Not every enterprise needs the functionality of a standard VPN client. A site-to-site VPN may be a better choice for some companies, but it's not without risk.
By Michael Heller, TechTarget, and Judith Myerson
Published: 28 Aug 2020
Using a site-to-site VPN can have many benefits over a traditional VPN client, but it all depends on the needs of the organization, the size of the workforce using it and cost considerations.
The main aim of a site-to-site VPN is to securely connect two locations through gateway hardware. Site-to-site VPNs are often used in WANs to connect the LANs of separate branches or offices without the need for individual VPN software on each device. However, for smaller organizations with relatively few employees that need access to the company LAN, traditional VPN clients may be the more cost-effective option.
4 benefits of site-to-site VPNs
Security
Site-to-site VPN security is the most important benefit, as IPsec protocols will ensure all traffic is encrypted in transit through the VPN tunnel. The site-to-site VPN tunnel only allows traffic from one end to the other, blocking any attempts to intercept the traffic from the outside. All traffic must be signed by a digital certificate, and to get authenticated, a public key infrastructure (PKI) must be deployed. Internet Key Exchange, which is usually associated with the IPsec protocol, is not as strong as a PKI.
Scalability
When compared to a traditional VPN, a top benefit of a site-to-site VPN is its scalability. Rather than needing to ensure each employee system is running VPN client software as if it were on a remote access VPN, a site-to-site VPN only requires a VPN gateway at each location. This makes it easy to add a new site or another office branch to the network or relocate a remote office or site.
Lower latency
If an organization needs improved performance, a site-to-site VPN can be configured to lower latency by using MPLS to route traffic over a VPN provider's infrastructure rather than through the public internet. Using MPLS via a VPN provider also means less work by the organization's IT staff, as the provider will handle more of the setup and maintenance. However, this will come at a higher cost.
Managed services options
A site-to-site VPN can be run as a fully managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them.
A potential alternative to MPLS or IPsec VPN at a lower cost is software-defined WAN (SD-WAN), although SD-WAN can be more complex to set up without the help of a provider.
Considerations before adopting a site-to-site VPN
As with any technology, there are some risks to consider before deploying a site-to-site VPN. Settings and configurations must be monitored with care, especially when dealing with a PKI.
Organizations must also always be aware of vulnerabilities in hardware and software. Cisco Adaptive Security Appliance (ASA) firewalls have had remote attack vulnerabilities that could compromise VPN traffic, and hospitals with VPN vulnerabilities have been targeted by ransomware groups.
Also note that a site-to-site VPN assumes central physical locations where employees congregate, because the tunnel can only run between two static locations. As more employees work from home, a site-to-site VPN may not be as beneficial as a cloud VPN, a VPN service provider or transitioning to Secure Access Service Edge for network security.
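The security section above describes certificate (PKI) authentication and IPsec encryption for the gateway-to-gateway tunnel, and the considerations section asks for careful monitoring of settings. As an added example that is not part of the original article and is not strongSwan's own tooling, the Python script below parses a strongSwan swanctl-style configuration and flags the settings a reviewer would want caught before a tunnel goes live: pre-shared-key instead of certificate authentication, IKEv1, legacy algorithms, a missing Diffie-Hellman group in the ESP proposal (no perfect forward secrecy) and no dead peer detection. Both embedded configurations are constructed for illustration: the addresses come from RFC 5737 documentation ranges, and the connection names, certificate file names and the weak-algorithm list are the author's assumptions, not values from a real deployment.

```python
# Added example: lint a strongSwan swanctl-style site-to-site IPsec config for weak settings.
import re

# Constructed samples, not a real deployment: RFC 5737 addresses, placeholder file and connection names.
HARDENED_CONF = """
connections {
    site-a-to-site-b {
        version = 2
        remote_addrs = 198.51.100.20
        proposals = aes256gcm16-prfsha384-x25519
        dpd_delay = 30s
        local {
            auth = pubkey          # gateway proves its identity with its own certificate
            certs = site-a.pem
        }
        remote {
            auth = pubkey          # peer must present a certificate chained to the corporate CA
            cacerts = corp-ca.pem
        }
        children {
            lan-to-lan {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
"""

# Constructed legacy tunnel: IKEv1, pre-shared key, dated algorithms, no PFS group, no DPD.
LEGACY_CONF = """
connections {
    legacy-branch {
        version = 1
        remote_addrs = 198.51.100.30
        proposals = 3des-sha1-modp1024
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            lan-to-lan {
                local_ts = 10.1.0.0/16
                remote_ts = 10.3.0.0/16
                esp_proposals = aes128-sha1
            }
        }
    }
}
"""

# Assumed list of algorithms and DH groups a reviewer would reject in a new tunnel.
WEAK_ALGS = {"null", "des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|x25519|x448|curve25519|curve448)$")


def parse_swanctl(text):
    """Parse the nested `section { key = value }` syntax into nested dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.endswith("{"):                       # open a named section
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == "}":                            # close the current section
            cur = stack.pop()
        elif line:                                   # key = value, surrounding quotes removed
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip().strip('"')
    return root


def weak_algorithms(proposal):
    """Legacy algorithm names found in a proposal list such as '3des-sha1-modp1024'."""
    algs = [a for p in proposal.split(",") for a in p.split("-")]
    return [a for a in algs if (a[3:] if a.startswith("prf") else a) in WEAK_ALGS]


def has_pfs(esp_proposal):
    # True only when every ESP proposal names a DH group, i.e. perfect forward secrecy is on.
    return all(any(DH_GROUP.match(a) for a in p.split("-")) for p in esp_proposal.split(","))


def lint_connections(conf):
    """Return human-readable findings for every connection in a parsed configuration."""
    findings = []
    for name, conn in conf.get("connections", {}).items():
        if conn.get("version") != "2":
            findings.append(f"{name}: IKE version is not 2")
        for side, section in conn.items():           # local, remote, local-1, ...
            if isinstance(section, dict) and side.startswith(("local", "remote")):
                auth = section.get("auth", "unset")
                if auth != "pubkey":
                    findings.append(f"{name}: {side} auth is '{auth}', not certificate-based (pubkey)")
        for alg in weak_algorithms(conn.get("proposals", "")):
            findings.append(f"{name}: weak IKE algorithm {alg}")
        if "dpd_delay" not in conn:
            findings.append(f"{name}: dead peer detection disabled (no dpd_delay)")
        for cname, child in conn.get("children", {}).items():
            esp = child.get("esp_proposals", "")
            for alg in weak_algorithms(esp):
                findings.append(f"{name}/{cname}: weak ESP algorithm {alg}")
            if esp and not has_pfs(esp):
                findings.append(f"{name}/{cname}: no DH group in esp_proposals, so no perfect forward secrecy")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(f"[{label}]", lint_connections(parse_swanctl(text)) or ["no findings"])
```

Run against the hardened sample the linter reports nothing; against the legacy sample it reports nine findings, one per setting the article's security section argues against. The parser handles only the subset of swanctl.conf syntax shown (one section or key per line, `#` comments), which is enough for a pre-deployment review script but is not a replacement for strongSwan's own `swanctl --load-all` validation.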