Cisco Meraki Security Appliances & SD-WAN

Captions
In this training we will discuss the features of the Cisco Meraki security appliances, including their support for Cisco SD-WAN. The MX is the Cisco Meraki series of security appliances. The MX is a 100% cloud-managed appliance providing comprehensive security, networking and application control. There are several different MX models, as well as features that include automatic site-to-site VPN, malware protection, software-defined WAN and high availability. Let's get started with an MX platform overview.

On top of the standard security features you would expect to find in a quality next-generation security appliance, such as stateful firewalling, intrusion detection and prevention services and VPN capability, the MX also includes software-defined WAN, content filtering, advanced malware protection, layer 7 visibility and traffic shaping. From a reliability standpoint, each model of MX has dual fixed LAN interfaces and a cellular uplink to maximize the uptime of your network. They also support a warm spare failover and redundant power supplies on certain models. Being cloud managed, threat definitions and filter lists are automatically updated as soon as a new vulnerability or malicious website is identified. Definitions, security patches and new feature updates are pushed out from the cloud to each of your devices. This ensures your networks are always up to date and protected. These updates can be delivered as soon as they become available or in a pre-scheduled maintenance window that suits your needs. The single-pane-of-glass cloud-based dashboard provides end-to-end visibility and reporting for all your Meraki devices. Rich graphical reports, in-depth usage analytics and intuitive configuration and troubleshooting tools are all included out of the box. They are accessible wherever you have a browser and an internet connection.

There is an MX security appliance to suit every network. The Cisco Meraki Z series teleworker gateways are ideal devices for ultra-small offices, telecommuters, or even as a remote access out-of-band management device. The Z3C model contains a built-in cellular 3G/4G failover option for added reliability. For small branch applications, the MX64 is the most popular device in the MX portfolio, making up over 50 percent of all security appliances shipped to date. The MX67 and 68 are more powerful models that are capable of handling up to 450 megabits of firewall throughput and up to 200 megabits of VPN throughput. The MX68 models further add to the hardware feature set by providing two PoE+ ports. The MX67 and 68 family have a C variant, which signifies the built-in cellular capabilities of those models; the cellular SIM slot allows for an integrated backup connectivity option. Across the MX64, 67 and 68 family is the W variant, which signifies the wireless capabilities of those models. The built-in wireless is capable of broadcasting up to four separate SSIDs, serving clients at 802.11ac or higher speeds. The MX64, 67 and 68 models are all recommended for installation for up to 50 users and serve as a great branch-in-a-box solution.

For the medium branch we offer the MX84 and MX100. The MX84 has 10 copper gigabit Ethernet interfaces and two SFP ports. Firewall throughput is 500 megabits per second and VPN throughput is 250 megabits per second. The device is recommended for networks of up to 200 users. The MX100 has nine copper gigabit Ethernet interfaces and two SFP ports. Firewall throughput is 750 megabits per second with VPN throughput of 500 megabits per second. Select this device for networks of up to 500 users.

For the larger branch, campus or VPN concentrator we offer the MX250 and MX450. Both models offer two 10 gig SFP+ interfaces for high-speed connectivity, and eight copper, eight fiber and eight 10 gig SFP+ interfaces for flexible LAN connectivity needs. The MX250 is rated for four gigabits per second of stateful firewall throughput and up to 2,000 users, while the MX450 is rated for up to six gigabits per second of firewall throughput and up to ten thousand users. Lastly, the vMX100 is Meraki's only appliance that is available as a virtual machine, with two versions currently available: one version for AWS and the other version for Azure. When deployed, the vMX can support up to 500 megabits per second of VPN throughput and is managed through the Meraki dashboard just like any other piece of Meraki hardware.

The MX security appliance is an exception to the Meraki portfolio in that it supports two levels of licenses. The features included with the Enterprise features license are extremely powerful and may exceed many of your customers' needs. The Auto VPN feature is a reason alone to choose MX for your networks. This is a cloud-brokered VPN service that allows you to build a dynamic, self-healing, resilient IPsec VPN in a couple of clicks of your mouse. Software-defined WAN adds intelligence and automation to your traffic flows. It's a transport-independent service that supports policy-based routing and allows for dynamic path selection based on application type, link quality and other factors. High availability failover ensures maximum uptime for your network in the event of a device failure. Application control and traffic shaping allow you to get very granular with what you want to allow on your network and how you determine the level of bandwidth you want to allocate to each application type.

