Thunder SSLi - Microshare-inc

Transcription

DATASHEET

THUNDER SSLi

High-Performance Visibility in Encrypted Traffic

Supported Platforms: Thunder SSLi physical appliance

The A10 Networks Thunder SSLi products feature A10’s SSL Insight technology, which eliminates the blind spot imposed by SSL encryption by offloading CPU-intensive SSL decryption and encryption functions from third-party security devices. Thunder SSLi decrypts SSL-encrypted traffic and forwards it to one or more third-party security devices, such as a firewall, for deep packet inspection (DPI). Once the traffic has been analyzed and scrubbed, Thunder SSLi re-encrypts it and forwards to the intended destination.

Overview

A10 Networks enables organizations to analyze all data, including encrypted data, by intercepting SSL communications, decrypting and sending the traffic in cleartext to third-party security devices such as firewalls, threat prevention platforms and forensic tools for inspection.

Features and Benefits

Full Visibility into SSL Traffic

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to decrypt and re-encrypt SSL traffic at high speeds. In fact, some security products cannot inspect SSL traffic at all. SSL Insight offloads CPU-intensive decryption and re-encryption tasks from dedicated security devices, boosting performance.

Thunder SSLi functions as a forward proxy for SSL traffic, or as an explicit proxy to intercept SSL traffic. Organizations can simply deploy Thunder SSLi appliances to safeguard their communications efficiently.

In addition to inline deployment, organizations can deploy security devices, such as intrusion detection systems and forensics tools, in passive mode. Thunder SSLi decrypts SSL traffic and sends a copy of the unencrypted traffic to the non-inline security device for inspection. Thunder SSLi devices can provide visibility to proxy servers and can also act as a proxy server.
A single Thunder SSLi appliance can provide SSL visibility to the entire security stack. With SSL Insight, organizations can:

• Achieve high performance with SSL acceleration hardware – A10 Thunder SSLi comes equipped with powerful, dedicated SSL security processors that can scale to meet high-volume traffic demands. With SSL acceleration hardware, Thunder SSLi delivers near parity performance between 1024-bit and 2048-bit key sizes and has the extreme power needed to handle 4096-bit keys at high-performance production levels. Multiple cipher suites are available including DHE and ECDHE for perfect forward secrecy (PFS) support.

• Scale security with load balancing – Besides offloading SSL decryption and encryption, Thunder SSLi can load balance multiple firewalls or other security devices, dramatically increasing their performance, and can track each connection to ensure that requests and responses are directed to the same device that inspected the traffic.

• Selectively manage traffic – Using the ICAP protocol, Thunder SSLi can interact with third-party devices to decide if traffic should be subject to SSL Insight. In addition, the URL classification service can enforce privacy policies so data like medical or financial records, etc., is not inspected and compliance criteria are met.

• Reduce load on security infrastructure by controlling which types of traffic to decrypt – Thunder SSLi can selectively redirect traffic based on application type to security devices and security service chains with fine-grained policies for effective traffic management. For example, Thunder SSLi can decrypt and forward email traffic and web traffic to a threat prevention platform, but not burden the device with other types of traffic.

• Granularly control traffic with aFleX policies – Using A10 Networks aFleX scripting, Thunder SSLi customers can examine, update, modify or drop requests. aFleX scripting enables organizations to fully control which traffic is intercepted and forwarded to a third-party security device and which traffic should be sanitized before being sent to the intended destination. aFleX offers complete control over application traffic, allowing customers to solve almost any type of application challenge.

• Bypass sensitive applications and block known malicious websites – To meet compliance requirements and ensure data privacy, SSL Insight can bypass trusted communications, such as traffic to banking and healthcare applications. With a URL classification subscription, Thunder SSLi can categorize traffic to over 460 million domains, ensuring confidential data remains encrypted. The optional URL classification subscription can also maximize employee productivity and reduce security risks by blocking access to malicious websites, including malware, spam, and phishing sites.

