Securing Enterprise Networks with Cisco Meraki
About the Book

Securing Enterprise Networks with Cisco Meraki

Discover the Power of Cisco Meraki

Unlock the full potential of Cisco Meraki with this in-depth guide, designed to help you build and secure modern, cloud-managed networks. Cisco Meraki offers a unique, cloud-managed IT platform that integrates seamlessly with Cisco’s traditional products and other third-party tools. Whether you’re a new Meraki customer, an experienced network engineer, or an IT manager looking to streamline operations, this book provides you with the knowledge and practical steps needed to secure enterprise networks effectively.

In a world where cybercrime is an ever-present threat, Meraki’s cloud-managed solutions offer a robust alternative to traditional wired and wireless networks. This book not only introduces you to the fundamentals of Meraki but also dives deep into advanced security configurations, industry best practices, and real-world use cases. By the end of this book, you’ll be equipped to implement Meraki solutions that meet stringent IT security standards and frameworks, ensuring your network is not just operational but resilient and secure.

With this book as your guide, you will gain the skills to deploy secure, cloud-managed networks using Cisco Meraki. You will learn:
  • Meraki’s History: Understand the evolution of Meraki from a research project at MIT to a key player in Cisco’s portfolio.
  • Security Frameworks and Industry Best Practices: Learn about the essential IT security standards and frameworks and how Meraki can help you meet these requirements.
  • Meraki Dashboard and Trust: Get familiar with the Meraki management portal and understand the considerations for adopting cloud-managed infrastructure.
  • Role-Based Access Control (RBAC): Discover how to implement RBAC to enforce the principle of least privilege within your network.
  • Securing Administrator Access to Meraki Dashboard: Master the configuration of strong authentication methods, including multifactor authentication (MFA) and SAML single sign-on (SSO).
  • Security Operations: Explore the native Meraki tools and external solutions for compliance reporting, centralized logging, and incident response.
  • User Authentication: Delve into the setup of authentication infrastructures supporting wired, wireless, and VPN access, including Meraki Cloud Authentication, SAML, and RADIUS.
  • Wired and Wireless LAN Security: Learn how to secure your LAN with features like 802.1X authentication, firewalling, and adaptive policies.

Table of Contents:
Introduction

Chapter 1 Meraki’s History: Roofnet; Start-up; Acquisition by Cisco; The Meraki Museum; Summary; Notes; Further Reading

Chapter 2 Security Frameworks and Industry Best Practices: The Cybersecurity Imperative; Adopting Industry Best Practice; Industry Standards; Security as a Team Sport; Key Themes Across Security Standards; Continuous Improvement; Comparison of Common Security Standards and Framework Requirements; Summary; Further Reading

Chapter 3 Meraki Dashboard and Trust: Meraki Dashboard; Out-of-Band Management; Meraki Dashboard Hierarchy; Trust; Privacy; Data Retention Policy; Data Security; Data Center Resiliency; Compliance with Information Standards, Regulations, and Industry Best Practices; Hardware Trust Model; Supply Chain Security; Secure Boot; Secure Device Onboarding; Software Trust Model; Cloud Shared Responsibility Model; Summary; Notes; Further Reading

Chapter 4 Role-Based Access Control (RBAC): Meraki Dashboard’s Administration Hierarchy; Administrator Access Levels for Dashboard Organizations and Networks; Assigning Permissions Using Network Tags; Port-Level Permissions; Role-Based Access Control for Camera-Only Administrators; Role-Based Access Control for Sensor-Only Administrators; Role-Based Access Control Using Systems Manager Limited Access Roles; Summary; Further Reading

Chapter 5 Securing Administrator Access to Meraki Dashboard: Securing Administrative Access to Meraki Dashboard; Meraki Dashboard Local Administrator Access Controls; Creating Meraki Dashboard Local Administrator Accounts; Password Age; Password Reuse; Password Complexity; Account Lockout After Invalid Login Attempts; Idle Timeout; IP Whitelisting; Multifactor Authentication (MFA); Configuring SAML Single Sign-On (SSO) for Dashboard; The Use Cases for Single Sign-On; SAML Single Sign-On Login Flow; SAML Single Sign-On Design; Configuring Meraki SAML SSO Using Cisco Duo and Microsoft Entra ID; Prerequisites; Adding SP-Initiated SAML SSO; Verifying SAML SSO Access to Meraki Dashboard with Cisco Duo and Microsoft Entra (Including Duo Inline Enrollment); Implementing Additional Access Controls Using Cisco Duo and Microsoft Entra ID; Password Policies; Password Age; Password Reuse; Password Complexity; Account Lockout After Invalid Login Attempts; Security Policies; IP Whitelisting; Restricting Concurrent Logins; Automatically Disabling Inactive Accounts; Automatically Disabling Accounts After a Predetermined Period of Time Unless Revalidated; Automatically Disabling Temporary Accounts; Summary; Further Reading

