MX Cloud Managed Security Appliance Series

Datasheet | MX

Industry-leading Cloud Management

• Unified WAN, LAN, and wireless LAN management through a web-based dashboard. Scales easily from small deployments to large, multi-site deployments with tens of thousands of devices.
• Role-based administration, email alerts on configuration change, connectivity issues and power loss, auditable change logs.
• Summary reports with user, device, and application usage details archived in the cloud.
• Quarterly feature updates and enhancements delivered on demand from the Cisco Meraki cloud.

Branch Gateway Services

• Built-in DHCP, NAT, QoS, and VLAN management services.
• Web caching: accelerates frequently accessed content.
• Link bonding: combines multiple WAN links into a single high-speed interface, with policies for QoS, traffic shaping, and failover.
• Layer 3 failover: automatic detection of layer 2 and layer 3 outages and fast failover, including 3G/4G USB modems.
• WAN optimization: data redundancy elimination, protocol optimization, and compression provide bandwidth savings up to 99%.

Next Generation Firewall Capabilities

• Application-aware traffic control: set bandwidth policies based on Layer 7 application type (e.g., YouTube, Skype, P2P).
• Content filtering: CIPA-compliant content filter, web (Google/Bing) search filtering, and YouTube for Schools.
• Intrusion detection: PCI-compliant IDS sensor using industry-leading Snort database from Sourcefire.
• Anti-virus and anti-phishing: flow-based protection engine powered by Kaspersky.
• Identity-based filtering and application bandwidth management

Auto VPN

• Site-to-site VPN: automatic routing table generation, provisioning and key exchange via Cisco Meraki’s secure cloud.
• Interoperates with standards-based IPsec VPNs.
• Client VPN: L2TP IPsec support for native Windows, Mac OS X, iPad and Android clients with no per-user licensing fees.
Overview

Cisco Meraki MX Security Appliances make it easy to deploy high quality network infrastructure to large numbers of distributed sites. Since the MX is 100% cloud managed, installation and remote management is simple. The MX has a comprehensive suite of network services, eliminating the need for multiple appliances. Services include a next-generation firewall, content filtering, web search filtering, intrusion detection, web caching, WAN optimization, and link bonding with failover.

  • Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | [email protected]

    Cloud Managed Architecture

    Built on Cisco Meraki’s award-winning cloud-managed architecture, the MX is the only 100% cloud-managed networking and security appliance. MX appliances self-provision, automatically pulling policies and configuration settings from the cloud. Powerful remote tools provide network-wide visibility and control, and enable administration without on-site networking expertise. Cloud services deliver seamless firmware and security signature updates, automatically establish site-to-site VPN tunnels, and provide 24x7 network monitoring. Moreover, the MX’s browser-based management dashboard completely eliminates the need for training.

    Inside the Cisco Meraki MX (MX400 shown, features vary by model)

    • Redundant Power: reliable, energy efficient design
    • WAN Optimization: 1TB SATA disk
    • Multiple Uplink Ports: link bonding / failover
    • 3G/4G Modem Support: automatic wireless failover
    • 10Gb Ethernet/SFP+ Ports: for switch connectivity
    • Enhanced CPU: Layer 3-7 firewall and traffic shaping
    • Additional Memory: for content filtering

    Ironclad Security for Edge Networks

    The MX hardware platform is purpose-built for Layer 7 deep packet inspection, with advanced security features including intrusion detection (IDS), content filtering, web search filtering, anti-virus/anti-phishing, and IPsec VPN connectivity, while providing the throughput and capacity for modern, bandwidth-intensive networks.

    Layer 7 fingerprinting technology lets administrators identify unwanted content and applications and prevent recreational apps like BitTorrent from wasting precious bandwidth.

    The integrated Sourcefire® Snort® engine delivers superior intrusion detection coverage, a key requirement for PCI 2.0 compliance. The MX also uses the Webroot® BrightCloud URL categorization database for CIPA/IWF compliant content-filtering, and Kaspersky® SafeStream engine for anti-virus/anti-phishing filtering.

