Site-to-Site VPN
Site-to-Site Virtual Private Networks (VPNs) allow network infrastructures to securely connect the Local Area Network (LAN) of multiple business locations via public internet. Often referred to as a ‘tunnel’, VPNs allow for an encrypted connection between networks so that they appear to be a single entity. This allows sharing of common resources, applications and data, as if the separated networks were one singular larger private network.
VPN connectivity encrypts transmitted data, providing a secure link between each network join. This allows geographically separated networks to seamlessly communicate and share resources. Site-to-Site VPNs can be considered a cost-effective way to provide private Wide Area Network (WAN) links.
As dedicated communication lines are expensive, VPNs utilise affordable public internet. This significantly reduces the cost to organisations whilst the aforementioned encryption implemented by the VPN means that traffic is still secured over the public internet. This means that the resources are only accessible over the VPN and simplifies security as all devices are considered to be on the same network, meaning only one set of security policies are required. By using public internet, this enables site-to-site VPNs to be scalable, as adding new sites simply requires adding a single endpoint to the VPN network, further reducing the complexity of the overall network architecture.
Key Components
Site-to-Site VPN use several components to allow for shared access between sites:
To ensure security, site-to-site VPNs use encryption protocols (such as AES-256) in order to protect traffic from unauthorised access. Multi-factor authentication (MFA) can be implemented in order to verify identity based on confirmation of several identifiers, further preventing unauthorised access. In the event of a breach, site-to-site VPNs can also provide segmentation to prevent any lateral movement between systems within the network, thus reducing the attack plane.
Site-to-Site VPN solutions can improve ease of use by providing user-friendly systems. These implementations can come in the form of a web-based interface (or similar) and provide network administrators an easy method of managing the VPN over different sites.
Site-to-Site VPNs can also be hosted in the cloud. By utilising the cloud, this offers network administrators remote access from any location. Due to residing in the cloud, this enables seamless VPN connections between different devices.
Another component is that Site-to-Site VPNs are enabling the ability to automate the creation and deployment of new sites, which minimises human error and the need for individual appliances, as through cloud, these new sites can all be managed through a single dashboard. This makes Site-to-Site VPNs able to dynamically scale without re-design, improving the entire network scalability.
For failover, redundant gateways can be created with Site-to-Site VPNs. The distribution of traffic across multiple ISPs provides the network with better resilience and creates more stable connectivity.
Site-to-Site VPN and SD-WAN
When comparing Site-to-Site VPN with Software Defined Wide Area Network (SD-WAN) solutions, SD-WAN provides the benefit of being able to leverage multiple network transport links such as broadband, LTE and MPLS to provide optimal bandwidth utilisation and therefore improve the performance of applications. This improves on Site-to-Site VPN solutions as these only use a single transport link, tunnelling over broadband internet connections.
For some Site-to-Site VPN solutions, a separated management system is required for multiple VPN tunnels running across different sites, creating complexity and increasing workload for network administrators. Unlike Site-to-Site VPN, SD-WAN provides a single controller interface which remotely manages all of the network via infrastructure-wide policies. This therefore reduces the workload on network administrators by minimising complexity, improving on Site-to-Site VPN offerings.
Site-to-Site VPN can be integrated alongside SD-WAN. By integrating the two technologies together, the application-aware routing that SD-WAN provides can be utilised to steer application data over the most secure and reliable connection, therefore steering over site-to-site VPN when this offers the most secure and reliable link, benefitting overall performance.
By integrating Site-to-Site VPN into SD-WAN, this ensures that there is no compromise on security, as SD-WAN can use internet broadband over VPN as a communication link, gaining the privatised network security benefit that Site-to-Site VPN has to offer.
Furthermore, should a network be using multiple Site-to-Site VPN links (via different ISPs), SD-WAN can increase the reliability of the network by switching traffic over these VPN connections when a single VPN link is down or to optimise overall performance of the network.
The Limitations of Traditional VPNs and the Rise of SASE
As more and more businesses shift to cloud, leveraging models such as Software-as-a-Service (SaaS), the limitations of traditional VPNs have been emphasised. The emergence of the SASE framework as a cloud-native networking solution offers increased scalability, security and management over traditional VPNs.
Traditional VPN solutions are not designed to scale to cater for massive scales of remote users or devices, increasing the complexity to manage these systems. SASE improves on this by being designed with a large, distributed workforce in mind, there improving the scalability of the network.
With traditional VPN, there are no inherent additional security components besides encryption, MFA and segmentation. This limits the security of the network without adding further appliances. SASE is designed with Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA) and Firewall-as-a-Service (FWaaS) in order to provide more layers of security to a network.
