
Site-to-site VPN security benefits and potential risks

Not every enterprise needs the functionality of a standard VPN client. A site-to-site VPN may be a better choice for some companies, but it's not without risk.

A site-to-site VPN can offer many benefits over a traditional VPN client, but which is the better choice depends on the needs of the organization, the size of the workforce using it and cost.

The main aim of a site-to-site VPN is to securely connect two locations through gateway hardware. Site-to-site VPNs are often used in WANs to connect the LANs of separate branches or offices without the need for individual VPN software on each device. However, for smaller organizations with relatively few employees that need access to the company LAN, traditional VPN clients may be the more cost-effective option.

4 benefits of site-to-site VPNs

Security

Security is the most important site-to-site VPN benefit: a tunnel built on IPsec encrypts and integrity-protects all traffic in transit between the two gateways, so an outsider who captures packets on the path obtains only ciphertext and cannot alter them without detection. Traffic enters the tunnel only at the two gateways, for the networks each one has been configured to carry. Before the tunnel comes up, each gateway must authenticate the other during Internet Key Exchange (IKE), the key-management protocol that accompanies IPsec. That authentication can use either a pre-shared key or digital certificates. Certificate-based authentication requires deploying a public key infrastructure (PKI), but it is the stronger option: a pre-shared key is only as strong as its length, secrecy and rotation, and one key reused across many sites is a single point of compromise. Note that it is this peer authentication, not the data packets themselves, that relies on certificates; packet integrity comes from the IPsec integrity algorithm negotiated in IKE.

Scalability

When compared to a traditional VPN, a top benefit of a site-to-site VPN is its scalability. Rather than ensuring every employee's device runs VPN client software, as a remote access VPN requires, a site-to-site VPN needs only a VPN gateway at each location. This makes it easy to add a new site or branch office to the network or to relocate a remote office or site.

Lower latency

If an organization needs more predictable performance, the site-to-site tunnel can be carried over a provider's MPLS network rather than the public internet, which lowers and stabilizes latency. Using MPLS through a provider also means less work for the organization's IT staff, as the provider handles more of the setup and maintenance. However, this comes at a higher cost, and MPLS only separates traffic; it does not encrypt it, so IPsec is still needed on top of it when confidentiality is required.

Managed services options

A site-to-site VPN can be run as a fully managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them.

A potential alternative to MPLS or IPsec VPN at a lower cost is software-defined WAN, although SD-WAN can be more complex to set up without the help of a provider.

Considerations before adopting a site-to-site VPN

As with any technology, there are some risks to consider before deploying a site-to-site VPN. Gateway settings must be reviewed and monitored carefully: the IKE version in use, the algorithms proposed, how the peers authenticate each other and, when certificates are used, the PKI behind them, including certificate expiry and revocation.
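The following script is an added example, not code from the original article or from any vendor. It parses a strongSwan-style swanctl.conf (the brace-nested format is assumed from strongSwan's documentation) and flags the weak choices discussed under Security above and in the caution just given: IKEv1 left enabled, pre-shared-key peer authentication instead of certificates, legacy algorithms and missing forward secrecy. The two configurations, the addresses, connection names and file names are all constructed for illustration.

```python
"""Audit a site-to-site IPsec gateway configuration for weak settings.

Example code for this article, not strongSwan's own tooling. The two
configurations below are constructed; the parser handles the key/value
and nested-block syntax used by swanctl.conf.
"""

# Constructed: a branch tunnel as it is too often configured.
WEAK_CONF = """
connections {
    branch {
        version = 1
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes128-sha1-modp1024
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        children {
            branch-lan {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = 3des-sha1
            }
        }
    }
}
secrets {
    ike-branch {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        secret = "changeme"
    }
}
"""

# Constructed: the same tunnel with IKEv2, certificate (pubkey)
# authentication against a corporate CA, modern AEAD ciphers and a DH
# group on the child SA so each rekey gets perfect forward secrecy.
HARDENED_CONF = """
connections {
    branch {
        version = 2
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth = pubkey
            certs = gw-hq.pem
            id = "CN=gw-hq.example.com"
        }
        remote {
            auth = pubkey
            id = "CN=gw-branch.example.com"
            cacerts = corp-ca.pem
        }
        children {
            branch-lan {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-ecp384
                start_action = start
            }
        }
    }
}
"""

# Algorithm and DH-group names that should not appear in any proposal.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "null", "modp768", "modp1024", "modp1536"}


def parse_swanctl(text):
    """Parse the brace-nested config format into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):                 # "name {" opens a section
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        else:                                  # "key = value" (first '=' splits)
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def weak_tokens(proposal_string):
    """Return the weak algorithm names found in a comma-separated proposal list."""
    found = []
    for proposal in proposal_string.split(","):
        for token in proposal.strip().split("-"):
            name = token[3:] if token.startswith("prf") else token   # prfsha1 -> sha1
            if name in WEAK_ALGS:
                found.append(token)
    return found


def audit(text):
    """Return (connection, finding) pairs for every weak setting in the config."""
    conf = parse_swanctl(text)
    findings = []
    for name, conn in conf.get("connections", {}).items():
        # version = 0 (the default) still accepts IKEv1 as responder.
        if conn.get("version", "0") != "2":
            findings.append((name, "IKEv1 allowed (set version = 2)"))
        for side in ("local", "remote"):     # numbered sides (local-1 ...) not handled
            if conn.get(side, {}).get("auth") == "psk":
                findings.append((name, f"{side} peer uses pre-shared key authentication "
                                       "(use pubkey with certificates)"))
        for alg in weak_tokens(conn.get("proposals", "")):
            findings.append((name, f"weak IKE algorithm {alg} in proposals"))
        for child_name, child in conn.get("children", {}).items():
            esp = child.get("esp_proposals", "")
            for alg in weak_tokens(esp):
                findings.append((name, f"child {child_name}: weak ESP algorithm {alg}"))
            has_dh = any(t.startswith(("modp", "ecp", "x25519", "x448"))
                         for t in esp.replace(",", "-").split("-"))
            if esp and not has_dh:
                findings.append((name, f"child {child_name}: no DH group in esp_proposals, "
                                       "so no perfect forward secrecy"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for conn, msg in audit(conf):
            print(f"  [{conn}] {msg}")
```

Run against the weak configuration it reports IKEv1, PSK authentication on both sides, SHA-1 and MODP-1024 in the IKE proposal, 3DES and SHA-1 in the ESP proposal and the missing DH group; the hardened configuration produces no findings. The checker only covers what a gateway negotiates; certificate expiry and revocation on the PKI side still need their own monitoring.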

Organizations must also track vulnerabilities in gateway hardware and software. Cisco Adaptive Security Appliance firewalls have had remotely exploitable vulnerabilities that could compromise VPN traffic, and hospitals running vulnerable VPN gateways have been targeted by ransomware groups.

Also, note that a site-to-site VPN assumes central physical locations where employees congregate, because the tunnel runs between two fixed gateways. As more employees work from home, a site-to-site VPN may not be as beneficial as a cloud VPN, a VPN service provider or a transition to Secure Access Service Edge for network security.

Next Steps

Remote access vs. site-to-site VPN: What's the difference?

Comparing SASE vs. traditional network security architectures

SD-WAN vs. VPN: How do they compare?

This was last published in August 2020

2 comments

Dear Judith,

With due respect to your experience and expertise, are you aware of how VPNs are laid out over the IP Core networks of TSPs (telephone service providers)? This is explained in VPN1.pdf and shows how there is continuous physical connectivity from the Internet to the VPN routers at all locations through the Tier 1 switch of the TSP's IP Core at the location. As you are aware, all firewalls are breakable given continuous access from the Internet. Further, in all IP networks all routers have continuous connectivity with all other routers and the communications are simultaneous. Thus while routers at A and B are communicating, a router C could communicate simultaneously with A or B or both. Thus while using security protocols like IPSec can ensure fidelity of transmission along the VPN path, or even as a matter over the Internet, it cannot prevent C from establishing parallel communication with either A or B or both. And if this C is a hacker, then he can snoop and spoof through the firewall behind the VPN router, and enter the enterprise network. Thus all VPN networks / connectivity are security vulnerable. VPN1A.pdf explains why despite this vulnerability VPNs have gained in popularity with IT Managers and Consultants. These two documents are available in http//slideshare.net/MIDAUTEL. However, if you send me an email ID, I will be pleased to mail these to you per return mail.

I am sorry to venture into the statement "VPNs and security are not compatible". The transport over a VPN link is secure using protocols like IPSec. However, every VPN router in an enterprise network provides a freeway for hacker entry.
Does your organization use site-to-site VPN tunnels or traditional VPN clients for its branch offices?