Domain 4 of 8 · Chapter 3 of 3

Secure Communication Channels

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The channel-selection model: layer, trust, residence
  • Remote access architectures and the four access methods
  • IPsec internals, voice/UC, and third-party links
  • Exam-pattern recognition

Remote-access / site VPN channel technologies compared

PropertyIPsec VPNTLS "SSL" VPNSSH tunnel
Layer protectedNetwork layer (OSI 3) - all IP trafficAbove transport (session) - per applicationApplication/transport - per forwarded port/app
Typical useGateway-to-gateway and remote-access (host-to-gateway)Clientless browser portal or thin tunnel clientAdmin access and ad-hoc port forwarding
Client requirementVPN client software or a network with a VPN gatewayOften just a web browser (portal) or lightweight plug-inSSH client; user-driven, often not centrally managed
Scope of trafficProtects many protocols at once, transparentlyBest for a few specific applicationsTunnels specific protocols/ports a layer at a time
Authoritative NIST guideSP 800-77 Rev. 1SP 800-113NIST IR 7966 / SP 800-46
Common pitfallChoosing AH (no confidentiality) when ESP is requiredTreating a per-app control as a site-wide tunnelHarder to configure/manage; ungoverned user tunnels

Decision tree

What must be protected?All site trafficVoice / UCRemote userConfidentiality required?SIP over TLS + SRTP,voice VLANYesIntegrity onlyGateway-to-gatewayIPsec VPN (ESP)ESP null-encryption(not AH)Endpoint trusted/managed?No (BYOD)YesVDI / TLS portal (no local data)Host-to-gateway tunnel VPN

Cheat sheet

  • Pick the channel control whose layer matches the traffic you must cover
  • Encrypt the channel AND mutually authenticate both endpoints, not just one
  • A tunnel VPN leaves data on the client device; it only protects data in transit
  • For untrusted BYOD, present the session with VDI instead of copying data to the device
  • VDI still exposes the rendered screen to screen-scraping and shoulder-surfing
  • A confidentiality requirement forces ESP, never AH
  • IPsec tunnel mode adds an outer IP header and hides the inner addresses; transport mode does not
  • IKE negotiates and maintains the IPsec security associations
  • Map the scenario to gateway-to-gateway, remote-access, or host-to-host VPN
  • The four remote-access methods differ in where the data and app client live
  • An 'SSL VPN' really uses TLS and comes in portal and tunnel forms
  • SSH can tunnel but is less common and harder to operate than IPsec or TLS VPNs
  • Secure VoIP by encrypting signaling with SIP over TLS and media with SRTP
  • Vishing is voice-channel social engineering, defended by process not encryption
  • A legacy PBX/POTS is a physical-access and toll-fraud problem, not a network one
  • Encrypt end-to-end across a carrier's link; do not trust link encryption alone
  • Evaluate a third-party-managed VPN gateway against your own security policy
  • The VPN tunnel protects client-to-gateway, not gateway-to-internal-resources
  • IKE Phase 1 builds the protected channel; Phase 2 negotiates the IPsec SA for data
  • Perfect Forward Secrecy runs a fresh Diffie-Hellman exchange for every SA
  • IKEv2 establishes a tunnel in four messages with built-in NAT traversal

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST glossary: Transport Layer Security (TLS) Whitepaper
  2. NIST SP 800-46 Rev. 2: Guide to Enterprise Telework, Remote Access, and BYOD Security Whitepaper
  3. NIST SP 800-77 Rev. 1: Guide to IPsec VPNs Whitepaper