🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 12.8 - Virtual Private Network (Part 2 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the tour of virtual private networks from Domain 4, moving from tunnel behavior into the protocols that actually carry a VPN. It looks at how a tunnel is configured, when protection should stay connected on its own, and how the choices you make decide whether remote traffic stays trustworthy.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is an always-on VPN?

An always-on VPN tries to reconnect automatically every time a network link comes up, so protection never waits for a human to click connect. You mostly see it on phones and laptops that roam, and you can tune it to trigger only on wireless links or only on public internet links. Since any open link is risky, it guarantees the secure channel is up before you touch a single online resource.

What is the difference between a split tunnel and a full tunnel?

A split tunnel lets the connected device reach both your corporate network and the open internet at the same time, which is usually a security risk because that traffic often skips your filtering. A full tunnel sends everything back through your network first, then out through your own proxy or firewall. Think of a split tunnel as a house with a second unguarded door, while a full tunnel forces every visitor through the front gate.

Which protocols are used to build a VPN?

There is a small family to recognize: the older Point-to-Point Tunneling Protocol, the Layer 2 Tunneling Protocol, Secure Shell, OpenVPN, and IPSec. They range from obsolete to today’s standard. PPTP is a legacy dial-up descendant to avoid for new work, L2TP has no native encryption and is paired with IPSec, Secure Shell offers host-to-host protection, and OpenVPN pairs strong security with easy setup.

Why is IPSec considered the heavyweight of VPN protocols?

IPSec is a set of security extensions for IP that delivers both authenticated identity and encrypted data, making it the go-to for site-to-site and host-to-host tunnels. It is not one protocol but a toolbox of them: the Authentication Header proves a message is genuine and blocks replay, the Encapsulating Security Payload encrypts the contents, and hashing and compression support them. It bundles authentication, encryption, integrity, and managed key exchange into one framework.

How does IPSec agree on its secret keys?

IPSec uses a component called Internet Key Exchange, which blends three helpers: one generates and exchanges keys, one swaps keys securely, and one organizes and manages them once they exist. The result is a security association, the agreed-upon method of authentication and encryption between two parties. Each IPSec tunnel uses two one-way associations, one to send and one to receive, which lets a single host run several IPSec VPNs at once.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 12.8 - Virtual Private Network (Part 2 of 2).