
A10 Networks Thunder SSLi Overview

What is A10 Networks Thunder SSLi?

SSL encrypted traffic is growing, rendering most security devices ineffective.
Gain visibility into encrypted traffic with SSL Insight and stop potential threats.

A10 Networks Thunder SSLi was previously known as Thunder SSLi.

A10 Networks Thunder SSLi Customers

Klein Independent School District

Archived A10 Networks Thunder SSLi Reviews (more than two years old)

Data Center Network Engineer at Bridgeton Board of Education and Public Schools
Real User
Enables our content filter to do its job without any noticeable delay
Pros and Cons
  • "Its most valuable feature is its ability to do its job accurately, effectively, and very quickly. The amount of traffic that we have going through our system is astounding... The delay with the SSL decryption turned on is almost unnoticeable."
  • "There is one thing I would like to see changed. In their features for setting things up, there is a templating system that would normally assist clients. However, we had a better time setting up the device either through the command line or through the interface and not using the templates that were pre-installed. So there is room for improvement to the templates for initial installation."

What is our primary use case?

The world of internet traffic is ever-changing. More and more companies are increasing security for their clients, which is counterproductive to what this appliance is supposed to be doing. The devices in question, the Thunder SSLi's, are decryption appliances, among other things. They do things other than decryption but what we bought them for was decryption. They sit in-line in the network, in the middle of the traffic, between servers and the clients, and they decrypt the encrypted traffic and send it to a specific location for processing. The traffic is then sent back and re-encrypted. This way, the user, who was going to some dot-com site, won't know that the website was intercepted, decrypted, looked at, and then cleared for delivery. This helps a lot in trying to identify sites that have malware because, if you can't see the traffic, you don't know what's inside of it.

How has it helped my organization?

This is definitely a better way to go. When you have a dedicated device for SSL decryption, you're not sharing any of the resources to power anything else. When one of the competitors let us demo their unit, we turned on their decryption, but it was also doing the content filtering, the categorizations, and other things. That device could not handle the amount of traffic that we had. It turns out that the solutions that we have in place, between our content filter and the A10s, is definitely the way to go, at least for our size organization.

When you have the ability to decrypt the traffic, you can present a better security posture, which is fundamentally a good thing for a corporation. And in the education field, which is where our organization operates, it has the added benefit that if we have students going to websites that are encrypted via SSL, the content filter won't know what to do with those and sometimes will let them through or sometimes will block them, in error. But by decrypting the traffic, the content filter is able to see it and is able to work its policies on that decrypted traffic. All of this is done without the end-user knowing what's going on.

What is most valuable?

Its most valuable feature is its ability to do its job accurately, effectively, and very quickly. The amount of traffic that we have going through our system is astounding. We have 6,900 students and about 1,100 staff members. Most of our teachers and staff are connecting through our system. You add to that all the cell phones, the iPads, and all the computers, and then each individual website's connection, that's a lot of traffic in a period of one second. The delay with the SSL decryption turned on is almost unnoticeable. That is great because most SSL decryption solutions — a couple of competitors we did try — their devices crashed as soon as we turned decryption on.

What needs improvement?

There is one thing I would like to see changed. In their features for setting things up, there is a templating system that would normally assist clients. However, we had a better time setting up the device either through the command line or through the interface and not using the templates that were pre-installed. So there is room for improvement to the templates for initial installation.

For how long have I used the solution?

We've been using Thunder SSLi for about three-and-a-half years.

What do I think about the stability of the solution?

In the span of three-and-a-half years, we have hardly had any issues.

We had the initial setup issue, but you'll have that with any device that you put into a large network like ours. But once those issues were identified and taken care of, we turned it on and we forgot that we even had it.

What do I think about the scalability of the solution?

It's definitely scalable. However, there are inherent limitations based upon the particular organization. If you're a relatively small organization like ours, the amount of traffic that we generate is good for the device version that we have. However, we did have experience with the version that is less powerful than the one we have now, and that device could not handle our environment. So there are definitely environmental concerns that you have to take into consideration before you select and purchase one of the A10 appliances. You need to make sure that you have enough power for the amount of traffic that you're going to be supporting.

How are customer service and support?

The support is very good. We had an open ticket during the entire installation process and, even though we were busy in our day-to-day operations, the technician assigned to support us would check in with us every couple of weeks. He would send an email and say, "How is it going? Is the device up and running? What are the issues? What can we do to fix it?"

