Domain 3 of 5 · Chapter 8 of 8

Remote Access and Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Network+ premium course — no separate purchase.

Included in this chapter:

  • In-band vs out-of-band management
  • SSH: the secure CLI that replaced Telnet
  • VPN architectures: who connects, what tunnels, how much
  • Management interfaces, bastion hosts, and exam patterns

Choosing a secure remote-access channel

Decision factorSite-to-site IPsec VPNClient-to-site TLS/SSL VPNSSH
What it connectsTwo whole networks, gateway-to-gatewayOne user's device into the networkOne administrator into one host's CLI
Typical transportESP (IP proto 50) + IKE (UDP 500/4500)TCP 443 (or QUIC)TCP 22
Client softwareNone per user; configured on gatewaysDedicated client or clientless in a browserSSH client (terminal)
NAT/firewall traversalNeeds ESP + IKE permitted; NAT-T for NATTraverses NAT and port-443 firewalls cleanlySingle well-known port, usually allowed
Best fitPermanent office-to-office linksRemote/work-from-home usersDay-to-day device administration

Decision tree

Is the device reachableover the network?Out-of-bandconsole / mgmt networkNo (down / recovery)What are you connecting?scope of the sessionYesSSH (TCP 22)one host CLI, not Telnetone host CLISite-to-site IPsectwo networks, ESP tunneltwo sitesRemote user deviceclient-to-site VPNone userREST APIbulk / automated changemany devices, scriptedFull tunnelinspect all trafficinspect allSplit tunnelonly corp traffic in VPNreduce backhaul

Cheat sheet

  • Separate the management path from the protocol that secures it
  • Use out-of-band management to recover an unreachable device
  • Console and serial ports are the local, network-free recovery interface
  • In-band management is cheap and convenient but dies with the data plane
  • SSH replaced Telnet because it encrypts the whole session
  • SSH key authentication sends no reusable password
  • A site-to-site VPN joins two networks gateway-to-gateway
  • A client-to-site VPN connects one remote user's device
  • A clientless VPN reaches internal web apps through the browser
  • IPsec ESP is the encrypting protocol; AH does not encrypt
  • AH breaks across NAT; ESP with NAT-T survives it
  • IPsec tunnel mode encrypts the whole packet; transport mode only the payload
  • IKE negotiates IPsec keys over UDP 500, switching to UDP 4500 for NAT-T
  • TLS/SSL VPNs traverse firewalls better than IPsec because they use TCP 443
  • Full tunnel inspects all traffic; split tunnel sends only corporate traffic through the VPN
  • Use the REST API, not the GUI, for repeatable bulk changes
  • A bastion host is the single hardened entry point for admin sessions
  • Disable plaintext management protocols in favor of their encrypted peers
  • REST APIs use HTTP verbs, JSON bodies, and stateless requests
  • SCP transfers files securely over SSH on TCP port 22

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Cisco: Network Management System best practices
  2. RFC 4251: The Secure Shell (SSH) Protocol Architecture Whitepaper
  3. RFC 4301: Security Architecture for the Internet Protocol Whitepaper
  4. NIST SP 800-77 Rev. 1: Guide to IPsec VPNs Whitepaper
  5. NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations Whitepaper
  6. Microsoft: What is Azure Bastion?