A10 Networks Thunder SSLi Review

The SSL decryption successfully decrypts at a rate that has minimal to no impact on our end users

What is our primary use case?

  • SSL encryption
  • SSL decryption
  • Traffic inspection
  • Content inspection

We also have the Thunder SSLi Harmony Controller, which is used for encrypted attacks and inspecting encrypted traffic.

Our primary mission is to ensure students are safe. This is a key component in ensuring the safety of our students, client family, and the people who work within our district's boundaries.

We use the most up-to-date version, as we keep our firmware updated. We are using its on-premise hardware.

How has it helped my organization?

It changed the way that we treat external traffic. Before this solution, students used VPNs and proxies. They could do whatever they wanted and we would never know which traffic was going outside. We had to replace another solution because it just wasn't up to the same capacity load that A10s were. That dedicated card is huge. It hardened our network. 

The only certification that the Consortium for School Networking (CoSN) issues for school networks is the Trusted Learning Environment (TLE). The TLE is simply a network hardening solution. By implementing this solution, not only did we harden our network and protect our students, but also we were one step closer to coming into compliance with the Consortium for School Networking globally.

I would assess the solution's security features very highly. Recently Texas passed Senate Bill 820, which requires us to adopt a security framework and put in security measures to meet the current risks and threats to government entities. This was an integral part to fill that gap. We are very pleased with the security aspect that the equipment brings to us. We plan on continuing to leverage its security capacity to meet the needs of our security environment.

The reason why A10 supports that security mission set so critically is because, at Klein, one of the big things we have done is be an innovator and market leader in adopting technology and using it in the classroom. This is important because we are trying to instill a sense of digital citizenship in each one of our students. So, when they exit, they understand the importance of their data and identities. Then, as they go into this new world, they are less susceptible to identity theft and cybercrimes. By being able to decrypt this information, it allows us to curb unwanted or risky behavior. We have had several bad hackers attempt to get into the network and our A10 has been critical in using packet captures to stop them before they could do something bad.

Our students and staff are better protected because they don't have to worry about encrypted attacks or threats. We provide them with the computer and Internet, taking ownership of the experience from end-to-end.

In the IT environment, we are always asked to do more with less using the available resources that we have. Therefore, we have to work as efficiently as possible. Part of the scoring criteria with a solution coming in was how we could mitigate some of those workloads and consolidate them into a single appliance. Anytime that we can create efficiencies which allow our folks to focus on other tasks, we are more successful. In this case, this appliance has enabled us to do that.

What is most valuable?

With the Thunder SSLi, we're better protected. We can stop use of VPN and proxies. We are better protected against dirty traffic coming back to our schools. Having a secure decrypt zone with the equipment lowers the chances that our security infrastructure could possibly miss an attack. 

It gives us insight into the actual traffic that a student is following. What's the value of identifying possible risks or possible intent based on unencrypted traffic where you have insight to what the student's intent may be? E.g., anonymous bully reporting. It's invaluable to be able to leverage that insight and data to maybe bring help or avert a possible bad circumstance. It's something that's very important to us that this type of system gives us insight into that.

In terms of ease of use, it's fairly simple. My analysts tell me that they don't mind getting in there. It was something new that we had to throw on their plate. Every time you add a new element and a new level of complexity, your analysts will look at you like you're crazy. Our plan was originally to use our native firewalls to do the decryption. Unfortunately, that was a feature set which was added on afterward. It just ended up bogging down our system. That is the reason why we had to add the extra hardware. Once the team understood that, the UI was intuitive and a huge help.

We use the solution’s Harmony analytics and visibility controller. We have been able to proactively engage and deescalate situations with it. 

We love Harmony’s traffic management capabilities because it is centralized management. It has a rich analytics capability. This allows us insight into the aggregate performance of all the boxes, so we can possibly leverage any resources available to enhance the environment.

We love the single pane of glass traffic management. Single pane of glass is huge, centralized logging. It is the buzzword that everyone is talking about right now, except what nobody seems to take into consideration, is that an analyst only has two eyes. The administration piece of it is huge. It allows us to not just look and get the information, but also cipher it, which is actionable. Looking at logs all day is great, but you can stare in the matrix so long before you want to get in the game. This single pane of glass allows us to look at information that's actionable.

What needs improvement?

I would like them to have a better UI (better universal design). Better never stops.

For how long have I used the solution?

We have been using the solution for about a year. I've only been the steward of it for the past eight months.

What do I think about the stability of the solution?

The stability is excellent. We have had no stability issues in 12 months.

It is about uptime and availability to our end users. As of today, there has been zero impact, which is how we support our customers.

We have two analysts (a senior analyst and junior analyst) who monitor and support the A10.

What do I think about the scalability of the solution?

It has met all of our main needs. We are now looking for other ways to leverage it. As we consolidate our infrastructure and move toward a more efficient way of doing business, we're always looking for ways we can leverage the A10 in other ways: everything from load balancing to web application firewall. Outside of our immediate needs, there's nothing the equipment or system hasn't been able to do at the moment. As far as scalability, it meets our needs and our foreseeable needs.

We currently have over 53,000 students and 6500 staff that can sometimes balloon up to 7000. We have over 80,000 endpoints. We support a one-to-one initiative where students are issued devices that they take home, but are connected to our network. These number in over 35,000. It's a very robust environment.

It is paramount to have that single pane of glass with up to two million concurrent SSL sessions. It would be a management issue just being able to deal with that sheer volume at the enterprise level that we work at with the number of resources available to our department if we did not have that capacity.

How are customer service and technical support?

We've been supported just fine.

For support, just because something hasn't failed doesn't mean support won't respond. Sometimes, we'll ask support to see if something is feasible or how they would recommend doing something. 

