James Thew - Fotolia

Evaluate

Are there security benefits to using a site-to-site VPN?

Not every enterprise needs the functionality of a standard VPN client. Expert Judith Myerson explains why a site-to-site VPN may be a better choice for some companies.

Judith Myerson

My company is looking at VPN options. Are there any benefits to using a site-to-site VPN over a traditional VPN client?

Yes, there are benefits to using a site-to-site VPN over a traditional VPN client. Here are four of them.

First, a site-to-site VPN secures connections when you use it with IPsec. All traffic is encrypted as it begins the journey through the tunnel from one site to another. The site-to-site VPN tunnel shuts out hackers, viruses and malicious content from the sea of internet monsters. All traffic must have a digital signature (digital certificate) authentication as its "ticket" to ride in the tunnel. To get the authentication, a public key infrastructure (PKI) must be deployed. Internet Key Exchange, which is usually associated with the IPsec protocol, is not as strong as the PKI.

Second, a site-to-site VPN is scalable. It is easy to add a new site or another office branch to the network. When you decide to relocate a remote office or site, it is nearly painless to set up the VPN at the new location. You won't need to have each of your 1,000 computers run VPN client software as if they were on a remote access VPN.

If you need to have greater scalability than a standard IPsec tunnel can offer, you can use dynamic multipoint VPN (DMVPN) technologies, such as Cisco's DMVPNs or Brocade's vRouter series. A DMVPN can create a secure network between two branch offices without having to route the traffic through the enterprise's network.

Third, a site-to-site VPN can be configured to lower latency in the network. You can combine IPsec with a bucket of protocols, such as multiprotocol label switching (MPLS). Standard IPsec doesn't provide support for multiprotocol and IP multicast traffic. Also, it's important to note that MPLS doesn't handle encryption.

Finally, a site-to-site VPN can be run as a managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them. Choose this option if you don't want to be bothered with the hassle of setting up a site-to-site VPN on your own.

Next Steps

Read more on the differences between Generic Routing Encapsulation tunnels and IPsec tunnels

Find out how the managed security service provider model is changing

Learn about out-of-band management for enterprise networks

This was last published in December 2016

Dig Deeper on VPN security

Judith Myerson asks:

Does your organization use site-to-site VPN tunnels or traditional VPN clients for its branch offices?

Join the Discussion

Related Q&A from Judith Myerson

Should I worry about the Constrained Application Protocol?

The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading

How can I protect my self-encrypting drives?

Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading

How did Signal Desktop expose plaintext passwords?

The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading

SearchCloudSecurity

Privacy-preserving machine learning assuages infosec fears

Implementing privacy-preserving machine learning controls, such as federated learning and homomorphic encryption, can address top...

How Azure, AWS, Google handle data destruction in the cloud

Data destruction is a topic that has been poorly covered until recently. Regardless of which cloud service provider you use, this...

Multi-cloud security strategies rely on visibility, uniformity

More companies are instituting a multi-cloud strategy that creates unforeseen security challenges. In this tip, get answers to ...

SearchNetworking

SASE market emerges as the 'wave of the future'

Secure Access Service Edge is the latest technology to garner industry buzz in networking and security. Although it's still ...

Tech pros focus on application delivery during pandemic

Tech pros have added security, automation and session capacity to their application delivery infrastructure to support business ...

How the cloud fractures application delivery infrastructure ops

Within a single IT organization, traditional network teams may clash with cloud teams over application delivery infrastructure ...

SearchCIO

4 ways CIOs can drive IT cost savings during the pandemic

Here are four ways to drive tech savings amid the COVID-19 pandemic that can both yield quick wins and position organizations to ...

Post COVID-19 strategies for CIOs on leading through crisis

To see their companies through the current crisis, CIOs should consider these five strategies focused around IT budgets, ...

Workplace of the future undergoes last-minute alterations

Future of work plans entailed offices that fostered better employee engagements and productivity, while accommodating a small ...

SearchEnterpriseDesktop

Citrix microapps look to ease office reopening

With new Workspace microapps, Citrix is looking to make it easier for offices to reopen. Company representatives said the tools ...

VMware Workspace One unifies reshaped digital workforces

As companies struggle to rebalance their on-site and remote digital workforces in the wake of COVID-19, Workspace One helps ...

Macs to run on Apple silicon, leaving Intel behind

Future Macs will not run on Intel processors but on Apple silicon chips. The change could present compatibility issues, although ...

SearchCloudComputing

What's behind cloud providers' push for custom hardware?

The nature of the cloud market demands innovation, and custom hardware might be the next move for the major vendors in this space...

Review the top sessions from recent cloud conferences

Build your own cloud conference from home. Watch sessions from the past year to learn about modern application architecture, ...

Test your cloud knowledge: VMs vs. containers vs. serverless

Take this quiz to help guide your choice between virtual machines, containers and serverless functions. Identify the uses, ...

ComputerWeekly.com

Nutanix claims growth in ASEAN amid growing cloud adoption

Nutanix’s business in ASEAN grew by over 40% as the region’s enterprises warm to hybrid and multi-cloud services

Lorca scale-ups bring diverse security to the fore

London Office for Rapid Cybersecurity Advancement announces the cyber security scale-ups that will make up its fifth cohort

Need to secure industrial IoT more acute than ever

A report from the Lloyd’s Register Foundation is calling for urgent action to secure industrial infrastructure, as the IoT leaves...

Join the conversation

2 comments

Send me notifications when other members comment.

Oldest

[-]

pankajmitra - 3 Jan 2017 4:47 AM

Dear Judith,

With due respect to your experience and expertise, are you aware how VPNs are laid out over the IP Core networks of TSP (telephone service provider). This is explained in VPN1.pdf and shows how there is continuous physical connectivity from the Internet to the VPN routers at all locations through the Tier 1 switch of the TSP's IP Core at the location. As you are aware all firewalls are breakable given continuous access from the Internet. Further in all IP networks all routers have continuous connectivity with all other routers and the communications are simultaneous. Thus while routers at A and B are communicating, a router C could communicate simultaneously with A or B or both . Thus while using security protocols like IPSec can ensure fidelity of transmission along the VPN path or even as a matter over the Internet, it cannot prevent C from establishing parallel communication with either A or B or both. And if this C is a hacker, then he can snoop and spoof through the firewall behind the VPN router, and enter the enterprise network. Thus all VPN networks / connectivity are security vulnerable. VPN1A.pdf explains why despite this vulnerability VPNs have gained in popularity with IT Managers and Consultants. These two documents are available in http//slideshare.net/MIDAUTEL. However, if you send me an email ID, I will be pleased to mail these to you per return mail.

I am sorry to venture into the Statement "VPNs and security are not compatible". The transport over a VPN link is secure using protocols like IPSec. However, every VPN router in an enterprise network provides a freeway for hacker entry.

Judith Myerson - 11 Apr 2017 12:36 AM

Does your organization use site-to-site VPN tunnels or traditional VPN clients for its branch offices?

Are there security benefits to using a site-to-site VPN?