Thunder CFW High-Performance Versatile Firewall

DATASHEET

Overview

A10 Networks Thunder Convergent Firewall (CFW) is a high-performance, all-inclusive and flexible security solution featuring a Secure Web Gateway, Data Center Firewall, Gi/SGi Firewall and site-to-site IPsec VPN for enterprises and service providers. Thunder CFW uncovers threats in SSL traffic and blocks access to malicious websites at the enterprise perimeter. It also protects high-value assets in the data center from network and Distributed Denial of Service (DDoS) attacks.

A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.

Supported Platforms

-- Thunder CFW physical appliance
-- Thunder SPE physical appliance
-- vThunder virtual appliance
-- aGalaxy Centralized Management

The A10 Thunder Convergent Firewall (CFW) is a standalone security product, built on A10 Networks Advanced Core Operating System (ACOS) platform. Thunder CFW is the first converged security solution for service providers, cloud providers and large enterprises that includes:

-- A powerful Secure Web Gateway that combines URL filtering, A10’s SSL Insight technology, and explicit proxy to increase security efficacy by decrypting SSL traffic at high speed and restricting access to undesirable websites.
-- A high-performance Data Center Firewall with an integrated Layer 4 firewall, DDoS protection, and server load balancing. By uniting application delivery control and security on a single platform, Thunder CFW lowers hardware and operating costs.
-- A scalable Gi/SGi Firewall with integrated DDoS protection and Carrier Grade Networking (CGN) for mobile carriers. The Gi/SGi Firewall protects mobile infrastructure with advanced policy enforcement.
-- High-speed site-to-site IPsec VPN that enables enterprises and service providers to encrypt data at a massive scale and in the cloud.

With its data center efficient design and compact form factor, Thunder CFW provides an integrated security and application networking solution that minimizes rack space, power consumption and cooling costs.

Thunder CFW also leverages the A10 Harmony architecture to provide open and standards-based programmability, which offers rapid integration with management and orchestration systems, consistent policy enforcement and telemetry. The A10 Networks aGalaxy Centralized Management System delivers everything that organizations need to configure, monitor and troubleshoot all A10 Thunder solutions, including Thunder CFW.

Features and Benefits

Whether you are an enterprise, service provider or mobile carrier, A10 Thunder CFW offers the performance and the versatility you need to safeguard your applications, your users and your infrastructure.

Secure Web Gateway

Decrypt SSL once and inspect multiple times: Thunder CFW enables security devices to inspect encrypted traffic, eliminating the SSL blind spot in corporate defenses. Leveraging SSL Insight technology, Thunder CFW decrypts SSL traffic and forwards it to third-party security devices for inspection. With the Thunder CFW, organizations can make their security infrastructure effective again.

Prevent data exfiltration and enforce compliance: Thunder CFW allows seamless integration with third-party Data Loss Prevention (DLP) solutions via the industry standard ICAP. Thunder CFW can send decrypted traffic to DLP servers for inspection before forwarding intercepted traffic to a client or a server. According to inspection results from DLP servers, Thunder CFW enforces a policy by either permitting or denying traffic to prevent data leaks and harmful infection.

Gain superior URL classification coverage: Thunder CFW provides an optional URL filtering service that maximizes employee productivity and mitigates web-based threats. Thunder CFW can monitor or block access to malicious websites, including malware, spam and phishing sites. The A10 URL Classification Service, powered by Webroot, categorizes over 460 million domains and 13 billion URLs into 83 categories, enabling organizations to block undesirable sites and shield their users from online threats.

Extend the life of security infrastructure: Thunder CFW, with integrated load balancing, enables organizations to maximize uptime and increase the capacity of their security infrastructure. It also unburdens firewalls and other security devices from computationally intensive tasks like SSL decryption and ICAP support, enabling those devices to do what they do best – detect and stop attacks.

Data Center Firewall

Achieve unprecedented firewall performance: Powered by A10’s Advanced Core Operating System (ACOS), Thunder CFW provides high performance in a compact appliance, allowing organizations to stop emerging threats at scale. Combining a Shared Memory Architecture and Flexible Traffic Accelerator (FTA) technology, the Data Center Firewall offers ultra-high throughput and unmatched connection rates, eliminating traditional performance bottlenecks while protecting data center assets.

