Chapter 67 Β· Concepts

Secure Communication β€” Concept Reference

VPN type comparison, IPsec tunnel structure, SSL/TLS vs. IPsec side-by-side, SD-WAN vs. traditional WAN, and SASE component breakdown in structured reference form.

VPN Type Comparison β€” Full Reference

AttributeSSL/TLS VPN (Remote Access)Site-to-Site IPsec VPNSD-WANSASE
Primary use caseIndividual user remote access from any locationPermanent network-to-network connection between two sitesOptimized WAN routing for cloud applicationsComplete cloud-native network + security platform for all users
Who initiatesIndividual user (on-demand) or auto-connect (always-on)Firewalls β€” automatic, no user actionSD-WAN edge device β€” automatic per-flow routingSASE client on device β€” automatic, transparent
Client softwareRequired on user device (browser or lightweight client)None on user devices β€” only firewalls involvedSD-WAN edge device (hardware or software at branch)SASE client installed on all devices
Port / protocolTCP 443 (TLS) β€” passes through all firewallsIPsec (UDP 500, 4500, ESP protocol 50)Multiple transports (MPLS, broadband, LTE, SD-WAN overlay)Cloud-hosted PoPs β€” all transports
AuthenticationFlexible: username/password, MFA, SSO, certificates β€” no requirement for certsPre-shared key or certificates; stronger key management requiredDevice-based (no per-user auth at WAN level)Identity-based; ZTNA per-application verification
Always-onOptional (can be configured)Yes β€” tunnels are persistentYes β€” routing is always activeYes β€” client connects automatically
Security providedEncrypts traffic between user and concentratorEncrypts traffic between two network gatewaysRouting optimization; limited securityFull security stack: ZTNA, SWG, CASB, FWaaS, DLP, threat prevention
Cloud optimizationNo β€” traffic still routes through corporate concentratorNo β€” all traffic routes through both firewallsYes β€” direct-to-cloud routingYes β€” traffic inspected at nearest cloud PoP, then sent directly

IPsec Tunnel Mode β€” Packet Structure

ORIGINAL PACKET (before tunneling):
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Original IP Header   β”‚ Data Payload                       β”‚
β”‚ (src: 192.168.1.10   β”‚ (application data, unencrypted)    β”‚
β”‚  dst: 10.10.1.30)    β”‚                                    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

TUNNELED PACKET (after IPsec encapsulation):
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ New IP   β”‚ IPsec    β”‚ ENCRYPTED PAYLOAD                β”‚ IPsec    β”‚
β”‚ Header   β”‚ Header   β”‚ [Original IP Header] [Data]      β”‚ Trailer  β”‚
β”‚          β”‚          β”‚                                  β”‚          β”‚
β”‚ src: userβ”‚ Security β”‚ ← completely invisible to routers β”‚ Marks    β”‚
β”‚ dst: VPN β”‚ assoc ID β”‚    between user and concentrator    β”‚ payload  β”‚
β”‚ conc. IP β”‚          β”‚                                  β”‚ end      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
    β†‘                              β†‘
Routers read this to forward     Concentrator reads this to decrypt

The concentrator strips New IP Header + IPsec Header, decrypts the payload, recovers the original packet, and forwards it to the internal destination.

SSL/TLS VPN vs. Site-to-Site IPsec VPN

AttributeSSL/TLS VPNSite-to-Site IPsec VPN
Also calledRemote access VPNSite-to-site VPN; LAN-to-LAN VPN
Transport protocolTLS over TCP 443IPsec (AH / ESP); uses UDP 500 (IKE), UDP 4500 (NAT-T), protocol 50 (ESP)
Firewall traversalAlmost never a problem β€” port 443 is universally allowedCan be blocked if UDP 500/4500 or ESP protocol is blocked; NAT-T helps in most cases
Client software on user deviceRequired (browser, OS-built-in, or lightweight client)Not required on user devices β€” only the two firewalls are involved
Authentication flexibilityHigh β€” username/password, MFA, SSO, SAML, certificates (not required)Lower β€” pre-shared key or PKI certificates required for IKE negotiation
User awarenessUser must initiate (or always-on auto-connects)Completely transparent to users β€” no action needed
Scope of accessTypically per-user session; can be scoped to specific resourcesNetwork-to-network β€” all devices on both networks can communicate
Typical endpoint devicesLaptops, smartphones β€” user endpoint devicesFirewalls, routers β€” network infrastructure only

Traditional WAN vs. SD-WAN β€” The Cloud Problem

AttributeTraditional Hub-and-Spoke WANSD-WAN
ArchitectureAll branch traffic routes through headquarters before reaching cloud or internetTraffic routed directly to destination (cloud apps go direct to cloud; internal apps go via tunnel)
Cloud app pathBranch β†’ WAN β†’ HQ β†’ Internet β†’ Microsoft 365 (2 internet hops, backhauling)Branch β†’ Local internet β†’ Microsoft 365 (1 hop, direct)
Latency for cloud appsHigher β€” extra hop through HQ adds latencyLower β€” direct path to cloud app
HQ bandwidth consumptionHigh β€” all branch cloud traffic passes through HQLower β€” cloud traffic bypasses HQ
Security for cloud trafficInspected by HQ firewall (good security but poor performance)Requires SASE or cloud-hosted security β€” SD-WAN alone provides no security for direct-to-cloud traffic
Routing intelligenceStatic β€” same path for all trafficDynamic β€” chooses best path per-flow based on application type and link quality

SASE Architecture β€” Three Service Pillars

PillarServices IncludedWhat It Replaces / Enhances
Network as a ServiceSD-WAN, VPNs, QoS, routing, SaaS accelerationReplaces traditional MPLS/hub-and-spoke WAN; provides cloud-optimized routing
Security as a ServiceZero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), DLP, DNS security, threat preventionReplaces on-premises VPN (with ZTNA), on-premises web proxy (with cloud SWG), and on-premises NGFW (with FWaaS)
User ExperienceSASE client on all devices, automatic connections, consistent security posture across all locationsEliminates per-location VPN configuration; uniform experience whether at office, home, or mobile

Technology Selection Guide

RequirementTechnologyWhy
Remote employee needs access to corporate apps from hotel Wi-FiSSL/TLS VPN (remote access)Port 443 works everywhere; flexible auth; user-initiated or always-on client
Branch office needs persistent encrypted connection to headquartersSite-to-site IPsec VPNAlways-on tunnel between firewalls; transparent to users; no client software
Organization migrating to cloud β€” employees backhauling cloud traffic through HQSD-WANEnables direct-to-cloud routing; eliminates HQ backhauling; optimizes cloud app performance
Cloud-first org needs consistent security for users anywhere β€” office, home, mobileSASECloud-delivered network + security; ZTNA replaces VPN; SWG/FWaaS replace on-prem appliances
SD-WAN is deployed but cloud-bound traffic is leaving branches uninspectedSASE (adds Security as a Service to SD-WAN)SD-WAN routes traffic; SASE inspects it at cloud PoP before delivery to cloud app
Organization wants to limit remote users to specific apps, not entire VPN subnetZTNA (SASE component)Per-application access control; user gets access only to authorized apps β€” not the full network