Virtual Private Networks (VPNs) and secure remote access technologies allow users and sites to communicate securely over untrusted networks such as the public internet. In modern network security architecture, remote access is no longer optional — it is a core design requirement.
A VPN creates an encrypted tunnel between two endpoints over an untrusted network, providing confidentiality, integrity, and authentication for the traffic carried inside it. What remains visible to an observer on the path is the outer packet: the tunnel endpoints' addresses, packet sizes, and timing.

```text
Remote User                                          Corporate Network
     │                                                       │
     └──────────── [Encrypted VPN Tunnel] ───────────────────┘
                      over the public internet
```
| Type | Description | Use Case |
|---|---|---|
| Remote Access VPN | Connects individual users to the corporate network over the internet | Remote workers, travelling employees |
| Site-to-Site VPN | Connects two entire networks through a pair of gateways; hosts behind them need no VPN software | Branch office to headquarters |
| Client-to-Site | The usual form of remote access: a software client on the user's device terminates at a VPN gateway | BYOD, contractors |
| Clientless VPN | Browser-based access to specific applications through a TLS portal; no tunnel to the whole network | Quick access without client software |
| Protocol | Encryption | Performance | Security | Notes |
|---|---|---|---|---|
| IPsec | AES-256 (3DES still offered by some gateways; disable it) | Good | Strong | Industry standard for site-to-site |
| IKEv2/IPsec | AES-256 | Excellent | Strong | Fast reconnection (MOBIKE), good for mobile |
| OpenVPN | AES-256-GCM, ChaCha20-Poly1305 | Good | Strong | Open source, highly configurable, runs over TCP or UDP |
| WireGuard | ChaCha20-Poly1305, Curve25519 | Excellent | Strong | Modern, fixed cipher suite, small codebase (the original Linux implementation was roughly 4,000 lines) |
| SSL/TLS VPN | Whatever the TLS cipher suite provides (typically AES-GCM or ChaCha20-Poly1305) | Good | Strong | Browser-based or lightweight client; passes through most firewalls on TCP 443 |
| L2TP/IPsec | AES via IPsec; L2TP itself adds no encryption | Moderate | Moderate | Legacy, double encapsulation, being replaced by IKEv2 |
| PPTP | MPPE keyed from MS-CHAPv2 (broken) | Fast | Broken | Never use; the authentication can be cracked offline |
IPsec protects packets in one of two modes:
| Mode | Encrypts | Use Case |
|---|---|---|
| Transport Mode | Payload only; the original IP header stays in the clear, so an observer still sees the real source and destination | Host-to-host communication |
| Tunnel Mode | The entire original packet, wrapped in a new IP header that carries the gateway addresses; internal addressing is hidden | Site-to-site VPNs, gateway-to-gateway |
| Component | Purpose |
|---|---|
| IKE (Internet Key Exchange) | Authenticates the peers, negotiates security associations, and derives keys (UDP 500, or 4500 when NAT traversal is needed) |
| ESP (Encapsulating Security Payload) | Provides encryption plus integrity and origin authentication (IP protocol 50); carries the SPI and sequence number used for anti-replay |
| AH (Authentication Header) | Provides integrity and origin authentication only, no confidentiality (IP protocol 51); rarely deployed today because it breaks under NAT and ESP covers the same need |
| SA (Security Association) | Defines the parameters (algorithms, keys, lifetime, SPI) for one direction of traffic; a bidirectional connection uses a pair of SAs |
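To make the two modes concrete, here is an added example (written for this page, not code from the lesson) that models ESP encapsulation in transport and tunnel mode and shows what an on-path observer can read in each case. It is a model, not real IPsec: the "IP header" is a 9-byte toy layout, the keystream is derived with HMAC-SHA256 in counter mode as a stand-in for AES-GCM, and the anti-replay check is a strictly-increasing sequence number rather than the RFC 4303 sliding window. The addresses, SPI and keys are constructed for illustration.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number for ESP
IPIP_PROTO = 4      # "next header" value for an encapsulated IP packet (tunnel mode)
HDR_LEN = 9         # toy IP header: 4-byte src, 4-byte dst, 1-byte protocol


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Toy IP header (not the real 20-byte layout): src, dst, protocol."""
    return bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + bytes([proto])


def parse_ip_header(hdr: bytes):
    src = ".".join(str(b) for b in hdr[0:4])
    dst = ".".join(str(b) for b in hdr[4:8])
    return src, dst, hdr[8]


def make_sa(spi: int, enc_key: bytes, auth_key: bytes, outer_src=None, outer_dst=None) -> dict:
    """One-direction SA state. outer_src/outer_dst are the gateway addresses used in tunnel mode."""
    return {"spi": spi, "enc_key": enc_key, "auth_key": auth_key, "seq": 0,
            "last_seq": 0, "outer_src": outer_src, "outer_dst": outer_dst}


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the real cipher: HMAC-SHA256 in counter mode keyed per packet by (SPI, seq)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa: dict, inner_pkt: bytes, mode: str) -> bytes:
    """Wrap inner_pkt in ESP. Transport mode keeps the original header in the clear;
    tunnel mode encrypts the whole packet behind a new gateway-to-gateway header."""
    inner_hdr, inner_payload = inner_pkt[:HDR_LEN], inner_pkt[HDR_LEN:]
    src, dst, proto = parse_ip_header(inner_hdr)
    if mode == "transport":
        outer_hdr, plaintext, next_header = ip_header(src, dst, ESP_PROTO), inner_payload, proto
    elif mode == "tunnel":
        outer_hdr = ip_header(sa["outer_src"], sa["outer_dst"], ESP_PROTO)
        plaintext, next_header = inner_pkt, IPIP_PROTO
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    sa["seq"] += 1
    esp_hdr = struct.pack(">II", sa["spi"], sa["seq"])          # SPI + sequence number, in the clear
    # The ESP trailer's next-header byte rides inside the encrypted region.
    ct = xor(plaintext + bytes([next_header]), keystream(sa["enc_key"], esp_hdr, len(plaintext) + 1))
    icv = hmac.new(sa["auth_key"], esp_hdr + ct, hashlib.sha256).digest()[:16]   # integrity check value
    return outer_hdr + esp_hdr + ct + icv


def esp_decapsulate(sa: dict, packet: bytes) -> bytes:
    """Reverse of esp_encapsulate: replay check, ICV verification, then decrypt."""
    src, dst, proto = parse_ip_header(packet[:HDR_LEN])
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    rest = packet[HDR_LEN:]
    esp_hdr, ct, icv = rest[:8], rest[8:-16], rest[-16:]
    spi, seq = struct.unpack(">II", esp_hdr)
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    if seq <= sa["last_seq"]:                       # simplified anti-replay (RFC 4303 uses a window)
        raise ValueError("replay: sequence %d already seen" % seq)
    expected = hmac.new(sa["auth_key"], esp_hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    sa["last_seq"] = seq                            # only advance after the ICV passed
    pt = xor(ct, keystream(sa["enc_key"], esp_hdr, len(ct)))
    plaintext, next_header = pt[:-1], pt[-1]
    if next_header == IPIP_PROTO:                   # tunnel mode: the whole original packet
        return plaintext
    return ip_header(src, dst, next_header) + plaintext   # transport mode: restore original header


def on_path_view(packet: bytes) -> dict:
    """What a passive observer between the endpoints can read without the keys."""
    src, dst, proto = parse_ip_header(packet[:HDR_LEN])
    spi, seq = struct.unpack(">II", packet[HDR_LEN:HDR_LEN + 8])
    return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq, "len": len(packet)}


if __name__ == "__main__":
    inner = ip_header("10.1.0.5", "10.2.0.9", 6) + b"GET / HTTP/1.1"      # constructed inner packet
    tx = make_sa(0x1001, b"k" * 32, b"a" * 32, "203.0.113.1", "198.51.100.1")
    for mode in ("transport", "tunnel"):
        print(mode, on_path_view(esp_encapsulate(tx, inner, mode)))
```

In transport mode the observer sees the real endpoints 10.1.0.5 and 10.2.0.9; in tunnel mode only the gateway addresses 203.0.113.1 and 198.51.100.1 appear, which is why gateway-to-gateway VPNs use it. The order of checks in `esp_decapsulate` (sequence number, then ICV, then decrypt) matches RFC 4303 and means a forged or replayed packet is dropped before any decryption work is done.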
IKE sets the tunnel up in two stages. The "Phase 1 / Phase 2" names come from IKEv1; IKEv2 does the same work in the IKE_SA_INIT and IKE_AUTH exchanges and then CREATE_CHILD_SA, but the structure is the same:

```text
Phase 1 (IKE SA; IKEv2: IKE_SA_INIT + IKE_AUTH):
Site A ←── Diffie-Hellman exchange, cipher negotiation, peer authentication ──→ Site B
Result: authenticated, encrypted control channel (the IKE SA)

Phase 2 (IPsec SA; IKEv2: first Child SA inside IKE_AUTH, later ones via CREATE_CHILD_SA):
Site A ←── Negotiate ESP/AH parameters, derive per-direction keys ──→ Site B
Result: a pair of IPsec SAs (one per direction) carrying the data
```
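The two stages as a runnable exchange between both peers, added here as an example (not the lesson's own code). It follows the IKEv2 key-derivation rules of RFC 7296: SKEYSEED from the nonces and the Diffie-Hellman secret, the seven SK_* keys via prf+, pre-shared-key AUTH payloads, and Child SA KEYMAT from SK_d. Two simplifications are assumptions of this example and are marked in the code: the Diffie-Hellman group is a toy (a 127-bit prime and generator 3, offering no security) so the code runs with the standard library only, and every derived key is fixed at 32 bytes instead of the negotiated algorithm's length. Identities and the PSK are constructed.

```python
import hashlib
import hmac
import secrets

# TOY Diffie-Hellman group (assumption of this example; not a real MODP or ECP group).
P = 2**127 - 1
G = 3
KEY_PAD = b"Key Pad for IKEv2"     # constant from RFC 7296 section 2.15
KEY_LEN = 32                        # assumption: one size for every SK_* and KEYMAT key


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def ike_sa_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """Split prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) into the seven IKE SA keys (RFC 7296 section 2.14)."""
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(names))
    return {name: stream[KEY_LEN * i:KEY_LEN * (i + 1)] for i, name in enumerate(names)}


class Peer:
    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.spi = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(32)
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def init_message(self) -> bytes:
        """Phase 1, IKE_SA_INIT: SPI, nonce and DH public value, all sent in the clear."""
        return self.spi + self.nonce + self.pub.to_bytes(16, "big")

    def derive_ike_sa(self, peer_msg: bytes, am_initiator: bool) -> dict:
        peer_spi, peer_nonce = peer_msg[:8], peer_msg[8:40]
        peer_pub = int.from_bytes(peer_msg[40:], "big")
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")          # g^ir
        if am_initiator:
            ni, nr, spi_i, spi_r = self.nonce, peer_nonce, self.spi, peer_spi
        else:
            ni, nr, spi_i, spi_r = peer_nonce, self.nonce, peer_spi, self.spi
        self.ni, self.nr = ni, nr
        skeyseed = prf(ni + nr, shared)                                    # RFC 7296 section 2.14
        self.sk = ike_sa_keys(skeyseed, ni, nr, spi_i, spi_r)
        return self.sk

    def auth_payload(self, own_init_msg: bytes, am_initiator: bool) -> bytes:
        """Phase 1, IKE_AUTH with a PSK (RFC 7296 section 2.15): binds our IKE_SA_INIT
        message, the peer's nonce and our identity under the PSK-derived key."""
        sk_p = self.sk["SK_pi"] if am_initiator else self.sk["SK_pr"]
        peer_nonce = self.nr if am_initiator else self.ni
        signed_octets = own_init_msg + peer_nonce + prf(sk_p, self.ident)
        return prf(prf(self.psk, KEY_PAD), signed_octets)

    def verify_auth(self, auth: bytes, peer_init_msg: bytes, peer_ident: bytes, peer_is_initiator: bool) -> bool:
        sk_p = self.sk["SK_pi"] if peer_is_initiator else self.sk["SK_pr"]
        own_nonce = self.nr if peer_is_initiator else self.ni
        expected = prf(prf(self.psk, KEY_PAD), peer_init_msg + own_nonce + prf(sk_p, peer_ident))
        return hmac.compare_digest(auth, expected)

    def child_sa_keys(self, ni: bytes, nr: bytes) -> dict:
        """Phase 2: KEYMAT = prf+(SK_d, Ni|Nr) (RFC 7296 section 2.17), split into
        encryption and integrity keys for each direction."""
        km = prf_plus(self.sk["SK_d"], ni + nr, 4 * KEY_LEN)
        return {"enc_i": km[0:32], "integ_i": km[32:64], "enc_r": km[64:96], "integ_r": km[96:128]}


def run_exchange(initiator: Peer, responder: Peer):
    """Both sides' messages for Phase 1 and Phase 2. Returns (initiator KEYMAT, responder KEYMAT),
    or None if peer authentication fails (e.g. mismatched PSK)."""
    msg_i, msg_r = initiator.init_message(), responder.init_message()     # IKE_SA_INIT
    initiator.derive_ike_sa(msg_r, True)
    responder.derive_ike_sa(msg_i, False)
    auth_i = initiator.auth_payload(msg_i, True)                           # IKE_AUTH
    auth_r = responder.auth_payload(msg_r, False)
    if not responder.verify_auth(auth_i, msg_i, initiator.ident, True):
        return None
    if not initiator.verify_auth(auth_r, msg_r, responder.ident, False):
        return None
    ni2, nr2 = secrets.token_bytes(32), secrets.token_bytes(32)           # CREATE_CHILD_SA nonces
    return initiator.child_sa_keys(ni2, nr2), responder.child_sa_keys(ni2, nr2)


if __name__ == "__main__":
    a, b = Peer(b"client@example.com", b"s3cret"), Peer(b"vpn.example.com", b"s3cret")
    keys = run_exchange(a, b)
    print("child SA keys match:", keys is not None and keys[0] == keys[1])
```

Two things worth noticing: every Phase 2 key is derived from SK_d, so Phase 2 inherits whatever strength (or weakness) Phase 1 had, and a wrong PSK causes `run_exchange` to return None at IKE_AUTH before any data SA exists. The RFC also lets CREATE_CHILD_SA include a fresh Diffie-Hellman exchange for perfect forward secrecy per child SA; that option is omitted here.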
```text
Remote User
    │
    ▼
[VPN Client]
    │
    ▼  (encrypted tunnel over the internet)
    │
[VPN Concentrator / Gateway]
    │
    ▼
[Internal Firewall]
    │
    ▼
[Internal Network Resources]
```
| Approach | Description | Advantage | Risk |
|---|---|---|---|
| Full Tunnel | All traffic, including general internet traffic, routed through the VPN | Complete visibility and control; corporate egress filtering applies everywhere | Higher latency; all internet traffic consumes VPN bandwidth and the gateway becomes a choke point |
| Split Tunnel | Only corporate prefixes routed through the VPN; everything else goes out the local connection | Better performance for users; no corporate bandwidth spent on video calls and streaming | Internet traffic bypasses corporate inspection, and the endpoint sits on an untrusted network and the corporate network at the same time, so a compromised host can bridge the two |
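The choice between the two is ultimately a routing-table decision on the client. The example below is added for this page (not the lesson's code) and models that table with longest-prefix matching for a split-tunnel and a full-tunnel policy, then runs the checks a practitioner makes before rolling either out: the VPN gateway's own address must stay outside the tunnel (otherwise the tunnel's packets are routed into itself), the corporate DNS server must be inside it, and in split mode the internet traffic that bypasses inspection is named explicitly. The full-tunnel policy uses the two /1 routes that OpenVPN's `redirect-gateway def1` installs to override the default route without deleting it. The prefixes and addresses are constructed for illustration.

```python
import ipaddress

# Constructed policy inputs (assumptions of this example).
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]
CORP_DNS = "10.0.0.53"              # resolver inside the corporate network
VPN_GATEWAY = "198.51.100.10"       # public address of the VPN concentrator
LOCAL_GATEWAY = "192.168.1.1"       # the user's home or hotel router
TUN = "tun0"


def build_routes(policy: str) -> list:
    """Return (network, next_hop) pairs for 'split' or 'full' tunnelling."""
    if policy not in ("split", "full"):
        raise ValueError("policy must be 'split' or 'full'")
    routes = [(ipaddress.ip_network(p), TUN) for p in CORP_PREFIXES]
    if policy == "full":
        # Two /1 routes beat the /0 default by prefix length (the 'def1' technique).
        routes += [(ipaddress.ip_network("0.0.0.0/1"), TUN),
                   (ipaddress.ip_network("128.0.0.0/1"), TUN)]
    # Host route for the concentrator itself: its encrypted packets must leave via the
    # physical interface, never via the tunnel they carry.
    routes.append((ipaddress.ip_network(VPN_GATEWAY + "/32"), LOCAL_GATEWAY))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), LOCAL_GATEWAY))   # pre-existing default
    return routes


def next_hop(routes: list, dst: str) -> str:
    """Longest-prefix match, as the host's routing table does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def classify(policy: str, destinations: list) -> dict:
    """Map each destination to 'tunnel' or 'direct' under the given policy."""
    routes = build_routes(policy)
    return {d: ("tunnel" if next_hop(routes, d) == TUN else "direct") for d in destinations}


def check_policy(policy: str, sample_internet_host: str = "93.184.216.34") -> list:
    """Pre-deployment checks; returns a list of findings (empty means nothing flagged)."""
    routes = build_routes(policy)
    findings = []
    if next_hop(routes, VPN_GATEWAY) != LOCAL_GATEWAY:
        findings.append("VPN gateway would be routed into its own tunnel (routing loop)")
    if next_hop(routes, CORP_DNS) != TUN:
        findings.append("corporate DNS is reached outside the tunnel (queries and internal names leak)")
    if policy == "split" and next_hop(routes, sample_internet_host) != TUN:
        findings.append("internet traffic goes direct: not inspected by corporate egress controls")
    return findings


if __name__ == "__main__":
    sample = ["10.5.1.2", "172.20.3.4", "93.184.216.34", CORP_DNS, VPN_GATEWAY]
    for policy in ("split", "full"):
        print(policy, classify(policy, sample), check_policy(policy))
```

The finding that split tunnelling leaves internet traffic uninspected is not a bug to fix in the route table; it is the trade-off the table above describes, and the check exists so that it is an explicit decision. If `CORP_DNS` is moved outside the tunnelled prefixes, the DNS finding appears under the split policy, which is the classic split-tunnel misconfiguration.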