I never felt like I was left on my own or abandoned. They were always there to offer support and that's one thing that we value. We tend to do things on our own a lot and try to figure things out, but when we can't, it's nice to have somebody in a team of people who is able to look at our individual problem and come up with a customized solution for our environment.

Which solution did I use previously and why did I switch?

We acquired the Thunder SSLi units when we got one of our content filters and needed to have the decryption in-line so that our content filter could see all of the traffic coming through and do what it needs to do for the rules that we had set up for it.

We had attempted to use built-in solutions within different content filters, but the amount of SSL traffic made it near impossible to keep the content filters online with the SSL decryption turned on. That's the primary reason we switched to A10. In fact, the content filter that we're using right now supports SSL decryption. However, it does not have the processing power to handle the load that the SSL puts on the device. So every time we had turned on SSL decryption on that appliance, the appliance crashed and internet traffic was no longer filtered, and it took us a little while to get everything back online.

How was the initial setup?

The setup was a little challenging, but the company, A10 Networks, was very willing to help and very present during the entire phase of the setup. They even helped us mitigate certain issues and new challenges we presented to them as a new customer. They were completely willing to work with us through all our issues to get us up and running. And once everything was up and running, we turned it on. Until we were presented a minor issue related to how the unit works, we forgot that we had turned it on. That's how well it was doing its job.

We haven't had to use the solution's traffic flow management capabilities to troubleshoot traffic flow issues, but to diagnose issues that came up during the setup, the built-in utilities and some of the display infographics in the user interface definitely assisted in identifying first that there was a problem, and second where to go find a solution for the problem.

Because we were busy and deep into other projects, our deployment was a little bit longer than most. We had about a year's worth of deployment time.

Initially, our deployment plan was to get the device up and running by using the templates and A10 was helping us do that. That's where we discovered the first issue, but the company worked with us to get everything straightened out and fixed. Once the issues were identified and resolved, then it was trial and error to get the right combination of settings for our environment. Once we achieved that, we were good to go.

It took three people to deploy and one person to maintain it. The three people are me and two engineers with our company. I'm also the person who manages it as the systems administrator.

What was our ROI?

We have seen a return on our investment. Thunder SSLi is definitely something that has helped us prevent certain types of attacks that come through in malware events and the like.

What's my experience with pricing, setup cost, and licensing?

Our licensing costs, yearly, are just under $15,000.

The licensing that we have is based upon what we need to do more than anything else. We have a URL categorization license and an SSL decryption license. As far as limits on the amount of traffic go, I'm not aware that our license is built that way.

Outside of the cost for the devices, there are no additional costs to the standard licensing fees. Your initial cost of acquisition is obviously going to be more than $15,000, but the cost of ownership is around $15,000 for the version and the licensing that we have.

Which other solutions did I evaluate?

We did not evaluate other, standalone SSL decryption appliances. We have a vendor who looks at a lot of the things in the IT world and who reports their best assessment to us, based upon what their engineers are looking at. Based on the size of our organization and their experience with us, they pointed us in this direction.

What other advice do I have?

My advice is to rely on the tech support. They're there to help and they will not abandon you. Their engineering team is very good at what it does. They're definitely going to work out — in their own environment — any issues you may have during your installation, and will find a solution and help you implement that solution, so that you're not left with a very expensive paperweight.

The biggest lesson I have learned from using SSLi is that the internet is still changing. It is getting more secure, relatively speaking, and from an administrator's standpoint, because it's getting more secure, it's getting harder to protect the end-users from malicious activity and from themselves. The Thunder SSLi appliances definitely help us maintain a better security posture so that we don't have problems.

If you look at it from a different point of view, it's kind of scary that these appliances actually exist, but they exist for a good reason. The good reason is that we need to be secure in our lives and sometimes, as a corporation, you need to protect your assets, and this is one device that can definitely help protect your assets.

There are several models. We have the second-tier edition. We have a pair. One device is set as incoming traffic and the other device is set as outgoing traffic. They're running on the latest firmware as of a year-and-a-half ago. This is one of those devices that, once you turn it on and it's functioning properly, you'll forget that you have it. And as long as the code was good when you started using it, until something major changes, you never really have to go into it to look at anything that's going on.

