SSL/TLS Decryption Features
Read what people say are the most valuable features of the solutions they use.
One of the most valuable aspects of this solution is that it's easy to deploy without a lot of complications. Of course, one has to be very good at understanding the PKI as a whole. But in terms of implementation, we are utilizing Fail-to-Network, which means even if SSLV for some reason goes down, we don't get traffic interruption. In terms of SSLV's feature itself, it is very flexible in terms of whitelisting. For example, if I do not want to encrypt some things that are subject to compliance, it has easy categorization of the hostname that is out of the box. In one click I am able to dictate which hostname it should encrypt or not. It is easy to abide by the compliance policy. It is not just category-based, it is also very easy to whitelist or bypass the decryption based on IP addresses. For example, we have a finance minister who is in our network and we do not want to see all of his internet activity. It allows us to bypass it based on his IP address. There are many ways we can bypass SSL decryption. Be it destination IP, the source IP, the URL, the hostname, et cetera. This is the easiest solution and I did a little bit of research before and I could not find another solution that does this. There is also a return on investment. They have very good hardware and it is already prepaid for SSL 1.3. They have a way to do that. Not all types of versions can be decrypted. But to some extent, they can do that also, SSL 1.3. That is something amazing and most of the other vendors cannot do that.
There are a lot of noticeable benefits including the ability to categorize and detect a lot of URLs, hostnames, and file types. This solution is really easy to deploy as long as the implementer understands PKI as a whole. The most valuable feature is the Fail-to-Network (FTN) option, which means that if for any reason the appliance goes down then there is no interruption in traffic. It allows for easy categorization of data according to the hostname, out of the box. For example, we may not want to unencrypt certain things that are subject to compliance, such as an e-commerce site, government site, or a banking site. We can easily detect and classify these, acting accordingly once they have been classified. In a single click, I am able to specify which category of hostnames it should decrypt or not decrypt. This allows us to easily comply with enterprise policy. It is easy to bypass decryption not just by category but also by using the IP address. For instance, we have a finance minister who sits in our network and we do not want to see their internal activity. This solution allows us to bypass that traffic based on IP, whether it is the source or destination. We can also bypass decryption based on the URL.
Its most valuable feature is its ability to do its job accurately, effectively, and very quickly. The amount of traffic that we have going through our system is astounding. We have 6,900 students and about 1,100 staff members. Most of our teachers and staff are connecting through our system. You add to that all the cell phones, the iPads, and all the computers, and then each individual website's connection, that's a lot of traffic in a period of one second. The delay with the SSL decryption turned on is almost unnoticeable. That is great because most SSL decryption solutions — a couple of competitors we did try — their devices crashed as soon as we turned decryption on.
With the Thunder SSLi, we're better protected. We can stop use of VPN and proxies. We are better protected against dirty traffic coming back to our schools. Having a secure decrypt zone with the equipment lowers the chances that our security infrastructure could possibly miss an attack. It gives us insight into the actual traffic that a student is following. What's the value of identifying possible risks or possible intent based on unencrypted traffic where you have insight to what the student's intent may be? E.g., anonymous bully reporting. It's invaluable to be able to leverage that insight and data to maybe bring help or avert a possible bad circumstance. It's something that's very important to us that this type of system gives us insight into that. In terms of ease of use, it's fairly simple. My analysts tell me that they don't mind getting in there. It was something new that we had to throw on their plate. Every time you add a new element and a new level of complexity, your analysts will look at you like you're crazy. Our plan was originally to use our native firewalls to do the decryption. Unfortunately, that was a feature set which was added on afterward. It just ended up bogging down our system. That is the reason why we had to add the extra hardware. Once the team understood that, the UI was intuitive and a huge help. We use the solution’s Harmony analytics and visibility controller. We have been able to proactively engage and deescalate situations with it. We love Harmony’s traffic management capabilities because it is centralized management. It has a rich analytics capability. This allows us insight into the aggregate performance of all the boxes, so we can possibly leverage any resources available to enhance the environment. We love the single pane of glass traffic management. Single pane of glass is huge, centralized logging. It is the buzzword that everyone is talking about right now, except what nobody seems to take into consideration is that an analyst only has two eyes. The administration piece of it is huge. It allows us to not just look and get the information, but also cipher it, which is actionable. Looking at logs all day is great, but you can stare in the matrix so long before you want to get in the game. This single pane of glass allows us to look at information that's actionable.
A10 supports net devices. All our servers and all our end-users, after the firewall, are connecting to public IP addresses. That means the second box cannot see the source IP addresses. Users use internal IP addresses, but after the firewall, the firewall translates the IP addresses to the public. But A10 can recognize the same HTTPS traffic without looking to source IP addresses. A10 actually translates the port as well. For example, the HTTPS port is 443, and we translate it to a different port. The second box catches this port and then encrypts the traffic and sends it to the internet. This is one of the cool features which other vendors don't have. SSLi is also a local answer. We have several proxies in our environment, so we localized internet traffic between these proxies. Instead of getting a really huge proxy box, according to our size, we can use three boxes and share the traffic with A10's load-balancer feature.