Wednesday, February 15, 2023

Meraki Security Baseline

Network security is an essential aspect of any organization, and with the increasing threat of cyber-attacks, it is imperative to ensure that firewall security features are enabled and functioning correctly. However, manually checking the security status of firewalls is a time-consuming task, especially when dealing with multiple firewalls across multiple organizations. This is a challenge that most Managed Service Providers like ourselves face. The purpose of this blog post is to start building a security baseline that can help standardize and audit security configurations for customers, based on the MX Security Best Practice Design document published by Cisco Meraki. In this post, we will go over the steps to accomplish this using Python.



Overview of the Script

The script uses the Meraki REST API to check the security settings of MX firewalls in a list of organizations. It reads the API keys and org IDs from a file, then retrieves the list of networks for each organization. It filters the list to find the MX firewalls and then retrieves the license edition, anti-malware, intrusion prevention and IP spoofing protection settings for each firewall. The results are displayed in a table showing the organization name, network name, license edition, anti-malware status, intrusion prevention status and spoof protection status.

Prerequisites

  • A Meraki Dashboard account with API access enabled
  • Python 3.x installed
  • The 'requests' and 'prettytable' libraries installed
  • A file containing the API keys and organization IDs of the Meraki organizations to be checked

The Code

The code consists of the following steps:

  1. Import the necessary libraries, including the 'requests' library for making API calls and the 'prettytable' library for generating a table to display the results.
  2. Read the file containing the API keys and organization IDs of the Meraki organizations to be checked.
  3. Use the Meraki APIs to retrieve the list of networks in each organization.
  4. Filter the networks to find Meraki MX firewalls.
  5. For each firewall, make API calls to obtain the license edition, anti-malware, intrusion prevention, and spoof protection settings.
  6. Format the results as a table, with the organization name, network name, license edition, anti-malware status, intrusion prevention status, and spoof protection status as columns.
  7. Print the table.

The end result will look like this:

Fig.1 Table with list of controls

The full script follows; it is also published on GitHub as Meraki-Security-Baseline. The comments under each section should give you an idea of what each part of the code is doing.
import requests
from prettytable import PrettyTable

table = PrettyTable()

# API endpoint for organizations
org_url = 'https://api.meraki.com/api/v1/organizations'
# API endpoint for firewalls (per-network appliance settings)
fw_url = 'https://api.meraki.com/api/v1/networks/{}/appliance/'

# Read the file containing the API keys and org IDs (one "api_key,org_id" per line)
with open("C:/MerakiAutomation/api_keys_org_ids.txt", "r") as f:
    lines = f.readlines()
print(lines)  # debug output: note that this echoes the API keys to the console

# Create a table header, left-aligned columns
table.field_names = ["Organization", "Network", "License Edition", "Anti-Malware",
                     "Intrusion Prevention", "Spoof Protection"]
for column in table.field_names:
    table.align[column] = "l"

# Loop through each line in the file
for line in lines:
    if not line.strip():
        continue
    api_key, org_id = line.strip().split(",")
    headers = {'X-Cisco-Meraki-API-Key': api_key}

    # Get the organization name (once per organization, not once per firewall)
    org = requests.get(f"{org_url}/{org_id}", headers=headers).json()
    org_name = org['name']

    # Get the current license edition for the MX (co-term licensing)
    licenses_response = requests.get(f"{org_url}/{org_id}/licensing/coterm/licenses",
                                     headers=headers).json()
    license_edition = "Enterprise"
    for item in licenses_response:
        for count in item.get('counts', []):
            if count.get('model', '').startswith('MX'):
                for edition in item.get('editions', []):
                    if 'Advanced Security' in edition.get('edition', ''):
                        license_edition = 'Advanced Security'
                        break

    # Get the list of networks for the selected organization
    networks_url = f"{org_url}/{org_id}/networks"
    networks = requests.get(networks_url, headers=headers).json()

    # Filter the networks to find MX firewalls ('appliance' is not always the first product type)
    mx_firewalls = [network for network in networks if 'appliance' in network['productTypes']]

    # Loop through the firewall list
    for firewall in mx_firewalls:
        network_name = firewall['name']
        network_fw_url = fw_url.format(firewall['id'])

        # Get anti-malware settings
        firewall_settings = requests.get(network_fw_url + "security/malware", headers=headers).json()
        anti_malware_enabled = firewall_settings['mode']

        # Get intrusion prevention settings (not available on every MX model/license)
        firewall_settings = requests.get(network_fw_url + "security/intrusion", headers=headers).json()
        if 'mode' in firewall_settings:
            intrusion_prevention_enabled = firewall_settings['mode']
        else:
            intrusion_prevention_enabled = "Not Supported"

        # Get IP spoof protection settings
        firewall_settings = requests.get(network_fw_url + "firewall/settings", headers=headers).json()
        spoof_protection_enabled = firewall_settings['spoofingProtection']['ipSourceGuard']['mode']

        # Add a row to the table
        table.add_row([org_name, network_name, license_edition, anti_malware_enabled,
                       intrusion_prevention_enabled, spoof_protection_enabled])

# Print the results
print(table)
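The script above only reports the current mode of each control. As an added example that is not part of the post or the Meraki-Security-Baseline repository, the functions below take the same API payloads the script reads (constructed samples here, so it runs offline) and grade each control against baseline values assumed for this example: anti-malware enabled, intrusion mode set to prevention, and IP source guard set to block. It also handles the case the script already covers, an MX that returns no intrusion mode.

```python
# Added example, not the post's or the Meraki-Security-Baseline repo's code.
# The expected values are assumptions for this example; the post only reports
# the current mode of each control.
EXPECTED = {
    "Anti-Malware": "enabled",             # /appliance/security/malware -> mode
    "Intrusion Prevention": "prevention",  # /appliance/security/intrusion -> mode
    "Spoof Protection": "block",           # /appliance/firewall/settings -> spoofingProtection.ipSourceGuard.mode
}

def mx_license_edition(coterm_licenses):
    """'Advanced Security' if a co-term license covering an MX model carries that edition, else 'Enterprise'."""
    for lic in coterm_licenses:
        if not any(c.get("model", "").startswith("MX") for c in lic.get("counts", [])):
            continue
        for ed in lic.get("editions", []):
            # Compare case- and space-insensitively; the exact edition string is not fixed by the post
            if ed.get("edition", "").replace(" ", "").lower() == "advancedsecurity":
                return "Advanced Security"
    return "Enterprise"

def evaluate_controls(malware, intrusion, fw_settings):
    """Map each control to (observed mode, compliant); a missing mode is 'Not Supported' and fails."""
    spoof = fw_settings.get("spoofingProtection", {}).get("ipSourceGuard", {})
    observed = {
        "Anti-Malware": malware.get("mode", "Not Supported"),
        "Intrusion Prevention": intrusion.get("mode", "Not Supported"),
        "Spoof Protection": spoof.get("mode", "Not Supported"),
    }
    return {name: (mode, mode == EXPECTED[name]) for name, mode in observed.items()}

def failed_controls(results):
    """Names of the controls that do not meet the baseline, sorted for stable reporting."""
    return sorted(name for name, (_, ok) in results.items() if not ok)

# Constructed sample payloads shaped like the responses the script consumes
SAMPLE_LICENSES = [{"counts": [{"model": "MX67", "count": 1}],
                    "editions": [{"edition": "Advanced Security", "productType": "appliance"}]}]
SAMPLE_MALWARE = {"mode": "enabled"}
SAMPLE_INTRUSION = {"mode": "detection", "idsRulesets": "balanced"}
SAMPLE_FW_SETTINGS = {"spoofingProtection": {"ipSourceGuard": {"mode": "log"}}}

if __name__ == "__main__":
    print("License edition:", mx_license_edition(SAMPLE_LICENSES))
    results = evaluate_controls(SAMPLE_MALWARE, SAMPLE_INTRUSION, SAMPLE_FW_SETTINGS)
    for name, (mode, ok) in results.items():
        print(f"{name:22} {mode:14} {'OK' if ok else 'FAIL'}")
    print("Failed controls:", failed_controls(results))
```

The `failed_controls` list is what you would feed into a ticket or an alert instead of reading the table by eye.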

Future work


Please note that this script is the first version of our Meraki baseline security checks, which will be expanded in the future. I plan to include additional controls from Cisco Meraki's Best Practice Design for MX Security. 

Conclusion


In conclusion, the script provides a quick and easy way to check the security configuration and license of all the MX firewalls in different organizations, saving time and reducing the chances of security configuration issues going unnoticed. As a best practice, it is recommended to run this script on a regular basis to ensure that the firewall security configurations remain consistent and secure.


Monday, February 6, 2023

My Own Path to CCIE: Maximizing Chances of Success and Enjoying the Benefits

    The CCIE Enterprise Infrastructure certification is without any doubt one of the most highly desired certifications in the field of networking. It's a testament to one's knowledge, experience, and expertise in the field of enterprise networking. In this blog post, I'll be sharing a few thoughts on my experience with CCIE and the advantages that come with this certification.



Fig.1 The CCIE kit

The path to success

    I started this journey back in 2015 in Albania with CCIE R&S, but due to my job profile and some potential contacts with service providers, I decided to switch to SP after passing the R&S written exam. I took the exam in Brussels on 15 May 2015 and failed. Back then, the exam had a single module lasting 8 hours with a 30-minute break for lunch. I believe my failure is mostly related to speed, as I ran out of time before I could go through all the questions. After that, I learned a few tricks, which I used during the Enterprise Infrastructure exam:

  • Practice speed. Not only should you have a deep understanding of the technologies, best practices and methodologies, but you should also show that you can implement them quickly without mistakes.
  • Attack the problems from different angles. Don't limit yourself to finding a single solution for each problem. Many questions in the exam are quite restrictive in what you are allowed to do. You might need to find a different solution to comply with the restrictions.
  • Notepad is your friend. A lot of tasks back then were repetitive, and this is also relevant today. It can help you avoid mistakes and save time. Every second you spare on the exam is going to count when the clock ticks at the end of the exam.

    With the experience I had from 2015, and a few changes in my private life over the years, it took me quite some time to get back on track. But then, in the summer of 2021, I couldn't wait anymore. Parenting was getting easier, my team was covering my back at work and my wife was covering my absence at home. I booked my CCIE Enterprise Infrastructure exam for 20 July 2022 in a mobile lab in Copenhagen.

    Over the next few months, a lot of my free time was dedicated to reading, practicing and watching videos. To ensure that I was well-prepared, I took a couple of weeks off before the exam date, during which I focused exclusively on studying and preparing for the exam.

    Finally, the big day arrived, and I confidently drove towards the mobile lab in Copenhagen, ready to take on the challenge of the CCIE Enterprise Infrastructure exam. I arrived at the mobile lab about an hour earlier than the scheduled exam time. I decided to take a walk around the nearby harbor to get some fresh air, clear my mind and calm my nerves. Then I went towards the exam hall. The rest of the day was a mix of excitement, stress, depression, happiness and finally accomplishment. The day after, this mail arrived:

Fig. 2 The confirmation mail

    I was so excited about the end result that I didn't read the email I received from Cisco Training carefully, and forgot to confirm my information on my profile, which delayed the delivery of the certification kit by about 3 months.

What are some of the advantages you get from the certification?

    CCIE Enterprise Infrastructure certification not only certifies an individual's expertise in the field of enterprise networking, but it also provides numerous benefits and opportunities. Here are some of the most important ones: 

  • Increased knowledge and skills: The certification requires extensive study and a lot of hands-on work. This leads naturally towards a deeper understanding of the technologies and best practices.
  • Networking Opportunities: It opens doors towards the community, both via social platforms and through events organized by Cisco. You get the chance to share what you learn with others, but also to develop yourself through the knowledge you ingest from them.
  • Professional Growth: Being part of such an exclusive community and meeting with so many professional people is going to help in the process of developing your own career. 

Is it still worth it, even though it's a 30-year-old certification?

    I had the opportunity to join an event, "CCIE in an SDN World", last week, where there was some discussion about developments of the CCIE, the impact that automation and SDN are having on network engineers nowadays, and whether we are all going to be replaced by AI/ML. Since I've been through the certification process recently, here are my takes:

  • CCIE evolves: The field of networking is constantly evolving, and CCIE certified professionals are equipped to adapt to new technologies and stay ahead of the curve. We are in a process of upgrading and evolving our own skills together with the exam.
  • Industry Demand: Despite advancements in automation and AI, the demand for skilled network engineers remains high. Even though platforms like ChatGPT are having large success in adoption in different fields, you still need to interact with them. If you don't have the knowledge and the skills, how would you instruct the AI platform?
  • Are we that evolved? I still use the CLI myself daily, even though I'm learning more and more automation and programmability. Don't you?

Conclusion 

    Obtaining a CCIE Enterprise Infrastructure certification is still a valuable and relevant accomplishment in today's ever-evolving world of networking. It requires extensive preparation, which leads to increased knowledge and skills in the field. Not only does it offer opportunities for professional growth, but it also opens doors for networking and community building. Despite advancements in automation and AI, the demand for skilled network engineers remains high, and CCIE certified professionals are equipped to adapt and stay ahead of the curve. So, the journey may be challenging, but the reward of obtaining the CCIE Enterprise Infrastructure certification is worth it. 

Bonus question: Do you know the first 3 CCIE numbers?


Fig. 3 The first 3 CCIEs (Credit: Jeff McLaughlin)


#1024 - The lab

#1025 - The lab creator: Stuart Biggs

#1026 - Terrance Slattery