It doesn't necessarily update automatically, but the device works so well that, until something major in the world changes in SSL traffic, there's really no reason for you to go in there and make any updates. Sometimes you'll come across a bug where you'll have to go in and make those changes, but that's true of any device.

In terms of efficiency of operations, this type of solution will slow things down a little bit, but that's the nature of SSL decryption. However, the effect that it has is what I would call net-neutral. When the device is turned on, there's really no noticeable impact to the end-user. That is really important to us because we have a lot of media delivery from YouTube for the classes. We have a lot of business applications and learning applications that need timely content delivery. The benefit far outweighs the efficiency hits that we took on traffic flow.

It's been a little while since I've been in to configure the product, but as far as improvements go there really isn't much needed. The product is on track for a really good run.

Based on the experiences with the setup, I'd have to give the solution a nine out of 10. It's not a 10 because the templates and the initial setup are a little odd, but because the support is there, I'll give it a nine.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Enterprise Security Manager at a mining and metals company with 5,001-10,000 employees
Real User
We used to have to bypass on the firewall, proxy, and IPS; now we can do it in one place
Pros and Cons
  • "We have several proxies in our environment, so we localized internet traffic between these proxies. Instead of getting a really huge proxy box, according to our size, we can use three boxes and share the traffic with A10's load-balancer feature."
  • "It would be great if it supported SSL operations according to Active Directory users. For example, if we want to bypass one of the servers or a client's internet access for SSL interception, we have to do it according to the IP address. It would be better if we could do it according to the Active Directory username. A10 says they kind of support that but we haven't tested it."

What is our primary use case?

We're using it for our SSL operation. A10 has a "sandwich model." There are two boxes, one of them is on our internal network and the other one is on our external network which is just in front of the internet router. The first box decrypts SSL traffic, HTTPS traffic, and the other box, in front of the router, encrypts again. Between these two boxes, all the HTTPS traffic is clear text, and all the devices between the two A10 devices see all the clear text which means they can intercept all the traps or all the applications.

We have a firewall, proxies, IPS, and some network deep-packet inspection devices all between two SSLi boxes so they can see the clear text traffic. They can intercept all traffic without decrypting and encrypting. The traffic is all ready for them.

We use it on-prem.

How has it helped my organization?

A10 fits our IT environment because we like to intercept some traffic at several points. For example, firewalls are doing threat interception and prevention. Our IPS also has some threat prevention features and, of course, it has IPS capabilities. Then, on the proxies, we're checking for malicious and suspicious websites. But when they are on HTTPS, if you don't intercept you cannot catch them. We can intercept all our HTTPS encrypted traffic with A10. That's the reason it fits us: Our security and network devices intercept all the HTTPS and SSL traffic on our network and security devices. A10 is a much better fit than other vendors' products in our organization.

Think about an example where one website, with a simple destination address, needs to be bypassed for SSL. Before, we had to do the bypass operation on the firewall, on the proxy, and also on the IPS. But with A10, we are doing it on just the A10 and nothing else. Also, all those other security devices managed SSL operations differently. So doing a bypass of that one URL on the firewall was different than bypassing it on the proxy. We were doing the same operation repeatedly on every single security device. Now, we just do it once and everything is ready for us. In a week if we have, say, ten bypass operations, which could take three hours, now it is less than one hour.

What is most valuable?

A10 supports net devices. All our servers and all our end-users, after the firewall, are connecting to public IP addresses. That means the second box cannot see the source IP addresses. Users use internal IP addresses, but after the firewall, the firewall translates the IP addresses to the public. But A10 can recognize the same HTTPS traffic without looking to source IP addresses. A10 actually translates the port as well. For example, the HTTPS port is 443, and we translate it to a different port. The second box catches this port and then encrypts the traffic and sends it to the internet. This is one of the cool features which other vendors don't have. 

SSLi is also a local answer. We have several proxies in our environment, so we localized internet traffic between these proxies. Instead of getting a really huge proxy box, according to our size, we can use three boxes and share the traffic with A10's load-balancer feature.

What needs improvement?

For us, it would be great if it supported SSL operations according to Active Directory users. For example, if we want to bypass one of the servers or a client's internet access for SSL interception, we have to do it according to the IP address. It would be better if we could do it according to the Active Directory username. A10 says they kind of support that but we haven't tested it.

