James Thew - Fotolia

Evaluate

Are there security benefits to using a site-to-site VPN?

Not every enterprise needs the functionality of a standard VPN client. Expert Judith Myerson explains why a site-to-site VPN may be a better choice for some companies.

Judith Myerson

My company is looking at VPN options. Are there any benefits to using a site-to-site VPN over a traditional VPN client?

Yes, there are benefits to using a site-to-site VPN over a traditional VPN client. Here are four of them.

First, a site-to-site VPN secures connections when you use it with IPsec. All traffic is encrypted as it begins the journey through the tunnel from one site to another. The site-to-site VPN tunnel shuts out hackers, viruses and malicious content from the sea of internet monsters. All traffic must have a digital signature (digital certificate) authentication as its "ticket" to ride in the tunnel. To get the authentication, a public key infrastructure (PKI) must be deployed. Internet Key Exchange, which is usually associated with the IPsec protocol, is not as strong as the PKI.

Second, a site-to-site VPN is scalable. It is easy to add a new site or another office branch to the network. When you decide to relocate a remote office or site, it is nearly painless to set up the VPN at the new location. You won't need to have each of your 1,000 computers run VPN client software as if they were on a remote access VPN.

If you need to have greater scalability than a standard IPsec tunnel can offer, you can use dynamic multipoint VPN (DMVPN) technologies, such as Cisco's DMVPNs or Brocade's vRouter series. A DMVPN can create a secure network between two branch offices without having to route the traffic through the enterprise's network.

Third, a site-to-site VPN can be configured to lower latency in the network. You can combine IPsec with a bucket of protocols, such as multiprotocol label switching (MPLS). Standard IPsec doesn't provide support for multiprotocol and IP multicast traffic. Also, it's important to note that MPLS doesn't handle encryption.

Finally, a site-to-site VPN can be run as a managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them. Choose this option if you don't want to be bothered with the hassle of setting up a site-to-site VPN on your own.

Next Steps

Read more on the differences between Generic Routing Encapsulation tunnels and IPsec tunnels

Find out how the managed security service provider model is changing

Learn about out-of-band management for enterprise networks

This was last published in December 2016

Dig Deeper on VPN security

Judith Myerson asks:

Does your organization use site-to-site VPN tunnels or traditional VPN clients for its branch offices?

Join the Discussion

Related Q&A from Judith Myerson

Should I worry about the Constrained Application Protocol?

The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading

How can I protect my self-encrypting drives?

Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading

How did Signal Desktop expose plaintext passwords?

The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading

SearchCloudSecurity

Defining and evaluating SOC as a service

As cloud use increases, many enterprises outsource some security operations center functions. Evaluate if SOCaaS is the best ...

Get to know the elements of Secure Access Service Edge

Cloud services use cases continue to expand, but implementation challenges remain. Discover Secure Access Service Edge, or SASE, ...

Boost security with a multi-cloud workload placement process

IT must incorporate a multi-cloud workload placement process into its multi-cloud strategy in order to maintain or improve cloud ...

SearchNetworking

A deep dive into the differences between 5G and Wi-Fi 6

While the latest cellular and Wi-Fi technology generations -- 5G and Wi-Fi 6, respectively -- have been pitted against one ...

Maintaining network infrastructure in a pandemic and beyond

Network infrastructure that supports remote workers is essential today and will be far into the future. That includes VPN ...

DriveNets' disaggregated router tech wins innovation award

Networking startup DriveNets is bringing cloud principles to carrier networks with disaggregated router technology that could ...

SearchCIO

How IT can build an agile business partnership

Gene Kim, award-winning researcher, author and founder of IT Revolution, discusses why IT leaders need to involve their ...

Former Cisco CEO offers C-suite leadership tips in time of crisis

COVID-19 is forcing enterprises to make tough decisions. There is no one-size-fits-all roadmap, but those who've survived earlier...

COVID-19 radically refocuses CIO agendas in 4 key areas

As a result of the COVID-19 virus, CIOs must shift their priorities and now focus on the impact the pandemic has on the economy, ...

SearchEnterpriseDesktop

How CMT, MDM and EMM merged into UEM software

The differences between CMT, MDM, EMM and UEM can be confusing. Learn how they differ and how vendors offer these capabilities in...

How to enable and troubleshoot fast startup in Windows 10

The fast startup feature on Windows desktops can add value, but IT must understand when it should and shouldn't enable this ...

4 negotiation tactics for success in a Microsoft software agreement

A Microsoft software agreement requires skill and knowledge. Use these four Microsoft negotiation tactics to get the best ...

SearchCloudComputing

Explore the pros and cons of cloud computing

Familiarize yourself with the basics of computing in the cloud, how the market has changed over the years, and the advantages and...

How to protect and manage Azure Pipelines secrets with Key Vault

Follow along with this Azure Key Vault tutorial to securely manage passwords and other sensitive information in an Azure DevOps ...

7 Google Cloud database options to free up your IT team

Moving data to a cloud database is an effective way to optimize cost and performance for applications. Review seven of Google's ...

ComputerWeekly.com

What we can learn from Marriott’s new data breach embarrassment

Marriott International has egg on its face once again following a second data breach in as many years, but there are encouraging ...

Security, network services top enterprise challenges for deploying UCaaS, CCaaS

Research finds ongoing challenges in deploying unified-communications-as-a-service and contact-centre-as-a-service firms also ...

Coronavirus: NHSX working on contact tracing app

A contact tracing app to track the spread of infection is being developed, although specific technical details remain scarce

Join the conversation

2 comments

Send me notifications when other members comment.

Oldest

[-]

pankajmitra - 3 Jan 2017 4:47 AM

Dear Judith,

With due respect to your experience and expertise, are you aware how VPNs are laid out over the IP Core networks of TSP (telephone service provider). This is explained in VPN1.pdf and shows how there is continuous physical connectivity from the Internet to the VPN routers at all locations through the Tier 1 switch of the TSP's IP Core at the location. As you are aware all firewalls are breakable given continuous access from the Internet. Further in all IP networks all routers have continuous connectivity with all other routers and the communications are simultaneous. Thus while routers at A and B are communicating, a router C could communicate simultaneously with A or B or both . Thus while using security protocols like IPSec can ensure fidelity of transmission along the VPN path or even as a matter over the Internet, it cannot prevent C from establishing parallel communication with either A or B or both. And if this C is a hacker, then he can snoop and spoof through the firewall behind the VPN router, and enter the enterprise network. Thus all VPN networks / connectivity are security vulnerable. VPN1A.pdf explains why despite this vulnerability VPNs have gained in popularity with IT Managers and Consultants. These two documents are available in http//slideshare.net/MIDAUTEL. However, if you send me an email ID, I will be pleased to mail these to you per return mail.

I am sorry to venture into the Statement "VPNs and security are not compatible". The transport over a VPN link is secure using protocols like IPSec. However, every VPN router in an enterprise network provides a freeway for hacker entry.

Judith Myerson - 11 Apr 2017 12:36 AM

Does your organization use site-to-site VPN tunnels or traditional VPN clients for its branch offices?

Are there security benefits to using a site-to-site VPN?