
Meraki and the Cisco Security Architecture

Steve Harrison
Security SE Lead EMEA, Cisco Meraki
7th December 2017

#WWST #CISCOVT #CISCOSE


Key Learning Objectives

At the end of the session, you should:


• Understand at a high level how Cisco Meraki networking and
security products integrate with core Cisco Security solutions
• Be aware of any key differences or limitations in how these
integrations function
• Know what new or improved integrations are in development



Security architecture and integrations overview

[Diagram: Cisco Security Architecture with the Meraki products overlaid]
Architecture areas: Analytics and Insights; Threat Intelligence; Cloud and Web Security; Posture and Policy (Cisco ISE and TrustSec); Network Infrastructure; Malware; Remote Access; Intrusion Prevention; Endpoint Management.

Meraki products shown against the architecture:
• Firewall – Meraki MX
• Switching – Meraki MS
• Wireless – Meraki MR
• Endpoint Management – Meraki Systems Manager

Legend (colour-coded in the slides): Limited integration or interoperability / Deeper integration / Active development or beta


Integrations deep dive
Current Integrations – StealthWatch
Integration details
• NetFlow export from MX can be consumed by Stealthwatch
Key limitations
• No Flexible NetFlow
• No NAT flow stitching
• No NetFlow on MS/MR



Current Integrations – ISE and TrustSec
Integration details
• Authentication using ISE across MX / MS / MR
• Change of Authorization and profiling/posture support for MS and MR
• IP-based SGT assignment using RADIUS accounting for MS and MR
• Enforce Systems Manager enrollment using ISE and provide posture data to ISE from SM
• Organization-specific MDM enrollment redirect for streamlined onboarding
Key limitations
• No profiling or posture support on MX
• No TrustSec capability on MX



IP-SGT using RADIUS accounting

[Diagram: Microsoft Active Directory, ISE and a Meraki network device. ISE builds the IP Address to SGT table from the RADIUS accounting sent by the Meraki device.]

IP Address      SGT
10.1.10.1       Auditor

Groups shown: Auditor; Application Servers (SGT: App Servers); PCI Servers (SGT: PCI Servers).
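As an added example (not Cisco or Meraki code) of the IP-based SGT assignment the previous slides describe: a small model of how ISE can bind the SGT chosen at authorization to the client IP learned from the access device's RADIUS accounting, including the Stop that tears the binding down. The session id, SGT name and packet contents are constructed; only the RFC 2865/2866 codes are real.

```python
# Added example (not Cisco or Meraki code): an ISE-style IP-to-SGT table derived from RADIUS
# accounting sent by an access device that has no native TrustSec support (RFC 2865/2866 codes).
import struct
ACCOUNTING_REQUEST = 4                                      # RADIUS packet code
FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 8, 40, 44    # attribute types
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3               # Acct-Status-Type values

def parse_accounting(pkt: bytes) -> dict:   # -> {attribute type: raw value}
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    avps, pos = {}, 20                      # 4-byte header + 16-byte Authenticator
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        avps[t] = pkt[pos + 2:pos + l]
        pos += l
    return avps

def build_accounting(status: int, session: str, ip: str = "") -> bytes:  # constructed sample packet
    avp = lambda t, v: bytes([t, len(v) + 2]) + v
    body = avp(ACCT_STATUS_TYPE, struct.pack("!I", status)) + avp(ACCT_SESSION_ID, session.encode())
    if ip:                                  # Framed-IP-Address is absent until the client holds a lease
        body += avp(FRAMED_IP, bytes(int(o) for o in ip.split(".")))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

class IpSgtTable:
    """The SGT chosen at authorization (per session) is bound to the IP learned from accounting."""
    def __init__(self, session_sgt: dict):
        self.session_sgt = session_sgt      # Acct-Session-Id -> SGT from the authorization policy
        self.bindings = {}                  # ip -> (sgt, session)
    def on_accounting(self, pkt: bytes) -> dict:
        avps = parse_accounting(pkt)
        session = avps[ACCT_SESSION_ID].decode()
        sgt = self.session_sgt.get(session)
        if sgt is not None:                 # a session never authorized here binds nothing
            if struct.unpack("!I", avps[ACCT_STATUS_TYPE])[0] == ACCT_STOP:
                self.bindings = {ip: b for ip, b in self.bindings.items() if b[1] != session}
            elif FRAMED_IP in avps:         # Start or Interim-Update carrying the client IP
                self.bindings[".".join(map(str, avps[FRAMED_IP]))] = (sgt, session)
        return {ip: s for ip, (s, _) in self.bindings.items()}

def demo() -> dict:
    """Auditor session from the slide: Start without IP, Interim-Update with 10.1.10.1, then Stop."""
    table = IpSgtTable({"sess-1": "Auditor"})
    table.on_accounting(build_accounting(ACCT_START, "sess-1"))                     # no IP yet
    after_interim = table.on_accounting(build_accounting(ACCT_INTERIM, "sess-1", "10.1.10.1"))
    after_stop = table.on_accounting(build_accounting(ACCT_STOP, "sess-1", "10.1.10.1"))
    return {"after_interim": after_interim, "after_stop": after_stop}   # {'10.1.10.1': 'Auditor'}, {}
```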


Current Integrations – AnyConnect
Integration details
• Deploy AnyConnect via Systems Manager
• Provision and deploy endpoint VPN profiles via Systems Manager
Key limitations
• No AnyConnect support on MX

In development
• IKEv2 support for IPsec RA VPN (first phase of AnyConnect support for MX)



Current Integrations – Umbrella
Integration details
• Use Umbrella resolvers for DNS resolution when serving DHCP from MX / MS / MR
• Deploy Umbrella Roaming Client using Systems Manager
Key limitations
• No eDNS forwarding capability
• No visibility into applied Umbrella policies in Meraki Dashboard
In development
• Apply Umbrella policies to MR wireless SSIDs
• Automatically deploy Umbrella roaming client policies using Systems Manager



Current Integrations – AMP
Integration details
• AMP for Networks (with Threat Grid sandboxing in beta) on MX
• Native malware event visibility in Meraki Dashboard via Security Center
• Retrospective alerting via Dashboard and email alerts
• Deploy AMP for Endpoints using Systems Manager
Key limitations
• No correlation/trajectory between AMP on MX and AMP for Endpoints
• Only files downloaded via HTTP are inspected on MX
In development
• Automatically deploy AMP for Endpoints (Clarity) policies using Systems Manager



AMP and Threat Grid Integration with MX

Service      1. File Reputation             2. File Analysis                3. File Retrospection
Function     Blocking of known malicious    Behavior analysis of unknown    Retrospective alerting upon
             files                          files                           disposition change
Powered by   AMP Cloud                      Threat Grid                     AMP Cloud

*Trigger


Architecture

[Diagram: AMP Cloud (File Reputation with clean / malicious / unknown dispositions ✓ ✖ ?, plus Threat Intelligence) and Threat Grid (File Analysis plus Threat Intelligence) feeding the integrated products.]

Integrated products:
• Network: NGFW, NGIPS, ISR
• Email: ESA / CES
• Web: WSA / Umbrella
• Host: Endpoint
• Network attached controls: ISE, Stealthwatch, Meraki MX


Threat Grid Privacy and Sample Visibility
• Every sample submitted to Threat Grid Cloud gets tagged:
  • Public – Sample and sample report are searchable by TG users
  • Private – Sample is only visible to the submitting organization
• All automated submissions from any Cisco Security product integration (including Meraki) are always marked private
• Public / Private tags can be changed in the TG Portal after file analysis is completed

Public / Private tags indicated in Threat Grid portal


Meraki Security Center Events

[Screenshot of the Security Center view]
• Aggregated view of security events
• Quick drill into file analysis results
• Identify clients and networks that are potentially infected


Current Integrations – Snort IPS
Integration details
• Three curated IPS rulesets for detection or prevention
• Native IDS/IPS event visibility in Meraki Dashboard via Security Center
Key limitations
• No customization of IPS rule sets
• Single-packet flows will not be blocked due to Snort not being run in-line

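Added example (not Meraki or Snort code) for the last limitation above: a constructed model of an inline engine beside a tap-mode engine that inspects a copy of each packet after forwarding it, run over constructed traffic containing a multi-packet TCP flow and a one-packet UDP flow. `EVIL-MARKER` is a stand-in for a rule match, not a real signature.

```python
# Added example (not Meraki or Snort code): why an IPS that inspects a copy of traffic alerts on,
# but cannot block, single-packet flows. Both engines below are constructed models.
from collections import namedtuple

Packet = namedtuple("Packet", "flow payload")   # flow: 5-tuple-like key; payload: bytes

def matches_signature(payload: bytes) -> bool:
    """Stand-in for rule evaluation: a constructed marker instead of a real rule."""
    return b"EVIL-MARKER" in payload

def run_inline(packets):
    """Inline IPS: the verdict is computed before the packet is forwarded."""
    forwarded, blocked_flows = [], set()
    for p in packets:
        if p.flow in blocked_flows or matches_signature(p.payload):
            blocked_flows.add(p.flow)           # this packet is dropped
            continue
        forwarded.append(p)
    return forwarded, blocked_flows

def run_tap(packets):
    """Tap-mode IPS: the packet is forwarded while a copy is inspected; a match
    only installs a block for the rest of the flow."""
    forwarded, blocked_flows = [], set()
    for p in packets:
        if p.flow in blocked_flows:
            continue                            # later packets of a flagged flow are dropped
        forwarded.append(p)                     # forwarded first ...
        if matches_signature(p.payload):        # ... inspected afterwards
            blocked_flows.add(p.flow)
    return forwarded, blocked_flows

# Constructed traffic: a multi-packet TCP session and a one-shot UDP datagram, both matching.
TRAFFIC = [
    Packet("tcp 10.0.0.5:51000->203.0.113.9:80", b"GET /a HTTP/1.1"),
    Packet("tcp 10.0.0.5:51000->203.0.113.9:80", b"EVIL-MARKER stage1"),
    Packet("tcp 10.0.0.5:51000->203.0.113.9:80", b"stage2 data"),
    Packet("udp 10.0.0.7:40000->203.0.113.9:53", b"EVIL-MARKER single shot"),
]

def compare() -> dict:
    """Per engine: packets let through, flows that raised an alert, matching packets delivered."""
    result = {}
    for name, engine in (("inline", run_inline), ("tap", run_tap)):
        fwd, blocked = engine(TRAFFIC)
        result[name] = {"forwarded": len(fwd), "alerted_flows": len(blocked),
                        "malicious_packets_forwarded": sum(matches_signature(p.payload) for p in fwd)}
    return result   # tap delivers both matching packets; the UDP flow is alerted on but never blocked
```

Both engines raise the same two alerts; only the tap-mode counts show that the alerting packet of each flow, and therefore the whole single-packet UDP flow, reached its destination.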


Security Appliance > Threat Protection



Two-way communication with Talos
“Inbound”
• Talos threat research and intelligence informs Snort signatures and the AMP malware database used on the MX
“Outbound”
• Snort IPS telemetry data is provided back to Talos to inform threat research activities
• AMP lookup data from MXes is available to Talos, just like with other platforms


Security Connector: How it works
Seamless UX for admin-users
One-time registration syncs all products together

[Diagram: Umbrella Dashboard, Meraki SM Dashboard and Clarity (AMP) Dashboard]
• Meraki SM pushes iOS identities* to the Umbrella Dashboard and to the Clarity (AMP) Dashboard
• The Umbrella Dashboard and the Clarity Dashboard each map their policies to those identities
• Meraki SM can create or pull Umbrella or Clarity policies, and pulls Umbrella policies and Clarity policies
• Meraki SM pulls per-device iOS identities* from supervised devices automatically enrolled with Meraki, and pushes per-device configurations for the Cisco Security Connector reflecting one or both policies

* iOS identities include device serial numbers, friendly names, and group profiles.


Zero-touch UX for end-users
Visibility and control

[Diagram: Umbrella Dashboard, Clarity (AMP) Dashboard and an iOS device running the Cisco Security Connector]
• Umbrella Dashboard: internet requests attributed by iOS identity (encryption and enforcement)
• Clarity (AMP) Dashboard: app traffic flows attributed by iOS identity and app (auditing and correlation)
• On the device: one app, two extensions (Umbrella app extension and Clarity app extension)
• Works anywhere: on- and off-network; automatically provisioned via Meraki


CISCO SECURITY CONNECTOR

Umbrella app extension on your device

Umbrella global network and dashboard in the cloud

Customer benefits
• Real-time visibility and control for who (e.g. iOS identity) goes where (e.g. domain or URL) on the internet
• Defends users against phishing attacks and accidental browsing to bad sites
• Protects data against exfiltration to malicious destinations and encrypts internet (DNS) requests

New on your device
• DNS-layer enforcement per mobile identity, which supports IPv6 [1]
• Customizable URL blocking via the Intelligent proxy is supported
• Auto-configures split-DNS for local domains
• Auto-disables when an existing VPN is active
• Debugging supported by end-user UI

New in the cloud
• Mobile device identity type (for iOS) supported for policies and reports [2]
• Search any identity type using a partial name and select all matching identities

1. Requires NAT64 at the edge or border gateway, which all or nearly all customers will have.
2. Some customers had a legacy identity type for iOS.


CISCO SECURITY CONNECTOR

Clarity app extension on your device

AMP cloud servers and AMP Clarity dashboard in the cloud

Customer benefits
• Audits all traffic flows generated by iOS users, apps, and system processes before encryption to gain URL-level granularity
• Correlates traffic flows to gain insights per app or device, facilitating incident investigations
• Surfaces the most and least used apps across your organization, which may identify policy issues

New on your device
• Audits all traffic flows* generated by the device and associated by app, which supports IPv6
• Debugging supported by end-user UI

New in the cloud
• Management tab updated to support iOS identities
• New dashboard tab for iOS devices featuring trajectory of app and network usage
• New report tab to communicate iOS specific issues

* Socket type, protocol, port, and local IP address are collected for all flows. And the full URL path—minus query string—is collected for HTTP/S connections.


To Review
Now you know…
• How Cisco Meraki networking and security products
integrate with core Cisco Security solutions
• What the key differences or limitations are in how these
integrations function
• What new or improved integrations are in development



Additional Resources

• Security Connector TDM
• Network Security High Level Positioning
• Meraki MX BDM Deck
• ISE / Meraki Integration Guide