    Best of all, these industry-leading Layer 7 security engines and signatures are always kept up-to-date via the cloud, simplifying network security management and providing peace-of-mind to IT administrators.

    Figure: Organization Level Threat Assessment

    Figure: Cisco Meraki Cloud Management Architecture

    Increased Reliability with Multiple WAN Links and 3G/4G Failover

    Multiple WAN ports with balancing and failover enable the use of redundant commodity Internet connections, providing additional bandwidth and higher reliability. For remote sites where multiple wireline providers are difficult to secure, the Cisco Meraki MX can fail over to 3G/4G wireless Internet connections.

    Reduce Bandwidth Costs with Web Caching and WAN Optimization

    Web caching temporarily stores video, media, and web documents, lowering bandwidth usage and accelerating the download speed of Internet content like YouTube videos and other media.

    WAN optimization dramatically improves application performance and reduces bandwidth requirements at remote sites. All Cisco Meraki MX appliances include WAN optimization at no additional charge. The MX60 and MX60W feature basic WAN optimization, while the MX80, MX90, MX400, and MX600 feature advanced WAN optimization.

    Basic WAN optimization includes link compression and protocol optimization. Link compression reduces TCP traffic by 20%-30%, and protocol optimization accelerates Windows File Sharing (CIFS), FTP, and HTTP transfers.

    Advanced WAN optimization adds high-capacity byte-level caching for additional performance improvements, employing a universal data store to maximize the effectiveness of the cache.

    Figure: Auto Configuring Site-to-Site VPN

    Figure: Next Gen Application Firewall and Traffic Visibility

    Figure: User and Device Fingerprints

    Figure: Identity Based Policy Management

    Figure: WAN Optimization

    Figure: Link Bonding and Failover

    Accessories / Optics

    Supported Cisco Meraki accessory modules for MX90, MX400 and MX600.

    Accessories

    The Cisco Meraki MX90, MX400, and MX600 models support pluggable optics for high-speed backbone or link aggregation connections between wiring closets or to aggregation switches. Cisco Meraki offers several standards-based Gigabit and 10 Gigabit pluggable modules. Each appliance has also been tested for compatibility with several third-party modules.

    Interface Modules for MX400 and MX600

    Model | Description
    IM-8-CU-1GB | Cisco Meraki 8 x 1 GbE Copper Interface Module for MX400 and MX600
    IM-8-SFP-1GB | Cisco Meraki 8 x 1 GbE SFP Interface Module for MX400 and MX600
    IM-2-SFP-10GB | Cisco Meraki 2 x 10 GbE SFP+ Interface Module for MX400 and MX600

    Pluggable (SFP) Optics for MX90, MX400, MX600

    Model | Description
    SFP-1GB-SX | Cisco Meraki 1 GbE SFP SX Fiber Module (1000BASE-SX, range: 550m)
    SFP-10GB-SR | Cisco Meraki 10 GbE Short Range SFP+ Module (10GBASE-SR, range: 400m)
    CBL-TA-1M | Cisco Meraki 10 GbE Twinax Cable with SFP+ Connectors (10GSFP+Cu, range: 1m)

    Note: Please refer to meraki.com for additional single-mode and multi-mode fiber transceiver modules

    MX60W with Integrated Wireless

    The MX60W integrates Cisco Meraki’s award-winning wireless technology with the powerful MX network security features in a compact form factor ideal for branch offices or small enterprises:

    • 1 x 802.11b/g/n or 802.11a/n radio, 3x3 MIMO with 3 spatial streams
    • Unified management of network security and wireless
    • Integrated enterprise security and guest access
    • Application-aware traffic analysis and traffic shaping

    Figure: MX60W Security Appliance

    Z1 Telecommuter Gateway

    The Z1 Telecommuter Gateway extends the power of the Cisco Meraki dashboard and cloud-based centralized management to employees, IT staff and executives working from home.

    Using the patent-pending Cisco Meraki Auto VPN, Administrators can extend network services including VoIP and remote desktop (RDP) to remote employees with a single-click, provide wired and wireless access, and increase end-user productivity through Layer 7 traffic shaping and prioritization.

