VPN, Remote Access, and NAC
Key Takeaways
- A Virtual Private Network (VPN) creates an encrypted tunnel, but authorization inside that tunnel still has to be enforced with least privilege; encryption is not authorization.
- Split tunneling routes only selected traffic through the VPN; full tunneling routes all client traffic through the corporate path for inspection.
- IPsec uses IKE with Authentication Header (AH) or Encapsulating Security Payload (ESP); transport mode protects payload only, tunnel mode protects the whole packet.
- Network Access Control (NAC) checks identity and posture and can assign a VLAN, quarantine, or deny a device, often using 802.1X.
- Zero Trust Network Access (ZTNA) grants per-application access and is often the better answer than a broad VPN when users need only one private app.
Balancing Access and Risk
Remote-access architecture trades off confidentiality, usability, and least privilege. SY0-701 repeatedly contrasts VPN, ZTNA, and NAC, and expects you to know that encryption alone does not equal authorization.
VPN Types
| Type | Purpose | Example |
|---|---|---|
| Remote-access VPN | One user reaches private resources | Employee laptop to corporate network |
| Site-to-site VPN | Connects two networks | Branch office to headquarters |
| Clientless (SSL/TLS) VPN | Browser-based access to selected apps | Contractor reaches a web portal |
| IPsec VPN | Network-layer encrypted tunnel | Site-to-site over the internet |
IPsec detail SY0-701 expects: the Internet Key Exchange (IKE) protocol authenticates the peers and negotiates keys (IKEv2 is current). Authentication Header (AH) provides integrity and origin authentication for the packet, including immutable parts of the IP header, but no confidentiality; because it covers the header, AH breaks under NAT, which is one more reason it is rarely deployed. Encapsulating Security Payload (ESP) provides confidentiality plus integrity, so ESP is the choice whenever encryption is required. Transport mode protects only the payload and keeps the original IP header (host-to-host); tunnel mode encapsulates the entire original packet inside a new IP header (gateway-to-gateway, the usual site-to-site choice).
Full Tunnel versus Split Tunnel
| Model | Behavior | Security consideration |
|---|---|---|
| Full tunnel | All client traffic traverses the corporate stack | Maximum visibility/control, higher bandwidth use |
| Split tunnel | Only selected subnets traverse the VPN | Lower bandwidth, but internet traffic bypasses corporate inspection |
If the question stresses inspecting all remote traffic, choose full tunnel (or a secure web gateway). If it stresses bandwidth and local breakout with controlled private-app routes, split tunnel is acceptable with compensating controls.
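The routing difference between the two models is easiest to see as a longest-prefix-match lookup. The following is an added example, not code from the original page: it models a split-tunnel client table and a full-tunnel client table (full tunnel is usually implemented as two /1 routes that out-rank the physical default route, plus a host route so the VPN gateway itself stays reachable) and reports which destinations escape corporate inspection. The route entries, interface names, gateway address and destinations are all constructed for illustration.

```python
"""Added example: longest-prefix route lookup showing which destinations a
split-tunnel and a full-tunnel VPN client send outside the tunnel.
All route tables, addresses and interface names below are constructed."""
import ipaddress

# Constructed client routing tables: (prefix, egress interface)
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # default route: local internet breakout
    ("10.0.0.0/8", "tun0"),        # corporate RFC 1918 space goes via VPN
    ("172.16.0.0/12", "tun0"),
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # physical default route stays installed
    ("0.0.0.0/1", "tun0"),         # two /1 routes beat the /0 default
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "eth0"),   # host route so the VPN gateway is reachable
]

VPN_IFACE = "tun0"


def build_table(routes):
    """Parse (prefix, iface) pairs into (ip_network, iface) pairs."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def egress_interface(table, dest):
    """Interface chosen by longest-prefix match, or None if no route matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def bypasses_inspection(table, dest, vpn_iface=VPN_IFACE):
    """True when the destination is reached without traversing the VPN."""
    return egress_interface(table, dest) != vpn_iface


def uninspected_destinations(table, dests):
    """Return the subset of destinations that bypass the corporate path."""
    return [d for d in dests if bypasses_inspection(table, d)]


# Constructed sample destinations: two private hosts, one public site, the VPN gateway
DESTS = ["10.20.30.40", "172.20.1.5", "93.184.216.34", "203.0.113.10"]

if __name__ == "__main__":
    for name, routes in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(f"{name}-tunnel uninspected:", uninspected_destinations(build_table(routes), DESTS))
```

With the split table the public site bypasses inspection; with the full table only the VPN gateway's own host route does, which is unavoidable and is why full-tunnel deployments still verify that no other exception routes (captive-portal or local-LAN carve-outs) have been pushed to the client.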
Remote-Access Hardening
| Risk | Control |
|---|---|
| Stolen password | Multifactor authentication (MFA), conditional/risk-based access |
| Unmanaged device | Posture check, MDM, device certificate |
| Broad network access | Per-group ACLs, ZTNA, segmentation |
| Lost endpoint | Disk encryption, remote wipe, EDR |
| Unknown activity | VPN and identity logs, privileged session recording |
| Weak tunnel crypto | IKEv2, modern cipher suites, certificate validation |
NAC Concepts
NAC decides whether a device may connect and what it may reach, typically enforced at the switch or wireless controller via 802.1X (supplicant, authenticator, RADIUS authentication server).
| NAC action | Scenario |
|---|---|
| Allow full access | Managed, patched device with required controls |
| Assign restricted VLAN | Contractor or limited-purpose device |
| Quarantine | Missing patch, disabled EDR, malware suspicion |
| Guest network | Unmanaged visitor device |
| Deny access | Unknown or explicitly blocked device |
NAC may use 802.1X, certificates, posture agents (persistent vs dissolvable/agentless), MDM signals, and MAC Authentication Bypass (MAB) for devices like printers that cannot run a supplicant.
PBQ Scenario: Mixed Hospital Network
Employee laptops, contractor laptops, printers, and guest phones share one wired and wireless network. Better design: (1) 802.1X for managed employee devices; (2) healthy managed devices into role-based VLANs; (3) contractors into a restricted VLAN reaching only required portals; (4) printers into an IoT VLAN with limited print-server access via MAB; (5) guest phones onto internet-only Wi-Fi; (6) quarantine devices that fail posture. Trap: "block all unknown devices forever" breaks printers that cannot do 802.1X; a restricted VLAN plus MAB and monitoring is the practical compensating control.
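The NAC action table and the hospital scenario above describe one ordered policy: authentication method first, posture before role, and MAB restricted to an explicit allow-list. The block below is an added example implementing that policy in Python; it is not code from the page or any NAC product. The device fields, VLAN numbers and the printer MAC allow-list are assumptions; in a real deployment they would come from 802.1X/RADIUS attributes, MDM and the posture agent.

```python
"""Added example: a NAC decision engine for the hospital scenario.
Device attributes, VLAN IDs and the MAB allow-list are constructed;
a real NAC sources them from RADIUS, MDM and posture-agent data."""
from dataclasses import dataclass

# Assumed VLAN plan
VLANS = {"clinician": 100, "contractor": 200, "iot_printers": 300,
         "guest": 400, "quarantine": 999}

# Constructed allow-list of printer MACs permitted to use MAC Authentication Bypass
KNOWN_PRINTERS = {"00:11:22:33:44:55"}


@dataclass
class Device:
    mac: str
    auth: str             # "dot1x", "mab" or "none" (how it authenticated, if at all)
    managed: bool = False # enrolled in MDM / has a device certificate
    role: str = ""        # "clinician", "contractor", "printer", "guest" or ""
    patched: bool = True
    edr_running: bool = True
    malware_suspected: bool = False


def decide(d: Device) -> dict:
    """Return an enforcement decision {action, vlan}; rules are evaluated in order."""
    # 1. No authentication: guests get internet-only, anything else is denied
    if d.auth == "none":
        if d.role == "guest":
            return {"action": "guest", "vlan": VLANS["guest"]}
        return {"action": "deny", "vlan": None}
    # 2. MAB: only registered printer MACs, and only into the IoT VLAN
    if d.auth == "mab":
        if d.mac.lower() in KNOWN_PRINTERS:
            return {"action": "restricted", "vlan": VLANS["iot_printers"]}
        return {"action": "deny", "vlan": None}
    # 3. 802.1X-authenticated: posture is checked before any role-based access
    if d.malware_suspected or (d.managed and (not d.patched or not d.edr_running)):
        return {"action": "quarantine", "vlan": VLANS["quarantine"]}
    if d.managed and d.role == "clinician":
        return {"action": "allow", "vlan": VLANS["clinician"]}
    if d.role == "contractor":
        return {"action": "restricted", "vlan": VLANS["contractor"]}
    # 4. Authenticated but no matching role: fail closed
    return {"action": "deny", "vlan": None}


def evaluate_all(devices):
    """Map each device MAC to its decision, for a switch or controller to apply."""
    return {d.mac: decide(d) for d in devices}


# Constructed hospital inventory
FLEET = [
    Device("aa:aa:aa:00:00:01", "dot1x", managed=True, role="clinician"),
    Device("aa:aa:aa:00:00:02", "dot1x", managed=True, role="clinician", edr_running=False),
    Device("bb:bb:bb:00:00:01", "dot1x", managed=False, role="contractor"),
    Device("00:11:22:33:44:55", "mab", role="printer"),
    Device("00:11:22:33:44:99", "mab", role="printer"),   # unregistered printer MAC
    Device("cc:cc:cc:00:00:01", "none", role="guest"),
    Device("dd:dd:dd:00:00:01", "none"),
]

if __name__ == "__main__":
    for mac, decision in evaluate_all(FLEET).items():
        print(mac, decision)
```

The order matters: a managed clinician laptop with EDR disabled lands in quarantine before its role is ever considered, and an unregistered MAC presenting via MAB is denied rather than falling into the printer VLAN, which is the control that keeps MAB from becoming a trivial MAC-spoofing bypass.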
Privileged Remote-Access Example
Admins need emergency access to production servers from home. Strong design: phishing-resistant MFA, managed-device requirement, VPN or ZTNA to a management jump host only, Privileged Access Management (PAM) credential checkout, session/command logging, firewall rules from the jump host to specific admin ports, and alerts on unusual time, location, or failed logins. Weak design: exposing RDP (TCP 3389) or SSH (TCP 22) from the internet to every server. Encryption does not remove the exposure or brute-force surface.
VPN versus ZTNA versus SASE
SY0-701 expects you to distinguish three access models:
- VPN: extends the corporate network to the endpoint. Once connected, the user is "inside" and can often reach many subnets, so it relies heavily on internal segmentation to stay least-privilege.
- ZTNA: brokers access to a single named application after verifying identity and device posture for each session (and re-evaluating it continuously in most implementations). The user never joins the network, which shrinks the attack surface and sharply limits lateral movement.
- Secure Access Service Edge (SASE): converges ZTNA, a secure web gateway, a cloud access security broker, and firewall-as-a-service into one cloud-delivered fabric, applying policy at the edge nearest the user.
When a scenario says "the contractor needs one app, not the network," choose ZTNA. When it says "branch offices need cloud-delivered security with consistent policy," lean SASE.
Remote-Access Protocol Hygiene
Legacy remote-administration protocols are a common wrong answer. Replace Telnet (TCP 23) with SSH (TCP 22), replace plaintext FTP with SFTP or FTPS, and avoid exposing RDP (TCP 3389) directly. Where remote desktop is required, place it behind a Remote Desktop Gateway or a jump host, enforce MFA, apply Network Level Authentication, and rate-limit logon attempts to blunt brute-force and credential-stuffing. Always pair any remote-access path with logging that feeds a central collector so that unusual session times, source geographies, and repeated failures generate alerts.
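The alerting the paragraph above calls for (repeated failures, unusual source geography, unusual session times) is straightforward to express as detection logic over authentication events. The block below is an added example, not code from the page or any vendor: it runs three detections over constructed VPN/gateway login records. The log line format, usernames, source addresses, country codes, per-user baseline countries and the business-hours window are all assumptions.

```python
"""Added example: detections over constructed remote-access login events.
The log format, users, IPs, countries and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO8601 UTC> <OK|FAIL> user=<name> src=<ip> country=<cc>"
LOGS = """\
2024-05-01T02:05:00Z FAIL user=alice src=198.51.100.7 country=RU
2024-05-01T02:05:20Z FAIL user=bob src=198.51.100.7 country=RU
2024-05-01T02:05:40Z FAIL user=carol src=198.51.100.7 country=RU
2024-05-01T02:06:00Z FAIL user=dave src=198.51.100.7 country=RU
2024-05-01T02:06:20Z FAIL user=erin src=198.51.100.7 country=RU
2024-05-01T02:07:00Z OK user=erin src=198.51.100.7 country=RU
2024-05-01T09:15:00Z OK user=alice src=203.0.113.5 country=US
2024-05-01T09:16:00Z FAIL user=alice src=203.0.113.5 country=US
2024-05-01T09:16:30Z OK user=alice src=203.0.113.5 country=US
"""

# Assumed per-user baseline country, e.g. learned from the last 30 days of successes
BASELINE_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "dave": "US", "erin": "US"}
FAIL_THRESHOLD = 5             # failures from one source within WINDOW raise an alert
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed


def parse(line):
    """Parse one constructed log line into a dict with a datetime and an ok flag."""
    ts, result, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["ok"] = result == "OK"
    return event


def detect(text):
    """Return a list of (alert_kind, subject) tuples in the order they fire."""
    alerts = []
    recent_fails = defaultdict(list)   # src -> failure timestamps inside WINDOW
    users_per_src = defaultdict(set)   # src -> distinct usernames attempted
    for event in (parse(l) for l in text.splitlines() if l.strip()):
        src, user = event["src"], event["user"]
        if not event["ok"]:
            recent_fails[src] = [t for t in recent_fails[src] if event["ts"] - t <= WINDOW]
            recent_fails[src].append(event["ts"])
            users_per_src[src].add(user)
            if len(recent_fails[src]) == FAIL_THRESHOLD:
                # many users from one source is password spraying / credential stuffing;
                # one user hammered from one source is classic brute force
                kind = "credential_stuffing" if len(users_per_src[src]) > 1 else "brute_force"
                alerts.append((kind, src))
            continue
        # Successful session: compare against the user's geographic baseline and the clock
        if event["country"] != BASELINE_COUNTRY.get(user):
            alerts.append(("new_country", user))
        if event["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user))
    return alerts


if __name__ == "__main__":
    for kind, subject in detect(LOGS):
        print(f"ALERT {kind}: {subject}")
```

On the constructed input the burst of five failures across five different accounts from one source fires as credential stuffing, and the success that follows it from an unexpected country at 02:07 fires twice more; alice's single daytime failure from her usual country stays below threshold. The same structure applies to SSH or RDP Gateway logs once the parser is adapted to their fields.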
The exam's consistent message: a tunnel provides confidentiality and integrity in transit, but authorization, posture, and monitoring must still be layered on top to satisfy least privilege.
A company wants all remote user web traffic inspected by corporate security tools while users are connected. Which VPN routing model best fits?
Which are appropriate NAC responses to device posture? Choose three.
Remote employees need access only to a private payroll web application, not the whole internal network. Which option most closely follows least privilege?