Lower OPEX and CAPEX: Consolidating multiple services on one platform reduces the number of appliances that need to be purchased and cuts power, space and cooling costs. Thunder CFW’s Data Center Firewall takes unification further by converging not just security but also networking and application delivery features, empowering organizations to eliminate single-purpose devices from their data centers and reduce hardware and operating costs.

Protect multi-tenant environments: Thunder CFW leverages the A10 Harmony architecture to deliver completely programmable security for the data center. A10 Harmony unifies policy control, offers unprecedented telemetry and provides 100% RESTful API coverage. Thunder CFW also supports multi-tenancy features like Application Delivery Partitions (ADPs) for segmentation.

Gi/SGi Firewall

Achieve massive scale and multiple functionality in a single compact appliance: The Thunder CFW, with an integrated Gi/SGi Firewall, delivers the performance that mobile carriers require to scale and protect their networks. With the ability to support large session capacity and high connections-per-second rates, the Thunder CFW will meet both current and future traffic requirements. Thunder CFW enables mobile carriers to efficiently safeguard their infrastructure, including the Gateway GPRS Support Node (GGSN) and P-Gateway in the Evolved Packet Core (EPC).

The Thunder CFW includes integrated Carrier Grade NAT functionality to allow mobile carriers to preserve their investment in IPv4-based infrastructure. Also included are various IPv6 transition technologies, such as NAT64/DNS64, to assist in providing a smooth transition to IPv6 networking and seamless subscriber access to resources regardless of the type of IP version used. Integrated application layer gateways (ALGs) ensure that applications remain addressable and operate transparently through address translation. By including IPv4 preservation and IPv6 migration support in the multi-functional Thunder CFW, operational tasks are greatly simplified.

To protect mobile infrastructure, the Thunder CFW Gi/SGi Firewall provides granular control over network resources, allowing mobile carriers to block network attacks and unauthorized access. It delivers a stateful firewall with a rich set of features to protect subscribers, along with shielding the LTE data and control plane services from multiple types of threats. The Thunder CFW can also secure its own resources, such as Network Address Translation (NAT) pools, to ensure that its operational functions are not compromised.

Site-to-Site IPsec VPN

Encrypt data at unparalleled speeds: Thunder CFW enables enterprises and service providers to build out large-scale VPN deployments. By supporting thousands of VPN tunnels per Thunder CFW platform and a broad array of encryption algorithms and data integrity methods, organizations can deploy Thunder CFW alongside their existing VPN equipment or build out new VPN networks with Thunder CFW appliances.

Consolidate IPsec VPN, firewall and application delivery: Thunder CFW combines Data Center Firewall, Gi/SGi Firewall and IPsec VPN on a single platform. Whether used with the Data Center Firewall to support secure interconnectivity between data centers or to support high-speed VPN connections in the cloud, Thunder CFW provides a comprehensive networking and security platform that reduces customers’ data center footprint and operating costs.

A10 Thunder CFW Data Center Firewall has achieved the ICSA Labs Firewall Corporate Certification.

The A10 Thunder CFW IPsec solution has achieved the IPsec IKEv2 certification from ICSA Labs. ICSA Labs testing and certification ensures that A10 Thunder CFW performs as intended and provides interoperable, cryptographically-based security services for IP layer environments.

Architecture and Key Components

Figure 1: Thunder CFW use cases (diagram showing the enterprise perimeter with Secure Web Gateway, the mobile service provider with Gi/SGi FW, the data center with DC FW, and IPsec VPN)

Flexibility to Deploy ADC and CGN

Thunder CFW supports multi-tenancy and isolation of configuration components including administration with Application Delivery Partitions (ADPs) using L3V (Layer 3 Virtualization). L3V partitions enable flexible deployment of independent services like application delivery controller (ADC) and carrier grade networking (CGN) on a single appliance to accelerate time to market of load balancing and networking services.

Management

Comprehensive and scalable management: Thunder CFW devices feature an array of options to simplify and automate management tasks that reduce administrative costs and ensure that complex tasks can be done accurately the first time. To complement our industry-standard CLI and Web GUI, our RESTful API with 100% coverage offers rapid integration with third-party management consoles to efficiently operate one or more Thunder CFW appliances. For larger deployments, our aGalaxy Centralized Management System ensures that routine tasks can be performed at scale, across multiple appliances, regardless of physical location.

