Security at branch offices

Ricky Sandhu
Level 1

Hello everyone, what would you recommend in terms of securing branch offices that directly connect to the internet instead of backhauling via the head office? We have over 90 offices all connected over DMVPN.  Each office goes out to the internet directly.  Routers are running ZBFW with no application inspection etc.  Just wondering what others do in terms of implementing security in such scenarios?  We recently experienced a security event and now I am wondering if I should place something like an ASA with Firepower services at each location parallel to the routers.  That way all interoffice data can continue to go over the DMVPN routers while all other IMIX traffic can be routed via the ASA?

9 Replies

Hi,
Yes, you could implement your suggestion, that would work - I've done something similar before. You could also set up a VPN on the ASA as failover in case the DMVPN router failed.

Alternatively you could implement Cisco Umbrella, either the DNS filtering or the Secure Internet Gateway (full proxy). This would save you having to purchase, set up and maintain additional hardware as it is a cloud managed solution.

HTH

Thanks for your reply.  We are already using DNS filtering via Cisco Umbrella, however we need a solution that can implement something like reputation-based filtering for IP addresses blacklisted by Talos etc.  A recent security event saw us getting attacked from a command and control center IP located overseas.  My idea is if this source IP was on a blacklist (which it was), we may have been able to mitigate this attack.  I will however look into your suggestion of Secure Internet Gateway.  I am assuming it ties into Talos as well?

Umbrella should have been able to block the command and control communication in the first place. I assume you have the check box ticked in the policy? What do the logs say?

Umbrella uses the TALOS feed to determine whether a URL is malicious or not.

Yes, we do see a lot of command and control being blocked in general.  However I feel this was missed because the attacker was using direct-IP communication.  No DNS queries were sent to Umbrella from the infected machine.

If the connection to the CnC servers was direct via IP and no DNS resolution, you can use the "IP Layer Enforcement" option in Umbrella, however you need the Umbrella Roaming Client.

HTH
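The gap this exchange describes (a direct-IP connection that never produced a DNS query, so DNS-layer filtering never saw it) can be spotted in the branch router's own flow records by correlating them with the resolver's answers. The script below is an added example, not code from the thread or from Cisco; the log format, IP addresses, internal ranges and blocklist entry are all constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real traffic): DNS answers from the resolver
# and outbound flows exported by the branch router, in one time-ordered stream.
SAMPLE_LOG = """\
2024-03-01T10:00:00 dns src=10.1.5.23 qname=www.example.com answer=203.0.113.10
2024-03-01T10:00:02 conn src=10.1.5.23 dst=203.0.113.10 dport=443
2024-03-01T10:05:00 conn src=10.1.5.23 dst=198.51.100.77 dport=8443
2024-03-01T10:06:00 conn src=10.1.5.23 dst=10.1.9.4 dport=445
2024-03-01T12:30:00 conn src=10.1.5.23 dst=203.0.113.10 dport=443
"""
# Assumed: interoffice traffic over DMVPN stays inside RFC1918 space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Placeholder reputation feed (constructed); load the real vendor feed in practice.
BLOCKLIST = {"198.51.100.77"}

def parse(line):
    """'<ts> <kind> k=v k=v ...' -> dict with a parsed timestamp."""
    ts, kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), kind=kind)
    return rec

def find_suspicious_flows(log_text, window=timedelta(hours=1), blocklist=BLOCKLIST):
    """Return (ts, src, dst, dport, reason) for external flows whose destination
    had no DNS answer for the same client within `window`, or is blocklisted."""
    resolved = {}  # (client, answered_ip) -> timestamps of DNS answers
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["kind"] == "dns":
            resolved.setdefault((rec["src"], rec["answer"]), []).append(rec["ts"])
            continue
        if any(ip_address(rec["dst"]) in net for net in INTERNAL_NETS):
            continue  # inter-office traffic is out of scope here
        reasons = []
        if rec["dst"] in blocklist:
            reasons.append("blocklisted")
        answers = resolved.get((rec["src"], rec["dst"]), [])
        if not any(timedelta(0) <= rec["ts"] - t <= window for t in answers):
            reasons.append("no-dns")  # direct-IP connection: the resolver saw no query
        if reasons:
            hits.append((rec["ts"].isoformat(), rec["src"], rec["dst"],
                         int(rec["dport"]), "+".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_flows(SAMPLE_LOG):
        print(hit)
```

The window is deliberately short so that a stale DNS answer from hours earlier does not explain a later connection; tune it to the TTLs your resolver actually hands out.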

I'd have to jump through hoops and crawl underneath barbed wires to get our server guys to push out a client, but it's a good suggestion regardless. =)

Umbrella would also be my first step in an action plan. But adding an ASA or Firepower appliance to each branch also makes your setup much more complex. If there has to be a refresh of the routers in the near future, you should also evaluate if a migration to Meraki MX appliances would fit your needs. As with DMVPN, Meraki AutoVPN can build any-to-any communication, and you also have an NGFW with some advanced security. Not as fancy as with Firepower, but in combination with Umbrella it could be more efficient than your actual solution.

Hi Karsten, is there a way to centrally manage all MX appliances from a single console if we were to go that route? Currently we have hundreds of Meraki WAPs but I have to log into each branch office separately to configure them. With ASA w/Firepower, I was hoping to utilize FMC so I can easily push out configuration updates all at once. Also from my past research and some experience, MX falls short in terms of performance with things like crypto/IPsec when compared to say a 4431 router with Boost license.

Are you sure that these are really Meraki APs? If something is centrally managed, then it is the Meraki full stack. You should see your organisation in the cloud dashboard and underneath that all your branches. There are your APs. Especially with APs you can use a template that is bound to the branches and configure all SSIDs for all branches at once. Even without templates, with the help of the API and 10 lines of Python you can modify all WLANs for all networks at the same time.

If that is not what you see, there is something going wrong.

And yes, the MX appliances are also managed from this single dashboard, although it's typically not possible to use these templates. But still the API and some Python will greatly scale the effectiveness of administration.

For throughput, there are quite good sizing guides published.
