VPNs and Secure Management Design
Key Takeaways
- VPNs build an encrypted tunnel across untrusted networks for remote-access or site-to-site connectivity, but still rely on AAA, filtering, and endpoint security.
- IPsec commonly secures site-to-site tunnels (tunnel mode); SSL/TLS VPNs are common for remote user access and traverse NAT and firewalls easily.
- Split tunnel saves bandwidth but bypasses corporate inspection; full tunnel forces all traffic through the VPN for central inspection at higher cost.
- Secure management uses encrypted protocols (SSH, HTTPS, SNMPv3), a restricted management plane, MFA, AAA, central logging, and out-of-band options.
- Management interfaces must never be reachable from guest, general-user, or Internet networks, even when the protocol is encrypted.
VPNs and Secure Management
A virtual private network (VPN) creates an encrypted path across a network that is not fully trusted. VPNs serve remote workers, branch offices, partners, cloud links, and administrative access. A VPN does not magically make traffic safe; it builds a protected tunnel and then leans on authentication, authorization, routing, filtering, monitoring, and endpoint security to do the rest.
VPN Types
| VPN type | Common use | Design notes |
|---|---|---|
| Remote-access VPN | User connects from a laptop or phone | Needs user authentication, MFA, posture checks, group-based access |
| Site-to-site VPN | Joins offices, data centers, or clouds | Usually IPsec between gateways; always-on |
| Clientless SSL VPN | Browser-based access to selected apps | Good for limited application reach, no client install |
| Always-on VPN | Auto-connects managed devices | Reduces user error, enforces consistent policy |
IPsec secures site-to-site tunnels and runs in tunnel mode, which encrypts the entire original IP packet between the two gateways; it relies on IKE for key exchange (UDP 500, plus UDP 4500 when NAT traversal is needed). SSL/TLS VPNs dominate remote access because TLS over TCP 443 passes through most firewalls and NAT devices and integrates with portals or thin clients.
Split Tunnel and Full Tunnel
| Design | Traffic flow | Benefit | Risk or cost |
|---|---|---|---|
| Split tunnel | Corporate traffic uses the VPN; Internet exits locally | Saves bandwidth, lowers latency | Internet traffic bypasses corporate inspection |
| Full tunnel | Most or all traffic traverses the VPN | Central inspection and consistent egress controls | More bandwidth and latency on VPN gear |
The right choice follows business need. A firm handling regulated data often picks full tunnel so every flow is inspected and logged. A cloud-heavy firm with strong endpoint controls may use split tunnel plus conditional access and a secure web gateway. The exam frequently frames this as "we must inspect all remote Internet traffic" - that is the full-tunnel cue. The opposite cue, "users complain video calls are slow and saturating the VPN concentrator," points toward split tunnel so that high-bandwidth, low-risk traffic exits locally rather than hairpinning through headquarters.
Recognize that split versus full is a trade between inspection coverage and bandwidth, not a security-versus-insecurity choice.
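The split-versus-full distinction is only as real as the routes the gateway actually pushes to the client, so a practitioner verifying coverage checks the endpoint's routing table. The following added example (not part of the original page) parses constructed Linux `ip route` output, classifies the client as split or full tunnel, and shows which interface a given destination would use; the interface name `tun0` and the route lines are assumptions, and it also recognizes the common "two /1 routes" form of a full tunnel that leaves the local default route in place.

```python
import ipaddress

# Constructed sample of `ip route show` output from a split-tunnel client (not a real capture).
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Same constructed host in full-tunnel mode: the gateway pushed 0.0.0.0/1 and 128.0.0.0/1,
# which win longest-prefix match over the local default route without replacing it.
FULL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/8 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` lines; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: which interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def tunnel_mode(routes, tun="tun0"):
    """Classify the client as 'full', 'split', or 'none' based on what the tunnel interface covers."""
    covered = {net for net, dev in routes if dev == tun}
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    if ipaddress.ip_network("0.0.0.0/0") in covered or halves <= covered:
        return "full"
    return "split" if covered else "none"
```

Note that even in full-tunnel mode the directly connected LAN (192.168.1.0/24) still exits locally because its /24 route is more specific than the pushed /1 routes; whether that local-LAN exemption is acceptable is a policy decision.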
Secure Management Plane
The management plane is how administrators configure and monitor devices, and it must be guarded more tightly than user traffic.
| Area | Secure design choice |
|---|---|
| Protocols to use | SSH (22), HTTPS (443), SNMPv3, authenticated APIs |
| Protocols to avoid | Telnet (23), HTTP management, SNMPv1/v2c, TFTP for configs |
| Reachability | Dedicated management VLAN, jump host/bastion, VPN, or PAW subnet |
| Authentication | Named accounts, MFA where supported, RADIUS or TACACS+ |
| Authorization | Command sets or roles aligned to job duties |
| Accounting | Central logs for logins, config changes, and failed attempts |
| Resilience | Out-of-band management (console server) for critical devices |
Management interfaces must not be reachable from guest Wi-Fi, general user VLANs, or the public Internet. Even an encrypted protocol like SSH increases attack surface when exposed broadly, because it still presents a brute-force and vulnerability target. The defense-in-depth pattern the exam rewards is a jump host (bastion): administrators first connect to one hardened, heavily logged system, and only that host is permitted to reach device management addresses. A privileged access workstation (PAW) extends the idea to a dedicated, locked-down machine used solely for administration, never for email or web browsing.
Design Scenario
A retailer manages branch firewalls, switches, and wireless controllers over HTTPS from any corporate subnet, and a few old switches still allow Telnet. The improved design: disable Telnet, require SSH or HTTPS, restrict management to a management VLAN or jump host, authenticate admins through TACACS+ or RADIUS, require MFA at the VPN or jump host, and ship all logs to a central collector (syslog/SIEM).
For remote administration, the VPN should drop admins into a restricted management group, not the broad group used by general remote workers, and firewall rules should permit only the needed management protocols to specific device addresses.
Layer the controls so each closes a different gap. Encrypted protocols protect the session contents, the management VLAN and jump host limit who can even reach the interface, AAA ties every action to a named person, and central logging preserves the evidence. Removing any single layer reopens a class of risk: encryption without reachability limits still leaves SSH facing brute force; reachability limits without AAA still allows an insider with a shared password to act anonymously.
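The management-plane table above and the retailer scenario describe the same set of weak settings, and an auditor would want to find them in a device configuration mechanically. The following added example (not code from the original page) checks constructed IOS-style configuration text, the "before" of the scenario beside its hardened "after", for the items the table and traps call out: HTTP management, SNMPv1/v2c community strings, Telnet on the VTY lines, VTYs with no access-class, and VTYs that do not use central AAA. The configuration syntax, hostname, ACL name and AAA method name are assumptions for illustration.

```python
import re

# Constructed IOS-style config (not from any real device) matching the scenario's starting state:
# HTTP management, SNMPv2c, Telnet still accepted, no reachability limit, local-only login.
BEFORE = """\
hostname branch-sw01
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""

# Hardened version: HTTPS only, SNMPv3 authPriv, SSH only, VTY restricted by ACL, TACACS+ login.
AFTER = """\
hostname branch-sw01
no ip http server
ip http secure-server
snmp-server group netops v3 priv
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login authentication TACACS
"""

def audit_management_plane(config):
    """Return one finding string per weak management-plane setting found in the config."""
    findings = []
    lines = config.splitlines()
    for line in lines:
        if line.startswith("ip http server"):          # "no ip http server" does not match
            findings.append("HTTP management enabled (use HTTPS only)")
        if line.startswith("snmp-server community"):
            findings.append("SNMPv1/v2c community string (use SNMPv3 authPriv)")
    # Collect the indented lines that belong to each `line vty` stanza.
    vty_blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = []
            vty_blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    for block in vty_blocks:
        transport = next((l for l in block if l.startswith("transport input")), "")
        # No explicit transport line means the platform default, which allows Telnet.
        if not transport or re.search(r"\b(telnet|all)\b", transport):
            findings.append("VTY accepts Telnet (set transport input ssh)")
        if not any(l.startswith("access-class") for l in block):
            findings.append("VTY has no access-class (restrict to management VLAN or jump host)")
        if not any(l.startswith("login authentication") for l in block):
            findings.append("VTY not using central AAA (RADIUS/TACACS+ login authentication)")
    return findings
```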
Out-of-band (OOB) management completes the picture. A console server or dedicated management network lets administrators reach a device even when the production data path is down - during a misconfigured ACL, a routing failure, or an upgrade gone wrong. Because OOB bypasses the normal data plane, it must be guarded just as tightly: dedicated credentials, MFA, and logging, never an open modem or default password.
Common Traps
- VPN access is not a substitute for least privilege; tunnel users still need scoped authorization.
- Exposing SSH or HTTPS management directly to the Internet is still risky even though it is encrypted.
- SNMPv3 is the choice when authentication and encryption are required; SNMPv2c sends community strings in clear text.
- A shared local admin password destroys accountability even over an encrypted session.
- Out-of-band management aids recovery during outages but still demands strong access control and logging.
A company requires that all remote-user Internet traffic be inspected by corporate security tools while users are connected to the VPN. Which design best fits?
Which protocol should replace Telnet for command-line management of network devices?
Which set of choices belongs in a secure network management design?