A site-to-site virtual private network (VPN) can be an excellent way to communicate securely and cost-effectively. VPNs run over the Internet, making them relatively inexpensive compared to dedicated circuits. Encryption is what makes it possible to use the public Internet securely.
Site to site VPNs are used for communication between locations by utilizing encrypted tunnels. Each location participating in the VPN has an endpoint device. Encrypted tunnels are built between endpoint devices and the desired traffic passes through securely. This process happens continually and quickly as traffic passes back and forth between the locations across the VPN.
Oftentimes a VPN network is configured as a hub and spoke topology where each branch office has an encrypted connection to a central site. Traffic from branch to branch also often passes through the hub site. A second hub can be activated to provide redundancy to the VPN network. Each branch office would have a VPN connection to each hub. If one hub fails then the other is available to keep traffic flowing.
Four key elements to incorporate into a site-to-site VPN are:
1. Utilize Standards-based Protocols
The VPN should utilize standard protocols. Standard protocols are desirable because they have been vetted by third parties, such as academic and standards bodies, to ensure that they work properly and have multi-vendor support. Multi-vendor support allows devices from different vendors to communicate with each other using the protocol. This interoperability typically translates into increased flexibility when creating VPN connections. This can be useful when an organization has more than one vendor or when connecting to another organization that will potentially have equipment from a different vendor. Standards-based protocols have attributes that allow increased flexibility and resiliency when creating VPN connections.
The opposite of this would be to use proprietary protocols. Typically, proprietary protocols cannot be vetted, require the same vendor on each side, and are more expensive.
Usually these limitations result in increased cost and decreased flexibility.
Today most VPNs are built using the Internet Key Exchange (IKE) protocol in conjunction with IPsec. Essentially, IKE is used for peer authentication and encryption key management, while IPsec is used to encrypt the data itself.
When setting up the VPN, use the most current encryption algorithms and the longest key lengths that are practical. Doing this helps ensure that traffic cannot be viewed or manipulated by outside entities.
2. Ensure Performance
Prior to deploying the VPN, it is important to determine the amount of traffic that will traverse it. The VPN endpoint throughput and Internet connection bandwidth should be properly sized to be able to handle the traffic. It is wise to have some additional capacity on the endpoint and Internet circuit for growth and unanticipated requirements.
Latency of voice and video traffic is also an important consideration when thinking about VPN performance. Internet circuits are historically “best effort” and cannot guarantee service levels for any type of traffic. The impact of latency on real-time services should be carefully considered when looking at VPNs as an option.
Another potential way to improve performance on the VPN is to conserve bandwidth at the branch location. Some ways to do this are by implementing a content cache, content filter, WAN acceleration, or split-tunnel. Each method will potentially conserve bandwidth on the branch office VPN by decreasing the amount of traffic that traverses it. Some of these methods can be combined to provide a cumulative effect.
3. Secure Endpoints
The endpoints should utilize traffic filters as much as possible so that only other endpoints that are part of the VPN can communicate with them. Filtering traffic in this way restricts connection attempts from outside or malicious devices.
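As an added example (not part of the original article), the Python sketch below models the endpoint filter for a branch office that has a tunnel to each of two hubs, as in the redundant hub-and-spoke layout described earlier: only IKE (UDP 500), IKE NAT traversal (UDP 4500) and ESP from the hub addresses are admitted, and an equivalent nftables ruleset is rendered. The hub addresses and interface name are assumed sample values.

```python
# Added example, not from the original article. Models the traffic filter a
# branch VPN endpoint should apply on its Internet-facing interface, then
# renders the equivalent nftables rules. Hub addresses are constructed sample
# values from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, Optional

HUBS: Dict[str, str] = {"hub1": "203.0.113.10", "hub2": "198.51.100.20"}  # constructed
IKE_PORTS = {500, 4500}   # IKE and IKE NAT-T (UDP)


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    proto: str                    # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # destination port for UDP/TCP


def allowed(pkt: Packet, peers: Dict[str, str] = HUBS) -> bool:
    """Return True only for IKE or ESP traffic that comes from a known VPN peer."""
    if pkt.src not in peers.values():
        return False              # not a hub: drop, whatever the protocol
    if pkt.proto == "esp":
        return True               # encrypted tunnel payload from a hub
    return pkt.proto == "udp" and pkt.dport in IKE_PORTS


def nft_rules(peers: Dict[str, str] = HUBS, iface: str = "eth0") -> str:
    """Render an nftables ruleset that enforces the same policy: default drop,
    accept IKE/ESP only from the hub addresses on the Internet interface."""
    addrs = ", ".join(peers.values())
    return "\n".join([
        "table inet vpn_edge {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    iif {iface} ip saddr {{ {addrs} }} udp dport {{ 500, 4500 }} accept",
        f"    iif {iface} ip saddr {{ {addrs} }} meta l4proto esp accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_rules())
    print(allowed(Packet("192.0.2.77", "udp", 500)))   # attempt from a non-peer
```

If one hub fails, the branch keeps the tunnel to the other hub, and the filter continues to admit only those two peers.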
4. Employ as a Secondary Circuit
VPNs are an excellent choice as a secondary circuit to a branch office due to their relatively low cost and high flexibility. In this type of scenario, the branch office would use the primary connection on a regular basis. If for some reason the primary circuit lost connectivity, traffic would be rerouted to use the VPN connection.
When used in this manner the VPN can keep traffic flowing if the primary circuit goes down. A VPN set up for this purpose will often utilize an Internet connection provided by a broadband connection or 4G wireless service.
VPNs are “tried and true” and an excellent way to provide cost-effective, secure, and flexible communication across a network.