March 2019 - Fractional CISO

Managing your WiFi network is child’s play with the Cisco Meraki.

You may be considering making changes to your network or starting a new company or branch office. What should you do to minimize your organization’s cybersecurity risk?

When we moved into a new office, I was responsible for setting up the network. This included selecting the right network equipment for our organization.

As a security company, network security is obviously very important to us. We are also a small business, and we can’t afford to spend a lot of our time and resources configuring and maintaining the network. When we looked for network solutions, we wanted something that was both highly secure and low-maintenance at the same time.

Meraki’s Security Appliance was a great fit on both of these fronts – and we do not regret our decision. That is why I decided to write this Meraki Review.

The network tools are easy to set up, easy to troubleshoot, and easy to monitor and maintain. The Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) give top network people peace of mind in a fast-paced, high-stakes IT world. Here are some of the points of evaluating this suite in terms of its utility for business.

Criteria 1: Security

Meraki offers two types of licensing options: Enterprise and Advanced Security License.

The standard Meraki Enterprise License – This license gives you a stateful inspection firewall with VPN capabilities. Custom Splash pages, traffic shaping, and HTML caching are also included. It is a pretty basic set of capabilities.
The Advanced Security License (ASL) – This license enables the higher-level features that were more suitable for our security-focused needs. This license turns on the following capabilities:
Intrusion Protection and Detection powered by Snort,
Anti-Virus and Anti-Phishing powered by Kaspersky,
Web Search and Content Filtering,
Geography-Based Firewall Rules

ASL also has Advanced Malware Protection that enables malware detection, blocking and continuous analysis, along with retrospective actions and alerting. This is a huge game-changer and complements Cisco’s Threat Grid, which combines sandboxing and threat intelligence into one unified solution.

ASL is a huge improvement over the Enterprise license. Meraki’s “always automatically updated” policies make sure that the various intrusion, virus, and phishing databases are continuously updated. That means there’s no burden on admins to keep the definitions up to date. So, even though the ASL is almost double the cost of the Enterprise license, it is totally worth it.

Criteria 2: Easy to set up, use, and manage

Have you wondered how amazing it would be if network firewalls had the same kind of automated patch routines as computers and servers? … you could just remotely access and manage your network securely while you worked from home!

Meraki provides automated connection capabilities. Setting the device up is as easy as creating an account and adding all devices to the network using the single web interface.

That interface is the central point of visibility where your devices can be automatically configured, monitored and managed. The cloud controller allows all indoor and outdoor network components to work together seamlessly.

The Cloud Controller

Having central visibility built into all devices helps ensure that all the products are up to date on software versions. If the connection to the controller is lost, the network functionality remains unaffected, because the Cloud Controller is hosted by Cisco via an out-of-band connection. It doesn’t require an onsite server or appliance.

The Cloud Controller provides monitoring and automatic alerts.

The interface allows you to view detailed historical logs of events like security occurrences, client DHCP leases, and VPN events. The best part is, it can be filtered down by event category, by timespan, and even by specific client devices very easily. For further manipulation and extrapolation for analysis and reporting, all these logs can be exported in CSV format.

Administrators can have company-wide default settings implemented for the firewall, ensuring minimum security settings and guaranteeing that all devices on the network receive updates as they vet new software versions. These setting would be applied not only to all existing Meraki devices but also to other network devices that are added to the company account. It also means that if you are opening a new office, you can simply copy the configuration and apply it to the new site using several clicks. You can also clone device configuration to achieve consistency within your network.

The dashboard displays a dynamically adjusting line chart showing the network traffic and internet traffic passing through the device. It is useful to see if a particular WAN pipe is taking too much load, and how much strain is being placed on the firewall. Internal outages can be spotted with a glance, and reviewers can see when they are happening and how long they last. Network connectivity and performance tools will help to quickly diagnose network problems right from the web dashboard.

With a single click, we can obtain firmware update status for any firewall device and force a firmware update on the fly to that given firewall on demand. Firmware upgrades can be scheduled and will be downloaded automatically once there is new software or an improvement available.
Another great feature is the ‘Security Center’ where top threats and events are displayed. You can also view the rule details and inspect the captured packets and export it as PCAP if you want to do more.

If a staff member is fired, and their access needs to be removed, one swift action will remove all their access to the Meraki dashboard and all the associated gear.

All of the common administrator controls and functions, including reporting and monitoring, can be accessed via an intuitive user interface instead of the command line, and they can be configured quickly.

This ease of use and convenience was definitely a reason that Meraki’s Security Appliance was more appealing than legacy boxes like Cisco RV320 and RFC5207.

Doing More with Advanced Features

These devices are not limited by in-appliance memory. They can easily perform detailed logging, and provide a more comprehensive view of appliance status across the entire network- all in a single pane of glass.

