
Are there security benefits to using a site-to-site VPN?

Not every enterprise needs the functionality of a standard VPN client. Expert Judith Myerson explains why a site-to-site VPN may be a better choice for some companies.

My company is looking at VPN options. Are there any benefits to using a site-to-site VPN over a traditional VPN client?

Yes, there are benefits to using a site-to-site VPN over a traditional VPN client. Here are four of them.

First, a site-to-site VPN secures connections when you use it with IPsec. All traffic is encrypted as it begins the journey through the tunnel from one site to another. The site-to-site VPN tunnel shuts out hackers, viruses and malicious content from the sea of internet monsters. All traffic must present digital signature (digital certificate) authentication as its "ticket" to ride in the tunnel. To get that authentication, a public key infrastructure (PKI) must be deployed. Internet Key Exchange, which is usually associated with the IPsec protocol, is not as strong as the PKI.

Second, a site-to-site VPN is scalable. It is easy to add a new site or another office branch to the network. When you decide to relocate a remote office or site, it is nearly painless to set up the VPN at the new location. You won't need to have each of your 1,000 computers run VPN client software as if they were on a remote access VPN.

If you need to have greater scalability than a standard IPsec tunnel can offer, you can use dynamic multipoint VPN (DMVPN) technologies, such as Cisco's DMVPNs or Brocade's vRouter series. A DMVPN can create a secure network between two branch offices without having to route the traffic through the enterprise's network.

Third, a site-to-site VPN can be configured to lower latency in the network. You can combine IPsec with a bucket of protocols, such as multiprotocol label switching (MPLS). Standard IPsec doesn't provide support for multiprotocol and IP multicast traffic. Also, it's important to note that MPLS doesn't handle encryption.
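To make the first and third points concrete, here is an added example of a site-to-site IPsec gateway configuration; it is not from the original article or from any vendor the article names. It is written in strongSwan's swanctl.conf format and assumes two constructed gateways, Site A at 203.0.113.10 protecting 10.1.0.0/16 and Site B at 198.51.100.20 protecting 10.2.0.0/16, each holding a certificate issued by an enterprise CA (the file and identity names are placeholders). The first child SA is the plain tunnel-mode IPsec link for unicast traffic; the second protects GRE in transport mode, so a GRE tunnel interface configured on each host can carry the multicast and non-IP traffic that standard IPsec alone does not support.

```conf
# /etc/swanctl/swanctl.conf on the Site A gateway (constructed example)
# Site A gateway: 203.0.113.10, protecting 10.1.0.0/16
# Site B gateway: 198.51.100.20, protecting 10.2.0.0/16
# The enterprise CA certificate is installed in /etc/swanctl/x509ca/,
# the gateway certificate in /etc/swanctl/x509/ and its key in
# /etc/swanctl/private/ (file names below are placeholders).

connections {
    site-a-to-site-b {
        version = 2                      # IKEv2 only; no fallback to IKEv1
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20

        # IKE proposal: AEAD cipher, SHA-384 PRF, X25519 key exchange
        proposals = aes256gcm16-prfsha384-x25519
        rekey_time = 4h

        # Mutual certificate authentication: each side must present a
        # certificate that chains to the enterprise CA and carries the
        # expected identity, so an unknown third party cannot join.
        local {
            auth  = pubkey
            certs = siteA-gw.pem
            id    = "CN=siteA-gw.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=siteB-gw.example.net"
        }

        children {
            # Child 1: tunnel mode for ordinary unicast LAN-to-LAN traffic.
            lan-to-lan {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
                start_action = start     # bring the tunnel up when loaded
                dpd_action   = restart   # re-establish if the peer goes silent
                rekey_time   = 1h
            }

            # Child 2: transport mode protecting GRE between the gateways.
            # A GRE interface created on each host (outside this file) then
            # carries multicast and non-IP protocols inside the encrypted link.
            gre-over-ipsec {
                mode      = transport
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action   = restart
            }
        }

        dpd_delay = 30s                  # dead peer detection interval
    }
}
```

Site B uses the mirror image of this file (addresses, traffic selectors and identities swapped). The security-relevant choices are the certificate-based `auth = pubkey` on both sides with a pinned remote `id`, which is what the "PKI must be deployed" point in the article refers to, and AEAD-only proposals so that neither IKE nor ESP negotiates down to weaker algorithms. Note that the transport-mode child encrypts the GRE packets but the GRE tunnel still needs its own interface configuration on each gateway, and that MPLS, if used on the carrier side, adds no encryption of its own.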

Finally, a site-to-site VPN can be run as a managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them. Choose this option if you don't want to be bothered with the hassle of setting up a site-to-site VPN on your own.


This was last published in December 2016


Dear Judith,

With due respect to your experience and expertise, are you aware of how VPNs are laid out over the IP core networks of a TSP (telephone service provider)? This is explained in VPN1.pdf and shows how there is continuous physical connectivity from the Internet to the VPN routers at all locations through the Tier 1 switch of the TSP's IP core at the location. As you are aware, all firewalls are breakable given continuous access from the Internet. Further, in all IP networks all routers have continuous connectivity with all other routers and the communications are simultaneous. Thus while routers at A and B are communicating, a router C could communicate simultaneously with A or B or both. Thus while using security protocols like IPsec can ensure fidelity of transmission along the VPN path, or even as a matter over the Internet, it cannot prevent C from establishing parallel communication with either A or B or both. And if this C is a hacker, then he can snoop and spoof through the firewall behind the VPN router and enter the enterprise network. Thus all VPN networks/connectivity are security vulnerable. VPN1A.pdf explains why, despite this vulnerability, VPNs have gained in popularity with IT managers and consultants. These two documents are available at http//slideshare.net/MIDAUTEL. However, if you send me an email ID, I will be pleased to mail these to you by return mail.

I am sorry to venture into the statement "VPNs and security are not compatible". The transport over a VPN link is secure using protocols like IPsec. However, every VPN router in an enterprise network provides a freeway for hacker entry.