Network Access Methods N10-009

Slide 1 of 8  |  N10-009 Obj 3.5  |  Remote Access
Network Access Methods:
VPN, SSH & Remote Management
Secure access from anywhere — or a security disaster from everywhere.
Your CEO is traveling and needs secure access to internal resources from a hotel WiFi. The hotel network is untrusted — anyone on it could be sniffing traffic. How do you provide access safely? VPN, SSH, jump hosts, and management planes each solve a different piece of this problem.
8 Slides  |  N10-009 Obj 3.5  |  Remote Access & Management Concepts + Architecture
Slide 2 of 8
VPN Types: Site-to-Site vs Client-to-Site
Two architectures, two use cases. Encrypted packets travel through the same internet but arrive as if they never left the LAN.
[Diagram: Site-to-site VPN: HQ 192.168.1.0/24 VPN gateway to Branch 10.2.0.0/24 VPN gateway, IPsec tunnel encrypted across the Internet. Client-to-site VPN (remote access): CEO laptop on untrusted hotel WiFi to the HQ VPN concentrator over a TLS/SSL or IPsec encrypted tunnel (authenticate + encrypt), then on to internal resources.]
Site-to-Site VPN
Connects two networks permanently. Configured on gateway devices (routers/firewalls). Individual users do not need a VPN client — the gateway handles everything. Protocol: IPsec (IKEv2). Use case: connecting branch offices to HQ.
Client-to-Site VPN (Remote Access)
Individual device connects to corporate network. Requires VPN client software. Protocols: SSL/TLS (443), IPsec, WireGuard. After authentication, the laptop gets a virtual IP on the corporate subnet and can reach internal resources. The CEO's scenario.
Slide 3 of 8
Split Tunnel vs Full Tunnel
Split tunnel: corporate traffic goes through VPN, internet traffic goes direct. Full tunnel: all traffic through VPN, no exceptions.
[Diagram: Split tunnel: laptop 10.100.0.5 sends corporate traffic through the VPN tunnel to the Corp HQ intranet and internet traffic direct (no VPN). Pro: faster internet, less VPN load. Con: internet traffic unmonitored. Full tunnel: all laptop traffic goes through the VPN tunnel to Corp HQ, then out through the firewall and proxy to the Internet. Pro: all traffic inspected, DLP. Con: VPN bandwidth bottleneck.]
Split Tunnel Use Case
Corporate resources (SharePoint, ERP, file shares) go through VPN. Streaming video, personal browsing go direct. Reduces VPN concentrator load. Security risk: user on hotel WiFi browses banking site without VPN protection. Also bypasses corporate content filtering.
Full Tunnel Use Case
Every packet — corporate and internet — routes through the VPN concentrator and then out through corporate firewalls and proxies. All traffic is logged and inspected. Required for high-security environments and regulatory compliance. Adds latency for internet browsing.
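To make the split versus full tunnel distinction concrete, here is an added Python example (not from the slide deck) that applies longest-prefix matching, the rule a host's routing table follows, to a constructed set of VPN-pushed routes. The route prefixes and destination addresses are assumed values for illustration: 192.168.1.0/24 echoes the HQ subnet on slide 2, and 203.0.113.45 stands in for the banking site that a split tunnel leaves unprotected on hotel WiFi.

```python
"""Added example (not from the slide deck): which destinations traverse the
VPN tunnel under a split-tunnel versus a full-tunnel route table.
Route sets and destination addresses are constructed for illustration."""
import ipaddress

# Routes a VPN concentrator might push to the client (assumed values).
SPLIT_TUNNEL_ROUTES = {
    "10.0.0.0/8": "vpn",       # corporate private space
    "192.168.1.0/24": "vpn",   # HQ LAN from slide 2
    "0.0.0.0/0": "direct",     # everything else leaves via the hotel WiFi
}
FULL_TUNNEL_ROUTES = {
    "0.0.0.0/0": "vpn",        # no exceptions: all traffic via the concentrator
}


def next_hop(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins,
    exactly as a host routing table decides where a packet goes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def unprotected_destinations(dsts, routes):
    """Destinations that would leave the laptop unencrypted on the untrusted
    network, i.e. the split-tunnel risk called out on the slide."""
    return [d for d in dsts if next_hop(d, routes) == "direct"]


# Constructed destinations: an intranet server, a host on the HQ LAN,
# and a public banking site (documentation address, not a real bank).
DESTINATIONS = ["10.5.0.20", "192.168.1.10", "203.0.113.45"]

if __name__ == "__main__":
    for name, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        for d in DESTINATIONS:
            print(f"{name:5} {d:15} -> {next_hop(d, routes)}")
        print(f"{name:5} unprotected: {unprotected_destinations(DESTINATIONS, routes)}")
```

Running it shows the two corporate destinations taking the tunnel in both modes, while 203.0.113.45 goes direct only under the split-tunnel table; that single "direct" entry is the whole difference between the two designs, and it is why full tunnel is the answer when the policy question is "can we see and filter everything the laptop does?"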
Slide 4 of 8
SSH: Encrypted Remote Shell
SSH replaced Telnet as the standard for remote CLI access. Port 22. Asymmetric key exchange, symmetric session encryption.
[Diagram: Admin 10.0.0.50 runs ssh admin@10.5.0.20; SSH encrypted channel on port 22 (AES-256 / HMAC-SHA2) to server 10.5.0.20 running sshd on :22. Key exchange (simplified): client private key ~/.ssh/id_rsa, server validates against authorized_keys; no password sent over the wire. Compared to Telnet :23 (plaintext), SSH :22 is encrypted.]
SSH Authentication Methods
Public key: most secure. Client holds private key. Server holds public key in authorized_keys. No password transmitted.
Password-based: encrypted but vulnerable to brute force. Disable in sshd_config for production servers.
Certificate-based: SSH CA signs user certs. Scales across many servers without per-server key distribution.
SSH Tunneling
SSH can tunnel other protocols. Local port forwarding: forward a local port through SSH to a remote host. Dynamic forwarding: SSH as a SOCKS proxy. Useful for accessing internal services through a bastion host without a full VPN. Example: ssh -L 8080:internalapp:80 bastion listens on local port 8080 and relays it through the bastion to port 80 on internalapp.
Telnet is Dead
Telnet transmits credentials in cleartext. Any packet capture on the path reveals the username and password. Never use Telnet for remote administration. If a device only supports Telnet (old IOS), that device is end-of-life and must be replaced.
Slide 5 of 8
RDP, VNC & Console Access
Graphical remote access protocols — each with different security profiles and use cases.
RDP — Remote Desktop Protocol
Port 3389 / TCP
Windows-native GUI remote access
Full Windows desktop over the network. Microsoft proprietary. Supports clipboard, drive, printer, audio redirection. NLA (Network Level Authentication) required — authenticates before desktop session starts, blocking unauthenticated connection attempts.
High-value attack target. Never expose port 3389 directly to the internet. Require VPN or jump host first.
VNC — Virtual Network Computing
Port 5900+ / TCP
Cross-platform GUI remote access
Platform-agnostic (Windows, Linux, macOS). Uses RFB protocol. Lower performance than RDP. Authentication varies by implementation — some versions send passwords with weak encryption. Always tunnel VNC through SSH for security in production.
Use case: accessing Linux servers with GUI or cross-platform admin where RDP is not available.
Console Access (OOB)
Serial / IPMI / iDRAC / iLO
Hardware-level, network-independent
Direct hardware management plane. Works even when the OS is down, the network card has failed, or the OS is locked up. Console servers aggregate physical serial ports. IPMI/iDRAC/iLO provide remote power control, KVM, and virtual media over a separate management interface.
The last resort. If all else fails, console access lets you recover. Isolate on a separate management VLAN.
Security Rule
RDP (3389) and VNC (5900) should never be directly exposed to the internet. The baseline approach: users connect to VPN first, then RDP/VNC within the trusted tunnel. Alternatively, use a jump host (next slide) to add an authentication checkpoint.
Slide 6 of 8
Jump Box / Bastion Host
A hardened intermediary — you connect to it first, then to the target. One path in. One audit trail.
[Diagram: Admin on the external Internet. Step 1: SSH to the jump box (port 22), authenticated and logged. Jump box / bastion host in the DMZ on a public IP, MFA + key auth, audit logging, behind a firewall. Step 2: SSH/RDP from the jump box to Server-01 10.5.0.10, Server-02 10.5.0.11 and DB-Server (internal only, no direct external access). All sessions logged to the SIEM.]
Why a Jump Box
Internal servers never have public IPs. No one can SSH directly to Server-01 from the internet because there is no route. All admin access flows through the jump box, creating a single, auditable chokepoint. The jump box enforces MFA and logs every session.
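As an added example of the audit chokepoint the jump box provides (not part of the deck), the Python below parses constructed OpenSSH auth log lines in the format sshd writes to syslog and flags two things a SIEM rule on the bastion should catch: a password login that was accepted even though the box is supposed to be key-plus-MFA only, and a source that fails repeatedly. The hostnames, usernames, addresses and the failure threshold are made up for the example.

```python
"""Added example (not from the slide deck): detection logic over constructed
OpenSSH auth log lines from a jump box. Hostnames, users, addresses and the
failure threshold are made up for illustration."""
import re
from collections import Counter

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
# lines sshd writes to the auth log.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample: one good key login, a password-guessing burst from one
# source, then a password login that should never have been possible.
SAMPLE_LOG = """\
Mar  3 09:12:01 jump sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2: ED25519 SHA256:AAAA
Mar  3 09:12:45 jump sshd[2102]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar  3 09:12:47 jump sshd[2103]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar  3 09:12:49 jump sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 40013 ssh2
Mar  3 09:13:10 jump sshd[2105]: Accepted password for bob from 203.0.113.9 port 40020 ssh2
Mar  3 09:15:00 jump sshd[2106]: Accepted publickey for carol from 198.51.100.8 port 51030 ssh2: ED25519 SHA256:BBBB
"""


def parse_sshd_log(text):
    """Turn raw auth log lines into event dicts; lines that are not
    authentication results (e.g. disconnects) are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None
            events.append(e)
    return events


def detect(events, fail_threshold=3):
    """Return (alert_type, source, detail) tuples for a SIEM rule on the bastion."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == fail_threshold:  # fire once per source
                alerts.append(("BRUTE_FORCE", e["src"],
                               f"{fail_threshold} failed logins (last user {e['user']!r})"))
        elif e["method"] == "password":
            # An accepted password on a key+MFA-only jump box means the hardening
            # baseline is not in effect; treat it as a policy violation, not noise.
            alerts.append(("POLICY_VIOLATION", e["src"],
                           f"password login accepted for {e['user']!r}"))
    return alerts


def accepted_sessions(events):
    """The audit trail: who got in, from where, by which method."""
    return [(e["user"], e["src"], e["method"]) for e in events if e["result"] == "Accepted"]


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for a in detect(evs):
        print("ALERT", *a)
    for s in accepted_sessions(evs):
        print("SESSION", *s)
```

Because every admin session has to pass through this one host, a single parser over its auth log gives the complete picture of who reached the internal servers; the same logic spread across dozens of servers with their own public IPs would have gaps, which is the point of the chokepoint.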
Jump Box Hardening
Minimal installed software — no web browsers, no email. Public key auth only, no passwords. MFA required. All commands logged to immutable SIEM. Regular vulnerability scanning. Separate admin account for jump box vs. production servers. Rotate access keys on departure.
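Slide 4 says to disable password authentication in sshd_config, and the hardening list above requires public-key-only access with MFA on the jump box. The added Python example below (not the deck's own material) checks an sshd_config text against those rules. The directive names are real OpenSSH keywords; the two sample configs are constructed, and the wanted values encode the slides' rules rather than any vendor baseline. It also models one detail that trips people up: OpenSSH applies the first occurrence of a keyword, so a "PasswordAuthentication no" appended at the end of a file does nothing if a "yes" appears earlier.

```python
"""Added example (not from the slide deck): audit an sshd_config text against
the deck's baseline: public-key only, no passwords, no root login, and for a
jump box a multi-method (MFA) chain. Sample configs are constructed."""
import re

# Real OpenSSH keywords (matched case-insensitively); the wanted values encode
# the slides' rules, not any vendor benchmark.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return the effective global directives. OpenSSH applies the FIRST
    occurrence of a keyword and ignores later duplicates, so a hardening
    line appended at the end of the file may silently do nothing.
    A Match block (per-user/host overrides) ends the global section and is
    left for separate review."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def audit(text, jump_box=False):
    """Return a list of findings; an empty list means the config meets the baseline."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set (compiled-in default applies; set {want} explicitly)")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (want {want})")
    if jump_box:
        # MFA on the bastion: at least one AuthenticationMethods chain that
        # requires a public key AND a second method, e.g. keyboard-interactive (PAM/TOTP).
        chains = [c.split(",") for c in cfg.get("authenticationmethods", "").split()]
        if not any("publickey" in c and len(c) >= 2 for c in chains):
            findings.append("authenticationmethods: no publickey+second-factor chain (MFA not enforced)")
    return findings


# Constructed: a near-default server config with a too-late hardening line.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no   # ignored by sshd: the earlier 'yes' wins
"""

# Constructed: the jump box baseline from slide 6.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
KbdInteractiveAuthentication yes      # needed for the PAM/TOTP prompt
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg, jb in (("weak", WEAK_CONFIG, False), ("jump box", HARDENED_CONFIG, True)):
        print(name, audit(cfg, jump_box=jb) or ["OK"])
```

Run against the weak sample, the audit reports the password and root-login settings and the missing PermitEmptyPasswords, and it is not fooled by the trailing "no" line; the hardened sample passes even with the jump-box MFA requirement on. On a real host, "sshd -T" prints the effective configuration after all parsing, which is the authoritative input to feed a check like this.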
Slide 7 of 8
In-Band vs Out-of-Band Management
In-band shares the production network. Out-of-band has its own independent path — and works when production fails.
[Diagram: In-band: the admin workstation manages Router-01 through the core switch on the production network, so management traffic shares the production switch. When the production network is down, out-of-band still works: a separate management network via dedicated VLAN, physically separate path, console server, or cellular.]
In-Band Management
Management traffic shares the production network. SSH to the switch's production IP. Simpler and cheaper — no separate infrastructure. Fatal flaw: if the production network fails (misconfigured ACL, routing loop, hardware failure), you lose management access at exactly the moment you need it most.
Out-of-Band Management
Separate, dedicated management network. Physically separate interfaces or a dedicated management VLAN on isolated infrastructure. Console servers for serial access. IPMI/iDRAC for servers. When production fails, OOB is how you get in to fix it. Required for data centers and enterprise environments.
OOB Options
Dedicated management switch (separate physical path). Cellular/4G modem as last-resort fallback. Console server aggregating serial ports from all devices. IPMI/iDRAC/iLO on servers. Cloud-managed network gear (Meraki, etc.) provides internet-based OOB for branch sites.
Slide 8 of 8  |  Summary
Network Access Methods: What You Now Know
1. Site-to-site VPN connects two networks permanently via IPsec gateways. Client-to-site VPN connects individual devices to the corporate network using SSL/TLS or IPsec.
2. Split tunnel: corporate traffic via VPN, internet direct. Full tunnel: all traffic via VPN. Full tunnel provides visibility and policy enforcement at the cost of VPN bandwidth.
3. SSH (port 22) provides encrypted remote shell access. Public key authentication is more secure than password. Never use Telnet (port 23) — credentials sent in cleartext.
4. RDP (3389) for Windows GUI. VNC (5900) for cross-platform GUI. Console access (serial/IPMI/iDRAC) for hardware-level out-of-band access. Never expose RDP directly to the internet.
5. Jump box (bastion host): hardened intermediary that forces all admin access through a single auditable chokepoint. Internal servers have no direct public access.
6. In-band: management over production network. Out-of-band: dedicated management path that works even when production fails — required for enterprise and data center environments.
The CEO is connected securely. VPN client on the laptop establishes a full-tunnel IPsec connection to the corporate concentrator. Hotel WiFi traffic is irrelevant — all packets are encrypted before leaving the laptop. The CEO hits SharePoint, file shares, and internal apps as if sitting in HQ. The session is logged at the VPN concentrator. If the CEO closes the laptop, the tunnel drops and rebuilds on reconnect.

Hotel WiFi: untrusted. CEO's data: encrypted and contained.
N10-009 Obj 3.5 Coverage
Site-to-site vs client-to-site VPN, split vs full tunnel, IPsec, SSL/TLS VPN, SSH (port 22), Telnet (port 23), RDP (port 3389), VNC (port 5900), jump box / bastion host, in-band vs out-of-band management, console access, IPMI/iDRAC.