A10 Networks Thunder SSLi Review

We used to have to bypass on the firewall, proxy, and IPS; now we can do it in one place

What is our primary use case?

We're using it for our SSL operation. A10 has a "sandwich model." There are two boxes, one of them is on our internal network and the other one is on our external network which is just in front of the internet router. The first box decrypts SSL traffic, HTTPS traffic, and the other box, in front of the router, encrypts again. Between these two boxes, all the HTTPS traffic is clear text, and all the devices between the two A10 devices see all the clear text which means they can intercept all the traps or all the applications.

We have a firewall, proxies, IPS, and some network deep-packet inspection devices all between two SSLi boxes so they can see the clear text traffic. They can intercept all traffic without decrypting and encrypting. The traffic is all ready for them.

We use it on-prem.

How has it helped my organization?

A10 fits our IT environment because we like to intercept some traffic at several points. For example, firewalls are doing threat interception and prevention. Our IPS also has some threat prevention features and, of course, it has IPS capabilities. Then, on the proxies, we're checking for malicious and suspicious websites. But when they are on HTTPS, if you don't intercept you cannot catch them. We can intercept all our HTTPS encrypted traffic with A10. That's the reason it fits us: Our security and network devices intercept all the HTTPS and SSL traffic on our network and security devices. A10 is a much better fit than other vendors' products in our organization.

Think about an example where one website, with a simple destination address, needs to be bypassed for SSL. Before, we had to do the bypass operation on the firewall, on the proxy, and also on the IPS. But with A10, we are doing it on just the A10 and nothing else. Also, all those other security devices managed SSL operations differently. So doing a bypass of that one URL on the firewall was different than bypassing it on the proxy. We were doing the same operation repeatedly on every single security device. Now, we just do it once and everything is ready for us. In a week if we have, say, ten bypass operations, which could take three hours, now it is less than one hour.

What is most valuable?

A10 supports net devices. All our servers and all our end-users, after the firewall, are connecting to public IP addresses. That means the second box cannot see the source IP addresses. Users use internal IP addresses, but after the firewall, the firewall translates the IP addresses to the public. But A10 can recognize the same HTTPS traffic without looking to source IP addresses. A10 actually translates the port as well. For example, the HTTPS port is 443, and we translate it to a different port. The second box catches this port and then encrypts the traffic and sends it to the internet. This is one of the cool features which other vendors don't have. 

SSLi is also a local answer. We have several proxies in our environment, so we localized internet traffic between these proxies. Instead of getting a really huge proxy box, according to our size, we can use three boxes and share the traffic with A10's load-balancer feature.

What needs improvement?

For us, it would be great if it supported SSL operations according to Active Directory users. For example, if we want to bypass one of the servers or a client's internet access for SSL interception, we have to do it according to the IP address. It would be better if we could do it according to the Active Directory username. A10 says they kind of support that but we haven't tested it.

Another thing is SNI. A10 intercepts all the traffic according to the SNI, the server name indicator. It would be better if it intercepted traffic according to the IP addresses. A10 can only understand that a website is within the banking category or the website is in the social media category, according to the SNI. Without SNI, there is no way to understand it; there is no bypass operation. It would be better if worked without SNI as well.

Also, the solution comes with web categories like banking and social media. There are suspicious URLs, malicious URLs, etc. It would be better if it had an application category as well. For example, it would be helpful if we had the chance to bypass all Office 365 applications: OneDrive, Skype, Outlook, etc. According to Microsoft, we need to bypass SSL for all Office 365 applications but we need to create custom categories and put all the Microsoft URLs in them and then we can bypass. It would be great if an application category could recognize Dropbox, for example. For now, we have to put the Dropbox URLs in one custom category and bypass them. Application categories could be very useful.

For how long have I used the solution?

We've been using SSLi for more than a year.

What do I think about the stability of the solution?

It is very stable on our site. We haven't had any blocks which have impacted all our traffic. We have had some minor things but they were not a big problem for us. For example, we upgraded several times for the new features we would like to run.

What do I think about the scalability of the solution?

We have very new boxes and we did a good job of sizing with the A10 team and our partner. It seems like it will serve us for three years, that we can go with these boxes for that long. We haven't had any scaling issues.

