Secure your branch office with the Cisco Meraki MX
BRKSEC-2900
Daghan Altas
Product Manager
Cisco CNG
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2900 Cisco Public
Agenda
• Problem
• Cisco CNG
• Live network creation demo (45m)
• Product Brief
• Q&A
What if my firewall dies?
What if my Internet goes down?
What about DR?
What happens if I discover a threat?
How can I keep my PCI traffic isolated from guest traffic?
I need a solution that just works!
We have a small team responsible for 1000 store networks
I pay too much for MPLS!
BYOM!
How do I discover a threat?
WAN access needs to change
Cost, Agility, Security
• Bandwidth costs
– MPLS costs
– Increased bandwidth demands
• High cost and complexity of network management
– Truck rolls
– Zero local IT
– Difficulty with troubleshooting
• CPE complexity
– Management
– Configuration
• New WAN architecture demands
– Agility
– Migration to Metro-E
– Adoption of Internet (and DIA)
– Service creation
– Intelligent QoS
• Security is more important than ever
– Direct Internet Access to SaaS
– Guest wireless access
– BYOD
– APT protection
Cisco Cloud-managed Networking Group
• Cisco Meraki: a complete cloud-managed networking solution
– Wireless, switching, security, WAN optimization, and MDM
– Built from the ground up for cloud management
• Leader in cloud-managed networking
– Among Cisco’s fastest-growing portfolios: over 100% annual growth
– Tens of millions of devices connected worldwide
• Recognized for innovation
– Gartner Magic Quadrant, InfoWorld Technology of the Year, CRN Coolest Technologies
Trusted by thousands of customers worldwide:
Today: 100% cloud managed edge networking
• Cisco Meraki MR: Wireless LAN
• Cisco Meraki MX: Security Appliances
• Cisco Meraki MS: Ethernet Switches
• Cisco Meraki SM: Mobile Device Management
Cloud-managed networking architecture
• Network endpoints securely connected to the cloud
• Cloud-hosted centralized management platform
• Intuitive browser-based dashboard
The EU Cloud
• EU privacy laws limit the transfer of private data out of the EU
• Meraki EU Cloud features local datacenters: Frankfurt, Munich, Dublin
• Management info, user traffic analytics, location data never leave the EU
Scalable, secure networks that comply with EU privacy regulations
A complete Unified Threat Management solution
• Application Control: WAN Optimization, Traffic Shaping, Content Filtering
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
• Networking: NAT/DHCP, 3G/4G failover, Static Routing, Link Balancing
7 models scaling from teleworker and small branch to campus / datacenter
Why choose the Cisco Meraki MX?
• Intuitive centralized management
– No training, no command line
– Templates to configure at-scale
– Packet capture, built-in tools and diagnostics
• Industry-leading visibility
– Fingerprints users, applications, and devices
– Network-wide monitoring and alerts
– Full stack: APs, switches, Security, MDM
• Designed for distributed enterprises
– Single pane of glass visibility
– Zero-touch provisioning
– Seamless updates from the cloud
– Site-to-site IPSec VPN in 3 clicks
Ironclad security
• Best IPS: Sourcefire IDS / IPS, updated every day
• Content filtering: 4+ billion URLs, updated in real-time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management
Rock-solid UTM for multi-site organizations
Why Cisco Meraki MX?