Thunder CFW supports granular role-based access control, enabling you to create users and groups and grant read-only or read/write privileges for specific partitions or management interfaces. To scale load-balancing capacity, A10 Networks aVCS Virtual Chassis System allows multiple appliances to operate as one, with a single management point for all appliances in the virtual chassis.

Thunder CFW’s integrated Web application firewall has achieved WAF certification from ICSA Labs. ICSA Labs testing and certification ensures that Thunder CFW performs as intended to secure application services from exploitation and attack.

Product Description

Thunder CFW Product Line

Thunder CFW appliances support any deployment need. Each Thunder CFW appliance is powered by ACOS software, which brings a unique combination of shared memory accuracy and efficiency, 64-bit scalability and advanced flow processing.

Thunder SPE Appliances:
-- The Thunder SPE appliances deliver ultra high-speed Security and Policy Enforcement for your most demanding application networking and security requirements. Thunder SPE appliances leverage A10’s innovative Security and Policy Engine (SPE) to implement security and policy enforcement functions at higher speed, harnessing the power of advanced Flexible Traffic Acceleration (FTA) technology and high speed lookup capabilities. In addition, Thunder SPE is a future-proof design capable of enabling an expanded set of security and policy enforcements.
-- All models are dual power supply-capable, feature solid state drives (SSDs) and utilize no inaccessible moving parts for high availability.
-- Thunder SPE appliances offer the best performance per rack unit coupled with high density interface 1 GbE, 10 GbE, 40 GbE and 100 GbE port options and the highest level “80 PLUS Platinum” certification for power supplies to ensure a green solution and reduce power consumption costs.

Thunder CFW Hardware Appliances:
-- The A10 Thunder CFW line of appliances fits all size networks starting with entry level models and moving up to high performance appliance for your most demanding requirements.
-- All models are dual power supply-capable*, feature solid state drives (SSDs) and use no inaccessible moving parts for high availability.
-- All models benefit from A10’s Flexible Traffic Accelerator (FTA) technology, with select models featuring Field Programmable Gate Arrays (FPGAs) for hardware optimized FTA processing; this provides highly scalable flow distribution and DDoS protection capabilities.
-- Select models include switching and routing processors for high-speed network processing, dedicated security processors for SSL offload, and lights-out management (LOM) for out-of-band monitoring and management.
-- Each appliance offers exceptional performance per rack unit and the highest level “80 PLUS Platinum” certification* for power supplies* to reduce power consumption costs and ensure a green solution. Coupled with high density 1 GbE, 10 GbE, and 40 GbE port options, Thunder CFW meets the highest networking bandwidth demands.

vThunder Virtual Appliances:
-- The vThunder CFW line of virtual appliances is designed to meet the growing needs of organizations requiring a flexible and easy-to-deploy converged security, carrier grade networking, application delivery and server load balancer solution running within a virtualized infrastructure or public cloud service.
-- Each vThunder instance has a full set of features that can run atop your choice of commodity hardware, as well as your choice of leading hypervisor; for example, VMware ESXi, Microsoft Hyper-V, and KVM.

The aGalaxy Centralized Management System delivers everything that organizations need to monitor, configure and troubleshoot their Thunder CFW deployment.

* Except for Thunder 840

Thunder CFW Specifications Table

Specification | Thunder 840 | Thunder 1030S | Thunder 3030S

Data Center Firewall
DCFW Throughput | 5 Gbps | 10 Gbps | 30 Gbps
DCFW Layer 4 CPS | 200k | 300k | 500k
DCFW Concurrent Sessions | 8 million | 16 million | 32 million
DCFW Rules | 8k | 8k | 16k

Secure Web Gateway *1 *2
SSLi Throughput | 0.5 Gbps | 1.5 Gbps | 2.5 Gbps
SSLi CPS | RSA (1K): 500, RSA (2K): 300 | RSA (1K): 4K, RSA (2K): 3k | RSA (1K): 8k, RSA (2K): 6k

IPsec VPN *2
IPsec Throughput | 1.5 Gbps | 6 Gbps | 8 Gbps
IPsec Tunnels | 50 | 100 | 1k

