3.2 Secure communication

Question 1

VPN

Answer 1

• Virtual Private Networks– Encrypted (private) data traversing a public network
• Concentrator– Encryption/decryption access device– Often integrated into a firewall
• Many deployment options– Specialized cryptographic hardware– Software-based options available
• Used with client software - Sometimes built into the OS

Question 2

Encrypted tunnel

Answer 2

• Keep data private across the public Internet– Encryption is the key
• Encrypt your data - Add new headers and trailers
• Decrypt on the other side - Original data is delivered

Question 3

SSL/TLS VPN (Secure Sockets Layer VPN)

Answer 3

Uses common SSL/TLS protocol (tcp/443)– (Almost) No firewall issues!
* No big VPN clients– Usually remote access communication
* Authenticate users– No requirement for digital certificates or shared
passwords (like IPSec)
* Can be run from a browser or from a (usually light)
VPN client– Across many operating systems

Question 4

SSL/TLS VPN

Answer 4

• On-demand access from a remote device– Software connects to a VPN concentrator
• Some software can be configured as always-on

Question 5

Site-to-site IPsec VPN

Answer 5

• Always-on– Or almost always
• Firewalls often act as VPN concentrators– Probably already have firewalls in place

Question 6

SD-WAN

Answer 6

• Software Defined Networking in a Wide Area Network– A WAN built for the cloud
• The data center used to be in one place– The cloud has changed everything
• Cloud-based applications communicate directly
  to the cloud– No need to hop through a central point

Question 7

Secure Access Service Edge (SASE)

Answer 7

• Update secure access for cloud services– Securely connect from different locations
• Secure Access Service Edge (SASE)– A “next generation” VPN
• Security technologies are in the cloud– Located close to existing cloud services
• SASE clients on all devices– Streamlined and automatic

Question 8

Selection of effective controls

Answer 8

Many different security options– Selecting the right choice can be challenging
* VPN– SSL/TLS VPN for user access– IPsec tunnels for site-to-site access
SSL/TLS VPN
2
* SD-WAN– Manage the network connectivity to the cloud– Does not adequately address security concerns
* SASE– A complete network and security solution– Requires planning and implementation

Question 9

SSL/TLS VPN process.

Answer 9

1. Remote user creates a secure tunnel to the VPN concentrator.
2. VPN concentrator
   decrypts the tunneled
   traffic and routes it
   into the corporate network.
3. The process is reversed
   for the return traffic

Question 10

Site to Site IPsec VPN process.

Answer 10

1. Traffic is encrypted
   as it passes through the
   local VPN concentrator.
2. Traffic is decrypted
   in the VPN concentrator
   on the other side of
   the tunnel

Question 11

Secure Access Service Edge (SASE) See course notes example