Meraki devices can report or filter traffic on your network based on application level. It is easy to create rules based on domain names and create block points or limit speed. The map-based system shows locations, office floor plans and deployment locations for individual devices – geofencing is a great feature. Additionally, as long as the Security Appliance has internet, you can force a reboot with a single click anywhere in the world. The device also automatically optimizes wireless signals so that coverage is even and strong throughout a site.

Fixing Bandwidth Problems with Logic

Traffic problems can be dealt with logically most of the times with using QoS, traffic shaping, etc. The problem is that most organizations don’t have the equipment to solve these problems with proper logic, so they end up buying more and more bandwidth. The extra bandwidth makes it easy to mask the problems at hand, but it isn’t really a long-term solution.

Meraki has numerous tricks to solve this problem:

Traffic shaping policies can control some of the ‘bandwidth hogs’ that plague the network.
It is possible to set per-client limits for all devices on the network to a pre-determined maximum level of upstream and downstream consumption. It’s as easy as adjusting the brightness on your phone.

Link Aggregation

Cisco Meraki Security Appliance provides Link Aggregation that combines multiple network connections in parallel to increase throughput and provide redundancy. The traffic shaping rules further allow you to specify which pipe should take all the traffic for a specific function, such as specifying traffic vehicle for all VoIP calls or internal web server traffic.

Cisco Meraki Review- Shortcomings

I have been working with Meraki Security Appliance for some time now and have just a few suggestions for improvement.

Problems can arise without a dedicated connection to the Internet on-site. If you have a configuration that isn’t working, it means that you can’t get on to the Internet to configure the device rules.
If you want to deny countries with geolocation, the options are either all or nothing. There is no middle ground where you can create a rule that allows some regions but denies others.
It lacks built-in visibility. You can’t see hits on the firewall rules directly. Having to use (Security Information and Event Management) SIEM to pull syslogs from the device can be less than ideal.
Cost is also a detractor. This is one of the more expensive brands and costs almost twice the others, including license renewal costs. However, it does bring a lot of additional features for a small business, providing the office with everything that’s needed for secure business connectivity in a single desktop unit.

Cisco Meraki Review: Mobile App

Meraki also has a mobile app for ‘network management on the go’ that can really make things easy for managing your network.

This app allows you to view network summaries at a glance, and even enables faster deployment of Wi-Fi. You can view the status of wireless networks, identify healthy connections or off-line access points, use appliance tools, see details of any access point on the network and verify connectivity, usage, and settings. Despite this versatility and transparency, another online Meraki review suggests that many users found the app to be poorly designed with several missing features and clumsy navigation.

I for one think it is efficient for an on-the-go type setting and would be good for just checking on the network but not for administrating. Personally, I’d rather use the website.

Cisco Meraki Review: Summary

As you can probably tell from the whole Meraki review, we recommend this appliance. In addition to the attractive features, there is an added benefit of the prompt and knowledgeable support staff. I had some trouble with the device when the dashboard indicated uncharacteristically high utilization on the channels. It turns out it was a bug and that the problem would correct itself once an update was installed. But the device wouldn’t update even after they tried to push it directly. So, we returned the device. It was covered by the lifetime hardware warranty and a new device arrived within a day’s time. The Meraki support team was helpful throughout this process.

Only 19% of small businesses have dedicated personnel who handle IT issues. Should the others be stuck without good network management and maintenance policy? Should they suffer from poor data security? Absolutely not!

None of this is optimal for small businesses. For that matter, even a medium-sized business can have trouble deploying in-house resources or a hybrid mix to address all of the standards work, risk mitigation and more that has to go on in managing a network.

One of our security-conscious clients with hundreds of employees also uses the Meraki Security Appliance for this reason. It lets them aggregate their network devices and manage their network efficiently from a single console while preventing financial loss caused by security breaches and business downtime at the same time. The Meraki Security Appliance can be highly beneficial for small to medium-size businesses that want to ramp up business productivity with limited resources.

When reviewing the above factors, we found the Meraki to have a winning set of network management and security solutions.

If this Meraki Review helped your decision-making process, then check out the last blog I wrote on the WiFi Pineapple. It outlines how your WiFi network can be compromised and what you can do about it.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

“Yes, but…”

That is the right answer 95% of the time. Almost every organization needs a penetration test or pen test. Organizations with mature security programs don’t need to ask the question. They already know the answer based on their program and plan.

Organizations that are asking that question are operating from the right mindset. They should be thinking about what they need to do to improve the cybersecurity of their organization. With the right resources, companies can mitigate risk. If they do it smartly then they can mitigate the risk with a high return on investment.

What Is a Pen Test?

A penetration test or pen test involves skilled professionals going in and messing around with the system to see what they can break, and where they can enter and steal.

