Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.5. VPNs (IPsec)

💡 First Principle: The internet is hostile—anyone between you and your destination can capture your traffic. Without encryption, credentials, financial data, and trade secrets travel in cleartext through dozens of networks you don't control. VPNs create encrypted tunnels that let you send private data across public networks safely. Think of it as a sealed, armored tube running through a public space—people can see the tube exists, but they can't see or touch what's inside.

What happens without VPNs: Consider a branch office connecting to headquarters over the internet. Every email, file transfer, and database query crosses multiple ISP networks. Anyone on those networks—or anyone who compromises a router along the path—can read your data. Competitors, criminals, nation-states. A VPN encrypts everything between the two sites, so anyone capturing traffic on the path sees only ciphertext.

Why IPsec dominates enterprise VPNs: IPsec works at the network layer, encrypting everything regardless of application. Email, web, file transfers, database connections—all protected without changing applications. It provides three protections:

  • Confidentiality: Encryption (AES) makes data unreadable to eavesdroppers
  • Integrity: Keyed hashes (HMAC built on SHA) detect whether the data was altered in transit
  • Authentication: Both sides prove their identity before trusting each other

VPN Types:

The exam distinguishes between two fundamental VPN architectures:

Type | Use Case | Setup | User Experience
--- | --- | --- | ---
Site-to-Site | Connect branch offices permanently | Router-to-router, always on | Transparent—users don't know it's there
Remote Access | Mobile/home workers connecting temporarily | Client software to VPN gateway | User initiates connection

Site-to-Site VPNs connect entire networks. Once configured, traffic between the Denver and Chicago offices automatically gets encrypted—users just see remote resources as if they were local. The VPN exists at the network layer, invisible to applications.

Remote Access VPNs connect individual users. An employee at home runs VPN client software, authenticates, and gets a tunnel to the corporate network. Their laptop gets a corporate IP address and can access internal resources as if plugged in at the office.

IPsec Components

Protocol | Role | What It Does
--- | --- | ---
IKE (Internet Key Exchange) | Setup | Negotiates encryption algorithms, exchanges keys, establishes security associations
ESP (Encapsulating Security Payload) | Protection | Encrypts and authenticates the payload—this is what protects your data
AH (Authentication Header) | Integrity only | Authenticates but doesn't encrypt—rarely used because ESP does both

IKE Phases:
  • Phase 1: Establish a secure channel to negotiate (ISAKMP SA)—authenticates peers
  • Phase 2: Use that channel to set up the actual data encryption (IPsec SA)
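The two IKE phases as an added Go example (not from the course material or from any IPsec implementation): Phase 1 is reduced to an ephemeral X25519 Diffie-Hellman exchange that leaves both peers holding the same shared secret, and Phase 2 to deriving separate per-direction encryption and integrity keys for the IPsec SA from that secret plus both peers' nonces. The peer authentication of Phase 1 (pre-shared key or certificates), the algorithm negotiation, and IKEv2's real prf+ construction are left out; the HMAC-SHA256 derivation and its labels are this example's own assumption.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Peer holds one side's ephemeral X25519 key pair for the Phase 1 exchange.
type Peer struct {
	priv *ecdh.PrivateKey
}

// NewPeer generates a fresh ephemeral key pair (constructed for this example).
func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// Public returns the value sent across the wire; the private key never leaves the host.
func (p *Peer) Public() []byte { return p.priv.PublicKey().Bytes() }

// Phase1Secret computes the Diffie-Hellman shared secret from the remote public value.
func (p *Peer) Phase1Secret(remotePub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(remotePub)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// SAKeys are the per-direction keys of the Phase 2 (IPsec) security association.
type SAKeys struct {
	EncInitToResp, IntInitToResp []byte
	EncRespToInit, IntRespToInit []byte
}

// prf is a simplified HMAC-SHA256 derivation standing in for IKE's prf+; the labels
// are an assumption of this example, not the IKEv2 construction.
func prf(secret []byte, label string, nonces []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(label))
	mac.Write(nonces)
	return mac.Sum(nil)
}

// DeriveSAKeys turns the Phase 1 secret plus both nonces into four distinct keys,
// so each direction gets its own encryption key and integrity key.
func DeriveSAKeys(shared, nonceI, nonceR []byte) SAKeys {
	nonces := append(append([]byte{}, nonceI...), nonceR...)
	return SAKeys{
		EncInitToResp: prf(shared, "enc i->r", nonces),
		IntInitToResp: prf(shared, "int i->r", nonces),
		EncRespToInit: prf(shared, "enc r->i", nonces),
		IntRespToInit: prf(shared, "int r->i", nonces),
	}
}

// RunExchange runs both phases between an initiator and a responder and returns the
// keys each side computed on its own; a correct exchange yields identical keys.
func RunExchange() (SAKeys, SAKeys, error) {
	initiator, err := NewPeer()
	if err != nil {
		return SAKeys{}, SAKeys{}, err
	}
	responder, err := NewPeer()
	if err != nil {
		return SAKeys{}, SAKeys{}, err
	}
	// Each side contributes a fresh nonce so the derived SA keys never repeat.
	nonceI, nonceR := make([]byte, 16), make([]byte, 16)
	rand.Read(nonceI)
	rand.Read(nonceR)
	// Phase 1: only public values cross the wire; both sides compute the same secret.
	secretI, err := initiator.Phase1Secret(responder.Public())
	if err != nil {
		return SAKeys{}, SAKeys{}, err
	}
	secretR, err := responder.Phase1Secret(initiator.Public())
	if err != nil {
		return SAKeys{}, SAKeys{}, err
	}
	// Phase 2: each side derives the IPsec SA keys from the secret and both nonces.
	return DeriveSAKeys(secretI, nonceI, nonceR), DeriveSAKeys(secretR, nonceI, nonceR), nil
}

func main() {
	ki, kr, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("initiator enc i->r:", hex.EncodeToString(ki.EncInitToResp))
	fmt.Println("responder enc i->r:", hex.EncodeToString(kr.EncInitToResp))
}
```

The point to take from the run is that neither side ever transmits the shared secret or the SA keys; only public values and nonces cross the wire, and each direction of the tunnel ends up with its own encryption and integrity keys.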

⚠️ Exam Trap: ESP is almost always used over AH because ESP provides encryption AND integrity. AH only provides integrity—it doesn't encrypt, so your data is readable. The main reason AH exists is that some countries historically restricted encryption.
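To make the ESP-versus-AH distinction concrete, here is an added Go example (not from the course material or from any IPsec stack) that models how each protocol treats one payload: the AH-style path appends an HMAC-SHA256 tag and sends the payload in cleartext, while the ESP-style path encrypts and authenticates it with AES-GCM. The session keys are constructed at random here; in a real tunnel IKE supplies them. Header layout, sequence numbers and anti-replay are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session keys are assumed to come from IKE; for this example they are random.
var (
	encKey = mustRandom(32) // AES-256 key for the ESP-style path
	intKey = mustRandom(32) // HMAC-SHA256 key for the AH-style path
)

// mustRandom returns n random bytes from crypto/rand.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// AHProtect models the Authentication Header: the payload goes out in cleartext with
// an HMAC-SHA256 tag appended, so changes are detectable but the contents are not hidden.
func AHProtect(payload []byte) []byte {
	mac := hmac.New(sha256.New, intKey)
	mac.Write(payload)
	return append(append([]byte{}, payload...), mac.Sum(nil)...)
}

// AHVerify recomputes the tag and returns the payload, or an error if it was altered.
func AHVerify(pkt []byte) ([]byte, error) {
	if len(pkt) < sha256.Size {
		return nil, errors.New("AH: packet too short")
	}
	payload, tag := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	mac := hmac.New(sha256.New, intKey)
	mac.Write(payload)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("AH: integrity check failed")
	}
	return payload, nil
}

// espAEAD builds the AES-GCM cipher used by both ESP-style functions.
func espAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ESPProtect models ESP with an AEAD cipher: the payload is encrypted and authenticated
// in one step, and the random nonce is prepended so the receiver can decrypt.
func ESPProtect(payload []byte) ([]byte, error) {
	gcm, err := espAEAD()
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// ESPOpen decrypts and verifies; any change to nonce, ciphertext or tag is rejected.
func ESPOpen(pkt []byte) ([]byte, error) {
	gcm, err := espAEAD()
	if err != nil {
		return nil, err
	}
	if len(pkt) < gcm.NonceSize() {
		return nil, errors.New("ESP: packet too short")
	}
	nonce, ct := pkt[:gcm.NonceSize()], pkt[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("ESP: integrity check failed")
	}
	return pt, nil
}

// Readable reports whether the cleartext payload appears verbatim in the packet,
// which is what an on-path observer sees in a capture.
func Readable(pkt, payload []byte) bool { return bytes.Contains(pkt, payload) }

// Tamper flips one bit in the packet's first byte, modelling an on-path modification.
func Tamper(pkt []byte) []byte {
	out := append([]byte{}, pkt...)
	out[0] ^= 0x01
	return out
}

func main() {
	payload := []byte("user=alice&password=hunter2") // constructed sample data
	ah, esp := AHProtect(payload), []byte(nil)
	esp, _ = ESPProtect(payload)
	_, ahErr := AHVerify(Tamper(ah))
	_, espErr := ESPOpen(Tamper(esp))
	fmt.Println("AH exposes payload:", Readable(ah, payload), " ESP exposes payload:", Readable(esp, payload))
	fmt.Println("tampered AH rejected:", ahErr != nil, " tampered ESP rejected:", espErr != nil)
}
```

Both paths catch the modified packet, which is the integrity property; only the ESP-style packet also hides the credentials from whoever captured it, which is why the exam expects ESP as the default answer.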