The Design Decisions Behind Selecting Meraki as a Security Appliance

I received an email asking for details as to why I replaced my Untangle whitebox with a Meraki MX60 security appliance. For those familiar with my lab, this is something I went about doing a little less than a year ago during a lengthy lab refresh. Each time I forklift the security appliance I try to get some significant gains, such as when I migrated from SmoothWall to Untangle.

To be clear, my Untangle firewall was pretty awesome for the years it protected my home and lab. Total investment was under $300 in the hardware – a little Shuttle toaster box – with free software. Back in 2014, I even wrote a post showing folks how to use VLANs with version 9.x (something that didn’t become available until version 10.x). Here’s my original blurb on it:

Untangle is a snazzy and free Linux-based firewall and services device. Using a shopping-cart-like experience, one can pluck a variety of free and paid applications and drop them on the device. I personally run the virus blocker, spyware blocker, firewall, IPS, and IPsec VPN apps for my home lab on a baby-sized Atom box that, although many years old, still purrs like a kitten. This strikes me as rather impressive, since the box is on 24/7 and was built using COTS (commodity off-the-shelf) hardware.

With Untangle, the main complication was their pricing model for enterprise-y features. Chief among them was site-to-site tunneling and client-side VPN, which were always a bit ghetto on Untangle but things I really needed. The complete licensing package for Untangle is just over $500 US per year, which is too rich for my blood.

Meraki licensing is really simple to view and update

The other constraint was that my Untangle hardware was really, really old. It was begging for a replacement. 🙂

Rather than spec'ing out another whitebox, I realized I was a bit tired of being the support person for hardware and have been actively seeking solutions that are turn-key, such as my Synology and ioSafe arrays for storage. Most of the security appliances in the market seemed too watered down (home usage) or more like a pet project that required far too much time investment. I value time as one of the most precious and valuable commodities, especially for a device that literally allows me access to the Internet.

As a work-from-home person, this is non-trivial and not something I’m willing to risk. I require a rock solid device that allows me to yell (nicely) at support if it breaks. 🙂

I'm a huge fan of the Site-to-Site VPN simplicity

Meraki had made a splash in the market well before Cisco bought them. The idea of having a security appliance that I could fully manage from anywhere was very attractive because I travel frequently. And the MX60w supported the entire gauntlet of features I needed for half the cost of Untangle’s annual license. It’s also a wireless access point, which I use to connect my infrastructure devices (Nest, Sonos speakers, and the like).

After being a Meraki customer for 10+ months, I can say that I’m still a huge fan and have bought more of them for other folks (even at Rubrik). My favorite features thus far include:

  1. The VPN tunneling is intuitive, easy to set up, and auto-magic when connecting to other Meraki devices.
  2. The per-client visibility is nice to see what’s eating up bandwidth, or determine if something is being too chatty.
  3. Being able to control the device over the web or mobile app is incredibly clutch, allowing me to manage several devices from a single account.

Another time saver is having Meraki automatically handle all of my scheduled maintenance for me. I can select when it’s OK to push code, and what level of code I want – stable or beta – and they do the rest. As an example, I’m scheduled to get the next round of firmware on February 27th.


Again, less time spent is a huge win for me, because I don’t want to spend time with the device. I just want it to forward good traffic and block bad traffic. 🙂

I’m guessing there are better devices out there that meet someone else’s design requirements. Meraki met mine and I’m very pleased with the device. As a reminder, each environment’s functional design is going to be unique in some ways, so I don’t believe there is a “best way” when it comes to hardware. Buy what makes sense for you, as I did, and go forward from there. Enjoy!