Thunder SSLi - Netwell

Transcription

DATASHEET

THUNDER SSLi
High-Performance Visibility in Encrypted Traffic

Supported Platforms
Thunder SSLi physical appliance

The A10 Networks Thunder SSLi products feature A10’s SSL Insight technology, which eliminates the blind spot imposed by SSL encryption by offloading CPU-intensive SSL decryption functions from third-party security devices. Thunder SSLi decrypts SSL-encrypted traffic and forwards it to one or more third-party security devices such as a firewall, for deep packet inspection (DPI). Once the traffic has been analyzed and scrubbed, Thunder SSLi re-encrypts it and forwards to the intended destination.

Overview
A10 Networks enables organizations to analyze all data, including encrypted data, by intercepting SSL communications and sending it to third-party security devices such as firewalls, threat prevention platforms and forensic tools for inspection.

Features and Benefits

Full Visibility into SSL Traffic
While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to decrypt and re-encrypt SSL traffic at high speeds. In fact, some security products cannot inspect SSL traffic at all. SSL Insight offloads CPU-intensive decryption and re-encryption tasks from dedicated security devices, boosting performance.

Thunder SSLi functions as a forward proxy for SSL traffic, or as an explicit proxy to intercept SSL traffic. Organizations can simply deploy Thunder SSLi appliances to safeguard their communications efficiently.

In addition to inline deployment, organizations can deploy security devices, such as intrusion detection systems and forensics tools, in passive mode. Thunder SSLi decrypts SSL traffic and sends a copy of the unencrypted traffic to the non-inline security device for inspection. Thunder SSLi devices can provide visibility to proxy servers and can also act as a proxy server. A single Thunder SSLi appliance can provide SSL visibility to the entire security stack.

With SSL Insight, organizations can:

• Achieve high performance with SSL acceleration hardware – A10 Thunder SSLi comes equipped with powerful, dedicated SSL security processors that can scale to meet high-volume traffic demands. With SSL acceleration hardware, Thunder SSLi delivers near parity performance between 1024-bit and 2048-bit key sizes and has the extreme power needed to handle 4096-bit keys at high-performance production levels. Multiple cipher suites are available including DHE and ECDHE for perfect forward secrecy (PFS) support.

• Scale security with load balancing – Besides offloading SSL encryption, Thunder SSLi can load balance multiple firewalls or other security devices. A Thunder SSLi high availability pair can load balance multiple security devices and can track each connection to ensure that requests and responses are directed to the same device.

• Selectively manage traffic – Using the ICAP protocol, Thunder SSLi can interact with third-party devices to decide if traffic should be subject to SSL Insight. In addition, the URL classification service can enforce privacy policies so data to medical or financial organizations is not inspected.

• Reduce load on security infrastructure by controlling which types of traffic to decrypt – Thunder SSLi can selectively redirect traffic based on application type to security devices and security service chains with fine-grained policies. For example, Thunder SSLi can decrypt and forward email traffic and web traffic to a threat prevention platform, but not burden the device with other types of traffic.

• Granularly control traffic with aFleX policies – Using A10 Networks aFleX scripting, Thunder SSLi customers can examine, update, modify or drop requests. aFleX scripting enables organizations to fully control which traffic is intercepted and forwarded to a third-party security device and which traffic should be sanitized before being sent to the intended destination. aFleX offers complete control over application traffic, allowing customers to solve almost any type of application challenge.

• Block malicious websites and bypass sensitive applications – To meet compliance requirements and ensure data privacy, SSL Insight can bypass trusted communications, such as traffic to banking and healthcare applications. With a URL classification subscription, Thunder SSLi can categorize traffic to over 460 million domains, ensuring confidential data remains encrypted. The optional URL classification subscription can also maximize employee productivity and reduce security risks by blocking access to malicious websites, including malware, spam, and phishing sites.

