Hey everyone! We recently got ISO certified and upgraded our network with Meraki switches and access points. I'm wondering if we need to scan these devices since they're cloud-managed and have a low attack surface (they lack SSH, Telnet, etc.). Scanning doesn't seem to reveal much information, like OS versions. What do you all think?
4 Answers
ISO27001 is essentially a framework. The key thing is to check your actual written policy about scanning. What does it state about devices in your network?
We've turned off the HTTP interface on our Meraki APs. The only concern from our security team is that a scan doesn't provide much visible detail about the devices.
If your Meraki devices are in a building you own or on a virtualization platform you control, then yes, you should definitely scan them! It’s important for compliance, regardless of the visibility you have into the systems.
You should be scanning anything within your network boundary. It’s just a good practice to ensure everything is secure, even if those devices are cloud-managed.
Yeah, the lack of scan details might actually please your security team since it indicates fewer vulnerabilities they can detect.