an SD-WAN is formed: your own software-defined network running over the Cisco wide-area infrastructure. This lets you administer the entire network over the Internet and, thanks to the high level of automation, configure and diagnose it with a few mouse clicks.



    Security


    The main function of the Meraki MX system is to ensure the integrated security of the network you build. For this it has many software tools that, in conjunction with the Cisco Meraki cloud, make it easy to configure the network and manage the system. The solutions provided by the MX Security Appliances include:

    - A robust firewall. With the spread of modern applications and mixed-type networks, a security system based on host and port control alone is no longer enough. The Cisco Meraki firewall gives the administrator full control over user activity, including content and applications. It performs deep analysis of network traffic, determining the type of data being transferred as well as the applications and users responsible for that traffic. Based on this data, the filters that the administrator has configured in advance are applied. Thus, for example, you can block traffic from online movie theaters on the one hand and give the highest priority to video conferencing traffic on the other. The proprietary firewall can even handle peer-to-peer application traffic, which many other firewalls let through.



    To prevent network attacks, the Cisco Meraki firewall uses an engine based on one of the most widely used open-source security tools, Sourcefire Snort. Protection is provided through a combination of techniques: signature matching, protocol analysis, anomaly detection and others.

    The firewall also recognizes connected devices. It automatically detects devices running iOS, Android, Windows, Mac OS and other operating systems and can apply rules to them based on parameters predefined by the administrator. Rules can apply to all connected devices or only to a specific type of device. For example, all iPad tablets can automatically receive read-only access.

    - Advanced malware protection. Meraki MX includes an advanced anti-malware system, Cisco Advanced Malware Protection. It provides reliable anti-virus protection using all modern methods, among them signature-based file scanning: the database contains more than 500 million known files, and about 15 million new objects are added to it every day. It also uses contextual file analysis, sandboxing, retrospective analysis and other tools.

    All files downloaded through the network are scanned in real time. Reports are sent to administrators so that they can see the main sources of threats at any moment and respond to them quickly. A retrospective analysis system lets you learn about malicious files even after they have passed through the network and reached a device. This rarely happens, but it can when a file is downloaded before the various security systems have identified it as malicious.

    - Intrusion prevention. Every network is a potential target for intrusions and malicious attacks. The MX Security Appliances have a variety of easily customizable tools to counter them. The intrusion prevention system (IPS) works with sets of rules executed on the Sourcefire Snort engine. These are combinations of predefined security policies that determine the required level of protection and work entirely on the appliance itself. Rule updates are released daily and are installed on your devices automatically within an hour of publication. This ensures round-the-clock protection against a wide variety of threats: rootkits, viruses, exploits and so on.

    All data on the operation of the security system is provided in real time through the Meraki web-based control panel. The information is shown as reports and graphs, both for the system as a whole and for specific networks, devices and applications. Based on it, the administrator decides whether any measures need to be taken, can change settings and perform other necessary operations, and can assess the overall exposure of the system.



    Another plus for administrators is the ease of deploying the intrusion prevention system. When a whole range of manually configured tools is used for this, human error can creep in and compromise security. With Meraki MX, the intrusion prevention system is deployed in seconds with a few clicks in the control panel: these clicks enable the system and select the required rule set for the Sourcefire engine.

    - Automatic VPN. With the MX Security Appliances you get a reliable virtual network between your devices that is configured, monitored and maintained on its own. On deployment, the system automatically configures the VPN settings needed to create and maintain VPN sessions. All peers and routes are connected automatically through a secure WAN (wide area network) and are kept up to date in dynamic IP environments. All security functions, such as key exchange, authentication and security policies, are implemented automatically by the MX Security VPN. And with a number of tools, the administrator can monitor the network status in real time.

    The system fully supports split-tunnel and full-tunnel configurations, which are set up in one click. Hub-and-spoke (star) and full-mesh topologies are supported for easier and more flexible deployment. The built-in firewall and security policies make it easy to manage the entire VPN network.



    - Content filtering. The Cisco Meraki content blocking system lets users of your network browse the Internet safely while staying protected from sites with unwanted, harmful or shocking content. Different policies can be applied to specific user groups wherever Active Directory is used, with whitelists that allow exceptions for specific users. Active Directory group policies are managed through the control panel, and direct queries to the Active Directory server are also possible. Everything is intuitive and there is no need to install Active Directory agents, which simplifies working with the system.

    Content and site filtering works as follows: when a device wants to visit a resource, its address is checked against the existing URL database. The check proceeds in several stages against various parameters, so that, for example, some pages on a site may be allowed while others are not. Specific URLs can be added to the whitelist, in which case they take precedence over the filter and bypass it. Content is filtered across more than 80 categories, which can be blocked for all users except those included in the whitelist.
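    The evaluation order in that paragraph (explicit URL entries first, page-level as well as site-level, then category blocking with per-user exemptions) is easy to get wrong when writing your own policy. The following is an added example, not Meraki's code; the category table, the policy and the user names are constructed, and the pattern syntax "host" / "host/path-prefix" is an assumption made for the illustration:

```python
"""Constructed simulation of URL filtering with allow-list precedence.

Added example, not the article's or Meraki's code. The category database
is a small in-memory table standing in for the cloud-synchronized one.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ContentPolicy:
    blocked_categories: set      # categories blocked for non-exempt users
    url_allow_list: list         # "host" (whole site) or "host/prefix" (those pages only)
    url_block_list: list         # same syntax, explicit blocks
    exempt_users: set            # e.g. members of an AD group that bypasses category blocks


def _matches(pattern, host, path):
    """'host' matches the site and its subdomains; 'host/prefix' matches only that path."""
    if "/" in pattern:
        p_host, p_path = pattern.split("/", 1)
        return host == p_host and path.startswith("/" + p_path)
    return host == pattern or host.endswith("." + pattern)


def classify(host, category_db):
    """Return the category of a host, matching the domain or any subdomain."""
    for domain, category in category_db.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "uncategorized"


def evaluate(url, user, policy, category_db):
    """Decide ('allow'|'block', reason) in the precedence order described above."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path or "/"
    # Stage 1: an explicit allow entry wins over every other filter.
    if any(_matches(p, host, path) for p in policy.url_allow_list):
        return ("allow", "url allow list")
    # Stage 2: explicit block entries.
    if any(_matches(p, host, path) for p in policy.url_block_list):
        return ("block", "url block list")
    # Stage 3: category filtering, skipped for exempt users.
    category = classify(host, category_db)
    if category in policy.blocked_categories and user not in policy.exempt_users:
        return ("block", f"category: {category}")
    return ("allow", f"category: {category}")


# Constructed sample data.
CATEGORY_DB = {
    "streaming.example": "streaming-media",
    "news.example": "news",
    "intranet.example": "business",
}
POLICY = ContentPolicy(
    blocked_categories={"streaming-media"},
    url_allow_list=["streaming.example/training"],   # one section of a blocked site
    url_block_list=["news.example/comments"],        # one section of an allowed site
    exempt_users={"alice"},
)


def check(url, user):
    """Convenience wrapper over the constructed policy and database."""
    return evaluate(url, user, POLICY, CATEGORY_DB)


if __name__ == "__main__":
    for url, user in [
        ("https://streaming.example/movies/1", "bob"),
        ("https://streaming.example/training/intro", "bob"),
        ("https://streaming.example/movies/1", "alice"),
        ("https://news.example/comments/42", "bob"),
    ]:
        print(user, url, "->", check(url, user))
```

    The point to take from the ordering is that an allow-list entry is a deliberate hole in the category filter, so allow entries should be as narrow as the syntax permits (a path prefix rather than a whole host) and reviewed like any other exception.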

    The MX Security Appliances synchronize with the Cisco Meraki cloud in the background so that all databases, policies, subscriptions and categories are always up to date, removing the need for manual updates by the administrator.

    - Fault tolerance. Cisco Meraki MX Security Appliances support multiple levels of redundancy, providing a continuous WAN connection, uninterrupted access to devices and seamless transition to backup resources in the event of a failure. Each Meraki MX device supports dual WAN connections, which allows an instant switch to the other link in case of an attack or disconnection. When this happens, the built-in traffic prioritization redirects the flows and distributes the load to the new links, ensuring stable operation of the network in emergencies. WAN connections are supported both over gigabit Ethernet and over cellular networks, including WCDMA, HSPA (3G), LTE and WiMAX (4G).

    The administrator can specify which data center to use as the primary resource for shared subnets, and also define an ordered list of other nodes to be used if the primary data center fails because of a power outage or an attack. Thus, if the primary node goes offline, the system automatically redirects flows to the specified resources.
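    As an added illustration of the two failover decisions just described (which uplink carries traffic, and which hub serves a shared subnet), here is a small model that is not Meraki's code; the uplink names, hub names, subnets and status values are constructed:

```python
"""Constructed model of dual-WAN uplink selection and hub-priority failover.

Added example, not the article's or Meraki's code. Statuses would come from
the monitoring system in practice; here they are passed in as dictionaries.
"""

# Uplinks in priority order: the first one reported 'up' carries traffic,
# with the cellular modem as the last resort.
UPLINKS = ["wan1", "wan2", "cellular"]

# Per shared subnet, the administrator's ordered hub preference list.
HUB_PREFERENCES = {
    "10.10.0.0/16": ["dc-primary", "dc-secondary", "dc-tertiary"],
    "10.20.0.0/16": ["dc-secondary", "dc-primary"],
}


def select_uplink(uplinks, uplink_status):
    """Return the highest-priority uplink that is up, or None if all are down."""
    for name in uplinks:
        if uplink_status.get(name) == "up":
            return name
    return None


def select_hubs(hub_preferences, hub_status):
    """Map each subnet to the first reachable hub in its list (None if none is)."""
    routes = {}
    for subnet, prefs in hub_preferences.items():
        routes[subnet] = next((h for h in prefs if hub_status.get(h) == "up"), None)
    return routes


def reconverge(hub_preferences, old_status, new_status):
    """Return {subnet: (old_hub, new_hub)} for subnets whose hub changed.

    This is the set of flows the appliance must redirect after a status update.
    """
    before = select_hubs(hub_preferences, old_status)
    after = select_hubs(hub_preferences, new_status)
    return {s: (before[s], after[s]) for s in before if before[s] != after[s]}


if __name__ == "__main__":
    # Constructed scenario: wan1 loses carrier and the primary data center goes dark.
    uplinks_now = {"wan1": "down", "wan2": "up", "cellular": "up"}
    hubs_before = {"dc-primary": "up", "dc-secondary": "up", "dc-tertiary": "up"}
    hubs_after = {"dc-primary": "down", "dc-secondary": "up", "dc-tertiary": "up"}
    print("active uplink:", select_uplink(UPLINKS, uplinks_now))
    print("redirected subnets:", reconverge(HUB_PREFERENCES, hubs_before, hubs_after))
```

    Note what the model makes visible: a subnet whose preference list happens to name only hubs that are down gets no route at all, so preference lists should be long enough to survive the failures you actually plan for.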

    - Application control. Deep Packet Inspection (DPI), the technique of checking and filtering network packets by their contents, lets you reliably control the use of specific applications on the network and, if necessary, block them. The system analyzes not only IP addresses, hosts, ports and packet headers, but also applies heuristic traffic analysis. This allows even the traffic of applications that disguise themselves as other applications to be detected.

    Using a convenient search function, the administrator can find the applications and users that generate the most traffic. With traffic prioritization policies, they can be throttled or have their priority raised or lowered. Priority traffic can be assigned automatically based on group membership.

    Cisco Meraki also maintains a cloud-based application signature database. It is constantly updated and extended, so the administrator does not need to install trusted application signatures and their updates manually.

    Devices


    Meraki MX has eight models of wired and wireless network gateways (the specific devices are listed below). They differ in technical characteristics (for example, firewall throughput) and in the number of clients served, but they share the built-in security system whose elements we described above, as well as reliable hardware. We will look at what is inside them using the MX400 as an example: a capacious hard drive for caching, a central processor providing multi-level traffic analysis and other functions, RAM for the operation of the content filtering system, and a number of network interfaces for connecting network equipment and other devices (for example, 3G / 4G modems).



    Small Gateways

    - The MX64 is an entry-level device designed to connect 50 clients. It has a firewall throughput of 250 Mbps and a VPN throughput of 85-100 Mbps. The gateway has five gigabit ports and can connect a USB 3G / 4G modem. Its sibling, the MX64W, has the same capabilities but is additionally equipped with a WiFi 802.11ac module.

    The MX65 has similar characteristics, but its number of gigabit ports is increased to 12, two of which support Power over Ethernet (PoE), the ability to deliver electrical power over twisted-pair cables. The MX65W is additionally equipped with an 802.11ac WiFi module.



    Middle Gateways

    These gateways differ from the small ones not only in greater throughput and size, but also in their support for hub-and-spoke (star) topologies, in which they act as the central nodes (hubs).

    The MX84 has a firewall throughput of 500 Mbps and a VPN throughput of 200-250 Mbps, and is designed to connect 200 clients. It has 10 gigabit ports, two SFP slots and the ability to connect a USB modem. As a hub, the MX84 can serve 100 spokes. Web caching is also available on this model.

    Up to 500 clients can connect to the MX100 gateway. Its throughput is 750 Mbps for the firewall and 350 to 500 Mbps for the VPN. There are nine gigabit ports, two SFP slots and the ability to connect a USB modem. As a hub, it can accept connections from 250 devices. Web caching is also present.



    Large gateways

    One of the main features of the most advanced MX models, besides high throughput, is the ability to add expansion modules. Thanks to this, the gateways can be scaled according to need.

    The MX400 is designed to connect 2000 clients. Its firewall throughput is 1 Gbit / s, and the VPN throughput is from 900 Mbit / s to 1 Gbit / s. It has up to 20 gigabit ports, up to 16 SFP and up to four SFP+ ports. A USB 3G / 4G modem can also be connected. As a hub, the model can connect up to 1000 devices; it has a web caching system and a redundant power supply.

    The MX1000 has the same number of ports as the previous model, but 10,000 clients can connect to it, and as a hub it accepts up to 5,000 devices. The firewall throughput is 1 Gbit / s, and the VPN throughput is from 900 Mbit / s to 1 Gbit / s. It supports a USB modem, web caching and a redundant power supply.



    Conclusion


    Building a secure cloud-managed network on Cisco Meraki MX equipment is no problem. The system is deployed very quickly, and configuration, like management, is mostly automatic: it is done through Cisco cloud resources with minimal administrator intervention. The built-in security features create a comfortable environment for users: guests are protected from inappropriate content, and employees get the highest priority for the traffic of their official tasks.

    The range of models lets you choose exactly the equipment a particular organization needs, without overpaying for unnecessary performance.
