Cisco Meraki Suck and Spit (sas for short)


IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!

Introduction

sas sucks in a Wireshark capture and spits out firewall rules in a group policy for a Cisco Meraki MX, ending with a default deny rule. This makes it perfect for creating firewall rules for IoT devices and then restricting those IoT devices in case they later become compromised.

sas handles resources that are accessed via a DNS name and whose IP addresses change dynamically.

sas is also able to read in an existing group policy and update any existing firewall rules with anything found in the packet capture not currently contained in the rule set.

Installation

Start by downloading sas.py (last updated 13-March-2020).

You need Python 3.2 or better. I would recommend the 64 bit edition to be able to process larger captures. This script was written using Python 3.7.3 and has not been used on any lower version of Python.

You need to install these Python modules:

pip install meraki-sdk
pip install -U python-dotenv

You need to install Wireshark (more specifically, you need tshark that comes with Wireshark).

sas uses dotenv to safely store your credentials.  Create a file called .meraki.env in your home directory.  For Linux this is typically /home/username.  For Windows this is typically c:\users\<username>.

Into .meraki.env put this line:

x_cisco_meraki_api_key=<your API key>

If you don't have an API key yet then follow the instructions on this page: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API

To save typing the same configuration parameters over and over, you can create an .env file in the same directory you are going to run the script from with these optional parameters (use none, some or all of them as you feel like).

orgName=<your organisation name>
netName=<the network name you are operating in>
groupPolicyName=<the name of the group policy you want to create or update>

Method of Operation

Start with the IoT device you are going to create firewall rules for turned off.  This is very important.

This is because sas needs to see all of the DNS queries that the device is making.  If you don't turn the device off before beginning then it may have cached the DNS results, and those queries will not appear in the capture.

Next start your packet capture. You can do this from the Meraki dashboard.  Select your MX security appliance.  Make sure you do the packet capture on the "LAN" interface.  This is important because sas needs to see the requests coming from the device prior to NAT.  Select to download the packet capture.  Make sure you set the duration to be long enough for the device to start up and operate normally. This might take 5 or 10 minutes. A capture that is too long is better than one that is too short.  Enter a filter that will only capture packets for the one IoT device.  I suggest using a "host" filter, such as "host 192.168.1.10".  Once you have started your packet capture, power up your IoT device.

Once the capture completes and downloads to your machine you need to convert it to JSON using tshark. tshark is a command line tool. Use a command line like:

tshark -2 -T json -r packet_capture.pcap >packet_capture.json

Now you are ready to use sas. You can use "sas -h" to get help.  You are probably going to use a command line like this:

sas.py -f packet_capture.json -o "Your Org Name" -n "Your network name" -gp "Your group policy name"

Note that if you put the organisation, network or group policy names into your .env file you don't need to specify them on the command line.  If you have them in both places the command line takes precedence.

You're finished.  Either the existing group policy has been updated or a new group policy has been created with the firewall rules.  You can now go and apply this to your device (a client in the Meraki dashboard). You could also potentially apply it to a VLAN interface.
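To show why the device has to be off before the capture starts, here is an added example (not taken from sas.py, and not how sas is necessarily implemented) that derives an allow list from records shaped like tshark -T json output. The field names (ip.src, dns.a, dns.resp.name, tcp.flags and so on) are Wireshark's; the addresses, the sample packets and the rule dictionary layout are constructed for illustration and are not the Meraki API schema.

```python
DEVICE = "192.168.1.10"  # constructed device address

def pkt(src, dst, **layers):
    """Build one record in the shape tshark -T json emits (constructed data)."""
    return {"_source": {"layers": {"ip": {"ip.src": src, "ip.dst": dst}, **layers}}}

SAMPLE = [
    # DNS answer seen in the capture: iot.example.com -> 203.0.113.7
    pkt("192.168.1.1", DEVICE, udp={"udp.dstport": "50000"},
        dns={"Answers": {"iot.example.com: type A, class IN, addr 203.0.113.7":
                         {"dns.resp.name": "iot.example.com", "dns.a": "203.0.113.7"}}}),
    pkt(DEVICE, "203.0.113.7", tcp={"tcp.dstport": "443", "tcp.flags": "0x0002"}),  # SYN
    pkt(DEVICE, "203.0.113.7", tcp={"tcp.dstport": "443", "tcp.flags": "0x0010"}),  # ACK
    # No DNS answer captured for this address (lookup was cached before the capture)
    pkt(DEVICE, "198.51.100.9", tcp={"tcp.dstport": "8883", "tcp.flags": "0x0002"}),
    pkt(DEVICE, "192.168.1.1", udp={"udp.dstport": "53"}),
]

def build_rules(packets, device_ip):
    names = {}  # resolved IPv4 address -> DNS name, learned from answers in the capture
    for p in packets:
        answers = p["_source"]["layers"].get("dns", {}).get("Answers", {})
        for ans in answers.values():
            if "dns.a" in ans:
                names[ans["dns.a"]] = ans["dns.resp.name"]
    allowed = set()
    for p in packets:
        layers = p["_source"]["layers"]
        ip = layers.get("ip", {})
        if ip.get("ip.src") != device_ip:
            continue  # only traffic originated by the device becomes a rule
        if "tcp" in layers:
            # Count only connection openers (SYN set, ACK clear), not later segments
            if int(layers["tcp"]["tcp.flags"], 16) & 0x12 != 0x02:
                continue
            proto, port = "tcp", layers["tcp"]["tcp.dstport"]
        elif "udp" in layers:
            proto, port = "udp", layers["udp"]["udp.dstport"]
        else:
            continue
        dst = ip["ip.dst"]
        # Prefer the DNS name; fall back to a /32 when no answer was captured
        allowed.add((proto, names.get(dst, dst + "/32"), port))
    rules = [{"policy": "allow", "protocol": pr, "dest": d, "port": po}
             for pr, d, po in sorted(allowed)]
    rules.append({"policy": "deny", "protocol": "any", "dest": "any", "port": "any"})
    return rules
```

The destination whose DNS answer was in the capture becomes a name-based rule, while the one without an answer is pinned to a /32 that stops matching once the service changes address.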