Architecture and Key Components

SSL Insight Traffic Flow
1. Encrypted traffic from the client is decrypted by the internal, client-side Thunder SSLi.
2. Thunder SSLi sends the unencrypted data to a security appliance which inspects the data in clear text.
3. The external Thunder SSLi re-encrypts the data and sends it to the server.
4. The server sends an encrypted response to the external Thunder SSLi.
5. Thunder SSLi decrypts the response and forwards it to the security device for inspection.
6. The internal SSLi receives traffic from the security device, re-encrypts it and sends it to the client.

Figure 1: A10 Thunder SSLi helps protect internal users from web-based threats.

A Single Point for Decryption and Analysis
Organizations often deploy multiple security solutions to analyze and filter application traffic. SSL Insight offers a centralized point to decrypt SSL traffic and send it in clear text to a myriad of devices, eliminating the need to decrypt traffic multiple times. Thunder SSLi can interoperate with:

• Firewalls
• Secure Web Gateways
• Intrusion Prevention Systems (IPS)
• Unified Threat Management (UTM) platforms
• Data Loss Prevention (DLP) products
• Threat prevention platforms
• Network forensics and web monitoring tools

Many security devices are not designed for inline deployment or for high-speed SSL decryption. Thunder SSLi enables these devices to inspect SSL-encrypted data without burdening the devices with computationally intensive SSL processing. Thunder SSLi can decrypt traffic once and forward traffic to a multitude of inline and non-inline security devices.

Figure 2: A10 Thunder SSLi can decrypt and forward traffic to security devices that are non-inline passively deployed.

Comprehensive and Scalable Management
To streamline and automate management, Thunder SSLi includes an industry standard CLI, a web user interface, and a RESTful API (aXAPI) which can integrate with third party or custom management consoles. For larger deployments, the aGalaxy centralized management system ensures routine tasks can be performed at scale across multiple Thunder appliances, regardless of physical location.

Product Description

Thunder SSLi Product Line
Thunder SSLi appliances support any deployment need. Each Thunder SSLi appliance is powered by A10 Networks Advanced Core Operating System (ACOS), which brings a unique combination of shared memory accuracy and efficiency, 64-bit scalability and advanced flow processing.

Thunder SSLi Hardware Appliances:
-- The A10 Thunder SSLi line of appliances fits all size networks in a single, rack-mountable appliance to address the most demanding requirements.
-- All models are dual power supply-capable, feature solid-state drives (SSDs) and use no inaccessible moving parts for high availability.
-- All models benefit from A10’s Flexible Traffic Accelerator (FTA) technology, with select models featuring Field Programmable Gate Arrays (FPGAs) for hardware optimized FTA processing; this provides highly scalable flow distribution and DDoS protection capabilities.
-- Select models include switching and routing processors for high-speed network processing, dedicated security processors for SSL offload, and lights-out management (LOM) for out-of-band monitoring and management.
-- Each appliance offers exceptional performance per rack unit to reduce power consumption costs and ensure a green solution. Coupled with high density 1 GbE, 10 GbE and 40 GbE port options, Thunder SSLi meets the highest networking bandwidth demands.

Thunder SSLi Hardware Appliance Specifications Table

| | Thunder 840 | Thunder 3230S | Thunder 3430S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 0.5 Gbps | 3.5 Gbps | 5.5 Gbps |
| SSLi CPS (2k key)*1 *2 | 300 | 12.5k | 18k |
| Network Interface | | | |
| 1 GE Copper | 5 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 4 | 4 |
| 1/10 GE Fiber (SFP+) | 2 | 4 | 4 |
| 40 GE Fiber (QSFP+) | 0 | 0 | 0 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | No | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Communication Processor | Intel Xeon 4-core | Intel Xeon 6-core |
| Memory (ECC RAM) | 8 GB | 16 GB | 32 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | Software | 1 x FTA-4 FPGA | 1 x FTA-4 |
| SSL Security Processor | | | Dual or Quad |
| Power Consumption (Typical/Max)*3 | 57W / 75W | 210W / 265W | 240W / 288W |
| Heat in BTU/hour (Typical/Max)*3 | 195 / 256 | 717 / 904 | 819 / 983 |
| Power Supply (DC option available) | Single 150W (AC only); 100 - 240 VAC, 50-60 Hz | Dual 600W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz | Dual 600W RPS; 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz |
| Cooling Fan | Single Fixed Fan | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.0 (W), 12 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |
| Unit Weight | 8.8 lbs | 23 lbs | 23 lbs |

Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Standard Warranty: 90-day Hardware and Software
Regulatory Certifications:
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, MSIP, BSMI, RCM, NEBS RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, MSIP, BSMI, RCM, NEBS RoHS, FIPS 140-2

*1 SSLi performance is measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder SSLi Hardware Appliance Specifications Table (continued)

| | Thunder 4440S | Thunder 5330S | Thunder 5440S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 8 Gbps | 8 Gbps | 12.5 Gbps |
| SSLi CPS (2k key)*1 *2 | 22k | 24k | 28k |
| Network Interface | | | |
| 1 GE Copper | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 24 | 8 | 24 |
| 40 GE Fiber (QSFP+) | 4 | 0 | 4 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | Yes | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Xeon 6-core | Intel Xeon 10-core | Intel Xeon 12-core |
| Memory (ECC RAM) | 32 GB | 32 GB | 64 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | 2 x FTA-4 FPGA | 1 x FTA-4 FPGA | 2 x FTA-4 FPGA |
| Switching/Routing | Hardware | Hybrid*4 | Hardware |
| SSL Security Processor | Dual or Quad | Dual or Quad | Dual or Quad |
| Power Consumption (Typical/Max)*3 | 400W / 485W | 240W / 288W | 400W / 485W |
| Heat in BTU/hour (Typical/Max)*3 | 1,365 / 1,655 | 819 / 983 | 1,365 / 1,655 |
| Power Supply (DC option available) | Dual 1100W RPS | Dual 600W RPS | Dual 1100W RPS |
| Cooling Fan | Hot Swap Smart Fans | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |
| Unit Weight | 32.5 lbs | 23 lbs | 32.5 lbs |

Power Supply: 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz
Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Standard Warranty: 90-day Hardware and Software
Regulatory Certifications:
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM, NEBS RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS, FIPS 140-2

*1 SSLi performance is measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder SSLi Hardware Appliance Specifications Table (continued)

| | Thunder 5840S | Thunder 6440S | Thunder 7440S |
|---|---|---|---|
| SSLi Throughput (2k key)*1 *2 | 17.5 Gbps | TBD | TBD |
| SSLi CPS (2k key)*1 *2 | 50k | TBD | TBD |
| Network Interface | | | |
| 1 GE Copper | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 24 | 48 | 48 |
| 40 GE Fiber (QSFP+) | 4 | 4 | 4 |
| Management Interface | Yes | Yes | Yes |
| Lights Out Management | Yes | Yes | Yes |
| Console Port | Yes | Yes | Yes |
| Solid-state Drive (SSD) | Yes | Yes | Yes |
| Processor | Intel Xeon 18-core | Intel Xeon Dual 8-core | Intel Xeon Dual 18-core |
| Memory (ECC RAM) | 64 GB | 128 GB | 128 GB |
| Hardware Acceleration | | | |
| 64-bit Linear Decoupled Architecture | Yes | Yes | Yes |
| Flexible Traffic Acceleration | 2 x FTA-4 FPGA | 3 x FTA-4 FPGA | 3 x FTA-4 FPGA |
| Switching/Routing | Hardware | Hardware | Hardware |
| SSL Security Processor | Dual or Quad | 2 x Dual | 2 x Dual |
| Power Consumption (Typical/Max)*3 | 415W / 510W | 560W / 630W | 770W / 900W |
| Heat in BTU/hour (Typical/Max)*3 | 1,417 / 1,741 | 1,911 / 2,150 | 2,628 / 3,071 |
| Power Supply (DC option available) | Dual 1100W RPS | Dual 1100W RPS | Dual 1100W RPS |
| Cooling Fan | Hot Swap Smart Fans | Hot Swap Smart Fans | Hot Swap Smart Fans |
| Dimensions | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D) |
| Rack Units (Mountable) | 1U | 1U | 1U |