Another thing is SNI. A10 intercepts all the traffic according to the SNI, the server name indicator. It would be better if it intercepted traffic according to the IP addresses. A10 can only understand that a website is within the banking category or the website is in the social media category, according to the SNI. Without SNI, there is no way to understand it; there is no bypass operation. It would be better if it worked without SNI as well.

Also, the solution comes with web categories like banking and social media. There are suspicious URLs, malicious URLs, etc. It would be better if it had an application category as well. For example, it would be helpful if we had the chance to bypass all Office 365 applications: OneDrive, Skype, Outlook, etc. According to Microsoft, we need to bypass SSL for all Office 365 applications but we need to create custom categories and put all the Microsoft URLs in them and then we can bypass. It would be great if an application category could recognize Dropbox, for example. For now, we have to put the Dropbox URLs in one custom category and bypass them. Application categories could be very useful.

For how long have I used the solution?

We've been using SSLi for more than a year.

What do I think about the stability of the solution?

It is very stable on our site. We haven't had any blocks which have impacted all our traffic. We have had some minor things but they were not a big problem for us. For example, we upgraded several times for the new features we would like to run.

What do I think about the scalability of the solution?

We have very new boxes and we did a good job of sizing with the A10 team and our partner. It seems like it will serve us for three years, that we can go with these boxes for that long. We haven't had any scaling issues.

We will likely increase our usage because only A10 can support our SSL operations requirements with security devices. Other vendors don't support the same things that A10 does.

Which solution did I use previously and why did I switch?

In terms of support for our on-premise applications, we were doing SSL interception before, but we were doing it on several security boxes. For example, our firewall was doing SSL interception, and our proxies used to do SSL interception. Now we just have A10 doing that SSL interception.

The driver for looking at a solution like SSLi was that we were always doing SSL interception on our proxies. But then, we changed our firewalls and they had new features like threat prevention, application control, IPS — those kinds of security features. Also, our dedicated IPS was changed and our SSL traffic was increasing every single day.

Three or four years ago, our SSL traffic was something like 50 to 60 percent of our entire internet traffic. Now, SSL traffic is 90 percent because all the applications go to an encrypted, secure environment. That's what drove us to find a complete SSL solution, instead of doing every single security device separately. With the increase in SSL-encrypted traffic, we definitely needed something to manage this operation with one dedicated device.

How was the initial setup?

For our topology, the initial setup was complex. Overall, the setup operation is very easy. You put one box on your internal network, you put the other box on your external network, and then intercept traffic. What was complex in our topology was that we also wanted to load-balance our internet traffic between proxies. That was the tough point of our project. But that's not the fault of A10. It was something we requested. I am happy we had A10 to support that.

The design process was very long but the implementation took something like two weeks. Including the designing, it took two months.

Last year, we migrated our data center to a new data center and we implemented everything there with A10. Then we tested it and then we forwarded the traffic to the new data center. We didn't implement it directly in the production environments. We implemented it at first in a very clean environment, tested it, and then forwarded our users' and servers' traffic to the A10 environment.

What about the implementation team?

We have a partner in Turkey called Netsys. We implemented A10 with them. A10 Turkey supported us as well. Especially in the design phase, as that was the hardest part of the project for us.

There were five people involved. 

What was our ROI?

It has been a good investment. We used to have six proxies to handle our internet traffic and for SSL interception. But the SSL interception was a very CPU-based operation. Since the A10 implementation, we have decreased the number of proxies to three. They are not doing SSL operations now and their CPU resources are much more available for other operations. It could happen for other devices: our firewall, our IPS. But last year, with our data center migration, we didn't look at their resource usage because the data center migration was a huge project. There was a possibility of missing our SLAs and our company wouldn't accept that. Instead of lift-and-shift, they said we should set up the new data center and then forward the traffic there without an SLA-out. That's the reason we couldn't investigate how we can save resources on other boxes. I believe it could work the same way the proxies did.

By not renewing six proxy boxes, rather just three of them, it saved over $100,000. It could even be more than that.

What's my experience with pricing, setup cost, and licensing?

Our boxes are only dedicated to the SSL operation. We only have a subscription license for them because some of the URL categories need to be bypassed, such as banks or healthcare access.

Which other solutions did I evaluate?