    • 1 x 802.11b/g/n radio, 1 x 802.11a/n radio, 2x2 MIMO with 2 spatial streams
    • Site-to-site (IPsec) VPN using Cisco Meraki Auto VPN
    • Layer 7 application visibility and traffic shaping

    For detailed specs, please see the Z1 datasheet

    Figure: Z1 Telecommuter Gateway

    Lifetime Warranty with Next-day Advanced Replacement

    Cisco Meraki MX appliances include a limited lifetime hardware warranty that provides next-day advance hardware replacement. Cisco Meraki’s simplified software and support licensing model also combines all software upgrades, centralized systems management, and phone support under a single, easy-to-understand model. For complete details, please visit www.meraki.com/support.

    Product Options

    Specification | MX60 / MX60W | MX80 | MX90 | MX400 | MX600
    Recommended use cases | Small retail branch, small clinic (approx. 20 users) | Midsize branch (approx. 100 users) | Large branch, 8 LAN ports, 2 SFP (approx. 250 users) | K-12 firewall / VPN concentrator (approx. 2,000 users) | Large K-12 firewall, VPN concentrator (approx. 10,000 users)
    Stateful Firewall Throughput | 100 Mbps | 250 Mbps | 500 Mbps | 1 Gbps | 2 Gbps
    Advanced Security Throughput | 50 Mbps | 125 Mbps | 225 Mbps | 325 Mbps | 650 Mbps
    Maximum site-to-site VPN sessions | 20 | 50 | 125 | 2,000 | 5,000
    Interfaces | 5 x GbE | 5 x GbE | 9 x GbE, 2 x GbE (SFP) | 4 x GbE | 4 x GbE
    Additional Interface Modules | N/A | N/A | N/A | 8 x GbE (RJ45), 8 x GbE (SFP), 4 x 10GbE (SFP+) (2 modules max) | 8 x GbE (RJ45), 8 x GbE (SFP), 4 x 10GbE (SFP+) (2 modules max)
    Web Caching | N/A | Yes | Yes | Yes | Yes
    WAN Optimization | Basic | Advanced | Advanced | Advanced | Advanced
    Hard Drive* | N/A | 1 TB | 1 TB | 1 TB | 4 x 1 TB (RAID)
    USB for 3G/4G Failover | Yes | Yes | Yes | Yes | Yes
    Mounting | Desk / Wall | 1U rack | 1U rack | 1U rack | 2U rack
    Dimensions | 9.5” x 6.7” x 1.14” (239 mm x 170 mm x 34 mm) | 19.0” x 10.0” x 1.75” (483 mm x 254 mm x 44 mm) | 19.0” x 10.0” x 1.75” (483 mm x 254 mm x 44 mm) | 19.0” x 22.0” x 1.75” (483 mm x 559 mm x 44 mm) | 19.0” x 22.0” x 3.5” (483 mm x 559 mm x 89 mm)
    Weight | 3.04 lb (1.4 kg) | 8 lb (3.6 kg) | 9 lb (4.1 kg) | 33 lb (15.0 kg) | 53 lb (24.0 kg)
    Power Supply | 18W DC (included) | 100-220V 50/60Hz AC | 100-220V 50/60Hz AC | 100-220V 50/60Hz AC (dual) | 100-220V 50/60Hz AC (dual)
    Power Load (idle/max) | 4W / 10W (MX60), 6W / 13W (MX60W) | 26W / 32W | 28W / 35W | 123W / 215W | 132W / 226W
    Operating Temperature | 32°F to 104°F (0°C to 40°C) | 32°F to 104°F (0°C to 40°C) | 32°F to 104°F (0°C to 40°C) | 32°F to 104°F (0°C to 40°C) | 32°F to 104°F (0°C to 40°C)
    Humidity | 5% to 95% | 5% to 95% | 5% to 95% | 5% to 95% | 5% to 95%

    *Note: Hard drive is used for web caching and advanced WAN Optimization, which includes byte-level object caching.

