Security / VPN / Tunneling

This section explores key protocols and technologies that secure communication over untrusted networks. These include encryption, tunneling, and segmentation techniques to ensure data confidentiality and integrity.

Protocol / Tech	Description	Use Case
SSH (Secure Shell)	Secure remote access protocol using encryption and key authentication. Supports tunneling, file transfer, and remote command execution.	Secure remote login to servers and network devices.
IPsec (Internet Protocol Security)	Suite of protocols for securing IP traffic via encryption and authentication. Works in transport or tunnel mode.	Site-to-site or remote-access VPNs.
L2TP (Layer 2 Tunneling Protocol)	Tunneling protocol often combined with IPsec for encryption. Encapsulates PPP frames for VPNs.	Secure remote VPN access.
IKEv2 (Internet Key Exchange v2)	Protocol for setting up security associations in IPsec. Supports fast reconnection and mobility.	Mobile VPNs, secure key negotiation.
VPN (Virtual Private Network)	Encrypted connection over the internet that emulates a private network. Utilizes protocols like IPsec, SSL, OpenVPN.	Remote access to internal networks.
DMZ (Demilitarized Zone)	Network segment exposed to external users but isolated from internal LAN. Hosts public services like web or mail servers.	Hosting internet-facing apps securely.
Firewall	Security system that filters traffic based on rules. Protects networks from unauthorized access.	Enforcing access control between networks.
MACsec (802.1AE)	Link-layer encryption for LAN security. Encrypts Ethernet frames to prevent snooping.	Securing Layer 2 segments in enterprise networks.

SSH (Secure Shell)

RFC: RFC 4251–4254

Main Features:

• Encrypted remote access to devices and servers

• Supports tunneling, port forwarding, and file transfers (SCP/SFTP)

• Key-based authentication and session security

Use Cases:

• Secure system administration

• File transfer over insecure networks

Alternative Protocols:

• Telnet (insecure, legacy)

• RDP – for graphical remote access

Let us learn more about SSH:

• Learnings in this section

• Terminology

• Version Info

• SSH Version&RFC Details

• SSH Basic Setup on Ubuntu using IPv4

• SSH Basic Setup on Ubuntu using IPv6

• SSH Protocol Packet Details

• SSH Usecases

• SSH Basic Features

• SSH Feature : Secure Remote Access

• SSH Feature : Authentication Methods

• SSH Feature : Encryption

• SSH Feature : Port Forwarding

• SSH Feature : File Transfer

• SSH Feature : Command Execution

• SSH Feature : Session Management

• SSH Feature : Key Management

• SSH Feature : Access Control

• SSH Feature : Logging & Auditing

• Reference links

Jump to “SSH”

IPsec (Internet Protocol Security)

RFC: RFC 4301 (Framework), RFC 4303 (ESP), RFC 2402 (AH)

Main Features:

• Encrypts and authenticates IP packets

• Supports transport and tunnel mode

• Often used in VPNs and secure WAN communication

Use Cases:

• Enterprise VPNs (site-to-site or remote access)

• Secure communication between data centers

Alternative Protocols:

• SSL VPN (OpenVPN, WireGuard)

• MACsec – for Layer 2 encryption

Let us learn more about IPsec:

• Learnings in this section

• Terminology

• Version Info

• IPsec Version&RFC Details

• IPsec Basic Setup on Ubuntu using IPv4

• IPsec Basic Setup on Ubuntu using IPv6

• IPsec Protocol Packet Details

• IPsec Usecases

• IPsec Basic Features

• IPsec Feature : Encryption

• IPsec Feature : Authentication

• IPsec Feature : Integrity Checking

• IPsec Feature : Transport Mode Support

• IPsec Feature : Key Exchange (IKE/IKEv2)

• IPsec Feature : Security Associations (SAs)

• IPsec Feature : Protocol Support (ESP & AH)

• IPsec Feature : NAT Traversal

• IPsec Feature : Replay Protection

• IPsec Feature : Flexible Algorithm Support

• Reference links

Jump to “IPsec”

L2TP (Layer 2 Tunneling Protocol)

RFC: RFC 2661

Main Features:

• Tunnels PPP frames across IP networks

• No built-in encryption (typically paired with IPsec)

• Often used in legacy VPN setups

Use Cases:

• L2TP/IPsec VPN for remote users

• Legacy Windows VPN infrastructure

Alternative Protocols:

• PPTP (deprecated)

• OpenVPN, WireGuard

Let us learn more about L2TP:

• Learnings in this section

• Terminology

• Version Info

• L2TP Version&RFC Details

• L2TP Basic Setup on Ubuntu using IPv4

• L2TP Basic Setup on Ubuntu using IPv6

• L2TP Protocol Packet Details

• L2TP Usecases

• L2TP Basic Features

• L2TP Feature : Tunneling

• L2TP Feature : Session Multiplexing

• L2TP Feature : Control and Data Separation

• L2TP Feature : Protocol Independence

• L2TP Feature : UDP-Based Transport

• L2TP Feature : No Native Encryption

• L2TP Feature : AVP-Based Control Messages

• L2TP Feature : Reliability for Control Messages

• L2TP Feature : Tunnel and Session IDs

• L2TP Feature : Extensibility (L2TPv3)

