Remote working for a secure and collaborative future: Meraki MR Teleworker

The interruption of our daily work life that COVID has caused will not be forgotten. Increased pressure from employees, stakeholders, and investors will change the industry’s perception of what productive and innovative work environments can be. As the realization sets in that the more we work from home, the more likely we are to keep working from home, organizations are looking for solutions.

There are numerous solutions for providing a productive remote working environment: traditional client and clientless VPNs, and VDI solutions like Citrix XenApp/XenDesktop come to mind. These have worked for years and most certainly still do, but they usually require infrastructure to support them.

If you were an organization fortunate enough to have the infrastructure in place pre-COVID, transitioning to remote work was probably a pure uplift for you. You may have needed to scramble to get more VPN licenses or lease more bandwidth to meet capacity.

Unfortunately, some organizations don’t have a work from home policy or even a contingency plan, let alone the infrastructure to support remote workers.

The MR Teleworker VPN extends the corporate LAN to employees at remote sites using Meraki APs. It may be the path of least resistance for organizations that have temporarily or permanently shifted to remote working.

A Meraki AP at a remote site or in your home establishes a layer 2 connection back to the corporate LAN over an IPsec-encrypted UDP tunnel. The L2 tunnels are built per SSID and terminate at headquarters on a Meraki MX security appliance. Because the tunnel is layer 2, wireless clients on a tunneled SSID sit on the corporate network as if they were plugged in at headquarters, so only tunnel the SSIDs that need that access.

An access point normally needs a PoE-capable switch to power it, which is not something the average worker has at home. So for my setup, I’m using a PoE injector with a Meraki Wi-Fi 6 MR36 access point plugged into a LAN port on my router.

Optionally, you can take this one step further with split tunneling. Say you want to offer a personal SSID for your remote workers: enabling split tunneling on that SSID keeps its traffic from hairpinning through headquarters before egressing to the internet.

Again, the VPN tunnels are built per SSID, so you would create a new SSID for personal use and change its VPN tunnel type. Three VPN rules are enabled by default; rules are evaluated top to bottom, so add any more specific rules above the last statement, the default rule, if you require them.
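To make the ordering point concrete, here is an added Python example (not code from the original post or from Meraki): a first-match evaluator for a per-SSID split-tunnel rule table, plus a check that flags rules that can never match because a broader rule, such as the default, sits above them. The rule columns (policy, destination, protocol, port) are modelled loosely on the dashboard’s rule table and are an assumption; the two rule tables and the test flow are constructed samples.

```python
# Added example, not part of the original post: first-match evaluation of a
# per-SSID split-tunnel rule table, plus a check for rules that can never
# match because an earlier, broader rule (such as the default) sits above them.
# The rule columns (policy, destination, protocol, port) are modelled loosely
# on the dashboard's rule table (assumption); rule sets and flows are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str             # "tunnel" = send to HQ over the VPN, "local" = egress at the site
    destination: str        # "any" or a CIDR such as "10.0.0.0/8"
    protocol: str = "any"   # "any", "tcp", "udp", "icmp"
    port: str = "any"       # "any" or a single port number as a string
    comment: str = ""

    def matches(self, dst_ip: str, protocol: str, port: int) -> bool:
        if self.destination != "any" and (
                ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination)):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.port != "any" and int(self.port) != port:
            return False
        return True


def evaluate(rules, dst_ip, protocol, port):
    """Return the policy of the first rule that matches (firewall-style ordering)."""
    for rule in rules:
        if rule.matches(dst_ip, protocol, port):
            return rule.policy
    raise ValueError("no rule matched: the table must end with a catch-all default")


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow 'narrow' would match has already matched 'broad'."""
    if broad.destination != "any":
        if narrow.destination == "any":
            return False
        try:
            if not ipaddress.ip_network(narrow.destination).subnet_of(
                    ipaddress.ip_network(broad.destination)):
                return False
        except TypeError:          # IPv4 vs IPv6: neither can cover the other
            return False
    if broad.protocol != "any" and broad.protocol != narrow.protocol:
        return False
    if broad.port != "any" and broad.port != narrow.port:
        return False
    return True


def shadowed_rules(rules):
    """Indexes of rules that are unreachable because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(covers(rules[j], r) for j in range(i))]


# Constructed sample: the default "egress locally" rule placed ABOVE the
# corporate prefix, so corporate-bound traffic never enters the tunnel.
MISORDERED = [
    Rule("local", "any", comment="default: egress at the remote site"),
    Rule("tunnel", "10.0.0.0/8", comment="corporate RFC1918 space"),
]

# Same rules with the specific rule above the default, as the post advises.
CORRECT = [
    Rule("tunnel", "10.0.0.0/8", comment="corporate RFC1918 space"),
    Rule("local", "any", comment="default: egress at the remote site"),
]

if __name__ == "__main__":
    for name, table in (("misordered", MISORDERED), ("correct", CORRECT)):
        print(name, "->", evaluate(table, "10.1.2.3", "tcp", 443),
              "| shadowed rule indexes:", shadowed_rules(table))
```

Run it and the misordered table sends a flow to 10.1.2.3 out the home router instead of the tunnel, and the linter reports rule index 1 as unreachable; the corrected table tunnels it and reports nothing.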

Agility will be a new competitive advantage in a post-COVID world. It will require companies to reimagine where their applications live, where their workers work, and how to secure all of it while meeting their customers’ needs. The MR Teleworker VPN is only one of many options that will meet the requirements of remote workers.

Mike

Protecting the WFH workforce – Defending against COVID-19 malicious domains

Many organizations have implemented work from home (WFH) strategies due to COVID-19. This measure, although it enables business continuity for many, increases exposure to cyber threats and attacks.

Cisco Talos has been proactively hunting COVID-related outbreaks, educating the public, and pushing these discoveries to all Cisco Security tools for blocking. I encourage you to read the Talos blog posts “Threat Actors attempt to capitalize on coronavirus outbreak” and “Threat Update: COVID-19”.

Talos even lists ways you can defend against COVID-related attacks. Cisco Umbrella, in particular, leverages Talos threat intelligence to uncover and block the malicious domains, IPs, URLs, and files used in these attacks. It isn’t only Talos intelligence that Umbrella can use, however: you can feed in third-party threat intelligence platforms (TIPs) you may already have and build a robust, kickass defense for your work-from-home workforce.

Here’s how –

Turn on Newly Seen Domains: As part of Cisco Umbrella intelligence, some domains are blocked as Newly Seen Domains (NSD). Newly registered domains related to COVID-19 will also be flagged as NSD as long as they fit the criteria.

Third-party integration: Umbrella supports integrations with SIEMs, threat intelligence platforms, and homegrown systems. This feature uses Umbrella’s Enforcement API.

Here are the default integrations.

In this case, I want to show you how to leverage a homegrown system. We’ll call it “COVID-19-BLOCK”.

When you add a new integration, an API key (the customerKey) is generated. This key authenticates requests to the Enforcement API for your organization, so treat it as a secret: keep it out of source control and rotate it if it leaks.

Our homegrown system is nothing more than a simple Python script that makes POST requests to Umbrella.

# Custom integration - ADD EVENT URL
import requests

# The customerKey is the secret generated when the integration was added;
# keep the real value out of source control.
url = "https://s-platform.api.opendns.com/1.0/events?customerKey=c988727a-XXX-XXXX-XXXX-XXXXXXXXX"

# One Enforcement API event describing the domain to block
payload = {
    "alertTime": "2013-02-08T11:14:26.0Z",
    "deviceId": "ba6a59f4-e692-4724-ba36-c28132c761de",
    "deviceVersion": "13.7a",
    "dstDomain": "coronadiseasenews.com",
    "dstUrl": "http://coronadiseasenews.com/a-bad-url",
    "eventTime": "2020-03-31T09:30:26.0Z",
    "protocolVersion": "1.0a",
    "providerName": "Security Platform",
}
headers = {"Content-Type": "application/json"}

# json= serialises the dict for us; a 2xx status means Umbrella accepted the event
response = requests.post(url, headers=headers, json=payload, timeout=15)

print(response.status_code, response.text)

After running the script, the 2xx response confirms that our request to block the COVID-19 malicious domain was accepted, and the domain now shows up in the integration’s block list in the Umbrella dashboard.

Now, take a moment to expand on this custom integration that we just made. There are roughly 70,000 COVID-19 malicious domains and the number is growing daily. What if we were able to take all of the published COVID-19 malicious domains and add them to an Umbrella block policy like we did above?
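That bulk version, as an added Python example (not the post’s script and not an Umbrella-provided tool): it normalizes and validates a feed of domains so a malformed line can’t push garbage into your block list, deduplicates, builds events in the same shape as the single-domain script, and POSTs them in batches. It assumes the customer key is supplied in the environment variable UMBRELLA_CUSTOMER_KEY, that the events endpoint accepts a JSON array of events per request, and the SAMPLE_FEED below is constructed data, not a real threat feed.

```python
# Added example, not from the original post: batch-submit a published list of
# malicious domains to the Umbrella Enforcement API instead of one hand-edited
# event at a time.
# Assumptions, labelled: the customer key is read from the environment variable
# UMBRELLA_CUSTOMER_KEY; the events endpoint accepts a JSON array of events per
# request; SAMPLE_FEED is constructed, not a real threat feed.
import json
import os
import re
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

EVENTS_URL = "https://s-platform.api.opendns.com/1.0/events"
PROVIDER = "COVID-19-BLOCK"   # the custom integration's name in the Umbrella dashboard
BATCH_SIZE = 100

# Conservative hostname syntax so a malformed feed line cannot push garbage.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def normalize_domains(raw_lines):
    """Lowercase, strip comments/trailing dots, drop invalid or duplicate entries, keep order."""
    seen, out = set(), []
    for line in raw_lines:
        d = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not d or not DOMAIN_RE.match(d) or d in seen:
            continue
        seen.add(d)
        out.append(d)
    return out


def build_event(domain, timestamp=None):
    """One Enforcement API event; field names follow the single-domain script above."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")
    return {
        "alertTime": ts,
        "deviceId": "ba6a59f4-e692-4724-ba36-c28132c761de",   # ID of the reporting system
        "deviceVersion": "13.7a",
        "dstDomain": domain,
        "dstUrl": f"http://{domain}/",
        "eventTime": ts,
        "protocolVersion": "1.0a",
        "providerName": PROVIDER,
    }


def batches(domains, size=BATCH_SIZE):
    """Yield lists of events no larger than 'size', so one bad batch fails in isolation."""
    for i in range(0, len(domains), size):
        yield [build_event(d) for d in domains[i:i + size]]


def post_batch(events, customer_key, timeout=15):
    """POST one batch and return the HTTP status code. This is the only network call."""
    url = f"{EVENTS_URL}?customerKey={customer_key}"
    req = urllib.request.Request(
        url, data=json.dumps(events).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:    # 4xx/5xx: surface the code instead of raising
        return e.code


# Constructed sample feed: mixed case, trailing dot, comment, junk, duplicate.
SAMPLE_FEED = [
    "coronadiseasenews.com",
    "CoronaDiseaseNews.com.",          # same domain after normalisation
    "covid19-relief-funds.xyz  # from feed",
    "not a domain!",
    "",
    "-bad-label.com",
]


def main(argv):
    key = os.environ["UMBRELLA_CUSTOMER_KEY"]        # never hard-code the key in the script
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_FEED
    domains = normalize_domains(lines)
    for n, batch in enumerate(batches(domains), 1):
        status = post_batch(batch, key)
        print(f"batch {n}: {len(batch)} domains -> HTTP {status}")
        if not 200 <= status < 300:
            sys.exit(f"batch {n} rejected with HTTP {status}; stopping")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `UMBRELLA_CUSTOMER_KEY=... python block_feed.py domains.txt` with one domain per line. Stopping on the first non-2xx batch is deliberate: a rejected batch usually means an expired key or a schema change, and retrying the remaining thousands of events would only generate noise.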

I think that would make any CSO smile.

Mike

Cisco’s One Button to Push with Office 365 – Setup

It seems as though the simpler a technology is to use, the better. That is especially true for organizations trying to simplify the user experience of joining a meeting from conference devices.

One Button to Push alleviates the need to type in meeting information when joining a meeting. It simplifies the user experience by providing the users with a simple one-button-to-push to participate from their conference device. 

It is surprisingly easy to provide the One Button to Push. 

We will go through the details of how to deploy One Button to Push for cloud-registered devices, leveraging O365 to reserve those devices for a meeting. The good news is that there are other deployment models based on your calendar platform if you are not an Office 365 organization today, such as Google Calendar or on-premises Exchange.

The other great thing is that if you have on-premises registered devices, you can leverage Cisco Webex Edge for Devices. Webex Edge for Devices gives you cloud capabilities on the conference devices while keeping the device registered on-premises.

Prerequisites:
Admin access to Cisco Webex Control Hub – https://admin.webex.com
Admin Access to O365 tenant – I’m using a free trial of O365 Business premium
Telepresence device

1. Enable Hybrid Calendar

Log into https://admin.webex.com with your admin credentials. From there choose Services > Hybrid Calendar > Office 365.

After choosing to authorize, you will be asked for an account to use to associate the Hybrid Calendar service to your Webex Control Hub. This account should be an admin account in your O365 tenant.

2. Create a resource room in O365

If you don’t already have a resource room created, create one now. The resource room will create a room mailbox that is used when scheduling a meeting.  

I’ve created a resource room through the admin portal https://portal.office.com/adminportal > Resources > Rooms & equipment

3. Create a Place in Control Hub and Enroll a Telepresence Device

The “Place” serves as a container for organizing your devices. For this purpose, the Place will host only one device.

Choose Places > Add Place, provide a common name for the device, click Next, and follow the on-screen prompts.

The activation code will be used to enroll your Telepresence device.

4. PowerShell

By default, an O365 room mailbox strips the body of the meeting invites it accepts. If left at the default, any information in the body, like the SIP URI the device needs, is removed from the meeting invite and OBTP will not work.

This is default Exchange Online behavior for a “room resource” mailbox (as opposed to a user mailbox), which is why you need to connect with PowerShell and change the calendar processing settings for that identity.

Before Powershell

Notice that the subject of the meeting invite “OBTP Pre Powershell” isn’t in the subject of the reserved room below. Also, notice that there is no OBTP because the SIP URI was removed from the message body of the invite.

After Powershell

Notice that the subject of the meeting invite “OBTP Post Powershell” is in the subject of the reserved room below. Also, notice that there is an OBTP.

Run the PowerShell commands below in order. Provide your O365 admin account when asked for a username and password.

# Permit signed scripts to run (PowerShell comments use '#', not the cmd.exe '::')
Set-ExecutionPolicy RemoteSigned
# Check to be sure 'Basic = true' under the WinRM client auth settings
winrm get winrm/config/client/auth
# If Basic != true then run
winrm set winrm/config/client/auth '@{Basic="true"}'
# Prompt for O365 credentials
# (pop-up: Username: O365-Admin-Username, Password: O365-Admin-Password)
$UserCredential = Get-Credential
# Open the Exchange Online remote session. Note: Microsoft has since retired
# Basic-auth remote PowerShell; the ExchangeOnlineManagement module's
# Connect-ExchangeOnline replaces these two session steps.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the Exchange cmdlets into this session
Import-PSSession $Session -DisableNameChecking
# Stop the room mailbox "obtp" from deleting the invite body (where the SIP URI lives)
# and from rewriting the subject
Set-CalendarProcessing -Identity "obtp" -DeleteComments $false -DeleteSubject $false -AddOrganizerToSubject $false
# Disconnect when done
Remove-PSSession $Session

Awesome! We have made life that much easier! Your Cisco conference devices can now join any SIP-based meeting with One Button to Push.

Mike

References

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps

https://help.webex.com/en-us/uuhc6x/License-Requirements-for-Cisco-Webex-Hybrid-Services

https://help.webex.com/en-us/yvz1kw/Make-it-Easier-for-Video-Devices-to-Join-Meetings-with-OBTP#One-Button-to-Push-with-Office-365

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/hybridservices/calendarservice/cmgt_b_deploy-spark-hybrid-calendar-service.html

Cisco SDWAN and Umbrella Integration

Cisco SD-WAN offers full-stack security capabilities like IPS/IDS, a stateful firewall, AMP integration, and the ability to leverage the full capabilities of Cisco Umbrella. I can’t emphasize enough how easy it is to bring Umbrella security to your Cisco SD-WAN deployment. Check out my short video to see how to make it happen.

Cisco SDWAN + Umbrella

Update: 9/1/2020 – This procedure changed with Cisco IOS XE SD-WAN Release 16.10.x and Cisco SD-WAN Release 18.4.x, which added Umbrella auto-registration.

Source:
https://docs.umbrella.com/hardware-integrations/docs/sd-wan-dns-layer-security-configuration

Mike

Catalyst 9300 Upgrading IOS-XE 16.6.2 onward (Install Mode)


If you would like to skip to the code used to upgrade the switch, scroll to Appendix A.

This upgrade procedure is nearly identical to the Catalyst 9200 upgrade procedure.

Note: When upgrading..

First, check which mode your switch is running in; the Mode column of show version reports INSTALL or BUNDLE. The preferred mode is INSTALL mode, and in my case it is running in INSTALL mode.

Prepare the switch to accept the new IOS-XE image by freeing up some storage.

Step 1. Remove Unwanted Packages
Cat9300#install remove inactive

Step 2. Copy New Image to Flash
Cat9300#copy usbflash0:/cat9k_iosxe.x.x.x.SPA.bin flash:/

Step 3. Set Boot Variable
Cat9300(config)#boot system flash:packages.conf
Cat9300(config)#end
Cat9300#wr
Cat9300#show boot system

Step 4. Software Install Image to Flash
Cat9300#install add file flash:cat9k_iosxe.x.x.x.SPA.bin activate commit

Your screen will produce similar output, and the install requires a reload. Confirm the reload by hitting ‘y’.

It will take a couple of minutes to reload. After the reload, you can confirm your running mode and version, and that the .pkg files are in your flash directory.

Step 5. Verify New Packages and Image after reload
Cat9300#dir flash:*.pkg

Step 6. Check Version and New Bootloader
Cat9300#show version

Step 7. Clean up
Cat9300#install remove inactive
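One check the steps above skip is verifying the image before it touches the switch. Here is an added Python example (not from the original post and not a Cisco tool) that streams the downloaded image to compute its MD5 and SHA-512 on the admin workstation, compares them with the checksums shown on the Cisco download page, confirms the image fits in free flash by parsing the tail of `dir flash:` output, and prints the command sequence from this post with the real filename filled in, including an on-box `verify /md5` after the copy. The expected hashes are operator-supplied, the `dir flash:` line is constructed, and the sample image is constructed bytes, not a real IOS-XE image.

```python
# Added example, not from the original post: verify the downloaded IOS-XE image
# before it goes onto the USB stick, confirm it fits in flash, and emit the
# install-mode command sequence with the real filename filled in.
# Assumptions, labelled: expected hashes are copied by the operator from the
# image's entry on the Cisco download page; SAMPLE_DIR_OUTPUT is a constructed
# 'dir flash:' tail line; the sample image written below is constructed bytes.
import hashlib
import hmac
import os
import re
import tempfile


def file_digests(path, chunk=1 << 20):
    """MD5, SHA-512 and size of a file, streamed so a multi-GB image is not read into RAM."""
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha512.update(block)
    return {"md5": md5.hexdigest(), "sha512": sha512.hexdigest(),
            "size": os.path.getsize(path)}


def verify_image(path, expected_sha512, expected_md5=None):
    """True only when the SHA-512 (and MD5, if given) match the published values."""
    d = file_digests(path)
    ok = hmac.compare_digest(d["sha512"], expected_sha512.strip().lower())
    if expected_md5 is not None:
        ok = ok and hmac.compare_digest(d["md5"], expected_md5.strip().lower())
    return ok


FREE_RE = re.compile(r"\((\d+) bytes free\)")


def parse_free_bytes(dir_output):
    """Free space from the last line of 'dir flash:' output, e.g. '... (7345422336 bytes free)'."""
    m = FREE_RE.search(dir_output)
    if not m:
        raise ValueError("could not find '(N bytes free)' in dir output")
    return int(m.group(1))


def install_commands(image_path, md5, free_bytes, size):
    """The post's command sequence for one image; refuses to proceed if flash is too small."""
    name = os.path.basename(image_path)
    if size > free_bytes:
        raise ValueError(f"{name} is {size} bytes but only {free_bytes} bytes are free; "
                         "run 'install remove inactive' first")
    return [
        "install remove inactive",
        f"copy usbflash0:/{name} flash:/",
        f"verify /md5 flash:{name} {md5}",      # on-box integrity check after the copy
        "configure terminal",
        "boot system flash:packages.conf",
        "end",
        "write memory",
        "show boot system",
        f"install add file flash:{name} activate commit",   # no space after 'flash:'
    ]


SAMPLE_DIR_OUTPUT = "11353194496 bytes total (7345422336 bytes free)"   # constructed


def make_sample_image(directory=None):
    """Write a constructed stand-in for cat9k_iosxe.x.x.x.SPA.bin and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "cat9k_iosxe.x.x.x.SPA.bin")
    with open(path, "wb") as f:
        f.write(b"IOSXE-SAMPLE-IMAGE" * 4096)    # constructed bytes, not a real image
    return path


if __name__ == "__main__":
    img = make_sample_image()
    d = file_digests(img)
    # In real use the expected values come from the download page; here they are
    # taken from the constructed file so the script runs stand-alone.
    if not verify_image(img, d["sha512"], d["md5"]):
        raise SystemExit("checksum mismatch: do not copy this image to the switch")
    for cmd in install_commands(img, d["md5"], parse_free_bytes(SAMPLE_DIR_OUTPUT), d["size"]):
        print(cmd)
```

Comparing with `hmac.compare_digest` rather than `==` is habit more than necessity here, but it costs nothing; the check that matters is refusing to proceed when the SHA-512 does not match, since a truncated or tampered download is the one thing `install add` will happily accept.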

Hope that this helps.

Mike

Appendix A
Step 1. Remove Unwanted Packages
Cat9300#install remove inactive
Step 2. Copy New Image to Flash
Cat9300#copy usbflash0:/cat9k_iosxe.x.x.x.SPA.bin flash:/
Step 3. Set Boot Variable
Cat9300(config)#boot system flash:packages.conf
Cat9300(config)#end
Cat9300#wr
Cat9300#show boot system
Step 4. Software Install Image to Flash
Cat9300#install add file flash:cat9k_iosxe.x.x.x.SPA.bin activate commit
Step 5. Verify New Packages and Image after reload
Cat9300#dir flash:*.pkg
Step 6. Check Version and New Bootloader
Cat9300#show version
Cat9300#show boot

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/release_notes/ol-16-12-9300.html#id_67613