We always pay for support. Any organization of our size who doesn't is asking for problems. The support that we've had has all been positive. They've been very responsive. The caveat that we do have is an integrator, and we tend to try to leverage that relationship before we go straight to the manufacturer.

Which solution did I use previously and why did I switch?

SSL decryption was one of the biggest pieces that we took advantage of. We originally tried to do SSL decryption through our firewalls. Because of our size, we currently support over 67,000 customers with over 80,000 endpoint devices (between students and staff). The previous configuration could not handle that traffic. It could not decrypt fast enough. When we went with the A10 solution, we were able to overcome those challenges. We are currently able to successfully decrypt at a rate that has minimal to no impact on our end users.

Last year, we identified a need within the district to shore up some security shortcomings and consolidate some of our efforts. That is when we went out to look for a device that could meet our requirements. It has been about a year since the closing of the competitive bid and procuring the device.

The previous solution that we had couldn't handle our throughput. Our content filter hits 94 terabytes a week, and we are filtering out 4.5 petabytes annually. That is just external web traffic. By virtue of the metrics alone, I have been impressed with the A10.

Also, the previous solution didn't have separated individual cards for decryption. Therefore, our extensive traffic was throttling that device and bogging down the entire network. That's why we had to go out and find a dedicated SSLI solution.

Operationally and organizationally, A10 has made one huge impact. Our previous solution required a bit of cross functionality between three teams: my team and the infrastructure team, networking along with servers, and application and application development. By using the A10, we have been able to get rid of that legacy equipment. Now, it solely resides within the network operations team. Procedurally and policy-wise, it's been a huge change because it's allowed it to leverage its capabilities and put it under the purview of one team. It has decreased ticket time and increased response time. We are more proactive with this solution.

We use a COBIT framework. Even though it resides under my purview, we're still supported by the other two teams. I take responsibility, but have accountability, consulting, and information that is shared between the three teams. It makes it much simpler for my team to be able to take action. We are still cross-functional, but it streamlines the ticket assignment.

How was the initial setup?

The initial setup was very simple.

What about the implementation team?

We leveraged our institute business partner and integrator Layer 3 Communications. Therefore, the initial setup was very simple internally. From a project management point of view, they are amazing to work with. They stand by their work. Once they got the A10 into place, we did a stress test. It worked as intended.

A unique aspect of this deployment was Layer 3 Communications' familiarity with our environment and infrastructure. They were able to configure and set this equipment up in a sandbox outside of our environment, run it, configure it, and match what our requirements would be inside. Then, once they were ready to deliver, it was a seamless transition. It was plug and play, which made the job on our end a lot easier, and was deeply appreciated.

What was our ROI?

The true measure of a solution is what impact to our customer does it have. In the past year, we have had zero impact. That is what matters the most.

The ROI is still maturing because of its ability to leverage some capabilities that weren't necessarily the initial intent. I think the jury's out on total. I can only expect it to go up. I don't think we have a hard number we could give you today on ROI. From a system-wide perspective, we know what's going to be in the positive.

A lot of what we do in technology are soft benefits. E.g., what's the going value for a five-year-old's social security number on the dark web? What's the going value for a school administrator's credit card number? Louisiana just declared a state of emergency because they had three schools get attacked by ransomware. With our data segmentation in our Thunder SSLi, we don't have those same concerns. Those extra two hours a night that I get to sleep, how do I quantify that?

What's my experience with pricing, setup cost, and licensing?

When you purchase the equipment, you purchase the licensing and warranty. It's all fairly standard. We haven't been caught with anything surprising.

Which other solutions did I evaluate?

There was a competitive process that went to bid.

What other advice do I have?

Before you go with any product, especially when it comes to security and the ability to shore up initiatives, sit down and do a gap analysis. Understand the environment before moving forward. Sometimes, we become very reactionary and need to fill the gaps. We find an appliance that will fit the gap immediately, and then we're left eight years down the road trying to build upon that solution. My advice is make sure to understand your current needs, project your future needs in an efficient way, and that they are grounded in the actual data. That is what we did, partnered with our integrator and our outstanding infrastructure staff. We were able to do an assessment. Get stakeholder buy-in. With security, it's hard to convey the message, especially to stakeholders who are funding the initiative. Making sure they have buy-in and understand the needs will take you well beyond just the anticipated short-term gains since the security area tends to be a very reactionary sector. You can spend a lot of time firefighting instead of focusing on how you can leverage your capacity to grow.

We use it every second of every day (24/7). We currently have plans to leverage it in more areas because it has been so reliable. The next thing we are looking at is utilizing its web application firewall in conjunction with our on-premise firewalls.

It reinforces some of our processes and relationships with not only vendors, but also integrators and then staff. Klein ISD tends to be a leader. We tend to be early adopters. We look at technology and are not afraid of it. We like to find ways to have it enhance what we are doing. At Klein, we're here to support students and teachers. Anything we could do to enhance that relationship and expand the knowledge transfer from a teacher to a student. We're here to support that. By doing this, it helps make us better digital citizens. Our students will not graduate and get caught unaware by a ransomware attack. That's not our goal. Our goal is to support the students and their learning experience, making sure that we're doing our part in bringing promise to purpose.

We are comfortable with the equipment and are enjoying using it. We don't regret the purchase. We look forward to seeing how they adapt to the new requirements. We try not to use the change word around here since change is scary. Nobody changes for change's sake. We always respond to outside stimuli. I don't know any company who doesn't adapt. As long as A10 continues to knock it out of the park, we're happy to be in business with them.

We are not using the solution’s support for expanding infrastructure to public, private, and hybrid cloud. We have talked about migrating some of our other equipment, but are not implementing it currently.

We are not using Kubernetes at the moment.

Which version of this solution are you currently using?

Thunder SSLi

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.