VPNs, TLS in Transit & Secure Remote Access¶

Protecting data in transit is non-negotiable on untrusted networks (the internet, public Wi-Fi).

TLS — Transport Layer Security¶

TLS (the "S" in HTTPS) provides:

1.Confidentiality — traffic is encrypted.
2.Integrity — tampering is detected.
3.Authentication — the server proves its identity via a certificate.

The TLS Handshake (simplified)¶

1.Client says hello, lists supported ciphers.
2.Server presents its certificate (signed by a trusted CA).
3.Client verifies the cert chain.
4.Both derive a shared session key (using ephemeral Diffie-Hellman for forward secrecy).
5.Encrypted communication begins.

Always prefer TLS 1.3. Disable SSLv3, TLS 1.0/1.1 — they have known weaknesses.

VPNs — Virtual Private Networks¶

A VPN creates an encrypted tunnel across an untrusted network.

Type	Use case
Remote-access VPN	Employee → corporate network
Site-to-site VPN	Branch office → HQ

Common protocols: IPsec (network-layer) and WireGuard / OpenVPN (modern, fast).

VPN ≠ Anonymity¶

A VPN protects data in transit and hides traffic from local eavesdroppers, but the VPN provider can see your traffic. It is a confidentiality tool, not an invisibility cloak.

The Shift Toward Zero Trust Network Access (ZTNA)¶

Traditional VPNs grant broad network access once connected — a flat, over-trusting model. ZTNA instead grants access to specific applications, re-verifying identity and device posture on every request. This drastically limits what a stolen VPN credential can reach.

Practical Checklist¶

Enforce HTTPS everywhere (HSTS header, redirect HTTP→HTTPS).
Use TLS 1.3; disable legacy versions and weak ciphers.
Require VPN or ZTNA for all remote administrative access.
Never expose RDP (3389) or SSH (22) directly to the internet — gate behind a VPN/bastion.
Rotate and protect certificates; monitor expiry.

TLS — Transport Layer Security¶

TLS (the "S" in HTTPS) provides:

1.Confidentiality — traffic is encrypted.

2.Integrity — tampering is detected.

3.Authentication — the server proves its identity via a certificate.

The TLS Handshake (simplified)¶

1.Client says hello, lists supported ciphers.

2.Server presents its certificate (signed by a trusted CA).

3.Client verifies the cert chain.

4.Both derive a shared session key (using ephemeral Diffie-Hellman for forward secrecy).

5.Encrypted communication begins.

Always prefer TLS 1.3. Disable SSLv3, TLS 1.0/1.1 — they have known weaknesses.

VPNs — Virtual Private Networks¶

A VPN creates an encrypted tunnel across an untrusted network.

Type	Use case
Remote-access VPN	Employee → corporate network
Site-to-site VPN	Branch office → HQ

Common protocols: IPsec (network-layer) and WireGuard / OpenVPN (modern, fast).

VPN ≠ Anonymity¶

A VPN protects data in transit and hides traffic from local eavesdroppers, but the VPN provider can see your traffic. It is a confidentiality tool, not an invisibility cloak.

Practical Checklist¶

Enforce HTTPS everywhere (HSTS header, redirect HTTP→HTTPS).

Use TLS 1.3; disable legacy versions and weak ciphers.

Require VPN or ZTNA for all remote administrative access.

Never expose RDP (3389) or SSH (22) directly to the internet — gate behind a VPN/bastion.

Rotate and protect certificates; monitor expiry.