What is a VPN? Site-to-Site, Remote Access, IPSec, and SSL VPN
A Virtual Private Network (VPN) creates an encrypted tunnel between a device and a network over the public internet. VPNs protect data in transit and provide remote users with secure access to corporate resources.
What is a VPN?
A VPN creates a secure, encrypted connection (tunnel) over an untrusted network like the internet. It provides confidentiality (encryption), integrity (tamper detection), and authentication (verifying both ends of the connection).
VPNs are used for: remote employees accessing corporate networks, connecting branch offices (site-to-site), protecting privacy on public Wi-Fi, and bypassing geographic restrictions.
Key VPN components: VPN concentrator (server that manages connections), VPN client (software on the user's device), and the tunneling protocol (defines how data is encapsulated and encrypted).
- VPN: encrypted tunnel over an untrusted network
- Provides confidentiality, integrity, and authentication
- Common uses: remote access, site-to-site, public Wi-Fi protection
- VPN concentrator authenticates clients and manages encryption
Site-to-Site vs Remote Access VPN
Site-to-Site VPN — connects entire networks to each other over the internet. Typically used to connect branch offices to the main corporate network. Both sides have VPN gateways that encrypt traffic between them. End users don't need VPN client software — traffic routes automatically through the gateway.
Remote Access VPN — individual users connect to the corporate network from remote locations. Users run VPN client software on their devices. Common for telecommuting and mobile workers. The user authenticates and gets an IP address on the corporate network, appearing as if they're locally connected.
Split Tunneling — remote users can choose which traffic goes through the VPN (corporate traffic) and which goes directly to the internet (personal browsing). Full Tunneling sends ALL traffic through the VPN. Split tunneling reduces VPN load but creates a security risk if the non-VPN path is compromised.
- Site-to-Site: connects entire networks (branch to HQ) — no client software needed
- Remote Access: individual users connect via client software
- Split Tunneling: corporate traffic through VPN, personal traffic direct to internet
- Full Tunneling: all traffic through VPN (more secure, higher bandwidth usage)
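As an added illustration (not from the original page), the following Python models the routing decision a client makes under split versus full tunneling and flags destinations that bypass the tunnel; the route tables, addresses and interface names are constructed for the example. The full-tunnel table is also the state an always-on VPN client enforces.

```python
import ipaddress

# Constructed route tables (not from the page). "tun0" is the VPN tunnel
# interface; "eth0" is the physical interface to the local LAN and internet.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default: straight to the internet
    ("10.0.0.0/8", "tun0"),       # corporate range pushed by the VPN concentrator
    ("192.168.1.0/24", "eth0"),   # local LAN
]

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),        # VPN replaces the default route
    ("203.0.113.10/32", "eth0"),  # host route so the (constructed) VPN gateway stays reachable
    ("192.168.1.0/24", "eth0"),   # local LAN; many clients restrict even this
]

def select_route(dest: str, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_leaks(dests, routes, tunnel_iface="tun0"):
    """Destinations whose traffic leaves the host outside the VPN tunnel.
    With a split-tunnel table this is the exposed traffic; a full-tunnel table
    (what an always-on VPN enforces) should leave only the gateway and LAN routes."""
    return [d for d in dests if select_route(d, routes) != tunnel_iface]
```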
IPSec VPN
IPSec (Internet Protocol Security) is a suite of protocols that encrypts IP traffic. It operates at Layer 3 (network layer) and can protect all IP traffic without modifying applications.
IPSec has two main protocols: Authentication Header (AH) — provides integrity and authentication but NOT encryption. Encapsulating Security Payload (ESP) — provides integrity, authentication, AND encryption. ESP is the more common choice.
IPSec operates in two modes: Transport Mode — encrypts only the payload (data portion) of the IP packet. Used for end-to-end connections. Tunnel Mode — encrypts the entire IP packet and wraps it in a new packet. Used for site-to-site VPNs and creates a virtual tunnel.
IPSec uses Internet Key Exchange (IKE) to negotiate security associations (SA) — the agreed-upon encryption algorithms, keys, and parameters between the two VPN endpoints.
- IPSec: Layer 3 protocol suite — protects ALL IP traffic natively
- AH: integrity + authentication only (no encryption)
- ESP: integrity + authentication + encryption (most common)
- Transport mode: encrypts payload only — end-to-end connections
- Tunnel mode: encrypts entire packet — site-to-site VPNs
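Added example, not from the original page: a stripped-down ESP encapsulation in Python that shows what transport and tunnel mode each leave in the clear and what they protect. Addresses, keys and the SPI are constructed; the keystream XOR stands in for the AES cipher that IKE would negotiate, and the ICV is HMAC-SHA256 truncated to 128 bits.

```python
import hashlib
import hmac
import struct

ESP, TCP, IPV4 = 50, 6, 4   # IANA IP protocol numbers

def ipv4_header(src: bytes, dst: bytes, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; length/checksum left zero)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, src, dst)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher IKE would negotiate (e.g. AES): XOR with a
    SHA-256 counter keystream. It shows the encryption *scope*, nothing more."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def esp_encapsulate(mode: str, inner: bytes, enc_key: bytes, auth_key: bytes,
                    spi: int, seq: int, gw_src: bytes = b"", gw_dst: bytes = b"") -> bytes:
    """Build IP|ESP for one packet. Transport mode keeps the original IP header
    in the clear and protects only its payload; tunnel mode protects the whole
    original packet and prepends a new header addressed between the gateways."""
    if mode == "transport":
        outer = inner[:9] + bytes([ESP]) + inner[10:20]   # same header, proto -> ESP
        protected, next_hdr = inner[20:], inner[9]        # payload only
    else:
        outer = ipv4_header(gw_src, gw_dst, ESP)          # new outer header
        protected, next_hdr = inner, IPV4                 # entire original packet
    pad_len = (-(len(protected) + 2)) % 4                 # ESP trailer ends on 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp = struct.pack(">II", spi, seq) + stream_xor(enc_key, protected + trailer)
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]   # HMAC-SHA256-128
    return outer + esp + icv

def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """Verify the ICV, decrypt, strip the trailer and rebuild the original packet."""
    outer, esp, icv = packet[:20], packet[20:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    plain = stream_xor(enc_key, esp[8:])
    pad_len, next_hdr = plain[-2], plain[-1]
    protected = plain[:-(pad_len + 2)]
    if next_hdr == IPV4:                                   # tunnel mode: inner packet intact
        return protected
    return outer[:9] + bytes([next_hdr]) + outer[10:20] + protected   # transport mode
```

In the tunnel-mode output the original source and destination addresses never appear in the clear, which is why that mode suits gateway-to-gateway links; in transport mode they do, so only the payload is hidden.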
SSL/TLS VPN
SSL VPN (more accurately TLS VPN) uses the same encryption protocol as HTTPS. Its major advantages: it passes through most firewalls (it uses TCP port 443, like HTTPS) and many implementations need no specialized client software.
There are two types: SSL Portal VPN — the user connects to an HTTPS website (portal) that provides access to internal applications. No client software — just a browser. SSL Tunnel VPN — uses browser-based capabilities to create a tunnel for non-web applications.
For the Security+ exam, know the comparison: IPSec VPNs are more complex to configure but provide network-layer access for all applications. SSL VPNs are easier for users (browser-based) but typically only handle TCP traffic. Many modern deployments use both.
- SSL/TLS VPN: uses HTTPS protocol (port 443) — works through most firewalls
- Portal VPN: browser-based access to internal apps — no client software
- Tunnel VPN: clientless tunnel for non-web applications
- Easier to deploy than IPSec — users just need a browser
- Commonly used for remote access VPN scenarios
Securing VPN Deployments
VPN authentication can use pre-shared keys (PSK — simple but less secure), certificates (PKI-based, more scalable), or integration with existing authentication (RADIUS, LDAP, MFA).
Always-on VPN — a modern approach where the VPN connection is automatic and persistent. The device won't send any traffic outside the VPN tunnel. This prevents data leaks from misconfigured split tunneling.
For the Security+ exam, understand VPN deployment risks: the VPN concentrator is a single point of failure (redundancy needed), outdated encryption protocols (PPTP is broken — use IPSec or SSL), and split tunneling risks (ensure corporate data always goes through the encrypted tunnel).
- Authentication: PSK, certificates, RADIUS, or MFA integration
- Always-on VPN: automatic, persistent VPN — prevents data leaks
- PPTP is deprecated — use IPSec or SSL/TLS VPN
- VPN concentrator should be redundant for high availability
Exam Tip
Know IPSec vs SSL VPN: IPSec is Layer 3 (all traffic, needs client), SSL is Layer 4-7 (browser-based, easier). IPSec modes: Transport (payload only) vs Tunnel (entire packet). AH vs ESP: ESP provides encryption. Split vs full tunneling.