
November 25, 2025 9 mins
In this lesson, you’ll learn about:
  • What VPNs are and why organizations rely on them
  • How tunneling works and how VPNs secure data in transit
  • Key VPN protocols (TLS, L2TP/IPsec, AH, ESP) and what each provides
  • How organizations manage secure remote access for users
  • AAA systems for authentication, authorization, and auditing
  • Administrative considerations for supporting remote workers securely
VPNs, Tunneling, and Secure Remote Access — Explained
1. Core VPN Concepts
  • A Virtual Private Network (VPN) creates a virtual, encrypted connection over an untrusted network (like the internet).
  • VPNs protect communications through:
    • Confidentiality: Encryption hides data from anyone on the path.
    • Integrity: A keyed hash (a MAC, or the tag of an AEAD cipher such as AES-GCM) lets the receiver detect any modification in transit. A plain, unkeyed hash would not, because an attacker who changes the data can simply recompute it.
    • AAA: Authentication, Authorization, and Auditing/Accounting.
  • VPNs are essential for users working remotely, on public Wi-Fi, or in locations with weak security.
  • They defend against attacks such as:
    • Traffic sniffing
    • IMSI-catcher attacks on mobile networks
    • Unauthorized access to internal systems
2. Tunneling Technology
  • Tunneling means encapsulating one packet (the inner, private one) inside another packet that the public network routes over TCP/IP. The outer headers stay visible so the internet can deliver it; the inner packet, including its original source and destination addresses, is what gets protected.
  • Encryption can be applied at different OSI layers depending on the protocol.
  • Tunneling allows remote users to securely reach internal networks as if they were physically inside the office.
3. Major VPN Protocols
A. TLS VPN (Layer 4)
  • Uses Transport Layer Security (TLS) to secure remote access.
  • Accessible through a browser (sometimes called SSL/TLS VPN).
  • Must be protected with account lockout policies to block brute-force login attempts. Two caveats a practitioner will want: lockout stops repeated guesses against one account but not low-and-slow password spraying (a few guesses each against many accounts), and an attacker who knows usernames can abuse it to lock legitimate users out. Pair it with monitoring of the gateway's authentication logs and a second factor.
B. L2TP/IPsec
  • Combines L2TP (Layer 2) for tunneling + IPsec (Layer 3) for encryption.
  • IPsec includes two main components:
    • AH (Authentication Header)
      • Provides integrity and data-origin authentication (plus optional anti-replay protection) for the whole packet, including the outer IP header. It does not encrypt anything.
      • Because it uses a symmetric key shared by both peers, it does not by itself provide non-repudiation: either peer could have produced the MAC. Non-repudiation needs digital signatures and logs tied to an authenticated identity.
      • Rarely deployed today, partly because it cannot cross NAT (NAT rewrites the IP header that AH authenticates).
    • ESP (Encapsulating Security Payload)
      • Encrypts the payload at Layer 3 so attackers cannot read data, and with an integrity algorithm or an AEAD cipher such as AES-GCM also provides integrity and anti-replay protection. ESP with authentication is what almost all IPsec deployments use.
  • Often used for site-to-site VPNs or permanent remote connections.
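To make the encapsulation in section 2 and the AH/ESP split above concrete, here is an added example written for this page; it is not code from the episode and not a real IPsec implementation. It builds a toy ESP-style tunnel in Go with AES-GCM, the AEAD most IPsec deployments use inside ESP today. The outer-packet layout (SPI, sequence number, nonce, then ciphertext and tag), the SPI value, the key and the inner "packet" are all constructed for the example; real ESP follows RFC 4303 and gets its keys from IKE. It shows the three properties the section describes: the inner packet is unreadable on the wire (confidentiality), any modification fails the tag check (integrity and origin authentication, the job the episode gives to AH), and a sliding window rejects replayed packets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityAssociation is one direction of a toy ESP-style tunnel. Outer packet layout,
// constructed for this example: [SPI 4][sequence 4][GCM nonce 12][AES-GCM ciphertext + tag].
// SPI and sequence travel in the clear but are covered by the tag as associated data.
type SecurityAssociation struct {
	spi     uint32
	aead    cipher.AEAD
	nextSeq uint32 // sender: last sequence number issued
	highest uint32 // receiver: highest sequence number accepted
	window  uint64 // receiver: 64-packet anti-replay bitmap, bit 0 = highest
}

// NewSA takes a 16-, 24- or 32-byte AES key; in real IPsec IKE negotiates it.
func NewSA(spi uint32, key []byte) (*SecurityAssociation, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecurityAssociation{spi: spi, aead: aead}, nil
}

// Encapsulate wraps an inner packet (any bytes standing in for an IP packet) into an outer one.
func (sa *SecurityAssociation) Encapsulate(inner []byte) ([]byte, error) {
	sa.nextSeq++
	if sa.nextSeq == 0 {
		return nil, errors.New("sequence space exhausted: rekey instead of wrapping")
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:8], sa.nextSeq)
	nonce := make([]byte, sa.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return sa.aead.Seal(append(hdr, nonce...), nonce, inner, hdr), nil
}

// Decapsulate checks the tag (integrity and origin authentication), then anti-replay.
func (sa *SecurityAssociation) Decapsulate(outer []byte) ([]byte, error) {
	ns := sa.aead.NonceSize()
	if len(outer) < 8+ns+sa.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := outer[:8]
	inner, err := sa.aead.Open(nil, outer[8:8+ns], outer[8+ns:], hdr)
	if err != nil {
		return nil, errors.New("integrity check failed: packet modified or forged")
	}
	// Replay state changes only after the tag verifies, so forged packets cannot poison the window.
	if !sa.acceptSeq(binary.BigEndian.Uint32(hdr[4:8])) {
		return nil, errors.New("replayed or stale packet")
	}
	return inner, nil
}

// acceptSeq is a 64-wide sliding replay window, the scheme RFC 4303 describes.
func (sa *SecurityAssociation) acceptSeq(seq uint32) bool {
	if seq > sa.highest {
		if shift := seq - sa.highest; shift >= 64 {
			sa.window = 0
		} else {
			sa.window <<= shift
		}
		sa.window |= 1
		sa.highest = seq
		return true
	}
	diff := sa.highest - seq
	if seq == 0 || diff >= 64 || sa.window&(1<<diff) != 0 {
		return false // invalid, too old, or already seen
	}
	sa.window |= 1 << diff
	return true
}

func main() {
	key := make([]byte, 32) // constructed for the demo; a real SA gets its key from IKE
	rand.Read(key)
	sender, _ := NewSA(0x1001, key)
	receiver, _ := NewSA(0x1001, key)
	pkt, _ := sender.Encapsulate([]byte("GET /payroll HTTP/1.1"))
	fmt.Printf("on the wire: %x\n", pkt)
	inner, err := receiver.Decapsulate(pkt)
	fmt.Println("delivered:", string(inner), err)
	_, err = receiver.Decapsulate(pkt)
	fmt.Println("replayed copy:", err)
}
```

Run it and the first delivery succeeds while the replayed copy is rejected; flip any byte of the packet and the tag check fails before the replay window is even consulted. Note that both ends hold the same key, so a valid tag proves only that one of the two peers sent the packet; the audit trail the episode wants comes from the receiver's own session logs tied to the authenticated user, not from the MAC.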
4. Remote Access Requirements
  • Organizations must consider:
    • User bandwidth (slow connections → poor performance).
    • Encryption strength (weak encryption → vulnerabilities).
    • Compatibility with firewall/VPN gateway settings.
    • Monitoring and logging of remote sessions to detect misuse.
  • Remote workers may face obstacles like:
    • Poor-quality internet (e.g., remote regions)
    • Location-based blocks (e.g., Great Firewall of China)
5. AAA Systems for Secure Access
  • AAA = Authentication, Authorization, Auditing/Accounting
  • Common systems include:
    • RADIUS
    • Diameter (successor to RADIUS)
    • TACACS+ (separates authorization from authentication and obfuscates the whole packet body, where RADIUS hides only the password)
    • Active Directory / SSO systems for unified authentication
  • Logs created during the accounting phase help detect misuse.
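The lockout policy from section 3 and the accounting logs from this section, as one added Go example (it is not code from the episode): a monitor that replays constructed VPN gateway authentication records, applies a "three failures locks the account for fifteen minutes" policy, and then asks the same records which source addresses failed against several different accounts, the password-spraying pattern that a per-account lockout never triggers on. The record format, user names and addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed VPN gateway authentication records (not from the episode); the record
// format "RFC 3339 time, user=, src=, result=" is an assumption made for this example.
const sampleLog = `2025-11-25T08:00:01Z user=alice src=198.51.100.7 result=FAIL
2025-11-25T08:00:04Z user=alice src=198.51.100.7 result=FAIL
2025-11-25T08:00:09Z user=alice src=198.51.100.7 result=FAIL
2025-11-25T08:00:25Z user=alice src=198.51.100.7 result=OK
2025-11-25T08:01:00Z user=bob src=203.0.113.9 result=FAIL
2025-11-25T08:01:02Z user=carol src=203.0.113.9 result=FAIL
2025-11-25T08:01:04Z user=dave src=203.0.113.9 result=FAIL
2025-11-25T09:30:00Z user=alice src=192.0.2.44 result=OK`

type AuthEvent struct {
	When      time.Time
	User, Src string
	Success   bool
}

// ParseLine turns one record into an AuthEvent and rejects anything malformed.
func ParseLine(line string) (AuthEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "src=") || !strings.HasPrefix(f[3], "result=") {
		return AuthEvent{}, fmt.Errorf("malformed record: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{When: when, User: f[1][5:], Src: f[2][4:], Success: f[3][7:] == "OK"}, nil
}

// Monitor enforces "MaxFailures bad attempts locks the account for LockFor" and keeps
// the per-source accounting data that a password-spray check needs.
type Monitor struct {
	MaxFailures int
	LockFor     time.Duration
	failures    map[string]int             // user -> consecutive failures
	lockedUntil map[string]time.Time       // user -> lock expiry
	failedBy    map[string]map[string]bool // source IP -> accounts it has failed against
}

func NewMonitor(maxFailures int, lockFor time.Duration) *Monitor {
	return &Monitor{MaxFailures: maxFailures, LockFor: lockFor, failures: map[string]int{}, lockedUntil: map[string]time.Time{}, failedBy: map[string]map[string]bool{}}
}

// Process applies the lockout policy to one event and returns the gateway's decision.
func (m *Monitor) Process(ev AuthEvent) string {
	if ev.When.Before(m.lockedUntil[ev.User]) {
		return "REJECT_LOCKED" // refused even with the right password: the DoS side of lockouts
	}
	if ev.Success {
		m.failures[ev.User] = 0
		return "ACCEPT"
	}
	if m.failedBy[ev.Src] == nil {
		m.failedBy[ev.Src] = map[string]bool{}
	}
	m.failedBy[ev.Src][ev.User] = true
	m.failures[ev.User]++
	if m.failures[ev.User] >= m.MaxFailures {
		m.lockedUntil[ev.User] = ev.When.Add(m.LockFor)
		m.failures[ev.User] = 0
		return "REJECT_LOCKOUT_TRIGGERED"
	}
	return "REJECT"
}

// SprayingSources lists sources that failed against at least minAccounts distinct users;
// a per-account lockout never fires on this pattern, only the accounting logs show it.
func (m *Monitor) SprayingSources(minAccounts int) []string {
	var out []string
	for src, users := range m.failedBy {
		if len(users) >= minAccounts {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

// Run replays a log through the monitor and returns one decision per record.
func Run(log string, m *Monitor) ([]string, error) {
	var decisions []string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		decisions = append(decisions, m.Process(ev))
	}
	return decisions, nil
}

func main() {
	m := NewMonitor(3, 15*time.Minute)
	decisions, err := Run(sampleLog, m)
	fmt.Println(decisions, err)
	fmt.Println("password-spray sources:", m.SprayingSources(3))
}
```

The decision list shows the trade-off the section only hints at: the fourth record is alice's correct password, rejected because the account is already locked, which is exactly what an attacker who knows usernames can force on purpose. The spray check is why the accounting logs matter beyond the lockout counter: one attempt against each of many accounts never trips a per-account threshold, but the logs show one source failing against bob, carol and dave in a row.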
6. Remote Access Tools
Organizations choose tools based on how much access they want to grant:
  • Full desktop control:
    • RDP, VNC, TeamViewer, LogMeIn, Splashtop, Citrix
  • Limited function access (e.g., email only):
    • More restrictive remote gateways
  • Security teams must:
    • Regularly patch these tools
    • Restrict access rights
    • Keep them off the public internet: reach RDP, VNC and similar tools only through the VPN or a gateway the firewall controls, never by exposing them directly
    • Align tool capabilities with organizational security goals
7. Administrative Policies for Remote Workers
  • Clear rules must define who:
    • Supports equipment
    • Fixes or replaces damaged devices
    • Handles user connectivity issues
  • Policies reduce ambiguity and prevent security gaps.


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Okay, so imagine this for a second. You're not in
the office. You could be anywhere, really working from home,
sitting in a coffee shop, maybe just using your phone
on the go, and you need to access some really
sensitive company data. How do we make sure that information
stays completely secure from the second it leaves the company
server to the moment it hits your screen?

Speaker 2 (00:20):
That is the absolute core question, isn't it? And the
answer really is a virtual private network a VPN. Today
we're going deep into the tech that makes all of
this secure remote work actually possible. And that word virtual
is key. This isn't a physical cable, It's a conceptual connection,
a secure tunnel that can stretch across the entire planet.

Speaker 1 (00:40):
Okay, let's unpack that. I think for this deep dive,
our mission should be to get past the ads you
see everywhere and really understand three things. First, what a
VPN actually does, Second, how it does it this idea
of tunneling, and third the security protocols that make it
all work that guarantee our data is safe. This stuff
is essential for everyone now, not just big corporations.

Speaker 2 (01:00):
Right. The whole point of a VPN is to basically
stretch your private, secure network over a public and frankly
insecure one like the Internet. It creates that virtual link
allowing secure communication between, well, any two points.

Speaker 1 (01:14):
We rely on them so much because they deliver on
those two fundamental promises of security we always come back
to precisely.

Speaker 2 (01:20):
First up is confidentiality. That's your secrecy. It's achieved with
strong encryption, which just scrambles the data so it's unreadable
to anyone who might be snooping. Then you have integrity.
We use something called hashing for that. It creates a
unique digital fingerprint for the data. If even a single
bit of that data gets changed in transit, the fingerprint

(01:41):
won't match, and you know it's been tampered with. A
VPN has to do both.

Speaker 1 (01:45):
Which is exactly why just logging into a Wi Fi
network with a password, you know, like WPA2, it's
just not enough. People think that little lock icon means
they're safe.

Speaker 2 (01:54):
It's a really dangerous assumption. Even on a password protected network,
the administrator or any clever person on that same network
could potentially sniff your traffic if it's not encrypted. A
VPN gives you that end to end guarantee. It makes
the network you're on almost irrelevant.

Speaker 1 (02:11):
And this is where things have gotten really interesting lately.
It's not just for corporate road warriors anymore. We're seeing
this huge surge in regular people, private citizens using VPNs
for just basic privacy and anonymity. I mean, the ads
are everywhere.

Speaker 2 (02:26):
It shows that people are finally waking up to the
threats and honestly, even on a network you think is safe,
like your cellular connection from a big carrier like Verizon
or AT&T, you're not completely immune.

Speaker 1 (02:36):
Well that's a big one. Most people totally overlook the
risk on their cell phone. They think 5G is
just inherently secure.

Speaker 2 (02:42):
Not entirely. We still have to worry about threats like
IMSI attacks. That's where an attacker sets up a fake
cell tower, sometimes called a Stingray, and tricks your
phone into connecting to it. If your data isn't in
a VPN tunnel, they can just siphon it all up.
So the advice now for any organization is to have
VPNs on by default on all devices, laptops, phones, everything.

Speaker 1 (03:04):
Okay, so let's get into the mechanics. How does the
VPN actually build this tunnel to carry our data? Right?

Speaker 2 (03:10):
So the mechanism is called tunneling, and it basically uses
the existing rules of the Internet, the TCP/IP stack, to
encapsulate packets. Think of it like taking your data, putting
it in a locked box and then putting that locked
box inside an armored truck for delivery. And because the
Internet protocol has different layers, we can actually choose which
layer to apply that security. It's really flexible.

Speaker 1 (03:31):
So for applying security at different layers. What are the
main ways we see this done in the real world?
What are the big protocols?

Speaker 2 (03:37):
We really lean on two major approaches today. The first
is the TLS/SSL VPN. Now TLS, Transport Layer Security,
is the modern version that replaced the older SSL.
one works at layer four, the transport layer. It's often
the kind you access through a web browser or a
little app and it uses the same security that protects
you on banking websites.

Speaker 1 (03:58):
That sounds super convenient, but I know there's a huge
catch if you don't manage it right.

Speaker 2 (04:01):
Well. Absolutely, Because these VPNs are often exposed directly to
the Internet and use a simple username and password, they
are a massive target for brute force attacks. An attacker
can just sit there and try millions of password combinations,
which is why you must have an account lockout policy.
You know, after three or five bad password attempts, so
the account is locked. It's non negotiable.

Speaker 1 (04:23):
Makes sense. Okay, So what's the second major approach, the
one that's more of a combo deal.

Speaker 2 (04:27):
That would be the combination of L2TP and IPsec.
And this is really cool because it uses different layers
for different jobs. L2TP, the Layer 2 Tunneling Protocol,
honestly just builds the tunnel. It creates that point
to point connection. And then IPsec, Internet Protocol Security,
comes in at layer three and provides all the encryption
and the heavy duty security.

Speaker 1 (04:47):
I want to pause on IPsec because this is
where it gets really interesting. It's not just about keeping
things secret, it's about creating a paper trail,
right for accountability.

Speaker 2 (04:56):
You absolutely hit the nail on the head. IPsec is
brilliant because it splits its duties into two parts. First,
you have the Authentication Header, or AH. This part handles
authentication authorization and the really important one, non repudiation.

Speaker 1 (05:11):
Non-repudiation. I love that word. It just means a
user can't turn around and deny they did something on
the network exactly.

Speaker 2 (05:17):
The system can prove where the data came from and
that it hasn't been changed. So if someone deletes a
critical database and then says "wasn't me," the logs backed
by AH provide very strong evidence to the contrary.

Speaker 1 (05:30):
So AH is the integrity check the auditor. What about
the secrecy part.

Speaker 2 (05:34):
That's the second piece, the ESP or encapsulating security payload.
This part's job is simple encrypt the data. It scrambles
the content, so even if someone intercepts the traffic, all
they see is gibberish. It's the combination of AH for
integrity and ESP for confidentiality that makes IPsec so powerful.

Speaker 1 (05:54):
Okay, it's easy to get lost in all these layers,
but let's bring it back up. What does all this
tech mean for the person trying to manage a remote workforce?
How do you go from a secure protocol to a
successful real world strategy.

Speaker 2 (06:07):
That's the million dollar question. You have to move from
just technology to policy. A good remote access strategy really
stands on three pillars. Connectivity, strong encryption, which we've covered,
and really solid AAA, authentication, authorization and accounting.

Speaker 1 (06:21):
Or triple A. Connectivity speed feels like a small thing,
but I've heard stories where it just completely tanks productivity.

Speaker 2 (06:27):
It can be the biggest hurdle. I remember a case
years ago with a user trying to connect from a
super remote part of Alaska. Their ping time, the latency,
was over two seconds. They were just constantly getting timed out.
So your policies have to account for people on slow
or unreliable Internet connections, and not just slow but sometimes

(06:48):
restricted right depending on where in the world they are. Precisely,
if you have employees traveling, say behind the Great Firewall
of China, their VPN traffic might get slowed down or
even blocked completely. Your security team has to have backup plans
for that.

Speaker 1 (07:01):
Okay, so let's talk about that third pillar triple A.
You mentioned non repudiation, which tells me you need one
central system managing who is who and logging everything.

Speaker 2 (07:11):
Absolutely, you cannot have identity managed in a scattered way.
We use centralized systems, things like RADIUS or its newer,
more capable successor, Diameter. Diameter. Yeah, I know, geometry jokes
in cybersecurity, but these systems, or even single sign-on
like Active Directory, give you that one single source of
truth for who logged in, when and from where. Auditability

(07:31):
is everything.

Speaker 1 (07:32):
And beyond the tech, there's the human side, the day
to day logistics that IT has to deal with. That
needs a policy too, right? It's

Speaker 2 (07:40):
Not negotiable who supports these remote users. What happens if
an employee's monitor breaks at their home office? Does IT
ship them a new one? You have to define all
of this beforehand, and maybe most importantly, you have to
define what level of access they're even allowed.

Speaker 1 (07:54):
That's a huge point. You don't want to give someone
full remote control of a critical server just so they
can check...

Speaker 2 (07:59):
...their email. Exactly. Does the user just need access to
Outlook or do they need to control a whole computer
with software like RDP, TeamViewer or Citrix. The more
limited the access, the smaller the risk.

Speaker 1 (08:11):
Which brings us to a final and pretty urgent warning
about all this remote access software: patching. It cannot be
said enough. Every one of these remote access tools is
a potential doorway for an attacker. We've seen major attacks
targeting things like VNC recently. If you use this software,
keeping it patched and up to date is probably the

(08:32):
single most important security task you have for your remote environment.
So to wrap up our deep dive, VPNs are really
the backbone of modern remote work. They create secure encrypted
tunnels using protocols like L2TP/IPsec or TLS, and
they guarantee both the confidentiality and the integrity of your data,
whether you're a huge company or just someone trying to
stay safe online.

Speaker 2 (08:52):
And remember, your firewall is usually the device that manages
these connections, so check the documentation, configure it properly, and
make sure you enable those critical security controls like account
lockouts to protect your entire network from attack.

Speaker 1 (09:06):
And that leaves us with a final thought for you
to chew on. We talked about how IPsec's Authentication
header enforces non repudiation. Now, considering a remote user is
by definition in an untrusted location, what's the one key
action your monitoring system has to take during that VPN
session to create a truly undeniable, legally sound record of

(09:26):
what that user did. The answer is in how you
connect those technical logs to your formal official company policies.
Think about what it takes to turn a line in a log
file into evidence.