Many firms call these professionals “ethical hackers” – some call them “white hat” security professionals. The idea of the penetration test is that these individuals perform a comprehensive analysis of the network through trying to hack their way into a system, not to damage or destroy or hurt users, but so that the company can improve its cybersecurity practices and eliminate vulnerabilities.

How does a Pen Test differ from a vulnerability test or vulnerability scanning?

Think of the penetration test as a vulnerability test that has someone sitting in the captain’s chair.

A pen test uses a trained human to attack an infrastructure or system. A vulnerability test is an automated scan of that system. It checks ports and versions to determine if there are weaknesses in the system. It does not try to actually exploit the vulnerabilities to compromise the solution. A vulnerability test gives the owners of the system a report.

Human oversight is really essential in many kinds of cybersecurity. We have all sorts of sophisticated tools that can help humans to spot dangerous network behavior. There are tools that seal down endpoints or deal with social hacking such as spear phishing or spoofing. But without some engaged human operation, these tools are only robotic sentries. Outside malicious parties can easily fool these tools.

Pen Test Cost

A pen test cost is usually measured in tens of thousands of dollars. (I have not seen a good one for less than $25,000.) A vulnerability scan for organizations with hundreds of devices is typically in the single digit thousands of dollars.

Why are penetration tests so expensive? Because they are state-of-the-art ways to protect network systems. When ethical hackers or white hat professionals take the time to engage password cracking systems, attack APIs, or build a honeypot spear phishing system (and then follow through), they are investing in active front-line cybersecurity work that will close loopholes and tighten security for a company’s digital assets. Hiring expert security personnel to focus solely on your systems for a period of time is expensive!

Pen Test Process

A penetration test typically involves the following:

Planning. Defining goals for the test and gathering intelligence.
Scanning. Evaluate weak points and organizational response to scans.
Gaining access. Method to gain entry into system which may involve social engineering, phishing, dropping USB drives in your parking lot, adding rogue wireless access points, exploiting Internet exposed vulnerabilities or physically compromising your offices.
Controlling a resource. Method for maintaining control of a node or resource in the system/network.
Analysis and reporting. Evaluating what can be done to improve the organization’s security posture.

All of these can be essential in figuring out how to mitigate risk and avoid data theft or other cybersecurity breaches.

But I Think I Really Need a Pen Test!

Organizations should always be looking for the most cost-effective security controls. A pen test is a control that should be performed later in an organization’s security maturity journey.

Organizations that don’t have basic security building blocks in place should focus on those first. These building blocks are comprised of an inventory of what is on their network, and a regular patching process for systems and applications. These basics also include strong user management, closing ports and limiting protocols and services on their network. If organizations have deficiencies with these types of security controls, a pen test is a really expensive way to find out.

CIS 20 view on Pen Tests

CIS 20 Security Controls with Pen Test at #20

The Center for Internet Security (CIS) has a good framework for prioritizing which controls to focus on. In the CIS 20 controls, Penetration Tests and Red Team Exercises is number 20 on their list. There are a number of things to put in place beforehand that are much more cost-effective. Inventory and control of hardware assets and continuous vulnerability management are great foundational principles. Firewalls and account controls and malware prevention systems are all effective ways to thin an attack surface or prevent intrusions, and so the penetration test may come later in the game.

(Note: We like the CIS 20 controls but believe that it does not properly emphasize the importance of user training at 17. Tricking a user to click on a link is easy for many attackers. Training users to be more security-aware can significantly reduce the number of possible events in an organization.)

Pen Test vs. other security controls

Pen tests are performed periodically. When you harden systems and networks, you see the benefits every day. Training users to be more security-aware can significantly reduce the number of possible events in an organization. That’s what’s behind a lot of penetration tests. The human penetration tester uses digital coordination tools to find out where the weakest points are. They then report back to the company, which will invest in that specific type of user education that will keep employees or other users from inadvertently giving away the store to hackers.

When you shrink the attack service down, hackers will have a more difficult time obtaining a foothold. When you address social engineering problems, hackers find that dealing with an already alert and aware user base is to some extent an exercise in futility.

Pen Test or Cybersecurity Plan?

When we are brought into a new organization, we will perform a risk assessment and then create a cybersecurity plan based on that risk assessment. In many cases, the pen test will be part of the plan. However, it is rare that the pen test is the first item on the list. Often organizations have many other higher priority cybersecurity projects to work on.

To Recap

Here’s the bottom line – while a penetration test is not the first or the only thing you need to do in cybersecurity, it’s often vital to the company’s success in protecting data and systems. We will figure out what specific types of penetration testing are needed and work with the client to proceed accordingly. Having a customized plan in place saves time and money and makes sure that the penetration testing that happens is targeted to the company’s actual needs.

Monthly Archives: March 2019