VPN (Virtual Private Network)
What is a VPN (Virtual Private Network)?
VPN (Virtual Private Network): A technology that creates an encrypted, authenticated tunnel over a public network so that traffic appears to travel through a private network.
A VPN establishes a cryptographically protected tunnel between two endpoints so traffic crossing untrusted networks stays confidential, integrity-protected, and authenticated. Implementations differ: IPsec (RFC 4301) operates at layer 3 with IKEv2 key exchange; SSL/TLS VPNs tunnel over HTTPS for clientless browser access; OpenVPN uses a custom TLS-based protocol; and WireGuard, in the mainline Linux kernel since 5.6, uses fixed modern primitives — Curve25519, ChaCha20-Poly1305, BLAKE2s — for a small, fast codebase.
VPN concentrators are high-value targets because they sit at the perimeter and broker access to the internal network. CVE-2019-11510, a pre-auth arbitrary-file-read in Pulse Connect Secure (CVSS 10.0), let attackers harvest plaintext credentials and was used to deploy REvil/Sodinokibi ransomware against hospitals and government bodies. CVE-2018-13379, a path traversal in Fortinet FortiOS SSL-VPN, leaked session files containing cleartext credentials; around 50,000 device credentials were dumped publicly in November 2020. Both stayed exploited long after patches shipped.
Defences: patch concentrators promptly, enforce phishing-resistant MFA at the tunnel, restrict split-tunnel where policy requires full inspection, and monitor session logs for impossible-travel and credential reuse. Increasingly, organisations replace broad network-level VPN access with zero-trust application gateways that grant per-application rather than per-network reach.
flowchart LR
    C[Client / endpoint] -->|1. Authenticate + IKE/TLS key exchange| G[VPN gateway]
    C -->|2. Encrypted ESP/TLS tunnel across internet| G
    G -->|3. Decrypt and forward| R[Internal resources]
    A[Eavesdropper] -. sees only ciphertext .-> C
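The session-log monitoring named in the defences above can be sketched as follows. This is an added example, not code from any VPN product: the CSV layout, the sample events, the 900 km/h and 50 km thresholds, and the reading of "credential reuse" as one source IP logging in to several accounts are all assumptions.

```python
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample (made-up values): timestamp, user, source IP, GeoIP lat, lon.
SAMPLE_LOG = """\
2024-03-01T08:00:00+00:00,alice,198.51.100.10,51.5074,-0.1278
2024-03-01T09:30:00+00:00,alice,203.0.113.77,35.6762,139.6503
2024-03-01T09:00:00+00:00,bob,192.0.2.5,48.8566,2.3522
2024-03-01T13:00:00+00:00,bob,192.0.2.9,50.1109,8.6821
2024-03-01T09:31:00+00:00,carol,203.0.113.77,35.6762,139.6503
"""
MAX_KMH = 900.0  # assumed threshold, roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor so GeoIP jitter inside one city is ignored

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(log_text):
    """Parse CSV lines into time-ordered (ts, user, ip, lat, lon) tuples."""
    rows = (r for r in csv.reader(io.StringIO(log_text)) if len(r) == 5)
    return sorted((datetime.fromisoformat(t), u, ip, float(la), float(lo))
                  for t, u, ip, la, lo in rows)

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive logins by one user whose implied speed exceeds max_kmh."""
    last, alerts = {}, []
    for ts, user, ip, lat, lon in events:
        if user in last:
            pts, pip, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, pip, ip, round(km)))
        last[user] = (ts, ip, lat, lon)
    return alerts

def shared_source_ips(events):
    """Source IPs that logged in to more than one account."""
    users = defaultdict(set)
    for _, user, ip, _, _ in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}
```

On the sample, `impossible_travel(parse(SAMPLE_LOG))` flags alice's London-to-Tokyo pair 90 minutes apart, and `shared_source_ips` reports the address used by both alice and carol.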
● Examples
- 01: A remote worker connecting through a corporate VPN client to reach internal file shares.
- 02: Two branch offices linked by an IPsec tunnel that carries inter-site traffic encrypted over the internet.
● Frequently asked questions
What is a VPN (Virtual Private Network)?
A technology that creates an encrypted, authenticated tunnel over a public network so that traffic appears to travel through a private network. It belongs to the Network Security category of cybersecurity.
How do you defend a VPN (Virtual Private Network)?
Defences for a VPN (Virtual Private Network) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for VPN (Virtual Private Network)?
Common alternative names include: Virtual Private Network.