Chapter 67 Β· Glossary

Secure Communication β€” Term Reference

Key terms for VPN types, concentrators, IPsec tunneling, SD-WAN, and SASE architecture.

VPN β€” Virtual Private Network
A technology that encrypts private data and sends it across a public network (typically the internet) so that the data remains private and confidential in transit. "Virtual" because the private network is constructed logically through encryption over shared public infrastructure, not through dedicated physical connections. "Private" because only authorized parties with the correct decryption keys can read the data. VPNs are used for remote user access to corporate networks, site-to-site network connections, and increasingly as the underlying transport mechanism in SD-WAN and SASE architectures. All VPN implementations require an encryption/decryption endpoint β€” the VPN concentrator β€” at each side of the tunnel.
VPN Concentrator
The device that terminates VPN tunnels β€” responsible for encrypting outbound traffic before it enters the public network and decrypting inbound traffic received from the tunnel. Can be implemented as dedicated hardware (specialized cryptographic processors), integrated into a firewall (the most common modern deployment β€” the perimeter firewall also serves as the VPN concentrator), or as software. On the remote user's side, VPN client software installed on the laptop or built into the operating system acts as the user-side concentrator. The concentrator at the corporate side handles all tunnel establishment, key exchange, encryption algorithm negotiation, and session management for all connected users.
SSL/TLS VPN
A VPN that uses the TLS (Transport Layer Security) protocol over TCP port 443 β€” the same protocol and port used by HTTPS web traffic. Because port 443 is universally allowed by firewalls (web traffic must work everywhere), SSL/TLS VPNs have essentially no firewall traversal problems. The client can be a lightweight VPN application, a browser plugin, or software built into the operating system β€” no heavy client installation is required. Supports flexible authentication (username/password, MFA, certificates, SSO) without requiring digital certificates by default. Used primarily for remote access from individual devices. Can be on-demand (user initiates) or always-on (auto-connects on boot). Also called remote access VPN.
Remote Access VPN
A VPN deployment model where individual user devices (laptops, smartphones) connect to a VPN concentrator to access corporate resources from a remote location. The user device has VPN client software; the concentrator is at the corporate network edge. Traffic from the user's device is encrypted by the client, sent through the public internet to the concentrator, decrypted, and forwarded to the internal network. Return traffic follows the reverse path. Remote access VPNs are most commonly implemented with SSL/TLS (port 443) for ease of firewall traversal. The user must authenticate to establish the tunnel. Contrast with site-to-site VPN, where no user client software is involved.
Site-to-Site IPsec VPN
A VPN deployment model where two networks (typically a corporate headquarters and a branch office) are connected by a persistent encrypted tunnel. The VPN concentrators at each end are the perimeter firewalls β€” no client software is installed on user devices. Users at either location send traffic normally; the firewalls intercept traffic destined for the remote network, encrypt it, and send it through the IPsec tunnel. The other firewall decrypts it and delivers it to the destination. The entire process is transparent to users β€” they experience the remote network as if it were local. Always-on: the tunnel is established when both firewalls are online and maintained without user intervention. Uses IPsec (Internet Protocol Security) for encryption and authentication.
IPsec β€” Internet Protocol Security
A suite of protocols that provides encryption, authentication, and integrity for IP communications. In VPN tunneling (IPsec tunnel mode), the original IP packet (header + data) is encrypted entirely and encapsulated inside a new packet: [new outer IP header] [IPsec header] [encrypted original packet] [IPsec trailer]. The new outer header routes the packet to the VPN concentrator; the IPsec header identifies the security association (which keys and algorithms to use); the IPsec trailer marks the end of the encrypted payload. The concentrator strips the outer headers, decrypts the payload, and recovers the original packet. IPsec is typically used for site-to-site VPNs; SSL/TLS is more common for remote user access.
Always-On VPN
A VPN configuration where the client software automatically establishes and maintains the VPN tunnel whenever the device has internet connectivity β€” without requiring the user to manually initiate a VPN session. From the moment the device starts and connects to any network, all traffic is routed through the encrypted tunnel. Always-on VPN is used for managed corporate devices to ensure that corporate security policies (web filtering, DLP, threat inspection) are applied to all traffic at all times, regardless of whether the user is at the office, at home, or at a coffee shop. If the VPN tunnel drops, always-on clients are configured to either block all internet traffic (fail-closed for security) or continue with unprotected traffic (fail-open for availability).
SD-WAN β€” Software Defined Networking in a Wide Area Network
A WAN architecture that uses software-defined control to intelligently route traffic across multiple WAN connections based on application type, performance requirements, and destination. SD-WAN decouples WAN management from physical hardware β€” a central controller pushes routing policies to SD-WAN edge devices at every location. The key capability: traffic to cloud applications can be routed directly from the branch to the cloud (local internet breakout) rather than backhauling through headquarters VPN. This eliminates the latency penalty of routing cloud-bound traffic through a central hub. SD-WAN provides network efficiency and flexibility for cloud-connected organizations, but is primarily a networking optimization technology β€” it does not by itself provide comprehensive security for cloud-routed traffic.
SASE β€” Secure Access Service Edge
A cloud-delivered platform that combines networking services (SD-WAN, VPN, QoS, routing) with security services (ZTNA, Cloud SWG, CASB, FWaaS, DLP, DNS security, threat prevention) into a unified service delivered from cloud-hosted points of presence distributed globally. SASE is the "next generation" of VPN for cloud-first organizations β€” instead of routing traffic to a corporate data center VPN concentrator, SASE clients on every device connect to the nearest SASE PoP, where both network optimization and security inspection occur before traffic continues to its destination (cloud apps, internet, or corporate data center). Provides consistent policy enforcement and user experience regardless of whether the user is at the office, at home, or mobile.
ZTNA β€” Zero Trust Network Access
A security model and SASE component that replaces traditional VPN remote access with identity-verified, per-application access control. Traditional VPN grants a user access to the entire corporate network subnet once authenticated β€” if an attacker compromises a VPN credential, they get broad network access. ZTNA grants access only to specific, individually authorized applications β€” the user proves their identity (and optionally device posture) per session, and access is scoped to only what they are explicitly authorized for. "Zero trust" refers to the principle: no implicit trust based on network location. Every access request is verified regardless of where it originates.
CASB β€” Cloud Access Security Broker
A SASE security component that acts as a security policy enforcement point between users and cloud applications. A CASB provides visibility into which cloud applications employees are using (sanctioned or shadow IT), enforces data security policies for cloud-bound uploads and downloads (DLP for cloud), controls which specific cloud services are permitted, and applies access controls based on user identity and device posture. Without a CASB, an organization has limited visibility into what employees are uploading to cloud services or which unsanctioned applications they are using. CASB answers the question: "Are our employees using cloud applications safely and in compliance with policy?"