NORRIS

Welcome to NORRIS, a Cisco Stealthwatch integration for your Meraki networks. See where your clients are, how badly they are infected, and quickly isolate them with Meraki MX or MR firewall rules.

Comment 2

Inspiration

Malware and Ransomware are becoming all too common. Left unchecked, these threats can devastate corporate networks like what happened to Maersk when the NotPetya attack was unleashed against Ukraine.

While tools like Stealthwatch can help identify which systems have been compromised, a gap exists between identifying the affected clients and taking swift action to prevent a further spread.

What it does

Visualizes the location and threat assessment of wired and wireless clients. Enables single button quarantine of malicious clients using APIs to automate changing vlans and firewall rules to isolate these devices from the rest of the network, until a technician can be dispatched to resolve the situation.

How I built it

We built a containerized application stack with a React front-end and Express back-end. In the front-end, we leveraged Google Maps and placed overlays for the building floor plan and positioned network clients, which we color-coded and provided "quarantine" and "release" actions for suspicious devices. In the back-end, we created collectors that fetch Meraki API data about network clients and firewall rules, listen to the Meraki Scanning API for device locations, and interrogate StealthWatch for the devices which are behaving suspiciously. We then correlated this data to tag the devices with an appropriate risk level in the user interface. When a user "quarantines" a device in the front-end, the back-end uses the Meraki API to apply firewall rules which isolate the device.

Challenges I ran into

The single biggest challenge in trying to create the software was the lack of data in the lab environment. We were quite surprised to find that the lab networks had no clients of any kind, nor was a suitable StealthWatch instance available. We were able to use our in-house CMNA stack to provide the Meraki data. And thanks to WWT's ATC Lab, we were able to secure a StealthWatch instance, a significant perk of being part of the WWT ecosystem.

Accomplishments that I'm proud of

The team has thought about this concept for a bit, and, it was fun and satisfying to see a working solution in a matter of a couple days.

What I learned

Stealthwatch works very easily with our Meraki network and provides data we otherwise wouldn't have regarding traffic on the network.

What's next for NORRIS

The Thelios team at WWT builds a product for provisioning and monitoring many Meraki networks. NORRIS is an additional monitoring feature that could be introduced in the near future.

Disclaimer

Chuck Norris has no affiliation nor endorsement with Thelios, WWT, or NORRIS. Chuck, if you're reading this, please don't roundhouse us, we're just big fans. 🙏

Built With

+ 12 more
Share this project:

Updates