Infrastructure - Network Security

Multi-Site Network Hardening + Duo RADIUS MFA Deployment

Industry: Healthcare - Radiology
Sites: 8 Sites
MFA Coverage: 100%
Platform: Cisco Meraki MX75

Situation

A multi-site healthcare organization operated 8 locations with no standardized firewall policy, no MFA enforcement on remote access, and Meraki MX75 appliances deployed in default or minimally configured states. VPN authentication relied on native Meraki Auth with no second factor, and no outbound traffic controls were enforced at any site.

From a HIPAA perspective, the lack of network-level access controls and absence of MFA on remote access represented direct violations of the Technical Safeguards requirements under §164.312. The engagement had two parallel workstreams: standardize and harden the Meraki fleet, and deploy phishing-resistant MFA for VPN access covering users on legacy systems that could not participate in Entra ID Conditional Access.

Meraki MX75 Hardening

A hardening template was built and validated on the primary site before replication. This template-first approach ensured that every subsequent site deployment was consistent and documented, reducing configuration drift risk across the fleet.

L3 Outbound Deny Rules (9 rules)

  • Port 23 — Telnet blocked
  • Port 25 — SMTP outbound blocked
  • Port 135 — RPC blocked
  • Ports 137-139 — NetBIOS blocked
  • Port 445 — SMB blocked
  • Port 1080 — SOCKS proxy blocked
  • Port 3389 — RDP outbound blocked
  • Port 4444 — Reverse shell blocked

Security Controls

  • IDS in Prevention/Security mode (AMP enabled)
  • Content Filtering — Safe Search enforced
  • YouTube Strict mode enabled
  • L7 blocking: Gaming, Sports, Video/Music
  • L7 blocking: Blogging, Advertising categories
  • IP spoofing protection enabled
  • UPnP disabled at all sites
  • ISP gateway radio disablement documented

# Hardening validation — primary site
 
[OK] L3 outbound deny ruleset — 9 rules active
[OK] IDS mode — Prevention/Security
[OK] AMP — enabled
[OK] Content filtering — Safe Search + YouTube Strict
[OK] L7 policy — 5 categories blocked
[OK] IP spoofing — blocked
[OK] Port forwarding — none configured
[>>] Replication pending — 6 remaining sites

# Template documented and staged for rollout

Template-first approach: The primary site was fully hardened and validated before replication. This created a tested baseline that could be applied consistently across all remaining sites without per-site guesswork.
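A template-first rollout is only as good as the check that catches drift afterwards. The following is an added example, not the page's own tooling: it compares a site's appliance settings, in the shape the Meraki Dashboard API returns for the L3 firewall, intrusion, malware and port-forwarding endpoints, against the primary-site baseline. The two site records are constructed samples; in practice they would be fetched per network from the API.

```python
"""Per-site drift check against the hardening template (added example).

Site records mirror the Meraki Dashboard API response shapes for the
L3 firewall rules, intrusion, malware (AMP) and port-forwarding endpoints.
The HUB and SPOKE records below are constructed samples, not live data.
"""
from typing import List

# Baseline taken from the template: outbound destination ports that must be denied.
BASELINE_DENY_PORTS = {"23", "25", "135", "137-139", "445", "1080", "3389", "4444"}

def denied_ports(l3_rules: List[dict]) -> set:
    """Destination ports covered by deny rules that apply to any destination."""
    return {r["destPort"] for r in l3_rules
            if r["policy"] == "deny" and r.get("destCidr", "Any").lower() == "any"}

def drift_report(site: dict) -> List[str]:
    """Return one finding per deviation from the template; empty means compliant."""
    findings = []
    missing = BASELINE_DENY_PORTS - denied_ports(site["l3_rules"])
    if missing:
        findings.append("missing L3 deny for ports " + ", ".join(sorted(missing)))
    ids = site["intrusion"]
    if ids.get("mode") != "prevention" or ids.get("idsRulesets") != "security":
        findings.append(f"IDS is {ids.get('mode')}/{ids.get('idsRulesets')}, expected prevention/security")
    if site["malware"].get("mode") != "enabled":
        findings.append("AMP not enabled")
    if site["port_forwarding"]:
        findings.append(f"{len(site['port_forwarding'])} port-forwarding rule(s) present, template has none")
    return findings

def _rule(port: str, comment: str) -> dict:
    """Build an L3 outbound deny rule in the Dashboard API field layout."""
    return {"comment": comment, "policy": "deny", "protocol": "any",
            "destPort": port, "destCidr": "Any", "srcPort": "Any", "srcCidr": "Any"}

# Constructed samples: the hub matches the template, the spoke has drifted.
HUB = {
    "l3_rules": [_rule(p, "template") for p in sorted(BASELINE_DENY_PORTS)],
    "intrusion": {"mode": "prevention", "idsRulesets": "security"},
    "malware": {"mode": "enabled"},
    "port_forwarding": [],
}
SPOKE = {
    "l3_rules": [_rule(p, "template") for p in sorted(BASELINE_DENY_PORTS - {"445"})],
    "intrusion": {"mode": "detection", "idsRulesets": "balanced"},
    "malware": {"mode": "enabled"},
    "port_forwarding": [{"name": "legacy", "publicPort": "3389", "localPort": "3389"}],
}

if __name__ == "__main__":
    for name, site in (("hub", HUB), ("spoke", SPOKE)):
        print(name, drift_report(site) or ["OK"])
```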

Hub-and-Spoke AutoVPN Topology

The organization's multi-site connectivity was restructured around a hub-and-spoke AutoVPN model with centralized DHCP and NAT governance. This simplified routing while improving visibility and control over inter-site traffic.

  • Hub site designated as the centralized VPN concentrator for all spoke locations
  • DHCP reservations managed via Meraki dashboard for all domain-joined desktops — preferred over OS-level static IPs to reduce configuration drift and simplify auditing
  • NAT governance documented at each site
  • ISP-provided gateways with wireless radios disabled at all sites to eliminate unauthorized wireless entry points

Cisco Duo RADIUS MFA Deployment

The organization's VPN used Meraki Client VPN with native Meraki Auth — no second factor. Legacy clinical systems including PACS workstations could not enroll in Entra ID Conditional Access, meaning standard MFA enforcement left a gap on VPN access from these systems.

The solution was to deploy Cisco Duo RADIUS MFA as an Auth Proxy on a production Ubuntu server, then migrate the Meraki MX75 VPN authentication source from Meraki Auth to RADIUS, routing all authentication through Duo before granting VPN access.

  • Duo Auth Proxy 6.6.0 deployed on Ubuntu 24.04 LTS production server
  • Duo Mobile activated for all VPN users
  • Meraki MX75 VPN authentication source migrated from Meraki Auth to RADIUS
  • All VPN authentication now routes through Duo second-factor verification
  • 100% MFA coverage achieved organization-wide including legacy systems
  • Compensating control CC-VPN-001 formally closed — satisfied Beazley cyber insurance Q5 requirement

Why Duo instead of Entra Conditional Access? Legacy clinical workstations (PACS, MRI modality systems) cannot be enrolled in Intune or participate in Entra ID Conditional Access due to OS version or domain join constraints. Duo RADIUS bridges this gap — any system that can authenticate via RADIUS gets MFA, regardless of OS or enrollment status.
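Because the MX now trusts whatever the Auth Proxy answers, the proxy's own authproxy.cfg becomes the control that has to be right. The following pre-flight check is an added example, not Duo's or the page's own tooling: it parses a staged config and flags the settings that would weaken the RADIUS MFA path. The section and key names are the documented Duo Authentication Proxy ones; the config text, integration key and secrets are constructed placeholders.

```python
"""Pre-flight check for a staged Duo Authentication Proxy config (added example).

Uses the documented authproxy.cfg sections [duo_only_client] and
[radius_server_auto]; SAMPLE_CFG is a constructed placeholder config.
"""
import configparser
import re
from typing import List

SAMPLE_CFG = """\
[duo_only_client]

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY_PLACEHOLDER
api_host=api-example1.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_WITH_RADIUS_SECRET_PLACEHOLDER
client=duo_only_client
failmode=safe
port=1812
"""

def check_authproxy(text: str) -> List[str]:
    """Return findings that would leave the MX VPN without a real second factor."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings: List[str] = []
    if "radius_server_auto" not in cp:
        return ["no [radius_server_auto] section: the MX has nothing to send RADIUS to"]
    s = cp["radius_server_auto"]
    for key in ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client"):
        if not s.get(key):
            findings.append(f"{key} missing")
    if not re.fullmatch(r"api-[0-9a-z]{8}\.duosecurity\.com", s.get("api_host", "")):
        findings.append("api_host is not a Duo API hostname")
    client = s.get("client", "")
    if client and client not in cp:
        findings.append(f"client section [{client}] referenced but not defined")
    # failmode defaults to 'safe': if Duo is unreachable, primary auth alone succeeds,
    # so the MFA control silently degrades to single factor.
    if s.get("failmode", "safe") != "secure":
        findings.append("failmode is 'safe': VPN logins pass without MFA while Duo is unreachable")
    if len(s.get("radius_secret_1", "")) < 16:
        findings.append("radius_secret_1 shorter than 16 characters")
    return findings

if __name__ == "__main__":
    for line in check_authproxy(SAMPLE_CFG) or ["OK"]:
        print(line)
```

Whether failmode=secure is acceptable depends on the site's tolerance for VPN outages during a Duo cloud incident; the check surfaces the trade-off rather than making it.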

Outcomes

  • 100% MFA coverage on VPN access — including all legacy clinical systems outside Entra CA scope
  • Primary site fully hardened — 9-rule L3 deny ruleset, IDS Prevention, AMP, Content Filtering, L7 blocking
  • Hardening template documented and validated for consistent rollout across remaining 7 sites
  • Hub-and-spoke AutoVPN topology established with centralized DHCP/NAT governance
  • Beazley cyber insurance Q5 (VPN MFA) satisfied — compensating control formally closed
  • HIPAA §164.312 Technical Safeguards — network access control and authentication requirements addressed

Need network hardening or MFA deployment?

This work maps to the Tier 2 Security Hardening engagement. Multi-site Meraki deployments and legacy system MFA are a core specialty.