Posts
This post is focusing on building the Center for Internet Security (CIS) Benchmark for Cisco Meraki. CIS is one of the most respected institutions when it comes to security standards, with CIS Controls being one of the most widely used resources for implementing and securing infrastructures. This benchmark is considered a prescriptive configuration recommendation for Cisco Meraki. This section of the Benchmark will focus on Inventory and Asset Management.
Why do we need a Benchmark?
Following the configuration guides can sometimes be complicated and without having a logical connection between the different documents, it's almost impossible to ensure that all the necessary security features are enabled. In order to streamline the security implementation, it is recommended to follow security standards. One of the most widely used security standards is CIS Controls, due to its very detailed and practical way of describing the technical and organizational safeguards to build a secure infrastructure. I decided to join CIS as an Editor and Subject-Matter Expert to help the community and the rest of the world.
Who is this benchmark for?
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Cisco Meraki equipment and solutions.
Network Inventory and Asset Management
Inventory Tracking
Fig.1 Organization Inventory
Audit Procedure
Log into the Meraki Dashboard, go to Organization -> Configure -> Inventory and verify that all claimed devices are in use and assigned to a network.
Mapping: CIS 8.1 Control 1.1, 1.2
Tagging and Naming Convention
Implementing device naming convention and device tagging helps in improving operations, troubleshooting and accountability. Without standardized naming, device management is inefficient, especially in larger deployments. In case of incidents, it is very difficult to identify devices and the troubleshooting process becomes slower. Using a well-defined naming and tagging schema helps the technical staff with operations and the compliance staff with meeting requirements. Maintaining the asset inventory, proper naming and tagging introduces extra overhead. The effort is outweighed by better visibility, reduced risk and more efficient operations. There is no service impact when implementing changes.
Audit Procedure
Verify if the organization has implemented a naming convention schema. Then log into the Meraki Dashboard.
Go to Organization -> Network -> Wireless -> List Verify that the wireless devices have proper naming and tags describing location and ownership.
Go to Organization -> Network -> Switching -> Switches Verify that the Switches have proper naming and tags describing location and ownership.
Go to Organization -> Network -> Security & SD-WAN -> Appliance Status Verify that the Firewalls have proper naming and tags describing location and ownership.
A similar approach should be followed with Mobile Gateways, Cameras and Sensors.
Mapping: CIS 8.1 Control 1.1
Unofficial recommendation.
- Documented schema - A document should be written with the structure, so existing and new engineers can easily understand the naming
- Uniqueness - Every device should have a name that is unique within the domain where it's used.
- Clarity - The name or tag should make sense and be easy to read.
- Scalability - The schema should provide the possibility to add new devices without the risk of running out of space
- Structure - The name should be split in sections, where each is representing a specific component.
Conclusion
Call-to-Action
References
https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Organization_Menu/Manage_Tags
https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Renaming_a_Network_or_Organization
https://developer.cisco.com/meraki/api-v1/update-device/
https://developer.cisco.com/meraki/api-v1/update-network/
.jpg)