We demo'ed Blue Coat SSL Visibility. It doesn't support net devices because it needs to see all the source IP addresses. It encrypts and decrypts the traffic according to the source IP address, but after the firewall, the source IP address changes. So it can't catch the same traffic, encrypt it again, and send it to the internet. This was the main difference as far as our project goes.

Another difference is that Blue Coat is not a local answer.

What other advice do I have?

For SSL operations, if you need to intercept traffic and cover all your security network devices, it is better to use A10. It can support all SAN boxes, proxies, net devices, and all IPS devices. If you need traffic load-balancing between security devices - proxies, firewalls - A10 has a really good and a strong local-answer feature. It's good for that as well.

SSLi is a very powerful device. It has many features and to get them configured is kind of tough. I cannot say it is easy to use, but I can say that it was successful in accomplishing our project.

We don't use the solution's visibility controller because after we decrypt the traffic we send it to other security devices which give us the visibility. Our A10 solution has no connection with containers. We don't use a lot of the features it has. We use it just to decrypt and encrypt all of our outbound internet traffic. We have something like 9,000 users and more than 2,000 servers. We use A10 for all those users' access to the internet.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Chris Cummings - PeerSpot reviewer
Director of Information Technology at Klein Independent School District
Real User
The SSL decryption successfully decrypts at a rate that has minimal to no impact on our end users
Pros and Cons
  • "With the Thunder SSLi, we're better protected. We can stop use of VPN and proxies. We are better protected against dirty traffic coming back to our schools. Having a secure decrypt zone with the equipment lowers the chances that our security infrastructure could possibly miss an attack."
  • "I would like them to have a better UI (better universal design)."

What is our primary use case?

  • SSL encryption
  • SSL decryption
  • Traffic inspection
  • Content inspection

We also have the Thunder SSLi Harmony Controller, which is used for encrypted attacks and inspecting encrypted traffic.

Our primary mission is to ensure students are safe. This is a key component in ensuring the safety of our students, client family, and the people who work within our district's boundaries.

We use the most up-to-date version, as we keep our firmware updated. We are using its on-premise hardware.

How has it helped my organization?

It changed the way that we treat external traffic. Before this solution, students used VPNs and proxies. They could do whatever they wanted and we would never know which traffic was going outside. We had to replace another solution because it just wasn't up to the same capacity load that A10s were. That dedicated card is huge. It hardened our network. 

The only certification that the Consortium for School Networking (CoSN) issues for school networks is the Trusted Learning Environment (TLE). The TLE is simply a network hardening solution. By implementing this solution, not only did we harden our network and protect our students, but also we were one step closer to coming into compliance with the Consortium for School Networking globally.

I would assess the solution's security features very highly. Recently Texas passed Senate Bill 820, which requires us to adopt a security framework and put in security measures to meet the current risks and threats to government entities. This was an integral part to fill that gap. We are very pleased with the security aspect that the equipment brings to us. We plan on continuing to leverage its security capacity to meet the needs of our security environment.

The reason why A10 supports that security mission set so critically is because, at Klein, one of the big things we have done is be an innovator and market leader in adopting technology and using it in the classroom. This is important because we are trying to instill a sense of digital citizenship in each one of our students. So, when they exit, they understand the importance of their data and identities. Then, as they go into this new world, they are less susceptible to identity theft and cybercrimes. By being able to decrypt this information, it allows us to curb unwanted or risky behavior. We have had several bad hackers attempt to get into the network and our A10 has been critical in using packet captures to stop them before they could do something bad.

Our students and staff are better protected because they don't have to worry about encrypted attacks or threats. We provide them with the computer and Internet, taking ownership of the experience from end-to-end.

In the IT environment, we are always asked to do more with less using the available resources that we have. Therefore, we have to work as efficiently as possible. Part of the scoring criteria with a solution coming in was how we could mitigate some of those workloads and consolidate them into a single appliance. Anytime that we can create efficiencies which allow our folks to focus on other tasks, we are more successful. In this case, this appliance has enabled us to do that.

What is most valuable?

With the Thunder SSLi, we're better protected. We can stop use of VPN and proxies. We are better protected against dirty traffic coming back to our schools. Having a secure decrypt zone with the equipment lowers the chances that our security infrastructure could possibly miss an attack. 