Network Interface
1 GE Copper | 5 | 6 | 6
1 GE Fiber (SFP) | 0 | 2 | 2
1/10 GE Fiber (SFP+) | 2 | 2 | 4
40 GE Fiber (QSFP+) | 0 | 0 | 0
Management Interface | Yes | Yes | Yes
Lights Out Management | No | Yes | Yes
Console Port | Yes | Yes | Yes
Solid-state Drive (SSD) | Yes | Yes | Yes
Processor | Intel Communication Processor | Intel Xeon 4-core | Intel Xeon 4-core
Memory (ECC RAM) | 8 GB | 8 GB | 16 GB

Hardware Acceleration
64-bit Linear Decoupled Architecture | Yes | Yes | Yes
Flexible Traffic [...]ing | Software | Software | Software
SSL Security Processor ('S' Models) | N/A | Yes | Yes

Power Consumption (Typical/Max) *3 | 57W / 75W | 98W / 108W | 180W / 240W
Heat in BTU/hour (Typical/Max) *3 | 195 / 256 | 334 / 369 | 615 / 819
Power Supply (DC option available): Single 150W (AC only); Single 600W Dual 600W RPS
    100 - 240 VAC, 50-60Hz; 80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan: Single Fixed Fan; Hot Swap Smart Fans
Dimensions | 1.75 in (H), 17.0 (W), 12 in (D) | 1.75 in (H), 17.5 in (W), 17.45 in (D) | 1.75 in (H), 17.5 in (W), 17.45 in (D)
Rack Units (Mountable) | 1U | 1U | 1U
Unit Weight | 8.8 lbs | 18.0 lbs, 20.1 lbs (RPS) | 20.1 lbs
Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Regulatory Certifications | FCC Class A, UL, CE, TUV, CB, VCCI, CCC, BSMI, RCM RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, CCC, KCC BSMI, RCM, FAC RoHS, FIPS 140-2 | FCC Class A, UL, CE, TUV, CB, VCCI, CCC, KCC, BSMI, RCM, EAC, FAC RoHS, FIPS 140-2
Standard Warranty: 90-day Hardware and Software

*1 Tested in single appliance SSLi deployment with maximum SSL option. Cipher “AES128-SHA256” with 2K RSA keys are used for RSA cases, “ECDHE-RSA-AES128-SHA256” with EC P-256 and 2K RSA keys are used for PFS case
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder CFW Specifications Table (continued)

Specification | Thunder 3040(S) | Thunder 3230(S) | Thunder 3430(S)

Data Center Firewall
DCFW Throughput | 30 Gbps | 25 Gbps | 38 Gbps
DCFW Layer 4 CPS | 500k | 1.4 million | 2 million
DCFW Concurrent Sessions | 32 million | 32 million | 64 million
DCFW Rules | 16k | 16k | 32k

Secure Web Gateway *1 *2
SSLi Throughput | 2.5 Gbps | 3.5 Gbps | 5.5 Gbps
SSLi CPS | RSA: 6.5k, ECDHE: 4.5k | RSA: 12.5k, ECDHE: 7k | RSA: 18k, ECDHE: 10k

IPsec VPN *2
IPsec Throughput | N/A | 15 Gbps | 30 Gbps
IPsec Tunnels | 1k | 1k | 4k

Network Interface
1 GE Copper | 6 | 0 | 0
1 GE Fiber (SFP) | 2 | 4 | 4
1/10 GE Fiber (SFP+) | 4 | 4 | 4
40 GE Fiber (QSFP+) | 0 | 0 | 0
Management Interface | Yes | Yes | Yes
Lights Out Management | Yes | Yes | Yes
Console Port | Yes | Yes | Yes
Solid-state Drive (SSD) | Yes | Yes | Yes
Processor | Intel Xeon 4-core | Intel Xeon 4-core | Intel Xeon 6-core
Memory (ECC RAM) | 16 GB | 16 GB | 32 GB

Hardware Acceleration
64-bit Linear Decoupled Architecture | Yes | Yes | Yes
Flexible Traffic Acceleration | Software | 1 x FTA-4 FPGA | 1 x FTA-4 [...]
SSL Security Processor ('S' Models): [...] Yes

