
Page 1

6th of October 2016.

Istvan Segyik (CCIE security #47531) – Escalations Engineer, Cisco GVE

[email protected]

Security Expert Call series

Cisco NGFW and UTM update

Page 2: Today's topics

• Cisco Firepower NGFW overview
• Cisco NGFW platforms and software editions
• Firepower 6.1 – What is new?
• Cisco Meraki Cloud Managed networking overview
• Cisco Meraki MX security gateways
• Demo: quick impression on both systems
• Q&A

Page 3: Cisco Firepower NGFW

Page 4: Cisco NGFW overview

Page 5: Secure the perimeter and the DC while...

[Diagram: new demands (sophisticated threats, global collaboration, private and public cloud datacenters, anywhere access and BYOD) and more things (sophisticated penetration, complex malware). Threats are harder to stop, visibility is more elusive, access is tougher to manage.]

Page 6: What Cisco offers is...

[Diagram: Cisco Firepower NGFW, fully integrated and threat focused: detect earlier, act faster; gain more insight; reduce complexity; stop more threats; get more from your network.]

Page 7: Major NGFW system components

[Diagram: security feeds (URL, IP, DNS) feeding a firewall (dynamic and static NAT, high availability, high bandwidth), AVC, SSL decryption engine, NGIPS, AMP file inspection with AMP Threat Grid, and DNS sinkhole; traffic between the private network, DMZ and Internet is blocked or allowed.]

Page 8: Wait! Where is anti-spam?! *+%#&

• Cisco NGFW can:
  • Inspect SMTP, POP3, IMAP, etc. traffic, both as an application and as a transport method for data;
  • Inspect the content and look for malware;
  • Do these things fast.
• But e-mail security is more than a single anti-spam engine that could be added on:
  • Multiple anti-spam engines, flexible spam quarantine;
  • E-mail authentication and integration: SPF, DKIM, DMARC handling;
  • Sophisticated filtering: application parameters, content, volumetric, etc.;
  • Conditional e-mail routing;
  • Graymail detection, classification and proper control;
  • Handling payload encryption (S/MIME, CRES, PGP, other proprietary schemes);
  • Granular reporting;
  • Etc.
• We recommend our market leading E-mail Security Appliance: www.cisco.com/go/esa

Page 9: NGFW components: Firewall

• All NGFW editions have stateful inspection firewall functionality.
• The ASA+Firepower (Hybrid) and Firepower Threat Defense (Unified) editions use the ASA (LINA) firewall engine:
  • Which is the world's most proven stateful inspection engine and is continuously developed;
  • Has sophisticated Application Level Gateway (ALG) functions that let modern applications safely pass the firewall and address translation.
• Legacy Sourcefire appliances have a good firewall too.

Page 10: NGFW components: SSL decryption

• By now all hardware platforms support SSL decryption...
  • ... but all of them do it in software, or with minimal HW assistance, on the data plane CPUs.
• The next generation platforms have high performance cryptographic accelerator ASICs:
  • At the moment they are used for IPsec acceleration only;
  • A forthcoming software release is going to enable HW acceleration of SSL/TLS decryption.
• On the other hand, be aware of the big industry players' intention to prevent enterprise firewalls and proxies from sniffing into TLS/SSL channels!

Page 11: NGFW components: Application Visibility & Control (AVC)

[Diagram: OpenAppID. See and understand risks; enforce granular access control; prioritize traffic and limit rates; create detectors for custom apps. Cisco database (based on OpenAppID): 4,000+ apps, mapped against network and users.]

Page 12: NGFW components: web controls

[Diagram: classify 280M+ URLs; filter sites using 80+ categories; manage "allow/block" lists easily; block latest malicious URLs. An admin creates category-based policy (allow/block, e.g. gambling) backed by the Cisco URL database, security feeds (URL | IP | DNS), DNS sinkhole and Safe Search; the NGFW filters accordingly.]

Page 13: NGFW components: web controls - explained

• We have dynamic URL category filtering and URL | IP | DNS reputation filtering capabilities.
• They are different technologies with mainly different purposes and very little overlap.
• Dynamic URL filtering:
  • Huge, cached DB of URLs with on-demand query in case an unknown URL is seen;
  • 80 categories, plus each URL has a reputation score;
  • Now provides 'Safe search' capabilities too;
  • Primary intention is enforcing acceptable web usage;
  • Requires the 'URL' license.
• URL and IP reputation filtering:
  • Cisco Talos provided or custom static lists of categorized URLs and IP addresses, pre-downloaded and cached;
  • URLs on these lists can be handled together with dynamic URL categories in an Access Control Policy rule, but this is a separate feed;
  • They focus on known bad hosts;
  • They are included in the 'Threat' license along with IPS functionality.

Page 14: NGFW components: web controls – explained cont.

• DNS reputation filtering:
  • Talos provided list of domain names, pre-positioned and cached;
  • This feeds the DNS sniffing and redirection engine;
  • Included in the 'Threat' license along with IPS and IP | URL reputation feeds.
• Wait...! OpenDNS?
• Not yet. Talos might use some information from ODNS for this feed, but there is no direct API connection to the ODNS cloud in this case.
• Still, ODNS can be used in parallel with a Cisco NGFW.
• ... and that makes sense: ODNS is the best tool to prevent connections to suspicious hosts behind dynamically generated 'fast flux' domains.

Page 15: NGFW components: Intrusion Prevention System

• There are multiple Snort engines running in parallel.
• Cisco Talos provides signature updates, and/or 3rd party feeds can be used as well.
• The IPS system is tightly integrated with the AVC engine, which is based on OpenAppID.
• Highly tunable:
  • Custom policies and rules can be added over the GUI or imported in Snort rule format;
  • Cloning policies, policy sections and rules can be done on the GUI;
  • An Access Control Policy can assign a separate IPS policy to each rule;
  • Intelligent Application Bypass can SECURELY optimize inspection for certain applications.
• Advanced pre-processors for:
  • Protocol normalization;
  • Fighting certain attacks like volumetric DoS;
  • Increasing application protocol security, e.g. SIP or SCADA protocols.

Page 16: NGFW components: improved traffic control

[Diagram with five feature groups:]
• Identity Integration (target threats accurately): ISE, pxGrid, VDI
• Captive Portal (enforce authentication): Active/Passive, NTLM, Kerberos
• Rate limiting (control application usage): rule-based limits, reports, QoS rules
• True-IP Policy (analyze headers in more depth): X-Forwarded-For, True-Client-IP, custom headers
• Tunnel Policy (block unwanted traffic early): pre-filtering, priority policy, policy migration

Page 17: NGFW components: anti-malware – nice diagram

[Diagram: AMP for Networks. File reputation (known signatures, fuzzy fingerprinting, indications of compromise), Threat Grid sandboxing (advanced analytics, dynamic analysis, threat intelligence), threat disposition (safe / uncertain / risky), file and device trajectory built from AMP for Network and AMP for Endpoint logs, enforcement across all endpoints. Block known malware, investigate files safely, detect new threats, respond to alerts.]

Page 18: NGFW components: anti-malware – explanation

• FireAMP for Networks runs on Cisco NGFW products. It is a composite engine that:
  • Creates a hash and runs a reputation check against the AMP Cloud or an on-premises private AMP appliance;
  • Creates a behavior pattern analysis for executables and compares that against the AMP Cloud (Spero engine);
  • May run a local ClamAV check (traditional, off-line AV engine);
  • Can submit a file to the Cisco Threat Grid Cloud or an on-premises dynamic analysis (sandbox) system;
  • Can store files, any files, for additional analysis;
  • Can retrospectively convict files that have already been passed, then alert, remediate and draw the network trajectory for forensics;
  • Requires a 'Malware' license, which includes a certain (platform dependent) number of daily TG submissions.
• AMP has an endpoint version as well, called AMP for Endpoints (AMP4E).
• AMP4E can report compromise events and contextual data to Firepower Management Center.
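The hash lookup, disposition and retrospective conviction flow described above, as an added illustration in Python (not Cisco code): the hosts, file bytes and dispositions are constructed, and an in-memory cache stands in for the AMP Cloud.

```python
"""Model of the AMP for Networks workflow on the slide (added example, not Cisco code).

Files crossing the sensor are hashed and checked against a disposition cache
(constructed here; the AMP Cloud in reality). When the verdict for a hash later
changes to 'risky', every earlier connection that passed that file is convicted
retrospectively and a network trajectory is produced for forensics.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAFE, UNCERTAIN, RISKY = "safe", "uncertain", "risky"   # AMP-style dispositions


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file content is the key the reputation lookup uses."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileEvent:
    """One file seen crossing the sensor (constructed sample data)."""
    time: int            # event clock, increases monotonically
    src_host: str
    dst_host: str
    sha256: str
    disposition: str     # disposition at the moment the file was seen
    action: str          # "allow" or "block"


@dataclass
class AmpModel:
    dispositions: Dict[str, str] = field(default_factory=dict)   # hash -> cached verdict
    events: List[FileEvent] = field(default_factory=list)        # every file event, kept

    def lookup(self, digest: str) -> str:
        # Unknown hashes are 'uncertain' until the cloud or Threat Grid decides otherwise
        return self.dispositions.get(digest, UNCERTAIN)

    def inspect(self, time: int, src: str, dst: str, content: bytes) -> FileEvent:
        """Hash the file, decide inline, and record the event for later correlation."""
        digest = sha256_hex(content)
        disp = self.lookup(digest)
        action = "block" if disp == RISKY else "allow"   # only a known-bad verdict blocks inline
        ev = FileEvent(time, src, dst, digest, disp, action)
        self.events.append(ev)
        return ev

    def update_disposition(self, digest: str, new_disp: str) -> List[FileEvent]:
        """Cloud verdict change. Returns the retrospective events: files that were
        allowed earlier but would be blocked under the new verdict."""
        self.dispositions[digest] = new_disp
        if new_disp != RISKY:
            return []
        return [e for e in self.events if e.sha256 == digest and e.action == "allow"]

    def trajectory(self, digest: str) -> List[Tuple[int, str, str]]:
        """Network file trajectory: ordered hops of this hash through the network."""
        return sorted((e.time, e.src_host, e.dst_host) for e in self.events if e.sha256 == digest)


def demo() -> dict:
    """Walk through the scenario; returns the values worth checking."""
    good = b"known good installer"
    dropper = b"constructed sample: harmless bytes standing in for an unknown executable"
    amp = AmpModel(dispositions={sha256_hex(good): SAFE})
    amp.inspect(1, "10.0.0.5", "10.0.1.20", good)
    amp.inspect(2, "203.0.113.9", "10.0.1.20", dropper)     # unknown -> uncertain -> allowed
    amp.inspect(3, "10.0.1.20", "10.0.1.21", dropper)       # copied laterally, still allowed
    amp.inspect(4, "10.0.1.21", "10.0.1.22", dropper)
    retro = amp.update_disposition(sha256_hex(dropper), RISKY)   # the cloud verdict flips
    blocked_now = amp.inspect(5, "10.0.1.22", "10.0.1.23", dropper).action
    return {
        "retro_count": len(retro),                       # three connections to alert on
        "patient_zero": retro[0].dst_host,               # first host that received the file
        "entry_hop": amp.trajectory(sha256_hex(dropper))[0],
        "blocked_now": blocked_now,                      # new copies are stopped inline
        "good_file_retro": amp.update_disposition(sha256_hex(good), SAFE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```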

Page 19: NGFW components: Correlation Engine – nice picture

[Diagram: communications, app and device data and data packets are scanned; data is correlated to detect blended threats (network profiling, phishing attacks, innocuous payloads, infrequent callouts); response is prioritized (accept / block) and policies are automated with ISE. Scan network traffic, correlate data, detect stealthy threats, respond based on priority.]

Page 20: NGFW components: Correlation Engine - explained

• Available only with centralized management (FMC) at the moment.
• The system can do active and passive profiling of:
  • Network segment traffic;
  • Hosts (OS, applications, versions, AMP4E information, etc.).
• FMC has a Nessus vulnerability database as well.
• FMC can correlate:
  • Host profiles and profile changes;
  • The vulnerability DB;
  • Traffic profile changes or certain patterns;
  • Local malware and/or IPS events;
  • External AMP4E events;
  • Connection events (local and NetFlow reported);
  • Etc.
• Correlation is driven by correlation policies and can trigger 'Remediation' actions.
• Plus there are some built-in correlations that improve alerting (calculation of the impact score).

Page 21: NGFW components: Firepower Management Center

[Diagram: Firepower Management Center, centralized management for multi-site deployments: manage across many sites, control access and set policies, investigate incidents, prioritize response. Multi-domain management, role-based access control, high availability, APIs and pxGrid integration; manages NGIPS, firewall & AVC, AMP and Security Intelligence. Available in physical and virtual options.]

Page 22: NGFW components: FMC – explained

• FMC is the centralized management server for:
  • Legacy Sourcefire Firepower appliances;
  • Firepower Threat Defense (FTD) unified code based appliances;
  • Firepower modules of hybrid 'editions' (ASA code is still independently managed).
• There are plans to manage the ASA module of hybrid editions in FMC as well.
• FMC is not only management but also:
  • An important integration point: provides APIs, calls APIs (e.g. ISE pxGrid);
  • The event management, aggregation, correlation, alerting and historical data storage point;
  • Provides forensics tools as well, like different dashboards, data mining capabilities, network file trajectories, etc.

Page 23: NGFW components: Firepower Device Manager

[Diagram: Firepower Device Manager, integrated on-box option for single instance deployment: set up easily, control access and set policies, investigate incidents, prioritize response. Physical and virtual options, easy set-up, NAT and routing, role-based access control, intrusion and malware prevention, high availability, device monitoring, VPN support.]

Page 24: NGFW components: Firepower Device Manager - explained

• Embedded device manager for Firepower Threat Defense based appliances.
• Legacy Sourcefire appliances have only a status monitoring HTML GUI; ASA+FP editions use ASDM.
• FDM and FMC are exclusive: both cannot be used together.
• Main usage scenarios:
  • Simplified systems management and monitoring for simple deployments;
  • Initial deployment of the appliance by a technician at a remote site.

Page 25: NGFW components: Cisco Defense Orchestrator

[Diagram: simplify security policy management in the cloud with Cisco Defense Orchestrator. Plan and model security policy changes before deploying them across the cloud; deploy changes across virtual environments in real time or offline; receive notifications about any unplanned changes to security policies and objects. Building blocks: device onboarding (import from offline, discover direct from device), object & policy analysis, application, URL, malware & threat policy management, change impact modeling, security templates, security reports, notifications, simple search-based management, security policy management.]

Page 26: NGFW components: Cisco Defense Orchestrator - explained

• CDO is an optional, simplified cloud management platform for on-premises NGFW deployments.
• Simplified because it is a product in an 'early stage'.
• Sales are limited to qualified opportunities only.

Page 27: NGFW components: Security Intelligence

[Diagram: threat intelligence from 250+ researchers with 24 x 7 x 365 operations covering security coverage, research and response; 1.5 million daily malware samples, 600 billion daily email messages, 16 billion daily web requests; telemetry from endpoints, devices, networks, NGIPS and the web. 10x more data than what the nearest competitor sees and analyzes. Identify advanced threats, get specific intelligence, catch stealthy threats, stay protected with updates.]

Page 28: And this works... NSS proven

• The latest NSS breach detection test confirmed the effectiveness of Firepower.
• Two highlights:
  • 100% detection rate with 100% anti-evasion rating;
  • Most threats were found fast: 67% within 1 min and 91.8% within 3 min.
• Find more: www.nsslabs.com

Page 29: NGFW integrations

Page 30: APIs and programmability quick overview

• Sensors and FMC have had the eStreamer API for a long time:
  • Open specification;
  • A bit more complex.
• FMC now has a REST based API which is:
  • Simple;
  • Being developed fast;
  • Already makes possible things like Cisco ACI DC fabric integration.
• FMC can run built-in or custom external remediation modules (Perl script format) triggered by correlation policies.
• The system uses open protocols: OpenAppID, Snort signatures (STIX and TAXII on the roadmap).
• There are closed APIs used for advanced integrations like:
  • ISE pxGrid for user and endpoint identity and context information retrieval;
  • ISE EPS API calls for ISE enforced endpoint quarantine in the access layer.

Page 31: Integration with Cisco Identity Services Engine

[Diagram: ISE and Firepower Management Center exchange context over pxGrid: user context, device context and access policies propagate; TrustSec tags (Employee, Supplier, Server, Guest, Quarantine, Suspicious) drive policy automation. Set access control policies, propagate rules and context, remediate breaches automatically; establish a secure network with BYOD, guest access and segmentation.]

Page 32: Integration with MS Terminal server based VDI solutions

[Diagram: a Terminal Services Agent on the VDI host routes user information to Firepower Management Center over APIs, so users 1, 2 and 3 sharing the VDI host's single IP address are told apart individually. Route user information to Terminal Services, capture information using APIs, identify risky behavior.]

Page 33: NGFW Platforms and software 'Editions'

Page 34: Fast moving target

Page 35: It is transition time, and transitions are not always easy...

• Cisco is working on multiple NGFW transitions:
  • Moving away from legacy Sourcefire appliances to new generation platforms running the Firepower Threat Defense image.
  • Moving from legacy ASA 5500-X hardware based ASA+FP solutions to FTD on the same or new hardware.
• The industry is moving as well:
  • Firewall and IPS functions are getting virtualized at some points. They become Virtual Network Functions (NFV).
  • Virtualized security devices are many times sold as on-demand, subscription based 'services'.

Page 36: Cisco Firepower 'Editions'

[Diagram of the three editions on hardware and virtual platforms:]
• NGIPS (legacy Sourcefire appliances): Firepower NGIPS on the "legacy" Sourcefire appliance; Firepower NGIPSv on an x86 server with VMware ESXi.
• Firepower Threat Defense (unified image): FTD on ASA55xx *; FTD on Firepower 4100 / 9300 over FXOS; FTDv on an x86 server with ESXi, KVM or AWS.
• ASA with Firepower services (hybrid): ASA-OS plus Firepower NGIPS (in a container) on ASA55xx; ASA-OS on the ASA SSP and Firepower NGIPS on the FP SSP in an ASA5585 chassis.

* Except: 5585, 5505, 5512 and 5515

Page 37: NGFW / NGIPS HW / SW bundles overview

| Platform | Image(s) | ASA engine | Firepower engines | FX-OS | Redundancy | Embedded GUI | Centralized management | AMP extra storage | Radware DefensePro |
|---|---|---|---|---|---|---|---|---|---|
| Firepower 7K/8K | NGIPS | No * | Full | No | Stateful Active / Standby ** | Health status only | FMC | No | No |
| AMP 7K/8K | NGIPS | No * | Full | No | Stateful Active / Standby ** | Health status only | FMC | Yes | No |
| Firepower 4K-ASA | ASA | Full | No | Yes | Stateful A/S or A/A or clustering | ASDM | CSM | No | 4150 only |
| Firepower 4K-FTD | FTD | Limited | Full | Yes | Stateful A/S | FDM | FMC | Optional | No |
| Firepower 9300-ASA | ASA | Full | No | Yes | Stateful A/S or A/A and clustering | ASDM | CSM | No | Yes |
| Firepower 9300-FTD | FTD | Limited | Full | Yes | Stateful A/S or intra-chassis clustering only | FDM | FMC | No | No |
| ASA55xx-ASA | ASA | Full | No | Yes | Stateful A/S or A/A or clustering | ASDM | CSM | No | No |
| ASA55xx w/ FP (Hybrid) | ASA + NGIPS | Full | Full | No | Stateful A/S or A/A or clustering | ASDM | FMC + CSM | No | No |
| ASA55xx-FTD *** | FTD | Limited | Full | No | Stateful A/S | FDM | FMC | No | No |

* NGIPS only image has limited stateful FW functions embedded.
** Routed mode is stateful, switch mode is stateless.
*** ASA 5505, 5512 and 5515 are not supported.

Page 38: Firepower Threat Defense

• This is Cisco's unified NGFW code. Main things to know:
  • It replaces the stateful FW and VPN modules of the former Sourcefire code with ASA engines.
  • FTD keeps IPS-only deployment options like physical in-line, in-line tap mode and promiscuous modes.
  • It has a unified CLI and can be fully managed by FMC (former ASA functions as well).
• There are three important features missing that the ASA+SF 'hybrid edition' has:
  • Multiple context mode;
  • RA VPN;
  • Clustering.
• These missing features are being built and are going to be launched in the foreseeable future.

Page 39: FTD deployment modes

[Diagram: virtual or physical; IPS/IDS-only ports (inline, inline tap, passive), fail-to-wire NetMods, and full firewall ports (routed, transparent).]

Page 40: Firepower 4100 series

• Latest high performance 1 RU platform.
• Flexible platform with hardware acceleration where needed and with no bottleneck.
• Runs FX-OS as the chassis manager layer.
• 8 built-in 10G SFP+ ports and 2 network module slots.
• Multi-port 10G and 40G network modules with fail-to-wire (HW bypass) models.
• Modules are compatible with the FP9300 series.
• Redundant, hot-swappable power supplies and fans.
• It can run ASA or FTD 'logical devices'.
• The FP 4150 can run Radware DefensePro as well, with ASA.

Page 41: Firepower 9300 series

• Latest high performance 3 RU, modular platform.
• Flexible platform with hardware acceleration where needed and with no bottleneck.
• Runs FX-OS as the chassis manager layer.
• 8 built-in 10G SFP+ ports and 2 network module slots.
• Multi-port 10G, 40G and 100G network modules with fail-to-wire (HW bypass) models.
• 10G and 40G modules are compatible with the FP9300 series.
• Redundant, hot-swappable power supplies and fans.
• It can run ASA (optionally with DefensePro) or FTD 'logical devices'.

Page 42: Hey, what is FX-OS?!

• This is how we say: Welcome to NFV everywhere!
• It is a secure boot enabled software layer that:
  • Manages the chassis hardware;
  • Runs on a separate CPU on the FP4100 and 9300 series;
  • Allocates resources to logical devices;
  • Manages logical devices;
  • Boots and updates logical devices (securely, signed packages only);
  • Has an IOS-like CLI and an HTML GUI;
  • Was built to be highly programmable over its REST API.
• No, it is not a 'bootloader' causing extra complications.

Page 43: Virtual NGFW platforms

| Platform | ASA engine | Firepower engines | Hypervisor support | Application level redundancy | Embedded GUI | Centralized management |
|---|---|---|---|---|---|---|
| NGIPSv | No | Yes | VMware ESXi only | No | No | FMC |
| ASAv | Yes | No | ESXi, KVM, Hyper-V, Azure, AWS | Stateful Active / Standby | ASDM | CSM |
| FTDv | Yes | Yes | KVM, ESXi, AWS | Stateful Active / Standby | No | FMC |

Page 44: Firepower 6.1 – What is new?

Page 45: New features in Firepower 6.1

• FMCv and FTDv support on KVM;
• VDI identity FW in Windows Terminal Server based VDI environments;
• Safe Search and YouTube EDU policies (mainly for US customers);
• Official, built-in ISE remediation;
• Inline source SGT tags, not only on FTDv but on legacy Sourcefire appliances as well;
• On-premises AMP Private Cloud appliance support;
• On-box device manager (limited, no Java) for FTD on former ASA Saleen (5500X) platforms;
• Official FMC HA (FMC 1500, 2000, 3500 and 4000 appliances only);
• REST API through FMC only at the moment; FTD is not officially supported (though certain features work for FTD appliances);
• Rate limiting, QoS phase 1 (FTD(v) only);
• Pre-filter policies (FTD(v) only);
• Site-to-site VPN for FTD (officially supported between FTD devices only at the moment; simple 'crypto map like', no overlay routing; IKEv1 and IKEv2 are both supported);
• Multicast routing for FTD(v);
• Shared NAT policies for FTD(v), so identical NAT policies do not have to be configured on each and every FTD device;
• Support for fail-to-wire NetMods in FP4000 and FP9300 chassis, IPS inline-pair and inline-pair tap mode interfaces only;
• Unified CLI for FTD(v): you don't have to change to the 'diagnostic CLI' to see former ASA LINA CLI commands;
• True-IP policy enforcement (XFF).

Page 46: VDI identity FW in Windows Terminal Server environments

• Supports Microsoft Windows TS environments only.
• Provides user identity information for VDI users.
• The agent sends information to FMC over the REST API and does PAT as well.
• FMC configures the sensor over eStreamer.

Page 47: FMC REST API

• First REST based API opened into the Firepower system.
• FTD is officially not supported, but some parts (policy, identity) work.
• Built-in REST API explorer with script examples, available functions, etc.
• Main functions:
  • Interface, virtual switch and virtual bridge configuration (legacy NGIPS only), already used in the NGIPS ACI device pack;
  • Identity functions, already used by the VDI identity 'TS agent';
  • Policy functions: Access Rule granularity.
• Disabled by default.
• More information: http://www.cisco.com/c/en/us/support/security/defense-center/products-programming-reference-guides-list.html
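A minimal client for the token-based flow of that API, as an added example (not Cisco's code nor the API explorer's samples). The two endpoint paths and the X-auth-access-token, X-auth-refresh-token and DOMAIN_UUID response headers are taken from the FMC REST API reference as I know it and should be verified against your release; the FMC host name, credentials and domain UUID are constructed placeholders, and the HTTP transport is injected so the logic can run offline.

```python
"""Minimal FMC REST API session flow (added example, not Cisco code).

Assumed from the FMC REST API reference (verify for your release):
  POST {base}/api/fmc_platform/v1/auth/generatetoken with HTTP Basic auth
       returns X-auth-access-token, X-auth-refresh-token and DOMAIN_UUID headers;
  GET  {base}/api/fmc_config/v1/domain/{uuid}/policy/accesspolicies
       with X-auth-access-token returns {"items": [{"name": ..., "id": ...}, ...]}.
Transport callables are injected so the logic is testable without an FMC.
"""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Tuple

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
ACP_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"

# (status, response headers, body) as returned by a transport call
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, Dict[str, str]], Response]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP Basic credential for the one-time token request; not reused afterwards."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}"}


def parse_token_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Extract session material from the generatetoken response (header names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        return {
            "access_token": lower["x-auth-access-token"],
            "refresh_token": lower["x-auth-refresh-token"],
            "domain_uuid": lower["domain_uuid"],
        }
    except KeyError as missing:
        raise ValueError(f"token response lacks header {missing}") from None


def login(base_url: str, user: str, password: str, http_post: Transport) -> Dict[str, str]:
    """Trade the password for a short-lived token; only the token is kept in memory."""
    status, headers, _ = http_post(base_url + TOKEN_PATH, basic_auth_header(user, password))
    if not 200 <= status < 300:
        raise PermissionError(f"generatetoken failed with HTTP {status}")
    return parse_token_headers(headers)


def list_access_policies(base_url: str, session: Dict[str, str], http_get: Transport) -> List[str]:
    """ACP names for the session's domain; the token travels in a header, never in the URL."""
    url = base_url + ACP_PATH.format(domain=session["domain_uuid"])
    status, _, body = http_get(url, {"X-auth-access-token": session["access_token"]})
    if status == 401:
        raise PermissionError("token rejected or expired: run generatetoken or refreshtoken again")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    return [item["name"] for item in json.loads(body).get("items", [])]


def _urllib_call(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Real transport. TLS verification stays on: trust the FMC certificate through a CA
    bundle rather than disabling checks, or the token is exposed to anyone on the path."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, dict(resp.headers.items()), resp.read()


def http_post(url: str, headers: Dict[str, str]) -> Response:
    return _urllib_call("POST", url, headers)


def http_get(url: str, headers: Dict[str, str]) -> Response:
    return _urllib_call("GET", url, headers)


if __name__ == "__main__":
    # Constructed placeholders: point these at your FMC and a dedicated API-only user.
    fmc = "https://fmc.example.invalid"
    sess = login(fmc, "apiuser", "CHANGE-ME", http_post)
    print(list_access_policies(fmc, sess, http_get))
```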

Page 48: On-box device manager

• Officially called: Firepower Device Manager (FDM).
• Java-less embedded GUI for FTD, on ASA 55xx devices only at the moment.
• It is not supported to work in parallel with FMC (centralized management).
• Primary usage scenarios:
  • Small business with no IT security personnel;
  • Initial provisioning by an onsite technician.
• Limited functionality, which is going to be improved step by step in forthcoming releases.
• It has an 'Easy Setup Wizard' which can be useful during provisioning, even if FMC takes over later on.
• You may read more here: http://www.cisco.com/c/en/us/support/security/defense-center/products-programming-reference-guides-list.html

Page 49: On-box device manager

Page 50: Rate Limiting – QoS Phase 1

• Supported on FTD devices managed by FMC only.

• Uses bi-directional rate limiters; no shaping and no bandwidth reservation at the moment.

• Separate QoS policy object which can be mapped to one or more devices.

• One device can have one QoS policy only.

• The QoS policy rules can use the same object database and conditions as other policies.

• Rate limiters are applied per interface when configured for zones:

  • E.g. the DMZ zone has two interfaces, 'dmz1' and 'dmz2';

  • A QoS policy rule applies a 20 Mbps upload limit for an application towards the DMZ zone;

  • FTD limits the traffic to 20 Mbps upload on each interface separately, so the aggregate for the whole zone is 40 Mbps. Size zone-based limits with the zone's interface count in mind.

• Note: this is phase one only. QoS is actively developed in forthcoming releases.

Page 51: Pre-filter policy on FTD

• Before 6.1, Firepower automatically inspected the contents of clear-text tunnels; 6.1 adds a pre-filter stage that decides what happens to such traffic first.

• Pre-filter policies can match:

  • GRE, IP-in-IP, 6in4 and Teredo tunnels, based on 'port' numbers or custom tunnel rules;

  • Source/destination interfaces, subnets and ports.

• The pre-filter policy is applied before the Access Control Policy.

• One pre-filter policy can be enforced on a given FTD device.

• Actions:

  • Block – drops the packet;

  • Fastpath – forwards the packet without any further inspection; where the platform has a SmartNIC the flow is offloaded to it (no data-plane CPU usage). Fastpathed traffic never reaches Snort, so a Fastpath rule is an explicit inspection exemption and should be kept as narrow as possible;

  • Analyze – hands the packet to the matching Access Control Policy rule for inspection.
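The decision order the slide describes, modelled as an added example that is not Cisco's code: a first-match pre-filter evaluated on the outer headers and interfaces, a default action for whatever no rule matches, and only then the Access Control Policy. The rules and packets are constructed, and the default action (Analyze) and the outer-header signatures used for the four tunnel types are assumptions stated in the code. The point it makes is the Fastpath caveat: the GRE packet from the listed peer is forwarded without Snort ever seeing the payload it carries, while the same encapsulation from an unlisted peer falls through to the Access Control Policy.

```python
"""Model of the FTD 6.1 pre-filter stage as the slide describes it: rules match on the
outer (encapsulation) header and interfaces, first match wins, the stage runs before the
Access Control Policy, and the action decides whether Snort ever sees the packet.
Added example for this page, not Cisco code. Rules and packets are constructed; the
default action Analyze and the tunnel signatures in TUNNEL are assumptions."""
import ipaddress
from dataclasses import dataclass, field

BLOCK, FASTPATH, ANALYZE = "Block", "Fastpath", "Analyze"

# Outer-header signature assumed for each tunnel type named on the slide:
# (IP protocol number for raw encapsulations, UDP destination port for Teredo).
TUNNEL = {"GRE": ("ip", 47), "IP-in-IP": ("ip", 4), "6in4": ("ip", 41), "Teredo": ("udp", 3544)}


@dataclass
class Packet:
    label: str
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str          # "ip" (raw IP protocol), "udp" or "tcp"
    num: int            # IP protocol number for "ip", destination port otherwise
    inner: str = ""     # what the tunnel carries; the pre-filter never looks at it


@dataclass
class Rule:
    name: str
    action: str
    tunnels: set = field(default_factory=set)     # empty = any encapsulation
    src_ifs: set = field(default_factory=set)
    dst_ifs: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # CIDR strings; empty = any
    dst_nets: list = field(default_factory=list)

    def matches(self, p):
        sig = {TUNNEL[t] for t in self.tunnels}
        return ((not sig or (p.proto, p.num) in sig)
                and (not self.src_ifs or p.src_if in self.src_ifs)
                and (not self.dst_ifs or p.dst_if in self.dst_ifs)
                and _in_any(p.src, self.src_nets) and _in_any(p.dst, self.dst_nets))


def _in_any(addr, nets):
    return not nets or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)


def prefilter(rules, pkt, default=ANALYZE):
    """First matching rule decides; the policy's default action covers the rest."""
    for r in rules:
        if r.matches(pkt):
            return r.name, r.action
    return "default", default


def disposition(rules, pkt):
    """Where the packet ends up: dropped, forwarded uninspected, or handed to the ACP/Snort."""
    name, action = prefilter(rules, pkt)
    fate = {BLOCK: "dropped", FASTPATH: "forwarded, no Snort inspection",
            ANALYZE: "handed to the Access Control Policy"}[action]
    return name, fate


# Constructed policy: fast-path one known GRE peer, block Teredo, analyze everything else.
POLICY = [
    Rule("backup-gre-link", FASTPATH, tunnels={"GRE"}, src_ifs={"outside"},
         src_nets=["203.0.113.10/32"], dst_nets=["198.51.100.0/24"]),
    Rule("no-teredo", BLOCK, tunnels={"Teredo"}),
]

# Constructed packets on documentation (TEST-NET) addresses.
PACKETS = [
    Packet("gre-backup", "outside", "inside", "203.0.113.10", "198.51.100.5", "ip", 47,
           inner="HTTP request carrying an exploit attempt"),
    Packet("teredo-client", "inside", "outside", "192.0.2.20", "203.0.113.77", "udp", 3544),
    Packet("https", "inside", "outside", "192.0.2.21", "203.0.113.80", "tcp", 443),
    Packet("gre-other-peer", "outside", "inside", "203.0.113.11", "198.51.100.5", "ip", 47),
]


def run(rules=POLICY, packets=PACKETS):
    """Verdict per packet label: (rule that decided, what happens to the packet)."""
    return {p.label: disposition(rules, p) for p in packets}


if __name__ == "__main__":
    for label, (rule, fate) in run().items():
        print(f"{label:15} rule={rule:16} -> {fate}")
```

run() returns the verdict for each constructed packet; the gre-backup entry is the one to read twice, because its inner field is never consulted by anything in the pipeline once the Fastpath rule matches the outer GRE header.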

Page 52: Pre-filter policy on FTD

Page 53: Cisco Meraki Cloud Managed networks

Page 54: Cisco Meraki Cloud Managed Networking Overview

Page 55: Cisco Cloud Managed Networking (Meraki)

• Wireless access points (MR series)

• Layer 2 and Layer 3 switches (MS series)

• Security gateways (MX series)

• IP telephony (MC74)

• Mobile device management (Meraki Systems Manager)

• More on Meraki: http://meraki.cisco.com

Page 56: Cisco Cloud Managed Networking (Meraki)

• Unified cloud-based management: the 'Dashboard'.

• A complete enterprise network can be modeled with Meraki.

• Dashboard hierarchy: one 'Organization' includes one or more 'Networks'.

• Role-based access control.

• Advanced networking functions.

• Simple and fast deployment.

• Advanced troubleshooting functions.

• Partners can easily sell it as a 'Managed Networking Service'.

• Since it is fully cloud managed, it is 'cloud supported' as well: it is Cisco who checks the log files in the CLI shells, etc. for you.

Page 57: Meraki Wireless

• 802.11n and 802.11ac indoor and outdoor access points

• Dedicated 'security' radios to detect RF interference and L1/L2 attacks

• The Dashboard has an integrated CMX location analytics function

• Wireless mesh capabilities

• Seamless roaming (802.11r)

• Advanced QoS

• Advanced RF optimization and monitoring

• Extensive client monitoring and profiling

• Paid (guest) access (PayPal)

Page 58: Meraki Wireless Security

• Multiple authentication types:

  • WPA(2)-PSK

  • WPA(2)-Enterprise: Meraki (back-end) or RADIUS (can be ISE)

  • Open, with optional web authentication: RADIUS, LDAP, Facebook, Google, AUP only...

  • Web authentication can be combined with WPA (and NAC)

• Air Marshal WIPS with automated or manual containment

• NAT mode with optional peer-to-peer traffic restrictions within an SSID

• L3 and L7 (AVC) firewall and URL filtering

• Meraki MDM (Systems Manager) integration

• Simplified NAC (host compliance) that works with web authentication

• VPN tunneling from the AP to a central MX security gateway (remote/small office solution)

Page 59: Meraki wired LAN switches

• Many L2 and L3 models, some of them stackable

• 10G and NBASE-T multigigabit support

• PoE and PoE+ support

• Advanced QoS

• Security functions

• Useful troubleshooting tools: packet capture, cable test, etc.

Page 60: Meraki wired LAN security

• Port security

• DHCP guard

• Port isolation (PVLAN)

• Multiple authentication technologies:

  • Web authentication;

  • 802.1X with the Meraki back-end or an external RADIUS server.

• L3 and L7 (AVC) packet filtering

Page 61: Meraki MX Security Gateways – Cisco UTM

Page 62: Cisco Meraki MX Security Gateway overview

• This is a UTM: advanced, integrated security features implemented in a simplified way.

• Multiple hardware options, some with a built-in access point.

• Cloud managed over the Dashboard, with cross-device (MR, MX, MS) group policies.

• Advanced site-to-site VPN (iWAN)

• Flexible load balancing between two ISP uplinks

• AVC and URL filtering

• Advanced QoS (shaping, policing, dynamic routing between uplinks based on latency, etc.)

• 3G/4G support with external USB-attached modems.

• Active/Standby stateless failover support (existing sessions are not carried over on failover).

Page 63: Meraki MX Security

• L3-L7 firewall with Meraki cloud application detection

• Snort IPS engine with built-in rules and minimal customization.

• Anti-malware:

  • Currently Kaspersky;

  • Soon: Cisco AMP with Threat Grid.

• Dynamic URL filtering.

• Geolocation-based filtering.

• Web authentication.

• Identity firewall with Active Directory integration.

Page 64: Meraki MX models

Model      Where                                          Throughput                    Notable features                                                  Price (USD list)
Z1         Teleworkers (1-5 users)                        50 Mbps (FW)                  Dual-radio wireless                                               not listed
MX64/64W   Small branch (~50 clients)                     250 Mbps (FW) / 200 (UTM)     802.11ac wireless (MX64W)                                         $595 / $945
MX65/65W   Small branch (~50 clients)                     250 Mbps (FW) / 200 (UTM)     PoE+, dual WAN, 802.11ac wireless (MX65W)                         $945 / $1,245
MX84       Mid-size branch (~200 clients)                 500 Mbps (FW) / 300 (UTM)     SFP ports                                                         $1,995
MX100      Mid-size branch / small campus (~500 clients)  750 Mbps (FW) / 650 (UTM)     SFP ports                                                         $4,995
MX400      Large branch / campus (~2,000 clients)         1 Gbps (FW) / 1 Gbps (UTM)    Power redundancy, modular interfaces, SFP or SFP+ (with modules)  $15,995
MX600      Campus / VPN concentration (~10,000 clients)   1 Gbps (FW) / 1 Gbps (UTM)    Power redundancy, modular interfaces, SFP or SFP+ (with modules)  $31,995

All models support 3G/4G. FW = firewall-only throughput; UTM = throughput with the UTM security services enabled.

Page 65: Example: MX65W hardware elements included

Page 66: MX ordering and BoM example

• Ordering a Cisco Meraki unit requires two items:

  • Hardware;

  • A 1, 3, 5, 7 or 10 year license.

• Example: MX84 with a 3-year Advanced Security license (prices in USD, list):

Name / Catalog Num   Vendor        Description                            Qty  Unit Price  Duration  Prorated Unit List Price  Extended Price  Discount %  Total Price
LIC-MX84-SEC-3YR     Cisco Meraki  MX84 Advanced Security                 1    4000,00     0         4000,00                   4000,00         0,00        4000,00
MX84-HW              Cisco Meraki  MX84 Cloud Managed Security Appliance  1    1995,00     0         1995,00                   1995,00         0,00        1995,00
                                                                                                                                               Total       5995,00

Page 67: Meraki MX VPN

• Simple remote-access VPN using the native VPN client of common operating systems.

• AnyConnect-based remote-access VPN is on the roadmap.

• Hub & spoke or mesh site-to-site VPN among Meraki devices:

  • Automated configuration;

  • The IPsec and IKE policies cannot be tuned;

  • Split or full tunneling (it is possible to concentrate Internet breakout at dedicated hub locations);

  • iWAN capabilities: with dual WAN uplinks, it is possible to have dual VPN connections with quality-based routing.

• IPsec/IKEv1 site-to-site VPN tunnels to other Cisco and third-party devices:

  • IKEv1 only;

  • Pre-shared key authentication, so use a long random secret and a different one per peer;

  • IKEv1 and IPsec settings can be tuned in this case, so the proposals can be matched to what the other side requires.

Page 68: Meraki MX vs. Cisco ISR

Feature group                 Feature                               On-premise: Cisco ISR                 Cloud managed: Meraki MX
Intelligent Path Selection    Load Balancing                        Yes                                   Yes
                              Policy-Based Path Selection           Yes (L7 / app level)                  Yes (L3-L4, based on loss, jitter, latency)
                              Number of Paths Supported             Multiple (any transport)              2 (broadband, 4G, MPLS)
                              Rapid Failure Detection & Mitigation  Yes (blackout & brownout)             Yes
Security & Compliance         Virtual Private Network               Yes                                   Yes
                              Firewall                              Yes                                   Yes
                              Intrusion Prevention & Detection      Yes (Snort)                           Yes (Snort)
                              Content/URL Filtering                 Yes (Cloud Web Security)              Yes (built-in)
                              Anti-Virus / Malware Detection        AMP                                   AMP (Kaspersky today, AMP planned; see Meraki MX Security)
Transport Independence        WAN Connectivity                      T1/E1, T3/E3, Serial, xDSL, Ethernet  Ethernet
                              Cellular                              Yes (integrated/module)               Yes (USB dongle)
                              IPv6                                  Yes                                   Planned (2H2016)
Application Optimization      WAN Optimization                      Yes (WAAS)                            No
                              Content Caching                       Yes (Akamai)                          Yes (Squid cache)
                              Application Visibility                Yes                                   Yes
                              Congestion Control                    Yes (HQoS)                            Yes (L7 traffic prioritization)
Unified Communications        Voice Gateway                         Yes                                   No
                              Session Border Controller             Yes                                   No
                              Call Control Agent                    Yes                                   No
Routed Protocols              OSPF                                  Yes                                   Supported at the headend
                              EIGRP                                 Yes                                   No
                              BGP                                   Yes                                   Planned (FY17)
Integrated Storage & Compute  Integrated Compute                    Yes (UCS E-Series)                    No

Page 69: Meraki MX vs. ASA/Firepower major differences

• Less granular and less flexible policies.

• Less customizable and less granular logging.

• Less granular reporting and monitoring.

• No AMP for Endpoints (AMP4E) integration (network AMP is on the roadmap only).

• No granular file filtering.

• Less granular AVC functionality, no integration with the IPS engine.

• Far less customizable IPS (Snort) engine, no customization of preprocessors at all.

• No multiple context mode.

• Less granular 'forensics' capabilities.

• Host profiling is less granular and not security focused.

• No built-in vulnerability analysis engine.

• No Indicator of Compromise (IoC) support.

• No IPv6 support yet.

• Etc.

Page 70: Real quick demo and Q&A

Page 71: Threat Scan POV offer

• With this offer, you will:

  • Gain valuable information on your network, including critical attacks;

  • Reduce risk and make security a growth engine for your business.

• This offer is valid through December 29th, 2016 in Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, Switzerland and the United Kingdom.

• For more information and to request a Threat Scan POV, go to www.cisco.com/go/threatscanpov
