ELIMINATE THE BLIND SPOT
You can eliminate the blind spot introduced by SSL encryption by offloading CPU-intensive SSL decryption and encryption functions from third-party security devices, while ensuring compliance with privacy standards.
While dedicated security devices provide in-depth inspection and analysis of network traffic, they are not designed to decrypt and encrypt traffic at high speeds. In fact, many security products do not have the ability to decrypt traffic at all.
This solution boosts the performance of the security infrastructure by decrypting traffic and forwarding it to one or more third-party security devices, such as a firewall for deep packet inspection (DPI).
It re-encrypts traffic and forwards it to the intended destination. Response traffic is also inspected in the same way.

| HARDWARE SPECIFICATIONS | Thunder 840 | Thunder 1030S | Thunder 3030S | Thunder 3040S | Thunder 3230S | Thunder 3430S | Thunder 4440S | Thunder 5330S | Thunder 5440S | Thunder 5840S |
|---|---|---|---|---|---|---|---|---|---|---|
| SSLi Throughput*1 | 0.5 Gbps | 1.5 Gbps | 2.5 Gbps | 2.5 Gbps | 3.5 Gbps | 5.5 Gbps | 8 Gbps | 10 Gbps | 15 Gbps | 20 Gbps |
| SSLi CPS*1 | RSA (1K): 500, RSA (2K): 300 | RSA (1K): 4k, RSA (2K): 3k | RSA (1K): 8k, RSA (2K): 6k | RSA: 8k, ECDHE: 4.5k | RSA: 12.5k, ECDHE: 7k | RSA: 18k, ECDHE: 10k | RSA: 22k, ECDHE: 10k | RSA: 30k, ECDHE: 15k | RSA: 35k, ECDHE: 20k | RSA: 50k, ECDHE: 25k |
| SSLi Concurrent Sessions | 40k | 125k | 200k | 200k | 200k | 400k | 400k | 400k | 1 Million | 1 Million |
| Network Interface | | | | | | | | | | |
| - 1 GE Copper | 5 | 6 | 6 | 6 | 0 | 0 | 0 | 0 | 0 | 0 |
| - 1 GE Fiber (SFP) | 0 | 2 | 2 | 2 | 4 | 4 | 0 | 0 | 0 | 0 |
| - 1/10 GE Fiber (SFP+) | 2 | 2 | 4 | 4 | 4 | 4 | 24 | 8 | 24 | 24 |
| - 40 GE Fiber (QSFP+) | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 4 | 4 |

*1 Tested in a single-appliance SSLi deployment with maximum SSL option. Cipher "AES128-SHA256" with 2K RSA keys is used for the RSA cases; "ECDHE-RSA-AES128-SHA256" with EC P-256 and 2K RSA keys is used for the PFS case.
Benefits
Gain Full Visibility into the Blind Spot
This solution decrypts traffic across all ports and multiple protocols, eliminating the encryption blind spot and enabling the security infrastructure to inspect previously invisible traffic, detect hidden threats and defend against them.
Decrypt Traffic For All Security Devices
To truly secure an enterprise network, from both internal and external threats, organizations require the help of a variety of security devices.
It works with products from the major security vendors, which may be deployed in a number of ways, ensuring that the whole network is secure against encrypted threats. It interoperates with:
- Firewalls
- Secure Web Gateways (SWG)
- Intrusion Prevention Systems (IPS)
- Unified Threat Management (UTM) platforms
- Data Loss Prevention (DLP) products
- Threat Prevention platforms
- Network Forensics and Web Monitoring tools
Secure Key Storage
Storing encryption keys on many appliances in the network can introduce serious vulnerabilities. Threat actors can acquire keys from vulnerable points and use them for encrypted attacks or data extraction.
With FIPS 140-2 Level 3-validated internal and external Hardware Security Module (HSM) support, Thunder SSLi reduces decryption points so encryption keys are stored securely.
Validate Certificate Status
Attackers can use invalid certificates to infiltrate networks. If these attacks are not blocked, users can be at risk of multiple attacks.
Thunder SSLi helps the system confirm the validity of certificates it receives from the server by supporting Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP). These protocols help verify that the origin certificate is valid.
Ensure Compliance and Privacy
Thunder SSLi allows for selective decryption, making sure that organizations can keep up with industry, government and other compliance and privacy standards. For example, HIPAA compliance may forbid the decryption of private and sensitive healthcare information.
Reduce Operational Costs
This solution offers a centralized point to decrypt enterprise traffic, forwarding it to many inline and non-inline security devices. This eliminates the decryption overhead of each security device, improving performance while maintaining proper security diligence. It also eliminates the need to purchase bigger security devices just to support resource-exhausting decryption and encryption functions.
Simplify Operations and Management
AppCentric Templates, a wizard-based configuration, deployment and management tool, make Thunder SSLi the easiest-to-use decryption solution in the industry. With informative dashboards, organizations can track their network with ease. Thunder SSLi also includes an industry-standard CLI, a web user interface and a RESTful API (aXAPI®), which integrates with third-party or custom management consoles.

AppCentric Templates help users manage their encrypted traffic using a dashboard to visualize SSL traffic, decryption and encryption, bypassing, traffic management using categorization, and more.
Reference Architectures
Traffic Flow Through the Decrypt Zone
Thunder SSLi by A10 Networks provides visibility via a logical decrypt zone where third-party security devices inspect traffic for threats. It can be deployed in a one- or two-appliance configuration.

Multiple Deployment & Decryption Options
Thunder SSLi may be deployed inline, on the enterprise perimeter, and can decrypt traffic for a variety of security products simultaneously, including inline, non-inline (passive/TAP) and ICAP-enabled devices.

