VPNs and Secure Management Design
Key Takeaways
- VPNs protect traffic across untrusted networks and can support remote access or site-to-site connectivity.
- IPsec commonly supports site-to-site VPNs, while SSL/TLS VPNs are common for remote user access.
- Split tunnel and full tunnel designs trade bandwidth and inspection coverage.
- Secure management uses encrypted protocols, restricted management planes, MFA, AAA, logging, and out-of-band options where appropriate.
- Management interfaces should not be exposed broadly to user, guest, or Internet networks.
VPNs and Secure Management
A virtual private network, or VPN, creates an encrypted path across a network that is not fully trusted. VPNs are used for remote workers, branch offices, business partners, cloud connectivity, and administrative access. A VPN does not automatically make all traffic safe; it creates a protected tunnel and then relies on authentication, authorization, routing, filtering, monitoring, and endpoint security.
VPN Types
| VPN type | Common use | Design notes |
|---|---|---|
| Remote access VPN | User connects from laptop or mobile device | Requires user authentication, MFA, posture checks, and group-based access |
| Site-to-site VPN | Connects offices, data centers, or cloud networks | Often uses IPsec between gateways |
| Clientless SSL VPN | Browser-based access to selected apps | Useful for limited application access |
| Always-on VPN | Automatically connects managed devices | Reduces user error and supports consistent policy |
IPsec is common for site-to-site tunnels and can operate in tunnel mode to protect traffic between networks. SSL/TLS VPNs are common for remote access because they work well through many networks and can integrate with portals or client software.
Split Tunnel and Full Tunnel
| Design | How traffic flows | Benefit | Risk or cost |
|---|---|---|---|
| Split tunnel | Corporate traffic uses VPN; Internet traffic exits locally | Saves bandwidth and may improve performance | Internet traffic may bypass corporate inspection |
| Full tunnel | Most or all traffic passes through VPN | Central inspection and consistent egress controls | More bandwidth and latency on VPN infrastructure |
The stronger choice depends on business requirements. A company handling sensitive regulated data may prefer full tunnel for inspection and logging. A company with many cloud applications and strong endpoint controls may use split tunnel with conditional access and secure web gateways.
Secure Management Plane
The management plane is how administrators configure and monitor devices. It should be protected more tightly than normal user traffic.
| Area | Secure design choice |
|---|---|
| Protocols | SSH, HTTPS, SNMPv3, secure API access |
| Insecure protocols to avoid | Telnet, HTTP management, and SNMPv1 or SNMPv2c wherever the data or the device is sensitive |
| Reachability | Dedicated management VLAN, jump host, VPN, or privileged workstation subnet |
| Authentication | Named accounts, MFA where supported, RADIUS or TACACS+ |
| Authorization | Command sets or roles based on job duties |
| Accounting | Central logs for logins, configuration changes, and failed attempts |
| Resilience | Out-of-band management for critical devices where justified |
Management interfaces should not be reachable from guest Wi-Fi, general user VLANs, or the public Internet. Even when a protocol is encrypted, broad exposure increases attack surface.
Design Scenario
A retailer has branch firewalls, switches, and wireless controllers. Administrators currently manage devices over HTTPS from any corporate subnet, and some older switches still allow Telnet. The better design is to disable Telnet, require SSH or HTTPS, restrict management access to a management VLAN or jump host, authenticate administrators through TACACS+ or RADIUS, require MFA at the VPN or jump host, and send logs to a central collector.
For remote administration, a VPN should place administrators into a restricted management group, not the same broad access group used by general remote workers. Firewall rules should allow only needed management protocols to specific device addresses.
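The scenario above lists the changes the retailer should make; a simple way to confirm they actually landed on every device is to audit the running configuration. The script below is an added example, not part of this page, and assumes IOS-style configuration syntax; both configs are constructed samples, the first with the scenario's weaknesses and the second with the recommended design applied.

```python
# Constructed IOS-style configs (sample input, not from a real device).
WEAK_CONFIG = """\
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""
HARDENED_CONFIG = """\
aaa authentication login default group tacacs+ local
logging host 10.0.100.20
snmp-server group MGMT v3 priv
no ip http server
ip http secure-server
line vty 0 4
 access-class MGMT-NET in
 transport input ssh
 login authentication default
"""

def parse_sections(config):
    """Split IOS-style text into global commands and indented blocks keyed by header line."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks

def has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def audit_management_plane(config):
    """Return sorted finding names; an empty list means none of the checked weaknesses is present."""
    glines, blocks = parse_sections(config)
    checks = [
        ("snmpv1_v2c_community", has(glines, "snmp-server community ")),  # no auth or encryption
        ("http_management", "ip http server" in glines),                 # cleartext web management
        ("no_central_aaa", not has(glines, "aaa authentication login")), # no RADIUS/TACACS+ login
        ("no_remote_logging", not has(glines, "logging host")),          # logs never leave the device
    ]
    for header, body in blocks.items():
        if header.startswith("line vty"):   # remote CLI sessions terminate on the vty lines
            telnet = any("telnet" in l.split() for l in body if l.startswith("transport input"))
            checks.append(("telnet_enabled", telnet))                    # cleartext CLI still allowed
            checks.append(("vty_unrestricted", not has(body, "access-class")))  # any source may connect
    return sorted(name for name, hit in checks if hit)
```

Run `audit_management_plane` over each device's saved configuration and treat any non-empty result as a gap against the design; the check names map one-to-one onto the table in the Secure Management Plane section.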
Common Traps
- VPN access is not a substitute for least privilege.
- Exposing SSH or HTTPS management to the Internet is still risky.
- SNMPv3 is preferred when authentication and encryption are needed.
- A shared local admin password weakens accountability even over an encrypted management session.
- Out-of-band management can help during outages but still needs strong access control.
A company wants all remote user Internet traffic inspected by corporate security tools while users are connected to VPN. Which design best fits?
Which protocol should replace Telnet for command-line management of network devices?
Which controls belong in a secure network management design? Select three.