5.3.1. Network Observability and Traffic Analysis
💡 First Principle: A VPN creates a secure, authenticated tunnel across an untrusted network (typically the internet), making geographically separated network segments behave as if they share a private network. The encryption protects confidentiality; the authentication prevents unauthorized tunnel establishment; the encapsulation hides the inner traffic from the underlying untrusted network, which sees only the outer tunnel packets.
VPN types by use case:
| Type | Connects | Protocol Options | Use Case |
|---|---|---|---|
| Site-to-Site (LAN-to-LAN) | Two network gateways | IPsec IKEv2, GRE over IPsec | Permanently connect branch offices to HQ |
| Remote Access (Client-to-Site) | Individual client to corporate gateway | SSL/TLS VPN, IPsec IKEv2, OpenVPN, WireGuard | Road warriors, remote employees |
| SSL/TLS VPN | Browser or thin client to SSL gateway | TLS | Application-specific access; clientless option |
| SD-WAN | Branch to cloud/HQ | Various, often proprietary | Modern WAN replacement with app-aware routing |
IPsec VPN deep dive:
Site-to-site IPsec uses IKE (Internet Key Exchange) to negotiate security associations before tunnel establishment:
| Phase | Process | Mode | What's Negotiated |
|---|---|---|---|
| IKE Phase 1 | Establish secure management channel | Main (6 messages) or Aggressive (3 messages, less secure) | Encryption algo, hash, DH group, authentication method; generates IKE SA |
| IKE Phase 2 | Negotiate IPsec SA for actual data | Quick Mode | IPsec protocols (AH/ESP), encryption algo, SA lifetime; generates IPsec SA |
Main mode vs. Aggressive mode:
- Main mode: identity is protected (encrypted during exchange); more secure
- Aggressive mode: identity sent in cleartext; faster; vulnerable to offline dictionary attacks on pre-shared keys
Split tunneling tradeoffs:
| Configuration | Traffic through VPN | Advantage | Security Risk |
|---|---|---|---|
| Full tunnel | All traffic | Corporate controls all traffic; DLP sees everything | Performance; privacy concerns; VPN becomes single point of failure |
| Split tunnel | Only corporate destinations | Better performance; bandwidth efficiency | Internet traffic bypasses corporate security; malware can exfiltrate via internet path |
| Split tunnel exclude | All except specified | Blocks specified risky destinations; internet through VPN | Complex to maintain; risky destinations must be continuously updated |
WireGuard — modern VPN protocol:
- Uses state-of-the-art cryptography (ChaCha20, Curve25519, BLAKE2)
- Simpler than IPsec (far fewer lines of code, hence a smaller attack surface)
- Faster than OpenVPN; comparable to IPsec
- Limitation: static IP configuration; no dynamic routing integration; public IPs of peers must be known in advance
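As an added example (not part of this study guide, and not code from the WireGuard project), the following Python builds the three split-tunneling configurations from the table above as WireGuard `AllowedIPs` lists and decides, for a given destination, whether a packet enters the tunnel. It serves both the split-tunneling table and the WireGuard notes: in WireGuard, `AllowedIPs` is the per-peer routing table for the tunnel, and it has no way to say "everything except X", so the "split tunnel exclude" configuration has to be produced by computing the complement of the excluded prefixes, which is exactly why the table calls it complex to maintain. The corporate networks, the excluded range and the test destinations are constructed sample values.

```python
import ipaddress

# Constructed sample values: the corporate address space reached through the tunnel,
# and one range to keep out of the tunnel in the "exclude" configuration.
CORP_NETS = ["10.0.0.0/8", "172.16.0.0/12"]
EXCLUDED_NETS = ["203.0.113.0/24"]  # TEST-NET-3, a documentation range


def allowed_ips_full_tunnel():
    """Full tunnel: a single default route sends every destination through the VPN."""
    return [ipaddress.ip_network("0.0.0.0/0")]


def allowed_ips_split_tunnel(corp_nets=CORP_NETS):
    """Split tunnel: only the corporate prefixes enter the tunnel; everything else
    takes the local internet path, outside corporate inspection."""
    return sorted(ipaddress.ip_network(n) for n in corp_nets)


def allowed_ips_exclude(excluded=EXCLUDED_NETS):
    """Split tunnel exclude: everything except the listed prefixes goes through the VPN.
    AllowedIPs has no negation, so the complement is spelled out as explicit prefixes;
    every added exclusion rewrites this list, which is the maintenance cost noted above."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Carve the excluded prefix out; address_exclude yields the leftover pieces.
                kept.extend(net.address_exclude(ex))
            elif net.overlaps(ex):
                # The exclusion covers this whole prefix: drop it.
                continue
            else:
                kept.append(net)
        remaining = kept
    return sorted(remaining)


def goes_through_tunnel(dst, allowed_ips):
    """True if the destination matches any AllowedIPs prefix, i.e. the tunnel gets the packet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_ips)


def render_allowed_ips(allowed_ips):
    """Format the list as the AllowedIPs line of a WireGuard [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in allowed_ips)


def classify_destinations(destinations):
    """For each destination, report which of the three configurations would tunnel it."""
    configs = {
        "full": allowed_ips_full_tunnel(),
        "split": allowed_ips_split_tunnel(),
        "exclude": allowed_ips_exclude(),
    }
    return {
        dst: {name: goes_through_tunnel(dst, nets) for name, nets in configs.items()}
        for dst in destinations
    }


if __name__ == "__main__":
    for name, nets in (("full", allowed_ips_full_tunnel()),
                       ("split", allowed_ips_split_tunnel()),
                       ("exclude", allowed_ips_exclude())):
        print(f"[{name}] {render_allowed_ips(nets)}")
    # Constructed destinations: an internal server, a public resolver, a host in the excluded range.
    for dst, result in classify_destinations(["10.1.2.3", "8.8.8.8", "203.0.113.7"]).items():
        print(dst, result)
```

Excluding a single /24 from the default route already produces 24 prefixes (one for every bit of the excluded prefix length), so the exclude list grows quickly as exclusions are added, and a stale entry silently sends traffic either around or into the tunnel; the three functions make that tradeoff concrete: the full tunnel is one line to maintain, the split tunnel leaves internet-bound traffic outside corporate inspection, and the exclude list must be regenerated whenever the set of excluded destinations changes.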
⚠️ Exam Trap: SSL VPN and TLS VPN are the same thing — TLS replaced SSL, but "SSL VPN" remains the common name for browser-based or thin-client VPN solutions. In contrast to IPsec VPN (operates at Layer 3, requires client software), SSL/TLS VPN can operate at Layer 7 and may be accessed via a standard web browser without installed software — making it well-suited for temporary access from unmanaged devices.
Reflection Question: A law firm has 50 attorneys who work from home, client offices, and coffee shops. They need access to case management software, document repositories, and email. The IT team is debating between full-tunnel IPsec VPN and SSL VPN with split tunneling. Analyze the security tradeoffs of each option, specifically addressing confidentiality risk, performance, and regulatory requirements for protecting client-privileged information.