Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Zuhzuhzombie!! posted:

That's what we're moving to.


We're even replacing our FireEye with a PA.

We've been using some iptables firewalls, but their time has come. The PA has just been a dream for the test setup right now, and how it can categorize and analyze the traffic is nice.

lol internet.
Sep 4, 2007
the internet makes you stupid
I know this is a Cisco thread but I didn't want to create a new thread for this question and since Cisco bought out Meraki, I figured I'd ask here.

I'm probably going to get a Meraki MX60 router. I was wondering if anyone has experience with any of their products. I'm wondering if I can just use it as a home router with the features, or will I need the subscription licenses? I've been having trouble finding info on this online.

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer
We've been demoing some Meraki stuff at work lately, and everything is cloud managed, which requires a Meraki subscription to configure. The device will continue to function without a subscription, but you can't make any changes.

lol internet.
Sep 4, 2007
the internet makes you stupid
So there's no way to login directly to the router to make changes? That kinda sucks. Guess I'll resell it then.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

n0tqu1tesane posted:

We've been demoing some Meraki stuff at work lately, and everything is cloud managed, which requires a Meraki subscription to configure. The device will continue to function without a subscription, but you can't make any changes.

What the heck is a "cloud managed switch"?

More or less a LAN/WAN/VPN alternative that doesn't require DIA circuit?

lol internet.
Sep 4, 2007
the internet makes you stupid

Zuhzuhzombie!! posted:

What the heck is a "cloud managed switch"?

More or less a LAN/WAN/VPN alternative that doesn't require DIA circuit?

I think you can manage all devices (configuration/updates/upgrades) from a centralized web portal.

Cisco has something similar, but it's god-awful, and I don't think there's a product that combines Wi-Fi + LAN switches/routers.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Ah.


We have a couple of school districts that have reported to us that they'd like for us to firewall their traffic and also manage the firewall. This will be a huge hassle, and we probably can't charge enough to justify hiring a dedicated guy to handle firewall change requests. The customer's biggest gripe is having to wait the two-week turnaround for AT&T to do it (or hiring someone themselves).


Hoping to find a 'tard friendly firewall solution.

lol internet.
Sep 4, 2007
the internet makes you stupid

Zuhzuhzombie!! posted:

Ah.


We have a couple of school districts that have reported to us that they'd like for us to firewall their traffic and also manage the firewall. This will be a huge hassle, and we probably can't charge enough to justify hiring a dedicated guy to handle firewall change requests. The customer's biggest gripe is having to wait the two-week turnaround for AT&T to do it (or hiring someone themselves).


Hoping to find a 'tard friendly firewall solution.

Maybe check out one of their webinars. You get a free AP (Meraki MR12) if you register for the webinar with a business email. You might not use it in the workplace, but it will probably beat any home router's Wi-Fi.

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

lol internet. posted:

I think you can manage all devices (configuration/updates/upgrades) from a centralized web portal.

Cisco has something similar, but it's god-awful, and I don't think there's a product that combines Wi-Fi + LAN switches/routers.

Cisco Prime is the new product, and from what I hear is pretty decent.

The older CiscoWorks product is horrible though.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

n0tqu1tesane posted:

Cisco Prime is the new product, and from what I hear is pretty decent.

The older CiscoWorks product is horrible though.

I upgraded my setup to Prime NCS recently. It's way better than WCS was for wireless. I just use its metrics for my wired switches, but I didn't even set up a read/write SNMP community for it, though.

ior
Nov 21, 2003

What's a fuckass?

Langolas posted:

I upgraded my setup to Prime NCS recently. It's way better than WCS was for wireless. I just use its metrics for my wired switches, but I didn't even set up a read/write SNMP community for it, though.

If you did, it's time to upgrade again: the new name is Prime Infrastructure. :eng101: PI is a merge of NCS (wireless), LMS (wired), Assurance Manager (metrics) and Compliance Manager (HIPAA+++ reporting).

ior fucked around with this message at 22:29 on Feb 27, 2013

bort
Mar 13, 2003

Does software update work for you guys using Prime Infrastructure?

1.3 is out, as well as an update for my MSE virtual appliance. The MSE release notes say to use Prime software update but it doesn't detect those updates. I also can't download the tarball for the MSE upgrade, just OVA files.

Nuclearmonkee
Jun 10, 2009


Just had to share this little screenshot.



No, the password recovery mechanism was not disabled.



Seen all kinds of eBay switches with configs still intact, but this is my first government one. Always remember to delete your configs before you eBay your old stuff!

When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent. v:v:v

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

ior posted:

If you did, it's time to upgrade again: the new name is Prime Infrastructure. :eng101: PI is a merge of NCS (wireless), LMS (wired), Assurance Manager (metrics) and Compliance Manager (HIPAA+++ reporting).

Nice, that makes me laugh. Come on Cisco, let's shuffle the wireless management suite around some more!

bort
Mar 13, 2003

When you finally do upgrade, in the top right corner, hover over your login name and click Switch to Classic Theme.

They tried to make it all lifecycle-y and hid every useful function in different menus. Classic Theme is reskinned WCS.

ior
Nov 21, 2003

What's a fuckass?

bort posted:

When you finally do upgrade, in the top right corner, hover over your login name and click Switch to Classic Theme.

They tried to make it all lifecycle-y and hid every useful function in different menus. Classic Theme is reskinned WCS.

But keep in mind that not all functionality is available in classic mode.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Nuclearmonkee posted:

Just had to share this little screenshot.

No, the password recovery mechanism was not disabled.



Seen all kinds of eBay switches with configs still intact, but this is my first government one. Always remember to delete your configs before you eBay your old stuff!

When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent. v:v:v

That's hilarious, but bad.

CrazyLittle
Sep 11, 2001





Clapping Larry
Even better if they used Cisco 7 passwords (reversible)

Nuclearmonkee
Jun 10, 2009


CrazyLittle posted:

Even better if they used Cisco 7 passwords (reversible)

They did.

Domain name from the config: ip domain-name soccent.centcom.smil.mil

Special Operations Central Command.

:downs:

psydude
Apr 1, 2008

e^: Just saw that. That smil is a SIPRNet second level domain. Someone hosed up hahahahaha.

Nuclearmonkee posted:

When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent. v:v:v

AFAIK, devices carrying classified or sensitive but unclassified information are supposed to be destroyed rather than sold as surplus. To give you an idea of how anal they are about technology: you can't even take a CD that's been in a classified computer and stick it in a machine of a lower classification or an unclassified network.

That's a pretty standard USG-wide warning, though, so for all we know it could have come from like the Forestry Service or BLM or something; non secret-squirrel parts of the government need to access them internets too, you know.

psydude fucked around with this message at 00:25 on Feb 28, 2013

Nuclearmonkee
Jun 10, 2009


psydude posted:

AFAIK, devices carrying classified or sensitive but unclassified information are supposed to be destroyed rather than sold as surplus. To give you an idea of how anal they are about technology: you can't even take a CD that's been in a classified computer and stick it in a machine of a lower classification or an unclassified network.

That's a pretty standard USG-wide warning, though, so for all we know it could have come from like the Forestry Service or BLM or something; non secret-squirrel parts of the government need to access them internets too, you know.

Unless they faked the config it appears to come from Special Operations Central Command and is configured with IPs in the 22.0.0.0/8 and 11.0.0.0/8 ranges. Pretty sure those guys are supposed to be super anal. Now it gets to have a rather boring existence serving truck engineers.

psydude
Apr 1, 2008

Nuclearmonkee posted:

Unless they faked the config it appears to come from Special Operations Central Command and is configured with IPs in the 22.0.0.0/8 and 11.0.0.0/8 ranges. Pretty sure those guys are supposed to be super anal. Now it gets to have a rather boring existence serving truck engineers.

You'd be surprised at the kind of people who find their way into working on classified networks.

Nuclearmonkee
Jun 10, 2009


psydude posted:

You'd be surprised at the kind of people who find their way into working on classified networks.

Well I know idiots exist everywhere, particularly in large organizations. I'm just amazed that they would allow such a horrible config oversight and not have some kind of compliance system in place to make sure it never ever happens.

It's not like budget would be a concern for these guys and I would expect the senior engineers to be at least semi-competent. Even in my experience with derpy local pd/sheriff departments we had to follow the lowest FIPS 140-2 standard.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Nuclearmonkee posted:

Well I know idiots exist everywhere, particularly in large organizations. I'm just amazed that they would allow such a horrible config oversight and not have some kind of compliance system in place to make sure it never ever happens.

It's not like budget would be a concern for these guys and I would expect the senior engineers to be at least semi-competent.

There are several controls and policies in DoD to help prevent this, but most of them boil down to someone actually doing something, rather than just signing a document and going "yup safe for DRMO"

psydude
Apr 1, 2008

Every switch I pull out gets its flash memory and vlan.dat configuration erased. And then it's destroyed. And I don't even work on any classified devices.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

psydude posted:

Every switch I pull out gets its flash memory and vlan.dat configuration erased. And then it's destroyed. And I don't even work on any classified devices.

For fun and to help with "training" we take ours to the local explosives group on base, even at the unclassified level.

lol internet.
Sep 4, 2007
the internet makes you stupid

n0tqu1tesane posted:

Cisco Prime is the new product, and from what I hear is pretty decent.

The older CiscoWorks product is horrible though.

Yeah I used WCS last year and I was pretty ughh about it.

Contingency
Jun 2, 2007

MURDERER

psydude posted:

You'd be surprised at the kind of people who find their way into working on classified networks.

This was NIPR, but one of my favorite tickets as a defense contractor was the PC that didn't have Internet connectivity because some IA guy (InfoSec) got fed up with IDS alerts and blocked the IP via an ACL.

It was a dynamic IP--no telling how long ago it had been blocked. The compromised system? Probably earned a PLA service medal by now.

Edit: Cisco AVC is awesome.

Before: "Why is wireless so slow?" I mumble something about sharing an office building with other wireless networks.
Yesterday: "Why is wireless so slow?" Because two users are streaming Netflix right now. Click, drop. Done.

Contingency fucked around with this message at 03:41 on Feb 28, 2013

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
For what it's worth, I quite like Fortinet's two approaches for centralised management of their various routers/switches/APs. FortiManager ties everything in nicely and works in closed environments, managing firmware updates, tracking config changes etc. FortiCloud is much less so and of course requires the device to be able to talk to FortiCloud over the internet, but it is nice when your device is behind weirdly NAT'd 3G networks etc., as it creates a secure tunnel back to FortiCloud and from there you can manage/work with the device.

2c.

Pile Of Garbage
May 28, 2007



BurgerQuest posted:

For what it's worth, I quite like Fortinet's two approaches for centralised management of their various routers/switches/APs. FortiManager ties everything in nicely and works in closed environments, managing firmware updates, tracking config changes etc. FortiCloud is much less so and of course requires the device to be able to talk to FortiCloud over the internet, but it is nice when your device is behind weirdly NAT'd 3G networks etc., as it creates a secure tunnel back to FortiCloud and from there you can manage/work with the device.

2c.

You can even get FortiManager as a virtual appliance which is pretty sweet.

ate shit on live tv
Feb 15, 2004

by Azathoth

CrazyLittle posted:

Even better if they used Cisco 7 passwords (reversible)

This is honestly fine.

ate shit on live tv fucked around with this message at 16:31 on Feb 28, 2013

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
edit: *

ate shit on live tv
Feb 15, 2004

by Azathoth
Does anyone know what Cisco calls secure open wireless? i.e. the SSID is broadcast, but there is no password on it, BUT the connection between the end device and the AP is encrypted?

Can you do this on a Cisco 5508 WLC running AIR-CAP3602E-A-K9 APs?

ior
Nov 21, 2003

What's a fuckass?

Powercrazy posted:

Does anyone know what Cisco calls secure open wireless? i.e. the SSID is broadcast, but there is no password on it, BUT the connection between the end device and the AP is encrypted?

Can you do this on a Cisco 5508 WLC running AIR-CAP3602E-A-K9 APs?

Uhm, you mean the proposed solution to secured open wireless networks that really is not implemented on any platform without third-party patches? No, you cannot ;)

Edit: actually it seems they have adapted their proposal around SOWN to make use of 802.11u (which Cisco supports), so I guess you could make it work. Though it IS a hack, and your clients won't really support it.

ior fucked around with this message at 19:16 on Feb 28, 2013

CrazyLittle
Sep 11, 2001





Clapping Larry

Powercrazy posted:

This is honestly fine.

It's fine as long as the equipment never leaves with the config intact. Even other telcos' equipment that I've recovered had (more securely) hashed passwords with RADIUS/TACACS auth to remote servers.

ate shit on live tv
Feb 15, 2004

by Azathoth
Even the Cisco MD5 hash is extremely insecure, just not as readily reversible. It's 6 characters plus 2 characters of salt, md5 hashed. The salts are all known, so really you just have an MD5 hash of 6 characters. Hardly secure at all.

Can be brute-forced on a modest GPU within 24 hrs. BUT fear not, the locally stored passwords are irrelevant for the security of the device since you are using TACACS/RADIUS.

ior posted:

Uhm, you mean the proposed solution to secured open wireless networks that really is not implemented on any platform without third-party patches? No, you cannot ;)

Edit: actually it seems they have adapted their proposal around SOWN to make use of 802.11u (which Cisco supports), so I guess you could make it work. Though it IS a hack, and your clients won't really support it.
Thanks for the info, I do see the 802.1u option available, but I have no idea how to use it, or what requirements the end-devices need to support it.

ior
Nov 21, 2003

What's a fuckass?

Powercrazy posted:

Thanks for the info, I do see the 802.1u option available, but I have no idea how to use it, or what requirements the end-devices need to support it.

Trust me on this. Forget it for now :)

chestnut santabag
Jul 3, 2006

Powercrazy posted:

Even the Cisco MD5 hash is extremely insecure, just not as readily reversible. It's 6 characters plus 2 characters of salt, md5 hashed. The salts are all known, so really you just have an MD5 hash of 6 characters. Hardly secure at all.

Can be brute-forced on a modest GPU within 24 hrs. BUT fear not, the locally stored passwords are irrelevant for the security of the device since you are using TACACS/RADIUS.

Thanks for the info, I do see the 802.1u option available, but I have no idea how to use it, or what requirements the end-devices need to support it.

I was playing around with one of the new 15.0 releases of IOS for 3750s, and it looks like SHA256 (designated type 4) is replacing MD5 for secret hashing.
Pity I had to revert to a slightly older version, as the TenGig interface on a non-master switch wouldn't come up automatically when the switch powers up.
This had the fun result of losing any commands that use the new encryption method, like enable secret, as the older IOS doesn't recognise type 4 encryption.
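
The thread's points about credential storage (type 7 being reversible, the MD5-based type 5 being brute-forceable, type 4 SHA256 appearing in 15.0, and password recovery needing to be disabled and verified before gear leaves the building) are the kind of thing a config audit should catch before a switch ever reaches eBay. The following is an added example, not code from the thread or from Cisco: a small Python checker that reads a saved IOS-style config, flags each `password`/`secret`/`key` line by its type number, and checks for `no service password-recovery`. The two sample configs are constructed, and every hash value in them is a fake placeholder. It rates type 4 as weak because it is a single unsalted SHA-256 (Cisco later superseded it with types 8 and 9), and it never echoes the credential value itself into a finding.

```python
import re
from dataclasses import dataclass

# Cisco IOS credential type numbers as they appear in a saved config, rated from a
# defender's point of view. Types 8 (PBKDF2-SHA256) and 9 (scrypt) are not flagged.
CRED_TYPES = {
    "0": ("high", "plaintext"),
    "7": ("high", "type 7 is a reversible encoding, not a hash"),
    "4": ("medium", "type 4 is a single unsalted SHA-256 (superseded by types 8/9)"),
    "5": ("low", "type 5 is MD5-based; prefer type 8/9 plus AAA-backed auth"),
}

# Matches "<keyword> <type digit> <value>", e.g. "password 7 0822..." or "key 7 ...".
CRED_RE = re.compile(r"\b(password|secret|key)\s+(\d)\s+(\S+)")
NO_RECOVERY_RE = re.compile(r"^\s*no service password-recovery\s*$", re.MULTILINE)

# Constructed sample: a config as it might look on a resold switch. Hashes are fake.
WEAK_CONFIG = """\
hostname lab-sw1
service password-encryption
enable secret 5 $1$abcd$NOTAREALTYPE5HASH0123456
username admin password 7 0822455D0A16
username svc privilege 15 secret 4 NOTAREALTYPE4HASHxxxxxxxxxxxxxxxxxxxxxxxxx
line vty 0 4
 password 0 letmein
 login local
aaa new-model
tacacs-server host 192.0.2.10 key 7 0822455D0A16
"""

# Constructed sample of the hardened equivalent. Hashes are fake.
HARDENED_CONFIG = """\
hostname lab-sw1
no service password-recovery
enable secret 9 $9$NOTAREALSCRYPTHASH
username admin privilege 15 secret 9 $9$NOTAREALSCRYPTHASH2
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server ISE
 address ipv4 192.0.2.10
"""


@dataclass(frozen=True)
class Finding:
    line_no: int      # 0 means "whole config", not a specific line
    severity: str
    message: str


def password_recovery_disabled(config: str) -> bool:
    """True if the config contains 'no service password-recovery'."""
    return NO_RECOVERY_RE.search(config) is not None


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per weak credential line plus one if recovery is enabled."""
    findings: list[Finding] = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ctype, _value = m.groups()   # the value is deliberately not reported
        if ctype in CRED_TYPES:
            sev, why = CRED_TYPES[ctype]
            findings.append(Finding(n, sev, f"'{keyword} {ctype}' on line {n}: {why}"))
    if not password_recovery_disabled(config):
        findings.append(Finding(0, "medium",
                                "password recovery is enabled (IOS default); disable it on "
                                "devices that may leave your control"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings by severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {severity_counts(results) or 'no findings'}")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

Run it against a `show running-config` dump saved to a file and the weak sample produces three high findings (the two type 7 lines and the plaintext vty password), a medium for type 4, a low for the type 5 enable secret, and a medium for password recovery still being enabled; the hardened sample produces nothing. The low rating for type 5 reflects the thread's own advice: the local secrets matter far less when TACACS/RADIUS does the real authentication.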

teh z0rg
Nov 17, 2012

Nuclearmonkee posted:

Just had to share this little screenshot.



No, the password recovery mechanism was not disabled.



Seen all kinds of eBay switches with configs still intact, but this is my first government one. Always remember to delete your configs before you eBay your old stuff!

When I worked in government, albeit local government, I remember extremely strong prohibitions against letting a network device that could have potentially sensitive data in it ever creep out of the organization. Password recovery was also disabled on everything (and verified as such via Solarwinds). I can only assume the Department of Defense is supposed to be more stringent. v:v:v

This doesn't mean anything, FYI...

I used to work in DoD and made my home lab replicate work down to the login banner.

http://www.dtic.mil/whs/directives/corres/pdf/DTM-08-060.pdf

teh z0rg
Nov 17, 2012
The IPs and passwords were different, obviously, but you get the idea.
