MX Deep Dive PPT

Posted on 08-Aug-2015

TRANSCRIPT

  1. Meraki MX Security Appliances
     Daghan Altas, Product Manager
     4/19/2013
     2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  2. - MX overview
     - Demo
     - Dashboard architecture
     - MX deep dive
     - Positioning
     - Competition
     - Roadmap
     - Q&A
     - Additional resources
  3. - Application Control: WAN Optimization, Traffic Shaping, Content Filtering
     - Security: NG Firewall, Client VPN, Site-to-Site VPN
     - Networking: NAT/DHCP, Routing, Link Balancing
  4. Key Features / Details
     - Cloud based management: PCI L1 certified; single pane of glass
     - Auto VPN: single-click VPN (with failover to WAN2 or 4G); hub-and-spoke or mesh (spoke-to-spoke)
     - Content filtering: Webroot BrightCloud (85 categories); local database + cloud lookup
     - Google Safe Search / YouTube for Schools: table stakes for K-12; also HTTPS search enforcement
     - Web caching: based on Squid proxy; on MX80 or above
     - Intrusion detection: Sourcefire Snort based; org-level reporting
     - Layer 7 client tracking / NG firewall: all Meraki products use the same signatures; firewall as well as traffic shaper
     - WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization
     - Anti-virus / anti-phishing: Kaspersky SafeStream II (flow based); files and JavaScript protection
  5. New features
     - Google safe-search
     - YouTube for Schools
     - HTTPS search blocking
     - Web caching
     Improvements
     - Hub-and-spoke VPN
     - IP-based client fingerprinting
     - Identity-based group policies
     - Hybrid (local/cloud) web filtering* (*May 2013)
  6. (no slide text)
  7. (no slide text)
  8. Meraki's out-of-band control plane
     [Diagram: management data (1 kb/s) flows between the customer network and the Meraki cloud over the WAN]
     - Scalable: modern clustered design on commodity servers; any one customer is only a small fraction of the load
     - Out of band: no user traffic passes through the cloud; the network is fully functional without cloud connectivity
     - Reliable: each customer talks to 2 datacenters (active / passive); a 3rd backup DC takes over in case both the active and passive DCs fail; all 3 DCs are geographically separated
     - Compliant: fully HIPAA / PCI L1 compliant; DCs in N.A., E.U., Brazil, APAC; SSAE16
  9. Servers connect to the public internet and rely on their own firewall for protection.
     - Customers are partitioned across Meraki servers; each partition is called a shard
     - A shard is effectively one 1U RAIDed server plus one 1U backup
     - Goal: maximize the number of customers hosted per shard
     - Shards are connected to the public internet via GigE and to each other (over an untrusted connection) via GigE
     Example numbers from a representative shard:
     - 15,000 Meraki devices (APs, firewalls, switches)
     - 300,000 clients (laptops, servers, printers) per day
     - 300 GB of stats in total, dating back over a year
     - New data gathered from every device every 45 seconds
     Shard software stack: x86 machine (not virtualized); Linux 2.6; firewall (iptables); database (PostgreSQL); web server (Apache and nginx); application server (Rails)
  10. Shards call the devices
      - Devices are the server, the cloud is the client
      - Asynchronous / event-driven (fast)
      - One call for all data collection
      Secure / efficient connection
      - Google protobufs for low overhead
      - SSL-based connection
      - Authentication using a per-device shared secret
      Port / IP requirements
      - Port 80 (TCP): we can tunnel over port 80, but it is not efficient
      - Other TCP ports: 443, 7734, 7752
      - UDP ports: 123, 7351, 9350
      [Diagram: event-driven RPC engine with LLDP, probing-clients and other modules; create request -> process response -> database]
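Slide 10 gives the complete list of ports a device uses to reach its shard, which makes it a checklist a network defender can audit egress logs against: documented ports should be permitted (a deny on one of them breaks cloud management), the TCP/80 fallback should be rare, and anything else leaving a device is worth a look. The script below is an added example for this transcript, not Meraki code; only the port numbers come from the slide. The key=value flow-record format, the device and cloud addresses, and the device inventory are constructed for illustration and would need adjusting for a real firewall export.

```python
"""Audit outbound flows from Meraki devices against the management-plane
port list stated on slide 10 (TCP 80/443/7734/7752, UDP 123/7351/9350).

Added example, not Meraki code. Log format and addresses are constructed.
"""
import re
from collections import Counter

# Port list as stated on slide 10 (the only values taken from the deck).
MGMT_PORTS = {
    "tcp": {80, 443, 7734, 7752},
    "udp": {123, 7351, 9350},
}
# Slide 10 notes that TCP/80 works as a tunnel but is inefficient: flag it separately.
INEFFICIENT = {("tcp", 80)}

# Constructed key=value flow records in a generic firewall-export style.
SAMPLE_LOG = """\
ts=1365634800 src=10.0.10.5 dst=198.51.100.20 proto=tcp dport=7734 action=allow
ts=1365634801 src=10.0.10.5 dst=198.51.100.20 proto=udp dport=7351 action=allow
ts=1365634802 src=10.0.10.5 dst=198.51.100.21 proto=udp dport=123 action=allow
ts=1365634803 src=10.0.10.5 dst=198.51.100.20 proto=tcp dport=80 action=allow
ts=1365634804 src=10.0.10.5 dst=203.0.113.9 proto=tcp dport=22 action=allow
ts=1365634805 src=10.0.10.5 dst=198.51.100.20 proto=tcp dport=443 action=deny
"""

# Hypothetical inventory: which LAN addresses are Meraki devices (constructed).
DEVICE_ADDRS = {"10.0.10.5"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one key=value record into a dict, with the port as an int."""
    rec = dict(FIELD_RE.findall(line))
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def classify(rec):
    """Label a flow that originated from a managed device.

    'management'   - documented proto/port and permitted
    'inefficient'  - the TCP/80 fallback tunnel (works, but should not be the norm)
    'blocked-mgmt' - documented port, but the firewall denied it (breaks cloud mgmt)
    'unexpected'   - anything else leaving a device (investigate)
    """
    key = (rec["proto"], rec["dport"])
    documented = rec["dport"] in MGMT_PORTS.get(rec["proto"], set())
    if documented and rec["action"] == "deny":
        return "blocked-mgmt"
    if documented and key in INEFFICIENT:
        return "inefficient"
    if documented:
        return "management"
    return "unexpected"


def audit(log_text, device_addrs=DEVICE_ADDRS):
    """Return (counts, findings): a Counter of labels and every non-'management' record."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["src"] not in device_addrs:
            continue  # only device-originated flows matter for this check
        label = classify(rec)
        counts[label] += 1
        if label != "management":
            findings.append((label, rec["proto"], rec["dport"], rec["dst"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for f in findings:
        print("%-13s %s/%d -> %s" % f)
```

Run against the constructed sample, the audit reports three normal management flows and flags the TCP/80 fallback, the denied TCP/443 flow, and an SSH flow to an address that is not a Meraki shard.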
  11. (no slide text)
  12. - United States: Dallas, TX; San Diego, CA
      - Japan: Tokyo
      - Europe: Dublin, Ireland; London, UK; Germany
      - Latin America: Sao Paulo, Brazil
  13. (no slide text)
  14. [Diagram: MX packet path. Kernel (Click): LAN -> router / DPI engine -> L3 FW, traffic shaping, L7 FW, NAT, DHCP service -> encrypt / encapsulate -> WAN. User space: CF (BrightCloud), AV (Kaspersky), TCP proxy (WAN opt), web proxy (Squid), IDS (Snort), stat server, brain, log & stats]
      - VPN bypasses most services
      - WAN opt is costly (inline and user space)
      - IDS is not inline
      - Modular Click-based configuration
  15. - Uses Snort
      - Full signature set, updated daily
      - IDS only (IPS is trivial but we have reservations)
      - No custom signatures, no signature modification
      - Whitelisting is allowed
      - Memory / CPU intensive
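Slide 15 describes an alert-only Snort deployment where the rule set cannot be edited and whitelisting is the only tuning knob. The example below, added for this transcript and not Meraki's implementation, shows what such a whitelist does to an alert stream: matching alerts are suppressed from what gets reported while the signatures themselves stay untouched. It parses Snort's fast alert format, which is the real one-line-per-alert format; the rule SIDs (in the 1000000+ local range), messages and addresses are constructed, and the two whitelist shapes (bare SID, or SID restricted to one source host such as a sanctioned scanner) are illustrative rather than Meraki's actual dashboard options.

```python
"""Apply an IDS whitelist (rule suppression) to Snort fast-format alerts.

Added example, not Meraki code. SIDs, messages and addresses are constructed.
"""
import re

# Snort "fast" alert format: one line per alert.
# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):?(?P<sport>\d*)\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d*)$"
)

# Constructed alerts: two distinct sources trigger the same "scanner noise" rule.
SAMPLE_ALERTS = """\
04/19-10:00:01.000001  [**] [1:1000001:1] CONSTRUCTED policy alert A [**] [Classification: Policy] [Priority: 3] {TCP} 10.0.10.22:51512 -> 198.51.100.7:80
04/19-10:00:02.000002  [**] [1:1000002:1] CONSTRUCTED scanner noise [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.10.40:40000 -> 10.0.10.1:445
04/19-10:00:03.000003  [**] [1:1000002:1] CONSTRUCTED scanner noise [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.10.41:40001 -> 10.0.10.1:445
04/19-10:00:04.000004  [**] [1:1000003:2] CONSTRUCTED suspicious download [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.0.10.22:51600
"""

# Whitelist entries (constructed): a bare SID suppresses the rule everywhere;
# SID plus "src" suppresses it only for that host (e.g. an authorised scanner).
WHITELIST = [
    {"sid": 1000001},
    {"sid": 1000002, "src": "10.0.10.40"},
]


def parse_alert(line):
    """Parse one fast-format alert line into a dict; SID becomes an int."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    return rec


def is_whitelisted(rec, whitelist=WHITELIST):
    """True if any whitelist entry matches the alert's SID (and source, if given)."""
    for entry in whitelist:
        if entry["sid"] != rec["sid"]:
            continue
        if "src" in entry and entry["src"] != rec["src"]:
            continue
        return True
    return False


def filter_alerts(text, whitelist=WHITELIST):
    """Split alerts into (reported, suppressed) lists of parsed records."""
    reported, suppressed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        (suppressed if is_whitelisted(rec, whitelist) else reported).append(rec)
    return reported, suppressed


if __name__ == "__main__":
    reported, suppressed = filter_alerts(SAMPLE_ALERTS)
    for rec in reported:
        print("REPORT   sid=%(sid)d %(src)s -> %(dst)s  %(msg)s" % rec)
    for rec in suppressed:
        print("SUPPRESS sid=%(sid)d %(src)s -> %(dst)s  %(msg)s" % rec)
```

The source-scoped entry is the one to prefer when tuning: whitelisting SID 1000002 outright would also hide the second scanner source (10.0.10.41), which in this sample is not on the sanctioned list and stays in the report.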
  16. - Uses Kaspersky SafeStream II
      - Full signature set, updated hourly
      - No custom rules
      - AV: flow-based signature match on files (pdf, exe, zip, etc.), JavaScript, HTML, etc.
      - Anti-phishing: URL database
      - Whitelisting is allowed
      - CPU / memory intensive
  17. - Uses Webroot BrightCloud
      - Whitelist / blacklist is allowed
      - HTTPS blocking is based on the certificate exchange
      - Max local URL database: MX60/80/90: 1M; MX400/600: 20M
      - Hybrid (local / cloud) lookup in May
      - Memory intensive (CPU load is minimal)
  18. - ICSA (corporate) certification under way (ETA: mid to late summer)
      - Customer pen tests: Interbank of New Mexico (50 locations); Cumbria Police Department HQ (L2 VPN concentrator for MR)
  19. (no slide text)
  20. By Market Segment (legend: Best, lead with this / Alternative / Possible / Unlikely)
      Enterprise
      - Meraki: Maybe; position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or campus.
      - ASA: Yes; good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs. Premium Cloud Web Security available.
      - ISA 500: No
      - ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW. Premium Cloud Web Security available.
      Commercial Select
      - Meraki: Yes; position where there are lots of small sites or machines to protect. Not for DCs or campus.
      - ASA: Yes; good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs.
      - ISA 500: No
      - ISR G2s: Yes, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW.
      Commercial Mid-Market
      - Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease-of-use requirements are significant.
      - ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
      - ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer's needs.
      - ISR G2s: Yes, where rich security requirements are limited and non-security feature integration (voice, WAN opt, wireless, etc.) is important.
      SMB
      - Meraki: Yes, if the customer is not overly price sensitive.
      - ASA: Unlikely; requires a high level of technical expertise.
      - ISA 500: Yes; cost-optimized solution for SMB.
      - ISR G2s: Unlikely; requires a high level of technical expertise. Managed service may be an option.
  21. By Vertical Customer Segment (legend: Best, lead with this / Alternative / Possible / Unlikely)
      Federal/DoD
      - Meraki: No
      - ASA: Yes
      - ISA 500: No
      - ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments, but not as a full-featured FW.
      SLED
      - Meraki: Yes; schools in particular are an excellent target.
      - ASA: Yes
      - ISA 500: No
      - ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.
      Retail
      - Meraki: Yes; excellent choice for small-box retail shops with limited IT staff and a managed WAN vendor. PCI certified.
      - ASA: Yes; focus on big-box retail or retail deployments with diverse network users connected in store.
      - ISA 500: Maybe; UTM functions can be appealing, but lack of robust central management can hinder sales.
      - ISR G2s: Yes; can meet PCI specs and excellent when integrated voice or WAN is required and the primary goal is to meet PCI.
      Banking
      - Meraki: No; financials are not generally receptive to the cloud-hosted model.
      - ASA: Yes
      - ISA 500: No
      - ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments.
      SP Managed Services
      - Meraki: Yes; excellent multi-tenant management.
      - ASA: Yes; deployed today, but the current lack of a multi-tenant management option will hinder sales.
      - ISA 500: Yes, where cost and UTM coverage are the primary drivers.
      - ISR G2s: Yes; already integrated in most SP OSS systems, quick TTM.
  22. MX Security Appliances: Models
      (Segment; model; recommended deployments; example customer)
      - Teleworker (up to 5 users)
        Z1: teleworkers, kiosks. Example customer: Groupon
      - Small branch (approx. 10-20 users)
        MX60: small retail branch, small clinic. Example customer: Peet's Coffee (220 locations)
        MX60W: with wireless. Example customer: Kindred Healthcare (1500 locations)
      - Medium branch (approx. 20-250 users)
        MX80: mid-size branch, retail branch with web cache. Example customer: Interbank of New Mexico (50 locations)
        MX90: large branch, 8 LAN ports, 2 SFP. Example customer: Hilton Worldwide (20 locations so far)
      - Large branch / campus / concentra