
Meraki MX Security Appliances

Daghan Altas
Product Manager
4/19/2013

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
• MX overview
• Demo
• Dashboard architecture
• MX deep dive
• Positioning
• Competition
• Roadmap
• Q&A
• Additional resources

Security
NG Firewall, Client VPN,
Site to Site VPN

Networking
NAT/DHCP, Routing,
Link Balancing

Application Control
WAN Optimization, Traffic
Shaping, Content Filtering

Key Features / Details
• Cloud based management: PCI L1 certified; Single pane of glass
• Auto VPN: Single click VPN (with failover to WAN2 or 4G); Hub-n-spoke or mesh (spoke-to-spoke)
• Content filtering: Webroot BrightCloud (85 categories); Local database + Cloud lookup; Table-stake for K-12
• Google safe search / YouTube for Schools: Also HTTPS search enforcement
• Web caching: Based on Squid Proxy; On MX80 or above
• Intrusion detection: SourceFire SNORT® based; Org level reporting; All Meraki products use the same signatures
• Layer 7 client tracking / NG firewall: Firewall as well as traffic shaper
• WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization
• Anti-virus / Anti-phishing: Kaspersky Safestream II (flow based); Files and JavaScript protection

New features
• Google safe-search
• YouTube for schools
• HTTPS search blocking
• Web caching

Improvements
• Hub-n-spoke VPN
• IP-based client finger printing
• Identity-based group policies
• Hybrid (local/cloud) web filtering*

*May 2013

Meraki’s out-of-band control plane
Scalable
– Modern clustered design on commodity servers
– Any one customer only a small fraction of load
Out of band
– Management data only (1 kb/s); no user traffic passes through cloud
– Network is fully functional without cloud connectivity
Reliable
– Each customer talks to 2 datacenters (active / passive)
– 3rd backup DC in case both active / passive DCs fail
– All 3 DCs are geo separated
Compliant
– Fully HIPAA / PCI L1 compliant
– DCs in N.A, E.U, Brazil, APAC
– SSAE16

[Diagram: shard software stack on a non-virtualized x86 machine: Linux 2.6, Firewall (iptables), Database (PostgreSQL), Web Server (Apache and nginx), Application Server (Rails)]
• Servers connect to the public internet and rely on their own firewall for protection.
• Customers partitioned across Meraki servers
• Each partition is called a “shard”
• Effectively one 1U RAIDed server plus one 1U backup
• Goal: maximize # of customers we can host per shard
• Shards are connected to the public internet via gigE and to each other (over an untrusted connection) via gigE.
• Example numbers from a representative shard:
  – 15,000 Meraki devices (APs, firewalls, switches)
  – 300,000 clients (laptops, servers, printers) per day
  – Total of 300 GB of stats, dating back over a year
  – Gathers new data from every device every 45 seconds

• Shards call the devices
  – Devices are the server, cloud is the client
  – Asynchronous / event-driven (fast)
  – One call for all data collection
• Secure / efficient connection
  – Google protobufs for low overhead
  – SSL-based connection
  – Authentication using a per-device shared secret
• Port / IP requirements
  – Port 80 (TCP): we can tunnel over port 80 but it is not efficient
  – Other TCP ports: 443, 7734, 7752
  – UDP ports: 123, 7351, 9350
[Diagram: event-driven RPC engine (create request, process response, probing) talking to device modules (LLDP module, other modules), clients and the database]
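An added example, not from the deck or from Meraki: an upstream-firewall egress audit that reports which of the dashboard ports listed above (TCP 443, 7734, 7752; UDP 123, 7351, 9350) a policy blocks, so a site can be checked before an MX is deployed behind it. The `permit/deny <proto> <port|lo-hi|any>` rule syntax and the sample policy are constructed for this example.

```python
from typing import Dict, Iterable, List, Tuple

# Outbound ports the slide lists for MX-to-dashboard connectivity.
# TCP 80 is left out: the slide says tunnelling over it works but is inefficient.
REQUIRED_EGRESS: Dict[str, set] = {
    "tcp": {443, 7734, 7752},
    "udp": {123, 7351, 9350},
}

Rule = Tuple[str, str, int, int]  # (action, proto, low_port, high_port)


def parse_rule(line: str) -> Rule:
    """Parse one constructed-syntax rule: '<permit|deny> <tcp|udp|any> <port|lo-hi|any>'."""
    action, proto, ports = line.split()
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"bad rule: {line!r}")
    if ports == "any":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    return action, proto, lo, hi


def is_permitted(rules: List[Rule], proto: str, port: int) -> bool:
    """First-match evaluation, top-down, with an implicit deny at the end."""
    for action, rproto, lo, hi in rules:
        if rproto in ("any", proto) and lo <= port <= hi:
            return action == "permit"
    return False


def audit_egress(policy: Iterable[str], required=REQUIRED_EGRESS) -> Dict[str, List[int]]:
    """Return the required dashboard ports the policy blocks, keyed by protocol."""
    rules = [parse_rule(l) for l in policy if l.strip() and not l.lstrip().startswith("#")]
    return {
        proto: sorted(p for p in ports if not is_permitted(rules, proto, p))
        for proto, ports in required.items()
    }


if __name__ == "__main__":
    # Constructed sample: a typical "HTTPS and NTP only" upstream egress filter.
    SAMPLE_POLICY = ["# evaluated top-down", "permit tcp 443", "permit udp 123", "deny any any"]
    print(audit_egress(SAMPLE_POLICY))  # {'tcp': [7734, 7752], 'udp': [7351, 9350]}
```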

• United States
Dallas, TX
San Diego, CA

• Japan
Tokyo

• Europe
Dublin, Ireland
London, UK
Germany

• Latin America
Sao Paulo, Brazil

• VPN bypasses most services
• WAN opt is costly (inline and user-space)
• IDS is not inline
• Modular “click” based configuration
[Diagram: packet path from WAN to LAN. Kernel (Click): L3 FW, NAT, encrypt / encap., traffic shaping, L7 FW, DPI engine, DHCP service, stats. User space: IDS (Snort), CF (BrightCloud), AV (Kaspersky), router / web proxy (Squid), TCP proxy (WAN opt), log & stat server, brain]

• Uses SNORT®
• Full signature set
• Updated daily
• IDS only
  – IPS is trivial but we have reservations
• No custom signatures
• No signature modification
• Whitelisting is allowed
• Memory / CPU intensive
• Uses Kaspersky SafeStream II
• Full signature set
• Updated hourly
• No custom rules
• AV: Flow based signature match
  – Files (pdf, exe, zip, etc.)
  – JavaScript, HTML, etc.
• Anti-phishing: URL database
• Whitelisting is allowed
• CPU / Memory intensive

• Uses Webroot BrightCloud
• Whitelist / Blacklist is allowed
• HTTPS blocking is based on CERT exchange
• Max local URL database
  – MX60/80/90: 1M
  – MX400/600: 20M
• Hybrid (local / cloud) lookup in May
• Memory intensive (CPU load is minimal)

• ICSA (corporate) certification under way (ETA: mid to late summer)
• Customer pen tests
  – Interbank of New Mexico: 50 locations
  – Cumbria Police Department: HQ (L2 VPN concentrator for MR)

By Market Segment

Enterprise
  Meraki: Maybe, position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or Campus.
  ASA: Yes, Good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs. Premium Cloud Web Security available.
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW. Premium Cloud Web Security available.

Commercial Select
  Meraki: Yes, position where there are lots of small sites or machines to protect. Not for DCs or Campus.
  ASA: Yes, Good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs.
  ISA 500: No
  ISR G2s: Yes, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW.

Commercial Mid-Market
  Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease of use requirements are significant.
  ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
  ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer’s needs.
  ISR G2s: Yes, where rich security requirements are limited and non security feature integration (Voice, WAN opt, Wireless, etc.) is important.

SMB
  Meraki: Yes, if customer is not overly price sensitive.
  ASA: Unlikely, requires a high level of technical expertise.
  ISA 500: Yes, cost optimized solution for SMB.
  ISR G2s: Unlikely, requires a high level of technical expertise. Managed Service may be an option.

Legend (color coded on slide): Best, Lead with this / Alternative / Possible / Unlikely


By Vertical Customer Segment

Federal/DoD
  Meraki: No
  ASA: Yes
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments, but not as full featured FW.

SLED
  Meraki: Yes, schools in particular are an excellent target.
  ASA: Yes
  ISA 500: No
  ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.

Retail
  Meraki: Yes, excellent choice for small box retail shops w/ limited IT staff and a mgd WAN vendor, PCI Certified.
  ASA: Yes, focus on big box retail or retail deployments with diverse network users connected in store.
  ISA 500: Maybe, UTM functions can be appealing but lack of robust central management can hinder sales.
  ISR G2s: Yes, can meet PCI specs and excellent when integrated Voice or WAN is required and primary goal is to meet PCI.

Banking
  Meraki: No, Financials not generally receptive to Cloud Hosted model.
  ASA: Yes
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments.

SP Managed Services
  Meraki: Yes, excellent multi-tenant management.
  ASA: Yes, deployed today, but “current” lack of multitenant mgmt option will hinder sales.
  ISA 500: Yes, where cost and UTM coverage are primary drivers.
  ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM.

Legend (color coded on slide): Best, Lead with this / Alternative / Possible / Unlikely

MX Security Appliances: Models
Model – Recommended deployments – Example customer

Teleworker (Up to 5 users)
  Z1 – Teleworkers, kiosks – Groupon

Small branch (Approx. 10-20 users)
  MX60 – Small retail branch, small clinic – Peet’s coffee (220 locations)
  MX60W – With wireless – Kindred Healthcare (1500 locations)

Medium branch (Approx. 20-250 users)
  MX80 – Mid size branch, retail branch with web cache – Interbank of New Mexico (50 locations)
  MX90 – Large branch, 8 LAN ports, 2 SFP – Hilton Worldwide (20 locations so far)

Large branch / campus / concentrator (Approx. 250-10,000 users)
  MX400 – K-12 firewall; VPN concentrator for up to 1000 sites – Essex Property (200 locations)
  MX600 – Large K-12 firewall, 4TB web cache; VPN concentrator for up to 2500 sites – Bessemer Trust (10 locations)

• Fortinet strengths
  – Raw throughput / $
  – Large number of models
  – WAN termination
  – DLP
• Meraki strengths
  – Best cloud-based management
  – More L7 features and visibility
  – Best-in-class IDS / CF / AV
• Fortinet weaknesses
  – Cumbersome UI
  – Weak centralized management
  – Requires an additional box for reporting
  – No Auto-VPN or built-in WAN opt
  – Rudimentary traffic shaping
• Meraki weaknesses
  – Not designed for datacenters
  – Not focused on raw speed
  – Less customization

                         FortiGate 100D   Meraki MX80
Hardware                 $1,995           $1,995
Software                 $2,996*          $4,000
Support & Maintenance    -                -
Centralized management   $828**           -
TCO                      $5,819           $5,995

*: 3-Y security HW/SW bundle is $4,991
**: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment

• SonicWALL strengths
  – Cost
  – Well known in the SMB market
• Meraki strengths
  – Best cloud-based management
  – Single pane of glass
  – More L7 features and visibility
  – Best-in-class IDS / CF / AV
• SonicWALL weaknesses
  – Poor quality IDS / AV / CF
  – Very limited L7 features and visibility
  – One-trick pony (weak wireless, no switch)
• Meraki weaknesses
  – Not designed for datacenters
  – Cost disadvantage without centralized management

                         NSA 2400   Meraki MX80
Hardware                 $2,495     $1,995
Software                 $3,040     $4,000
Support & Maintenance    -          -
Management SW            $579       -
TCO                      $6,114     $5,995

• PaloAlto Networks strengths
  – Gartner likes them
  – Has CIO mindshare
  – Great NG FW marketing
• Meraki strengths
  – Best cloud-based management
  – Single pane of glass
  – More L7 features and visibility
  – Best-in-class IDS / CF / AV
• PaloAlto Networks weaknesses
  – Weak on distributed deployments
  – No 3G / 4G failover
  – No wireless / switch
  – Network management requires additional software / servers
• Meraki weaknesses
  – Not designed for datacenters
  – Less customization
  – Not focused on raw speed

                         PA 500     MX80
Hardware                 $4,500     $1,995
Software                 $4,070     $4,000
Support & Maintenance    $1,703     -
Management SW*           $377       -
TCO                      $10,389    $5,995
Savings                             -40%

• HA only works in 1-armed VPN mode

• Interfaces are NATed (vs. routed)

• Routing protocols

• Only IDS right now

• LACP / RSTP

• SSL VPN

• Some limitations on NAT (e.g. no 1-to-N NAT)

• IPv6

• ICSA certification

• Enhancing security features

• Alignment with Cisco SIO

• Full HA (in NAT mode)

• Enhancing centralized management

• Org level reporting improvements

Sales tools
• Weekly webinars for end-customers: meraki.com/webinar
• Easy free trials: meraki.com/eval
• Cisco SE access to demo network: meraki.com/cisco/dashboard
• 200+ Cisco Meraki SEs and AMs: cisco-se-support@meraki.com
• ASA / ISA / MX / ISR positioning guide: http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx

Thank you.
