4.2.3. Secure Communication and Access
First Principle: Every communication channel is a potential interception point. Securing communication means encrypting data in transit, authenticating both endpoints, and controlling who can access management interfaces.
VPN types:
- Site-to-site VPN: connects two networks (e.g., headquarters to branch office) over an encrypted tunnel. Uses IPsec. Always-on and transparent to users.
- Remote access VPN: connects individual users to the corporate network. Uses IPsec or SSL/TLS. Initiated by the user when needed.
- Split tunnel vs. full tunnel: a split tunnel routes only corporate-bound traffic through the VPN (better performance, less security, because internet-bound traffic bypasses corporate controls). A full tunnel routes ALL traffic through the VPN (more secure, slower), ensuring all traffic is inspected by corporate security controls.
Secure protocols:
- SSH: encrypted remote administration (replaces Telnet)
- TLS/HTTPS: encrypted web communication
- SFTP/SCP: encrypted file transfer (replaces FTP)
- SNMPv3: encrypted network management (replaces SNMPv1/v2)
- LDAPS: encrypted directory queries
Out-of-band management: managing network devices through a separate, dedicated management network that is isolated from production traffic. If the production network is compromised, the management channel remains accessible. Requires separate physical or logical infrastructure.
Jump server (bastion host) ā a hardened intermediary that administrators connect through to reach internal systems. Instead of exposing management interfaces directly, all administrative access routes through the jump server. This creates a single, auditable choke point: every admin session is logged, and the jump server can enforce MFA, session recording, and time-limited access. If the jump server is compromised, you disable one system rather than re-securing every device.
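As an added example that is not part of the original guide, here is the jump-server pattern expressed with OpenSSH: the administrator's client config forces every internal hop through the bastion with ProxyJump, and the bastion's sshd enforces key-plus-second-factor authentication, verbose logging, and relay-only access limited to the management hosts. All hostnames, addresses, user names and the group name are constructed placeholders, and the second factor assumes a PAM OTP module is already configured.

```sshconfig
# ---- Administrator workstation: ~/.ssh/config ----
# Addresses, users and host aliases are constructed placeholders.
Host bastion
    HostName 203.0.113.10              # public address of the jump server
    User admin
    IdentityFile ~/.ssh/id_ed25519_admin
    IdentitiesOnly yes

# Internal devices are reached only THROUGH the bastion; no direct route exists.
Host core-sw01
    HostName 10.0.20.11
    User netadmin
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_admin
    IdentitiesOnly yes

Host core-sw02
    HostName 10.0.20.12
    User netadmin
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_admin
    IdentitiesOnly yes

# ---- Jump server: /etc/ssh/sshd_config (excerpt) ----
PasswordAuthentication no
PubkeyAuthentication yes
# Require a key AND a second factor (keyboard-interactive via a PAM OTP module)
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
UsePAM yes
MaxAuthTries 3
LogLevel VERBOSE                       # records key fingerprints per session for the audit trail
X11Forwarding no
PermitTunnel no
AllowAgentForwarding no
# ProxyJump needs TCP forwarding, but only toward the management network hosts
AllowTcpForwarding yes
PermitOpen 10.0.20.11:22 10.0.20.12:22

# Admins get no interactive shell on the bastion itself: it is a relay, nothing more.
Match Group netadmins
    PermitTTY no
    ForceCommand /bin/false
```

With this in place `ssh core-sw01` opens the tunnel through the bastion transparently, and any attempt to forward to a host outside the PermitOpen list is refused and logged on the bastion.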
Port security on switches restricts which devices can connect to physical ports by limiting the allowed MAC addresses. It prevents rogue devices from joining the network: if an unauthorized MAC address appears, the port can be configured to shut down, restrict traffic, or alert administrators.
Exam Trap: Split tunnel is faster but less secure because non-corporate traffic bypasses VPN inspection. If a question describes a security concern about remote users accessing both corporate resources and the internet, full tunnel is the more secure answer.
