I made a webinar with Meraki about Christian Aid’s use of their technology. I cover why we decided to replace our Cisco ASA VPN infrastructure with Meraki MX Security Appliances, and what benefits we experienced – both expected and unexpected.
You’ll need to register to watch. Once you have registered, why not attend a live webinar and get a free Meraki AP with a 3-year license?
Our Regional ICT Service Manager, Sanjay, has just enabled our first MX64W Security Appliance and WiFi in Kathmandu, Nepal. Here is a screenshot of the first two days’ use.
I’ve also enabled a live public view of traffic on our WiFi access points in Freetown.
Hoping to see Kindu, Democratic Republic of Congo on Meraki next week, and Managua, Nicaragua shortly after.
Here are some details about our global Meraki network:
2 models of office (soon to be 3)
We have a variety of different sized offices and, since we use donated money, a responsibility to spend it wisely. So we opted to go with two models. One for larger offices, and one for smaller offices.
The large offices have between 10 and 50 staff, and are often spread over quite a large area, and sometimes multiple floors. For these offices we chose the MX80 Security Appliance, with one or two MR16 Access Points.
A small office is anything with more than 1 and fewer than 10 staff. For these offices we opted for an MX60W Security Appliance, which combines the functionality of a Security Appliance with a WiFi radio.
I’ve recently been looking with interest at the Z1 teleworker gateway, which has all the functionality of the MX60W, but at a lower price, and more compact. I’ll be shipping off our first Z1 to our office in Tacloban, Philippines later this month. Given the cost and compact nature, I hope we can keep some of these in reserve for emergency response – they will make setting up a secure working environment in situations like Nepal much faster and easier.
27 offices in 26 developing countries
Some networks are combined in the above map – there are three networks in DR Congo for example. Offices in Kathmandu, Nepal, Managua, Nicaragua and Tacloban, Philippines are yet to come online.
7 offices in UK
This will increase to cover a total of 18 offices, including our offices in Dublin, Ireland and Madrid, Spain.
1.06 TB transferred by over 4000 clients in the last week
Clearly we have a lot of people visiting our offices. We don’t have nearly that many staff!
72 devices deployed
- 1 MR12 Access Point (our first device, given free by Meraki to get us hooked – it worked)
- 18 MR16 Access Points
- 16 MR18 Access Points
- 16 MX60W Security Appliances with WiFi
- 13 MX80 Security Appliances
- 1 MX100 Security Appliance (at HQ as the VPN hub)
- 1 MX64W Security Appliance with WiFi
- 2 MX64 Security Appliances (no WiFi)
- 1 Z1 Teleworker Gateway – waiting to be shipped to Tacloban, Philippines.
One of the things I’ve enjoyed most in the last couple of years in my job has been rolling out and using Cisco Meraki networking equipment across the 29 offices Christian Aid has in the developing world.
The whole experience of learning about the devices and service, designing our implementation, rolling out, and then supporting and using Meraki daily has been fun, which hasn’t been something I’ve found myself saying about other projects I’ve worked on such as SharePoint or Cisco ASAs. Meraki just hasn’t been as challenging, but in a good way – I’ve managed to achieve so much without increasing blood pressure or tearing any hair out on the way. I have had to put my technical knowledge and skills to use for sure, but in a more graceful way that has just been more…pleasant.
In upcoming posts I want to share what I have done with Meraki, because I think that anyone who wants to achieve the same things with their network can do it most easily with Meraki and should consider it.
In posts over the next couple of weeks I’ll be covering the following things:
- Global VPN
- Standardised WiFi networks
- Mobile Device Management
- Bandwidth Management
- Sharing networks and internet connections with other organisations and the public
I hope you are interested in coming along with me for some of the journey.
Using a separate admin account is common in the Unix world. At Christian Aid we adopted separate admin accounts for staff in the ICT Services teams to give increased security.
One annoying thing about this is that Windows tools based in MMC don’t easily run as a different user AND with elevated permissions (confusingly referred to as Run as Administrator in the UI). We had been working around this by remoting to a server and then running the tools from there while logged in with an admin account.
That’s a bit of a pain though, right? It would be much better to just run the tools locally as the admin user. It can be done by editing the shortcut to each item in Administrative Tools like this:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B app.msc"
Obviously adjust DOMAIN\adminuser as appropriate.
Putting the whole “normal” run command behind a cmd is necessary for some applications that require additional flags, and works for those that don’t too.
Here is a list of commands that work on my copy of Windows 7:
- Administrative Center:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsac.exe"
This requires Run as administrator. If it isn’t ticked, nothing will happen.
- Domains and Trusts:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B %SystemRoot%\system32\domain.msc"
- Sites and Services:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dssite.msc"
- Users and Computers:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsa.msc"
- DNS:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dnsmgmt.msc /s"
- Group Policy Management:
runas.exe /user:DOMAIN\adminuser "cmd /c Start /B gpmc.msc"
Use this approach for any application that needs to run as a different user (always the same one), with elevated privileges, or both.
/savecred security hole
Anyone using this can add a /savecred flag to the runas command, which allows storage of credentials. The first time you use a shortcut like this, you’ll get asked for the user’s password in a command window. The /savecred flag means the credentials will get stored in Windows Credential Manager, and you won’t need to enter them every time. That’s convenient, but it does mean that if the computer and Windows account are compromised, an attacker is a click away from your admin interfaces!
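To check whether a workstation has already been set up this way, the following PowerShell audit is an added example (not part of the original post). It lists shortcuts that call runas with /savecred and the runas credentials already held in Credential Manager. It assumes PowerShell 3 or later, an English-language cmdkey output, and that admin shortcuts live in the Desktop and Start Menu folders listed.

```powershell
# Added example: audit this workstation for runas /savecred usage (PowerShell 3+).
# The folder list is an assumption; add any other locations where admin shortcuts live.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

# 1. Shortcuts whose command line runs runas with /savecred.
$shortcuts = @(
    Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $commandLine = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
        if ($commandLine -match '\brunas(\.exe)?\b' -and $commandLine -match '/savecred\b') {
            [pscustomobject]@{ Shortcut = $_.FullName; CommandLine = $commandLine }
        }
    }
)

# 2. Credentials already saved for runas. cmdkey lists them with a target
#    of the form "Domain:interactive=DOMAIN\user".
$stored = @(cmdkey.exe /list | Select-String -Pattern 'interactive=' |
    ForEach-Object { ($_.Line -replace '^\s*Target:\s*', '').Trim() })

"Shortcuts using /savecred: $($shortcuts.Count)"
$shortcuts | Format-List
"Stored runas credentials: $($stored.Count)"
$stored | ForEach-Object {
    "  $_"
    "    remove with: cmdkey.exe /delete:$_"
}
```

Run it as the everyday (non-admin) user, since the saved credential lives in that user's Credential Manager vault.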
I have a Pioneer A4 Airplay speaker connected by WiFi to a Technicolor TG582n router. After playing around with configuration settings as described on npr.me.uk I managed to disconnect the A4 speaker from the WiFi network.
So I decided to experiment with different combinations of settings to see if I could find which work.
- STBC – with this enabled, the connection does work – initially I thought it didn’t but was able to get it working with the A4 next to the router.
- CDD – with this enabled, the connection does work. This provides better coverage, so worth using.
- AMSDU – with this enabled the connection does work.
- SGI – with this enabled the connection does work.
After systematically turning each setting on one at a time, I found all the settings work after all, so it must have been something else that stopped the connection. At least I now know.
I don’t think I benefit at all by using any of these settings for listening to music, but in theory they should improve performance for other wifi clients such as laptops and smartphones. A good discussion of most of the techniques enabled by the functions can be found at Veriwave.