A Single Point for Decryption and Analysis

Organizations often deploy multiple security solutions to analyze and filter application traffic. SSL Insight offers a centralized point to decrypt SSL traffic and send it in clear text to a myriad of devices, eliminating the need to decrypt traffic multiple times. Thunder SSLi can interoperate with:

• Firewalls
• Secure Web Gateways
• Intrusion Prevention Systems (IPS)
• Unified Threat Management (UTM) platforms
• Data Loss Prevention (DLP) products
• Threat prevention platforms
• Network forensics and web monitoring tools

Many security devices are not designed for inline deployment or for high-speed SSL decryption. Thunder SSLi enables these devices to inspect SSL-encrypted data without burdening the devices with computationally intensive SSL processing. Thunder SSLi can decrypt traffic once and forward traffic to a multitude of inline and non-inline security devices.

Comprehensive and Scalable Management

To streamline and automate management, Thunder SSLi includes an industry standard CLI, a web user interface, and a RESTful API (aXAPI) which can integrate with third party or custom management consoles. For larger deployments, the aGalaxy centralized management system ensures routine tasks can be performed at scale across multiple Thunder appliances, regardless of physical location. Thunder SSLi also supports the latest AppCentric Templates for easy and speedy configuration and deployment, cutting down the setup-to-deployment time from hours to just a few minutes.

Architecture and Key Components

SSL Insight Traffic Flow

1. Encrypted traffic from the client is decrypted by the internal, client-side Thunder appliance.
2. A10 Thunder appliance sends the unencrypted data to a security appliance which inspects the data in clear text.
3. The external Thunder appliance re-encrypts the data and sends it to the server.
4. The server sends an encrypted response to the external Thunder appliance.
5. A10 Thunder appliance decrypts the response and forwards it to the security device for inspection.
6. The internal Thunder appliance receives traffic from the security device, re-encrypts it and sends it to the client.

Figure 1: Logical view of traffic flow through the SSL Insight decrypt zone.

Figure 2: A10 Thunder SSLi or Thunder CFW devices can decrypt traffic for a variety of security products, including inline, non-inline (passive/TAP) and ICAP enabled devices.

Product Description

Thunder SSLi Product Line

Thunder SSLi appliances support any deployment need. Each Thunder SSLi appliance is powered by A10 Networks Advanced Core Operating System (ACOS), which brings a unique combination of shared memory accuracy and efficiency, 64-bit scalability and advanced flow processing.

Thunder SSLi Hardware Appliances:

-- The A10 Thunder SSLi line of appliances fits all size networks in a single, rack-mountable deployment to address the most demanding requirements.
-- All models, except for Thunder 840, are dual power supply capable. All models also feature solid-state drives (SSDs) and use no inaccessible moving parts for high availability.
-- All models benefit from A10’s Flexible Traffic Accelerator (FTA) technology, with select models featuring Field Programmable Gate Arrays (FPGAs) for hardware optimized FTA processing; this provides highly scalable flow distribution and DDoS protection capabilities.
-- Select models include switching and routing processors for high-speed network processing, dedicated security processors for SSL offload, and lights-out management (LOM) for out-of-band monitoring and management.
-- Each appliance offers exceptional performance per rack-unit to reduce power consumption costs and ensure a green solution. Coupled with high density 1 GbE, 10 GbE and 40 GbE port options, Thunder SSLi meets the highest networking bandwidth demands.