    Specifications

    Management

    • Managed via the web using the Cisco Meraki dashboard
    • Single pane-of-glass into managing wired and wireless networks
    • No-touch remote deployment (no staging needed)
    • Automatic firmware upgrades and security patches
    • Centralized policy management
    • Org-level two-factor authentication and single sign-on
    • Role based administration with change logging and alerts

    Monitoring and Reporting

    • Throughput, connectivity monitoring and email alerts
    • Detailed historical per-port and per-client usage statistics
    • Application usage statistics
    • Org-level change logs for compliance and change management
    • VPN tunnel and latency monitoring
    • Network asset discovery and user identification
    • Periodic emails with key utilization metrics
    • Syslog integration

    Remote Diagnostics

    • Live remote packet capture
    • Real-time diagnostic and troubleshooting tools
    • Aggregated event logs with instant search

    Network and Security Services

    • Stateful firewall, 1:1 NAT, DMZ
    • Identity-based policies
    • Auto VPN: Automated site-to-site (IPsec) VPN, for hub-and-spoke or mesh topologies
    • Client (IPsec L2TP) VPN
    • Multiple WAN IP, PPPoE, NAT
    • VLAN support and DHCP services
    • Static routing
    • User and device quarantine

    WAN Performance Management

    • Web caching
    • WAN link aggregation
    • Automatic Layer 3 failover (including VPN connections)
    • 3G/4G USB modem failover
    • Application level (Layer 7) traffic analysis and shaping
    • Ability to choose WAN uplink based on traffic type

    Note: Web caching is not available on the MX60 or MX60W models.

    WAN Optimization

    • Byte-level caching
    • Universal data store with data redundancy elimination
    • TCP transport compression and optimization
    • Protocol optimization (CIFS, HTTP, FTP)

    Note: MX60 / MX60W have basic WAN optimization, which includes protocol optimization and link compression, but limited caching.

    Advanced Security Services

    • Content filtering (Webroot BrightCloud CIPA compliant URL database)
    • Web search filtering (including Google / Bing SafeSearch)
    • YouTube for Schools
    • Intrusion-detection sensor (Sourcefire SNORT® based)
    • Anti-virus engine and anti-phishing filtering (Kaspersky SafeStream II engine)

    Note: Advanced security services require Advanced Security license.

    Integrated Wireless

    • 1 x 802.11a/b/g/n (2.4 GHz or 5 GHz)
    • Max data rate 450 Mbit/s
    • 3x3 MIMO with 3 spatial streams, beamforming
    • 3 external dual-band dipole antennas (connector type: RP-SMA)
    • Antenna gain: [email protected], 3.5 dBi @ 5 GHz
    • WEP, WPA, WPA2-PSK, WPA2-Enterprise with 802.1X authentication
    • Regulatory: FCC (US), IC (Canada), CE (Europe), C-Tick (Australia / New Zealand), RoHS

    Note: Integrated wireless is only available on the MX60W model.

    Regulatory

    • FCC (US)
    • CB (IEC)
    • CISPR (Australia / New Zealand)

    Warranty

    Full lifetime hardware warranty with next-day advanced replacement included.