• Lean IT staff; needed centralized remote management for easily-deployed UTMs (zero-touch)
• Intuitive site-to-site VPN
• HIPAA compliant
• Needed single-box solution (MX60W) for security and wireless at rehabilitation centers
• Guest hotspots provided with MX60W Wi-Fi and 3G/4G uplinks
• Largest diversified provider of post-acute care in USA
• 2000+ locations in 46 states, 75,000+ employees
Penn Mutual saves $858K
• Projects / Pain Points:
– Implement a BYOD platform at 50 remote sites
– Managed Service Provider & MPLS costs
• Solution:
– Complete Meraki Stack: MR, MS, MX
– Phase off MPLS to Broadband
• Business Outcomes:
– Reduced Telco Spend by 40%
– Single platform in branch improved IT efficiency
Demo: Resilient WAN and security under 30 min
• HA within DC
• DC to DC failover
• WAN link failover (4G)
• Automated VPN between sites
• Full UTM features
– IPS
– Content Filtering
– AV
– L7 firewall rules
[Diagram: demo topology connected over the Internet]
• DC1: 10.2.0.0/16, Template: West, 10.2.0.10
• DR: 10.2.0.0/16, Template: East, 10.2.0.10
• Branch1: 192.168.1.0/24
End goal: DC-to-DC failover and load-balancing
[Diagram: two datacenter HA pairs reached over the Internet]
• DC1 HA pair: branches connected to DC1 (active VPN tunnel)
• DC2 HA pair: branches connected to DC2 (active VPN tunnel)
• Failover VPN tunnels shown alongside the active tunnels
Introducing the MX64 / MX64W
MX64 / MX64W
Speed
• Industry’s first 802.11ac UTM
• Dual radio
• ~3X speed of 11n wireless
• 2-3X faster than MX60 / MX60W
Security
• UTM provides one-stop security
• IPS, content filtering, malware / anti-phishing
– Seamless, automatic updates
• PCI 3.0-certified cloud backend
SKU                 List Price
MX64-HW             $595
LIC-MX64-ENT-3Y     $600
LIC-MX64-SEC-3Y     $1200
MX64W-HW            $945
LIC-MX64W-ENT-3Y    $650
LIC-MX64W-SEC-3Y    $1300
What is IWAN?
“Intelligent WAN” (IWAN) is a collection of Cisco technologies and products that enable transport independence, intelligent path control, application optimization, and secure connectivity for multi-site deployments.
Transport Independence
• IPsec overlay (Auto VPN)
• Scalable (cloud architecture)
• Traffic distribution over multiple pathways (Internet, cellular, MPLS)
Application Optimization
• App visibility & control (Meraki dashboard, group-based policies, traffic analytics)
• Application QoS & bandwidth optimization (Traffic shaping)
Intelligent Path Control
• Uplink chosen by link latency, data loss, etc. (PfR, aka performance-based routing)
• Uplink assigned by traffic protocol, subnet, source, destination, etc. (PbR, aka policy-based routing)
Secure Connectivity
• Intuitive, automatic, scalable VPN solution to connect remote branch sites (Auto VPN)
Upcoming IWAN features for the MX (FQ3)
• Dual-active path:
– Active-active VPN + VPN
– Active-active VPN + MPLS
• Policy-based routing (PbR):
– Allows uplinks to be intelligently assigned based on traffic protocol, subnet, source, destination, etc.
• Performance-based routing (PfR):
– Ensures the best uplink is used based on latency and loss metrics
Choosing the right MX for your environment
(Model: where; throughput; features)
• Z1: for teleworkers (1-5 users); FW throughput: 50 Mbps; dual-radio wireless
• MX64/64W: small branches (~25 users); 100 Mbps; Wireless (MX60W)
• MX80: mid-size branches (~100 users); 250 Mbps; large Web cache (1TB)
• MX100: mid-size branches (~500 users); 500 Mbps; SFP ports, large Web cache (1TB)
• MX400: large branch / campus (~2,000 users); 1 Gbps; modular interface, large Web cache (1TB)
• MX600: large branch / campus (~10,000 users); 2 Gbps; modular interface, large Web cache (4TB)
All devices support 3G/4G
MX Security Appliances: Licenses
Enterprise License
• Stateful firewall
• Site to site VPN
• Branch routing
• Link bonding and failover
• Application control
• Web caching
• WAN optimization
• Client VPN
Advanced Security License
• All enterprise features, plus
• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• SourceFire IPS / IDS
• Geo-based firewall rules
EU Cloud
https://meraki.cisco.com/lib/pdf/meraki_datasheet_eu_cloud.pdf
Free evaluations available
• Try Cisco Meraki with no risk or commitment
• Complimentary technical assistance available
• Start trial at meraki.cisco.com/eval
Call to Action
• Visit the World of Solutions for
– Cisco Campus
– Walk in Labs
– Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015