Thunder SSLi Hardware Appliance Specifications Table

| | Thunder 840 | Thunder 3230S | Thunder 3430S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 0.5 Gbps | 3.5 Gbps | 5.5 Gbps |
| SSLi CPS (2k key)*1 *2 | 300 | 12.5k | 18k |
| Network Interface | | | |
| 1 GE Copper | 5 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 4 | 4 |
| 1/10 GE Fiber (SFP+) | 2 | 4 | 4 |
| 40 GE Fiber (QSFP+) | 0 | 0 | 0 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | No | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Communication Processor | Intel Xeon 4-core | Intel Xeon 6-core |
| Memory (ECC RAM) | 8 GB | 16 GB | 32 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | Software | 1 x FTA-4 FPGA | 1 x FTA-4 … |
| SSL Security Processor | … | …al | Dual or Quad |
| Power Consumption (Typical/Max)*3 | 57W / 75W | 210W / 265W | 240W / 288W |
| Heat in BTU/hour (Typical/Max)*3 | 195 / 256 | 717 / 904 | 819 / 983 |
| Power Supply (DC option available) | Single 150W (AC only); 100 - 240 VAC, 50-60 Hz | Dual 600W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 600W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz |
| Cooling Fan | Single Fixed Fan | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.0 (W), 12 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |
| Unit Weight | 8.8 lbs | 23 lbs | 23 lbs |
| Operating Ranges | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% |
| Regulatory Certifications | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, MSIP, BSMI, RCM, NEBS, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, MSIP, BSMI, RCM, NEBS, RoHS, FIPS 140-2 |
| Standard Warranty | 90-day Hardware and Software | 90-day Hardware and Software | 90-day Hardware and Software |

*1 SSLi performance are measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder SSLi Hardware Appliance Specifications Table (continued)

| | Thunder 4440S | Thunder 5330S | Thunder 5440S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 8 Gbps | 8 Gbps | 12.5 Gbps |
| SSLi CPS (2k key)*1 *2 | 22k | 24k | 28k |
| Network Interface | | | |
| 1 GE Copper | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 24 | 8 | 24 |
| 40 GE Fiber (QSFP+) | 4 | 0 | 4 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | Yes | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Xeon 6-core | Intel Xeon 10-core | Intel Xeon 12-core |
| Memory (ECC RAM) | 32 GB | 32 GB | 64 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | 2 x FTA-4 FPGA | 1 x FTA-4 FPGA | 2 x FTA-4 FPGA |
| Switching/Routing | Hardware | Hybrid*4 | Hardware |
| SSL Security Processor | Dual or Quad | Dual or Quad | Dual or Quad |
| Power Consumption (Typical/Max)*3 | 400W / 485W | 240W / 288W | 400W / 485W |
| Heat in BTU/hour (Typical/Max)*3 | 1,365 / 1,655 | 819 / 983 | 1,365 / 1,655 |
| Power Supply (DC option available) | Dual 1100W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 600W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 1100W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz |
| Cooling Fan | Hot Swap Smart Fans | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |
| Unit Weight | 32.5 lbs | 23 lbs | 32.5 lbs |
| Operating Ranges | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% |
| Regulatory Certifications | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, NEBS, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS, FIPS 140-2 |
| Standard Warranty | 90-day Hardware and Software | 90-day Hardware and Software | 90-day Hardware and Software |

*1 SSLi performance are measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder SSLi Hardware Appliance Specifications Table (continued)

| | Thunder 5840S | Thunder 6440S | Thunder 7440S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 17.5 Gbps | TBD | TBD |
| SSLi CPS (2k key)*1 *2 | 50k | TBD | TBD |
| Network Interface | | | |
| 1 GE Copper | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 24 | 48 | 48 |
| 40 GE Fiber (QSFP+) | 4 | 4 | 4 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | Yes | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Xeon 18-core | Intel Xeon Dual 8-core | Intel Xeon Dual 18-core |
| Memory (ECC RAM) | 64 GB | 128 GB | 128 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | 2 x FTA-4 FPGA | 3 x FTA-4 FPGA | 3 x FTA-4 FPGA |
| Switching/Routing | Hardware | Hardware | Hardware |
| SSL Security Processor | Dual or Quad | 2 x Dual | 2 x Dual |
| Power Consumption (Typical/Max)*3 | 415W / 510W | 560W / 630W | 770W / 900W |
| Heat in BTU/hour (Typical/Max)*3 | 1,417 / 1,741 | 1,911 / 2,150 | 2,628 / 3,071 |
| Power Supply (DC option available) | Dual 1100W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 1100W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 1100W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz |
| Cooling Fan | Hot Swap Smart Fans | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |
| Unit Weight | 32.5 lbs | 36 lbs | 36 lbs |
| Operating Ranges | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% | Temperature 0 - 40 C, Humidity 5% - 95% |
| Regulatory Certifications | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, RoHS, FIPS 140-2 |
| Standard Warranty | 90-day Hardware and Software | 90-day Hardware and Software | 90-day Hardware and Software |

