Transcript
Page 1: MX Deep Dive PPT

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1

Meraki MX Security Appliances Daghan Altas Product Manager

4/19/2013

Page 2: MX Deep Dive PPT

• MX overview

• Demo

• Dashboard architecture

• MX deep dive

• Positioning

• Competition

• Roadmap

• Q&A

• Additional resources

Page 3: MX Deep Dive PPT

Application Control

WAN Optimization, Traffic

Shaping, Content Filtering

Security

NG Firewall, Client VPN,

Site to Site VPN

Networking

NAT/DHCP, Routing,

Link Balancing

Page 4: MX Deep Dive PPT

Key Features: Details

Cloud based management: PCI L1 certified; single pane of glass

Auto VPN: single-click VPN (with failover to WAN2 or 4G); hub-n-spoke or mesh (spoke-to-spoke)

Content filtering: Webroot BrightCloud (85 categories); local database + cloud lookup

Google safe search / YouTube for Schools: table stakes for K-12; also HTTPS search enforcement

Web caching: based on Squid proxy; on MX80 or above

Intrusion detection: SourceFire SNORT® based; org level reporting

Layer 7 client tracking / NG firewall: all Meraki products use the same signatures; firewall as well as traffic shaper

WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization

Anti-virus / Anti-phishing: Kaspersky SafeStream II (flow based); files and JavaScript protection

Page 5: MX Deep Dive PPT

New features

• Google safe-search

• YouTube for schools

• HTTPS search blocking

• Web caching

Improvements

• Hub-n-spoke VPN

• IP-based client finger printing

• Identity-based group policies

• Hybrid (local/cloud) web filtering*

*May 2013

Page 6: MX Deep Dive PPT

Page 7: MX Deep Dive PPT

Page 8: MX Deep Dive PPT

Meraki’s out-of-band control plane

Diagram: only management data (1 kb/s) crosses the WAN between each device and the cloud.

Scalable

– Modern clustered design on commodity servers

– Any one customer only a small fraction of load

Out of band

– No user traffic passes through cloud

– Network is fully functional without cloud connectivity

Reliable

– Each customer talks to 2 datacenters (active / passive)

– 3rd backup DC in case both active / passive DCs fail

– All 3 DCs are geo separated

Compliant

– Fully HIPAA / PCI L1 compliant

– DCs in N.A., E.U., Brazil, APAC

– SSAE16

Page 9: MX Deep Dive PPT

• Servers connect to the public internet and rely on their own firewall for protection.

• Customers are partitioned across Meraki servers
  – Each partition is called a “shard”
  – Effectively one 1U RAIDed server plus one 1U backup
  – Goal: maximize the number of customers we can host per shard

• Shards are connected to the public internet via gigE and to each other (over an untrusted connection) via gigE.

• Example numbers from a representative shard:
  – 15,000 Meraki devices (APs, firewalls, switches)
  – 300,000 clients (laptops, servers, printers) per day
  – Total of 300 GB of stats, dating back over a year
  – Gathers new data from every device every 45 seconds

Diagram, shard stack: x86 machine (not virtualized), Linux 2.6, firewall (iptables), database (PostgreSQL), web server (Apache and nginx), application server (Rails).

Page 10: MX Deep Dive PPT

• Shards call the devices
  – Devices are the server, cloud is the client
  – Asynchronous / event-driven (fast)
  – One call for all data collection

• Secure / efficient connection
  – Google protobufs for low overhead
  – SSL-based connection
  – Authentication using a per-device shared secret

• Port / IP requirements
  – Port 80 (TCP): we can tunnel over port 80 but it is not efficient
  – Other TCP ports: 443, 7734, 7752
  – UDP ports: 123, 7351, 9350

Diagram: an event-driven RPC engine on the shard creates requests and processes responses on behalf of the LLDP module, the client-probing module and other modules, and stores the results in the database.
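
The port list above is what the slide says the MX needs to reach the cloud controller. As an added example (not Meraki's code), the script below audits a constructed egress-firewall log from a branch against that list: required ports that the policy drops, flows to ports outside the list, and use of the port-80 fallback the slide calls inefficient. The log format, the MX WAN address 192.0.2.10 and the verdict names are assumptions.

```python
# Added example, not Meraki code: check a branch egress log against the
# management-plane ports listed on the slide.

# Ports from the slide: TCP 443/7734/7752, UDP 123/7351/9350.
# TCP 80 is the inefficient tunnel fallback, so it is tracked separately.
REQUIRED = {("tcp", 443), ("tcp", 7734), ("tcp", 7752),
            ("udp", 123), ("udp", 7351), ("udp", 9350)}
FALLBACK = ("tcp", 80)

# Constructed sample log lines: "<src_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
192.0.2.10 tcp 443 ACCEPT
192.0.2.10 udp 123 ACCEPT
192.0.2.10 udp 7351 DROP
192.0.2.10 tcp 80 ACCEPT
192.0.2.10 tcp 7734 ACCEPT
192.0.2.10 tcp 9999 ACCEPT
""".splitlines()


def audit(lines, mx_ip):
    """Classify egress flows from the MX WAN address (mx_ip is an assumption)."""
    seen_ok, dropped, unexpected, fallback = set(), set(), set(), 0
    for line in lines:
        src, proto, port, action = line.split()
        if src != mx_ip:
            continue                      # only the appliance's own flows matter here
        key = (proto, int(port))
        if key == FALLBACK:
            fallback += 1                 # tunnelling over 80: a port is probably blocked
        elif key in REQUIRED:
            (seen_ok if action == "ACCEPT" else dropped).add(key)
        else:
            unexpected.add(key)           # not on the slide's list: worth a look
    return {
        "missing": sorted(REQUIRED - seen_ok),   # never seen accepted (blocked or unused)
        "dropped": sorted(dropped),              # explicitly blocked by the egress policy
        "unexpected": sorted(unexpected),
        "fallback_hits": fallback,
    }


if __name__ == "__main__":
    for verdict, value in audit(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{verdict}: {value}")
```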

Page 11: MX Deep Dive PPT

Page 12: MX Deep Dive PPT

• United States

Dallas, TX

San Diego, CA

• Japan

Tokyo

• Europe

Dublin, Ireland

London, UK

Germany

• Latin America

Sao Paulo, Brazil

Page 13: MX Deep Dive PPT

Page 14: MX Deep Dive PPT

Diagram, MX packet path between LAN and WAN. Kernel (Click modules): router / DPI engine, L3 FW, traffic shaper, L7 FW, NAT, VPN encrypt / encap. User space: DHCP service, TCP proxy (WAN opt), web proxy (Squid), IDS (Snort), CF (BrightCloud), AV (Kaspersky), stat server, brain, log & stats.

• VPN bypasses most services

• WAN opt is costly (inline and user-space)

• IDS is not inline

• Modular “click” based configuration

Page 15: MX Deep Dive PPT

• Uses SNORT®

• Full signature set

• Updated daily

• IDS only (IPS is trivial but we have reservations)

• No custom signatures

• No signature modification

• Whitelisting is allowed

• Memory / CPU intensive

Page 16: MX Deep Dive PPT

• Uses Kaspersky SafeStream II

• Full signature set

• Updated hourly

• No custom rules

• AV: flow-based signature match
  – Files (pdf, exe, zip, etc.)
  – JavaScript, HTML, etc.

• Anti-phishing: URL database

• Whitelisting is allowed

• CPU / Memory intensive

Page 17: MX Deep Dive PPT

• Uses Webroot BrightCloud

• Whitelist / Blacklist is allowed

• HTTPS blocking is based on CERT exchange

• Max local URL database

MX60/80/90: 1M

MX400/600: 20M

• Hybrid (local / cloud) lookup in May

• Memory intensive (CPU load is minimal)

Page 18: MX Deep Dive PPT

• ICSA (corporate) certification under way (ETA: mid to late summer)

• Customer pen tests

Interbank of New Mexico: 50 locations

Cumbria Police Department: HQ (L2 VPN concentrator for MR)

Page 19: MX Deep Dive PPT

Page 20: MX Deep Dive PPT

By Market Segment (columns: Meraki / ASA / ISA 500 / ISR G2s)

Enterprise
  Meraki: Maybe, position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or Campus.
  ASA: Yes, good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs. Premium Cloud Web Security available.
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW. Premium Cloud Web Security available.

Commercial Select
  Meraki: Yes, position where there are lots of small sites or machines to protect. Not for DCs or Campus.
  ASA: Yes, good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs.
  ISA 500: No
  ISR G2s: Yes, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW.

Commercial Mid-Market
  Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease of use requirements are significant.
  ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
  ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer’s needs.
  ISR G2s: Yes, where rich security requirements are limited and non-security feature integration (Voice, WAN opt, Wireless, etc.) is important.

SMB
  Meraki: Yes, if customer is not overly price sensitive.
  ASA: Unlikely, requires a high level of technical expertise.
  ISA 500: Yes, cost optimized solution for SMB.
  ISR G2s: Unlikely, requires a high level of technical expertise. Managed Service may be an option.

Legend (slide colour coding): Best, lead with this / Alternative / Possible / Unlikely

Page 21: MX Deep Dive PPT

By Vertical Customer Segment (columns: Meraki / ASA / ISA 500 / ISR G2s)

Federal/DoD
  Meraki: No
  ASA: Yes
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments, but not as full featured FW.

SLED
  Meraki: Yes, schools in particular are an excellent target.
  ASA: Yes
  ISA 500: No
  ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.

Retail
  Meraki: Yes, excellent choice for small box retail shops w/ limited IT staff and a mgd WAN vendor. PCI Certified.
  ASA: Yes, focus on big box retail or retail deployments with diverse network users connected in store.
  ISA 500: Maybe, UTM functions can be appealing but lack of robust central management can hinder sales.
  ISR G2s: Yes, can meet PCI specs and excellent when integrated Voice or WAN is required and primary goal is to meet PCI.

Banking
  Meraki: No, Financials not generally receptive to Cloud Hosted model.
  ASA: Yes
  ISA 500: No
  ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments.

SP Managed Services
  Meraki: Yes, excellent multi-tenant management.
  ASA: Yes, deployed today, but “current” lack of multitenant mgmt option will hinder sales.
  ISA 500: Yes, where cost and UTM coverage are primary drivers.
  ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM.

Legend (slide colour coding): Best, lead with this / Alternative / Possible / Unlikely

Page 22: MX Deep Dive PPT

MX Security Appliances: Models (model: recommended deployments; example customer)

Teleworker (up to 5 users)
  Z1: teleworkers, kiosks; Groupon

Small branch (approx. 10-20 users)
  MX60: small retail branch, small clinic; Peet’s Coffee (220 locations)
  MX60W: with wireless; Kindred Healthcare (1500 locations)

Medium branch (approx. 20-250 users)
  MX80: mid-size branch, retail branch with web cache; Interbank of New Mexico (50 locations)
  MX90: large branch, 8 LAN ports, 2 SFP; Hilton Worldwide (20 locations so far)

Large branch / campus / concentrator (approx. 250-10,000 users)
  MX400: K-12 firewall, VPN concentrator for up to 1000 sites; Essex Property (200 locations)
  MX600: large K-12 firewall, 4TB web cache, VPN concentrator for up to 2500 sites; Bessemer Trust (10 locations)

Page 23: MX Deep Dive PPT

Page 24: MX Deep Dive PPT

• Fortinet strengths

Raw throughput / $

Large number of models

WAN termination

DLP

• Fortinet weaknesses

Cumbersome UI

Weak centralized management

Requires an additional box for reporting

No Auto-VPN or built-in WAN opt

Rudimentary traffic shaping

• Meraki strengths

Best cloud-based management

More L7 features and visibility

Best-in-class IDS / CF / AV

• Meraki weaknesses

Not designed for datacenters

Not focused on raw speed

Less customization

Page 25: MX Deep Dive PPT

                         FortiGate 100D   Meraki MX80
Hardware                 $1,995           $1,995
Software                 $2,996*          $4,000
Support & Maintenance    -                -
Centralized management   $828**           -
TCO                      $5,819           $5,995

*: 3-Y security HW/SW bundle is $4991

**: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment

Page 26: MX Deep Dive PPT

• SonicWALL strengths

Cost

Well known in the SMB market

• SonicWALL weaknesses

Poor quality IDS / AV / CF

Very limited L7 features and visibility

One-trick pony (weak wireless, no switch)

• Meraki strengths

Best cloud-based management

Single pane of glass

More L7 features and visibility

Best-in-class IDS / CF / AV

• Meraki weaknesses

Not designed for datacenters

Cost disadvantage without centralized management

Page 27: MX Deep Dive PPT

                         NSA 2400   Meraki MX80
Hardware                 $2,495     $1,995
Software                 $3,040     $4,000
Support & Maintenance    -          -
Management SW            $579       -
TCO                      $6,114     $5,995

Page 28: MX Deep Dive PPT

• PaloAlto Networks strengths

Gartner likes them

Has CIO mindshare

Great NG FW marketing

• PaloAlto Networks weaknesses

Weak on distributed deployments

No 3G / 4G failover

No wireless / switch

Network management requires additional

software / servers

• Meraki strengths

Best cloud-based management

Single pane of glass

More L7 features and visibility

Best-in-class IDS / CF / AV

• Meraki weaknesses

Not designed for datacenters

Less customization

Not focused on raw speed

Page 29: MX Deep Dive PPT

                         PA 500     MX80
Hardware                 $4,500     $1,995
Software                 $4,070     $4,000
Support & Maintenance    $1,703     -
Management SW*           $377       -
TCO                      $10,389    $5,995
Savings                             -40%

Page 30: MX Deep Dive PPT

Page 31: MX Deep Dive PPT

• HA only works in 1-armed VPN mode

• Interfaces are NATed (vs. routed)

• Routing protocols

• Only IDS right now

• LACP / RSTP

• SSL VPN

• Some limitations on NAT (e.g. no 1-to-N NAT)

• IPv6

Page 32: MX Deep Dive PPT

• ICSA certification

• Enhancing security features

• Alignment with Cisco SIO

• Full HA (in NAT mode)

• Enhancing centralized management

• Org level reporting improvements

Page 33: MX Deep Dive PPT

Page 34: MX Deep Dive PPT

Sales tools

Weekly webinars for end-customers

meraki.com/webinar

Easy free trials

meraki.com/eval

Cisco SE access to demo network

meraki.com/cisco/dashboard

200+ Cisco Meraki SEs and AMs

[email protected]

ASA / ISA / MX / ISR positioning guide

http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx

Page 35: MX Deep Dive PPT

Page 36: MX Deep Dive PPT

Thank you.

