🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 12.8 - Virtual Private Network (Part 1 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series begins Domain 4’s look at building a private path across a network you do not trust. It covers what a VPN is and protects, the role of the VPN concentrator, the mechanics and limits of tunneling, how a VPN link behaves, and the split between transport mode and tunnel mode.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What exactly is a VPN, and what does it protect?

A virtual private network is a communication channel between two entities across an untrusted intermediary network. It can supply authentication, access control, and the confidentiality and integrity of what it carries, and most VPNs rely on encryption to shield the data, though encryption is not strictly required. It can link two whole networks or just two systems, but note one gap: a VPN gives confidentiality and integrity yet does not guarantee availability.

What is a VPN concentrator?

A VPN concentrator is a dedicated hardware device built to service many concurrent VPN sessions at once, scaling into the hundreds or even thousands, delivering high availability, scalability, and performance. You will hear it called a VPN gateway, server, or appliance, but they all point to the same role. Because these devices are transparent to the systems behind them, individual hosts do not need their own VPN software when an appliance is present.

What is tunneling, and why is it the heart of a VPN?

Tunneling is the process of protecting one protocol’s packets by wrapping them inside packets of another protocol. That wrapping creates the illusion of a private tunnel across the untrusted network, running between the point that encapsulates the data and the point that unwraps it. When that wrapping includes encryption, tunneling lets sensitive data cross hostile networks without losing confidentiality or integrity.

Where does tunneling fall short?

Tunneling is inefficient, because most protocols carry their own error handling and session features, so stacking one inside another doubles the overhead for a single message. The wrapping creates larger or extra packets that eat more bandwidth and can saturate a link. Tunneling is point-to-point, so it does not handle broadcast traffic, and it blinds your defenses, since firewalls, intrusion detection, and malware scanners cannot inspect an encrypted payload and must sit outside the tunnel.

What is the difference between transport mode and tunnel mode?

The distinction turns on what gets encrypted. In transport mode, the link is anchored at the individual hosts and only the payload is encrypted while the original header stays visible, making it a host-to-host, end-to-end connection best used within a trusted network. In tunnel mode, the link is anchored at the VPN devices on the network boundaries, and the entire original packet is encapsulated and given a fresh header, which is what you use to cross untrusted networks.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 12.8 - Virtual Private Network (Part 1 of 2).