• Reference links

Jump to “L2TP”

IKEv2 (Internet Key Exchange v2)

RFC: RFC 7296

Main Features:

• Automates key exchange and session setup in IPsec

• Supports EAP authentication

• Handles mobility and reconnection efficiently

Use Cases:

• Mobile VPNs on iOS, Android

• IPsec-based secure tunnels

Alternative Protocols:

• IKEv1 (legacy)

• SSL/TLS for non-IPsec VPNs

Let us learn more about IKEv2:

• Learnings in this section

• Terminology

• Version Info

• IKEv2 Version&RFC Details

• IKEv2 Basic Setup on Ubuntu using IPv4

• IKEv2 Basic Setup on Ubuntu using IPv6

• IKEv2 Protocol Packet Details

• IKEv2 Usecases

• IKEv2 Basic Features

• IKEv2 Feature : Secure Key Exchange

• IKEv2 Feature : Authentication

• IKEv2 Feature : Security Associations (SAs)

• IKEv2 Feature : Mobility and Multihoming (MOBIKE)

• IKEv2 Feature : Session Resumption

• IKEv2 Feature : Message Fragmentation

• IKEv2 Feature : Traffic Selectors

• IKEv2 Feature : Encryption Agility

• IKEv2 Feature : Post-Quantum Readiness

• IKEv2 Feature : Extensibility via Payloads

• Reference links

Jump to “IKEv2”

VPN (Virtual Private Network)

Standard: Conceptual (uses multiple protocols)

Main Features:

• Encrypts traffic across public networks

• Protects identity and location

• Supports multiple protocols (IPsec, SSL, WireGuard, etc.)

Use Cases:

• Secure remote access

• Privacy and bypassing censorship

Alternative Protocols:

• MPLS VPN (carrier-grade)

• Zero Trust models

Let us learn more about VPNs:

Jump to “VPN”

DMZ (Demilitarized Zone)

Standard: Architecture Concept

Main Features:

• Isolated network segment for public-facing services

• Restricts external access to internal LAN

• Limits exposure and attack surface

Use Cases:

• Hosting public servers securely (e.g., web, mail)

• Isolating test/dev environments

Alternative Technologies:

• Reverse proxy

• Bastion hosts

Let us learn more about DMZ:

• Learnings in this section

• Terminology

• Version Info

• DMZ Version&RFC Details

• DMZ Basic Setup on Ubuntu using IPv4

• DMZ Basic Setup on Ubuntu using IPv6

• DMZ Protocol Packet Details

• DMZ Usecases

• DMZ Basic Features

• DMZ Feature : Network Segmentation

• DMZ Feature : Firewall Enforcement

• DMZ Feature : Public Service Hosting

• DMZ Feature : Access Control

• DMZ Feature : Intrusion Detection/Prevention

• DMZ Feature : Logging and Monitoring

• DMZ Feature : Reverse Proxy Support

• DMZ Feature : VPN Termination Point

• DMZ Feature : Redundancy and High Availability

• DMZ Feature : Cloud-Compatible Design

• Reference links

Jump to “DMZ”

Firewall

RFC: Varies (vendor implementation)

Main Features:

• Filters traffic using rules and policies

• Supports stateless and stateful inspection

• May inspect up to Layer 7 (Next-Gen Firewalls)

Use Cases:

• Enterprise network protection

• Access control and segmentation

Alternative Technologies:

• Access Control Lists (ACLs)

• Host-based firewalls

Let us learn more about Firewalls:

Jump to “Firewall”

MACsec (802.1AE)

Standard: IEEE 802.1AE

Main Features:

• Layer 2 (Ethernet) encryption

• Protects against LAN sniffing and replay attacks

• Point-to-point security on switches and routers

Use Cases:

• Securing enterprise LANs

• Government and financial infrastructure

Alternative Technologies:

• IPsec – for higher-layer encryption

• 802.1X – for authentication

Let us learn more about MACsec:

• Learnings in this section

• Terminology

• Version Info

• MACsec_802_1ae Version&RFC Details

• MACsec_802_1ae Basic Setup on Ubuntu using IPv4

• MACsec_802_1ae Basic Setup on Ubuntu using IPv6

• MACsec_802_1ae Protocol Packet Details

• MACsec_802_1ae Usecases

• MACsec_802_1ae Basic Features

• MACsec_802_1ae Feature : Layer 2 Encryption

• MACsec_802_1ae Feature : Data Integrity and Authentication

• MACsec_802_1ae Feature : AES-GCM Encryption

• MACsec_802_1ae Feature : Replay Protection

• MACsec_802_1ae Feature : Per-Hop Security

• MACsec_802_1ae Feature : No IP Dependency

• MACsec_802_1ae Feature : Compatibility with 802.1X

• MACsec_802_1ae Feature : Minimal Latency Overhead

• Reference links

Jump to “MACsec”