James Thew - Fotolia

Site-to-site VPN security benefits and potential risks

Not every enterprise needs the functionality of a standard VPN client. A site-to-site VPN may be a better choice for some companies, but it's not without risk.

Using a site-to-site VPN can have many benefits over a traditional VPN client, but it all depends on the needs of the organization, the size of the workforce using it and cost considerations.

The main aim of a site-to-site VPN is to securely connect two locations through gateway hardware. Site-to-site VPNs are often used in WANs to connect the LANs of separate branches or offices without the need for individual VPN software on each device. However, for smaller organizations with relatively few employees that need access to the company LAN, traditional VPN clients may be the more cost-effective option.

4 benefits of site-to-site VPNs

Security

Site-to-site VPN security is the most important benefit, as IPsec protocols will ensure all traffic is encrypted in transit through the VPN tunnel. The site-to-site VPN tunnel only allows traffic from one end to the other, blocking any attempts to intercept the traffic from the outside. All traffic must be signed by a digital certificate, and to get authenticated, a public key infrastructure (PKI) must be deployed. Internet Key Exchange, which is usually associated with the IPsec protocol, is not as strong as a PKI.

Scalability

When compared to a traditional VPN, a top benefit of a site-to-site VPN is its scalability. Rather than needing to ensure each employee system is running VPN client software as if it were on a remote access VPN, a site-to-site VPN only requires a VPN gateway at each location. This makes it easy to add a new site or another office branch to the network or relocate a remote office or site.

Lower latency

If an organization needs improved performance, a site-to-site VPN can be configured to lower latency by using MPLS to route traffic over a VPN provider's infrastructure rather than through the public internet. Using MPLS via a VPN provider also means less work by the organization's IT staff as the provider will handle more of the setup and maintenance. However, this will come at a higher cost.

Managed services options

A site-to-site VPN can be run as a fully managed service by a managed security service provider. This may be a less costly option for smaller companies that don't have the budget to invest in security products and the staff to manage them.

A potential alternative to MPLS or IPsec VPN at a lower cost is software-defined WAN, although SD-WAN can be more complex to set up without the help of a provider.

Considerations before adopting a site-to-site VPN

As with any technology, there are some risks to consider before deploying a site-to-site VPN. Settings and configurations must be monitored with care, especially when dealing with a PKI.

Organizations must also always be aware of vulnerabilities in hardware and software. Cisco Adaptive Security Appliance firewalls have had remote attack vulnerabilities that could compromise VPN traffic, and hospitals with VPN vulnerabilities have been targeted by ransomware groups.

Also, note that using a site-to-site VPN assumes the use of central physical locations where employees congregate because the VPN tunnel can only be between two static locations. As more employees work from home, a site-to-site VPN may not be as beneficial as a cloud VPN, VPN service provider or transitioning to Secure Access Service Edge for network security.

Next Steps

Remote access vs. site-to-site VPN: What's the difference?

Comparing SASE vs. traditional network security architectures

SD-WAN vs. VPN: How do they compare?

Dig Deeper on Network security