It gives us insight into the actual traffic that a student is following. What's the value of identifying possible risks or possible intent based on unencrypted traffic where you have insight to what the student's intent may be? E.g., anonymous bully reporting. It's invaluable to be able to leverage that insight and data to maybe bring help or avert a possible bad circumstance. It's something that's very important to us that this type of system gives us insight into that.

In terms of ease of use, it's fairly simple. My analysts tell me that they don't mind getting in there. It was something new that we had to throw on their plate. Every time you add a new element and a new level of complexity, your analysts will look at you like you're crazy. Our plan was originally to use our native firewalls to do the decryption. Unfortunately, that was a feature set which was added on afterward. It just ended up bogging down our system. That is the reason why we had to add the extra hardware. Once the team understood that, the UI was intuitive and a huge help.

We use the solution’s Harmony analytics and visibility controller. We have been able to proactively engage and deescalate situations with it. 

We love Harmony’s traffic management capabilities because it is centralized management. It has a rich analytics capability. This allows us insight into the aggregate performance of all the boxes, so we can possibly leverage any resources available to enhance the environment.

We love the single pane of glass traffic management. Single pane of glass is huge, centralized logging. It is the buzzword that everyone is talking about right now, except what nobody seems to take into consideration is that an analyst only has two eyes. The administration piece of it is huge. It allows us to not just look and get the information, but also cipher it, which is actionable. Looking at logs all day is great, but you can stare in the matrix so long before you want to get in the game. This single pane of glass allows us to look at information that's actionable.

What needs improvement?

I would like them to have a better UI (better universal design). Better never stops.

For how long have I used the solution?

We have been using the solution for about a year. I've only been the steward of it for the past eight months.

What do I think about the stability of the solution?

The stability is excellent. We have had no stability issues in 12 months.

It is about uptime and availability to our end users. As of today, there has been zero impact, which is how we support our customers.

We have two analysts (a senior analyst and junior analyst) who monitor and support the A10.

What do I think about the scalability of the solution?

It has met all of our main needs. We are now looking for other ways to leverage it. As we consolidate our infrastructure and move toward a more efficient way of doing business, we're always looking for ways we can leverage the A10 in other ways: everything from load balancing to web application firewall. Outside of our immediate needs, there's nothing the equipment or system hasn't been able to do at the moment. As far as scalability, it meets our needs and our foreseeable needs.

We currently have over 53,000 students and 6500 staff that can sometimes balloon up to 7000. We have over 80,000 endpoints. We support a one-to-one initiative where students are issued devices that they take home, but are connected to our network. These number in over 35,000. It's a very robust environment.

It is paramount to have that single pane of glass with up to two million concurrent SSL sessions. It would be a management issue just being able to deal with that sheer volume at the enterprise level that we work at with the number of resources available to our department if we did not have that capacity.

How are customer service and technical support?

We've been supported just fine.

For support, just because something hasn't failed doesn't mean support won't respond. Sometimes, we'll ask support to see if something is feasible or how they would recommend doing something. 

We always pay for support. Any organization of our size who doesn't is asking for problems. The support that we've had has all been positive. They've been very responsive. The caveat that we do have is an integrator, and we tend to try to leverage that relationship before we go straight to the manufacturer.

Which solution did I use previously and why did I switch?

SSL decryption was one of the biggest pieces that we took advantage of. We originally tried to do SSL decryption through our firewalls. Because of our size, we currently support over 67,000 customers with over 80,000 endpoint devices (between students and staff). The previous configuration could not handle that traffic. It could not decrypt fast enough. When we went with the A10 solution, we were able to overcome those challenges. We are currently able to successfully decrypt at a rate that has minimal to no impact on our end users.

Last year, we identified a need within the district to shore up some security shortcomings and consolidate some of our efforts. That is when we went out to look for a device that could meet our requirements. It has been about a year since the closing of the competitive bid and procuring the device.

The previous solution that we had couldn't handle our throughput. Our content filter hits 94 terabytes a week, and we are filtering out 4.5 petabytes annually. That is just external web traffic. By virtue of the metrics alone, I have been impressed with the A10.

Also, the previous solution didn't have separated individual cards for decryption. Therefore, our extensive traffic was throttling that device and bogging down the entire network. That's why we had to go out and find a dedicated SSLi solution.