*1 SSLi performance are measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder 840, Thunder 3230S, Thunder 3430S, Thunder 4440S, Thunder 5330S, Thunder 5440S, Thunder 5840S, Thunder 6440S, Thunder 7440S

Detailed Feature List*
(* Features may vary by appliance)

SSL Insight

• High-performance SSL decryption and encryption as a forward proxy
• Internet Content Adaptation Protocol (ICAP) support for data loss prevention (DLP) and anti-virus solutions
• Dynamic port decryption to detect and intercept SSL or TLS traffic regardless of TCP port number
• Forward proxy failsafe to bypass traffic when there is a handshake failure
• SSL Insight bypass based on hostname; bypass list scales up to 1 million Server Name Indication (SNI) values
• Multi-bypass list support
• Extensive cipher and protocol support
-- SSL 3.0, TLS 1.0/1.1/1.2
-- RSA/DHE/ECDHE ciphers with Perfect Forward Secrecy (PFS) support
-- SHA, SHA-2, MD5 Message Authentication Code (MAC) algorithms
• Decryption of HTTPS, STARTTLS, SMTP, XMPP, POP3, SSH, SCP, sFTP
• Client certificate detection and optional bypass
• Untrusted certificate handling using the Online Certificate Status Protocol (OCSP)
• TLS alert logging to log flow information from SSL Insight events
• SSL session ID reuse
• aFleX scripting for deep packet inspection and customizable, application-aware switching
• High Availability – Active-Active, Active-Standby configurations
• Firewall Load Balancing (FWLB)
• Hardware Security Module (HSM) FIPS 140-2 Level 3**

URL Classification and Filtering***

• URL Classification Service powered by Webroot to monitor, block, or selectively bypass websites based on web categories
• Optional monitoring and blocking of known malicious or undesirable websites using URL Filtering

Operation Modes

• Inline transparent proxy or explicit proxy deployment with passive, non-inline third-party devices
• Inline transparent proxy or explicit proxy deployment with active, inline third-party devices
• Inline transparent proxy or explicit proxy deployment with ICAP-connected devices
• Inline transparent proxy or explicit proxy deployment with third-party transparent and explicit proxy devices using proxy chaining

Management

• Dedicated management interface (Console, SSH, Telnet, HTTPS)
• Web-based Graphical User Interface (GUI) with Language Localization
• Industry-standard Command Line Interface (CLI) support
• Web-based AppCentric Templates (ACT) support****
• SNMP, Syslog, email alerts, NetFlow v9 and v10 (IPFIX), sFlow
• Port mirroring
• RESTful API (aXAPI)
• LDAP, TACACS+, RADIUS support

* Features may vary by appliance
** Available on select models
*** URL Classification subscriptions are available as an additional paid service
**** Available as an early availability feature

Carrier-grade Hardware

• Dedicated SSL security processors for high performance
• 40 GE ports
• Tamper Detection
• For non-inline deployments, traffic flows can be segmented by traffic type and broadcast through up to four network interfaces, enabling organizations to filter relevant traffic and to scale out security deployments.
• For inline deployments, Thunder SSLi can offload SSL decryption functions and load balance multiple security devices

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com.

Corporate Headquarters

A10 Networks, Inc
3 West Plumeria Ave.
San Jose, CA 95134 USA
Tel: 1 408 325-8668
Fax: 1 408 325-8666
www.a10networks.com

Part Number: A10-DS-15113-EN-09 Feb 2017

Worldwide Offices

North America: sales@a10networks.com
Europe: emea sales@a10networks.com
South America: latam …na china sales@a10networks.com
Hong … ks.com
Korea: korea@a10networks.com
South Asia: southasia@a10networks.com
Australia/New Zealand: anz sales@a10networks.com

2017 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, A10 Harmony, A10 Lightning, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.

To discover how A10 Networks products will enhance, accelerate and secure your business, contact us at a10networks.com/contact or call to speak with an A10 sales representative.