Power Consumption (Typical/Max) *3 | 180W / 240W | 190W / 240W | 210W / 260W
Heat in BTU/hour (Typical/Max) *3 | 615 / 819 | 648 / 819 | 717 / 887
Power Supply (DC option available) | Dual 600W RPS | Dual 600W RPS | Dual 600W RPS
    100 - 240 VAC, 50-60Hz; 80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan: Single Fixed Fan; Hot Swap Smart Fans
Dimensions | 1.75 in (H), 17.5 in (W), 17.45 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D)
Rack Units (Mountable) | 1U | 1U | 1U
Unit Weight: 23 lbs; 23 lbs; 20.6 lbs
Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Regulatory Certifications | FCC Class A, UL, CE, CB, GS, VCCI, CCC, KCC, BSMI, RCM RoHS | FCC Class A, UL, CE, TUV, CB, VCCI, CCC, KCC, BSMI, RCM, NEBS RoHS | FCC Class A, UL, CE, GS, CB, VCCI, CCC, KCC, BSMI, RCM, NEBS RoHS
Standard Warranty: 90-day Hardware and Software

*1 Tested in single appliance SSLi deployment with maximum SSL option. Cipher “AES128-SHA256” with 2K RSA keys are used for RSA cases, “ECDHE-RSA-AES128-SHA256” with EC P-256 and 2K RSA keys are used for PFS case
*2 With maximum SSL
*3 With base model. Number varies by SSL model
*4 No dedicated hardware but FTA-4 FPGA handles select switching/routing functions
Certification in process
FIPS model must be purchased

Thunder CFW Specifications Table (continued)

Specification | Thunder 4440(S) | Thunder 5330(S) | Thunder 5440(S)

Data Center Firewall
DCFW Throughput | 70 Gbps | 70 Gbps | 90 Gbps
DCFW Layer 4 CPS | 2.8 million | 2.8 million | 3.5 million
DCFW Concurrent Sessions | 64 million | 64 million | 128 million
DCFW Rules | 32k | 32k | 64k

Secure Web Gateway *1 *2
SSLi Throughput | 8 Gbps | 10 Gbps | 15 Gbps
SSLi CPS | RSA: 22k, ECDHE: 10k | RSA: 30k, ECDHE: 15k | RSA: 35k, ECDHE: 20k

IPsec VPN *2
IPsec Throughput | 30 Gbps | 35 Gbps | 35 Gbps
IPsec Tunnels | 4k | 4k | 8k

Network Interface
1 GE Copper | 0 | 0 | 0
1 GE Fiber (SFP) | 0 | 0 | 0
1/10 GE Fiber (SFP+) | 24 | 8 | 24
40 GE Fiber (QSFP+) | 4 | 0 | 4
Management Interface | Yes | Yes | Yes
Lights Out Management | Yes | Yes | Yes
Console Port | Yes | Yes | Yes
Solid-state Drive (SSD) | Yes | Yes | Yes
Processor | Intel Xeon 6-core | Intel Xeon 10-core | Intel Xeon 12-core
Memory (ECC RAM) | 32 GB | 32 GB | 64 GB

Hardware Acceleration
64-bit Linear Decoupled Architecture | Yes | Yes | Yes
Flexible Traffic Acceleration | 2 x FTA-4 FPGA | 1 x FTA-4 FPGA | 2 x FTA-4 FPGA
Switching/Routing | Hardware | Hybrid*4 | Hardware
SSL Security Processor ('S' Models) | Yes | Yes | Yes

Power Consumption (Typical/Max) *3 | 360W / 445W | 210W / 260W | 360W / 445W
Heat in BTU/hour (Typical/Max) *3 | 1,229 / 1,519 | 717 / 887 | 1,229 / 1,519
Power Supply (DC option available) | Dual 1100W RPS | Dual 600W RPS | Dual 1100W RPS
    80 Plus Platinum efficiency, 100 - 240 VAC, 50 – 60 Hz
Cooling Fan: Hot Swap Smart Fans
Dimensions | 1.75 in (H), 17.5 in (W), 30 in (D) | 1.75 in (H), 17.5 in (W), 17.15 in (D) | 1.75 in (H), 17.5 in (W), 30 in (D)
Rack Units (Mountable) | 1U | 1U | 1U
Unit Weight: 23 lbs; 32.5 lbs; 32.5 lbs
Operating Ranges: Temperature 0 - 40 C, Humidity 5% - 95%
Regulatory Certifications | FCC Class A, UL, CE, GS, CB, VCCI, CCC, KCC, BSMI, RCM RoHS, FIPS 140-2 | FCC Class A,
