Meraki Advanced Security Feature Set vs. Enterprise Licensing
"What is the value of Cisco Meraki Advanced Security Feature Set vs. Enterprise Licensing?"
This is a question that comes up frequently in discussions with customers. When deciding whether or not to pay for the advanced feature set, you need to understand what the differences are between the licensing modes and, more importantly, why you would need or want to use the more advanced features.
The Enterprise License for Meraki provides valuable features involving management, API support, Stateful Firewalling, full-mesh Auto-VPN, High Availability (HA) failover and more. Most of the additional features in the Advanced Security Feature Set are centered around security. Security has many layers and aspects, so it is important to consider a) the risks that the organization faces, and b) what the Advanced Security Features are and how they might play into the enterprise.
Traditionalists would most commonly consider Perimeter Security and Endpoint Security as the two important starting points for protecting data in an environment. However, as time has gone on, companies both large and small have been subjected to an increasing quantity and complexity of threats from adversaries. These include DNS Hijacking, Phishing emails with embedded Malware or bogus website links, Command-and-Control attacks, Website Redirection, and Ransomware.
Cisco/Meraki’s advanced feature set helps to deal with many of these issues before they get into the environment, meaning at the edge of the network. That doesn’t mean that one should ignore endpoint protection, but that is the subject of another blog.
Let’s take a look at four key features of the Advanced Security Features and what they do:
Geo-based firewall rules - If you’ve been in the industry, or looked at firewall logs or even ACL hits on devices in the cloud, you will have seen that there are a lot of people out there scanning and probing for access to devices, and that many of them are not from the country you are operating in. This feature allows an enterprise to restrict, and specifically block, traffic from source countries for which you would never have a legitimate business need.
For example, countries like China, Russia, the Democratic Republic of the Congo, etc.
This keeps your firewall, which might allow inbound services to devices, from even allowing those initial traffic flows to be instantiated.
URL Content Filtering - A fairly common practice for most companies, this is built into the Meraki Firewall (MX) where you can select categories of URLs such as
Proxy Avoidance and Anonymizers
Intrusion Prevention - This ties in with Cisco's Advanced Malware Protection (AMP) and Threat Grid. These features are designed to catch anomalous behavior traversing the firewall and take action to inform the client and stop the traffic. AMP allows for real-time malware blocking and retrospective malware detection. With the integration into Threat Grid, it also allows malicious or suspicious files to be examined by Threat Grid in a sandbox environment; if the file or files are determined to be malicious, all consumers of AMP are updated with this information automatically.
Google SafeSearch - This allows you to block adult content from coming up on a Google or Bing search.
Our experience is that small to mid-sized companies (up to several thousand employees) who are using Cisco Meraki SD-WAN technology leverage the Advanced Security Features about 75% of the time, because the security value is significant versus a cost increase that is incremental. Much larger enterprises, however, that perhaps utilize Cisco Meraki for remote locations or small offices may already have these security features deployed across the enterprise and may instead choose to pay less for the Enterprise Licensing.
Please contact us for trials or demo units at email@example.com.