A10 Networks Thunder SSLi Review

Enables our content filter to do its job without any noticeable delay


What is our primary use case?

The world of internet traffic is ever-changing. More and more companies are increasing security for their clients, which is counterproductive to what this appliance is supposed to be doing. The devices in question, the Thunder SSLi's, are decryption appliances, among other things. They do things other than decryption but what we bought them for was decryption. They sit in-line in the network, in the middle of the traffic, between servers and the clients, and they decrypt the encrypted traffic and send it to a specific location for processing. The traffic is then sent back and re-encrypted. This way, the user, who was going to some dot-com site, won't know that the website was intercepted, decrypted, looked at, and then cleared for delivery. This helps a lot in trying to identify sites that have malware because, if you can't see the traffic, you don't know what's inside of it.

How has it helped my organization?

This is definitely a better way to go. When you have a dedicated device for SSL decryption, you're not sharing any of the resources to power anything else. When one of the competitors let us demo their unit, we turned on their decryption, but it was also doing the content filtering, the categorizations, and other things. That device could not handle the amount of traffic that we had. It turns out that the solutions that we have in place, between our content filter and the A10s, is definitely the way to go, at least for our size organization.

When you have the ability to decrypt the traffic, you can present a better security posture, which is fundamentally a good thing for a corporation. And in the education field, which is where our organization operates, it has the added benefit that if we have students going to websites that are encrypted via SSL, the content filter won't know what to do with those and sometimes will let them through or sometimes will block them, in error. But by decrypting the traffic, the content filter is able to see it and is able to work its policies on that decrypted traffic. All of this is done without the end-user knowing what's going on.

What is most valuable?

Its most valuable feature is its ability to do its job accurately, effectively, and very quickly. The amount of traffic that we have going through our system is astounding. We have 6,900 students and about 1,100 staff members. Most of our teachers and staff are connecting through our system. You add to that all the cell phones, the iPads, and all the computers, and then each individual website's connection, that's a lot of traffic in a period of one second. The delay with the SSL decryption turned on is almost unnoticeable. That is great because most SSL decryption solutions — a couple of competitors we did try — their devices crashed as soon as we turned decryption on.

What needs improvement?

There is one thing I would like to see changed. In their features for setting things up, there is a templating system that would normally assist clients. However, we had a better time setting up the device either through the command line or through the interface and not using the templates that were pre-installed. So there is room for improvement to the templates for initial installation.

For how long have I used the solution?

We've been using Thunder SSLi for about three-and-a-half years.

What do I think about the stability of the solution?

In the span of three-and-a-half years, we have hardly had any issues.

We had the initial setup issue, but you'll have that with any device that you put into a large network like ours. But once those issues were identified and taken care of, we turned it on and we forgot that we even had it.

What do I think about the scalability of the solution?

It's definitely scalable. However, there are inherent limitations based upon the particular organization. If you're a relatively small organization like ours, the amount of traffic that we generate is good for the device version that we have. However, we did have experience with the version that is less powerful than the one we have now, and that device could not handle our environment. So there are definitely environmental concerns that you have to take into consideration before you select and purchase one of the A10 appliances. You need to make sure that you have enough power for the amount of traffic that you're going to be supporting.

How are customer service and technical support?

The support is very good. We had an open ticket during the entire installation process and, even though we were busy in our day-to-day operations, the technician assigned to support us would check in with us every couple of weeks. He would send an email and say, "How is it going? Is the device up and running? What are the issues? What can we do to fix it?"

I never felt like I was left on my own or abandoned. They were always there to offer support and that's one thing that we value. We tend to do things on our own a lot and try to figure things out, but when we can't, it's nice to have somebody in a team of people who is able to look at our individual problem and come up with a customized solution for our environment.

Which solution did I use previously and why did I switch?

We acquired the Thunder SSLi units when we got one of our content filters and needed to have the decryption in-line so that our content filter could see all of the traffic coming through and do what it needs to do for the rules that we had set up for it.

We had attempted to use built-in solutions within different content filters, but the amount of SSL traffic made it near impossible to keep the content filters online with the SSL decryption turned on. That's the primary reason we switched to A10. In fact, the content filter that we're using right now supports SSL decryption. However, it does not have the processing power to handle the load that the SSL puts on the device. So every time we had turned on SSL decryption on that appliance, the appliance crashed and internet traffic was no longer filtered, and it took us a little while to get everything back online.

