WIXLIB

Data SheetThunder SSLiReal-Time Visibility Into Encrypted TrafficThe most comprehensive decryption solution, A10 Thunder SSLi Platforms(SSL Insight) decrypts traffic across all ports, enabling thirdparty security devices to analyze all enterprise traffic withoutcompromising performance.Thunder SSLiPhysical ApplianceVThunder SSLiVirtual ApplianceEliminate the BlindSpotManagementThunder SSLi eliminates the blind spotThunder SSLi boosts the performance ofintroduced by SSL encryption by offloadingthe security infrastructure by decryptingCPU-intensive SSL decryption and encryptiontraffic and forwarding it to one or morefunctions from third-party security devices,third-party security devices, such as awhile ensuring compliance with privacyfirewall for deep packet inspection (DPI).standards.Harmony ControllerCentralized Analyticsand ManagementThunder SSLi re-encrypts traffic andWhile dedicated security devices provideforwards it to the intended destination.in-depth inspection and analysis of networkResponse traffic is also inspected in thetraffic, they are not designed to decrypt andsame way.encrypt traffic at high speeds. In fact, manysecurity products do not have the ability todecrypt traffic at all.TalkWith A10Weba10networks.com/ssli1

BenefitsGain Full VisibilitySecureInto The Blind SpotKey StorageThunder SSLi decrypts traffic across allStoring encryption keys on manyports and multiple protocols, eliminatingappliances in the network can introducethe encryption blind spot and enablingserious vulnerabilities. Threat actorsthe security infrastructure to inspectcan acquire keys from vulnerable pointspreviously invisible traffic, detect hiddenand use them for encrypted attacks orthreats and defend against them.data extraction.With FIPS 140-2 Level 3-validatedinternal and external Hardware SecurityDecrypt Trafficfor All Security DevicesTo truly secure an enterprise network,Module (HSM) support, ThunderSSLi reduces decryption points soencryption keys are stored securely.from both internal and external threats,organizations require the help of avariety of security devices.Thunder SSLi works with the majorsecurity vendors, which may bedeployed in a number of ways in the“secure decrypt zone”, ensuring thatthe whole network is secure againstValidateCertificate StatusAttackers can use invalid certificatesto infiltrate networks. If these attacksare not blocked, users can be at risk ofmultiple attacks.encrypted threats. Thunder SSLiThunder SSLi helps the systeminteroperates with:confirm the validity of certificates it Firewalls Secure Web Gateways (SWG)receives from the server by supportingCertificate Revocation Lists (CRL)and Online Certificate Status Protocol Intrusion Prevention Systems (IPS)(OCSP). These protocols help verify the Unified Threat Management (UTM)origin certificate is valid.platforms Data Loss Prevention (DLP)products Threat Prevention platforms Network Forensics and WebMonitoring tools2

EnsureReduceCompliance and PrivacyOperational CostsThunder SSLi allows for selectiveThunder SSLi offers a centralized pointdecryption, making sure thatto decrypt enterprise traffic, forwardingorganizations can keep up withit to many inline and non-inlineindustry, government and othersecurity devices. This eliminates thecompliance and privacy standards. Fordecryption overhead of each securityexample, HIPAA compliance may forbiddevice, improving performance whilethe decryption of private and sensitivemaintaining proper security diligence.healthcare information.It also eliminates the need to purchasebigger security devices just to supportresource-exhausting decryption andencryption functions.Simplify Operationsand ManagementA wizard-based "on the box" configuration, deployment and management tool, AppCentric Templatesmake Thunder SSLi the easiest-to-use decryption solution in the industry. With informative dashboards,organizations can track their network with ease. Thunder SSLi also includes an industry-standard CLI, a webuser interface and a RESTful API (aXAPI ), which integrates with third-party or custom management consoles.Good120 Kbps761947223System StatusSSL TrafficSSL CPSSSL SessionsCerts in Cache LegendSSL Inspection StatusSSL Traffic Legend 10 sSSL Traffic89 %11%DecryptedConn Rate0%BypassedErrors LegendKey Exchange MethodsDecrypted 60Access to Suspicious WebsitesECDHEDHE15:36:30Top Bypassed 30Top Accessed fofail-safeothersAppCentricTemplates helpusers manage theirencrypted trafficusing a dashboardto visualize SSLtraffic, decryptionand encryption,bypassing, trafficmanagement usingcategorization,and more.33

A10 Harmony Controller provides centralized management and rich analytics for multiple Thunder devicesfrom multiple branch offices into one centralized and condensed console. Distributed Thunder devices canbe configured and managed through Harmony Controller from a central location. Harmony Controller candisplay either individual Thunder device statistics or as a aggregated into an intuitive dashboard for fastertroubleshooting and rich analytics.A10 HarmonyController providescentralizedmanagementand analyticsfor completevisibility into allSSLi instances.Dashboard canbe populated foreach SSLi instanceindividually or inaggregated fashionproviding a holisticview into trafficpatterns.4

