Lab Guide - Secure Meraki Network

Cisco Meraki Lab

Uploaded by

sucopis

Secure your MERAKI Network

CISCO TECHNOLOGY LAB


Provided by Comstor V1

Welcome to the world’s most trusted secure LAN fabric.


Powered by Meraki

Empowered with Secure Access Service Edge (SASE), which converges networking and
security to deliver seamless, secure access wherever people work.
Powered by Umbrella

Enable profiling and visibility of your endpoints.


Powered by Identity Services Engine
MERAKI, Umbrella, ISE and DUO

The world has changed in terms of how and where work is being conducted.

Today we learn how to protect our data as well as our employees.

Join us in this lab where we will empower your team to be securely connected at home, in the office,
anywhere.

First, we look at the challenges in the office.


- Energy efficiency
- Secure data with Wi-Fi 6 & 802.1X
- Secure employees with Umbrella

Second, we empower your teleworkers to work from home


- Umbrella (Deploy & dCloud)
- Duo (dCloud)

INFO -- Lab exercises: Every exercise in the lab is preceded by EX --

Page | 1
MERAKI, Umbrella, ISE and DUO

Contents
1 LAB - Login details (p. 3)
  ♦️ Log in on your Meraki Dashboard (p. 4)
  ♦️ Log in on your test pc (p. 6)
  ♦️ Log in on Umbrella Dashboard (p. 7)
2 The Green Office (p. 8)
  ♦️ Apply a port schedule (p. 10)
  ♦️ Automation using APIs (p. 11)
3 The Secure Office (p. 13)
  ♦️ Dynamic policies powered by ISE (p. 13)
  ♦️ Meraki Health Dashboard (p. 20)
  ♦️ DNS-Based Cloud security (UMBRELLA) (p. 23)
  ♦️ Cloud-delivered firewall (UMBRELLA) (p. 39)
4 The Hybrid worker (p. 40)
  ♦️ Hybrid worker (UMBRELLA) (p. 40)
  ♦️ Hybrid worker (DUO -- DEMOs) (p. 46)


1 LAB - Login details


Use the details below to log in to your lab.

                    MERAKI                   TEST PC               UMBRELLA
EMAIL INVITATION    YES – accept in email    -                     -
DASHBOARD URL       Open Here                Open Here             Open Here
USERNAME            Your email address       Your email address    Your email address
PASSWORD            Your password            CLABs-2024            CLABs-2024 or your password*
MAKE SURE THAT:     All devices are online   Wi-Fi works           Login successful?
                    → Inform trainer         → Inform trainer      → Inform trainer

NOTE: UMBRELLA
* Default Umbrella password:
Note: if you already had an Umbrella account →

NOTE: MERAKI
After choosing a password, make sure you clicked YES. If not, go back to the email and click
the URL again.

Still having troubles logging in?


The next pages with detailed screenshots might help.


♦️ Log in on your Meraki Dashboard

This dashboard is built for Managed Services providers and can support
most of the core services needed by MSPs.

For this training we will use the dashboard to configure our network
components.

You should have received an email to accept access to your station.

Click on the link in the email to accept access to your lab.

IMPORTANT: Make sure you clicked on YES. If not, go back to the email and click again on the URL.


IMPORTANT ! Open the correct network

You have rights in multiple networks in this lab, but only one belongs to you.
Click on the dropdown arrow on the left to locate your network.

Locate the topology overview in the ‘Network-wide’ settings. Make sure all 3 devices
are online.

Please inform the trainer if there is an issue.


♦️ Log in on your test pc

Where is the fun in building a business network without a wireless client?
Use Remote Desktop to take over a wireless client that sits in your new network.

Open a browser session to https://emea.comstorlabs.com:3100


Log in with
o Username:
o Password:

Does your test PC work? Please inform the trainer.


♦️ Log in on Umbrella Dashboard

The second part of the lab is all about secure connect.


These actions will be performed in the Meraki dashboard and on the Umbrella dashboard.

Go to https://dashboard.umbrella.com
Log in with
o Username:
o Password:
▪ Default Umbrella Password:
▪ →

Does your login work? Please inform the trainer.


2 The Green Office


In today’s economic climate, businesses are looking for new ways to shave costs and reduce
operating expenses of their IT networks. This can typically be achieved by investing in
technologies that provide monitoring and centralized management of network and powered
devices.

A business armed with information, technology, and the ability to easily and intelligently
control powered network devices can see cost savings of up to $270,000 over a 5-year
deployment — including 750 tons of CO2 emissions reductions (The California Public Utilities
Commission).

This return on investment often spans far beyond recovering original technology costs to
include benefits such as improved building security and fostering an employee culture for
environmental responsibility.

Let’s face it, IT equipment requires energy to run. We cannot prevent that.
But what we can prevent is the unnecessary consumption of energy.

• Why do companies keep their access points running after the last person left the building?
• Do all phones and conferencing boards need to be powered on at night?
• And what about the data that is sent over a cable, even when the link is idle?

Cisco allows us to deploy energy-aware networks. And because this is such a hot topic these
days, let’s dedicate the first exercises to optimising the office so that it only consumes the
energy it needs.

PoE devices such as IP phones are becoming more prominent as businesses adopt new
technologies. This creates additional opportunities for cost savings through the reduction of
off-hour energy consumption.

Meraki switches add several intelligent features to your network for monitoring power draw. By
leveraging standard protocols, Meraki’s cloud readily displays real-time PoE information on a
per port, per device, and global switch basis. This data can quickly be analyzed to determine
how much power draw your PoE devices are consuming in a given 24-hour period.

Additionally, Meraki switches perform intelligent PoE budget allocation by analyzing discovery
protocols for device-advertised power requirements. This means your PoE switch budget is
used more efficiently across all of your switch interfaces.

A variety of real-time and historical power consumption reporting is also directly available in
the Meraki Dashboard. Ethernet power reporting is available via the network summary report
for any switching network. This provides deep visibility into the power consumed (in kW) by
the network over a specified time period and also collectively by the entire network. You can
even view switches by power consumption to find switches with heavy consumption.


Smart power budgeting:

The Meraki dashboard supplies detailed, real-time statistics about your PoE devices
and overall switch power budget usage. Additionally, using discovery protocols, the
switch will snoop for — and only allocate — the advertised power amount per device.
This adds efficiency to per-port power budget allocation and also provides IT
administrators with detailed power consumption information.

Meraki switches budget power based on the PoE device classification. The budget is
allowed to exceed the available power, because it is used to gauge the overall power
that might be consumed on the switch.

Devices will continue to be powered until total power consumption goes over the
available amount of power.

In that case the lowest port numbers take precedence: power is pulled from the highest
ports first, denying them power.

Switch > Switches > #Your_Switch# > Ports

Total organisation power consumption:

Quickly find switches with heavy power consumption

Organization > Summary report > Scroll to bottom


♦️ Apply a port schedule

Meraki’s Port Scheduling feature allows you to define one or more weekly recurring
schedules that can be applied to selected switch ports within your network.

Ports 20 to 24 will be used to power IP phones and access points in the lunch area. Create a
schedule that shuts down power outside this time window.

Create

Switch > Port schedules | Add a new port schedule


• Name: Lunch Area
• Template: 8 to 5 on weekdays only

Apply

Switch > Switch ports | Select port 20 → 24 and click ‘Edit’ (‘Edit’ button sits on the top)
• Port Schedule: Lunch Area


♦️ Automation using APIs

Meraki network hardware can be automated using APIs. This is a very big deal, because from
now on you can integrate your network logic into your existing infrastructure.

Think about the following: The last person leaving the office initiates a shutdown of the wireless
network and some of the IP phones on the desks. From the moment the first employee enters
the building, the network boots-up and is ready to be used.

Think about the astronomical savings you can make by implementing this ability.

To implement this automation, we will look at a simple API call that is made from the badge
system, or from a self-written script, to the Meraki Dashboard. The dashboard will shut down PoE
on the ports feeding the access points and selected IP phones.

All solutions from Cisco can talk to your own existing open solutions. Let’s make use of that.

The last person badging out will lock down the building, activate the burglar alert, and
deactivate unused IT equipment.


Just investigate this script. APIs and Python coding are not part of this lab. This is FYI.

A possible script

We can leverage the Meraki Dashboard APIs to shut down PoE to unused equipment.
The following script is an example written in Python that does just that.

# Network variables
poe_state = False            # False cuts PoE on the port, True restores it
port_number = '5'
switch = 'Q2MW-UEFF-8MTX'    # serial of the switch to control

# The script libraries
import requests

# The script variables
url = "https://api.meraki.com/api/v1/devices/" + switch + "/switch/ports/" + port_number
payload = {"poeEnabled": poe_state}   # sent as JSON, so the boolean is encoded correctly
headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
    # Dashboard API key. Outside a lab, load it from an environment variable or vault
    # instead of writing it into the script.
    "X-Cisco-Meraki-API-Key": "3c59e29c7745e50c1bcb583d6a06c0d160a123ef"
}

# The script API call: PUT updates the port configuration
response = requests.request('PUT', url, headers=headers, json=payload)
response.raise_for_status()   # stop with an error on 401/404 instead of printing a silent failure
print(response.text)

The result

As a result, the script will cut power on the selected ports, resulting in off-work energy
savings.

In the morning, the same script can be used to re-activate the wireless network and IP
phones. In the script, set the poe_state variable to True.
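The badge-out scenario described above, extended to a list of ports and with a dry-run transport so it can be exercised without a dashboard. This is an added example, not the lab's script and not Cisco's code; it assumes the same PUT /devices/{serial}/switch/ports/{portId} endpoint the lab script uses, reads the API key from the MERAKI_API_KEY environment variable, and uses placeholder values for the switch serial and port list.

```python
"""Badge-driven PoE automation for the lunch-area ports (added example).

Assumptions: Meraki Dashboard API v1 path PUT /devices/{serial}/switch/ports/{portId}
with body {"poeEnabled": bool}; API key taken from MERAKI_API_KEY; the switch serial
and port numbers below are placeholders, not the lab's values.
"""
import os
from typing import Iterable

try:
    import requests  # real transport; optional so the dry run works without it
except ImportError:  # pragma: no cover
    requests = None

MERAKI_BASE = "https://api.meraki.com/api/v1"

# Placeholder inventory: replace with your switch serial and the ports feeding the
# lunch-area phones and access points (ports 20 to 24 in the lab exercise).
LUNCH_AREA_SWITCH = "QXXX-XXXX-XXXX"
LUNCH_AREA_PORTS = ["20", "21", "22", "23", "24"]


def build_port_update(serial: str, port_id: str, poe_enabled: bool):
    """Return the (url, json_body) pair for one port update."""
    url = f"{MERAKI_BASE}/devices/{serial}/switch/ports/{port_id}"
    return url, {"poeEnabled": bool(poe_enabled)}


def api_headers(api_key: str) -> dict:
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-Cisco-Meraki-API-Key": api_key,
    }


class _FakeResponse:
    """Minimal stand-in for requests.Response used by DryRunSession (constructed)."""

    def __init__(self, body):
        self._body = body
        self.status_code = 200

    def raise_for_status(self):
        pass

    def json(self):
        return dict(self._body)


class DryRunSession:
    """Records the calls set_poe would make instead of sending them (constructed for
    offline use); a real run passes requests.Session() instead."""

    def __init__(self):
        self.calls = []

    def put(self, url, headers=None, json=None, timeout=None):
        self.calls.append((url, json))
        return _FakeResponse(json)


def set_poe(session, api_key: str, serial: str, port_ids: Iterable[str], poe_enabled: bool) -> dict:
    """Apply poeEnabled to every port in port_ids; return {port_id: poeEnabled echoed back}."""
    results = {}
    for port_id in port_ids:
        url, body = build_port_update(serial, port_id, poe_enabled)
        resp = session.put(url, headers=api_headers(api_key), json=body, timeout=15)
        resp.raise_for_status()  # fail loudly on 401/404 rather than silently skipping a port
        results[port_id] = resp.json().get("poeEnabled")
    return results


def on_badge_event(session, api_key: str, event: str,
                   serial: str = LUNCH_AREA_SWITCH, ports=LUNCH_AREA_PORTS) -> dict:
    """'last_out' cuts PoE on the listed ports, 'first_in' restores it; other events are ignored."""
    if event == "last_out":
        return set_poe(session, api_key, serial, ports, False)
    if event == "first_in":
        return set_poe(session, api_key, serial, ports, True)
    return {}


if __name__ == "__main__":
    key = os.environ.get("MERAKI_API_KEY")
    if key and requests is not None:
        session = requests.Session()
    else:
        # No key in the environment: show what would be sent instead of calling the dashboard
        session, key = DryRunSession(), "dry-run"
    print(on_badge_event(session, key, "last_out"))
```

Keeping the key out of the script is the one change from the lab version worth copying into production: a badge-system integration that embeds a dashboard API key grants whoever reads that script the same rights the key has.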


3 The Secure Office


In a hybrid office we need to provide a secure working environment for both our own
employees and our visitors.

In our case, the employees are divided into groups depending on their jobs within the company.
A different set of rules (policy) must be applied to Sales, Marketing, and Guests.

♦️ Dynamic policies powered by ISE

A way to achieve this is to integrate our network with a RADIUS server.

The first step is to grant access and apply the correct network policy. This is communicated
from the RADIUS server to our Meraki dashboard.

The ultimate step is to leverage all the available power of ISE (Identity Services Engine) as a
RADIUS server, where we can check the state of the endpoint and the software installed on it before
granting access. This prevents infected hardware from entering the heart of our network.

Network Wide > Group Policies | Add a Group

Create the marketing policy:


NOTE: the policy name is case sensitive.

• Name: marketing_acl
• L3 rule: block traffic to the restricted sales server → 10.20.0.150/32
• L7 rule: block video/music and social/photo sharing
• Save

Create the sales policy:


• Name: sales_acl
• Save (don’t change anything, leave all default)
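The two group policies above, expressed as the bodies the Dashboard API would accept, together with a small evaluator that shows what the marketing L3 rule does to a given destination and why the case-sensitive name matters. This is an added example, not the lab's or Meraki's code; it assumes the Dashboard API v1 group-policy schema (POST /networks/{networkId}/groupPolicies with firewallAndTrafficShaping.l3FirewallRules) and first-match evaluation with an implicit final allow. The L7 rules are left to the dashboard as in the exercise, because the page names categories rather than category ids.

```python
"""marketing_acl and sales_acl as API bodies, plus an L3 verdict helper (added example).

Assumptions: Dashboard API v1 group-policy schema; rules are evaluated top-down,
first match wins, and a flow matching no rule is allowed.
"""
import ipaddress

SALES_SERVER = "10.20.0.150/32"   # restricted sales server from the lab


def deny_l3(dest_cidr: str, comment: str) -> dict:
    """One deny rule in the l3FirewallRules shape."""
    return {"comment": comment, "policy": "deny", "protocol": "any",
            "destPort": "any", "destCidr": dest_cidr}


def marketing_policy() -> dict:
    return {
        # Must match the Airespace-ACL-Name value ISE returns, character for character
        "name": "marketing_acl",
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [
                deny_l3(SALES_SERVER, "marketing may not reach the sales server"),
            ],
        },
    }


def sales_policy() -> dict:
    # Everything left at defaults, as in the exercise: no custom firewall rules
    return {"name": "sales_acl"}


def l3_verdict(policy: dict, dest_ip: str) -> str:
    """Return 'deny' or 'allow' for a flow to dest_ip under the policy's L3 rules."""
    rules = policy.get("firewallAndTrafficShaping", {}).get("l3FirewallRules", [])
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        cidr = rule["destCidr"]
        if cidr.lower() == "any" or ip in ipaddress.ip_network(cidr, strict=False):
            return rule["policy"]
    return "allow"   # implicit final allow


def policy_for_acl_name(policies, acl_name: str):
    """Pick the group policy whose name equals the RADIUS attribute value. A mismatch in
    case (e.g. 'Marketing_ACL') selects nothing, which is the usual cause of a client
    landing in the default policy."""
    for p in policies:
        if p["name"] == acl_name:
            return p
    return None


if __name__ == "__main__":
    policies = [marketing_policy(), sales_policy()]
    for name in ("marketing_acl", "sales_acl", "Marketing_ACL"):
        chosen = policy_for_acl_name(policies, name)
        verdict = l3_verdict(chosen, "10.20.0.150") if chosen else "no policy matched"
        print(f"{name:14} -> sales server: {verdict}")
```

Run it without arguments and the three lines show the expected outcomes of the "Test out as sales" and "Test out as marketing" exercises, plus the failure mode the case-sensitivity note warns about.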


Create the company SSID

Wireless > SSIDs

• Rename the first SSID → company-xx


• Save
• Click on ‘Edit settings’

Create the company Access control

If you are not here already, navigate to Wireless > Access control | SSID: company-xx
• Network access: Enterprise with my RADIUS server
• Splash page: Cisco Identity Services Engine (ISE) Authentication
• RADIUS servers:
o Host: 10.20.0.111
o Port: 1812
o Secret: Comstor!05

• RADIUS attribute specifying group policy name: Airespace-ACL-Name

• RADIUS accounting servers:


o Host: 10.20.0.111
o Port: 1813
o Secret: Comstor!05

• Client IP and VLAN: External DHCP server assigned: Bridged

Allow Wi-Fi clients to connect to the Local LAN

Wireless > Firewall & Traffic Shaping

Outbound rules → Allow Local LAN


Troubleshooting tip for the following pages.

If, in the next exercises you don’t get an IP address, reboot your test PC.

Test with a wrong account first

Later on we will troubleshoot our wireless network.


To generate some errors, use a wrong username or password first

• SSID: company_xx (XX = your station number)


o Username: blabla
o Password: Comstor!05


Test Out as sales

You are an employee and a member of the sales department.


You should be able to access sales data.
Log into the local wireless network using your test PC.

• SSID: company_xx (XX = your station number)


o Username: sales
o Password: Comstor!05

• Access your secure sales files: 10.20.0.150


Test Out as Marketing

You are an employee and a member of the marketing department.

You should not be able to access sales data.
Right-click your wireless network and choose ‘Forget’.

• SSID: company_xx (XX = your station number)


o Username: marketing
o Password: Comstor!05

• Try accessing your secure sales files: 10.20.0.150 and facebook.com


Review the policies applied to your client

Network-wide > Clients

Add the 802.1X policy column in the result using the edit icon on the right


We use Identity Services Engine as our RADIUS server.

In this exercise we detect the role of the user. But with ISE, we can go beyond.
Leveraging ISE’s full potential we can also check the user’s:
• Type of workstation – Is this a company laptop or a personal device?
• IoT – ISE can also detect IoT device types.
• Location of the user – Is the user located in the lunch area or office area, or connected
over VPN?
• Time of connection – Did the user connect during working hours? Think of schools
enforcing a non-social network policy during lectures.
• External storage – Did the user plug in an untrusted USB device?
• Antivirus version – Is the Antivirus software up to date?
• OS version – Is the operating system up to date?
• AMP vulnerability score – Do a sweep of the device to reflect the vulnerability of
installed apps.

Any of these combinations can result in a dedicated access list or VLAN tag, providing the
proper access rights.

Feature                                      MR         MX               MS          Details
IEEE-802.1X Authentication                   Supported  Supported        Supported
MAC Authentication Bypass                    Supported  Supported        Supported
Enforcement                                  Supported  Not Supported    Supported¹  Preconfigured GP
Local Web Authentication                     Supported  Supported        Not Supported  Local captive portals
Device Profiling                             Supported  Limited Support  Supported   RADIUS (MS and MR)
Device Posturing                             Supported  Limited Support  Supported   mid-level MS, all MR
Guest (Hotspot, Self-register, Sponsored)    Supported  Limited Support  Supported   Guest VLAN (MS)
Central Web Authentication                   Supported  Not Supported    Supported
Network Supplicant Provisioning (NSP)        Supported  Not Supported    Supported
Change of Authorization (CoA)                Supported  Not Supported    Supported
Adaptive Policy (Inline Security Group Tag)  Supported  Not Supported    Supported   Requires MS390

Want to learn more?


A separate training is available on integrating ISE with
Meraki and Catalyst.


♦️ Meraki Health Dashboard

Wireless Health actively monitors your wireless network to help identify, locate and resolve
issues you may be having with your users or APs. Wireless Health takes a structured approach
to classifying network connectivity based on common issues and steps to resolution — from
association, to authentication, to IP address assignment, to DNS resolution. Wireless Health
uses this information to pinpoint painful areas in the wireless connection process for your
network, and helps point you in the right direction for resolution.

| select your client

There are 2 ways to retrieve the wireless health. From a user perspective, or from a network
perspective. Let’s investigate the first one, first.

Click on the first widget to open the Health dashboard for this client.

2 issues are found in this screenshot (likely you will only see 1). The first issue should be visible to
you also. This is our login attempt using a wrong password on the SSID. The last one is a
mistake I made building the lab. I blocked VLAN 4 (Guest) on the switch, so the client was not
able to reach the DHCP server on the MX.


Click on to investigate this issue.

Can you find the reason of this issue?

Now go back to your client and click on the second widget.

Here you find a list of performance graphs


When you scroll down you might learn that this client is not suitable for high-bandwidth
applications, like video calls. This is because we are using old Wi-Fi dongles.

Scroll up and select the tab.

This tab provides a handy overview of the access attempts of this user. It comes in very
handy when helping a user understand why a network connection might not be working.

Care to see a summary of all of your users and their health issues?

Here you can learn about the worst performing clients and APs. Remember that APs also have
health graphs.


EXTRA: Discover the RF Spectrum on both user radios of the access point

Open the RF Spectrum analyser and notice that 2.4 GHz is indeed the most interfered radio (a
lot of red lines in the measurement of the analysis).

Now highlight the 5 GHz band and notice that this spectrum is very clean (not that much interference).
This is because in our lab we use a lot of equipment radiating in the 2.4 GHz spectrum.


♦️ DNS-Based Cloud security (UMBRELLA)

In this exercise we learn how to roll out cloud security to enforce a secure online behaviour for
all our employees.

The first step is to connect Umbrella to your wireless controller. This is as easy as applying a
token (your personal Umbrella secret key) and defining a profile (sales, guest, …).

The next step is to create a policy per profile in the Umbrella dashboard. We will protect all our
users against threats, DNS-based attacks, and unprofessional web resources.

The ultimate step is to inspect all connections that were made and blocked to understand
what happens on the network and to help us further finetune our policy.


Add Umbrella to your SSID

Network-wide > Configure > General

Scroll to the bottom and add the Umbrella account:


• API Key: 52be9b7a9b344137b2b434f71291dd6b
• Key secret: 1ff002c5791a43ca896797662b8df3a6

Wireless > Firewall & traffic shaping

Click on Enable Umbrella Protection and select our On-Network Policy - Office


FYI – This step is informational – Read Only

The API key from the previous step can be created in the Umbrella dashboard.

The token has been created for you, so these steps are informational.
When you have your own Umbrella dashboard, you can create a token using the
following steps:

Umbrella Dashboard
Admin > Legacy Keys > Umbrella Network Devices


Verify that your WLAN is added as a Network Device.

Every profile that is added in the wireless controller appears in Umbrella as an identity.
These identities can then be linked to a policy.

Umbrella Dashboard
Deployment > Core Identities > Network Devices

Verify your on-network policy for office workers.

An on-network policy is created that will activate from the moment a user connects to
an office wireless network.

Umbrella Dashboard
Policies > Management > DNS Policies > click on On-Network Policy - Office


1. Identity (click on Edit Identity)

Here we define who is affected by this policy. As mentioned before, we would
like to map all Wireless Controller network devices to this policy.

Note here that we have selected all Network Devices. This means that all
wireless networks, added previously, will automatically fall into this group.

(Click cancel to go back)

2. Security Settings Applied: Office Policy (click on Edit)

Let’s define the threat categories we will block. The power of Umbrella is that
the connection will be cut off before any of these connections can be
completed.

Malware: Websites and other servers that host malicious software, drive-by
downloads/exploits, mobile threats and more.

Newly Seen Domains: Domains that have become active very recently. These
are often used in new attacks.

Command and Control Callbacks: Prevent compromised devices from
communicating with attackers' infrastructure.

Phishing Attacks: Fraudulent websites that aim to trick users into handing
over personal or financial information.

Dynamic DNS: Block sites that are hosting dynamic DNS content.

Potentially Harmful Domains: Domains that exhibit suspicious behaviour and
may be part of an attack.

DNS Tunnelling VPN: VPN services that allow users to disguise their traffic by
tunnelling it through the DNS protocol. These can be used to bypass corporate
policies regarding access and data transfer.

Cryptomining: Cryptomining allows organizations to control cryptominer
access to mining pools and web miners.

(Click cancel to go back)
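The "DNS Tunnelling VPN" category above blocks a behaviour rather than a list of sites, so it helps to see what that behaviour looks like in resolver logs. The following added example (not part of the lab guide, and not Umbrella's classifier) scores constructed query names with two simple heuristics, subdomain length and character entropy, and flags parent domains under which most queries look like carried data. The thresholds are assumptions chosen for illustration.

```python
"""Heuristic view of what the DNS Tunnelling category catches (added example).

Tunnelled traffic encodes data into long, high-entropy subdomain labels under one
parent domain and sends many such queries. Thresholds below are assumptions, not
Umbrella's; SAMPLE_QUERIES are constructed.
"""
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character: close to 4 for hex-like data, 2.5 to 3 for ordinary words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name: str):
    """Return (parent_domain, subdomain_part), taking the last two labels as the parent.
    A production version would consult the public suffix list; two labels suffice here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def looks_encoded(sub: str, min_len: int = 30, min_entropy: float = 3.5,
                  hard_len: int = 50) -> bool:
    """A subdomain looks like carried data if it is long and high-entropy, or simply very long."""
    return len(sub) >= hard_len or (len(sub) >= min_len and shannon_entropy(sub) >= min_entropy)


def flag_tunnel_domains(queries, min_queries: int = 5, ratio: float = 0.8):
    """Group queries by parent domain; flag parents where most queries look encoded
    and enough queries were seen to rule out a one-off long hostname."""
    total = defaultdict(int)
    encoded = defaultdict(int)
    for q in queries:
        parent, sub = split_query(q)
        total[parent] += 1
        if looks_encoded(sub):
            encoded[parent] += 1
    return sorted(p for p in total
                  if total[p] >= min_queries and encoded[p] / total[p] >= ratio)


# Constructed sample: five ordinary lookups and five tunnel-style queries
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com",
    "login.example.com", "static.example.com",
    "6a7f0e3b9c1d4e5f8a2b3c4d5e6f7a8b.9c0d1e2f3a4b5c6d.t.tunnel-demo.test",
    "0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.6f7a8b9c0d1e2f3a.t.tunnel-demo.test",
    "f1e2d3c4b5a6978877665544332211ff.aabbccddeeff0011.t.tunnel-demo.test",
    "13579bdf02468ace13579bdf02468ace.fedcba9876543210.t.tunnel-demo.test",
    "deadbeefcafef00d0123456789abcdef.0f1e2d3c4b5a6978.t.tunnel-demo.test",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        parent, sub = split_query(q)
        print(f"{parent:18} len={len(sub):3} entropy={shannon_entropy(sub):.2f} "
              f"encoded={looks_encoded(sub)}")
    print("flagged:", flag_tunnel_domains(SAMPLE_QUERIES))
```

The ratio and minimum-query checks are what keep a single long CDN hostname from being flagged; a cloud service like Umbrella adds reputation, query volume over time and known tunnelling-provider lists on top of this kind of signal.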


3. Content Setting Applied (click on Edit)

Here we define the web categories that are unsuitable for our users. Any
website that falls in one of these categories will be blocked.

(Click cancel to go back)

4. Application Setting Applied (click on Edit)

Here we define any application that we would like to block explicitly.

Search for Calendar and note that we block Google Calendar for all our
employees.

Search for WhatsApp and note that we block uploads using WhatsApp.

(Click cancel to go back)

5. Destination lists enforced (click on Edit)

Further finetuning can be made here. We noticed that some of our users are
using Google Translate to bypass blocked websites. To overcome this, we block
the usage of translating web sites in Google Translate.

YouTube on the other hand we specifically allow.

(Click cancel to go back)

6. File Analysis

We inspect files for malicious behaviours using a combination of static and


dynamic analysis methods, in addition to file reputation and advanced
heuristics.

7. Custom Block page

We built a custom block page to let the user know why the connection is
refused.

Note that for the user to see this page, Umbrella needs to be able to inject the block
page into the HTTPS connection. This requires the Umbrella root certificate to be
installed on the user devices.

8. Advanced Settings

a. Intelligent Proxy: The intelligent proxy is the ability for Umbrella to
intercept and proxy requests for malicious files embedded within certain
so-called "grey" domains. Some websites, especially those with large user
communities or the ability to upload and share files, have content that
most users want to access while also posing a risk because of the
possibility of hosting malware.
b. SSL Decryption: Most traffic on the internet is encrypted. Enable this
feature if you would like to activate Intelligent Proxy over HTTPS. This is
enabled in our case.
c. Enforce SafeSearch: When a user is looking for content on search engines
or YouTube, we can enforce SafeSearch to remove inappropriate content from
the search results.


Test Out as Sales

You are an employee and a member of the sales department.


Log into the local wireless network using your test PC.

• Forget your wireless network (right-click the SSID and choose ‘Forget’)

• Reconnect to SSID: company_xx (XX = your station number)


o Username: sales
o Password: Comstor!05

• Open FireFox


• Browse to YouTube to test SafeSearch.

Click on the 3 dots, next to the search icon and notice that Restricted Mode is active.
Due to our security policy, none of our users can deactivate this feature when
connected to our office network.

YouTube is in our Allow Destination lists, so this should work.

NOTE: If this is not the case, make sure at least 5 minutes have passed between enabling the
Umbrella connection and the test.

• Browse to facebook.com to test Content Settings

Umbrella will block the connection and will attempt to inject the block page.
Because our workstation does not trust the Umbrella certificate, the browser will show a warning.

On workstations managed by the company we can push these certificates automatically.


The following process shows you how to install the certificate manually.


• Install the Umbrella certificate and test again

Using the test client browse to:


https://d36u8deuxga9bo.cloudfront.net/certificates/Cisco_Umbrella_Root_CA.cer

Go to the options from FireFox


Search for Certificate and click on View Certificates

On the Authorities tab, click on Import


Import your certificate and don’t forget to TRUST your certificate!


• Trust this CA for web: Enable
• Trust this CA for email: Enable

Go back to the Facebook.com tab and refresh to view the block page.


• Test Intelligent Proxy

This feature will allow “grey” sites but block malicious URLs shared through these
“grey” mediums.

To test unencrypted traffic, navigate to: http://proxy.opendnstest.com/

To test encrypted traffic, navigate to: https://proxy.opendnstest.com/

Because we have the certificate installed we can now test SSL decryption too. Use the
second URL (https://proxy.opendnstest.com/).

Click on the Allowed URL & blocked page content to simulate a grey site with
malicious content. The site itself will be shown, the content blocked.


• Free testing against malware, phishing, CnC, …

The station you are working on will be reverted after the training. Feel free to try and
break the Umbrella DNS security.

Tip: http://internetbadguys.com

It is likely that Firefox also detects malware and refuses the connection. This is obviously
a good thing. To bypass the Firefox warning and test Umbrella, click on ‘Ignore the risk’.

https://www.wicar.org/test-malware.html


EX – Investigate the security reports

Understanding what is going on in your networks is equally important to security as
protecting your users. Let’s learn to understand the traffic coming from our branch site.

Security Activity

Reporting > Core Reports > Security Activity

Get a quick overview from all the security violations and threats happening in your
network.

Previously we opened a grey website with malicious content and other malicious sites and
content. All the content that was detected as malicious you can investigate here.

Look for your network (ssid0_company-xx…) to investigate a threat that was blocked.
The below example shows the event related to the grey website with a malicious file.

Activity Search

Reporting > Core Reports > Activity Search

Curious about the other events? Even the ones that got through.
This report can help you to finetune your security policies and understand what is
going on inside your branch office.


Shadow IT → App Discovery

Reporting > Core Reports > App Discovery

From now on you are aware what applications are introduced into your network by
your employees and guests.

Do you see any shady application you wish to block?
→ Block it
Do you see an unknown application that might be used to improve productivity?
→ Approve it

Click on the Unreviewed apps to review the new applications that were active inside our
network.

Now you can review the applications one by one to take control of the usage of unwanted
applications.


Further detailed reports

Reporting > Additional Reports

Take your time to navigate through these detailed reports.

The TOP reports can help you to identify the most popular destination accessed by the
most active users.

Cloud Malware.

Your company can choose to integrate Umbrella with their cloud storage solutions to
investigate files that are stored and shared using that medium.

Data Loss prevention.

Prevent files containing sensitive and confidential data from being shared.

You can create rules to check on tag words or type of data, like bank account numbers
etc.


♦️ Cloud-delivered firewall (UMBRELLA)

This section is not in the scope of this lab, but it is valuable to talk about this functionality.

In a nutshell, you connect your branch router to Umbrella, and Umbrella applies firewall
rules to the traffic before releasing it to the internet.

Organizations are embracing direct internet access (DIA) instead of backhauling traffic to the
data center. Today organizations seek a cloud-native security service as a simple-to-manage and
scalable alternative to costly refresh cycles and maintenance headaches.

Firewall in the cloud is now an essential element of a cloud-delivered security service. It helps
you to improve security efficacy and ensure consistent enforcement everywhere.

Branch in a box.

Cisco recently released a new Catalyst switch that is able to build an IPsec connection to the
main site for site-to-site traffic and another IPsec tunnel to Umbrella for DIA (Direct Internet
Access). This is natively supported and can reach up to 100Gbps IPsec encryption speeds.


4 The Hybrid worker


In a hybrid office we need to secure our employees, wherever they are connected from.
From home, on the road, from customers, everywhere.

♦️ Hybrid worker (UMBRELLA)

In this exercise we learn how to roll out cloud security to enforce a secure online behaviour for
all our employees, everywhere they go.

Using Cisco Secure Client (previously known as AnyConnect) will protect you with DNS-based
security AND web policies, resulting in a full Secure Web Gateway.

The Cisco Secure Client will be able to:

• Enforce all the DNS policies we have seen so far.
• Inspect files for malware using signatures, heuristics and file reputation, powered by Cisco
Advanced Malware Protection.
• Analyse files for malicious behaviour using advanced sandboxing with static and dynamic
threat intelligence.
• Check a file based on its file extension (images, video files, documents, ...), using a
detection engine to evaluate the file.
• Perform full HTTPS inspection.
• Apply Source / Destination / Time rulesets (think of blocking sites or content like social
media during school hours).
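To make the last item concrete, here is an added example (written for this guide, not Umbrella's own policy engine) of a Source / Destination / Time ruleset evaluator in Python. Each rule can constrain the source identity, the destination category and a time-of-day window on selected weekdays; the first matching rule decides. The identities, the hostname-to-category table and the rules (including the "no social media during school hours" case from the list above) are constructed for the demonstration.

```python
"""Added example: a minimal Source / Destination / Time ruleset evaluator.
Illustrative code written for this guide, not Umbrella's policy engine."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed hostname-to-category lookup standing in for a content classifier.
CATEGORIES = {
    "facebook.com": "social_media",
    "instagram.com": "social_media",
    "wikipedia.org": "reference",
    "wicar.org": "malware",          # the test-malware site used in this lab
}


@dataclass
class Rule:
    name: str
    action: str                        # "block" or "allow"
    identities: Optional[set] = None   # source: None = any identity
    categories: Optional[set] = None   # destination: None = any category
    start: Optional[time] = None       # time-of-day window, inclusive start ...
    end: Optional[time] = None         # ... exclusive end; both None = all day
    weekdays: Optional[set] = None     # 0 = Monday .. 6 = Sunday; None = any day

    def matches(self, identity: str, category: str, when: datetime) -> bool:
        if self.identities is not None and identity not in self.identities:
            return False
        if self.categories is not None and category not in self.categories:
            return False
        if self.weekdays is not None and when.weekday() not in self.weekdays:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() < self.end):
                return False
        return True


def categorize(host: str) -> str:
    """Longest-suffix lookup so www.facebook.com inherits facebook.com's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def evaluate(rules, identity: str, host: str, when: datetime):
    """First matching rule wins; with no match the request is allowed."""
    category = categorize(host)
    for rule in rules:
        if rule.matches(identity, category, when):
            return rule.action, rule.name
    return "allow", "default"


SCHOOL_DAYS = {0, 1, 2, 3, 4}
RULES = [
    Rule("block-malware", "block", categories={"malware"}),
    Rule("no-social-in-class", "block", identities={"students"},
         categories={"social_media"}, start=time(8, 30), end=time(15, 30),
         weekdays=SCHOOL_DAYS),
    Rule("staff-allow-all", "allow", identities={"staff"}),
]


def evaluate_at(identity: str, host: str, iso_timestamp: str, rules=RULES):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return evaluate(rules, identity, host, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    requests = [  # constructed; 2024-03-05 is a Tuesday, 2024-03-09 a Saturday
        ("students", "www.facebook.com", "2024-03-05T10:00"),
        ("students", "www.facebook.com", "2024-03-05T17:00"),
        ("students", "www.facebook.com", "2024-03-09T10:00"),
        ("staff", "www.facebook.com", "2024-03-05T10:00"),
        ("staff", "www.wicar.org", "2024-03-05T10:00"),
    ]
    for identity, host, ts in requests:
        print(identity, host, ts, "->", evaluate_at(identity, host, ts))
```

Rule order matters: the malware block sits first so that a broad "allow everything for staff" rule further down can never override it.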

Side-Note:

More protection is to be expected using the Cisco Secure Client. Below is another test
performed by AV-TEST on Cisco Umbrella, this time with the client installed.

The below results are published by AV-TEST (https://www.av-test.org/en/), an
independent IT security institute. The test released 3,682 attacks on systems
protected by different cloud security vendors. The results of this test indicate that
Cisco Umbrella outperformed the other vendors’ detection rates.

Vendor                 Package                           Detection rate (3,682 attacks)
Cisco                  Umbrella SIG Advantage            90.41%
Netskope               Secure Web Gateway                80.12%
Zscaler                Internet Access Transformation    79.60%
Palo Alto Networks     Prisma Access for Mobile Users    79.33%
Skyhigh Security       Secure Web Gateway                63.96%
Iboss                  Zero Trust Edge                   44.60%


Installing the Umbrella module on Cisco Secure Client

Open the folder LAB Programs (on the desktop) and install Cisco Secure Client > open setup.

Unselect all and select only Umbrella > Install Selected


Connect Cisco Secure Client to Umbrella

Open Cisco Secure Client and note that the correct profile is missing.

Copy OrgInfo.json from the LAB Programs folder to the following Umbrella folder:
%ProgramData%\Cisco\Cisco Secure Client\Umbrella\


Test your Off-network policy

Note that you can now access Facebook.com. Why is this?

TIP: Open the Off-network Policy – Home/Remote and notice the following
• All roaming computers are mapped to this policy.
• Facebook is allowed for all roaming computers

All roaming computers, regardless of where they connect, will use the home/remote
policy.


Check the activity search and notice that your roaming computer is now displayed instead of
our network as an identity.

Test from a home or remote network.

Disconnect from the office network and connect to API Lab (an unprotected network),
then try again to download the test malware from the eicar or wicar websites:
https://www.wicar.org/test-malware.html


Check the reports to find out what you were protected from.

Notice in the reports that the eicar website is selectively allowed (“Grey” website with malicious
content).

Free testing against malware, phishing, CnC, …

The station you are working on will be reverted after the training. Feel free to try and break the
Umbrella DNS + WEB security.


♦️ Hybrid worker (DUO -- DEMOs)

Easy, Flexible Cybersecurity Solutions for Everyone

Multi-factor authentication is an electronic authentication method in which a user is granted
access to a website or application only after successfully presenting two or more pieces of
evidence to an authentication mechanism: knowledge, possession, and inherence.

Duo’s MFA (multi-factor authentication) and 2FA (two-factor authentication) app and access
tools can help make security resilience easy for your organization, with user-friendly features
for secure access, strong authentication, and device monitoring.
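As an added example, written for this guide rather than taken from Duo's product, here is the server side of a two-factor login in Python: the knowledge factor is a salted, stretched password hash, and the possession factor is a time-based one-time code of the kind an authenticator app produces (RFC 6238 TOTP: HMAC-SHA1, 30-second steps, 6 digits). The user record, password and shared secret are constructed; the secret is the RFC 6238 test key, so the generated codes can be checked against the published vectors. The example also shows two checks a verifier needs that the definition above leaves implicit: a tolerance window for clock drift, and a refusal to accept a code that has already been used.

```python
"""Added example: a two-factor verifier (password + TOTP), illustrative code for
this guide and not Duo's implementation. TOTP follows RFC 6238 / RFC 4226."""
import hashlib
import hmac
import os
import struct

STEP = 30           # TOTP time step in seconds
DIGITS = 6          # code length
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create a user record: salted password hash plus the shared TOTP secret.
    (Constructed record layout for this example.)"""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest TOTP counter already accepted (replay guard)
    }


def authenticate(record: dict, password: str, code: str, unix_time: int,
                 window: int = 1) -> tuple:
    """Return (ok, reason). Both factors must pass, and each code is accepted once."""
    # Factor 1: knowledge. Constant-time compare of the derived key.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False, "bad password"

    # Factor 2: possession. Accept the current step and +/- `window` steps
    # for clock drift, but never a step at or below the last accepted one.
    counter = unix_time // STEP
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= record["last_counter"]:
            continue                      # already used or older: refuse replay
        if hmac.compare_digest(hotp(record["totp_secret"], c), code):
            record["last_counter"] = c
            return True, "ok"
    return False, "bad or reused one-time code"


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key, so totp(key, 59) is the published "287082".
    key = b"12345678901234567890"
    user = enroll("correct horse battery staple", key)
    print(authenticate(user, "wrong password", totp(key, 59), 59))
    print(authenticate(user, "correct horse battery staple", totp(key, 59), 59))
    print(authenticate(user, "correct horse battery staple", totp(key, 59), 60))  # replay
```

The password check runs first and uses a constant-time comparison, and a rejected second factor gives the same generic reason whether the code was wrong or merely reused, so the response does not tell a caller which part of the attempt was close.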

Use the below examples to learn the basic principles of MFA and see it in action.

• The day starts with logging on in the morning.

Click HERE to simulate the experience of Chris.
This is an interactive demo: open the URL and click as you would in real life.

• Another use case is to protect sites and applications.

Click HERE to simulate the experience of Lee.
This is an interactive demo: open the URL and click as you would in real life.


The Life and Death of Passwords

Passwordless authentication (or “modern authentication,” as it is known by some) is the term
used to describe a group of identity verification methods that don’t rely on passwords.
Biometrics, security keys, and specialized mobile applications are all considered “passwordless”
or “modern” authentication methods.

Use the below examples to see passwordless authentication in action.

• Opening an application without using a password.

Click HERE to simulate the experience of Lee.
This is an interactive demo: open the URL and click as you would in real life.

• Interested to understand how Lee registered the application for the first time?

Click HERE to simulate the experience of Lee.
This is an interactive demo: open the URL and click as you would in real life.


A use case for every business

We understand that every business is unique and has different requirements, but every
business requires a secure authentication process for their employees and users.

Below you can find a large set of demos to help you understand many ways to provide secure
access to your customer networks.

https://demo.duo.com/


DUO – The admin experience

Visibility is essential when it comes to security.

Be aware of when endpoints were compromised or authentications failed, and why.

Connect to the demo dashboard using your own Cisco CCO ID.
https://dcloud2-lon.cisco.com/content/instantdemo/cisco-duo-admin-panel-v1-instant-demo?returnPathTitleKey=content-view

When logged in, click View to start

Investigate the active policy


Investigate the Reports


Investigate Device Insights

Only allow authentication confirmations from up-to-date systems; they are less likely to be compromised.


DUO – Start your own experience

Start your account → For Free!

Tired of working with a demo and following a script?
We invite you to test it out to secure your own applications and experience it for yourself.

Get the full experience for 30 days:
https://signup.duo.com/

After 30 days you will be given the Free edition of DUO
(basic feature set for 10 users).

DUO Editions

Multiple editions are available depending on the needs of your customer.
Learn about the differences using the link below.

https://duo.com/editions-and-pricing
