MX deep dive (PPT transcript)
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1
Meraki MX Security Appliances
Daghan Altas, Product Manager
4/19/2013
• MX overview
• Demo
• Dashboard architecture
• MX deep dive
• Positioning
• Competition
• Roadmap
• Q&A
• Additional resources
Application control: WAN optimization, traffic shaping, content filtering
Security: NG firewall, client VPN, site-to-site VPN
Networking: NAT/DHCP, routing, link balancing
Key features and details
Cloud-based management: PCI L1 certified; single pane of glass
Auto VPN: single-click VPN (with failover to WAN2 or 4G); hub-and-spoke or mesh (spoke-to-spoke)
Content filtering: Webroot BrightCloud (85 categories); local database + cloud lookup
Google SafeSearch / YouTube for Schools: table stakes for K-12; also HTTPS search enforcement
Web caching: based on Squid proxy; on MX80 or above
Intrusion detection: Sourcefire Snort® based; org-level reporting
Layer 7 client tracking / NG firewall: all Meraki products use the same signatures; firewall as well as traffic shaper
WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization
Anti-virus / anti-phishing: Kaspersky SafeStream II (flow based); files and JavaScript protection
New features
• Google safe-search
• YouTube for schools
• HTTPS search blocking
• Web caching
Improvements
• Hub-n-spoke VPN
• IP-based client fingerprinting
• Identity-based group policies
• Hybrid (local/cloud) web filtering*
*May 2013
Meraki’s out-of-band control plane
[Diagram: each device sends only management data (about 1 kb/s) across the WAN to the cloud; user traffic never crosses it.]
Scalable
– Modern clustered design on commodity servers
– Any one customer only a small fraction of load
Out of band
– No user traffic passes through cloud
– Network is fully functional without cloud connectivity
Reliable
– Each customer talks to 2 datacenters (active / passive)
– 3rd backup DC in case both active / passive DCs fail
– All 3 DCs are geo separated
Compliant
– Fully HIPAA / PCI L1 compliant
– DCs in N.A., E.U., Brazil, APAC
– SSAE16
• Servers connect to the public internet and rely on their own firewall for protection.
• Customers partitioned across Meraki servers
• Each partition is called a “shard”
• Effectively one 1U RAIDed server plus one 1U backup
• Goal: maximize # of customers we can host per shard
• Shards are connected to the public internet via gigE and to each other (over an untrusted connection) via gigE.
• Example numbers from a representative shard:
• 15,000 Meraki devices (APs, firewalls, switches)
• 300,000 clients (laptops, servers, printers) per day
• Total of 300 GB of stats, dating back over a year
• Gathers new data from every device every 45 seconds
Shard software stack: x86 machine (not virtualized), Linux 2.6, firewall (iptables), database (PostgreSQL), web server (Apache and nginx), application server (Rails).
• Shards call the devices
Devices are the server, cloud is the client
Asynchronous / event-driven (fast)
One call for all data collection
• Secure / efficient connection
Google protobufs for low overhead
SSL-based connection
Authentication using a per-device shared secret.
• Port / IP requirements
Port 80 (TCP): we can tunnel over port 80 but it is not efficient
Other TCP ports: 443, 7734, 7752
UDP ports: 123, 7351, 9350
[Diagram: the event-driven RPC engine creates one request on behalf of every module (LLDP module, client-probing module, other modules), processes the response and writes the results to the database.]
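The handshake below is an added illustration of the per-device shared-secret authentication this slide mentions; it is example code, not Meraki's protocol. The deck says only that the cloud is the RPC client, the device is the server, and a per-device secret is used. The HMAC-SHA256 challenge-response, the direction tags, the serial numbers and the secret values are all assumptions made for the example. What it demonstrates is why the secret must be per device: a shard that holds the wrong secret (for instance one lifted from a different appliance) fails the handshake, and a captured reply cannot be replayed because every connection gets a fresh challenge. In the real system this would run inside the SSL connection the slide describes, which additionally protects the nonces and proofs in transit.

```python
import hashlib
import hmac
import os

# Constructed per-device secrets keyed by serial number. Real secrets are
# provisioned per unit; these serials and values are made up for the example.
DEVICE_SECRETS = {
    "Q2XX-0000-0001": bytes.fromhex("9f1c" * 16),
    "Q2XX-0000-0002": bytes.fromhex("3a7e" * 16),
}


def mac(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) differ."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Device:
    """Appliance side. In the deck's RPC model the device is the server, so it
    issues a fresh challenge for every connection the cloud opens."""

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self.secret = secret
        self.pending = None  # challenge issued but not yet answered

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def verify_cloud(self, cloud_nonce: bytes, cloud_proof: bytes):
        """Check the cloud's proof; on success return the device's own proof."""
        if self.pending is None:
            return None
        ctx = (self.serial.encode(), self.pending, cloud_nonce)
        self.pending = None  # single use: a replayed proof meets a new nonce
        expected = mac(self.secret, b"cloud->device", *ctx)
        if not hmac.compare_digest(expected, cloud_proof):
            return None
        # Different direction tag, so the cloud's proof cannot be reflected back.
        return mac(self.secret, b"device->cloud", *ctx)


class Cloud:
    """Shard side. The cloud is the client and holds one secret per device."""

    def __init__(self, secrets_by_serial: dict):
        self.db = dict(secrets_by_serial)

    def respond(self, serial: str, device_nonce: bytes):
        secret = self.db.get(serial)
        if secret is None:
            return None  # unknown device: nothing to prove with
        cloud_nonce = os.urandom(16)
        proof = mac(secret, b"cloud->device", serial.encode(), device_nonce, cloud_nonce)
        return cloud_nonce, proof

    def verify_device(self, serial: str, device_nonce: bytes,
                      cloud_nonce: bytes, device_proof: bytes) -> bool:
        expected = mac(self.db[serial], b"device->cloud",
                       serial.encode(), device_nonce, cloud_nonce)
        return hmac.compare_digest(expected, device_proof)


def run_handshake(cloud: Cloud, device: Device) -> bool:
    """Mutual authentication: succeeds only if both sides hold the same secret."""
    device_nonce = device.challenge()
    reply = cloud.respond(device.serial, device_nonce)
    if reply is None:
        return False
    cloud_nonce, cloud_proof = reply
    device_proof = device.verify_cloud(cloud_nonce, cloud_proof)
    if device_proof is None:
        return False
    return cloud.verify_device(device.serial, device_nonce, cloud_nonce, device_proof)


def replay_is_rejected(cloud: Cloud, device: Device) -> bool:
    """Capture a valid cloud reply, then replay it against a fresh challenge."""
    captured = cloud.respond(device.serial, device.challenge())
    device.challenge()  # new connection, new nonce
    return device.verify_cloud(*captured) is None


if __name__ == "__main__":
    dev = Device("Q2XX-0000-0001", DEVICE_SECRETS["Q2XX-0000-0001"])
    print("genuine shard:", run_handshake(Cloud(DEVICE_SECRETS), dev))
    wrong = Cloud({"Q2XX-0000-0001": DEVICE_SECRETS["Q2XX-0000-0002"]})
    print("shard holding another device's secret:", run_handshake(wrong, dev))
    print("replay rejected:", replay_is_rejected(Cloud(DEVICE_SECRETS), dev))
```

The per-device scope is the property worth checking in any such design: the blast radius of one leaked secret is one appliance, not the fleet, and `hmac.compare_digest` keeps the comparison constant-time on both ends.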
• United States
Dallas, TX
San Diego, CA
• Japan
Tokyo
• Europe
Dublin, Ireland
London, UK
Germany
• Latin America
Sao Paulo, Brazil
[Architecture diagram: a Click-based packet path in the kernel between LAN and WAN (router / DPI engine, L3 FW, traffic shaping, L7 FW, NAT, encrypt / encapsulate for VPN), with user-space services beside it: DHCP service, TCP proxy (WAN opt), web proxy (Squid), IDS (Snort), content filtering (BrightCloud), AV (Kaspersky), stat server, "Brain", log & stats.]
• VPN traffic bypasses most of the services
• WAN optimization is costly (inline and in user space)
• IDS is not inline (Snort inspects a copy of the traffic, so it detects but cannot block)
• Modular Click-based configuration
• Uses SNORT®
• Full signature set
• Updated daily
• IDS only: adding IPS would be trivial, but we have reservations
• No custom signatures
• No signature modification
• Whitelisting is allowed
• Memory / CPU intensive
• Uses Kaspersky SafeStream II
• Full signature set
• Updated hourly
• No custom rules
• AV: flow-based signature match
Files (pdf, exe, zip, etc.)
JavaScript, HTML, etc.
• Anti-phishing: URL database
• Whitelisting is allowed
• CPU / Memory intensive
• Uses Webroot BrightCloud
• Whitelist / blacklist is allowed
• HTTPS blocking is based on the certificate exchange (the server certificate sent in the clear during the TLS handshake; the session itself is not decrypted)
• Max local URL database
MX60/80/90: 1M
MX400/600: 20M
• Hybrid (local / cloud) lookup in May
• Memory intensive (CPU load is minimal)
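As an added example (not code from the deck or from Meraki), here is how HTTPS filtering can classify a connection by hostname without decrypting it. The slide says the MX matches on the certificate exchange; this example instead reads the server_name (SNI) extension of the TLS ClientHello, which carries the same hostname earlier in the same clear-text handshake, and returns a "needs-certificate" verdict when SNI is absent, which is where certificate matching would take over. The category database, the hostnames, the blocked-category set and the ClientHello builder are all constructed for the example.

```python
import struct
from typing import Optional, Tuple

# Constructed stand-in for a category database (the real one is BrightCloud's).
CATEGORY_DB = {
    "example-gambling.test": "Gambling",
    "school-portal.test": "Education",
}
BLOCKED_CATEGORIES = {"Gambling"}

SNI_EXT = 0x0000
PADDING_EXT = 0x0015


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS 1.2-style ClientHello: a padding extension first and,
    when a name is given, a server_name (SNI) extension after it."""
    exts = struct.pack("!HH", PADDING_EXT, 4) + bytes(4)
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)              # client_version, random
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None when the
    record is not a ClientHello, is truncated, or carries no server_name."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:     # truncated / not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # skip version and random
        pos += 1 + body[pos]                       # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                       # compression methods
        if pos >= len(body):                       # legacy hello, no extensions
            return None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT:
                lp, lend = pos + 2, pos + elen     # skip server_name_list length
                while lp + 3 <= lend:
                    ntype = body[lp]
                    nlen = struct.unpack("!H", body[lp + 1:lp + 3])[0]
                    if ntype == 0:                 # host_name entry
                        name = body[lp + 3:lp + 3 + nlen].decode("ascii")
                        return name.rstrip(".").lower()
                    lp += 3 + nlen
                return None
            pos += elen                            # unknown extension: skip it
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def https_verdict(record: bytes, allowlist=frozenset()) -> Tuple[Optional[str], Optional[str], str]:
    """Classify an HTTPS connection by hostname only; nothing is decrypted."""
    host = extract_sni(record)
    if host is None:
        # No SNI: the next clear-text hostname is in the server certificate,
        # which is what the slide says the MX matches on.
        return None, None, "needs-certificate"
    category = CATEGORY_DB.get(host, "Uncategorized")
    if host in allowlist:                          # per-customer whitelist
        return host, category, "allow"
    return host, category, "block" if category in BLOCKED_CATEGORIES else "allow"
```

Caveats a practitioner would want: SNI and certificate matching both see only a hostname, so sites sharing a certificate or a CDN hostname are classified together, a client can omit SNI to force the slower certificate path, and Encrypted ClientHello hides the name entirely. The allowlist argument mirrors the whitelist support the slide mentions.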
• ICSA (corporate) certification under way (ETA: mid to late summer)
• Customer pen tests
Interbank of New Mexico: 50 locations
Cumbria Police Department: HQ (L2 VPN concentrator for MR)
Positioning by market segment (legend: Best, lead with this / Alternative / Possible / Unlikely)

Enterprise
  Meraki: Maybe. Position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or campus.
  ASA: Yes. Good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs. Premium Cloud Web Security available.
  ISA 500: No.
  ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW. Premium Cloud Web Security available.

Commercial Select
  Meraki: Yes. Position where there are lots of small sites or machines to protect. Not for DCs or campus.
  ASA: Yes. Good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs.
  ISA 500: No.
  ISR G2s: Yes, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW.

Commercial Mid-Market
  Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease-of-use requirements are significant.
  ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
  ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer’s needs.
  ISR G2s: Yes, where rich security requirements are limited and non-security feature integration (voice, WAN opt, wireless, etc.) is important.

SMB
  Meraki: Yes, if the customer is not overly price sensitive.
  ASA: Unlikely; requires a high level of technical expertise.
  ISA 500: Yes, cost-optimized solution for SMB.
  ISR G2s: Unlikely; requires a high level of technical expertise. Managed service may be an option.
Positioning by vertical customer segment (legend: Best, lead with this / Alternative / Possible / Unlikely)

Federal/DoD
  Meraki: No.
  ASA: Yes.
  ISA 500: No.
  ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments, but not as a full-featured FW.

SLED
  Meraki: Yes; schools in particular are an excellent target.
  ASA: Yes.
  ISA 500: No.
  ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.

Retail
  Meraki: Yes, excellent choice for small-box retail shops with limited IT staff and a managed WAN vendor; PCI certified.
  ASA: Yes, focus on big-box retail or retail deployments with diverse network users connected in store.
  ISA 500: Maybe; UTM functions can be appealing but lack of robust central management can hinder sales.
  ISR G2s: Yes, can meet PCI specs and excellent when integrated voice or WAN is required and the primary goal is to meet PCI.

Banking
  Meraki: No; financials are not generally receptive to the cloud-hosted model.
  ASA: Yes.
  ISA 500: No.
  ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments.

SP Managed Services
  Meraki: Yes, excellent multi-tenant management.
  ASA: Yes, deployed today, but the “current” lack of a multi-tenant management option will hinder sales.
  ISA 500: Yes, where cost and UTM coverage are primary drivers.
  ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM.
MX Security Appliances: Models
Model: recommended deployments (example customer)
Teleworker (up to 5 users)
  Z1: teleworkers, kiosks (Groupon)
Small branch (approx. 10-20 users)
  MX60: small retail branch, small clinic (Peet’s Coffee, 220 locations)
  MX60W: MX60 with wireless (Kindred Healthcare, 1,500 locations)
Medium branch (approx. 20-250 users)
  MX80: mid-size branch, retail branch with web cache (Interbank of New Mexico, 50 locations)
  MX90: large branch, 8 LAN ports, 2 SFP (Hilton Worldwide, 20 locations so far)
Large branch / campus / concentrator (approx. 250-10,000 users)
  MX400: K-12 firewall; VPN concentrator for up to 1,000 sites (Essex Property, 200 locations)
  MX600: large K-12 firewall, 4 TB web cache; VPN concentrator for up to 2,500 sites (Bessemer Trust, 10 locations)
• Fortinet strengths
Raw throughput / $
Large number of models
WAN termination
DLP
• Fortinet weaknesses
Cumbersome UI
Weak centralized management
Requires an additional box for reporting
No Auto-VPN or built-in WAN opt
Rudimentary traffic shaping
• Meraki strengths
Best cloud-based management
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Not focused on raw speed
Less customization
                         FortiGate 100D   Meraki MX80
Hardware                 $1,995           $1,995
Software                 $2,996*          $4,000
Support & maintenance    -                -
Centralized management   $828**           -
TCO                      $5,819           $5,995
*: 3-year security HW/SW bundle is $4,991
**: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment
• SonicWALL strengths
Cost
Well known in the SMB market
• SonicWALL weaknesses
Poor quality IDS / AV / CF
Very limited L7 features and visibility
One-trick pony (weak wireless, no switch)
• Meraki strengths
Best cloud-based management
Single pane of glass
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Cost disadvantage without centralized management
                         NSA 2400   Meraki MX80
Hardware                 $2,495     $1,995
Software                 $3,040     $4,000
Support & maintenance    -          -
Management SW            $579       -
TCO                      $6,114     $5,995
• Palo Alto Networks strengths
Gartner likes them
Has CIO mindshare
Great NG FW marketing
• Palo Alto Networks weaknesses
Weak on distributed deployments
No 3G / 4G failover
No wireless / switch
Network management requires additional software / servers
• Meraki strengths
Best cloud-based management
Single pane of glass
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Less customization
Not focused on raw speed
                         PA 500    Meraki MX80
Hardware                 $4,500    $1,995
Software                 $4,070    $4,000
Support & maintenance    $1,703    -
Management SW*           $377      -
TCO                      $10,389   $5,995
Savings with MX80: about 40%
Current limitations
• HA only works in one-armed VPN concentrator mode (not yet in NAT mode)
• Interfaces are NATed (vs. routed)
• No dynamic routing protocols
• Only IDS right now (no inline IPS)
• No LACP / RSTP
• No SSL VPN
• Some limitations on NAT (e.g. no 1-to-N NAT)
• No IPv6
Roadmap
• ICSA certification
• Enhancing security features
• Alignment with Cisco SIO
• Full HA (in NAT mode)
• Enhancing centralized management
• Org-level reporting improvements
Sales tools
Weekly webinars for end-customers
meraki.com/webinar
Easy free trials
meraki.com/eval
Cisco SE access to demo network
meraki.com/cisco/dashboard
200+ Cisco Meraki SEs and AMs
ASA / ISA / MX / ISR positioning guide
http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx
Thank you.