With a strong working knowledge of Meraki’s APIs and dashboard, the software developers who support Thelios saw the Virtual Hackathon as an opportunity to apply their experience by creating a unique integration that would provide high business value and ease administrative burdens.
They chose to focus their efforts on the hackathon’s IT Operations category.
The team’s inspiration sprang from the fact that malware and ransomware have become all too common. They’ve seen how such threats, if left unchecked, can devastate corporate networks (e.g., what happened to Maersk when the NotPetya attack was unleashed against Ukraine).
While existing tools like Cisco Stealthwatch can help identify which network systems have been compromised, the team identified a gap between identifying affected clients and taking swift action to prevent further spread.
Within 48 hours, the WWT Thelios team built a web application, named NORRIS, that queries Stealthwatch APIs to identify rogue or compromised clients on the network.
NORRIS visualizes the location and threat assessment of wired and wireless clients on a map, making it easy for operators to see which devices are compromised. The application enables these operators to quickly identify and quarantine compromised devices with the push of a button. Once quarantine is initiated, NORRIS’ integration feature calls the Meraki API to adjust Meraki MX or MR firewall rules so that rogue devices are isolated from the non-compromised devices on the network.
Why would organizations find this innovation useful?
NORRIS speeds time to quarantine, minimizing the length of network exposure. Specifically, the solution eliminates the need for network operators to multitask by monitoring Stealthwatch for rogue clients on one screen and reacting to Stealthwatch alerts via Meraki on a separate screen. NORRIS effectively reduces operators’ response time and, ultimately, allows them to automate quarantine protocols based on business rules or analytics through Meraki firewall APIs.
To realize their solution, WWT’s developer team built a containerized application stack with a React frontend and Express backend.
In the frontend, they used Google Maps to overlay building floor plans and position network clients, which they subsequently color coded and provided “quarantine” and “release” actions for suspicious devices.
For the backend, they created collectors that fetched Meraki API data about network clients and firewall rules, listened to the Meraki Scanning API for device locations, and then interrogated Stealthwatch for devices that were behaving suspiciously.
The developers then correlated that data to tag the devices with an appropriate risk level in the user interface. When an admin or operator “quarantines” a device on the frontend, the backend uses the Meraki API to apply firewall rules to isolate the device.
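The correlation and quarantine steps described above, as an added illustration that is not NORRIS's own code: it joins constructed Meraki client, Scanning API and Stealthwatch records on IP/MAC, tags each client with a risk level, and builds the MX L3 firewall rule list a backend would push back. The rule field names and the `l3FirewallRules` endpoint are assumed from Meraki's public Dashboard API documentation; the Stealthwatch event shape is an assumption.

```javascript
// Added example (not WWT's NORRIS code). Sample records below are constructed
// stand-ins for what the collectors would fetch from the three APIs.
const merakiClients = [
  { mac: "aa:bb:cc:00:00:01", ip: "10.0.1.10", description: "laptop-01" },
  { mac: "aa:bb:cc:00:00:02", ip: "10.0.1.11", description: "printer-02" },
];
const scanningObservations = [ // Meraki Scanning API style: MAC plus lat/lng
  { clientMac: "aa:bb:cc:00:00:01", lat: 38.9, lng: -77.0 },
];
const stealthwatchAlarms = [ // assumed Stealthwatch-style security event shape
  { sourceIp: "10.0.1.10", severity: "Critical" },
];

// Map an alarm severity onto the risk tag shown in the UI.
const RISK = { Critical: "high", Major: "medium" };

// Join clients with their last known location and any Stealthwatch alarm.
function correlateClients(clients, observations, alarms) {
  const loc = new Map(observations.map(o => [o.clientMac, { lat: o.lat, lng: o.lng }]));
  const sev = new Map(alarms.map(a => [a.sourceIp, a.severity]));
  return clients.map(c => ({
    ...c,
    location: loc.get(c.mac) ?? null,
    risk: RISK[sev.get(c.ip)] ?? "none",
  }));
}

// Prefix that marks rules owned by the tool so "release" can remove them.
const QUARANTINE_TAG = "norris-quarantine:";

// Build the rule list for PUT /networks/{id}/appliance/firewall/l3FirewallRules:
// one deny rule per quarantined IP, placed first so it wins over existing
// allow rules; previously pushed quarantine rules are dropped and rebuilt
// (so "release" is just a call with the IP absent). The trailing "Default rule"
// returned by GET is omitted because the API re-appends it (assumed).
function buildQuarantineRules(existingRules, quarantineIps) {
  const kept = existingRules.filter(r =>
    !(r.comment ?? "").startsWith(QUARANTINE_TAG) && r.comment !== "Default rule");
  const deny = quarantineIps.map(ip => ({
    comment: `${QUARANTINE_TAG}${ip}`,
    policy: "deny", protocol: "any",
    srcCidr: `${ip}/32`, srcPort: "Any", destCidr: "Any", destPort: "Any",
    syslogEnabled: true, // log hits so the quarantine itself is auditable
  }));
  return [...deny, ...kept];
}
```

Tagging the source IP rather than the whole subnet keeps the blast radius of a false positive to the one client Stealthwatch flagged.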
Other components of the team's NORRIS solution include Docker, Node.js, PostgreSQL, Recoil, RxJS and TimescaleDB.
The biggest challenge our developers faced in developing NORRIS within 48 hours was the lack of data in the lab environment. According to one developer, “We were quite surprised to find that the lab networks had no clients of any kind, nor was a suitable StealthWatch instance available.”
As a workaround, the team chose to leverage WWT’s in-house CMNA stack to provide the Meraki data. And, thanks to WWT’s ATC lab environment, the team was able to spin up access to a StealthWatch instance — one of the significant perks of being part of the WWT ecosystem.
After all submissions were reviewed, judges at Meraki and Cisco selected WWT’s NORRIS as the winner of the Virtual Hackathon's IT Operations category. In under 48 hours, our team had proved how Stealthwatch can work seamlessly with Meraki networks to provide operators with network traffic data that otherwise would have been unavailable.
What’s next for NORRIS and WWT’s crack team of Thelios developers, you ask?
The team will continue to build new features and functionalities for our Thelios product, available to customers today for provisioning and monitoring Meraki networks. And given NORRIS’ positive reception at Cisco Live 2020, WWT customers can expect our NORRIS Stealthwatch integration to be introduced in the near future.
What do you think?
If you’re a network operator or have familiarity with network security challenges, we invite your feedback in the comments below.
- How do you go about quarantining rogue devices on your network?
- Similar to how WWT created NORRIS, what products, platforms or technology have you used or developed to automate the sustainment of network security?
- What kind of alerts, analytics and access would be most helpful to maintaining a secure and reliable network for your users?
Members of the WWT Thelios team are always seeking to learn more about new network security challenges to solve as they continue to enhance Thelios for network automation and visualization. Let us know if you have any ideas for where the team should focus next.