3.2.5 Secure Communication & Access
VPN, TLS, IPSec, SD-WAN, SASE.
Secure communication and access ensure that data remains confidential and available while transiting networks through the application of encryption protocols and standardized connectivity frameworks.
Virtual Private Networks (VPN) VPNs create encrypted tunnels over untusted networks to ensure data privacy and integrity. - IPsec (Internet Protocol Security): Operates at the Network Layer (Layer 3). It uses Authentication Headers (AH) for integrity and Encapsulating Security Payloads (ESP) for confidentiality. Often used for site-to-site tunnels. - SSL/TLS VPN: Operates at the Application Layer. It is more flexible than IPsec as it typically only requires a web browser (clientless) rather than specialized software. - Full Tunnel vs. Split Tunnel: In a Full Tunnel, all traffic is routed through the VPN; in a Split Tunnel, only traffic destined for the corporate network is encrypted, while web surfing goes out the local gateway.
Modern Network Architecture Traditional wide-area networking is evolving toward software-defined and cloud-centric models. - SD-WAN (Software-Defined Wide Area Network): Decouples the networking hardware from its control mechanism. It uses software to manage connectivity between data centers and remote branches, improving performance and reducing costs. - SASE (Secure Access Service Edge): A framework that converges SD-WAN capabilities with cloud-native security services (like FWaaS and CASB). It emphasizes identity-based access regardless of a user's physical location.
Remote Access Protocols and Encryption Securing the "handshake" between devices is critical for preventing unauthorized interception. - TLS (Transport Layer Security): The successor to SSL. It uses Symmetric Encryption (like AES) for data bulk because it is low-latency and efficient, but uses Asymmetric Encryption for the initial secure key exchange to solve the scaling problem. - Always-On VPN: Configures mobile devices to automatically establish a VPN tunnel whenever they connect to the internet, ensuring security policies are enforced continuously.
Access Control Models Once a secure line is established, authorization policies determine what a user can do. - Role-Based Access Control (RBAC): Users are assigned to predefined roles (e.g., Manager, Auditor) rather than individual permissions. Access is non-discretionary and managed by administrators. - Rule-Based Access Control: Access is granted based on specific triggers or conditions, such as time of day, geographic location, or device health status.
Quick recall - Symmetric Encryption: Best for large data volumes; fast and low-latency. - Asymmetric Encryption: Solves the key distribution problem. - SASE: Merges WAN functions with security functions at the edge. - IPsec ESP: Provides encryption (confidentiality) for VPN traffic. - Split Tunneling: Saves bandwidth but increases risk by bypassing the corporate firewall for general internet traffic.