08-27-2019 03:15 PM - edited 02-21-2020 09:26 AM
Hello everyone, what would you recommend in terms of securing branch offices that connect directly to the internet instead of backhauling via the head office? We have over 90 offices all connected over DMVPN. Each office goes out to the internet directly. Routers are running ZBFW with no application inspection etc. Just wondering what others do in terms of implementing security in such scenarios? We recently experienced a security event and now I am wondering if I should place something like an ASA with Firepower services at each location in parallel to the routers. That way all interoffice data can continue to go over the DMVPN routers while all other IMIX traffic can be routed via the ASA?
08-27-2019 03:31 PM
Hi,
Yes, you could implement your suggestion, that would work - I've done something similar before. You could also set up a VPN on the ASA as failover in case the DMVPN router failed.
Alternatively you could implement Cisco Umbrella, either the DNS filtering or the Secure Internet Gateway (full proxy). This would save you having to purchase, set up and maintain additional hardware as it is a cloud-managed solution.
HTH
08-27-2019 08:37 PM
Thanks for your reply. We are already using DNS filtering via Cisco Umbrella; however, we need a solution that can implement something like reputation-based filtering for IP addresses blacklisted by Talos etc. A recent security event saw us getting attacked from a command and control center IP located overseas. My idea is that if this source IP was on a blacklist (which it was), we may have been able to mitigate this attack. I will however look into your suggestion of Secure Internet Gateway. I am assuming it ties into Talos as well?
08-28-2019 08:13 AM
Yes, we do see a lot of command and control being blocked in general. However, I feel this was missed because the attacker was using direct-IP communication. No DNS queries were sent to Umbrella from the infected machine.
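The failure mode described in the post above (a compromised host talking straight to a C2 address, so a DNS-layer filter never sees it) can be caught by correlating two logs that every branch in this design already produces: the resolver's answer log and the router's outbound connection log. The script below is an added example, not from the thread or from any Cisco product. It flags an internet-bound flow as "direct-ip" when the client received no DNS answer for that destination in the preceding window, and separately as "reputation" when the destination is on a blocklist. Log formats, the blocklist (standing in for a Talos feed) and the addresses (documentation ranges) are all constructed for the example; the internal prefixes are assumed to be the DMVPN address space.

```python
"""Flag outbound flows that bypass DNS-layer filtering.

Added example, not code from the thread.  Correlates a DNS answer log with a
connection log: any internet-bound flow whose (client, destination) pair has no
DNS answer in the preceding WINDOW is reported as direct-to-IP, and destinations
are additionally checked against an IP reputation list.
"""
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=10)

# Assumed DMVPN / RFC 1918 space: flows that stay inside it are interoffice,
# not internet-bound, so they are skipped.  Listed explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges used below
# as non-global and would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a reputation feed (e.g. Talos).  Documentation
# addresses only; this is not a real indicator.
BAD_IPS = {"203.0.113.45"}

# Constructed resolver log: timestamp client queried_name answer_ip
DNS_LOG = """\
2019-08-27T14:00:01 10.10.5.21 updates.example.com 198.51.100.10
2019-08-27T14:00:05 10.10.5.21 mail.example.net 198.51.100.25
2019-08-27T14:01:10 10.10.5.40 cdn.example.org 198.51.100.77
"""

# Constructed connection log: timestamp src dst dport
CONN_LOG = """\
2019-08-27T14:00:02 10.10.5.21 198.51.100.10 443
2019-08-27T14:00:09 10.10.5.21 203.0.113.45 8443
2019-08-27T14:01:12 10.10.5.40 198.51.100.77 443
2019-08-27T14:02:30 10.10.5.40 10.20.1.5 445
2019-08-27T14:03:00 10.10.5.21 192.0.2.200 443
"""


def parse_dns(text):
    """Map (client, answer_ip) -> sorted timestamps of DNS answers."""
    answers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _name, answer = line.split()
        answers.setdefault((client, answer), []).append(datetime.fromisoformat(ts))
    for stamps in answers.values():
        stamps.sort()
    return answers


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolved_recently(answers, client, dst, when):
    """True if the client got a DNS answer of dst within WINDOW before the flow."""
    return any(when - WINDOW <= t <= when for t in answers.get((client, dst), []))


def find_direct_ip_flows(dns_text, conn_text, bad_ips=BAD_IPS):
    """Return (ts, src, dst, dport, reasons) for every suspicious outbound flow."""
    answers = parse_dns(dns_text)
    alerts = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if is_internal(dst):
            continue  # interoffice traffic over the DMVPN
        when = datetime.fromisoformat(ts)
        reasons = []
        if not resolved_recently(answers, src, dst, when):
            reasons.append("direct-ip")
        if dst in bad_ips:
            reasons.append("reputation")
        if reasons:
            alerts.append((ts, src, dst, int(dport), tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_direct_ip_flows(DNS_LOG, CONN_LOG):
        print(alert)
```

On the constructed input the flow to 203.0.113.45 is reported for both reasons and the flow to 192.0.2.200 only as direct-to-IP; the two resolved flows and the interoffice SMB flow are silent. The direct-IP heuristic needs tuning in practice: a client using its local DNS cache, a non-Umbrella resolver or DNS over HTTPS produces the same signal as malware, so treat it as a hunting query rather than a blocking rule. An inline reputation check on the path itself (Security Intelligence on a Firepower device, or Umbrella SIG as a full proxy) does not depend on this correlation at all, which is the gap the thread is circling.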
08-28-2019 08:18 AM
Umbrella would also be my first step in an action plan. But adding an ASA or Firepower appliance to each branch also makes your setup much more complex. If there has to be a refresh of the routers in the near future, you should also evaluate if a migration to Meraki MX appliances would fit your needs. As with DMVPN, Meraki AutoVPN can build any-to-any communication, and you also have an NGFW with some advanced security. Not as fancy as with Firepower, but in combination with Umbrella it could be more efficient than your current solution.
08-28-2019 12:08 PM
Are you sure that these are really Meraki APs? If anything is centrally managed, it is the Meraki full stack. You should see your organisation in the cloud dashboard and underneath that all your branches. There are your APs. Especially with APs you can use a template that is bound to the branches and configure all SSIDs for all branches at once. Even without templates, with the help of the API and 10 lines of Python you can modify all WLANs for all networks at the same time.
If that is not what you see, there is something going wrong.
And yes, the MX appliances are also managed from this single dashboard, although it's typically not possible to use these templates. But still, the API and some Python will greatly scale the effectiveness of administration.
For throughput, there are quite good sizing guides published.
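The "API and some Python" approach from the answer above, written out as an added example (not Meraki's code and not from the thread). It assumes two Dashboard API v1 endpoints, GET /organizations/{organizationId}/networks and PUT /networks/{networkId}/wireless/ssids/{number}, authenticated with the X-Cisco-Meraki-API-Key header. The organisation ID, network objects and SSID settings are constructed; the HTTP transport is injectable so the loop can be exercised offline against constructed responses.

```python
"""Push one SSID definition to every wireless network in a Meraki organisation.

Added example, not Meraki's own code.  Assumed Dashboard API v1 endpoints:
  GET  /organizations/{organizationId}/networks
  PUT  /networks/{networkId}/wireless/ssids/{number}
The transport is injectable so the logic runs offline with constructed data.
"""
import json
import os
import urllib.request

BASE = "https://api.meraki.com/api/v1"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport (stdlib only).  Not exercised by the demo below."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")


class Dashboard:
    def __init__(self, api_key, transport=urllib_transport):
        self.headers = {"X-Cisco-Meraki-API-Key": api_key,
                        "Content-Type": "application/json",
                        "Accept": "application/json"}
        self.transport = transport

    def _call(self, method, path, body=None):
        return self.transport(method, BASE + path, self.headers, body)

    def wireless_networks(self, org_id):
        """Only networks that actually contain wireless devices; an SSID PUT
        against an MX-only network would just error."""
        nets = self._call("GET", f"/organizations/{org_id}/networks")
        return [n for n in nets if "wireless" in n.get("productTypes", [])]

    def update_ssid(self, network_id, number, **settings):
        return self._call("PUT", f"/networks/{network_id}/wireless/ssids/{number}", settings)


def push_ssid_everywhere(dash, org_id, number, settings):
    """Apply the same SSID settings to every wireless network; returns {network_id: response}."""
    return {net["id"]: dash.update_ssid(net["id"], number, **settings)
            for net in dash.wireless_networks(org_id)}


# Constructed responses standing in for the live API.
FAKE_NETWORKS = [
    {"id": "N_1", "name": "Branch-01", "productTypes": ["appliance", "wireless"]},
    {"id": "N_2", "name": "Branch-02", "productTypes": ["appliance"]},
    {"id": "N_3", "name": "Branch-03", "productTypes": ["wireless"]},
]


def make_fake_transport(log):
    """Transport that records calls and answers like the assumed endpoints."""
    def transport(method, url, headers, body):
        log.append((method, url, body))
        if method == "GET" and url.endswith("/networks"):
            return FAKE_NETWORKS
        if method == "PUT" and "/wireless/ssids/" in url:
            return {"number": int(url.rsplit("/", 1)[1]), **body}
        raise ValueError(f"unexpected call {method} {url}")
    return transport


# Constructed SSID definition.  The passphrase comes from the environment so
# the secret never lands in the script or in version control.
CORP_SSID = {
    "name": "Corp-WiFi",
    "enabled": True,
    "authMode": "psk",
    "encryptionMode": "wpa",
    "wpaEncryptionMode": "WPA2 only",
    "psk": os.environ.get("CORP_PSK", "example-only-passphrase"),
}

if __name__ == "__main__":
    calls = []
    dash = Dashboard(os.environ.get("MERAKI_API_KEY", "unused-in-demo"),
                     transport=make_fake_transport(calls))
    print(push_ssid_everywhere(dash, "ORG_123", 0, CORP_SSID))
```

Swap the fake transport for the default urllib one and a real API key to run it against a dashboard. Two things to add before doing that at 90 sites: the Dashboard API rate-limits per organisation and answers HTTP 429 when you exceed it, so the loop needs a retry with backoff, and the API key is a credential with full write access to every branch, so keep it in a secret store and restrict the account to the organisation it administers.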