
VPN Security for CompTIA Network+ N10-009

VPN security encompasses the protocols, encryption, and authentication mechanisms that protect VPN tunnels. CompTIA Network+ N10-009 tests VPN security from the security domain perspective — which protocols are secure vs deprecated, what encryption and authentication is used, and how VPNs fit into a defense-in-depth strategy. While VPN implementation is covered separately, VPN security focuses on why certain choices are more secure than others.


VPN Encryption and Integrity

IPsec security algorithms: AES (Advanced Encryption Standard) for encryption — AES-128, AES-192, AES-256. AES-256 is the current gold standard. SHA-2 (SHA-256, SHA-384, SHA-512) for integrity — replaces weak SHA-1 and MD5. Perfect Forward Secrecy (PFS): generates unique session keys for each VPN session — even if the long-term key is compromised, past session traffic cannot be decrypted. Always enable PFS for sensitive VPN traffic.

IKE versions: IKEv1 (older, more complex, multiple modes) vs IKEv2 (simpler, faster, more secure, supports MOBIKE for mobile clients). Use IKEv2 where possible. IKE negotiates the Security Association (SA) — the agreed encryption, integrity, and key-exchange parameters for the tunnel.

Deprecated/weak VPN protocols: PPTP — RC4/MPPE encryption, completely compromised — never use. L2TP alone — no encryption at all. 3DES — deprecated, vulnerable. MD5 — weak hash. Always use AES + SHA-2 + IKEv2 for IPsec VPNs.
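The guidance above (and the key exam facts later on this page) amounts to a checklist: AES for encryption, SHA-2 for integrity, IKEv2, a DH group on every ESP proposal so PFS is in effect, and no PPTP, bare L2TP, 3DES or MD5 anywhere. The following audit script is an added example written for this page, not code from the study guide or from any VPN vendor. It assumes the common `enc-integ-dhgroup` proposal notation (for example `aes256-sha256-modp2048`) and a small configuration dictionary of my own design; the 2048-bit MODP minimum and the accepted elliptic-curve group names are assumptions in the same spirit as the page, not values it states.

```python
"""Audit IPsec/IKE proposal strings against the page's recommendations.

Added example. Proposal syntax is assumed to be "enc-integ[-dhgroup]";
the policy tables below encode the page's advice plus an assumed
2048-bit MODP minimum.
"""
import re

WEAK_ENCRYPTION = {"des", "3des", "rc4", "null"}          # deprecated per the page
WEAK_INTEGRITY = {"md5", "sha1"}                          # weak hashes per the page
STRONG_ENC_RE = re.compile(r"^aes(128|192|256)$")         # AES-128/192/256
STRONG_INTEG_RE = re.compile(r"^sha(256|384|512)$")       # SHA-2 family
MODP_RE = re.compile(r"^modp(\d+)$")
MIN_MODP_BITS = 2048                                      # assumed threshold
ECP_GROUPS = {"ecp256", "ecp384", "ecp521", "curve25519"}  # assumed EC group names


def audit_proposal(proposal, kind="ike"):
    """Return a list of findings for one proposal string; an empty list means OK.

    kind="esp": a missing DH group means PFS is disabled for the child SA.
    kind="ike": a DH group is always required for the IKE SA.
    """
    findings = []
    parts = proposal.lower().split("-")
    if len(parts) < 2:
        return [f"{proposal}: cannot parse, expected enc-integ[-dhgroup]"]
    enc, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) > 2 else None

    if enc in WEAK_ENCRYPTION:
        findings.append(f"{proposal}: encryption '{enc}' is deprecated, use AES")
    elif not STRONG_ENC_RE.match(enc):
        findings.append(f"{proposal}: unrecognised encryption '{enc}'")

    if integ in WEAK_INTEGRITY:
        findings.append(f"{proposal}: integrity '{integ}' is weak, use SHA-2")
    elif not STRONG_INTEG_RE.match(integ):
        findings.append(f"{proposal}: unrecognised integrity '{integ}'")

    if dh is None:
        if kind == "esp":
            findings.append(f"{proposal}: no DH group on ESP proposal, PFS is disabled")
        else:
            findings.append(f"{proposal}: IKE proposal has no DH group")
    else:
        m = MODP_RE.match(dh)
        if m:
            if int(m.group(1)) < MIN_MODP_BITS:
                findings.append(f"{proposal}: DH group '{dh}' is below {MIN_MODP_BITS} bits")
        elif dh not in ECP_GROUPS:
            findings.append(f"{proposal}: unrecognised DH group '{dh}'")
    return findings


def audit_vpn(config):
    """Audit one VPN definition (assumed dict layout, see SAMPLE_CONFIGS)."""
    proto = config.get("protocol", "ipsec").lower()
    if proto == "pptp":
        return ["PPTP (RC4/MPPE) is broken, replace with IPsec"]
    if proto == "l2tp":
        return ["L2TP without IPsec provides no encryption"]
    findings = []
    if config.get("ike_version", 2) != 2:
        findings.append("IKEv1 in use, prefer IKEv2")
    for p in config.get("ike", []):
        findings.extend(audit_proposal(p, "ike"))
    for p in config.get("esp", []):
        findings.extend(audit_proposal(p, "esp"))
    return findings


# Constructed sample configurations, not taken from any real deployment.
SAMPLE_CONFIGS = {
    "modern": {"protocol": "ipsec", "ike_version": 2,
               "ike": ["aes256-sha256-modp2048"], "esp": ["aes256-sha256-ecp256"]},
    "legacy": {"protocol": "ipsec", "ike_version": 1,
               "ike": ["3des-md5-modp1024"], "esp": ["aes128-sha1"]},
    "remote-access-2003": {"protocol": "pptp"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        result = audit_vpn(cfg)
        print(f"[{name}] {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The `legacy` sample produces one finding per weak element (IKEv1, 3DES, MD5, a 1024-bit group, SHA-1, and an ESP proposal with no DH group, i.e. no PFS), which is the "same label, opposite extremes" point the page makes in its exam-trap section.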

VPN Authentication Security

VPN authentication methods ranked by security: Pre-shared key (PSK) — weakest, shared secret, vulnerable to brute force if key is weak. Certificate-based (X.509) — much stronger, uses asymmetric cryptography, mutual authentication. Multi-factor authentication — adds OTP or push notification on top of credentials. RADIUS/LDAP integration — enables per-user authentication with corporate directory.

Split tunneling security risks: when only corporate traffic goes through the VPN, internet traffic bypasses security controls. Malware on the endpoint could use the VPN connection to reach corporate resources while the internet connection is unmonitored. Full tunnel VPN routes all traffic through corporate security stack — higher protection, higher bandwidth cost.

Always-on VPN: endpoints always maintain VPN connection — closes the window when users are off-VPN and unprotected. Prevents bypassing security controls. Required for high-security environments.

Key exam facts — Network+

  • IPsec: AES-256 for encryption, SHA-256/384/512 for integrity — avoid 3DES and MD5
  • IKEv2: preferred over IKEv1 — faster, simpler, better mobile support
  • PFS (Perfect Forward Secrecy): unique session keys — past sessions protected if long-term key compromised
  • PPTP = deprecated, broken — never use
  • Certificate-based VPN auth > PSK — more secure, mutual authentication
  • Split tunneling: only VPN traffic goes through tunnel; full tunnel: all traffic
  • Always-on VPN ensures endpoints are always protected regardless of location

Common exam traps

All VPNs provide equal security

VPN security varies dramatically by protocol and configuration. PPTP is completely insecure. IPsec with AES-256, SHA-256, IKEv2, and PFS is highly secure. The same 'VPN' label covers both extremes.

Practice questions — VPN Security

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A security administrator wants to ensure that even if a VPN long-term key is compromised in the future, past VPN sessions cannot be decrypted. Which IPsec feature achieves this?

A. IKEv2
B. AES-256 encryption
C. Perfect Forward Secrecy (PFS)
D. Certificate-based authentication

Explanation: Perfect Forward Secrecy (PFS) generates unique session keys for every VPN session using Diffie-Hellman key exchange during each IKE Phase 2 negotiation. Even if an attacker later obtains the long-term pre-shared key or private key, past session keys were ephemeral and cannot be derived — past traffic remains protected.
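The PFS description in the encryption section and the explanation of Q1 both make the same claim: a recorded session stays confidential even after the long-term key leaks, because the session key came from an ephemeral Diffie-Hellman exchange that the long-term key only authenticated. The script below is an added example, not code from the study guide, that models one session both ways so the difference can be observed directly. It assumes a toy 127-bit DH group (so it runs instantly; real IKE uses MODP-2048 or larger, or elliptic-curve groups), a constructed pre-shared key, and a minimal SHA-256-based keystream plus HMAC in place of AES/ESP.

```python
"""Why PFS protects past sessions: added example with a toy DH group.

Session A (no PFS): the session key is derived from the long-term PSK and
public nonces, so anyone who later learns the PSK can recompute it.
Session B (PFS): the PSK only authenticates the peers' ephemeral DH values;
the session key comes from g^(ab), which the attacker cannot compute from
the recorded transcript without a or b (a discrete-log problem).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1                                   # toy prime, NOT a production group
G = 5
PSK = b"constructed-long-term-pre-shared-key"    # constructed sample value
NBYTES = 16                                      # P < 2**128, so 16 bytes suffice


def kdf(*parts):
    """Toy key derivation: SHA-256 over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Toy encrypt-then-MAC standing in for ESP's AES + SHA-2."""
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key, blob):
    """Verify the MAC and decrypt; returns None when the key is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(key, len(ct))))


def session_without_pfs(message):
    """Returns (what a passive observer records, the key the peers hold)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    key = kdf(PSK, ni, nr)                       # depends only on PSK + public nonces
    return {"ni": ni, "nr": nr, "blob": seal(key, message)}, key


def session_with_pfs(message):
    """Same, but the key comes from a fresh DH exchange authenticated by the PSK."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    a = secrets.randbelow(P - 2) + 1             # initiator's ephemeral private value
    b = secrets.randbelow(P - 2) + 1             # responder's ephemeral private value
    A, B = pow(G, a, P), pow(G, b, P)            # public values sent on the wire
    # The PSK authenticates the public values (the role of the IKE AUTH payload).
    auth_i = hmac.new(PSK, A.to_bytes(NBYTES, "big") + ni, hashlib.sha256).digest()
    auth_r = hmac.new(PSK, B.to_bytes(NBYTES, "big") + nr, hashlib.sha256).digest()
    shared = pow(B, a, P)                        # == pow(A, b, P) on the other side
    key = kdf(shared.to_bytes(NBYTES, "big"), ni, nr)
    del a, b, shared                             # ephemeral secrets are discarded
    transcript = {"ni": ni, "nr": nr, "A": A, "B": B,
                  "auth_i": auth_i, "auth_r": auth_r, "blob": seal(key, message)}
    return transcript, key


def attacker_with_leaked_psk(transcript):
    """The attacker holds the recorded transcript and, later, the PSK.

    Returns (can_verify_authentication, recovered_plaintext_or_None).
    """
    if "A" not in transcript:                    # no PFS: recompute the key directly
        key = kdf(PSK, transcript["ni"], transcript["nr"])
        return True, open_(key, transcript["blob"])
    # With PFS the PSK lets the attacker verify (and, in future, forge) AUTH tags ...
    expected = hmac.new(PSK, transcript["A"].to_bytes(NBYTES, "big") + transcript["ni"],
                        hashlib.sha256).digest()
    can_verify = hmac.compare_digest(expected, transcript["auth_i"])
    # ... but the key needs g^(ab); the PSK-only derivation simply does not open it.
    key_guess = kdf(PSK, transcript["ni"], transcript["nr"])
    return can_verify, open_(key_guess, transcript["blob"])


if __name__ == "__main__":
    msg = b"constructed tunnel payload"
    t1, _ = session_without_pfs(msg)
    t2, _ = session_with_pfs(msg)
    print("no PFS, PSK leaked later:", attacker_with_leaked_psk(t1))
    print("PFS,    PSK leaked later:", attacker_with_leaked_psk(t2))
```

The asymmetry the page describes shows up in the two results: in both cases the leaked PSK lets the attacker impersonate a peer in future sessions (authentication is still only as strong as the PSK, which is why the page ranks certificates above PSKs), but only the non-PFS session gives up its recorded plaintext.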

Frequently asked questions — VPN Security

What is the difference between IKEv1 and IKEv2?

IKEv1 uses two phases (Aggressive or Main mode in Phase 1) with more complex negotiation. IKEv2 is streamlined, more efficient, and supports: MOBIKE (mobility for mobile clients changing IPs), EAP (Extensible Authentication Protocol for user authentication), built-in NAT traversal, and is resistant to certain DoS attacks. Always prefer IKEv2 for new deployments.
