| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 12.8 - Virtual Private Network (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the tour of virtual private networks from Domain 4, moving from tunnel behavior into the protocols that actually carry a VPN. It looks at how a tunnel is configured, when protection should stay connected on its own, and how the choices you make decide whether remote traffic stays trustworthy.
What this episode covers
- Always-on VPN β reconnects automatically whenever a link comes up, so protection is ready before you touch a resource.
- Split tunnel vs full tunnel β a split tunnel reaches corporate and internet at once, while a full tunnel routes everything through your defenses.
- The VPN protocol family β PPTP, L2TP, Secure Shell, OpenVPN, and IPSec, ranging from obsolete to current standard.
- PPTP and L2TP β a legacy dial-up descendant with an unencrypted setup, and a tunneling standard that leans on IPSec for encryption.
- Secure Shell and OpenVPN β host-to-host encrypted access on port 22, and a TLS-based option with easy setup and native access-point support.
- The IPSec toolbox β Authentication Header, Encapsulating Security Payload, hashing, and compression working together.
- Internet Key Exchange β how IPSec builds security associations, two one-way associations per tunnel to send and receive.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is an always-on VPN?
An always-on VPN tries to reconnect automatically every time a network link comes up, so protection never waits for a human to click connect. You mostly see it on phones and laptops that roam, and you can tune it to trigger only on wireless links or only on public internet links. Since any open link is risky, it guarantees the secure channel is up before you touch a single online resource.
What is the difference between a split tunnel and a full tunnel?
A split tunnel lets the connected device reach both your corporate network and the open internet at the same time, which is usually a security risk because that traffic often skips your filtering. A full tunnel sends everything back through your network first, then out through your own proxy or firewall. Think of a split tunnel as a house with a second unguarded door, while a full tunnel forces every visitor through the front gate.
Which protocols are used to build a VPN?
There is a small family to recognize: the older Point-to-Point Tunneling Protocol, the Layer 2 Tunneling Protocol, Secure Shell, OpenVPN, and IPSec. They range from obsolete to todayβs standard. PPTP is a legacy dial-up descendant to avoid for new work, L2TP has no native encryption and is paired with IPSec, Secure Shell offers host-to-host protection, and OpenVPN pairs strong security with easy setup.
Why is IPSec considered the heavyweight of VPN protocols?
IPSec is a set of security extensions for IP that delivers both authenticated identity and encrypted data, making it the go-to for site-to-site and host-to-host tunnels. It is not one protocol but a toolbox of them: the Authentication Header proves a message is genuine and blocks replay, the Encapsulating Security Payload encrypts the contents, and hashing and compression support them. It bundles authentication, encryption, integrity, and managed key exchange into one framework.
How does IPSec agree on its secret keys?
IPSec uses a component called Internet Key Exchange, which blends three helpers: one generates and exchanges keys, one swaps keys securely, and one organizes and manages them once they exist. The result is a security association, the agreed-upon method of authentication and encryption between two parties. Each IPSec tunnel uses two one-way associations, one to send and one to receive, which lets a single host run several IPSec VPNs at once.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 12.8 - Virtual Private Network (Part 2 of 2).