Secure Communication and Network Access
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Security+ premium course — no separate purchase.
Included in this chapter:
- IPsec: AH vs ESP, IKE, and tunnel vs transport mode
- TLS, SSL/TLS VPNs, and choosing secure protocols
- Tunneling scope (split vs full), SD-WAN, SASE, and 802.1X network access
Remote-access and tunneling method selection
| Decision criterion | IPsec VPN | TLS/SSL VPN | SASE / ZTNA |
|---|---|---|---|
| Layer | Network layer (L3) | Above transport (L4+) | Cloud-delivered policy edge |
| Transport / port | ESP (proto 50) + IKE UDP 500/4500 | TCP 443 (or QUIC) | Per-app brokered sessions |
| NAT / firewall traversal | Needs NAT-T; AH breaks under NAT | Traverses NAT and firewalls cleanly | Outbound HTTPS, traverses easily |
| Client requirement | VPN client usually required | Clientless or thin browser client | Lightweight agent or clientless |
| Typical use | Site-to-site and full client tunnels | Browser access to internal web apps | Per-app least-privilege access for distributed users |
| Trust model | Network-perimeter trust once connected | Network-perimeter trust once connected | Zero trust: verify per session, never implicit |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- RFC 4302: IP Authentication Header (AH) Whitepaper
- Encapsulating Security Payload (ESP): glossary
- NIST SP 800-77 Rev. 1: Guide to IPsec VPNs
- NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations
- NIST SP 800-113: Guide to SSL VPNs
- NIST SP 800-46 Rev. 2: Guide to Enterprise Telework, Remote Access, and BYOD Security
- CompTIA Security+ (SY0-701) certification objectives
- RFC 2865: Remote Authentication Dial In User Service (RADIUS) Whitepaper