Chapter 6 Security Operations: Centralized Logging Capabilities; Login Attempts; Change Log; Event Log; Creating API Keys; Finding Your Organization ID; Exporting Logs; Exporting Logs to Splunk; Syslog; Exporting Flow Data; NetFlow, IPFIX, and Encrypted Traffic Analytics; Syslog Flows; Compliance Reporting with AlgoSec; Prerequisites; Integrating AlgoSec with Meraki Dashboard for Compliance Reporting; Monitoring and Incident Response; Security Center; Alerts; External Alerting; Webhooks; SNMP Traps; External Polling; Meraki Dashboard API; SNMP; Automated Incident Response with ServiceNow; Security Management; Inventory; Hardware; Software; Configuration; Client Devices; Topology; Summary; Notes; Further Reading

Chapter 7 User Authentication: Configuring Meraki Cloud Authentication; Configuring SAML with Cisco Duo and Microsoft Entra; Confirming Functionality of SAML Configuration Using AnyConnect VPN; Configuring RADIUS Using Cisco ISE, Cisco Duo, and Microsoft Active Directory; Prerequisites; Configuring Users and Groups in Microsoft Active Directory; Configuring Group(s) in Active Directory; Configuring User(s) in Active Directory; Configuring Cisco Identity Services Engine (ISE); Adding Network Access Devices (NADs) to Cisco ISE; RADIUS Configuration for Wired and Wireless 802.1X; Configuring Organization-Wide RADIUS in Meraki Dashboard; Creating a Policy Set for Wired and Wireless 802.1X in Cisco ISE; Configuring an Authentication Policy in Cisco ISE; Configuring an Authorization Policy in Cisco ISE; Confirming Functionality of RADIUS Authentication on Wireless; Confirming Functionality of RADIUS Authentication for Wired 802.1X; RADIUS Configuration for AnyConnect VPN with Duo MFA; Configuring Duo Authentication Proxy; Configuring AD Sync in Duo Admin Panel; Encrypting Passwords in Duo Authentication Proxy; Enrolling Users with Cisco Duo; Configuring Cisco Duo as an External RADIUS Server in Cisco ISE; Creating the Policy Set for AnyConnect VPN in Cisco ISE; Meraki Dashboard Using Active Directory Authentication for AnyConnect VPN; Prerequisites; Configuring Active Directory Authentication; Confirming Functionality of Active Directory Configuration; Summary; Further Reading

Chapter 8 Wired and Wireless LAN Security: Access Control Lists and Firewalls; Access Control Lists (Meraki MS); Meraki MR Firewall; Layer 3 Firewall; Layer 7 Firewall (Including NBAR Content Filtering); Ethernet Port Security Features (Meraki MS); MAC Allow Lists; Sticky MAC Allow Lists; Port Isolation; SecurePort; Dynamic ARP Inspection; Rogue DHCP Server Detection (Meraki MS); Hardening Meraki MR and MS Devices (Local Status Page); Zero Trust (Wired and Wireless Dot1x); 802.1X with Protected EAP (PEAP) on Wired and Wireless Networks; Configuring Wireless 802.1X with Protected EAP (PEAP); Configuring Wired 802.1X with Protected EAP (PEAP); Configuring 802.1X Using EAP-TLS on Wired and Wireless Networks; Configuring the Identity Source Sequence in Cisco ISE; Configuring the Policy Set in Cisco ISE; Generating a Client Certificate Using Cisco ISE; Exporting the Cisco ISE Certificate Authority Certificate; Testing Wireless 802.1X with EAP-TLS; Testing Wired 802.1X with EAP-TLS; Sentry-Based 802.1X with EAP-TLS on Wired and Wireless Networks; Sentry Wi-Fi; Sentry LAN; Configuring MAC Authentication Bypass (MAB); Configuring an Endpoint Identity Group in Cisco ISE; Creating a Policy Set in Cisco ISE for MAC Authentication Bypass; Configuring Wireless MAC Authentication Bypass in Meraki Dashboard; Configuring Wired MAC Authentication Bypass in Meraki Dashboard; Group Policies; Creating a Group Policy; Applying Group Policies; Applying Group Policies to a Client Manually; Applying Group Policies Using a Sentry Policy; Applying Group Policies Using RADIUS Attributes and Cisco ISE; Adaptive Policy and Security Group Tags (SGTs); Enabling Adaptive Policy; Configuring Security Group Tag Propagation; Enabling SGT Propagation on Meraki MS Switches; Enabling SGT Propagation on Meraki MX Security Appliances; Creating Security Group Tags; Creating Adaptive Policy Groups in Meraki Dashboard; Creating Security Group Tags in Cisco ISE; Assigning Security Group Tags; Statically Assigning Security Group Tags to SSIDs; Statically Assigning Security Group Tags to Switch Ports; Assigning Security Group Tags Using Cisco ISE; Creating an Adaptive Policy; Testing Adaptive Policy; Client Laptop; POS Terminal; POS Server; Testing; Wireless Security; Summary; Notes; Further Reading

