Thursday, February 8, 2018

Palo Alto Inbound SSL Filtering Without SSL decryption

Hey All,

We have devices on the internet communicating inbound over SSL to the PA on the perimeter. We are looking to drop all SSL traffic that does not originate from these devices without using SSL decryption. Right now I have suggested matching on the CN from the cert being presented by the device, but I was looking for something that is a little more concrete than that, i.e. checking that the cert is from an internal CA. So is there a way we can establish a forward trust with the CA, check the CRL and then establish an SSL session without the SSL decryption feature?

Or if there is a better way to do this I am open to ideas.

Thanks!
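The distinction the post draws, matching on a CN versus checking that the presented cert chains to the internal CA and is not on its CRL, as an added shell example that is not from the original post or from Palo Alto: it builds a scratch CA, two device certs, a look-alike self-signed cert and a CRL with the openssl CLI, and every name, CN and serial in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: CN matching versus validating
# the chain to an internal CA plus a CRL check. All names/serials constructed.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"

# The internal CA (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Internal CA" -keyout ca.key -out ca.pem 2>/dev/null

# issue_cert PREFIX CN SERIAL: a device cert signed by the internal CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$3" \
    -days 30 -sha256 -out "$1.pem" 2>/dev/null
}
issue_cert good    device01.internal 1001
issue_cert revoked device02.internal 1002

# A self-signed cert that merely reuses the device CN: a CN-only rule
# cannot tell it apart from the real device.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=device01.internal" -keyout rogue.key -out rogue.pem 2>/dev/null

# Minimal CA database so 'openssl ca' can revoke a cert and publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = internal
[ internal ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
touch index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# check_cert FILE: succeeds only if FILE chains to the internal CA and is
# not listed in its CRL (the concrete check the post is after).
check_cert() {
  openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check "$1" >/dev/null 2>&1
}
# cn_matches FILE: the weaker CN-string rule, for comparison.
cn_matches() {
  openssl x509 -in "$1" -noout -subject | grep -q 'device01\.internal'
}
```

Both functions run from the scratch directory the script creates: check_cert accepts good.pem and rejects revoked.pem and rogue.pem, while cn_matches accepts rogue.pem just as readily as good.pem.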

