Tuesday, September 3, 2024

My own path towards CMSS: Cisco Meraki Solutions Specialist

    The CMSS exam is now cleared, and so is the self-learning path on the Meraki documentation. The learning process has helped me build what I would call a solid baseline, which will get updated with all the cool stuff that comes from Cisco Meraki. I focused more on understanding the documentation than on remembering every single piece of technology I've been reading about. But let's take a trip down memory lane.

Fig.1 Cisco Meraki Solutions Specialist Badge

Where did it all start?

    I've worked with Cisco Meraki almost since it was acquired by Cisco back in 2012. While I loved the idea from the beginning, the capabilities were quite limited for the customer segment I worked with back then. But gradually it has evolved to become one of the leading products in the cloud networking space, covering all customer sizes from small businesses to large enterprises.

    Over the years I've been through different trainings and certifications, starting with CMNA and Meraki FIT and later on ECMS1 and ECMS2 on Cisco U. The next natural step was the Cisco Meraki Solutions Specialist exam. It has been on my to-do list since it was announced back in October 2020, but other certifications like CCIE, CISSP and Microsoft Cybersecurity Architect had to come first. Three months ago, I finally decided to go for the CMSS training and exam.

Fig.2 Current Meraki badges

What training materials did I use?

    I've learned over the years that you can easily get lost in books and documents focusing on different topics from the exam blueprint, so what I usually do is pick one primary learning material and supplement it whenever I don't understand a specific topic. In this case I went straight for the official self-study material that is available on the Meraki Community page. Besides helping with the exam, the self-study guide is essentially an organized list of the most important Cisco Meraki documents. These documents contain not only the specific technical solutions they are discussing, but also links to most of the other related solutions. I made sure to read and understand each one of them, which is the main reason why the certification process took about three months.

Sharing is caring

    During my CISSP studies, I posted topics once in a while that I considered important enough to share with the community. I took the same approach with CMSS, partially as a way to give back, but also to get the chance to discuss the topics with others for a better understanding. Below you can find a list of the posts related to this specific exam. Feel free to deep dive into them to learn about the more specific topics. The most discussed post was the one related to High-Density Wi-Fi based on the Meraki documentation, which has also reached the most people out of any post I've ever made.

📗CMSS : Meraki MX Firewall- What’s behind the routing magic? (3 months ago, 2658 impressions)

CMSS: Brand new Cisco Meraki MX650 and one-armed concentrator architectures  (2 months ago, 17456 impressions)

CMSS: Cisco Meraki Automatic Packet Capture on failing clients (2 months ago, 2199 impressions)

📶 CMSS: High Density Wi-Fi Best Practices  (1 month ago, 64293 impressions)

Wi-Fi high-density discussion featured in a post from Jussi Kiviniemi (Hamina CEO)

🔐 CMSS: Is your security strategy missing the bigger picture? (1 week ago, 2674 impressions)

How did the exam go?

    I made the decision to book the exam late at night on September 1, 2024, for the following day at 10 am.  Normally, I tend to book exams 1-2 months in advance, so that the deadline (exam date) serves as a catalyst for the study process, but this wasn't the case with CMSS. I've had my share of Cisco exams, and I've found out that the exam is the last step to close the process, rather than the most important element. What's important is understanding the technology, the reason why something is done the way it is. So, on the exam day I was pretty calm and just went for it. The registration process took about 45 minutes, as some video streaming towards Pearson Vue and a couple of services on my PC weren't closing properly to allow the exam to start. Despite this technicality, all went as expected and I passed the exam with a satisfactory score. 

Fig 2. Exam Score Report

Where do we go from here?

    While I've never been a big fan of working in study groups, mainly because I think it's difficult to keep the same pace, I do believe that engaging with the community is an alternative way to participate in discussions about the topics you are studying. This is a tradition that I plan to continue in the future with all my certifications, the next one being Azure Networking Engineer. This has also been on my list for a while, but kept getting pushed back by all the other exciting certifications I've been through. But now it's time!

Conclusions

    I've enjoyed going through all the Meraki documentation over the past 3 months. The self-study guide is an excellent resource for building a strong foundation for the most important technical solutions possible with Cisco Meraki. Engaging with the community has proved to be a very efficient way to supplement what's written in the documents.

References:

Announcing the Cisco Meraki Solutions Specialist Certification | The Meraki Blog

ECMS1 - The Meraki Community

Monday, August 26, 2024

Cisco Meraki - Compliance and Security Strategy

    With the evolving threat landscape, security and compliance are becoming more important for businesses of all sizes. While security has always been a priority for large enterprise customers, such as banks, ISPs, healthcare or critical infrastructure, today we see adoption across businesses of every size, as everything is connected, so it has to be protected. While most technicians see security as tied to the security products, like NDR, XDR, EDR, SIEM, firewalls etc., this is only a part of what is required for most organizations. Security must be closely aligned with the business needs and the risks the business is facing. An organization has to define a security strategy before implementing any security controls.

How do we solve this complex task?

    Well, it's not as hard as it seems. There are many different security standards out there, where some are more technical than others, but all of them have a very good description of what needs to be done, from describing the internal procedures and policies, to outlining the individual technical solutions that need to be implemented. Some of the standards I've been focusing on over the years are CIS v8, NIST, ISO 27001 and recently NIS2. The rest of this post will focus on the technical aspect of these standards, describing a strategy to implement some of the controls on one of the best MSP network solutions on the market: Cisco Meraki.


Fig. 1 Cisco Meraki CIS Audit

Can a NaaS solution like Cisco Meraki be used?

    While Cisco Meraki is mainly tied to networking rather than security, there are a lot of integrations with other products that are more security focused, like Umbrella, XDR, Duo, Cisco+ Secure Connect etc. This post will not focus on these integrations, but rather try to find out which components of Meraki equipment and the Dashboard cover security controls from different standards. The beauty of the standards is that there are a lot of mappings available, so one control in one of them will automatically cover controls in other standards.

Where do we start from?

    As part of my CMSS journey, I've reviewed many documents in the Meraki self-learning guide, but there is very little focus on compliance. Even though most technical solutions can be mapped to compliance controls, the only document that is purely compliance-oriented is the one related to the PCI DSS (Payment Card Industry) standard. You can find a link to the document in the references. There is also a tool built into the Dashboard to generate a PCI DSS 3.0 Compliance Report, which you can find under Wireless -> PCI Report.


Fig. 2 PCI DSS 3.0 Wireless Compliance Report

    As mentioned before, the very first step is to pick a security standard. While PCI DSS is a great standard, its focus on the payment card industry makes it less appropriate for other industries. If we were to select PCI DSS, we would want to go with PCI DSS 4.0 (2022), instead of 3.0 that is built into the platform. PCI DSS 3.0 is from 2013, and many things have changed since then. The American standard NIST is another great standard, with numerous publications focused on different areas, making it too complex for our purpose. ISO 27001 is great for compliance and risk, but not as detailed when we talk about the technical aspect, making it a bit more difficult to translate to a specific line of products, like the ones from Meraki.

And the winner is...

    What's left is CIS Controls. CIS is very detailed on the technical aspect, making it a great fit for our scope. There are several benchmarks available for other Cisco products, but unfortunately nothing specific for Cisco Meraki yet. The full list of CIS Cisco benchmarks includes the following:

Fig. 3 CIS Benchmarks for Cisco 

    Ideally, we would want to build another CIS Benchmark with focus on Meraki. While this will probably happen at some point in the future, we need to have a solution handy already today. So, how do we solve our compliance issue? CIS is grouped in 18 controls, each with several safeguards. Let's look at the first ones and try to address them with Cisco Meraki products and solutions. 

CIS Control 1 - Inventory and Control of Enterprise Assets

    We need to establish a detailed, up-to-date inventory of all our assets. This is one of the very first steps in every compliance standard. Without a clear list of our assets, it's impossible to protect our company. Any asset can pose a risk in today's threat landscape, so we have to make sure that only the ones we know are connecting to our environment. 

How would Meraki solve this issue? 

    While the Meraki dashboard is not a dedicated asset management tool, it does collect info from all the network assets that are present in our network. The inventory, located under the Organization tab, contains most relevant info like asset name, serial number, claim date, order number etc. This can be supplemented by using tags under the individual assets, for all the other required fields. 

    Furthermore, the discovery that happens via LLDP, ARP, DHCP etc., can provide visibility into other assets not included in inventory. The client list includes more fields than the inventory, and can also be supplemented with tags. 

Mapping to other standards: ISO 27001:2022 5.9, 8.8. NIST SP 800-171 3.1.1.8, 3.1.20, 3.12.4 etc.

CIS Control 2 - Inventory and Control of Software Assets 

    Once we have a full list of all our assets, we need to examine the software installed on them. If we limit our scope to the network built on Cisco Meraki, we would want to document the software version running on every device. Easy, right? The firmware upgrade tool in the dashboard shows the current version on each network, and also allows you to schedule and perform upgrades. Safeguard 2.2 under this control requires that authorized software is still supported, and the tool does exactly that.



Fig. 4 Firmware Upgrade Tool

Mapping to other standards: ISO 27001:2022 5.9, NIST SP 800-53 CM-8, PCI v4.0 1.2.5, 6.3.2 etc.

CIS Control 3 - Data Protection

    This control is specifically related to data protection and management. While Meraki doesn't directly address the specific safeguards of this control, it does help with some of them. Let's take as an example the encryption of sensitive data in transit. We need to protect data from out-of-band attacks, such as packet capture. The best way to protect it is by using encryption. Now when we think about encryption, one of the first things that comes to mind is Auto-VPN. Whether we are transmitting data between our locations or towards the public cloud, we have the option to build encrypted tunnels to avoid man-in-the-middle attacks.


Fig. 5 VPN Status Page

More goodies?

    The purpose of this post is to give an idea of how to handle compliance with Meraki equipment. There are 18 controls and 153 safeguards in CIS v8.1, and we could go through all of them. But to keep the post to a reasonable length, let's just point out the last two.

CIS Control 6 - Safeguard 6.5 Require MFA for Administrative Access

    According to Microsoft statistics, about 99.9% of compromised accounts don't have MFA. Considering how critical this control is, in relation to the risk posed to the organization, it would be unwise to use a product that doesn't natively support MFA. The Meraki Dashboard has the possibility to activate 2FA with the Duo Mobile app. It's also possible to provide external authentication by using SAML, in case the organization is using a third-party identity provider with MFA.
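To make the mapping concrete, here is an added example (not from the post, and not Cisco Meraki's own code) of a small offline audit that applies the three checks discussed under CIS Control 1, CIS Control 2 / Safeguard 2.2 and Safeguard 6.5 to records in the shape the Dashboard exposes: inventory entries with name, serial, tags and network assignment; devices with product type and firmware; administrators with a two-factor flag. Those record shapes are my assumption about the Dashboard API response format, the sample records are constructed for this example, and the approved-firmware baseline is a hypothetical one that an organization would define for itself.

```python
"""
Added example: offline CIS Controls audit over Meraki-style records.
Not from the post or from Cisco Meraki. Record shapes are assumptions
about the Dashboard API output; all sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: organization inventory (CIS Control 1, asset inventory).
INVENTORY = [
    {"serial": "Q2XX-AAAA-0001", "name": "HQ-MX", "model": "MX68",
     "tags": ["site:hq", "owner:netops"], "networkId": "N_1"},
    {"serial": "Q2XX-AAAA-0002", "name": "HQ-SW-01", "model": "MS120-24",
     "tags": ["site:hq"], "networkId": "N_1"},
    # Claimed into the org but never named, tagged or assigned to a network.
    {"serial": "Q2XX-AAAA-0003", "name": "", "model": "MR36",
     "tags": [], "networkId": None},
]

# Constructed sample: per-device firmware (CIS Control 2, software inventory).
DEVICES = [
    {"serial": "Q2XX-AAAA-0001", "productType": "appliance", "firmware": "wired-18-107-2"},
    {"serial": "Q2XX-AAAA-0002", "productType": "switch", "firmware": "switch-15-21-1"},
    {"serial": "Q2XX-AAAA-0003", "productType": "wireless", "firmware": "wireless-29-5-1"},
]

# Hypothetical baseline: the firmware the organization has approved as supported.
APPROVED_FIRMWARE = {
    "appliance": {"wired-18-107-2"},
    "switch": {"switch-16-7"},
    "wireless": {"wireless-29-5-1"},
}

# Constructed sample: dashboard administrators (CIS Safeguard 6.5, MFA for admins).
ADMINS = [
    {"name": "Alice", "email": "alice@example.com", "orgAccess": "full", "twoFactorAuthEnabled": True},
    {"name": "Bob", "email": "bob@example.com", "orgAccess": "full", "twoFactorAuthEnabled": False},
    {"name": "Carol", "email": "carol@example.com", "orgAccess": "read-only", "twoFactorAuthEnabled": False},
]

# Tag prefixes every asset must carry; the post suggests tags for fields the
# inventory itself does not hold (owner, location and so on).
REQUIRED_TAG_PREFIXES = ("site:", "owner:")


@dataclass
class Finding:
    control: str   # CIS control or safeguard the finding maps to
    subject: str   # serial number or admin e-mail
    detail: str


def check_asset_inventory(inventory, required_prefixes=REQUIRED_TAG_PREFIXES) -> list[Finding]:
    """CIS Control 1: each asset must be named, assigned to a network and carry the required tags."""
    findings: list[Finding] = []
    for dev in inventory:
        if not dev.get("name"):
            findings.append(Finding("CIS 1", dev["serial"], "device has no name"))
        if not dev.get("networkId"):
            findings.append(Finding("CIS 1", dev["serial"], "in inventory but not assigned to a network"))
        # "site:hq" -> "site:" so we compare on the key part of the tag only.
        present = {t.split(":", 1)[0] + ":" for t in dev.get("tags", [])}
        for prefix in required_prefixes:
            if prefix not in present:
                findings.append(Finding("CIS 1", dev["serial"], f"missing required tag {prefix}*"))
    return findings


def check_firmware(devices, approved=APPROVED_FIRMWARE) -> list[Finding]:
    """CIS Safeguard 2.2: only firmware on the approved (supported) list may run."""
    findings: list[Finding] = []
    for dev in devices:
        allowed = approved.get(dev["productType"], set())
        if dev["firmware"] not in allowed:
            findings.append(Finding("CIS 2.2", dev["serial"],
                                    f"firmware {dev['firmware']} not in approved set {sorted(allowed)}"))
    return findings


def check_admin_mfa(admins) -> list[Finding]:
    """CIS Safeguard 6.5: every dashboard administrator must have two-factor authentication enabled."""
    return [Finding("CIS 6.5", a["email"], "administrator without two-factor authentication")
            for a in admins if not a.get("twoFactorAuthEnabled")]


def run_audit(inventory=INVENTORY, devices=DEVICES, admins=ADMINS) -> dict[str, list[Finding]]:
    """Group findings by control so the report mirrors the structure of the CIS document."""
    report: dict[str, list[Finding]] = {}
    for f in check_asset_inventory(inventory) + check_firmware(devices) + check_admin_mfa(admins):
        report.setdefault(f.control, []).append(f)
    return report


if __name__ == "__main__":
    for control, findings in sorted(run_audit().items()):
        print(f"== {control}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.subject}: {f.detail}")
```

Feeding it real data would mean replacing the three constructed lists with the organization's inventory, device and admin exports; the checks themselves do not change. Note that the MFA check flags read-only administrators as well, since Safeguard 6.5 covers administrative access of any level to the platform.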

CIS Control 12 / CIS Control 13

    CIS Controls 12 and 13 focus exclusively on network infrastructure management, monitoring and defense. There are plenty of Meraki features to comply with these controls, from IPS, centralized authentication, authorization and auditing, segmentation with VLANs, ACLs and SGTs, to port-level access control like 802.1X etc. While we will not go through them, you can read about the individual elements in the Meraki documentation.

Conclusion

    With the increasing threat landscape, it's important to implement security measures across organizations of all sizes. The right way to implement security is by starting with compliance, and the first step is to pick a security standard. While performing the internal audit, we will be able to check our current policies and procedures, as well as all the technical aspects. If the organization has already invested in a NaaS solution like Cisco Meraki, many of the controls will already be covered. However, it's important to make sure that what's available in the platform has actually been implemented, as a vast number of controls are not specifically related to security products.


Thursday, May 2, 2024

CCIE Coffee Blogs: #15436 Mesut Abdurrahmani

 This is my second blog post in a series of posts about Albanians that have achieved the much-wanted CCIE status. It's meant to provide some background info for the CCIE Hall of Fame for Albania and Kosovo. This series contains non-technical content aiming to inspire young Albanians to pursue paths similar to those of our much respected guests.

Fig.1 CCIE Coffee Blogs

Meet Our Second Guest: Mesut Abdurrahmani

    Our second guest is one of the first Albanians that reached the CCIE status in the early 2000s. I've had a chat with Mesut to discover more about his CCIE path, the impact it has had on his career, as well as what he has learned during the journey. He worked initially in Kosovo at two of the best ISPs, Kujtesa and IPKO, and later at Juniper Networks for more than 17 years, initially as Focal Support Engineer, then as Team Lead for BRAS and in recent years as Lead Solution Architect. He was kind enough to answer some direct questions about his career, which you can read in the rest of this post.

Fig.2 Mesut Abdurrahmani CCIE #15436

1. What sparked your interest in networking and technology? Who or what has been your biggest inspiration in your career?

In the early 2000s a Cisco Academy branch was founded in Prishtina, Kosova. I was encouraged by my family to give it a try and since then I have pursued this career path. Therefore, if I had to choose a person that helped me to do and be where I am now - it would probably be my father, from whom I heard the word Cisco and computer networking for the first time.

In the case of the goal of CCIE cert, two of the reasons were: 

 - To prove to myself that I can get this certification, that was perceived as a very difficult challenge.

 - At that time, there was a Cisco page that included all countries that had CCIE certified engineers. Kosovo/Albania did not have any, and we wanted to put it on the map. Mind you, we were in our early 20s. :)

2. Can you describe your experience while preparing for the CCIE exam? How did you balance study with other commitments?

This is an interesting question that brought back memories of 2004/5. I studied for CCIE very intensively for over a year with a group of friends. Basically, my schedule would consist of doing my work in the first half of the day, and then straight to studying/training in the lab we created until midnight. Then repeat. Looking back, it's safe to say that we may have exaggerated with the intensity. The lab was made mainly of Cisco 2500 Series Routers and Catalyst Switches, already antique back then, that we either acquired when they were decommissioned by some friendly companies or purchased at a bargain price on eBay.

3. What are some of the key achievements or milestones in your career since obtaining your CCIE certification?

It's almost 20 years since I became CCIE, hence there is a lot that can be listed here. Some of the "feels good" moments that first come to my mind are the Broadband network designs that are used by tens of millions of subscribers across the EMEA region and beyond. Initiating the design of many features that are still in use by many customers around the world and finally seeing that my network designs/documents are used and reused by many peers across the world, that's something I am proud of.

4. What have been some significant challenges in your career, and how did you overcome them?

One of the main aspects that makes networking and technology in general interesting is probably the ever-evolving landscape of technology that drives innovation. It's a challenge in itself to keep yourself up to date with the up-and-coming technologies.

5. How has being a CCIE certified professional impacted your career trajectory or opportunities?

Except on a personal level, where I think the whole journey to get the CCIE certification has high value for my own self, I do not think that being CCIE certified had a direct impact on my career. Probably because shortly after being CCIE certified, I was employed at a Cisco competitor and haven't changed my job since.

6.  What are some important life lessons you've learned during your journey to and after achieving CCIE certification?

On a personal level, the journey to becoming a CCIE at a very young age had an enormous impact in various aspects. If I had to single out some of them, they would be: believing that hard work pays off and that not many things can be deemed impossible.

7. How do you continue to grow and develop professionally? Are there specific areas or technologies you're currently focused on?

In my current role as a lead solution design architect, I tend to work for Core & Edge, Data Centre, Broadband Networks, SDN, Cloud, SD-WAN and Security projects. My interests are broad enough at the moment.

 Conclusions: 

 Mesut is one of the first Albanians that got CCIE certified. He put a lot of sweat in the early 20's into getting the certification with a restricted budget and lab equipment. CCIE has changed a lot since, but from talking to Mesut it's clear that the certification had a huge impact on the personal and professional side, with the most important one being creating the confidence needed for tackling larger problems and projects.

 Mesut is one of the superstars in the CCIE Hall of Fame, and reading about him will definitely help in motivating more Albanians to pursue the same path. 

Friday, April 5, 2024

Throwback to the roots of Cisco Meraki: Connecting the next billion people

    A quiz in the Meraki Insiders program triggered my Sherlock Holmes sense to deep dive into the early days of Cisco Meraki. The origins of Meraki can be traced back to a project called Roofnet at MIT. About 1 billion people were connected to the internet back in 2007, while 5 billion more still needed connectivity. So how do we connect the next billion? The challenge lies in the last mile, where the end customer needs to be connected to the nearby towers or centrals. The rest of this post will explain the Meraki solution to this global challenge.

Fig.1 Meraki solutions in 2007

The existing solutions

    Let's look at the existing solutions from back then. The most common approach in the US was using Wi-Fi distributed by access points installed on streetlight towers by the municipality. Covering every area with Wi-Fi by this approach was proving to be cost-ineffective, and the actual performance in the last mile was not acceptable without some kind of indoor repeater. Each AP cost $3500, not including installation. In terms of performance, some employees of Google had reported that they needed to keep the laptop by the window if they were to have an acceptable signal.

    Another alternative was subscribing to a dedicated DSL line, which provided better performance but at a considerably higher monthly cost, more than $100 per installation. This solution required extensive infrastructure, making scaling problematic. This approach has had its share of success, as even today we see it implemented on the last mile towards the customer in many places in the world, including Denmark. However, the speed of deployment has been a challenge, similar to the one we face today with the distribution of fiber.

The MIT Roofnet

    One of the very first concepts of a mesh network came from the MIT Roofnet project. It aimed to create a community wireless network that was self-configuring and easy to scale, using omnidirectional antennas for simplicity and fault tolerance. As you might guess from the name, the antennas would potentially be installed on the roofs. 

    In terms of technical challenges, it addressed those of unstable links and self-interference through a routing protocol (SRCR) that optimizes routes based on real-time link quality. This approach allowed Roofnet to offer internet performance comparable to traditional infrastructures, through a user-friendly installation process, indicating that community-operated networks can be effectively deployed and maintained. This ingenious idea is the very start of the Cisco Meraki we know today. Some of the most important design decisions of Roofnet are:

- Unconstrained node placement, so you just use an ad-hoc concept, without needing to design all node placements beforehand. 

- The use of omnidirectional antennas, eliminating the need to know in advance who you will connect to.

- Assuming networks consist of slowly-changing, intermediate-quality links.

Here is a picture of the Roofnet and the performance measured on the individual links. 

Fig.1 MIT Roofnet as seen on 22 July 2003

    You can find a link to the full publication at the end of this post, if you are interested in more technical details. But now let's focus on how this could solve our previous issue. 

The Meraki Mesh

    Roofnet became the start to what we know as Cisco Meraki today. They came up with several solutions which were supposed to help with the adoption of the internet at an acceptable cost and performance. 

    The first AP that was produced was called Meraki Mini, and 191 of them are still online today, almost 20 years later. Can you believe that? You can see a list of the first products in the following photo.

Fig.2 Meraki gear in 2007

    Meraki was working on different solutions that were more cost-effective than DSL and more reliable than the municipality Wi-Fi. Rather than using expensive APs on light towers, the solution involved installing repeaters in each home, following the concept used by Roofnet. These repeaters would connect to each other by building a mesh network, one of the very first of its kind. The cost of a repeater was only $49, and it could be shared by several homes. By using this mesh concept, Meraki managed to create communities of 300–500 people that shared a couple of DSL lines. They even introduced solar-powered Wi-Fi to keep costs down, at $99 per repeater, and in some areas provided free APs for the sake of the expansion.

    Operators had the freedom to set their prices. Meraki provided the software for managing the solution and processing payments, taking a 20% share of the providers' profits. As their CEO back then said: "You probably have a better idea of what you should charge in Zimbabwe than I do."

    I found the following product description of the Meraki Mesh solution on their website from 11 October 2007 that you can see here below:

Fig.2 Meraki mesh product description. 

    In terms of expansion, Meraki has grown from a few thousand networks in 2007 to over 100 000 in 2012, when it was acquired by Cisco, and recently to an incredible number of over 4.75 million, thanks to the Cisco magic.

Conclusion

    This post describes some of the first steps that turned Meraki into one of the leaders in cloud-controlled Wi-Fi, routing and security. The small Roofnet project became the start of the journey towards solving one of the biggest challenges of the early internet, bringing the next 5 billion people online after the first one. The post also provides some useful links at the bottom, if you share the same curiosity as I do about such an exciting journey.

References

Roofnet Abstract

New York Times Article: Wireless Internet for All, Without the Towers

Cisco Meraki website in 2007

Tuesday, March 26, 2024

My own path to CISSP: Embracing a Management Mindset

    During the last 10 months, I’ve been working on getting CISSP certified. It started as a natural first step after passing the CCIE and the Microsoft Cybersecurity Architect exams. I wanted to go after a management certification, which was not tied to a specific vendor. Initially, I considered the Certified Ethical Hacker (CEH) certification, but given my current management role, CISSP sounded like a better choice.

Fig.1 The CISSP confirmation mail

How I got here?

    CISSP is considered to be one of the most respected security certifications in the industry. The first time I heard about it was while working on a project at Societe Generale in Albania about 12 years ago, where the CISO had these thick books on his table, similar to the ones I was used to from the Cisco world. Back then I was 100% Cisco minded, so that wasn’t tempting for me. As mentioned, it was 10 months ago that I really got on track.

Fig.2 My first LinkedIn Post about CISSP

    Right after making up my mind that this was the right way to go, I purchased the official certification guide along with several Udemy courses taught by Thor Pedersen. This was a no-brainer as everyone suggested those resources to start with.

    In addition, I’ve spent a lot of time on developing our own Compliance Services, focusing on NIS-2, to assist customers of Critical Infrastructure in Denmark in protecting from cyberthreats. 

    Whenever I’ve found something interesting on the book, I’ve shared posts on my own blog or LinkedIn. You can find some of them at the end of this post.

    Since CCIE took a lot of my free time, which I would otherwise have dedicated to my family, I decided to follow a different approach this time. I utilized any “spare” time, where I wasn’t doing anything with them. This was mainly watching Udemy videos while preparing dinner, and reading the certification guide before bed, instead of browsing 9gag. There have also been a lot of deviations from the standard, like using the time at the hospital, while we were expecting our second child, to read about 300 pages from the official certification guide, or reading several pages while sitting on the VIP lounge at home. 😉

Which resources did I use?

The primary resources for my preparation were:

  • Udemy CISSP videos from Thor Pedersen. He is the go-to trainer, when we talk about CISSP. He has the largest pool of students and the highest rating. 
  • (ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition
  • There are many different standards you can read, but I focused mainly on CIS v.8, NIST, IEC62443 and the upcoming NIS-2.

    Besides these resources, I have a lot of background info from the previous Microsoft Cybersecurity Architect Exam as well as all kind of different Cisco certifications I’ve been through over the years, which proved to be very beneficial on the exam.

How was the exam?

    If I had to say it with one word, I would say confusing. Nothing compared to CCIE in terms of difficulty, but it still required a lot of focus when reading the questions. Many of them had several correct answers, requiring the selection of the most appropriate one. What worked for me was to “Think like a Manager”. This is one of the main reasons why I wanted to do CISSP in the first place, to shift my mindset from the technical solutions, to the strategy, design, governance. So, moving towards a helicopter view and focusing on what would benefit the business, instead of picking the right technical solution.

    There was a ridiculous number of questions, which I went through in 3 hours, with very few of them where I was 100% certain to have provided the correct answer. I was kinda surprised when I saw the mentor smiling, after those mixed feelings while going through the exam. Then I looked at the paper, and it said “Congratulations”…

Why should you take the CISSP exam?

Here are some of the most important benefits according to me:

  • Changing your mindset from a technician to a manager
  • Absorbing a large amount of security topics in a short amount of time
  • Linking the technical solutions to the risk they address
  • Learning about physical security

Conclusions

    CISSP has been a great training that has helped me in changing my mindset from technician to manager, as well as in building our own compliance services. Going through such a large pool of subjects makes you understand how broad the security field is. CISSP may not be suitable as a first cybersecurity certification due to its high-level content and the requirement for at least five years of documented experience. You can find more relevant trainings from Cisco and Microsoft in the references below.

References:

My own posts related to CISSP:

Shared Responsibility Model: #cissp and pizza ~ Ibrahim Ramku - Blog

The evolution of switches ~ Ibrahim Ramku - Blog

Cryptography Post

CISSP Training materials:

Thor Pedersen - Udemy

CISSP Official Study Guide - 9th edition

Start your career in CyberSecurity with these trainings:

Cisco - Intro to CyberSecurity

MS - Cybersecurity Fundamentals

Different standards:

CIS v8

NIST

NIS-2

ISA/IEC 62443