We will likely increase our usage because only A10 can support our SSL operations requirements with security devices. Other vendors don't support the same things that A10 does.

Which solution did I use previously and why did I switch?

In terms of support for our on-premise applications, we were doing SSL interception before, but we were doing it on several security boxes. For example, our firewall was doing SSL interception, and our proxies used to do SSL interception. Now we just have A10 doing that SSL interception.

The driver for looking at a solution like SSLi was that we were always doing SSL interception on our proxies. But then, we changed our firewalls and they had new features like threat prevention, application control, IPS — those kinds of security features. Also, our dedicated IPS was changed and our SSL traffic was increasing every single day.

Three or four years ago, our SSL traffic was something like 50 to 60 percent of our entire internet traffic. Now, SSL traffic is 90 percent because all the applications go to an encrypted, secure environment. That's what drove us to find a complete SSL solution, instead of doing every single security device separately. With the increase in SSL-encrypted traffic, we definitely needed something to manage this operation with one dedicated device.

How was the initial setup?

For our topology, the initial setup was complex. Overall, the setup operation is very easy. You put one box on your internal network, you put the other box on your external network, and then intercept traffic. What was complex in our topology was that we also had to load-balance our internet traffic between proxies. That was the tough point of our project. But that's not the fault of A10. It was something we requested. I am happy we had A10 to support that.

The design process was very long but the implementation took something like two weeks. Including the designing, it took two months.

Last year, we migrated our data center to a new data center and we implemented everything there with A10. Then we tested it and then we forwarded the traffic to the new data center. We didn't implement it directly in the production environments. We implemented it at first in a very clean environment, tested it, and then forwarded our users' and servers' traffic to the A10 environment.

What about the implementation team?

We have a partner in Turkey called Netsys. We implemented A10 with them. A10 Turkey supported us as well, especially in the design phase, as that was the hardest part of the project for us.

There were five people involved. 

What was our ROI?

It has been a good investment. We used to have six proxies to handle our internet traffic and for SSL interception. But the SSL interception was a very CPU-based operation. Since the A10 implementation, we have decreased the number of proxies to three. They are not doing SSL operations now and their CPU resources are much more available for other operations. It could happen for other devices: our firewall, our IPS. But last year, with our data center migration, we didn't look at their resource usage because the data center migration was a huge project. There was a possibility of missing our SLAs and our company wouldn't accept that. Instead of lift-and-shift, they said we should set up the new data center and then forward the traffic there without an SLA-out. That's the reason we couldn't investigate how we can save resources on other boxes. I believe it could work the same way the proxies did.

By not renewing six proxy boxes, rather just three of them, it saved over $100,000. It could even be more than that.

What's my experience with pricing, setup cost, and licensing?

Our boxes are only dedicated to the SSL operation. We only have a subscription license for them because some of the URL categories need to be bypassed, such as banks or healthcare access.

Which other solutions did I evaluate?

We demo'ed Blue Coat SSL Visibility. It doesn't support net devices because it needs to see all the source IP addresses. It encrypts and decrypts the traffic according to the source IP address, but after the firewall, the source IP address changes. So it can't catch the same traffic, encrypt it again, and send it to the internet. This was the main difference as far as our project goes.

Another difference is that Blue Coat is not a local answer.

What other advice do I have?

For SSL operations, if you need to intercept traffic and cover all your security network devices, it is better to use A10. It can support all SAN boxes, proxies, net devices, and all IPS devices. If you need traffic load-balancing between security devices - proxies, firewalls - A10 has a really good and a strong local-answer feature. It's good for that as well.

SSLi is a very powerful device. It has many features and to get them configured is kind of tough. I cannot say it is easy to use, but I can say that it was successful in accomplishing our project.

We don't use the solution's visibility controller because after we decrypt the traffic we send it to other security devices which give us the visibility. Our A10 solution has no connection with containers. We don't use a lot of the features it has. We use it just to decrypt and encrypt all of our outbound internet traffic. We have something like 9,000 users and more than 2,000 servers. We use A10 for all those users' access to the internet.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.