VPN, short for Virtual Private Network, is a technology that allows secure communication over a public network. It builds an encrypted tunnel between a client and a server (or between two gateways) using protocols such as IPsec with IKEv2, OpenVPN, or WireGuard; older protocols such as PPTP are still found in the wild but have known weaknesses and should not be used. The tunnel encrypts traffic in transit and prevents third parties from eavesdropping on it or tampering with it. The original application of the VPN has not disappeared, however. One such implementation is the site to site VPN, whose advantages and disadvantages we will delve into in today's article.
Although invented back in the 90s to facilitate secure communication between the branches of a company, the VPN has long since evolved into a general privacy and security tool. Commercial VPN providers, who market VPNs as online privacy products, have made them commonplace. Nowadays, VPNs are best known for giving individual users an encrypted connection to a remote network, or to the internet through a provider's server.
What is a site to site VPN?
A site to site VPN is a corporate implementation of the VPN technology. While most commercial VPN providers cater to individual clients, some also offer this service to businesses. In broad terms, a site to site VPN connects two networks in different locations, such as a branch office and headquarters. The connection is secure because all traffic between the two sites is encrypted in transit. A site to site VPN can also create a web of tunnels between multiple sites, forming one integrated network.
By location or site, we mean a network behind its own gateway, typically the LAN of an office. On their own, these networks are not interlinked. With a site to site implementation, the networks established in multiple locations come together to form a unified but still separately administered network. In effect, this VPN technology bridges the distance between real-world remote locations by creating a virtual, private network that carries network-to-network traffic.
There is also a key perk we will expand on later. Because the gateways authenticate each other (with pre-shared keys or certificates) and encrypt everything that passes between the sites, individual users need no VPN credentials or client apps. Traffic flows as if the remote site were part of the local network.
The idea of joining sites over a private network predates the VPN: before affordable internet links, businesses connected their locations with dedicated leased lines and private circuits. Today a site to site VPN creates a direct, secure connection between two (or more) endpoints over a shared network. It can be either intranet- or extranet-based. The connection is established between VPN gateways, one at each site. A site to site VPN therefore extends the company's network and makes the resources at one location available to employees at another. The two main techniques for establishing a site to site VPN are:
- Internet VPN method
- Multiprotocol Label Switching (MPLS) VPN method
Different types of VPNs
In business use, VPNs fall into three categories:
- Remote access VPNs — A remote access VPN connects individual users (employees at home or on the road) to a central location, such as a corporate data center, one session at a time. Common protocol choices are IPsec with IKEv2 and TLS-based VPNs such as OpenVPN, as well as WireGuard. Each user needs a client and credentials. This is also the model commercial VPN providers sell to consumers, with the provider's servers standing in for the corporate gateway.
- Intranet-based site to site VPNs — An intranet-based VPN connects networks rather than users: it joins multiple LANs (Local Area Networks) of the same organization into one WAN (Wide Area Network). The purpose is to bring several offices, or several departments that run their own networks, under the same network so that they can reach each other's resources. It is the natural choice for a company with more than one office.
- Extranet-based site to site VPNs — An extranet-based VPN lets a company connect a partner or other outside entity so the two can share resources on a joint project. Unlike an intranet VPN, it does not give the third party access to the company's internal network as a whole: the tunnel's policy limits the partner to the resources the company exposes at its perimeter.
How does a site to site VPN work?
It works on the same principles as a consumer VPN. Instead of a client on each device, however, it relies on a VPN gateway at each site, which authenticates its peer, negotiates keys, and encrypts and decrypts traffic on behalf of every host behind it. The gateways act as the sentries of their networks: every packet bound for the other site passes through them.
When an employee at one site requests a resource at the other, the request:
- Reaches the local VPN gateway, which checks the packet against its tunnel policy (in IPsec, the traffic selectors) to decide whether it belongs in the tunnel at all.
- Is encrypted and integrity-protected, then wrapped in a new packet addressed from this gateway to the remote gateway; the internal source and destination addresses travel hidden inside.
- Travels through the tunnel the gateways negotiated with a key-exchange protocol such as IKEv2. An eavesdropper on the path sees only encrypted gateway-to-gateway traffic and cannot read it or alter it undetected.
- Is received by the remote gateway, which verifies the integrity check, rejects replays, and decrypts the packet.
- Is forwarded as an ordinary packet to the server on the remote LAN for processing.
- Returns by the same method in the opposite direction: the remote gateway encrypts the reply, the local gateway decrypts it and delivers it to the employee's machine.
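The steps above, as an added example that is not part of the original article: a small Python simulation of two gateways carrying a request and its reply. Everything in it is constructed (addresses, keys, the packet format), the IKE key exchange is skipped in favour of fixed keys, and an HMAC-SHA256 counter-mode keystream stands in for ESP's AES-GCM because the standard library has no AES. It shows what the article describes and what it leaves implicit: the policy lookup that decides which packets get protected, the gateway-to-gateway outer packet that hides internal addresses, and the tag and anti-replay checks that make a tampered or replayed packet fail at the receiving gateway.

```python
"""Added example: a site-to-site tunnel between two gateways, simulated.
Assumptions: addresses and keys are constructed, IKE is skipped (keys are
fixed), and an HMAC-SHA256 counter-mode keystream stands in for ESP's
AES-GCM because the standard library has no AES. A teaching model only.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass
class TunnelSA:
    """One direction of a child SA; both ends hold the same keys."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                              # sender's counter
    seen: set = field(default_factory=set)    # receiver's replay record (a window in real ESP)

def _keystream(key, spi, seq, n):
    """Counter-mode keystream; SPI and sequence number make each nonce unique."""
    blocks = (hmac.new(key, struct.pack(">IQI", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

class Gateway:
    def __init__(self, public_ip, lan, peer_public_ip, peer_lan, out_sa, in_sa):
        self.public_ip, self.peer_public_ip = public_ip, peer_public_ip
        self.lan, self.peer_lan = ipaddress.ip_network(lan), ipaddress.ip_network(peer_lan)
        self.out_sa, self.in_sa = out_sa, in_sa

    def classify(self, pkt):
        """Tunnel policy (IPsec traffic selectors): only LAN-to-peer-LAN is protected."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in self.lan and dst in self.peer_lan:
            return "protect"
        if src in self.lan:
            return "bypass"   # ordinary internet traffic, sent in the clear
        return "discard"      # source is not on our LAN: spoofed or misrouted

    def encapsulate(self, pkt):
        """Encrypt-then-MAC the inner packet; the outer packet is gateway to gateway."""
        sa = self.out_sa
        sa.seq += 1
        inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
        hdr = struct.pack(">IQ", sa.spi, sa.seq)
        ct = _xor(inner, _keystream(sa.enc_key, sa.spi, sa.seq, len(inner)))
        tag = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()
        return Packet(self.public_ip, self.peer_public_ip, hdr + ct + tag)

    def decapsulate(self, outer):
        """Verify the tag, reject replays, decrypt; return the inner packet or None."""
        sa = self.in_sa
        hdr, ct, tag = outer.payload[:12], outer.payload[12:-32], outer.payload[-32:]
        spi, seq = struct.unpack(">IQ", hdr)
        expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()
        if spi != sa.spi or not hmac.compare_digest(tag, expected):
            return None       # forged, corrupted, or for another SA
        if seq in sa.seen:
            return None       # replayed packet
        sa.seen.add(seq)
        inner = _xor(ct, _keystream(sa.enc_key, spi, seq, len(ct)))
        addrs, payload = inner.split(b"|", 1)
        src, dst = addrs.decode().split(">")
        if ipaddress.ip_address(dst) not in self.lan:
            return None       # decrypted packet is not for our LAN
        return Packet(src, dst, payload)

def demo():
    """The round trip described above, plus the checks an attacker on the path would trigger."""
    a_to_b = TunnelSA(0x1001, b"A" * 32, b"B" * 32)   # fixed keys stand in for IKE output
    b_to_a = TunnelSA(0x2002, b"C" * 32, b"D" * 32)
    gw_a = Gateway("203.0.113.1", "10.1.0.0/24", "198.51.100.1", "10.2.0.0/24", a_to_b, b_to_a)
    gw_b = Gateway("198.51.100.1", "10.2.0.0/24", "203.0.113.1", "10.1.0.0/24", b_to_a, a_to_b)
    req = Packet("10.1.0.5", "10.2.0.10", b"GET /payroll")
    outer = gw_a.encapsulate(req)
    reply = gw_b.encapsulate(Packet("10.2.0.10", "10.1.0.5", b"200 OK"))
    tampered = outer.payload[:20] + bytes([outer.payload[20] ^ 1]) + outer.payload[21:]
    return {
        "classified": gw_a.classify(req),                                            # "protect"
        "outer_addresses": (outer.src, outer.dst),                                   # gateway to gateway
        "inner_hidden": b"10.2.0.10" not in outer.payload and b"payroll" not in outer.payload,
        "delivered": gw_b.decapsulate(outer) == req,
        "replay_rejected": gw_b.decapsulate(outer) is None,
        "tamper_rejected": gw_b.decapsulate(Packet(outer.src, outer.dst, tampered)) is None,
        "reply_delivered": gw_a.decapsulate(reply) == Packet("10.2.0.10", "10.1.0.5", b"200 OK"),
        "internet_bypassed": gw_a.classify(Packet("10.1.0.5", "93.184.216.34", b"")),  # "bypass"
        "spoof_discarded": gw_a.classify(Packet("10.2.0.10", "10.2.0.11", b"")),       # "discard"
    }
```

Note that nothing in `decapsulate` looks at who sent the inner packet or what it asks for: once the tag verifies and the destination is on the local LAN, the packet is forwarded. That is exactly the gap the disadvantages section below describes.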
Advantages of a site to site VPN
Although it is an old implementation of the technology, a site to site VPN has benefits that make companies favor it. Depending on the needs of an organization, the size of its workforce, and cost, a company can benefit in the following ways:
Encrypted and authenticated links between sites
Using a site to site VPN lets organizations stop worrying about the confidentiality of traffic between their sites. Most site to site VPNs use the IPsec suite of protocols. A properly configured gateway accepts tunnel traffic only from peers that have authenticated to it, with pre-shared keys or, preferably, certificates issued through a PKI (Public Key Infrastructure). With IPsec handling encryption and integrity protection, an outsider who intercepts the traffic can neither read it nor modify it without detection. The caveat is that this protects the data in transit only; it says nothing about what the hosts at either end may do once the traffic has been decrypted, a point we return to under the disadvantages.
Site to site forgoes per-user credentials and client applications. That removes the steps users would otherwise need to log in to the VPN; on this type of VPN, it feels like an ordinary network connection. Consumer VPNs can be intimidating because they tend to get technical. With a site to site implementation, users need not worry, because the whole VPN procedure takes place at the gateway, which is usually a dedicated hardware appliance or router.
It also aids network administration. Administrators can monitor and control the tunnels and the remote networks behind them from a central location, which makes updating security settings, rolling out new features remotely, and revoking access for unauthorized users easier.
Simple and secure scalability
Site to site VPNs are easy to scale. A new site, office, or partner can be connected in minutes by adding a tunnel at its gateway, and every host behind that gateway joins at once; you do not have to enroll individual devices one at a time. Deploying gateways lets you attach a whole network to an existing one, which makes expansion straightforward.
In the face of an incident or emergency, you need not shut down the whole operation. Because each LAN is reachable through its own tunnel, you can grant or revoke a site's access as needed: tear down the affected LAN's tunnel and, if necessary, bring up a replacement, and the rest of the business continues.
Flexible deployment and lower latency
Deployments can be staged under a site to site implementation: you can skip a department or add a new one to the rollout, which gives a lot of flexibility in management. Furthermore, a business can opt for MPLS to reduce latency. With an MPLS VPN, the carrier routes the traffic over its own labeled network rather than the public internet, with predictable paths and service levels. Bear in mind that MPLS separates traffic but does not encrypt it; if confidentiality matters, IPsec still has to run over the MPLS link.
Disadvantages of a site to site VPN
Since it is an old implementation, this type of VPN comes with some disadvantages:
Lack of integrated security
The problem lies in the fact that the VPN only encrypts the data in transit; it does not control what travels through the tunnel. Any host at one site can reach any host at the other simply by being on the network, unless a firewall at the gateway says otherwise. The VPN itself performs neither security inspection of the content nor access control; both have to be added separately, at the gateway or on the hosts.
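An added example, not from the article, of the access-control layer the tunnel itself does not provide: a deny-by-default rule set applied at the receiving gateway to traffic that has already been decrypted. The addresses, ports and flows are constructed, and the two rule sets are hypothetical. `TUNNEL_ONLY` is what a bare site to site VPN amounts to (everything between the two LANs passes), and `RESTRICTED` is a least-privilege policy for the same link.

```python
"""Added example: an inter-site firewall policy evaluated at the gateway
after decryption. Addresses, ports, rules and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str   # "any" matches every protocol
    dport: int   # 0 matches any port
    action: str  # "allow" or "deny"

    def matches(self, flow):
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and self.proto in ("any", flow.proto)
            and self.dport in (0, flow.dport)
        )

def evaluate(rules, flow):
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"

# What a bare site to site tunnel amounts to: anything from the remote LAN to ours passes.
TUNNEL_ONLY = [Rule("10.2.0.0/24", "10.1.0.0/24", "any", 0, "allow")]

# Least privilege for the same link: only the flows the business actually needs.
RESTRICTED = [
    Rule("10.2.0.0/24", "10.1.0.10/32", "tcp", 443, "allow"),   # the web app the remote site uses
    Rule("10.2.0.0/24", "10.1.0.20/32", "tcp", 5432, "deny"),   # the database, never reached directly
    Rule("10.2.0.50/32", "10.1.0.0/24", "icmp", 0, "allow"),    # the monitoring host may ping
]

# Constructed traffic arriving from the remote site after decryption.
FLOWS = [
    Flow("10.2.0.7", "10.1.0.10", "tcp", 443),    # legitimate use of the web app
    Flow("10.2.0.7", "10.1.0.20", "tcp", 5432),   # a compromised workstation probing the database
    Flow("10.2.0.7", "10.1.0.5", "tcp", 445),     # lateral movement over SMB to a file server
    Flow("10.2.0.50", "10.1.0.5", "icmp", 0),     # monitoring ping
]

def decisions(rules, flows=FLOWS):
    """Decision for each flow under the given rule set, in order."""
    return [evaluate(rules, f) for f in flows]

def exposed(rules, flows=FLOWS):
    """The flows a rule set lets through; with TUNNEL_ONLY that is all of them."""
    return [f for f in flows if evaluate(rules, f) == "allow"]
```

Under `TUNNEL_ONLY` all four flows are allowed, including the database probe and the SMB connection; under `RESTRICTED` only the web request and the monitoring ping pass. On a real gateway this is the firewall or zone policy attached to the tunnel interface, and it is separate from the IPsec traffic selectors, which only decide what gets encrypted.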
Visibility and Management
While it does provide some flexibility in management, it takes away visibility. Every tunnel is independent of every other, so monitoring and managing them all at once is difficult: each tunnel is monitored and managed separately, which is not only time-consuming but also costly for a business with many sites.
This drawback is the primary reason for adopting a hub and spoke topology. In that setup, each site (a spoke) tunnels to a central site (the hub), and traffic between spokes is routed through the hub, where it can be inspected and filtered in one place. While this may seem to solve the security and visibility problems of the site to site VPN, it brings its own headaches: such a topology is expensive to implement and maintain, and it adds latency, since spoke-to-spoke traffic takes a detour through the hub and puts additional load on the hub's links and inspection devices.