Unit Weight: 36 lbs, 36 lbs, 32.5 lbs
Power Supply: 80 Plus Platinum efficiency, 100 - 240 VAC, Frequency 50 – 60 Hz
Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Standard Warranty: 90-day Hardware and Software
Regulatory Certifications:
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS
-- FCC Class A, UL, CE, TUV, CB, VCCI, China CCC, BSMI, RCM RoHS, FIPS 140-2

*1 SSLi performance is measured in single appliance SSLi deployment.
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder 840, Thunder 3230S, Thunder 3430S, Thunder 4440S, Thunder 5330S, Thunder 5440S, Thunder 5840S, Thunder 6440S, Thunder 7440S

Detailed Feature List

SSL Insight
• High-performance SSL decryption and encryption as a forward proxy
• Internet Content Adaptation Protocol (ICAP) support for data loss prevention
• Dynamic port decryption to detect and intercept SSL or TLS traffic regardless of TCP port number
• Forward proxy failsafe to bypass traffic when there is a handshake failure
• SSL Insight bypass based on hostname; bypass list scales up to 1 million Server Name Indication (SNI) values
• Multi-bypass list support
• Decryption of HTTPS, STARTTLS, SMTP, XMPP
• Client certificate detection and optional bypass
• Untrusted certificate handling using the Online Certificate Status Protocol (OCSP)
• TLS alert logging to log flow information from SSL Insight events
• SSL session ID reuse
• Firewall Load Balancing (FWLB)

URL Filtering
• URL Classification Service powered by Webroot to selectively bypass trusted websites for SSL decryption*
• Optional monitoring and blocking of malicious or undesirable websites

Operation Modes
• Inline transparent proxy or explicit proxy deployment with passive, non-inline third-party devices
• Inline transparent proxy or explicit proxy deployment with active, inline third-party devices
• Inline transparent proxy or explicit proxy deployment with ICAP-connected devices

Management
• Dedicated management interface (Console, SSH, Telnet, HTTPS)
• Web-based Graphical User Interface (GUI) with Language Localization
• Industry-standard Command Line Interface (CLI) support
• SNMP, Syslog, email alerts, NetFlow v9 and v10 (IPFIX), sFlow
• Port mirroring
• REST-style XML API (aXAPI)
• LDAP, TACACS+, RADIUS support

Carrier-grade Hardware
• Dedicated SSL security processors for high performance
• 40 GE ports
• Tamper Detection

For non-inline deployments, traffic flows can be segmented by traffic type and broadcast through up to four network interfaces, enabling organizations to filter relevant traffic and to scale out security deployments.

For inline deployments, Thunder SSLi can offload SSL decryption functions and load balance multiple security devices.

*Additional paid service

About A10 Networks
A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com.

Corporate Headquarters
A10 Networks, Inc
3 West Plumeria Ave.
San Jose, CA 95134 USA
Tel: 1 408 325-8668
Fax: 1 408 325-8666
www.a10networks.com

Part Number: A10-DS-15113-EN-07 Aug 2016

Worldwide Offices
North America: sales@a10networks.com
Europe: emea sales@a10networks.com
South America: latam nachina sales@a10networks.com
Hong ks.com
Korea: korea@a10networks.com
South Asia: SouthAsia@a10networks.com
Australia/New Zealand: anz sales@a10networks.com

To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.

©2016 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.