How was the initial setup?

The setup was a little challenging, but the company, A10 Networks, was very willing to help and very present during the entire phase of the setup. They even helped us mitigate certain issues and new challenges we presented to them as a new customer. They were completely willing to work with us through all our issues to get us up and running. And once everything was up and running, we turned it on. Until we were presented a minor issue related to how the unit works, we forgot that we had turned it on. That's how well it was doing its job.

We haven't had to use the solution's traffic flow management capabilities to troubleshoot traffic flow issues, but to diagnose issues that came up during the setup, the built-in utilities and some of the display infographics in the user interface definitely assisted in identifying first that there was a problem, and second where to go find a solution for the problem.

Because we were busy and deep into other projects, our deployment was a little bit longer than most. We had about a year's worth of deployment time.

Initially, our deployment plan was to get the device up and running by using the templates and A10 was helping us do that. That's where we discovered the first issue, but the company worked with us to get everything straightened out and fixed. Once the issues were identified and resolved, then it was trial and error to get the right combination of settings for our environment. Once we achieved that, we were good to go.

It took three people to deploy and one person to maintain it. The three people are me and two engineers with our company. I'm also the person who manages it as the systems administrator.

What was our ROI?

We have seen a return on our investment. Thunder SSLi is definitely something that has helped us prevent certain types of attacks that come through in malware events and the like.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs, yearly, are just under $15,000.

The licensing that we have is based upon what we need to do more than anything else. We have a URL categorization license and an SSL decryption license. As far as limits on the amount of traffic go, I'm not aware that our license is built that way.

Outside of the cost for the devices, there are no additional costs to the standard licensing fees. Your initial cost of acquisition is obviously going to be more than $15,000, but the cost of ownership is around $15,000 for the version and the licensing that we have.

Which other solutions did I evaluate?

We did not evaluate other, standalone SSL decryption appliances. We have a vendor who looks at a lot of the things in the IT world and who reports their best assessment to us, based upon what their engineers are looking at. Based on the size of our organization and their experience with us, they pointed us in this direction.

What other advice do I have?

My advice is to rely on the tech support. They're there to help and they will not abandon you. Their engineering team is very good at what it does. They're definitely going to work out — in their own environment — any issues you may have during your installation, and will find a solution and help you implement that solution, so that you're not left with a very expensive paperweight.

The biggest lesson I have learned from using SSLi is that the internet is still changing. It is getting more secure, relatively speaking, and from an administrator's standpoint, because it's getting more secure, it's getting harder to protect the end-users from malicious activity and from themselves. The Thunder SSLi appliances definitely help us maintain a better security posture so that we don't have problems.

If you look at it from a different point of view, it's kind of scary that these appliances actually exist, but they exist for a good reason. The good reason is that we need to be secure in our lives and sometimes, as a corporation, you need to protect your assets, and this is one device that can definitely help protect your assets.

There are several models. We have the second-tier edition. We have a pair. One device is set as incoming traffic and the other device is set as outgoing traffic. They're running on the latest firmware as of a year-and-a-half ago. This is one of those devices that, once you turn it on and it's functioning properly, you'll forget that you have it. And as long as the code was good when you started using it, until something major changes, you never really have to go into it to look at anything that's going on.

It doesn't necessarily update automatically, but the device works so well that, until something major in the world changes in SSL traffic, there's really no reason for you to go in there and make any updates. Sometimes you'll come across a bug where you'll have to go in and make those changes, but that's true of any device.

In terms of efficiency of operations, this type of solution it will slow things down a little bit, but that's the nature of SSL decryption. However, the effect that it has is what I would call net-neutral. When the device is turned on, there's really no noticeable impact to the end-user. That is really important to us because we have a lot of media delivery from YouTube for the classes. We have a lot of business applications and learning applications that need timely content delivery. The benefit far outweighs the efficiency hits that we took on traffic flow.

It's been a little while since I've been in to configure the product, but as far as improvements go there really isn't much needed. The product is on track for a really good run.

Based on the experiences with the setup, I'd have to give the solution a nine out of 10. It's not a 10 because the templates and the initial setup are a little odd, but because the support is there, I'll give it a nine.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Guest