VPN, Remote Access, and NAC
Key Takeaways
- VPNs create encrypted tunnels for remote users or site-to-site connectivity, but what a connected client can reach through the tunnel should still be limited to least privilege.
- Split tunneling routes only selected traffic through the VPN; full tunneling routes all client traffic through the VPN.
- Remote access should use MFA, device posture checks, strong encryption, logging, and scoped authorization.
- NAC evaluates devices before or during network access and can assign VLANs, restrict access, or quarantine systems.
- ZTNA may be better than broad VPN access when users need only specific private applications.
Remote access architecture must balance confidentiality, usability, and least privilege. The exam often compares VPN, ZTNA, NAC, and device posture controls.
VPN Types
| Type | Purpose | Example |
|---|---|---|
| Remote access VPN | Individual user connects to private resources | Employee laptop to corporate network |
| Site-to-site VPN | Connects two networks | Branch office to headquarters |
| Clientless VPN | Browser-based access to selected apps | Contractor reaches web portal |
| SSL/TLS VPN | Uses TLS-based tunnel | Remote access through VPN gateway |
| IPsec VPN | Network-layer secure tunnel | Site-to-site encrypted connection |
VPN provides an encrypted path, but it does not automatically provide least privilege. After the tunnel is established, firewall policy and authorization still matter.
Full Tunnel vs Split Tunnel
| Model | Behavior | Security consideration |
|---|---|---|
| Full tunnel | All client traffic goes through corporate security stack | More visibility and control, more bandwidth use |
| Split tunnel | Only selected traffic goes through VPN | Less bandwidth, but internet traffic may bypass corporate inspection |
If the question emphasizes inspection of all remote user traffic, full tunnel or secure web gateway integration may be best. If it emphasizes bandwidth and local internet access with controlled private app routes, split tunnel may be acceptable with compensating controls.
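To make the routing difference concrete, the following added example (not part of the original study guide) models a client route table for both models with Python's standard `ipaddress` module. The corporate prefixes, the gateway address (a documentation-range IP) and the resolver addresses are constructed for the example. It shows that a full tunnel is just a default route into the VPN, that a split tunnel sends only the listed private prefixes through it, and it includes the compensating check a reviewer would want for split tunnel: whether the corporate DNS resolver is itself covered by a tunneled route, because otherwise private hostnames are resolved through the local ISP resolver.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample data: private prefixes a split-tunnel client sends into
# the VPN, plus the gateway's public address (documentation range, assumed).
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]
VPN_GATEWAY = "203.0.113.10"


def build_routes(model: str, tunneled_prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the prefixes the client routes into the tunnel.

    full  -> one default route, so every packet crosses the VPN
    split -> only the listed private prefixes cross the VPN
    """
    if model == "full":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if model == "split":
        return [ipaddress.ip_network(p) for p in tunneled_prefixes]
    raise ValueError(f"unknown tunnel model: {model}")


def path_for(dest: str, routes: List[ipaddress.IPv4Network], gateway: str = VPN_GATEWAY) -> str:
    """Longest-prefix match: 'vpn' if a tunnel route covers dest, else 'direct'.

    Packets to the VPN gateway itself always go direct; otherwise the tunnel
    would try to carry its own outer packets.
    """
    addr = ipaddress.ip_address(dest)
    if addr == ipaddress.ip_address(gateway):
        return "direct"
    best: Optional[ipaddress.IPv4Network] = None
    for net in routes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return "vpn" if best is not None else "direct"


def uninspected(dests: Iterable[str], routes: List[ipaddress.IPv4Network]) -> List[str]:
    """Destinations whose traffic bypasses the corporate inspection stack."""
    return [d for d in dests if path_for(d, routes) == "direct"]


def resolver_covered(resolver: str, routes: List[ipaddress.IPv4Network]) -> bool:
    """Split-tunnel compensating check: the corporate resolver must be reachable
    through the tunnel, or private hostnames leak to the local ISP resolver."""
    return path_for(resolver, routes) == "vpn"


if __name__ == "__main__":
    full = build_routes("full", CORPORATE_PREFIXES)
    split = build_routes("split", CORPORATE_PREFIXES)
    sample = ["10.20.30.40", "93.184.216.34", "172.20.0.5"]
    print("full tunnel bypasses inspection:", uninspected(sample, full))
    print("split tunnel bypasses inspection:", uninspected(sample, split))
    print("corporate resolver 10.0.0.53 covered under split:", resolver_covered("10.0.0.53", split))
    print("public resolver 8.8.8.8 covered under split:", resolver_covered("8.8.8.8", split))
```

The exam framing maps directly onto `uninspected`: under the full-tunnel routes the list is empty, so every remote user web request passes the corporate security stack; under the split-tunnel routes every public destination appears in it, which is exactly the bypass the table warns about.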
Remote Access Hardening
| Risk | Control |
|---|---|
| Stolen password | MFA, conditional access, risk-based challenge |
| Unmanaged device | Device posture check, MDM, certificate requirement |
| Broad network access | Per-group ACLs, ZTNA, segmentation |
| Lost endpoint | Disk encryption, remote wipe, EDR |
| Unknown activity | VPN logs, identity logs, session recording for admins |
| Weak tunnel security | Modern protocols, strong cipher suites, certificate validation |
NAC Concepts
Network Access Control checks whether a device should connect and what access it should receive.
| NAC action | Scenario |
|---|---|
| Allow full access | Managed, healthy device with required controls |
| Assign restricted VLAN | Contractor or limited-purpose device |
| Quarantine | Missing patch, disabled EDR, malware suspicion |
| Guest network | Unmanaged visitor device |
| Deny access | Unknown or explicitly blocked device |
NAC can use 802.1X, certificates, posture agents, MDM signals, MAC authentication bypass for limited devices, and integration with switches or wireless controllers.
PBQ-Style Scenario
A hospital allows employee laptops, contractor laptops, printers, and guest phones on the same wired and wireless networks. Security wants to reduce exposure without breaking access.
Better design:
- Use 802.1X for managed employee devices.
- Place healthy managed devices in role-based VLANs.
- Place contractor systems in a restricted VLAN with access only to required portals.
- Place printers in an IoT/device VLAN with limited print-server access.
- Place guest phones on internet-only guest Wi-Fi.
- Quarantine devices that fail posture checks.
Trap: "Block all unknown devices forever" may be too disruptive when printers or special devices cannot support 802.1X. A restricted VLAN or MAC authentication bypass with monitoring may be a practical compensating control.
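The NAC action table above and the hospital PBQ are both instances of one policy decision, so here is an added example (not from the original guide or any NAC product) that encodes that decision as a small Python policy engine. The VLAN names, the device roles, the posture fields and the MAB allow-list entry are all constructed assumptions; a real deployment would take these from the 802.1X authentication result, the MDM and the posture agent. The ordering matters: 802.1X-authenticated devices are evaluated first, MAC authentication bypass is honoured only for an explicitly approved limited-purpose device and lands in a restricted VLAN, registered guests get internet-only, and everything else is denied.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed allow-list of MACs permitted to use MAC authentication bypass.
# Only limited-purpose devices that cannot run 802.1X belong here (printers).
MAB_ALLOWED_MACS: Set[str] = {"00:11:22:33:44:55"}


@dataclass
class Device:
    mac: str
    role: str                    # employee | contractor | iot | guest | unknown
    dot1x_authenticated: bool    # valid certificate presented via 802.1X
    managed: bool                # enrolled in MDM
    patched: bool                # required patch level met
    edr_running: bool            # EDR agent present and enabled
    guest_registered: bool = False
    department: Optional[str] = None


@dataclass
class Decision:
    action: str   # allow | restrict | quarantine | guest | deny
    vlan: str
    reason: str


def failing_checks(d: Device) -> List[str]:
    """Names of the posture checks this device does not satisfy."""
    return [name for name, ok in (("managed", d.managed),
                                  ("patched", d.patched),
                                  ("edr_running", d.edr_running)) if not ok]


def nac_decide(d: Device) -> Decision:
    """Map a device's authentication and posture state to a NAC action."""
    if d.dot1x_authenticated:
        if d.role == "employee":
            if not failing_checks(d):
                # Role-based VLAN for a managed, healthy device
                return Decision("allow", f"corp-{d.department or 'general'}",
                                "802.1X authenticated, managed and healthy")
            return Decision("quarantine", "vlan-quarantine",
                            "posture failed: " + ", ".join(failing_checks(d)))
        if d.role == "contractor":
            # Contractors are not MDM-managed, but still must be patched with EDR
            if not (d.patched and d.edr_running):
                return Decision("quarantine", "vlan-quarantine",
                                "contractor posture failed")
            return Decision("restrict", "vlan-contractor",
                            "contractor: access to required portals only")
    # No 802.1X: MAB only for approved limited-purpose devices. MAB is a
    # weaker control, so the restricted VLAN should be monitored.
    if d.role == "iot" and d.mac.lower() in MAB_ALLOWED_MACS:
        return Decision("restrict", "vlan-iot",
                        "MAB approved device; limited print-server access, monitored")
    if d.role == "guest" and d.guest_registered:
        return Decision("guest", "vlan-guest", "internet-only guest access")
    return Decision("deny", "none", "unknown or unapproved device")


if __name__ == "__main__":
    fleet = [
        Device("aa:bb:cc:dd:ee:01", "employee", True, True, True, True, department="radiology"),
        Device("aa:bb:cc:dd:ee:02", "employee", True, True, False, True),
        Device("aa:bb:cc:dd:ee:03", "contractor", True, False, True, True),
        Device("00:11:22:33:44:55", "iot", False, False, True, False),
        Device("00:11:22:33:44:99", "iot", False, False, False, False),
        Device("aa:bb:cc:dd:ee:04", "guest", False, False, False, False, guest_registered=True),
    ]
    for dev in fleet:
        dec = nac_decide(dev)
        print(f"{dev.mac} {dev.role:10s} -> {dec.action:10s} {dec.vlan:16s} ({dec.reason})")
```

Note that the second printer-like device is denied even though it claims the `iot` role: MAB trusts only the MAC address, so the allow-list plus a restricted, monitored VLAN is the compensating control the trap in the PBQ refers to, not a reason to give MAB devices broad access.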
Remote Access Design Example
Requirement: Administrators need emergency access to production servers from home.
Stronger design:
- MFA with phishing-resistant method where supported.
- Managed device requirement.
- VPN or ZTNA path to a management jump host only.
- PAM checkout for privileged credentials.
- Session recording or command logging.
- Firewall rules from jump host to specific admin ports.
- Alerts for unusual login time, location, or failed attempts.
Weak design: allow RDP or SSH from the internet to every production server. Encryption alone does not fix exposure and brute-force risk.
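The last bullet of the stronger design (alerts for unusual login time, location, or failed attempts) and the "Unknown activity" row of the hardening table both depend on actually reading the VPN and identity logs. The following added example, which is not part of the original guide and does not use any real gateway's log format, runs four simple detections over constructed log lines: a successful login outside business hours, a login from a country not in the user's baseline, a burst of failures from one source, and a success that immediately follows such a burst. The line format, the user baselines, the business-hours window and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed VPN gateway log lines (invented format, documentation-range IPs).
SAMPLE_LOG = """\
2024-05-03T02:14:09Z user=admin.jane src=198.51.100.23 geo=US result=success
2024-05-03T09:02:11Z user=admin.jane src=198.51.100.23 geo=US result=success
2024-05-03T09:40:52Z user=admin.raj src=203.0.113.77 geo=IN result=success
2024-05-03T11:05:01Z user=admin.jane src=192.0.2.200 geo=RO result=success
2024-05-03T13:00:00Z user=svc.backup src=192.0.2.9 geo=US result=failure
2024-05-03T13:00:04Z user=svc.backup src=192.0.2.9 geo=US result=failure
2024-05-03T13:00:07Z user=svc.backup src=192.0.2.9 geo=US result=failure
2024-05-03T13:00:11Z user=svc.backup src=192.0.2.9 geo=US result=failure
2024-05-03T13:00:15Z user=svc.backup src=192.0.2.9 geo=US result=failure
2024-05-03T13:00:20Z user=svc.backup src=192.0.2.9 geo=US result=success
"""

# Assumed per-user baseline of countries seen during normal use.
BASELINE_GEO: Dict[str, Set[str]] = {"admin.jane": {"US"}, "admin.raj": {"IN"}, "svc.backup": {"US"}}
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 UTC treated as normal (assumption)
FAIL_THRESHOLD = 5                     # failures per (user, source) that count as a burst
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict with a timezone-aware timestamp, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) alerts in the order they fire.

    Rules: off_hours, new_location, failure_burst, success_after_failures.
    """
    alerts: List[Tuple[str, str, str]] = []
    recent_failures = defaultdict(deque)   # (user, src) -> failure timestamps in window
    burst_fired = set()                    # fire failure_burst once per (user, src)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and key not in burst_fired:
                burst_fired.add(key)
                alerts.append(("failure_burst", ev["user"],
                               f"{len(q)} failures from {ev['src']} within {FAIL_WINDOW}"))
            continue
        # Successful login: check time, location, and preceding failures
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", ev["user"], ev["ts"].isoformat()))
        if ev["geo"] not in BASELINE_GEO.get(ev["user"], set()):
            alerts.append(("new_location", ev["user"], f"{ev['geo']} from {ev['src']}"))
        if len(q) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", ev["user"],
                           f"success after {len(q)} failures from {ev['src']}"))
        q.clear()
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{rule:24s} {user:12s} {detail}")
```

In a real deployment these signals would feed the SIEM and the conditional-access policy rather than a script, and the `success_after_failures` rule is the one that matters most for the jump-host design: a password guessed after a burst of failures is exactly the case the MFA requirement is there to stop, so the alert should trigger a review of whether MFA was actually enforced on that session.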
A company wants all remote user web traffic inspected by corporate security tools while users are connected remotely. Which VPN routing model best fits?
Which are appropriate NAC responses to device posture? Choose three.
Remote employees need access only to a private payroll web application, not the whole internal network. Which option most closely follows least privilege?