The slightly more expensive Advanced Security license includes all of the Enterprise features plus a bundle of additional security subscription services to enhance your appliance's capability. Advanced Security license features include Google SafeSearch and YouTube for Schools; Cisco Advanced Malware Protection with its global threat intelligence network; Cisco Sourcefire IDS and IPS to detect and protect traffic between the internet and the LAN as well as VLAN to VLAN; Threat Grid behavior monitoring to establish file dispositions through executing potentially malicious files in a sandbox environment; and an IP geolocation database for geography-based firewall rules.

The most important thing to know about these two licenses: you must be running the same licensing level organization-wide. You may have multiple networks within your organization. You may want to run Advanced Security at your head office but want to run Enterprise at the branch offices and for the teleworkers. Unfortunately, you are not able to do this. All MXs within an organization must be licensed to either all Enterprise or all Advanced Security. There is a workaround for this, however: you could put the headquarters MX in one organization and the branch office in another, but this approach is not ideal. First, you will lose your aggregated end-to-end reporting and analytics, as these roll up to an organizational level. Second, you won't be able to take advantage of the Auto VPN to automatically configure and heal your site-to-site VPNs. You can still set up the non-Meraki VPNs between organizations like you would to an ASA or Azure, but you will lose some of the really compelling features that are in Auto VPN. So our recommendation is to have all MXs in one organization.

Traditionally, VPNs have been complicated to set up and support, and they are prone to misconfiguration. In the past, pre-configured devices still required on-site help from staff with little to no technical experience. The Meraki MX Auto VPN feature provides the ability to set up VPNs in a simple, automatic and resilient manner. With the Meraki MX Auto VPN feature, all the challenges of site-to-site VPNs are removed. Because all Meraki devices talk to the centralized cloud dashboard to fetch their configurations, you will never again end up in a situation phoning on-site staff and walking them through fixing an offline device. Not only is the distribution of configurations seamless, the actual setup of the VPN couldn't be easier. It's a simple matter of clicking on a radio button to select whether your MX is a hub or a spoke. Then, if you have selected spoke, pick a hub from the drop-down list. Now, if you want to add resiliency to your network, you can select a second hub, or a third, then arrange them in order of preference. Finally, browse the list of local networks and check yes or no as to whether you would like them to be on the VPN. You're done. It is as simple as that. You now have a fully resilient hub-and-spoke VPN between your sites. Because the VPN is cloud brokered, if the MX is on a dynamic IP and changes its address, it will simply update the dashboard and the new configuration will be pushed out to all the other MXs that are participating in your VPN. From a monitoring and troubleshooting perspective, the dashboard gives a really beautiful and intuitive view of your VPNs. Through the dashboard you get to view usage and latency graphs, a breakdown of all peer information, and charts that display how much traffic is traversing each site-to-site link.

The Cisco Advanced Malware Protection team and the Cisco Meraki MX team work really hard to bring the best anti-malware solution in the industry to the MX platform. Now that it is fully integrated into the Cisco solution portfolio, the MX gets access to the AMP global intelligence database just by using the Cisco Meraki dashboard. Like all things at Cisco Meraki, we offer comprehensive features with minimal complexity. The AMP intelligence database has over half a billion known files and receives a million new samples every day. This means your network can be protected from even the newest of threats, because the AMP database is being updated every hour. With AMP, downloaded files get checked in real time against the global AMP database and are blocked immediately if they are deemed malicious. However, no solution can detect 100 percent of the malware; one of your users may be unlucky enough to be patient zero. AMP from Meraki can even retrospectively detect malware. Suppose your user happens to download some malware that had not yet been identified as a threat. A few hours or even a few days later, this download is tagged as a threat. As the administrator, you would be notified about this new threat so you could take corrective action against the files that have already been downloaded. The Meraki Security Center gives you a graphical view of what threats have been blocked, where those threats are coming from, and which users or hosts are triggering them. It also combines information from the IPS and IDS so you are presented with a more holistic view of your security landscape. Lastly, Threat Grid provides sandbox execution of unknown files, either in the cloud or in a local sandbox. You can monitor and play back the actions performed by a file to determine its intent, malicious or otherwise.