    Model | License | Description
    MX60-HW | LIC-MX60-ENT-1YR | Cisco Meraki MX60, 1 year Enterprise License and Support
    MX60-HW | LIC-MX60-ENT-3YR | Cisco Meraki MX60, 3 year Enterprise License and Support
    MX60-HW | LIC-MX60-ENT-5YR | Cisco Meraki MX60, 5 year Enterprise License and Support
    MX60-HW | LIC-MX60-SEC-1YR | Cisco Meraki MX60, 1 year Advanced Security License and Support
    MX60-HW | LIC-MX60-SEC-3YR | Cisco Meraki MX60, 3 year Advanced Security License and Support
    MX60-HW | LIC-MX60-SEC-5YR | Cisco Meraki MX60, 5 year Advanced Security License and Support
    MX60W-HW | LIC-MX60W-ENT-1YR | Cisco Meraki MX60W, 1 year Enterprise License and Support
    MX60W-HW | LIC-MX60W-ENT-3YR | Cisco Meraki MX60W, 3 year Enterprise License and Support
    MX60W-HW | LIC-MX60W-ENT-5YR | Cisco Meraki MX60W, 5 year Enterprise License and Support
    MX60W-HW | LIC-MX60W-SEC-1YR | Cisco Meraki MX60W, 1 year Advanced Security License and Support
    MX60W-HW | LIC-MX60W-SEC-3YR | Cisco Meraki MX60W, 3 year Advanced Security License and Support
    MX60W-HW | LIC-MX60W-SEC-5YR | Cisco Meraki MX60W, 5 year Advanced Security License and Support
    MX80-HW | LIC-MX80-ENT-1YR | Cisco Meraki MX80, 1 year Enterprise License and Support
    MX80-HW | LIC-MX80-ENT-3YR | Cisco Meraki MX80, 3 year Enterprise License and Support
    MX80-HW | LIC-MX80-ENT-5YR | Cisco Meraki MX80, 5 year Enterprise License and Support
    MX80-HW | LIC-MX80-SEC-1YR | Cisco Meraki MX80, 1 year Advanced Security License and Support
    MX80-HW | LIC-MX80-SEC-3YR | Cisco Meraki MX80, 3 year Advanced Security License and Support
    MX80-HW | LIC-MX80-SEC-5YR | Cisco Meraki MX80, 5 year Advanced Security License and Support
    MX90-HW | LIC-MX90-ENT-1YR | Cisco Meraki MX90, 1 year Enterprise License and Support
    MX90-HW | LIC-MX90-ENT-3YR | Cisco Meraki MX90, 3 year Enterprise License and Support
    MX90-HW | LIC-MX90-ENT-5YR | Cisco Meraki MX90, 5 year Enterprise License and Support
    MX90-HW | LIC-MX90-SEC-1YR | Cisco Meraki MX90, 1 year Advanced Security License and Support
    MX90-HW | LIC-MX90-SEC-3YR | Cisco Meraki MX90, 3 year Advanced Security License and Support
    MX90-HW | LIC-MX90-SEC-5YR | Cisco Meraki MX90, 5 year Advanced Security License and Support
    MX400-HW | LIC-MX400-ENT-1YR | Cisco Meraki MX400, 1 year Enterprise License and Support
    MX400-HW | LIC-MX400-ENT-3YR | Cisco Meraki MX400, 3 year Enterprise License and Support
    MX400-HW | LIC-MX400-ENT-5YR | Cisco Meraki MX400, 5 year Enterprise License and Support
    MX400-HW | LIC-MX400-SEC-1YR | Cisco Meraki MX400, 1 year Advanced Security License and Support
    MX400-HW | LIC-MX400-SEC-3YR | Cisco Meraki MX400, 3 year Advanced Security License and Support
    MX400-HW | LIC-MX400-SEC-5YR | Cisco Meraki MX400, 5 year Advanced Security License and Support
    MX600-HW | LIC-MX600-ENT-1YR | Cisco Meraki MX600, 1 year Enterprise License and Support
    MX600-HW | LIC-MX600-ENT-3YR | Cisco Meraki MX600, 3 year Enterprise License and Support
    MX600-HW | LIC-MX600-ENT-5YR | Cisco Meraki MX600, 5 year Enterprise License and Support
    MX600-HW | LIC-MX600-SEC-1YR | Cisco Meraki MX600, 1 year Advanced Security License and Support
    MX600-HW | LIC-MX600-SEC-3YR | Cisco Meraki MX600, 3 year Advanced Security License and Support
    MX600-HW | LIC-MX600-SEC-5YR | Cisco Meraki MX600, 5 year Advanced Security License and Support

    Ordering Guide

    To place an order for an MX appliance, pair a specific hardware model with a single license (which includes cloud services, software upgrades and support). For example, to order an MX90 with 3 years of Advanced Security license, order an MX90-HW with LIC-MX90-SEC-3YR. Lifetime warranty with advanced replacement is included on all hardware at no additional cost.

    *Note: For each MX product, additional 7 or 10 year Enterprise or Advanced Security licensing options are also available (ex: LIC-MX90-SEC-7YR).