- Luis Miguel Acosta Guzmán
"Sigraki" = SASE made super easy
Many organizations around the world are adopting technological innovations such as hybrid cloud services and hybrid work as part of their digital transformation, shifting from a network-centric to a cloud-centric approach.
As a result, security needs to move to the cloud as well. Organizations therefore need a strategy to deliver security capabilities such as secure web gateway (SWG), CASB, L4/L7 firewall, IPS, malware protection and DLP from the cloud, so that their users are protected whenever they access the Internet, wherever they are. That is the new reality: the security perimeter as we knew it is gone, and the Internet is still a major threat source.
SASE (Secure Access Service Edge) is a concept from Gartner that describes a cloud-centric architecture in which networking and security services converge and are delivered from the cloud. In this post we are going to explore how Cisco Meraki MX and Cisco Umbrella SIG have simplified SASE deployments to the point where almost no admin touch is required. To do so, we will walk through the configuration step by step.
As previously mentioned, SASE means convergence between cloud-delivered connectivity and security. In this case, the Meraki MX (a Cisco Meraki firewall with zero-touch provisioning) provides the networking services: it lets us build an SD-WAN fabric that connects multiple sites and also connects our users to the Internet through the Umbrella Secure Internet Gateway (SIG) cloud, the Security Service Edge (SSE) that provides all the security capabilities discussed earlier.
"Sigraki" is the name of the integration between Meraki MX and Umbrella SIG. It automatically creates IPsec tunnels to the Umbrella SIG cloud so that Umbrella can be connected into our SD-WAN fabric, giving our users secure Internet access.
This integration requires an Umbrella SIG Essentials or Advantage package, and the Meraki MX must be running firmware version 15.37 or later.
The first step is to integrate Umbrella and Meraki using the Umbrella Management API:
Go to the Umbrella console and create Management API keys: Admin > API Keys > Create
Go to the Meraki console and add the Umbrella Management API key and secret to connect Meraki with Umbrella: Organization > Cloud On-Ramp > Configuration > Connect to Cisco Umbrella. Enter the Management key and secret, then click Yes, continue. Treat this key pair as a credential: it grants management access to the Umbrella organization, so keep it out of tickets, chat and plain-text scripts, and rotate it if it is ever exposed.
Next we need to create the IPsec tunnels that connect the Meraki MX to the Umbrella cloud.
Still on the Meraki Umbrella SD-WAN Connector Configuration page, click Deploy.
Enter a name for the Umbrella network and choose the Umbrella data centers you want to connect to. By default the deployment connects to two Umbrella data centers, and both can be used as active connections; each Umbrella data center also has its own disaster-recovery data center with automatic failover, so high availability is taken care of for you. Pick the data centers closest to the branch to keep latency down.
Verify that the IPsec tunnels have been created successfully. You will notice that the tunnels have been created automatically on the Umbrella side, and that Meraki has deployed two new networks associated with the Umbrella data centers. On the Meraki console go to Organization > Cloud On-Ramp > Deployments; on the Umbrella console go to Deployments > Network Tunnels.
Wait until you see the Tunnel Status set to Active on the Umbrella dashboard
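Rather than refreshing the dashboard, the tunnel check can be scripted. The following is an added example (not code from the original post or from Cisco): it reads the Meraki Dashboard API endpoint GET /organizations/{organizationId}/appliance/vpn/statuses, which lists each MX network's VPN peers with their reachability, and polls until every MX reports the expected number of reachable Umbrella peers. It assumes the two Umbrella networks deployed by Cloud On-Ramp appear as peers whose name contains "Umbrella" (PEER_HINT); the sample responses are constructed and only mirror the shape of the real endpoint.

```python
"""Verify the Sigraki IPsec tunnels through the Meraki Dashboard API (added example)."""
import json
import time
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"
PEER_HINT = "umbrella"  # assumption: substring present in the name of the Umbrella peers


def fetch_vpn_statuses(org_id, api_key):
    """Live call (needs network): the JSON list from the VPN statuses endpoint."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/organizations/{org_id}/appliance/vpn/statuses",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def umbrella_peers(net):
    """Yield (peer_name, is_reachable) for the Umbrella peers of one MX entry.

    Meraki-to-Meraki peers are listed under merakiVpnPeers (networkName) and
    non-Meraki peers under thirdPartyVpnPeers (name). Both lists are scanned
    because which one the Umbrella networks land in is an assumption here.
    """
    for p in net.get("merakiVpnPeers", []):
        if PEER_HINT in p.get("networkName", "").lower():
            yield p["networkName"], p.get("reachability") == "reachable"
    for p in net.get("thirdPartyVpnPeers", []):
        if PEER_HINT in p.get("name", "").lower():
            yield p["name"], p.get("reachability") == "reachable"


def tunnel_report(statuses):
    """{network_name: {"reachable": [...], "unreachable": [...]}} for MXs that have Umbrella peers."""
    report = {}
    for net in statuses:
        peers = list(umbrella_peers(net))
        if not peers:
            continue  # no Umbrella hub on this network; nothing to check
        report[net["networkName"]] = {
            "reachable": sorted(name for name, ok in peers if ok),
            "unreachable": sorted(name for name, ok in peers if not ok),
        }
    return report


def all_active(report, required=2):
    """True when every MX in the report has at least `required` reachable Umbrella peers
    (Cloud On-Ramp deploys two data-center tunnels by default)."""
    return bool(report) and all(len(v["reachable"]) >= required for v in report.values())


def wait_until_active(fetch, required=2, attempts=10, delay=30.0):
    """Poll `fetch()` (a zero-argument callable returning the statuses list) until all
    tunnels are up. Returns (ok, last_report); ok is False if they never came up."""
    report = {}
    for attempt in range(attempts):
        report = tunnel_report(fetch())
        if all_active(report, required):
            return True, report
        if attempt < attempts - 1:
            time.sleep(delay)
    return False, report


# Constructed sample responses: real endpoint shape, made-up names and IDs.
def _mx(reach_la, reach_ny):
    return [{
        "networkId": "N_branch01", "networkName": "Branch-01", "vpnMode": "spoke",
        "merakiVpnPeers": [
            {"networkId": "N_umb_la", "networkName": "Umbrella-LosAngeles", "reachability": reach_la},
            {"networkId": "N_umb_ny", "networkName": "Umbrella-NewYork", "reachability": reach_ny},
        ],
        "thirdPartyVpnPeers": [],
    }]


SAMPLE_PENDING = _mx("reachable", "unreachable")  # second tunnel still negotiating
SAMPLE_ACTIVE = _mx("reachable", "reachable")


def simulate():
    """Offline run: the first poll sees one tunnel down, the second sees both up."""
    batches = iter([SAMPLE_PENDING, SAMPLE_ACTIVE])
    return wait_until_active(lambda: next(batches), attempts=3, delay=0)


if __name__ == "__main__":
    # Live use: wait_until_active(lambda: fetch_vpn_statuses(ORG_ID, API_KEY))
    print(json.dumps(simulate(), indent=2))
```

A network whose tunnels stay "unreachable" after the poll window usually means the Umbrella side has not finished bringing the tunnel up, so check Deployments > Network Tunnels in Umbrella before touching the Meraki configuration.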
Next, we need to add the Umbrella-protected Internet access to our SD-WAN fabric so that users who use the Meraki MX as their Internet gateway are protected.
Go to the Meraki console and configure the branch MX as a Spoke on the Site-to-site VPN page. Note that to create a site-to-site VPN you must have at least one VLAN with unique addressing on the branch MX, meaning a subnet that does not overlap any other site in the fabric. In my case I am using a VLAN named "sig-vlan". Security & SD-WAN > (CONFIGURE) Site-to-site VPN
Select the deployed Umbrella tunnels as Hubs, enable the VLANs you want to protect by sending their traffic to Umbrella, and click Save Changes.
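The same spoke configuration can be applied through the Meraki Dashboard API. The following is an added example (not from the original post or from Cisco): it builds the body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn ("mode", "hubs" with "hubId"/"useDefaultRoute", "subnets" with "localSubnet"/"useVpn") and, before doing so, enforces the prerequisite from the text that every VLAN joining the VPN uses addressing that overlaps neither another local VLAN nor a remote site. The hub network IDs, VLAN names and subnets are constructed; that the Umbrella deployments can be referenced as hub IDs is an assumption based on their appearing as hubs in the dashboard.

```python
"""Build the spoke site-to-site VPN body that sends chosen VLANs to the Umbrella hubs (added example)."""
import ipaddress
import json
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"


def check_unique_addressing(vlans, other_site_subnets=()):
    """Raise ValueError if two VLAN subnets overlap, or a VLAN overlaps a remote site's subnet.
    strict=True also rejects CIDRs with host bits set, which Meraki would not accept anyway."""
    nets = [(v["name"], ipaddress.ip_network(v["subnet"], strict=True)) for v in vlans]
    remote = [ipaddress.ip_network(s, strict=True) for s in other_site_subnets]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"VLAN {name_a} ({net_a}) overlaps VLAN {name_b} ({net_b})")
        for r in remote:
            if net_a.overlaps(r):
                raise ValueError(f"VLAN {name_a} ({net_a}) overlaps remote subnet {r}")


def addressing_is_unique(vlans, other_site_subnets=()):
    """Boolean form of the check above, convenient in scripts."""
    try:
        check_unique_addressing(vlans, other_site_subnets)
        return True
    except ValueError:
        return False


def build_spoke_config(umbrella_hub_ids, vlans, other_site_subnets=(), default_route=True):
    """Return the siteToSiteVpn body: spoke mode, Umbrella networks as hubs, protected VLANs in the VPN.

    useDefaultRoute=True on a hub is the Meraki setting that sends default-route (Internet-bound)
    traffic from the VPN-enabled VLANs over the tunnel instead of out the local WAN, which is what
    puts the branch behind Umbrella. VLANs with protect=False are listed but kept out of the VPN.
    """
    if not umbrella_hub_ids:
        raise ValueError("at least one Umbrella hub is required")
    check_unique_addressing(vlans, other_site_subnets)
    return {
        "mode": "spoke",
        "hubs": [{"hubId": h, "useDefaultRoute": default_route} for h in umbrella_hub_ids],
        "subnets": [{"localSubnet": v["subnet"], "useVpn": bool(v.get("protect", False))} for v in vlans],
    }


def put_site_to_site_vpn(network_id, api_key, body):
    """Live call (needs network): apply the body to the branch network."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: two Umbrella hub networks, one VLAN to protect, one left local.
UMBRELLA_HUBS = ["N_umb_la", "N_umb_ny"]
BRANCH_VLANS = [
    {"name": "sig-vlan", "subnet": "10.10.10.0/24", "protect": True},
    {"name": "iot", "subnet": "10.10.20.0/24", "protect": False},
]


def example_config():
    """Body for the sample branch, checked against a remote site using 10.20.0.0/16."""
    return build_spoke_config(UMBRELLA_HUBS, BRANCH_VLANS, other_site_subnets=["10.20.0.0/16"])


if __name__ == "__main__":
    # Live use: put_site_to_site_vpn(BRANCH_NETWORK_ID, API_KEY, example_config())
    print(json.dumps(example_config(), indent=2))
```

Run the body through a dry run (print it and compare with the Site-to-site VPN page) before the PUT; an overlapping subnet is rejected locally by the check, but a wrong hub ID is only reported by the API.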
At this point, all Internet-bound traffic from the VLANs you enabled on the branch MX is already passing through one of the IPsec tunnels to Umbrella SIG, and Umbrella is applying its default policies to that traffic. Finally, we need to customize the Umbrella policies to enforce the desired security posture for the users at the branch. In this post we won't cover the entire stack of security capabilities that Umbrella SIG has to offer, but I definitely recommend taking a look at the Cisco documentation (https://umbrella.cisco.com/products/sig-product).
One of the great benefits of Umbrella is that it can perform TLS decryption of HTTPS sessions in order to inspect them and enforce policies on them. Because the client then receives a certificate issued by Umbrella's CA instead of the site's own, we need to distribute the Umbrella root certificate to the hosts sitting behind the Meraki MX to avoid certificate errors in their browsers. You can download the certificate from the Umbrella console: Deployments > Configuration > Root Certificate > click the Download icon
Install this certificate in each host's trusted root store (the Trusted Root Certification Authorities store on Windows, the System keychain on macOS), ideally pushed by MDM or group policy rather than by hand. Applications that keep their own trust store, such as Java's cacerts, need the certificate added separately.
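A quick way to confirm both that decryption is happening and that the root certificate landed in the host's trust store is to look at the certificate a host behind the MX actually receives. The following is an added example (not from the original post or from Cisco): it classifies the issuer of the presented certificate and, when the default trust store rejects it, retries with a context that trusts only the root downloaded from the console, which distinguishes "inspected but root not installed" from "not inspected at all". It assumes the Umbrella-issued certificate carries "Umbrella" in its issuer CN or O (ISSUER_HINT); the sample certificate dicts are constructed in the format returned by ssl.SSLSocket.getpeercert().

```python
"""Check from a host behind the MX whether Umbrella decrypts HTTPS and whether its root is trusted (added example)."""
import socket
import ssl

ISSUER_HINT = "umbrella"  # assumption about the Umbrella CA naming; confirm against the downloaded root


def rdn_value(field, attr):
    """Extract one attribute (e.g. 'commonName') from getpeercert()'s nested RDN tuples."""
    for rdn in field:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def classify(cert, verified_by_system_store):
    """Classify a certificate dict plus whether the OS/Python trust store verified it.

    'inspected-trusted'    issued by Umbrella and verified: decryption works, no browser errors
    'inspected-untrusted'  issued by Umbrella but not verified: root certificate not installed
    'direct'               issued by another CA: this session is not being decrypted
    """
    issuer = cert.get("issuer", ())
    names = (rdn_value(issuer, "commonName") + " " + rdn_value(issuer, "organizationName")).lower()
    if ISSUER_HINT in names:
        return "inspected-trusted" if verified_by_system_store else "inspected-untrusted"
    return "direct"


def _handshake(host, port, ctx):
    """Return the peer certificate dict after a verifying TLS handshake using `ctx`."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def probe(host, umbrella_root_pem, port=443):
    """Live check (needs network). Returns (classification, cert_dict).

    First try the default trust store. If verification fails, retry with a context that trusts
    only the Umbrella root; success there means the session is inspected but the root is missing
    from this host's store. If that fails too, the error propagates: the site is neither trusted
    nor Umbrella-issued, which is a different problem to investigate.
    """
    try:
        cert = _handshake(host, port, ssl.create_default_context())
        return classify(cert, True), cert
    except ssl.SSLCertVerificationError:
        pass
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED are the defaults
    # cafile must be PEM; if the console download is DER, convert it first:
    #   openssl x509 -inform der -in root.cer -out root.pem
    ctx.load_verify_locations(cafile=umbrella_root_pem)
    cert = _handshake(host, port, ctx)
    return classify(cert, False), cert


# Constructed sample certificate dicts (getpeercert() format); the names are made up.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Cisco"),),
               (("commonName", "Cisco Umbrella Secondary SubCA (constructed)"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <host> <umbrella_root.pem>")
    print(probe(sys.argv[1], sys.argv[2])[0])
```

Run it from the sig-vlan against a site in a category you expect to be decrypted; a "direct" result for such a site means the traffic is not reaching Umbrella through the tunnel (or the site is on a decryption bypass list), while "inspected-untrusted" means the certificate rollout, not the tunnel, is what needs fixing.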
In this example we will test our deployment using a new Secure Web Gateway policy applied to all the identities passing through both IPsec tunnels; this policy will have TLS inspection (decryption) enabled and will apply a Remote Browser Isolation (RBI) action to websites in the content category "Finance". Remote Browser Isolation is an Umbrella capability that avoids direct interaction between the user's browser and the destination website by creating a surrogate browser in the cloud that visits the site on behalf of the user, which protects the endpoint from client-side exploits. Policies > Management > Web Policy > click the Add icon
Organizations should start considering adopting SASE to:
Move from Data Center centric to Cloud centric
Enable hybrid-cloud adoption
Move their security investments from CAPEX to OPEX
Protect their users when accessing Internet wherever they are
As we have seen, Sigraki is a great option for doing so, particularly for Meraki and Umbrella customers: the technology is not only reliable and offers strong security capabilities, but also demands very little effort and a small learning curve to deploy and operate.
a security artist
#SASE #meraki #umbrella #cisco #ciscosecure #sigraki #securewebgateway #secureinternetgateway