Hook / Why this matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Remote work, partner access, and vendor support all depend on network connectivity from outside your walls. If you do not control how people connect and what they can reach once they are in, you effectively extend your internal network to the entire internet.
Core concept explained simply
Remote connectivity is about providing secure pathways into your environment while keeping exposure as small as possible. Network Access Control (NAC) and Virtual Private Networks (VPNs) are core tools, but they only work if you understand their strengths, limits, and configuration choices.
Types of remote access
Several patterns recur in enterprise networks:
- Remote access VPNs let individual users connect from laptops or mobile devices into the corporate network.
- Site to site VPNs connect entire networks, such as branch offices or partners, over the internet.
- SSL VPNs and remote access portals expose applications through a browser without full network connectivity.
- Remote desktop gateways and bastions allow administrators or users to connect to desktops and servers through an intermediate, controlled endpoint.
- Zero trust access solutions provide application level access based on identity and device posture rather than network location.
The right choice depends on who needs access, from where, and to what.
How VPNs work at a high level
VPNs create encrypted tunnels between endpoints. A remote access VPN client establishes a secure tunnel to a gateway. Traffic inside that tunnel is protected from eavesdropping and tampering as it crosses untrusted networks.
Key concepts:
- Authentication verifies the user and often the device.
- Encryption protects the confidentiality and integrity of packets in transit.
- Tunneling encapsulates private network traffic inside another protocol, commonly IPsec or TLS.
VPNs do not magically make everything on the far side safe. They simply provide a secure pathway into your environment.
Split tunneling vs full tunneling
The tunneling mode decides whether all of a remote user's traffic goes through the VPN to the corporate network, or whether it is split between the VPN and a direct path to the internet at the same time.
- Full tunneling sends all traffic through the VPN. The organization can apply consistent controls like filtering and logging but must handle all that bandwidth.
- Split tunneling sends only traffic for corporate resources through the VPN, while other traffic goes directly to the internet. This improves performance but creates a risk.
With split tunneling, the remote device acts as a bridge between the corporate network and the public internet. Malware running on that device, or an attacker on the local network, can potentially use the VPN connection to reach internal resources.
Network Access Control fundamentals
Network Access Control verifies that devices meet certain conditions before connecting to the network. Typical checks include:
- Operating system version and patch level.
- Presence and status of endpoint protection.
- Disk encryption and configuration policies.
NAC often relies on 802.1X authentication at the switch or wireless controller, combined with a RADIUS server that makes access decisions.
Devices that do not meet policy may be placed in a quarantine network with limited access until they are remediated.
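A posture decision of the kind described above, written as an added example rather than any NAC product's code: the posture fields, the minimum build, the patch-age limit and the VLAN ids are placeholder assumptions, while the RADIUS tunnel attributes are the ones defined in RFC 2868 for VLAN assignment.

```python
from dataclasses import dataclass

# Constructed posture record; field names are assumptions for this example,
# not a real NAC vendor's schema.
@dataclass
class Posture:
    device_id: str
    managed: bool          # enrolled in corporate endpoint management
    os_build: tuple        # e.g. (10, 0, 19045), compared against MIN_OS_BUILD
    patch_age_days: int    # days since the last security update was applied
    edr_healthy: bool      # endpoint protection agent present and reporting
    disk_encrypted: bool

MIN_OS_BUILD = (10, 0, 19044)     # placeholder policy values, not a recommendation
MAX_PATCH_AGE_DAYS = 30
VLAN_BY_DECISION = {"corp": "100", "quarantine": "900"}   # placeholder VLAN ids

def evaluate(p):
    """Return (decision, failed_checks); decision is corp, quarantine or deny."""
    if not p.managed:
        # Policy choice mirroring the page: unmanaged devices get no access at all
        # rather than a remediation VLAN.
        return "deny", ["not enrolled in endpoint management"]
    failed = []
    if p.os_build < MIN_OS_BUILD:
        failed.append("operating system below minimum build")
    if p.patch_age_days > MAX_PATCH_AGE_DAYS:
        failed.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if not p.edr_healthy:
        failed.append("endpoint protection missing or unhealthy")
    if not p.disk_encrypted:
        failed.append("disk not encrypted")
    return ("quarantine", failed) if failed else ("corp", [])

def radius_vlan_attributes(decision):
    """RADIUS tunnel attributes (RFC 2868) a policy server returns to the
    switch or wireless controller to place the session in the chosen VLAN."""
    if decision == "deny":
        return {}   # an Access-Reject carries no VLAN assignment
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": VLAN_BY_DECISION[decision],
    }

if __name__ == "__main__":
    laptop = Posture("lt-002", True, (10, 0, 19045), 45, False, True)
    decision, reasons = evaluate(laptop)
    print(decision, reasons, radius_vlan_attributes(decision))
```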
Identity centric and device aware access
Modern designs rely on both user identity and device posture. Instead of giving full network access to anyone with VPN credentials, organizations are moving toward:
- Per application access based on single sign on and strong authentication.
- Device certificates or management enrollment as prerequisites for access.
- Conditional access policies that consider location, device health, and risk signals.
This is more aligned with zero trust principles and reduces reliance on network location alone.
CISSP lens
For CISSP Domain 4, focus on:
- Matching remote access type to requirement. For a partner that needs ongoing access between two sites, a site to site VPN is appropriate. For individual employees, a remote access VPN or application gateway is more suitable.
- Recognizing split tunneling risks. Know why split tunneling is risky and when an exam scenario might push you toward full tunneling.
- Understanding NAC goals. NAC enforces security posture before devices join sensitive networks, particularly on internal wired and wireless segments.
- Balancing security and usability. On the exam, you will often choose the option that controls risk while remaining feasible for the organization described.
- Protecting administrative access. Admin connections should go through more controlled paths, such as jump hosts or bastions, with stronger authentication and logging.
When evaluating options in questions, ask yourself: "Does this approach limit what a compromised remote device or account can do?"
Real-world scenario
A consulting firm allowed remote staff and contractors to connect via a VPN from any device, including personal laptops. The VPN used split tunneling, and authentication relied only on usernames and passwords.
One contractor's personal laptop was infected with malware that established command and control back to an attacker. When the contractor connected to the corporate VPN, the malware:
- Enumerated reachable internal IP ranges.
- Scanned file servers for open shares.
- Attempted to connect to management interfaces exposed on the internal network.
Because there were few internal segmentation controls and no posture checks, the attacker quickly found and exfiltrated sensitive client documents.
In response, the firm made several changes:
- Restricted VPN use to managed corporate devices enrolled in endpoint management.
- Implemented NAC checks to verify endpoint protection and patch levels.
- Limited VPN user groups to specific, least privilege access sets, rather than broad internal reachability.
- Required remote administrative access to go through hardened jump hosts with multifactor authentication and full session logging.
- Re-evaluated split tunneling and tightened policies, using full tunneling for high risk roles.
These steps did not eliminate remote access risk, but they dramatically reduced the chance that a single infected personal device could threaten the entire network.
Common mistakes and misconceptions
Organizations often misstep in similar ways:
- Assuming VPN authentication is enough. Strong authentication helps, but device health matters just as much. A trusted user on a compromised device still presents serious risk.
- Treating all VPN users as equal. Admins, developers, and general staff should not share the same broad level of network access.
- Allowing direct remote administrative protocols from the internet. Exposing RDP or SSH directly to the internet, even behind a password, remains a common cause of breaches.
- Enabling split tunneling by default without understanding the tradeoff. This is often done for performance, but the risk needs explicit acceptance and compensating controls.
- Neglecting logging and monitoring. Remote access gateways are critical chokepoints. If you do not log and review their activity, you lose valuable detection and investigation data.
A CISSP should be able to articulate these issues and guide policy decisions.
Actionable checklist
To improve remote access and NAC in your environment:
- Inventory all current remote access methods, including VPNs, remote desktop solutions, and third party tools such as remote support software.
- Disable or phase out direct admin access protocols from the internet. Require administrators to use VPN plus jump hosts or bastion services.
- Define a split tunneling policy that specifies which roles, if any, may use it and under what conditions. Document the risk acceptance.
- Implement or strengthen NAC checks for corporate devices, focusing on operating system updates, endpoint security, and disk encryption.
- Ensure that all remote access systems enforce strong, multifactor authentication tied to corporate identity systems.
- Centralize and monitor logs from VPN gateways, remote access portals, and bastions, with alerts for unusual access patterns.
- Review partner and vendor access accounts regularly, removing unused accounts and tightening scopes.
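The log review in the centralize-and-monitor item above, as an added example that is not part of the original page: the log lines are constructed, their field layout is an assumption rather than any gateway's real format, and the three rules (success from a non-managed device, success after repeated failures, and a country change between two successes within a short window) are illustrative starting points.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN gateway log lines; the key=value layout is an assumption.
LOG_LINES = """\
2024-05-02T08:12:04Z user=alice src=203.0.113.10 geo=US result=success device=managed
2024-05-02T08:40:51Z user=alice src=198.51.100.7 geo=BR result=success device=managed
2024-05-02T09:01:10Z user=bob src=192.0.2.33 geo=US result=failure device=unknown
2024-05-02T09:01:12Z user=bob src=192.0.2.33 geo=US result=failure device=unknown
2024-05-02T09:01:15Z user=bob src=192.0.2.33 geo=US result=failure device=unknown
2024-05-02T09:01:20Z user=bob src=192.0.2.33 geo=US result=success device=unmanaged
2024-05-02T10:15:00Z user=carol src=203.0.113.55 geo=US result=success device=managed
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"result=(?P<result>\S+) device=(?P<device>\S+)$")

def parse(line):
    """Parse one line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_alerts(lines, travel_window_h=2, fail_threshold=3):
    """Return (user, reason) pairs for access patterns worth an analyst's look."""
    by_user = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        fails, last_ok = 0, None
        for e in events:                      # lines are in time order
            if e["result"] != "success":
                fails += 1
                continue
            if e["device"] != "managed":
                alerts.append((user, "success from non-managed device"))
            if fails >= fail_threshold:
                alerts.append((user, "success after repeated failures"))
            if (last_ok and last_ok["geo"] != e["geo"]
                    and (e["ts"] - last_ok["ts"]).total_seconds() <= travel_window_h * 3600):
                alerts.append((user, "country change within travel window"))
            fails, last_ok = 0, e
    return alerts
```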
Key takeaways
- Remote access is necessary exposure that must be tightly controlled.
- Network Access Control helps ensure that only healthy, trusted devices join sensitive networks.
- Split tunneling is a tradeoff decision, and the risk must be understood and managed.
- Administrative access requires stronger controls than general user access.
- Good logging and monitoring at remote entry points are critical for detection and investigation.
Optional exam-style reflection question
A remote employee connects to the corporate network using a VPN configured for split tunneling. What is the main security risk of this configuration?
Answer: With split tunneling, the employee's device is connected to both the internet and the corporate network at the same time. Malware on the device or an attacker on the local network can potentially use the VPN connection to access internal resources, bypassing corporate perimeter defenses.