Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1
Meraki MX Security Appliances
Daghan Altas
Product Manager
4/19/2013
• MX overview
• Demo
• Dashboard architecture
• MX deep dive
• Positioning
• Competition
• Roadmap
• Q&A
• Additional resources
Application Control
WAN Optimization, Traffic Shaping, Content Filtering
Security
NG Firewall, Client VPN, Site to Site VPN
Networking
NAT/DHCP, Routing, Link Balancing
Key Features / Details
Cloud based management
– PCI L1 certified
– Single pane of glass
Auto VPN
– Single click VPN (with failover to WAN2 or 4G)
– Hub-n-spoke or mesh (spoke-to-spoke)
Content filtering
– Webroot BrightCloud (85 categories)
– Local database + Cloud lookup
Google safe search / YouTube for Schools
– Table stakes for K-12
– Also HTTPS search enforcement
Web caching
– Based on Squid Proxy
– On MX80 or above
Intrusion detection
– SourceFire SNORT® based
– Org level reporting
Layer 7 client tracking / NG firewall
– All Meraki products use the same signatures
– Firewall as well as traffic shaper
WAN optimization
– TCP proxy / compression / dedup
– HTTP / CIFS / FTP optimization
Anti-virus / Anti-phishing
– Kaspersky Safestream II (flow based)
– Files and JavaScript protection
New features
• Google safe-search
• YouTube for schools
• HTTPS search blocking
• Web caching
Improvements
• Hub-n-spoke VPN
• IP-based client fingerprinting
• Identity-based group policies
• Hybrid (local/cloud) web filtering*
*May 2013
Meraki’s out-of-band control plane
[Diagram labels: Management data (1 kb/s), WAN]
Scalable
– Modern clustered design on commodity servers
– Any one customer only a small fraction of load
Out of band
– No user traffic passes through cloud
– Network is fully functional without cloud connectivity
Reliable
– Each customer talks to 2 datacenters (active / passive)
– 3rd backup DC in case both active / passive DCs fail
– All 3 DCs are geo separated
Compliant
– Fully HIPAA / PCI L1 compliant
– DCs in N.A, E.U, Brazil, APAC
– SSAE16
• Servers connect to the public internet and rely on their own firewall for protection.
• Customers partitioned across Meraki servers
• Each partition is called a “shard”
• Effectively one 1U RAIDed server plus one 1U backup
• Goal: maximize # of customers we can host per shard
• Shards are connected to the public internet via gigE and to each
other (over an untrusted connection) via gigE.
• Example numbers from a representative shard:
• 15,000 Meraki devices (APs, firewalls, switches)
• 300,000 clients (laptops, servers, printers) per day
• Total of 300 GB of stats, dating back over a year
• Gathers new data from every device every 45 seconds
[Diagram: shard server stack]
x86 machine (not virtualized)
Linux 2.6
Firewall (iptables)
Database (PostgreSQL)
Web Server (Apache and nginx)
Application Server (Rails)
• Shards call the devices
Devices are the server, cloud is the client
Asynchronous / event-driven (fast)
One call for all data collection
• Secure / efficient connection
Google protobufs for low overhead
SSL-based connection
Authentication using a per-device shared secret.
• Port IP requirements
Port 80 (TCP): we can tunnel over port 80 but it is not efficient
Other TCP ports: 443, 7734, 7752
UDP ports: 123, 7351, 9350
[Diagram labels: Event-driven RPC engine; LLDP Module; Probing Clients Module; Other Module; Create request; Process response; Database]
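An added example (not from the original deck): a small audit that checks whether an upstream firewall's rules would pass the TCP and UDP ports listed on this slide. The simplified iptables-save style rule format, the sample ruleset, and the assumption that the appliance opens these connections outbound through that firewall are constructed for illustration.

```python
"""Audit an upstream firewall policy against the cloud-management ports
listed on the slide (TCP 80, 443, 7734, 7752; UDP 123, 7351, 9350).

Assumptions (not from the deck): rules use a simplified iptables-save
syntax, are evaluated first-match-wins, and the appliance initiates the
connections outbound through this firewall.
"""
import re

# Ports taken from the slide.
REQUIRED = {
    "tcp": [80, 443, 7734, 7752],
    "udp": [123, 7351, 9350],
}

# Constructed sample policy: default-drop FORWARD chain with a few allows.
SAMPLE_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -p udp --dport 123 -j ACCEPT
-A FORWARD -p tcp --dport 7000:7740 -j ACCEPT
-A FORWARD -p udp --dport 9350 -j DROP
-A FORWARD -p udp --dport 9000:9999 -j ACCEPT
"""


def parse_ports(spec):
    """Turn '80,443' or '7000:7740' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges


def parse_rules(text, chain="FORWARD"):
    """Return (default_policy, rules); each rule is (proto, ranges, target)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r":(\S+)\s+(\S+)", line)
        if header:
            if header.group(1) == chain:
                policy = header.group(2)
            continue
        if not line.startswith(f"-A {chain} "):
            continue
        proto = re.search(r"-p\s+(\S+)", line)
        ports = re.search(r"--dports?\s+(\S+)", line)
        target = re.search(r"-j\s+(\S+)", line)
        if target is None:
            continue
        rules.append((
            proto.group(1) if proto else None,               # None = any protocol
            parse_ports(ports.group(1)) if ports else None,  # None = any port
            target.group(1),
        ))
    return policy, rules


def verdict(policy, rules, proto, port):
    """First matching terminal rule decides; otherwise the chain policy applies."""
    for r_proto, r_ranges, target in rules:
        if r_proto not in (None, proto):
            continue
        if r_ranges is not None and not any(lo <= port <= hi for lo, hi in r_ranges):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy


def audit(text):
    """Return the sorted list of required (proto, port) pairs that are blocked."""
    policy, rules = parse_rules(text)
    blocked = []
    for proto, ports in REQUIRED.items():
        for port in ports:
            if verdict(policy, rules, proto, port) != "ACCEPT":
                blocked.append((proto, port))
    return sorted(blocked)


if __name__ == "__main__":
    for proto, port in audit(SAMPLE_RULES):
        print(f"blocked: {proto}/{port}")
```

In the sample policy, udp/9350 is reported as blocked even though a later range rule would accept it, because the earlier DROP rule matches first.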
• United States
Dallas, TX
San Diego, CA
• Japan
Tokyo
• Europe
Dublin, Ireland
London, UK
Germany
• Latin America
Sao Paulo, Brazil
[Diagram: MX data path between LAN and WAN, split into Click / kernel and user space. Component labels: Traffic shaping, L7 FW, L3 FW, NAT, CF (BrightCloud), AV (Kaspersky), Router / DPI engine, DHCP service, TCP proxy (WAN opt), Web proxy (Squid), IDS (Snort), Stat server, Brain, Log & Stats, Encrypt / Encap.]
• VPN bypasses most services
• WAN opt is costly (inline and user-space)
• IDS is not inline
• Modular “click” based configuration
• Uses SNORT®
• Full signature set
• Updated daily
• IDS only
IPS is trivial but we have reservations
• No custom signatures
• No signature modification
• Whitelisting is allowed
• Memory / CPU intensive
• Uses Kaspersky SafeStream II
• Full signature set
• Updated hourly
• No custom rules
• AV: Flow based signature match
Files (pdf, exe, zip, etc.)
JavaScript, HTML, etc.
• Anti-phishing: URL database
• Whitelisting is allowed
• CPU / Memory intensive
• Uses Webroot BrightCloud
• Whitelist / Blacklist is allowed
• HTTPS blocking is based on CERT exchange
• Max local URL database
MX60/80/90: 1M
MX400/600: 20M
• Hybrid (local / cloud) lookup in May
• Memory intensive (CPU load is minimal)
• ICSA (corporate) certification under way (ETA: mid to late summer)
• Customer pen tests
Interbank of New Mexico: 50 locations
Cumbria Police Department: HQ (L2 VPN concentrator for MR)
By Market Segment
Legend: Best, Lead with this / Alternative / Possible / Unlikely
Enterprise
– Meraki: Maybe, position where there are lots of small sites or machines to protect with limited feature requirements, Not for DCs or Campus
– ASA: Yes, Good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs. Premium Cloud Web Security available.
– ISA 500: No
– ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW. Premium Cloud Web Security available.
Commercial Select
– Meraki: Yes, position where there are lots of small sites or machines to protect with, Not for DCs or Campus
– ASA: Yes, Good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs
– ISA 500: No
– ISR G2s: Yes, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW
Commercial Mid-Market
– Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease of use requirements are significant
– ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs
– ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer’s needs
– ISR G2s: Yes, where rich security requirements are limited and non security feature integration (Voice, WAN opt, Wireless, etc.) is important
SMB
– Meraki: Yes, if customer is not overly price sensitive.
– ASA: Unlikely, requires a high level of technical expertise
– ISA 500: Yes, cost optimized solution for SMB
– ISR G2s: Unlikely, requires a high level of technical expertise. Managed Service may be an option
By Vertical Customer Segment
Legend: Best, Lead with this / Alternative / Possible / Unlikely
Federal/DoD
– Meraki: No
– ASA: Yes
– ISA 500: No
– ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments, but not as full featured FW
SLED
– Meraki: Yes, schools in particular are an excellent target
– ASA: Yes
– ISA 500: No
– ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.
Retail
– Meraki: Yes, excellent choice for small box retail shops w/ limited IT staff and a mgd WAN vendor, PCI Certified
– ASA: Yes, focus on big box retail or retail deployments with diverse network users connected in store
– ISA 500: Maybe, UTM functions can be appealing but lack of robust central management can hinder sales
– ISR G2s: Yes, can meet PCI specs and excellent when integrated Voice or WAN is required and primary goal is to meet PCI
Banking
– Meraki: No, Financials not generally receptive to Cloud Hosted model
– ASA: Yes
– ISA 500: No
– ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments
SP Managed Services
– Meraki: Yes, excellent multi-tenant management
– ASA: Yes, deployed today, but “current” lack of multitenant mgmt option will hinder sales
– ISA 500: Yes, where cost and UTM coverage are primary drivers
– ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM
MX Security Appliances: Models
Model | Recommended deployments | Example customer
Teleworker (Up to 5 users)
Z1 | Teleworkers, kiosks | Groupon
Small branch (Approx. 10-20 users)
MX60 | Small retail branch, small clinic | Peet’s coffee (220 locations)
MX60W | With wireless | Kindred Healthcare (1500 locations)
Medium branch (Approx. 20-250 users)
MX80 | Mid size branch, retail branch with web cache | Interbank of New Mexico (50 locations)
MX90 | Large branch, 8 LAN ports, 2 SFP | Hilton Worldwide (20 locations so far)
Large branch / campus / concentrator (Approx. 250-10,000 users)
MX400 | K-12 firewall; VPN concentrator for up to 1000 sites | Essex Property (200 locations)
MX600 | Large K-12 firewall, 4TB web cache; VPN concentrator for up to 2500 sites | Bessemer Trust (10 locations)
• Fortinet strengths
Raw throughput / $
Large number of models
WAN termination
DLP
• Fortinet weaknesses
Cumbersome UI
Weak centralized management
Requires an additional box for reporting
No Auto-VPN or built-in WAN opt
Rudimentary traffic shaping
• Meraki strengths
Best cloud-based management
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Not focused on raw speed
Less customization
FortiGate 100D Meraki MX80
Hardware $1,995 $1,995
Software $2,996* $4,000
Support & Maintenance - -
Centralized management $828** -
TCO $5,819 $5,995
*: 3-Y security HW/SW bundle is $4991
**: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment
• SonicWALL strengths
Cost
Well known in the SMB market
• SonicWALL weaknesses
Poor quality IDS / AV / CF
Very limited L7 features and visibility
One-trick pony (weak wireless, no switch)
• Meraki strengths
Best cloud-based management
Single pane of glass
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Cost disadvantage without centralized management
NSA 2400 Meraki MX80
Hardware $2,495 $1,995
Software $3,040 $4,000
Support & Maintenance - -
Management SW $579 -
TCO $6,114 $5,995
• Palo Alto Networks strengths
Gartner likes them
Has CIO mindshare
Great NG FW marketing
• Palo Alto Networks weaknesses
Weak on distributed deployments
No 3G / 4G failover
No wireless / switch
Network management requires additional software / servers
• Meraki strengths
Best cloud-based management
Single pane of glass
More L7 features and visibility
Best-in-class IDS / CF / AV
• Meraki weaknesses
Not designed for datacenters
Less customization
Not focused on raw speed
PA 500 MX80
Hardware $4,500 $1,995
Software $4070 $4,000
Support & Maintenance $1,703 -
Management SW* 377 -
TCO $10,389 $5,995
Savings -40%
• HA only works in 1-armed VPN mode
• Interfaces are NATed (vs. routed)
• Routing protocols
• Only IDS right now
• LACP / RSTP
• SSL VPN
• Some limitations on NAT (e.g. no 1-to-N NAT)
• IPv6
• ICSA certification
• Enhancing security features
• Alignment with Cisco SIO
• Full HA (in NAT mode)
• Enhancing centralized management
• Org level reporting improvements
Sales tools
Weekly webinars for end-customers
meraki.com/webinar
Easy free trials
meraki.com/eval
Cisco SE access to demo network
meraki.com/cisco/dashboard
200+ Cisco Meraki SEs and AMs
cisco-se-support@meraki.com
ASA / ISA / MX / ISR positioning guide
http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx
Thank you.

More Related Content

What's hot

AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best PracticesSagar Gor
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Collaboration Architecture Design: Cisco Collaboration Administration: Easy ...
Collaboration Architecture Design:  Cisco Collaboration Administration: Easy ...Collaboration Architecture Design:  Cisco Collaboration Administration: Easy ...
Collaboration Architecture Design: Cisco Collaboration Administration: Easy ...Cisco Canada
 
Aruba 2930 f switch campus switching
Aruba 2930 f switch   campus switching Aruba 2930 f switch   campus switching
Aruba 2930 f switch campus switching Eketerina Dyakova
 
Cisco Meraki- Simplifying IT
Cisco Meraki- Simplifying ITCisco Meraki- Simplifying IT
Cisco Meraki- Simplifying ITCisco Canada
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and UpdateCisco Canada
 
Introduction to 5G by Doug Hohulin
Introduction to 5G by Doug HohulinIntroduction to 5G by Doug Hohulin
Introduction to 5G by Doug HohulinGigabit City Summit
 
Avaya Aura Application Enablement Services (AES)
Avaya Aura Application Enablement Services (AES)Avaya Aura Application Enablement Services (AES)
Avaya Aura Application Enablement Services (AES)Motty Ben Atia
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE Mahzad Zahedi
 
Best practices in synchronizing IP-based packet broadcasting networks
Best practices in synchronizing IP-based packet broadcasting networksBest practices in synchronizing IP-based packet broadcasting networks
Best practices in synchronizing IP-based packet broadcasting networksADVA
 
Advanced enterprise campus design. routed access (2015 milan)
Advanced enterprise campus design. routed access (2015 milan)Advanced enterprise campus design. routed access (2015 milan)
Advanced enterprise campus design. routed access (2015 milan)slide_site
 
Meraki Solution Overview
Meraki Solution OverviewMeraki Solution Overview
Meraki Solution OverviewClaudiu Sandor
 
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design Considerations
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design ConsiderationsTechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design Considerations
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design ConsiderationsRobb Boyd
 
Avaya IP Office Overview
Avaya IP Office OverviewAvaya IP Office Overview
Avaya IP Office OverviewMotty Ben Atia
 
Meraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopMeraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopCisco Canada
 

What's hot (20)

AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Cisco nx os
Cisco nx os Cisco nx os
Cisco nx os
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
Collaboration Architecture Design: Cisco Collaboration Administration: Easy ...
Collaboration Architecture Design:  Cisco Collaboration Administration: Easy ...Collaboration Architecture Design:  Cisco Collaboration Administration: Easy ...
Collaboration Architecture Design: Cisco Collaboration Administration: Easy ...
 
Aruba 2930 f switch campus switching
Aruba 2930 f switch   campus switching Aruba 2930 f switch   campus switching
Aruba 2930 f switch campus switching
 
Cisco Meraki- Simplifying IT
Cisco Meraki- Simplifying ITCisco Meraki- Simplifying IT
Cisco Meraki- Simplifying IT
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
A Software Defined WAN Architecture
A Software Defined WAN ArchitectureA Software Defined WAN Architecture
A Software Defined WAN Architecture
 
Introduction to 5G by Doug Hohulin
Introduction to 5G by Doug HohulinIntroduction to 5G by Doug Hohulin
Introduction to 5G by Doug Hohulin
 
Avaya Aura Application Enablement Services (AES)
Avaya Aura Application Enablement Services (AES)Avaya Aura Application Enablement Services (AES)
Avaya Aura Application Enablement Services (AES)
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
 
Best practices in synchronizing IP-based packet broadcasting networks
Best practices in synchronizing IP-based packet broadcasting networksBest practices in synchronizing IP-based packet broadcasting networks
Best practices in synchronizing IP-based packet broadcasting networks
 
Advanced enterprise campus design. routed access (2015 milan)
Advanced enterprise campus design. routed access (2015 milan)Advanced enterprise campus design. routed access (2015 milan)
Advanced enterprise campus design. routed access (2015 milan)
 
Meraki Solution Overview
Meraki Solution OverviewMeraki Solution Overview
Meraki Solution Overview
 
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design Considerations
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design ConsiderationsTechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design Considerations
TechWiseTV Workshop: Cisco Catalyst 9600: Deep Dive and Design Considerations
 
Avaya IP Office Overview
Avaya IP Office OverviewAvaya IP Office Overview
Avaya IP Office Overview
 
ACI Hands-on Lab
ACI Hands-on LabACI Hands-on Lab
ACI Hands-on Lab
 
Meraki Cloud Networking Workshop
Meraki Cloud Networking WorkshopMeraki Cloud Networking Workshop
Meraki Cloud Networking Workshop
 
ISE-CiscoLive.pdf
ISE-CiscoLive.pdfISE-CiscoLive.pdf
ISE-CiscoLive.pdf
 

Viewers also liked

Cisco Meraki Product Launch Q1 2017
Cisco Meraki Product Launch Q1 2017Cisco Meraki Product Launch Q1 2017
Cisco Meraki Product Launch Q1 2017Maticmind
 
Meraki powered services bell
Meraki powered services   bellMeraki powered services   bell
Meraki powered services bellCisco Canada
 
Cisco Meraki - Simplifying Powerful Technology
Cisco Meraki - Simplifying Powerful TechnologyCisco Meraki - Simplifying Powerful Technology
Cisco Meraki - Simplifying Powerful TechnologyCisco Canada
 
Cisco's Cloud Networking Powered by Meraki
Cisco's Cloud Networking Powered by MerakiCisco's Cloud Networking Powered by Meraki
Cisco's Cloud Networking Powered by MerakiRowell Dionicio
 
Slides lean talk 1
Slides lean talk 1Slides lean talk 1
Slides lean talk 1minhlean
 
THCS_W08_BaiGiang_PowerPoint
THCS_W08_BaiGiang_PowerPointTHCS_W08_BaiGiang_PowerPoint
THCS_W08_BaiGiang_PowerPointCNTT-DHQG
 
Qcil presentation health care conference
Qcil presentation  health care conferenceQcil presentation  health care conference
Qcil presentation health care conferenceUHF-EAHF2012
 
User eXperience Design - New Energy Mind
User eXperience Design - New Energy MindUser eXperience Design - New Energy Mind
User eXperience Design - New Energy MindNew Energy Group
 
7 Essential Stages to a Total Online Presence
7 Essential Stages to a Total Online Presence7 Essential Stages to a Total Online Presence
7 Essential Stages to a Total Online PresenceDuct Tape Marketing
 
Felipe arcila ángel wi fi power point
Felipe arcila ángel  wi fi power pointFelipe arcila ángel  wi fi power point
Felipe arcila ángel wi fi power pointfelipearcilaangel
 
Making the most of Jabber
Making the most of JabberMaking the most of Jabber
Making the most of JabberCisco Canada
 
Timeline roadmap product graphs powerpoint ppt templates.
Timeline roadmap product graphs powerpoint ppt templates.Timeline roadmap product graphs powerpoint ppt templates.
Timeline roadmap product graphs powerpoint ppt templates.SlideTeam.net
 

Viewers also liked (19)

Cisco Meraki Product Launch Q1 2017
Cisco Meraki Product Launch Q1 2017Cisco Meraki Product Launch Q1 2017
Cisco Meraki Product Launch Q1 2017
 
Meraki powered services bell
Meraki powered services   bellMeraki powered services   bell
Meraki powered services bell
 
Cisco Meraki - Simplifying Powerful Technology
Cisco Meraki - Simplifying Powerful TechnologyCisco Meraki - Simplifying Powerful Technology
Cisco Meraki - Simplifying Powerful Technology
 
Cisco's Cloud Networking Powered by Meraki
Cisco's Cloud Networking Powered by MerakiCisco's Cloud Networking Powered by Meraki
Cisco's Cloud Networking Powered by Meraki
 
MX Analyst Deck
MX Analyst DeckMX Analyst Deck
MX Analyst Deck
 
Slides lean talk 1
Slides lean talk 1Slides lean talk 1
Slides lean talk 1
 
THCS_W08_BaiGiang_PowerPoint
THCS_W08_BaiGiang_PowerPointTHCS_W08_BaiGiang_PowerPoint
THCS_W08_BaiGiang_PowerPoint
 
Google analitycs
Google analitycsGoogle analitycs
Google analitycs
 
Qcil presentation health care conference
Qcil presentation  health care conferenceQcil presentation  health care conference
Qcil presentation health care conference
 
User eXperience Design - New Energy Mind
User eXperience Design - New Energy MindUser eXperience Design - New Energy Mind
User eXperience Design - New Energy Mind
 
7 Essential Stages to a Total Online Presence
7 Essential Stages to a Total Online Presence7 Essential Stages to a Total Online Presence
7 Essential Stages to a Total Online Presence
 
Felipe arcila ángel wi fi power point
Felipe arcila ángel  wi fi power pointFelipe arcila ángel  wi fi power point
Felipe arcila ángel wi fi power point
 
MPP Phone Roadmap
MPP Phone RoadmapMPP Phone Roadmap
MPP Phone Roadmap
 
Making the most of Jabber
Making the most of JabberMaking the most of Jabber
Making the most of Jabber
 
Timeline roadmap product graphs powerpoint ppt templates.
Timeline roadmap product graphs powerpoint ppt templates.Timeline roadmap product graphs powerpoint ppt templates.
Timeline roadmap product graphs powerpoint ppt templates.
 
Coolhunting
CoolhuntingCoolhunting
Coolhunting
 
Breakout - Airheads Macau 2013 - Aruba Location and Analytics Services
Breakout - Airheads Macau 2013 - Aruba Location and Analytics Services Breakout - Airheads Macau 2013 - Aruba Location and Analytics Services
Breakout - Airheads Macau 2013 - Aruba Location and Analytics Services
 
Location Analytics – Key Considerations and Use Cases
Location Analytics – Key Considerations and Use CasesLocation Analytics – Key Considerations and Use Cases
Location Analytics – Key Considerations and Use Cases
 
Shanghai Keynote: Aruba Mobile Engagement
Shanghai Keynote: Aruba Mobile EngagementShanghai Keynote: Aruba Mobile Engagement
Shanghai Keynote: Aruba Mobile Engagement
 

Similar to Meraki MX Security Appliances Overview

Cloud networking workshop
Cloud networking workshopCloud networking workshop
Cloud networking workshopCisco Canada
 
Understanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN SolutionUnderstanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN SolutionCisco Canada
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreCisco Canada
 
Presentation capturing the cloud opportunity
Presentation   capturing the cloud opportunityPresentation   capturing the cloud opportunity
Presentation capturing the cloud opportunityxKinAnx
 
S100298 pendulum-swings-orlando-v1804a
S100298 pendulum-swings-orlando-v1804aS100298 pendulum-swings-orlando-v1804a
S100298 pendulum-swings-orlando-v1804aTony Pearson
 
Dynamic Software Defined Network Infrastructure Test Bed at Marist College
Dynamic Software Defined Network Infrastructure Test Bed at Marist CollegeDynamic Software Defined Network Infrastructure Test Bed at Marist College
Dynamic Software Defined Network Infrastructure Test Bed at Marist CollegeADVA
 
FlexiCloud: Infinitely Scalable
FlexiCloud: Infinitely ScalableFlexiCloud: Infinitely Scalable
FlexiCloud: Infinitely ScalablePallavi Vyas
 
Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Zuora, Inc.
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio updateAtanas Gergiminov
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes WebinarThousandEyes
 
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01cisco-20meraki-20overview-20-285-29-140501114803-phpapp01
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01Sergiy Pitel
 
Cisco Meraki Overview | Voyager Networks
Cisco Meraki Overview | Voyager NetworksCisco Meraki Overview | Voyager Networks
Cisco Meraki Overview | Voyager NetworksNTS UK - Part of Capita
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)Cisco Canada
 
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...Cisco Canada
 

Similar to Meraki MX Security Appliances Overview (20)

Protegendo sua cloud
Protegendo sua cloud Protegendo sua cloud
Protegendo sua cloud
 
Cloud networking workshop
Cloud networking workshopCloud networking workshop
Cloud networking workshop
 
Understanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN SolutionUnderstanding Cisco Next Generation SD-WAN Solution
Understanding Cisco Next Generation SD-WAN Solution
 
SAP HANA Cloud Security
SAP HANA Cloud SecuritySAP HANA Cloud Security
SAP HANA Cloud Security
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centre
 
Presentation capturing the cloud opportunity
Presentation   capturing the cloud opportunityPresentation   capturing the cloud opportunity
Presentation capturing the cloud opportunity
 
S100298 pendulum-swings-orlando-v1804a
S100298 pendulum-swings-orlando-v1804aS100298 pendulum-swings-orlando-v1804a
S100298 pendulum-swings-orlando-v1804a
 
Dynamic Software Defined Network Infrastructure Test Bed at Marist College
Dynamic Software Defined Network Infrastructure Test Bed at Marist CollegeDynamic Software Defined Network Infrastructure Test Bed at Marist College
Dynamic Software Defined Network Infrastructure Test Bed at Marist College
 
FlexiCloud: Infinitely Scalable
FlexiCloud: Infinitely ScalableFlexiCloud: Infinitely Scalable
FlexiCloud: Infinitely Scalable
 
Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio update
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes Webinar
 
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01cisco-20meraki-20overview-20-285-29-140501114803-phpapp01
cisco-20meraki-20overview-20-285-29-140501114803-phpapp01
 
Cisco Meraki Overview | Voyager Networks
Cisco Meraki Overview | Voyager NetworksCisco Meraki Overview | Voyager Networks
Cisco Meraki Overview | Voyager Networks
 
Cisco data center training for ibm
Cisco data center training for ibmCisco data center training for ibm
Cisco data center training for ibm
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
 
Ip san-best-practices-en
Ip san-best-practices-enIp san-best-practices-en
Ip san-best-practices-en
 
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...Cisco connect winnipeg 2018   understanding cisco's next generation sdwan sol...
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
 

Meraki MX Security Appliances Overview

  • 1. Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1 Meraki MX Security Appliances Daghan Altas Product Manager 4/19/2013
  • 2.
      • MX overview
      • Demo
      • Dashboard architecture
      • MX deep dive
      • Positioning
      • Competition
      • Roadmap
      • Q&A
      • Additional resources
  • 3.
      • Application Control: WAN Optimization, Traffic Shaping, Content Filtering
      • Security: NG Firewall, Client VPN, Site to Site VPN
      • Networking: NAT/DHCP, Routing, Link Balancing
  • 4. Key Features and Details
      • Cloud based management: PCI L1 certified; single pane of glass
      • Auto VPN: single click VPN (with failover to WAN2 or 4G); hub-n-spoke or mesh (spoke-to-spoke)
      • Content filtering: Webroot BrightCloud (85 categories); local database + cloud lookup
      • Google safe search / YouTube for Schools: table-stake for K-12; also HTTPS search enforcement
      • Web caching: based on Squid Proxy; on MX80 or above
      • Intrusion detection: SourceFire SNORT® based; org level reporting
      • Layer 7 client tracking / NG firewall: all Meraki products use the same signatures; firewall as well as traffic shaper
      • WAN optimization: TCP proxy / compression / dedup; HTTP / CIFS / FTP optimization
      • Anti-virus / Anti-phishing: Kaspersky Safestream II (flow based); files and JavaScript protection
  • 5.
      • New features
          – Google safe-search
          – YouTube for schools
          – HTTPS search blocking
          – Web caching
      • Improvements
          – Hub-n-spoke VPN
          – IP-based client fingerprinting
          – Identity-based group policies
          – Hybrid (local/cloud) web filtering* (*May 2013)
  • 8. Meraki’s out-of-band control plane
      • [Diagram labels: Management data (1 kb/s), WAN]
      • Scalable
          – Modern clustered design on commodity servers
          – Any one customer is only a small fraction of load
      • Out of band
          – No user traffic passes through the cloud
          – Network is fully functional without cloud connectivity
      • Reliable
          – Each customer talks to 2 datacenters (active / passive)
          – 3rd backup DC in case both active / passive DCs fail
          – All 3 DCs are geo separated
      • Compliant
          – Fully HIPAA / PCI L1 compliant
          – DCs in N.A, E.U, Brazil, APAC
          – SSAE16
  • 9.
      • Servers connect to the public internet and rely on their own firewall for protection.
      • Customers are partitioned across Meraki servers
      • Each partition is called a “shard”
      • Effectively one 1U RAIDed server plus one 1U backup
      • Goal: maximize # of customers we can host per shard
      • Shards are connected to the public internet via gigE and to each other (over an untrusted connection) via gigE.
      • Example numbers from a representative shard:
          – 15,000 Meraki devices (APs, firewalls, switches)
          – 300,000 clients (laptops, servers, printers) per day
          – Total of 300 GB of stats, dating back over a year
          – Gathers new data from every device every 45 seconds
      • [Diagram labels: x86 machine (not virtualized); Linux 2.6; Firewall (iptables); Database (PostgreSQL); Web Server (Apache and nginx); Application Server (Rails)]
  • 10.
      • Shards call the devices
          – Devices are the server, cloud is the client
          – Asynchronous / event-driven (fast)
          – One call for all data collection
      • Secure / efficient connection
          – Google protobufs for low overhead
          – SSL-based connection
          – Authentication using a per-device shared secret
      • Port IP requirements
          – Port 80 (TCP): we can tunnel over port 80 but it is not efficient
          – Other TCP ports: 443, 7734, 7752
          – UDP ports: 123, 7351, 9350
      • [Diagram labels: Event-driven RPC engine; LLDP Module; Probing Clients Module; Other Module; Create request; Process response; Database]
  • 12.
      • United States: Dallas, TX; San Diego, CA
      • Japan: Tokyo
      • Europe: Dublin, Ireland; London, UK; Germany
      • Latin America: Sao Paulo, Brazil
  • 14.
      • [Diagram: packet path between LAN and WAN. Labels: Click; Kernel; User Space; L3 FW; L7 FW; Traffic sh.; NAT; DHCP service; Router / DPI engine; CF (Brightcloud); AV (Kaspersky); TCP proxy (WAN opt); Web proxy (Squid); IDS (Snort); Stat server; Brain; Log & Stats; Encrypt; Encap.]
      • VPN bypasses most services
      • WAN opt is costly (inline and user-space)
      • IDS is not inline
      • Modular “click” based configuration
  • 15.
      • Uses SNORT®
      • Full signature set
      • Updated daily
      • IDS only
          – IPS is trivial but we have reservations
      • No custom signatures
      • No signature modification
      • Whitelisting is allowed
      • Memory / CPU intensive
  • 16.
      • Uses Kaspersky SafeStream II
      • Full signature set
      • Updated hourly
      • No custom rules
      • AV: Flow based signature match
          – Files (pdf, exe, zip, etc.)
          – JavaScript, HTML, etc.
      • Anti-phishing: URL database
      • Whitelisting is allowed
      • CPU / Memory intensive
  • 17.
      • Uses Webroot BrightCloud
      • Whitelist / Blacklist is allowed
      • HTTPS blocking is based on CERT exchange
      • Max local URL database
          – MX60/80/90: 1M
          – MX400/600: 20M
      • Hybrid (local / cloud) lookup in May
      • Memory intensive (CPU load is minimal)
  • 18.
      • ICSA (corporate) certification under way (ETA: mid to late summer)
      • Customer pen tests
          – Interbank of New Mexico: 50 locations
          – Cumbria Police Department: HQ (L2 VPN concentrator for MR)
  • 20. By Market Segment (columns: Meraki, ASA, ISA 500, ISR G2s; legend: Best, Lead with this / Alternative / Possible / Unlikely)
      • Enterprise
          – Meraki: Maybe, position where there are lots of small sites or machines to protect with limited feature requirements. Not for DCs or Campus.
          – ASA: Yes, good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs. Premium Cloud Web Security available.
          – ISA 500: No
          – ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW. Premium Cloud Web Security available.
      • Commercial Select
          – Meraki: Yes, position where there are lots of small sites or machines to protect. Not for DCs or Campus.
          – ASA: Yes, good Enterprise Management and highly configurable. Integrates with other Ent. Mgmt. tools, such as SIEMs.
          – ISA 500: No
          – ISR G2s: Yes, when primary FW function is protecting b/w virtual network segments or for regulatory compliance, but not as full featured FW.
      • Commercial Mid-Market
          – Meraki: Yes, where technical expertise is marginal, requirements are simple, and ease of use requirements are significant.
          – ASA: Yes, for vertical segments with rich security needs or private (non-hosted) management needs.
          – ISA 500: Maybe, if the deal is very price competitive and the capabilities of the ISA are not too basic to meet the customer’s needs.
          – ISR G2s: Yes, where rich security requirements are limited and non security feature integration (Voice, WAN opt, Wireless, etc.) is important.
      • SMB
          – Meraki: Yes, if customer is not overly price sensitive.
          – ASA: Unlikely, requires a high level of technical expertise.
          – ISA 500: Yes, cost optimized solution for SMB.
          – ISR G2s: Unlikely, requires a high level of technical expertise. Managed Service may be an option.
  • 21. By Vertical Customer Segment (columns: Meraki, ASA, ISA 500, ISR G2s; legend: Best, Lead with this / Alternative / Possible / Unlikely)
      • Federal/DoD
          – Meraki: No
          – ASA: Yes
          – ISA 500: No
          – ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments, but not as full featured FW.
      • SLED
          – Meraki: Yes, schools in particular are an excellent target.
          – ASA: Yes
          – ISA 500: No
          – ISR G2s: No, if URL filtering is a core requirement (i.e. schools). Yes, for most other SLED use cases.
      • Retail
          – Meraki: Yes, excellent choice for small box retail shops w/ limited IT staff and a mgd WAN vendor. PCI Certified.
          – ASA: Yes, focus on big box retail or retail deployments with diverse network users connected in store.
          – ISA 500: Maybe, UTM functions can be appealing but lack of robust central management can hinder sales.
          – ISR G2s: Yes, can meet PCI specs and excellent when integrated Voice or WAN is required and primary goal is to meet PCI.
      • Banking
          – Meraki: No, Financials not generally receptive to Cloud Hosted model.
          – ASA: Yes
          – ISA 500: No
          – ISR G2s: Maybe, when primary FW function is protecting b/w virtual network segments.
      • SP Managed Services
          – Meraki: Yes, excellent multi-tenant management.
          – ASA: Yes, deployed today, but “current” lack of multitenant mgmt option will hinder sales.
          – ISA 500: Yes, where cost and UTM coverage are primary drivers.
          – ISR G2s: Yes, already integrated in most SP OSS systems, quick TTM.
  • 22. MX Security Appliances: Models (each entry: recommended deployments; example customer)
      • Teleworker (Up to 5 users)
          – Z1: Teleworkers, kiosks; Groupon
      • Small branch (Approx. 10-20 users)
          – MX60: Small retail branch, small clinic; Peet’s coffee (220 locations)
          – MX60W: With wireless; Kindred Healthcare (1500 locations)
      • Medium branch (Approx. 20-250 users)
          – MX80: Mid size branch, retail branch with web cache; Interbank of New Mexico (50 locations)
          – MX90: Large branch, 8 LAN ports, 2 SFP; Hilton Worldwide (20 locations so far)
      • Large branch / campus / concentrator (Approx. 250-10,000 users)
          – MX400: K-12 firewall, VPN concentrator for up to 1000 sites; Essex Property (200 locations)
          – MX600: Large K-12 firewall, 4TB web cache, VPN concentrator for up to 2500 sites; Bessemer Trust (10 locations)
  • 24.
      • Fortinet strengths
          – Raw throughput / $
          – Large number of models
          – WAN termination
          – DLP
      • Fortinet weaknesses
          – Cumbersome UI
          – Weak centralized management
          – Requires an additional box for reporting
          – No Auto-VPN or built-in WAN opt
          – Rudimentary traffic shaping
      • Meraki strengths
          – Best cloud-based management
          – More L7 features and visibility
          – Best-in-class IDS / CF / AV
      • Meraki weaknesses
          – Not designed for datacenters
          – Not focused on raw speed
          – Less customization
  • 25. FortiGate 100D vs. Meraki MX80
      • Hardware: FortiGate 100D $1,995; Meraki MX80 $1,995
      • Software: FortiGate 100D $2,996*; Meraki MX80 $4,000
      • Support & Maintenance: FortiGate 100D -; Meraki MX80 -
      • Centralized management: FortiGate 100D $828**; Meraki MX80 -
      • TCO: FortiGate 100D $5,819; Meraki MX80 $5,995
      • *: 3-Y security HW/SW bundle is $4991
      • **: Scenario includes FortiManager and FortiAnalyzer 200D ($16,555) for a 20-site deployment
  • 26.
      • SonicWALL strengths
          – Cost
          – Well known in the SMB market
      • SonicWALL weaknesses
          – Poor quality IDS / AV / CF
          – Very limited L7 features and visibility
          – One-trick pony (weak wireless, no switch)
      • Meraki strengths
          – Best cloud-based management
          – Single pane of glass
          – More L7 features and visibility
          – Best-in-class IDS / CF / AV
      • Meraki weaknesses
          – Not designed for datacenters
          – Cost disadvantage without centralized management
  • 27. NSA 2400 vs. Meraki MX80
      • Hardware: NSA 2400 $2,495; Meraki MX80 $1,995
      • Software: NSA 2400 $3,040; Meraki MX80 $4,000
      • Support & Maintenance: NSA 2400 -; Meraki MX80 -
      • Management SW: NSA 2400 $579; Meraki MX80 -
      • TCO: NSA 2400 $6,114; Meraki MX80 $5,995
  • 28.
      • Palo Alto Networks strengths
          – Gartner likes them
          – Has CIO mindshare
          – Great NG FW marketing
      • Palo Alto Networks weaknesses
          – Weak on distributed deployments
          – No 3G / 4G failover
          – No wireless / switch
          – Network management requires additional software / servers
      • Meraki strengths
          – Best cloud-based management
          – Single pane of glass
          – More L7 features and visibility
          – Best-in-class IDS / CF / AV
      • Meraki weaknesses
          – Not designed for datacenters
          – Less customization
          – Not focused on raw speed
  • 29. PA 500 vs. MX80
      • Hardware: PA 500 $4,500; MX80 $1,995
      • Software: PA 500 $4070; MX80 $4,000
      • Support & Maintenance: PA 500 $1,703; MX80 -
      • Management SW*: PA 500 377; MX80 -
      • TCO: PA 500 $10,389; MX80 $5,995
      • Savings: -40%
  • 31.
      • HA only works in 1-armed VPN mode
      • Interfaces are NATed (vs. routed)
      • Routing protocols
      • Only IDS right now
      • LACP / RSTP
      • SSL VPN
      • Some limitations on NAT (e.g. no 1-to-N NAT)
      • IPv6
  • 32.
      • ICSA certification
      • Enhancing security features
      • Alignment with Cisco SIO
      • Full HA (in NAT mode)
      • Enhancing centralized management
      • Org level reporting improvements
  • 34. Sales tools
      • Weekly webinars for end-customers: meraki.com/webinar
      • Easy free trials: meraki.com/eval
      • Cisco SE access to demo network: meraki.com/cisco/dashboard
      • 200+ Cisco Meraki SEs and AMs: cisco-se-support@meraki.com
      • ASA / ISA / MX / ISR positioning guide: http://wwwin.cisco.com/marketing/borderless/security/docs/Firewall_positioning.pptx