Reference ArchitecturesDecrypt ZoneSecurity DeviceHarmony Controller26 3147Client5A10 Thunder SSLiInternetRemote Server1Encrypted traffic from the client is interceptedby Thunder SSLi and decrypted.5The server processes the request and sendsan encrypted response to Thunder SSLi.2Thunder SSLi sends the decrypted traffic to asecurity device, which inspects it in clear-text.6Thunder SSLi decrypts the response traffic andforwards it to the same security device forinspection.3The security device, after inspection, sends thetraffic back to Thunder SSLi, which interceptsand re-encrypts it.7Thunder SSLi receives the traffic from thesecurity device, re-encrypts it and sends it tothe client.4Traffic Flow Throughthe Decrypt ZoneThunder SSLi provides visibility via a logicaldecrypt zone where third-party securitydevices inspect traffic for threats. Thunder SSLican be deployed in a one- or two-applianceconfiguration.Thunder SSLi sends the re-encrypted traffic tothe server.Decrypt ZoneNon-InlineSecurity DeviceIDS/ATPClientInlineSecurity DeviceIPS/NGFWICAPDeviceDLP/AVHarmony ControllerA10 Thunder SSLiThunder7655S SSLiby the NumbersMultiple Deployment &Decryption OptionsInternetThunder SSLi may be deployed inline, on theenterprise perimeter, and can decrypt traffic fora variety of security products simultaneously,including inline, non-inline (passive/TAP) andICAP-enabled devices.72 Gbps145 Gbps4M100SSLi ThroughputSSL BulkThroughputSSLi ConcurrentSessionsGbE PortsRSA: 100KECDHE: 70KSSLi CPS5

Decrypted Traffic Solutionsfor any Security DeviceThunder SSLi decrypts traffic for security devices from the top vendors.Firewalls Cisco ASA with FirePOWER Palo Alto Networks NextGeneration Firewalls Check Point Next GenerationFirewallsSecure WebGatewaysAdvanced ThreatProtection OPSWAT MetaDefender FireEye Network Security Garland Technology NPB Fidelis Network Bivio Networks CybersecurityForensics and SecuritySystems RSA NetWitness Symantec ProxySGOthers Trend Micro Deep Security Cyphort Advanced Threat Detection Vectra Networks Cybersecurity IBM QRadar Forcepoint Trusted GatewaySystemFeaturesDecryptFull-ProxyAcross Multiple Ports and ProtocolsArchitectureUsing Dynamic Port Inspection,Thunder SSLi operates as a full-proxy,Thunder SSLi decrypts traffic across allwhich enables adjusting of cipher suiteTCP ports. Decryption for protocols likeselection for encryption. Thunder SSLiSTARTTLS, XMPP, SMTP and POP3 arecan re-negotiate to a different cipheralso supported.suite of similar strength, making thesolution future-proof against newHowever, the decryption functionalitiesciphers or TLS versions that might beare not limited to only SSL/TLS,introduced to the network withoutencrypted traffic and decryption fornotice. Thunder SSLi can ensureSSH traffic is supported as well.traffic is encrypted using the mostsecure ciphers, eliminating the use ofcompromised ciphers.6

Multiple CiphersSecure HSMfor PFS Supportfor FIPS ComplianceWith dedicated SSL accelerationThunder SSLi supports both internal andhardware, Thunder SSLi deliversexternal network HSMs to ensure privatehigh performance with 2048-bit andkeys are securely stored. With industry-4096-bit key sizes, while supportingleading support for up to four internalmultiple cipher suites, including DHEHSMs (FIPS 140-2 Level 3-validated),and ECDHE, for perfect forward secrecyThunder SSLi provides high performance(PFS) support.with better security. Thunder SSLiinteroperates with existing external HSMsdeployed in the network.URL Classificationfor Selective DecryptionThunder SSLi URL classificationcategorizes the traffic of more than 460million domains, selectively bypassingtraffic decryption to enforce privacypolicies so private/sensitive data (e.g.,medical or financial records) is notdecrypted, in adherence to compliancestandards like HIPAA.URL FilteringExplicitProxy SupportIn addition to the standard transparentproxy deployment, Thunder SSLican also be deployed as an explicitproxy, giving more control over trafficmanagement. Thunder SSLi can connectto multiple upstream proxy serversusing proxy chaining.ICAPSupportfor Access ControlData Loss Prevention (DLP) systemsURL filtering is used to maximizetypically use ICAP to connect to theemployee productivity and reducenetwork and help prevent unauthorizedrisks by blocking access to maliciousdata exfiltration. Thunder SSLi supportswebsites, including malware, spam andICAP connectivity simultaneously withphishing sources.other decryption modes. This enables anetwork’s existing DLP systems withoutthe purchase of extra solutions.Load BalanceSecurity DevicesWith load-balancing support,GranularTraffic ControlThunder SSLi dramatically increasesExamine, update, modify or dropperformance of firewalls and otherrequests DPI using A10 aFleX scripting.security devices. Easily add securityFully control which traffic is interceptedcapacity and extend the life of existingand forwarded to a third-party securitysecurity devices. Flexible weighteddevice, and which traffic should betraffic priorities can be assigned.sanitized before being sent to theintended destination.7

Intelligent ServiceChainingfor High-Performance SecuritySelectively redirect traffic, based onapplication type, to different serviceCentralizedAnalytics andManagementfor Thunder SSLi ****chains with fine-grained policies.A10 Harmony Controller providesThunder SSLi reduces latency andperformance monitoring and fasterpotential bottlenecks with thetroubleshooting with device healthDecrypt Once, Inspect Many Timesstatus, logs and traffic pattern analysis.approach, consolidating decryption andencryption duties.Deep insights into anomalies andthreats enables enterprises to setadaptive controls and policy updatesthrough behavior analysis.UserAuthenticationand User-basedPoliciesThreat InvestigatorCreate security policies for users,and confidence scores. The Threatmaking sure no unauthorized access isInvestigator can be accessed as stand-allowed, with the identity and accessalone AppCentric Templates as well asmanagement feature. This also enablesthrough the access logs.Explore the trustworthiness ofwebsites, based on threat reputationyou to define user-ID-based traffic andinspection policies to maintain granularcontrol.8