0 / 10 flipped
VPN β Virtual Private Network
Tap to reveal
Encrypts private data and sends it across a public network (internet) so that intercepted traffic is unintelligible to an attacker. "Virtual" because the private network is constructed logically through encryption over shared public infrastructure. Requires a VPN concentrator at each end for encryption and decryption. Two main deployment models: remote access VPN (individual user to corporate network) and site-to-site VPN (network to network). The concentrator is typically integrated into the perimeter firewall on the corporate side.
VPN Concentrator
Tap to reveal
The device that terminates VPN tunnels β encrypts outbound traffic before it enters the public network and decrypts inbound traffic received from the tunnel. Can be dedicated hardware (specialized crypto processors), integrated into a firewall (most common), or software-based. On the corporate side, the perimeter firewall typically serves as the concentrator. On the remote user side, VPN client software on the laptop is the concentrator equivalent. All session management, key exchange, and encryption/decryption happens at the concentrator.
IPsec Tunnel Structure
Tap to reveal
In IPsec tunnel mode, the original IP packet (header + data) is encrypted entirely and wrapped in a new packet: [New outer IP header] [IPsec header] [Encrypted original IP header + data] [IPsec trailer]. The new outer header routes the packet to the VPN concentrator; the IPsec header identifies the security association (keys/algorithms); the IPsec trailer marks the payload end. The concentrator strips outer headers, decrypts, and recovers the original packet. Internet routers see only the outer header β the original source, destination, and content are all invisible.
SSL/TLS VPN (Remote Access VPN)
Tap to reveal
A VPN that uses TLS over TCP port 443 β the same protocol/port as HTTPS. Because port 443 is universally allowed by firewalls (blocking it breaks web browsing), SSL/TLS VPN has essentially no firewall traversal problems. Requires VPN client software on the user's device (browser, OS-built-in, or lightweight app). Supports flexible authentication (username/password, MFA, SSO) without requiring digital certificates. Primary use case: individual user remote access from anywhere. Can be on-demand (user initiates) or always-on (auto-connects on network detection).
Site-to-Site IPsec VPN
Tap to reveal
A VPN that connects two networks (typically headquarters and a branch office) with a persistent encrypted tunnel. The VPN concentrators at each end are the perimeter firewalls β no client software on user devices. Users send traffic normally; firewalls intercept and encrypt all traffic destined for the remote network, tunneling it automatically. Always-on: tunnels are established and maintained without user action. Network-to-network scope: all devices on both networks can communicate. Primary use case: permanent branch office connectivity to headquarters.
Always-On VPN
Tap to reveal
A VPN configuration where the client automatically establishes and maintains the encrypted tunnel whenever the device has internet connectivity β without user action. All traffic is always encrypted, regardless of whether the user is at the office, home, or a coffee shop. Used for managed corporate devices to ensure security policies (web filtering, DLP, threat inspection) are applied to all traffic at all times. If the tunnel drops, can be configured fail-closed (block all traffic until tunnel re-establishes) or fail-open (allow unprotected traffic if tunnel is unavailable).
SD-WAN
Tap to reveal
Software Defined Networking in a Wide Area Network β a WAN architecture that uses software-defined control to intelligently route traffic based on application type, performance, and destination. Solves the cloud backhauling problem: instead of routing all traffic through headquarters (which adds latency for cloud-bound traffic), SD-WAN routes cloud app traffic directly from the branch to the cloud via local internet, while internal app traffic still routes securely through the corporate WAN. Primarily a networking optimization technology β does not provide comprehensive security for direct-to-cloud traffic on its own.
SASE β Secure Access Service Edge
Tap to reveal
A cloud-delivered platform combining networking services (SD-WAN, VPNs, QoS, routing, SaaS acceleration) with security services (ZTNA, Cloud SWG, CASB, FWaaS, DLP, DNS security, threat prevention) into a unified service. A SASE client on every device auto-connects to the nearest cloud PoP, where traffic is inspected and optimally routed. Provides consistent security posture and performance for corporate office, home, and mobile users. The "next generation" VPN for cloud-first organizations β replaces traditional VPN concentrators with cloud-distributed security and networking.
ZTNA β Zero Trust Network Access
Tap to reveal
A SASE security component that replaces traditional VPN with identity-verified, per-application access control. Traditional VPN: authenticate once β access the entire corporate network subnet. ZTNA: authenticate per session β access only the specific authorized applications, not the full network. Limits lateral movement risk: a compromised credential gains access only to its authorized applications, not the whole network. "Zero trust" = no implicit trust based on network location β every access request is verified regardless of source. Used in SASE to provide remote access to specific applications without exposing the entire internal network.
SD-WAN vs. SASE
Tap to reveal
SD-WAN manages network connectivity β it routes traffic efficiently to cloud and on-premises destinations, eliminating WAN backhauling. It does NOT provide comprehensive security; direct-to-cloud traffic bypasses on-premises security appliances. SASE = SD-WAN + cloud security (ZTNA, SWG, CASB, FWaaS, DLP). SASE adds the security stack that SD-WAN lacks β all traffic, including direct-to-cloud, is inspected at the nearest SASE PoP. The exam distinction: SD-WAN alone has security limitations (direct cloud traffic uninspected); SASE addresses both connectivity and security for cloud-first environments. They are not alternatives β SASE includes SD-WAN and adds security.