Domain 3 of 5 · Chapter 5 of 5

Secure Communication and Network Access

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • IPsec: AH vs ESP, IKE, and tunnel vs transport mode
  • TLS, SSL/TLS VPNs, and choosing secure protocols
  • Tunneling scope (split vs full), SD-WAN, SASE, and 802.1X network access

Remote-access and tunneling method selection

Decision criterionIPsec VPNTLS/SSL VPNSASE / ZTNA
LayerNetwork layer (L3)Above transport (L4+)Cloud-delivered policy edge
Transport / portESP (proto 50) + IKE UDP 500/4500TCP 443 (or QUIC)Per-app brokered sessions
NAT / firewall traversalNeeds NAT-T; AH breaks under NATTraverses NAT and firewalls cleanlyOutbound HTTPS, traverses easily
Client requirementVPN client usually requiredClientless or thin browser clientLightweight agent or clientless
Typical useSite-to-site and full client tunnelsBrowser access to internal web appsPer-app least-privilege access for distributed users
Trust modelNetwork-perimeter trust once connectedNetwork-perimeter trust once connectedZero trust: verify per session, never implicit

Decision tree

What is the access goal? admit device / connect / per-app Admit to LAN/WLAN 802.1X + EAP + RADIUS port-based NAC; EAP-TLS strongest Per-app least privilege ZTNA / SASE verify per session, no implicit trust Connect to a network Browser-only or full network? client type drives VPN choice Browser / few web apps TLS / SSL VPN (TCP 443) clientless; traverses NAT/firewall Full network / site-to-site IPsec VPN — which mode? ESP (proto 50) + IKEv2 Gateway terminates Tunnel mode whole packet + new outer header Host-to-host Transport mode payload only; original IP header Always: replace plaintext protocols — SSH→Telnet, HTTPS→HTTP, SFTP/FTPS→FTP, SNMPv3, LDAPS and never use AH across NAT — it authenticates the IP header; use ESP with NAT-T

Cheat sheet

  • AH gives integrity and authentication but never encrypts (proto 51)
  • ESP encrypts the payload, which is why real VPNs use it (proto 50)
  • AH breaks across NAT; ESP with NAT-T survives it
  • Tunnel mode wraps the whole packet in a new IP header
  • Transport mode protects only the payload, keeping the original header
  • IKE builds the keying channel first, then the SAs that carry data
  • Treat IKEv2 as the modern default and IKEv1 as legacy
  • TLS 1.2 is the mandatory floor and TLS 1.3 the preferred version
  • TLS 1.3 makes forward secrecy mandatory and handshakes in 1-RTT
  • Forward secrecy keeps a stolen server key from decrypting past sessions
  • A TLS VPN rides 443; IPsec needs ESP plus the IKE ports opened
  • Swap each plaintext protocol for its encrypted equivalent
  • SFTP and FTPS are separate protocols, not two names for one
  • Full tunnel inspects every flow; split tunnel leaves some uninspected
  • SD-WAN policy-steers WAN traffic across multiple transports
  • SASE delivers networking and security together from the cloud edge
  • ZTNA grants access per application, not to the whole network
  • 802.1X uses supplicant, authenticator, and authentication server
  • EAP travels as EAPOL between supplicant and authenticator
  • EAP-TLS is the strongest; PEAP and EAP-TTLS tunnel a password
  • RADIUS hides only the password; TACACS+ encrypts the whole body

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. RFC 4302: IP Authentication Header (AH) Whitepaper
  2. Encapsulating Security Payload (ESP): glossary
  3. NIST SP 800-77 Rev. 1: Guide to IPsec VPNs
  4. NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations
  5. NIST SP 800-113: Guide to SSL VPNs
  6. NIST SP 800-46 Rev. 2: Guide to Enterprise Telework, Remote Access, and BYOD Security
  7. CompTIA Security+ (SY0-701) certification objectives
  8. RFC 2865: Remote Authentication Dial In User Service (RADIUS) Whitepaper