5.3. Network Monitoring and Management

💡 First Principle: Network communication that doesn't have cryptographic protection is vulnerable to interception and modification by anyone with access to the communication path — and "access to the communication path" in a cloud/internet world means a much wider range of actors than in a private data center. Secure channels add the encryption, authentication, and integrity protection that the underlying network protocols lack.

The choice of secure channel protocol depends on the use case: what layer of the stack needs protection, whether forward secrecy is required, whether both endpoints are under organizational control, and whether hardware or software implementation is preferred. TLS protects web traffic; IPsec protects network traffic; SSH protects administrative sessions; WPA3 protects wireless links.

Why this matters: Secure channel protocol selection is directly tested. Questions will present scenarios (remote work, site-to-site, wireless) and ask which protocol is most appropriate for the described requirement. The answer requires knowing the protocol's scope, the layer it operates at, and its authentication model.

⚠️ Common Misconception: "VPNs provide complete security for remote workers." A VPN creates an encrypted tunnel to the corporate network — but it only protects traffic that flows through that tunnel. Split tunneling (where only corporate traffic goes through the VPN) means internet traffic bypasses corporate security controls entirely. Full-tunnel VPN avoids this but creates performance and privacy tradeoffs. Neither VPN approach protects against malware already on the remote device.