Operationally and organizationally, A10 has made one huge impact. Our previous solution required a bit of cross functionality between three teams: my team and the infrastructure team, networking along with servers, and application and application development. By using the A10, we have been able to get rid of that legacy equipment. Now, it solely resides within the network operations team. Procedurally and policy-wise, it's been a huge change because it's allowed it to leverage its capabilities and put it under the purview of one team. It has decreased ticket time and increased response time. We are more proactive with this solution.

We use a COBIT framework. Even though it resides under my purview, we're still supported by the other two teams. I take responsibility, but have accountability, consulting, and information that is shared between the three teams. It makes it much simpler for my team to be able to take action. We are still cross-functional, but it streamlines the ticket assignment.

How was the initial setup?

The initial setup was very simple.

What about the implementation team?

We leveraged our institute business partner and integrator Layer 3 Communications. Therefore, the initial setup was very simple internally. From a project management point of view, they are amazing to work with. They stand by their work. Once they got the A10 into place, we did a stress test. It worked as intended.

A unique aspect of this deployment was Layer 3 Communications' familiarity with our environment and infrastructure. They were able to configure and set this equipment up in a sandbox outside of our environment, run it, configure it, and match what our requirements would be inside. Then, once they were ready to deliver, it was a seamless transition. It was plug and play, which made the job on our end a lot easier, and was deeply appreciated.

What was our ROI?

The true measure of a solution is what impact to our customer does it have. In the past year, we have had zero impact. That is what matters the most.

The ROI is still maturing because of its ability to leverage some capabilities that weren't necessarily the initial intent. I think the jury's out on total. I can only expect it to go up. I don't think we have a hard number we could give you today on ROI. From a system-wide perspective, we know what's going to be in the positive.

A lot of what we do in technology are soft benefits. E.g., what's the going value for a five-year-old's social security number on the dark web? What's the going value for a school administrator's credit card number? Louisiana just declared a state of emergency because they had three schools get attacked by ransomware. With our data segmentation in our Thunder SSLi, we don't have those same concerns. Those extra two hours a night that I get to sleep, how do I quantify that?

What's my experience with pricing, setup cost, and licensing?

When you purchase the equipment, you purchase the licensing and warranty. It's all fairly standard. We haven't been caught with anything surprising.

Which other solutions did I evaluate?

There was a competitive process that went to bid.

What other advice do I have?

Before you go with any product, especially when it comes to security and the ability to shore up initiatives, sit down and do a gap analysis. Understand the environment before moving forward. Sometimes, we become very reactionary and need to fill the gaps. We find an appliance that will fit the gap immediately, and then we're left eight years down the road trying to build upon that solution. My advice is make sure to understand your current needs, project your future needs in an efficient way, and that they are grounded in the actual data. That is what we did, partnered with our integrator and our outstanding infrastructure staff. We were able to do an assessment. Get stakeholder buy-in. With security, it's hard to convey the message, especially to stakeholders who are funding the initiative. Making sure they have buy-in and understand the needs will take you well beyond just the anticipated short-term gains since the security area tends to be a very reactionary sector. You can spend a lot of time firefighting instead of focusing on how you can leverage your capacity to grow.

We use it every second of every day (24/7). We currently have plans to leverage it in more areas because it has been so reliable. The next thing we are looking at is utilizing its web application firewall in conjunction with our on-premise firewalls.

It reinforces some of our processes and relationships with not only vendors, but also integrators and then staff. Klein ISD tends to be a leader. We tend to be early adopters. We look at technology and are not afraid of it. We like to find ways to have it enhance what we are doing. At Klein, we're here to support students and teachers. Anything we could do to enhance that relationship and expand the knowledge transfer from a teacher to a student. We're here to support that. By doing this, it helps make us better digital citizens. Our students will not graduate and get caught unaware by a ransomware attack. That's not our goal. Our goal is to support the students and their learning experience, making sure that we're doing our part in bringing promise to purpose.

We are comfortable with the equipment and are enjoying using it. We don't regret the purchase. We look forward to seeing how they adapt to the new requirements. We try not to use the change word around here since change is scary. Nobody changes for change's sake. We always respond to outside stimuli. I don't know any company who doesn't adapt. As long as A10 continues to knock it out of the park, we're happy to be in business with them.

We are not using the solution’s support for expanding infrastructure to public, private, and hybrid cloud. We have talked about migrating some of our other equipment, but are not implementing it currently.

We are not using Kubernetes at the moment.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.