When connecting to a cloud service via traditional VPN, data would be required to be backhauled via a central data centre before accessing the cloud. SASE eliminates this as the framework uses Points of Presence (PoPs) to provide direct access to the cloud, closer to users and devices. This reduces latency and improves overall network performance.
Cloud Implementations
Cloud implementations of Site-to-Site VPN solutions differ between cloud providers.
For Amazon Web Services (AWS), initially a Virtual Private Cloud (VPC) must be configured. To allow connections, a Virtual Private Gateway (VGW) must be attached to the VPC. Then a device or piece of software must be deployed on-premises to act as the customer gateway, enabling a connection between the VGW and customer gateway. This connection is the VPN tunnel, either through two IPsec tunnels, or static/dynamic BGP routing.
For Microsoft Azure cloud, a Virtual network gateway must be deployed within the gateway subnet of Azure net. Using an on-premises local network gateway enables connections by defining connection type (such as IPsec) and entering the shared key.
Despite differences in implementations, leveraging cloud implementations for Site-to-Site VPN solutions can have multiple benefits. As cloud implementations allow Site-to-Site VPNs to be deployed quickly, this enables rapid scaling of the network infrastructure. Cloud providers offer many endpoints, with tunnels across large geographical regions, creating high availability to the network. The integration with other cloud networking services, such as transit gateways, accelerators and traffic mirroring improve network performance and reliability. Cloud implementations of Site-to-Site VPN solutions offer monitoring and logging of traffic telemetry throughout the entirety of communicates and, cloud providers manage all underlying infrastructure and endpoints, ensuring less complexity and cost to businesses to maintain these links.
Vendor-Specific Solutions
Feature/Aspect | Cisco ASA | Cisco Meraki | Palo Alto | pfSense | UniFi |
VPN Type | Policy-based and route-based | Cloud-managed, AutoVPN | Route-based | Open source, policy-based and route-based | Policy-based and route-based |
Protocol Supported | IKEv1, IKEv2 (IPSEC), GRE, DMVPN, GET VPN | IKEv1, IKEv2 (IPSEC), L2TP, PPTP | IKEv1, IKEv2 (IPSEC), GRE | IKEv1, IKEv2 (IPSEC), OpenVPN, Wireguard, PPTP | IKEv1, IKEv2 (IPSEC), WireGuard, OpenVPN, L2TP, OSPF |
Key Features | Range of encryption and authentication, integrates with Cisco ASDM | Automatic tunnel configuration, dynamic IP support, split/full-tunnel options | Global Protection for mobile, supports up to 1024 spokes | Wizard setup, advanced options, runs on commodity hardware | Automatic setup, high performance, supports remote gateways |
Management | Cisco ASDM GUI | Cloud-managed | Centralized monitoring with Panorama | Wizard-based setup | Cloud-based management |
Unique Selling Point | Ideal for connecting Cisco ASA devices and third-party VPN endpoints | Easy setup with full mesh or hub-and-spoke topologies | Scalable management via Panorama | Cost-effective due to commodity hardware usage | Simplified management without individual site configuration |
Comparison with Point-to-Site VPN
Point-to-Site VPN solutions differ from Site-to-Site VPN as they designed for a limited number of clients to remotely connect to the network. Point-to-Site VPNs do have a benefit over Site-to-Site VPNs as they have no additional setup for client connections. This means that Point-to-Site VPN may be preferable for telecommuters and mobile workers. However, each user must establish their own connection.
Due to this, Site-to-Site VPN implementations are the better VPN option for connecting multiple LANs into a singular unified WAN. This provides seamless always-on access between sites and prevents the need to re-initialise communication. Site-to-Site is therefore optimal when resources must be shared across locations.
Conclusion
In conclusion, Site-to-Site Virtual Private Network solutions enable secure, cost-effective connectivity across multiple business locations, such as a main headquarters and several branch offices. This is a better method for full business connections, as Point-to-Site Virtual Private Network solutions are primarily geared to individual remote users and therefore Site-to-Site VPN enables better scalability for businesses.
It should also be noted that each Site-to-Site VPN vendor provides different key offerings with their solutions, catering to different network requirements. IT decision makers should consider each vendor's unique selling points, such as Cisco's integration capabilities or Palo Alto's scalable management and compare these to their network requirements in order to best leverage the VPN.
Furthermore, cloud implementations of Site-to-Site VPN solutions are becoming more popular. With the rise of SD-WAN for flexible, multi-transport link utilisation and SASE, a comprehensive security framework for distributed workforces, cloud integrated Site-to-Site VPNs enable greater scalability, reduce management complexity for network administrators and assists with future-proofing the network.