Chapter 9 Meraki MX and WAN Security: Meraki MX Introduction; Site-to-Site VPN (Auto VPN); Site-to-Site VPN with Non-Meraki Devices; ThousandEyes; Remote-Access VPN; Client VPN; Sentry VPN; AnyConnect VPN; Confirming Functionality of AnyConnect VPN Access; Restricting Client VPN Traffic; Virtual MX (vMX); Sizing a Virtual MX; Understanding Feature Parity with Meraki MX; Deploying Virtual MX in Amazon Web Services (AWS); Creating a New vMX Network in Meraki Dashboard; Configuring the Default VPC in AWS; Deploying vMX in AWS; Viewing the New vMX in Meraki Dashboard; Summary; Notes; Further Reading

Chapter 10 Securing User Traffic: Comparison of Meraki’s Native Security Capabilities and Cisco Secure Connect; Native Meraki MX Capabilities; Layer 3 Firewall; Layer 7 Firewall; Geo-IP Firewall; Enabling Detailed Traffic Analysis; Configuring Geo-IP Firewall; Content Filtering; URL Filtering; Category Blocking with Cisco Talos Intelligence; Threat Protection; Advanced Malware Protection (AMP); Intrusion Detection and Prevention (IDS/IPS); Cisco Secure Connect; Setting Up Secure Connect; Initial Setup and Integration with Cisco Umbrella; Adding Meraki SD-WAN Sites to Secure Connect; Configuring DHCP to Assign Umbrella’s DNS Servers; Installing Umbrella’s Root CA Certificate on Clients; Enabling Intelligent Proxy and SSL Decryption in Cisco Umbrella; DNS Security; Cloud Firewall; Layer 3/4 Firewall; Application Blocking; Intrusion Detection and Prevention (IDS/IPS); Secure Web Gateway (SWG); URL Filtering (Destination Lists); Content Filtering (Content Categories); File Inspection and Advanced Sandboxing; File Type Control; Cloud Access Security Broker (CASB); Data Loss Prevention (DLP); Summary; Notes; Further Reading

Chapter 11 Securing End-User Devices: Integrating with Vendor Mobile Device Enrollment Programs; Enrolling Devices with Systems Manager; Checking Compliance with Security Policy (Systems Manager Policies); Creating a Systems Manager Profile; Configuring End-User Devices for Network Connectivity; Certificate Settings Payload; Wi-Fi Settings Payload; VPN Settings Payload; Applying Security Policy to Devices (Systems Manager Profiles); Passcode Policy (Includes Screen Lock); Disk Encryption; Preventing the Installation of Banned Apps; Deploying Applications to Devices; Pushing Operating System Updates to Devices; Summary; Notes; Further Reading

Chapter 12 Physical Security: Meraki MV Security Cameras; Privacy; Monitoring Video; Motion Alerts; Motion Search; Sensor Sight (Meraki Smart Camera and Sensor Integration); Summary; Further Reading

Appendix A Comparison of Common Security Standards and Framework Requirements

About the Author:
Ryan Chaney, the lead author on this book, started his Cisco journey in his early 20s, completing his first CCIE (R+S) at the age of 25, before completing his second CCIE (Security) just 2 years later. Before joining Cisco, he worked in a variety of networking roles across the world, including time as a network architect for Visa in London. Ryan spent the first 10 years of his 15 years at Cisco as a systems engineer, educating customers, designing, and building IT solutions. His first experience with Meraki came while volunteering at the Royal Far West Centre for Country Kids, where he designed and built the network for their new headquarters in Manly, Sydney. At the time, no books had been published on Meraki. This experience and wanting to share his learnings with fellow network engineers, like you, became the inspiration for this book. Ryan lives in Bondi Beach, Australia.

Simerjit Singh, the contributing author on this book, is a seasoned Meraki solutions engineer with more than 17 years’ tenure at Cisco. From his wealth of experience working with customers in the Enterprise and SMB segments, Simerjit contributes his vast experience of the diverse needs of these customers and relevant Meraki solutions. Simerjit holds highly regarded qualifications in networking and security, including a bachelor of technology in computer science, as well as both CCIE and ISC2 Certified Cloud Security Professional (CCSP) certifications. Committed to continuous learning and professional growth, Simerjit is currently pursuing a master’s degree in cybersecurity from the Royal Melbourne Institute (RMIT). Simerjit lives in Melbourne with his mother, wife, and two sons.


Product Details
  • ISBN-13: 9780138298173
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • ISBN-10: 0138298173
  • Publisher Date: 22 Nov 2024
  • Binding: Digital download
  • Series Title: Networking Technology: Security