Software-defined WAN, or SD-WAN, provides MPLS-like functionality at a fraction of the cost or complexity. There are four main areas that Gartner says are required to classify a solution as SD-WAN. The first of those is transport independence: the solution must be completely agnostic to the underlying connection type; it must support multiple connection types. In other words, according to Gartner, it should not make any difference if you build your SD-WAN over the top of an existing carrier MPLS network, public internet, LTE, 3G, satellite or even dial-up; an SD-WAN will work. In the case of Cisco Meraki, for example, a Cisco Meraki SD-WAN deployed over MX appliances provides this transport resiliency and independence. Secondly, SD-WAN needs to offer dynamic path selection. The SD-WAN-enabled appliance must be able to identify multiple paths and offer some sort of intelligence in how it chooses to best route to the destination without manual intervention. Third, there must be a simple interface for managing the WAN. If the interface is not simple, we might as well go back to hand-configuring MPLS PE routers via the CLI. Lastly, the solution must support VPNs to create an overlay WAN. We need to stitch together all these features somehow, make sure it is secure, and advertise our local networks to remote sites. This is achieved by the use of virtual private networks. The Meraki appliances absolutely meet and exceed all of the requirements set by Gartner.

So how is the Meraki software-defined WAN implemented? SD-WAN completely abstracts the transport away from the service, giving complete transport independence. We do this by using the Auto VPN functionality: as long as there is IP reachability, Auto VPN will build the IPsec overlay tunnels between sites. Application optimization: as with all Meraki devices, application visibility is built right in. You can use this application awareness, combined with QoS and traffic shaping, to ensure super-granular control over the traffic flows on your WAN. Meraki supports not only failover and load sharing but granular, intelligent path selection and control based on the individual traffic flows and traffic types. You can set specific rules based on source address, destination address, port number, application type, or a combination of any number of these. As well as abrupt failover when a link goes down, Meraki also supports soft failover of individual traffic types based on custom criteria. For example, you could set up a performance class indicating that voice over IP traffic should be on a path with less than 150 milliseconds of delay. The preferred link of this voice service may not fail completely, but due to congestion or upstream issues it may have high latency. The MX device will monitor these thresholds and dynamically move the voice traffic over to a more suitable WAN connection. No waiting for users to call up and complain about voice quality; no manual intervention is required. This is intelligent path control. And from a security perspective, the overlay VPN isn't just providing a virtualized transport; it is also providing a secure encrypted tunnel. This can give you the comfort that your private corporate data can traverse the public internet without any fear of compromise.

Mission-critical networks can't afford to be down. Cisco has built several layers of redundancy into the Meraki MX product line to protect your networks against WAN failure, power interruption and appliance faults. In the event of an appliance failure, the warm spare feature will ensure that your site stays online automatically. Because your configurations and features are synchronized from the cloud, all of your firewall rules, DHCP configuration and leases, VPNs and advanced security services will continue to operate off the backup device. Virtual Router Redundancy Protocol ensures minimal interruptions in the client devices as the switchover happens. Dual redundant WAN connections mean you have the option of protecting your network connectivity to the internet via multiple service providers. This can be achieved with a basic failover or using concurrent load balancing if required. Granular traffic control rules allow you to specify which traffic takes priority on each link and ensure that in a failover event your most critical traffic continues to operate as expected. All MX devices also support cellular WAN, providing a third option to access the internet in the event of a total exchange outage or a black-hole outage event. High availability is simple to configure, and monitoring of links and devices is all directly from the dashboard. Alerts can be configured to notify the administrator of a failure event so a ticket can be raised with your service provider or an RMA arranged for the device.

The Meraki MX sizing guide is a fantastic resource to help you answer the most common questions about the MX security appliance. The sizing guide provides a side-by-side comparison of each model of MX. Simply select the physical requirements, such as port quantity and type, PoE power and so forth, then compare the line-rate network performance. The sizing guide goes on to articulate each security feature and the comparative performance impact of enabling that service. Most useful, though, are the real-world use cases. These cases have been developed in collaboration between product development, engineering and the sales teams off real-world customer networks. Do you want to know what a K-12 school with limited bandwidth would look like? How will the device perform with NAT, content filtering, layer 7 firewall rules, traffic shaping, malware protection, SafeSearch and web caching all turned on? It's there in the sizing guide. How about a college that is a high-bandwidth user but only wants to enable NAT, malware protection and layer 7 to block BitTorrent? Well, that is in the sizing guide too. Retail, services, for branches or head offices: all included in the sizing guide. So the MX sizing guide is the go-to guide for comparing Meraki products against each other, as well as for comparing them to the competition. The sizing guide is constantly revised and updated as new products and features are added to the Meraki security portfolio. The MX sizing guide is available on our website at the link shown at the bottom of the screen. Alternatively, type "Meraki MX sizing guide" into your favorite search engine. This completes our discussion of Meraki security and SD-WAN. Thank you.
Info
Channel: Covene LLC
Views: 977
Keywords: meraki, sd-wan, security appliances, mx-series, mx
Id: 98KCKvsBs2k
Length: 22min 31sec (1351 seconds)
Published: Wed Sep 30 2020