<img src="http://www.shrfbdg004.com/63997.png" style="display:none;">


Best Practices for Managing Site to Site VPN

Posted by Paul Centanni on 7/13/17 9:55 AM

A site to site virtual private network (VPN) can be an excellent way to communicate in a secure and cost-effective way. VPNs leverage the Internet making them relatively inexpensive compared to dedicated circuits. The ability to leverage the public Internet securely is done through encryption.

Site to site VPNs are used for communication between locations by utilizing encrypted tunnels. Each location participating in the VPN has an endpoint device. Encrypted tunnels are built between endpoint devices and the desired traffic passes through securely. This process happens continually and quickly as traffic passes back and forth between the locations across the VPN.

Oftentimes a VPN network is configured as a hub and spoke topology where each branch office has an encrypted connection to a central site. Traffic from branch to branch also often passes through the hub site. A second hub can be activated to provide redundancy to the VPN network. Each branch office would have a VPN connection to each hub. If one hub fails then the other is available to keep traffic flowing.

Four key elements to incorporate into a site-to-site VPN are:

1. Utilize Standard-based Protocols

The VPN should utilize standard protocols. Standard protocols are desirable because they have been vetted by third parties, such as academic and standards bodies, to ensure that they work properly and have multi-vendor support. Multi-vendor support allows devices from different vendors to communicate with each other using the protocol. This interoperability typically translates into increased flexibility when creating VPN connections. This can be useful when an organization has more than one vendor or when connecting to another organization that will potentially have equipment from a different vendor.  Standards-based protocols have attributes that allow increased flexibility and resiliency when creating VPN connections.

The opposite of this would be to use proprietary protocols. Typically, proprietary protocols

  • cannot be vetted,

  • require the same vendor on each side, and

  • are more expensive.

Usually these limitations result in increased cost and decreased flexibility.

Today most VPNs are built using Internet Key Exchange (IKE) protocol in conjunction with IPSec.  Essentially, IKE is used for authentication and encryption key management while IPSec is used for data encryption.

When setting up the VPN the latest encryption algorithms and longest key lengths practical should be used for best results. Doing this will help to ensure that traffic cannot be viewed or manipulated by outside entities.

2. Ensure Performance

Prior to deploying the VPN, it is important to determine the amount of traffic that will traverse it. The VPN endpoint throughput and Internet connection bandwidth should be properly sized to be able to handle the traffic. It is wise to have some additional capacity on the endpoint and Internet circuit for growth and unanticipated requirements.

Latency of voice and video traffic is also an important consideration when thinking about VPN performance. Internet circuits are historically “best effort” and cannot guarantee service levels for any type of traffic. The impact of latency on real-time services should be carefully considered when looking at VPNs as an option.

Another potential way to improve performance on the VPN is to conserve bandwidth at the branch location. Some ways to do this are by implementing a content cache, content filter, WAN acceleration, or split-tunnel. Each method will potentially conserve bandwidth on the branch office VPN by decreasing the amount of traffic that traverses it. Some of these methods can be combined to provide a cumulative effect.

3. Secure Endpoints

The endpoints should utilize traffic filters as much as possible to only allow other endpoints that are part of the VPN to communicate with it. Filtering traffic in this way can potentially restrict connection attempts from outside or malicious devices.

4. Employ as a Secondary Circuit

VPNs are an excellent choice as a secondary circuit to a branch office due to their relatively low cost and high flexibility. In this type of scenario, the branch office would use the primary connection on a regular basis. If for some reason the primary circuit lost connectivity, traffic would be rerouted to use the VPN connection.

When used in this manner the VPN can keep traffic flowing if the primary circuit goes down. A VPN set up for this purpose will often utilize an Internet connection provided by a broadband connection or 4G wireless service.

VPNs are “tried and true” and an excellent way to provide cost-effective, secure, and flexible communication across a network.

Get more content like this at SightLine 2017   Meet the author of this post in his session at our upcoming technology  conference! Paul will discuss what a Defense-in-Depth approach to security  really looks like and explore point products that can be installed throughout  the network. Join us in Albany, NY on Oct. 17-18.   Learn More

Topics: Mobility

Related posts

Power Automation and Intelligence with your IT Network  Nunc vel tempor mollis, odio mauris vulputate nisi, non pulvinar urna enim Download Now

the author

Paul Centanni

Paul is a Senior Solutions Architect of the Mobility and Security practice at Annese and Associates in the Albany area. Paul has a Bachelor of Science in Optics from the University of Rochester. Paul is a seasoned network professional who brings experience in the areas of network infrastructure, wireless, and security. Before joining Annese Paul worked on the early Internet then as a consultant providing enterprise level professional services. Paul currently has a CISSP certification along with some Cisco professional level certifications. In his personal time Paul enjoys spending time with his family and hiking.

Post a Comment