
Meraki MX Security Appliances

Daghan Altas
Product Manager
4/19/2013

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
MX overview
Demo
Dashboard architecture
MX deep dive
Positioning
Competition
Roadmap
Q&A
Additional resources

MX overview
Security: NG Firewall, Client VPN, Site-to-Site VPN
Networking: NAT/DHCP, Routing, Link Balancing
Application Control: WAN Optimization, Traffic Shaping, Content Filtering

Key features and details
Cloud-based management: PCI L1 certified; single pane of glass
Auto VPN: single-click VPN (with failover to WAN2 or 4G); hub-and-spoke or mesh (spoke-to-spoke)
Content filtering: Webroot BrightCloud (85 categories); local database + cloud lookup
Google SafeSearch / YouTube for Schools: table stakes for K-12; also HTTPS search enforcement
Web caching: based on Squid proxy; on MX80 or above
Intrusion detection: Sourcefire Snort based; org-level reporting
Layer 7 client tracking / NG firewall: all Meraki products use the same signatures; firewall as well as traffic shaper
WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization
Anti-virus / anti-phishing: Kaspersky SafeStream II (flow based); files and JavaScript protection

New features: Google SafeSearch; YouTube for Schools; HTTPS search blocking; Web caching
Improvements: Hub-and-spoke VPN; IP-based client fingerprinting; Identity-based group policies; Hybrid (local/cloud) web filtering*

*May 2013

Meraki's out-of-band control plane
Scalable: modern clustered design on commodity servers; any one customer is only a small fraction of the load
Out of band: management data (1 kb/s) travels separately from the WAN user traffic; no user traffic passes through the cloud; the network is fully functional without cloud connectivity
Reliable: each customer talks to 2 datacenters (active / passive); a 3rd backup DC takes over in case both the active and passive DCs fail; all 3 DCs are geo-separated
Compliant: fully HIPAA / PCI L1 compliant; DCs in N.A., E.U., Brazil, APAC; SSAE16

Dashboard architecture
Shard server stack: web server (Apache and nginx); application server (Rails); database (PostgreSQL); firewall (iptables); Linux 2.6; x86 machine (not virtualized)
Servers connect to the public internet and rely on their own firewall for protection.
Customers are partitioned across Meraki servers; each partition is called a shard. A shard is effectively one 1U RAIDed server plus one 1U backup. Goal: maximize the number of customers hosted per shard.
Shards are connected to the public internet via gigE and to each other (over an untrusted connection) via gigE.
Example numbers from a representative shard: 15,000 Meraki devices (APs, firewalls, switches); 300,000 clients (laptops, servers, printers) per day; a total of 300 GB of stats, dating back over a year; new data is gathered from every device every 45 seconds.

Shards call the devices
Devices are the server, the cloud is the client.
Asynchronous / event-driven (fast): an event-driven RPC engine creates the requests and processes the responses into the database.
One call for all data collection (LLDP, probing, clients and other modules).
Secure / efficient connection: Google protobufs for low overhead; SSL-based connection; authentication using a per-device shared secret.

Port / IP requirements
Port 80 (TCP): we can tunnel over port 80 but it is not efficient
Other TCP ports: 443, 7734, 7752
UDP ports: 123, 7351, 9350
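The RPC authentication pattern above (cloud as client, device as server, a per-device shared secret inside an SSL connection), as an added illustrative example that is not Meraki's code or wire protocol. It models the shared-secret step as an HMAC challenge-response; the message layout, the nonce sizes, the serial numbers and the provisioning table are assumptions, and the SSL transport is assumed to wrap the exchange rather than being modelled. Three checks a reviewer would want are included: a secret lifted from one device does not authenticate as another device, a captured answer cannot be replayed, and a party that lacks the secret cannot pass as the cloud.

```python
"""
Added example (not Meraki's code): cloud-to-device RPC authentication with a
per-device shared secret. The cloud opens the connection (client role) and the
device answers (server role); both sides prove knowledge of the secret with an
HMAC over fresh nonces. Field layout, nonce sizes, serials and the provisioning
table are assumptions; SSL is assumed to wrap this exchange and is not modelled.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _proof(secret: bytes, role: bytes, cloud_nonce: bytes, device_nonce: bytes, serial: str) -> bytes:
    # Both nonces and the claimed serial are bound into the MAC; the role tag
    # keeps a device's answer from being reflected back as a cloud proof.
    msg = b"|".join([role, cloud_nonce, device_nonce, serial.encode()])
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Device:
    """The appliance: accepts the cloud's connection and answers its challenge."""

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self._secret = secret

    def answer(self, cloud_nonce: bytes) -> tuple[bytes, bytes]:
        # The device adds its own fresh nonce so that it can in turn verify the
        # cloud (mutual authentication) and so a recorded answer cannot be replayed.
        device_nonce = secrets.token_bytes(16)
        return device_nonce, _proof(self._secret, b"device", cloud_nonce, device_nonce, self.serial)

    def verify_cloud(self, cloud_nonce: bytes, device_nonce: bytes, cloud_proof: bytes) -> bool:
        expected = _proof(self._secret, b"cloud", cloud_nonce, device_nonce, self.serial)
        return hmac.compare_digest(expected, cloud_proof)


class ReplayingDevice(Device):
    """An attacker that captured one genuine answer and replays it without the secret."""

    def __init__(self, serial: str, captured: tuple[bytes, bytes]):
        super().__init__(serial, b"")
        self._captured = captured

    def answer(self, cloud_nonce: bytes) -> tuple[bytes, bytes]:
        return self._captured


class Cloud:
    """The dashboard shard: holds one secret per device serial and initiates the RPC."""

    def __init__(self, secrets_by_serial: dict[str, bytes]):
        self._secrets = dict(secrets_by_serial)

    def authenticate(self, device: Device, claimed_serial: str) -> bool:
        secret = self._secrets.get(claimed_serial)
        if secret is None:
            return False
        cloud_nonce = secrets.token_bytes(16)
        device_nonce, proof = device.answer(cloud_nonce)
        expected = _proof(secret, b"device", cloud_nonce, device_nonce, claimed_serial)
        if not hmac.compare_digest(expected, proof):
            return False
        # Only after the device has proven itself does the cloud prove itself.
        cloud_proof = _proof(secret, b"cloud", cloud_nonce, device_nonce, claimed_serial)
        return device.verify_cloud(cloud_nonce, device_nonce, cloud_proof)


def demo() -> dict[str, bool]:
    # Constructed provisioning data: one random secret per hypothetical serial.
    db = {"DEV-0001": secrets.token_bytes(32), "DEV-0002": secrets.token_bytes(32)}
    cloud = Cloud(db)
    genuine = Device("DEV-0001", db["DEV-0001"])
    # Secret lifted from DEV-0001 and used to impersonate DEV-0002.
    impostor = Device("DEV-0002", db["DEV-0001"])
    # A genuine answer recorded from an earlier session and replayed later.
    replay = ReplayingDevice("DEV-0001", genuine.answer(secrets.token_bytes(16)))
    # A cloud that does not know the secret fails the device-side check.
    fake_cloud = genuine.verify_cloud(b"\0" * 16, b"\0" * 16, b"\0" * 32)
    return {
        "genuine": cloud.authenticate(genuine, "DEV-0001"),
        "stolen_secret_other_device": cloud.authenticate(impostor, "DEV-0002"),
        "replayed_answer": cloud.authenticate(replay, "DEV-0001"),
        "unknown_serial": cloud.authenticate(genuine, "DEV-9999"),
        "fake_cloud": fake_cloud,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'authenticated' if ok else 'rejected'}")
```

The per-device secret is what limits the blast radius: a secret recovered from one appliance only lets an attacker speak for that serial, and the cloud's lookup by claimed serial means it never needs to trust anything the device asserts about its identity.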

Datacenter locations
United States: Dallas, TX; San Diego, CA
Japan: Tokyo
Europe: Dublin, Ireland; London, UK; Germany
Latin America: Sao Paulo, Brazil

MX deep dive: packet path (diagram)
Kernel (Click modular router, modular Click-based configuration): DHCP service, L3 FW, NAT, traffic shaping, L7 FW and VPN encrypt / encapsulate, present on both the LAN and WAN sides of the path.
User space: Brain; log & stat server (stats); IDS (Snort); CF (BrightCloud); AV (Kaspersky); router / web proxy and DPI engine (Squid); TCP proxy (WAN opt).
Notes: VPN bypasses most services; WAN opt is costly (inline and user-space); IDS is not inline.

Intrusion detection
Uses Snort
Full signature set, updated daily
IDS only: IPS is trivial but we have reservations
No custom signatures, no signature modification
Whitelisting is allowed
Memory / CPU intensive
Anti-virus / anti-phishing
Uses Kaspersky SafeStream II
Full signature set, updated hourly
No custom rules
AV: flow-based signature match on files (pdf, exe, zip, etc.) and on JavaScript, HTML, etc.
Anti-phishing: URL database
Whitelisting is allowed
CPU / memory intensive

Content filtering
Uses Webroot BrightCloud
Whitelist / blacklist is allowed
HTTPS blocking is based on the certificate exchange (the filter sees only the names in the server certificate, not the URL path)
Max local URL database: MX60/80/90: 1M; MX400/600: 20M
Hybrid (local / cloud) lookup in May
Memory intensive (CPU load is minimal)
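The certificate-based HTTPS blocking and hybrid local/cloud lookup described above, as an added example that is not Meraki's code. The domains (all under the reserved .test TLD), categories, whitelist and blacklist are constructed, and the cloud lookup is a stand-in function. It also shows two consequences of judging a connection on certificate names alone: a single host cannot be whitelisted behind a wildcard certificate, and one blocked name in a multi-name CDN certificate takes the other names down with it.

```python
"""
Added example (not Meraki's code): decision logic for certificate-based HTTPS
category blocking with a local database, a cloud fallback for misses, and
whitelist / blacklist overrides. Domains, categories and policy are constructed;
a real filter would take the names from the server certificate's CN and
subjectAltName entries observed during the TLS handshake.
"""
from __future__ import annotations

from collections import OrderedDict
from typing import Callable


def name_matches(pattern: str, name: str) -> bool:
    """Match a hostname pattern against a certificate name. A leading '*.'
    covers exactly one label, the same rule TLS clients apply to wildcard certs."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return pattern == name


class HybridCategoryDB:
    """Local domain -> category table, with a cloud lookup for misses and an
    LRU cache so a given host costs at most one cloud round trip."""

    def __init__(self, local: dict[str, str], cloud_lookup: Callable[[str], str], cache_size: int = 1024):
        self.local = {k.lower(): v for k, v in local.items()}
        self.cloud_lookup = cloud_lookup
        self.cache: OrderedDict[str, str] = OrderedDict()
        self.cache_size = cache_size
        self.cloud_calls = 0  # counted so the demo can show the cache working

    def category(self, name: str) -> str:
        host = name.lower().lstrip("*.")  # a wildcard name is judged by its base domain
        labels = host.split(".")
        # Longest matching suffix wins: a.b.games.test, then b.games.test, then games.test
        for i in range(len(labels) - 1):
            key = ".".join(labels[i:])
            if key in self.local:
                return self.local[key]
        if host in self.cache:
            self.cache.move_to_end(host)
            return self.cache[host]
        self.cloud_calls += 1
        cat = self.cloud_lookup(host)
        self.cache[host] = cat
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return cat


def decide(cert_names: list[str], db: HybridCategoryDB, whitelist: list[str],
           blacklist: list[str], blocked_categories: set[str]) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one TLS connection, judged only on
    the names in the server certificate: the filter never sees the URL path, and
    a wildcard or multi-name certificate is judged as a whole."""
    if any(name_matches(p, n) for n in cert_names for p in whitelist):
        return "allow", "whitelist"
    for n in cert_names:
        if any(name_matches(p, n) for p in blacklist):
            return "block", f"blacklist:{n}"
    for n in cert_names:
        cat = db.category(n)
        if cat in blocked_categories:
            return "block", f"category:{cat}:{n}"
    return "allow", "category"


def demo() -> dict:
    # Constructed policy and data; the cloud table stands in for the hosted lookup.
    local = {"news.test": "news", "games.test": "games", "shared-cdn.test": "cdn"}
    cloud_table = {"images.adult-site.test": "adult"}
    db = HybridCategoryDB(local, lambda h: cloud_table.get(h, "uncategorized"))
    blocked = {"adult", "games"}
    whitelist = ["kids.games.test"]
    blacklist = ["www.news.test"]
    out = {}
    out["plain_news"] = decide(["news.test"], db, whitelist, blacklist, blocked)
    out["blacklisted_host"] = decide(["www.news.test"], db, whitelist, blacklist, blocked)
    # Wildcard cert: the whitelisted kids.games.test is invisible behind *.games.test
    out["wildcard_games"] = decide(["*.games.test"], db, whitelist, blacklist, blocked)
    # Multi-SAN CDN cert: one blocked name takes the shared names down with it
    multi = ["shared-cdn.test", "www.shared-cdn.test", "images.adult-site.test"]
    out["multi_san_cdn"] = decide(multi, db, whitelist, blacklist, blocked)
    out["cloud_calls_first"] = db.cloud_calls
    decide(multi, db, whitelist, blacklist, blocked)  # second hit is served from the cache
    out["cloud_calls_after_repeat"] = db.cloud_calls
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The precedence (whitelist, then blacklist, then category) is the usual one for this kind of filter, but the interesting part is what the certificate does not tell you: with a wildcard or shared certificate the decision has to be made for every host the certificate covers, which is why host-level exceptions for HTTPS sites behind such certificates end up being all-or-nothing.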

Certification and pen tests
ICSA (corporate) certification under way (ETA: mid to late summer)
Customer pen tests: Interbank of New Mexico (50 locations); Cumbria Police Department HQ (L2 VPN concentrator for MR)

Positioning by market segment (Meraki MX vs. ASA vs. ISA 500 vs. ISR G2s)

Enterprise
Meraki: Maybe, position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or campus.
ASA: Yes, good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs. Premium Cloud Web Security available.
ISA 500: No
ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW. Premium Cloud Web Security available.

Commercial Select
Meraki: Yes, position where there are lots of small sites or machines to protect. Not for DCs or campus.
ASA: Yes, good enterprise management and highly configurable. Integrates with other enterprise management tools, such as SIEMs.
ISA 500: No
ISR G2s: Yes, when the primary FW function is protecting between virtual network segments or for regulatory compliance, but not as a full-featured FW.

Commercial Mid-Market
Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease-of-use requirements are significant.
ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer's needs.
ISR G2s: Yes, where rich security requirements are limited and non-security feature integration (voice, WAN opt, wireless, etc.) is important.

SMB
Meraki: Yes, if the customer is not overly price sensitive.
ASA: Unlikely, requires a high level of technical expertise.
ISA 500: Yes, cost-optimized solution for SMB.
ISR G2s: Unlikely, requires a high level of technical expertise. Managed service may be an option.

Legend (slide colour coding): Best, lead with this / Alternative / Possible / Unlikely


Positioning by vertical customer segment (Meraki MX vs. ASA vs. ISA 500 vs. ISR G2s)

Federal/DoD
Meraki: No
ASA: Yes
ISA 500: No
ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments, but not as a full-featured FW.

SLED
Meraki: Yes, schools in particular are an excellent target.
ASA: Yes
ISA 500: No
ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.

Retail
Meraki: Yes, excellent choice for small-box retail shops with limited IT staff and a managed WAN vendor. PCI certified.
ASA: Yes, focus on big-box retail or retail deployments with diverse users connected in store.
ISA 500: Maybe, UTM functions can be appealing but the lack of robust central management can hinder sales.
ISR G2s: Yes, can meet PCI specs and excellent when integrated voice or WAN is required and the primary goal is to meet PCI.

Banking
Meraki: No, financials are not generally receptive to the cloud-hosted model.
ASA: Yes
ISA 500: No
ISR G2s: Maybe, when the primary FW function is protecting between virtual network segments.

SP Managed Services
Meraki: Yes, excellent multi-tenant management.
ASA: Yes, deployed today, but the current lack of a multi-tenant management option will hinder sales.
ISA 500: Yes, where cost and UTM coverage are the primary drivers.
ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM.

Legend (slide colour coding): Best, lead with this / Alternative / Possible / Unlikely

MX Security Appliances: Models
Model: recommended deployments (example customer)

Teleworker (up to 5 users)
Z1: teleworkers, kiosks (Groupon)

Small branch (approx. 10-20 users)
MX60: small retail branch, small clinic (Peet's Coffee, 220 locations)
MX60W: MX60 with wireless (Kindred Healthcare, 1500 locations)

Medium branch (approx. 20-250 users)
MX80: mid-size branch, retail branch with web cache (Interbank of New Mexico, 50 locations)
MX90: large branch, 8 LAN ports, 2 SFP (Hilton Worldwide, 20 locations so far)

Large branch / campus / concentrator (approx. 250-10,000 users)
MX400: K-12 firewall; VPN concentrator for up to 1000 sites (Essex Property, 200 locations)
MX600: large K-12 firewall, 4TB web cache; VPN concentrator for up to 2500 sites (Bessemer Trust, 10 locations)

Fortinet vs. Meraki
Fortinet strengths: raw throughput / $; large number of models; WAN termination; DLP
Fortinet weaknesses: cumbersome UI; weak centralized management; requires an additional box for reporting; no Auto VPN or built-in WAN opt; rudimentary traffic shaping
Meraki strengths: best cloud-based management; more L7 features and visibility; best-in-class IDS / CF / AV
Meraki weaknesses: not designed for datacenters; not focused on raw speed; less customization

TCO comparison: FortiGate 100D vs. Meraki MX80
Hardware: $1,995 vs. $1,995
Software: $2,996* vs. $4,000
Support & maintenance: - vs. -
Centralized management: $828** vs. -
TCO: $5,819 vs. $5,995

*: 3-year security HW/SW bundle is $4,991
**: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment

SonicWALL vs. Meraki
SonicWALL strengths: cost; well known in the SMB market
SonicWALL weaknesses: poor quality IDS / AV / CF; very limited L7 features and visibility; one-trick pony (weak wireless, no switch)
Meraki strengths: best cloud-based management; single pane of glass; more L7 features and visibility; best-in-class IDS / CF / AV
Meraki weaknesses: not designed for datacenters; cost disadvantage without centralized management

TCO comparison: SonicWALL NSA 2400 vs. Meraki MX80
Hardware: $2,495 vs. $1,995
Software: $3,040 vs. $4,000
Support & maintenance: - vs. -
Management SW: $579 vs. -
TCO: $6,114 vs. $5,995

Palo Alto Networks vs. Meraki
Palo Alto Networks strengths: Gartner likes them; has CIO mindshare; great NG FW marketing
Palo Alto Networks weaknesses: weak on distributed deployments; no 3G / 4G failover; no wireless / switch; network management requires additional software / servers
Meraki strengths: best cloud-based management; single pane of glass; more L7 features and visibility; best-in-class IDS / CF / AV
Meraki weaknesses: not designed for datacenters; less customization; not focused on raw speed

TCO comparison: Palo Alto PA 500 vs. Meraki MX80
Hardware: $4,500 vs. $1,995
Software: $4,070 vs. $4,000
Support & maintenance: $1,703 vs. -
Management SW*: $377 vs. -
TCO: $10,389 vs. $5,995
Savings: -40%

Current limitations
HA only works in 1-armed VPN mode
Interfaces are NATed (vs. routed)
No routing protocols
Only IDS right now (no IPS)
No LACP / RSTP
No SSL VPN
Some limitations on NAT (e.g. no 1-to-N NAT)
No IPv6

Roadmap
ICSA certification
Enhancing security features
Alignment with Cisco SIO
Full HA (in NAT mode)
Enhancing centralized management
Org-level reporting improvements

Sales tools
Weekly webinars for end-customers: meraki.com/webinar
Easy free trials: meraki.com/eval
Cisco SE access to demo network: meraki.com/cisco/dashboard
200+ Cisco Meraki SEs and AMs: cisco-se-support@meraki.com
ASA / ISA / MX / ISR positioning guide: http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx

Thank you.
