When choosing between a site-to-site VPN vs. remote-access VPNs, enterprises must consider the role they want their...
remote-access connectivity technology to play.
Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN configuration, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway.
The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content and relays the packet toward the target host inside its private network.
By comparison, remote-access VPNs connect individual hosts to private networks -- for example, travelers, teleworkers and mobile users who need to access their company's internal network securely over the internet.
In a remote-access VPN, every host accessed by remote users must have VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the internet to the VPN gateway at the edge of the target network.
Upon receipt, that VPN gateway behaves just like site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the internet.
Remote-access VPN security protocols
Security is an important factor in choosing between a site-to-site VPN vs. remote-access VPNs. The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload, an extension to the standard IP security standard used by the internet and most corporate networks today. Most routers and firewalls now support IPsec, and it can be used as a VPN gateway for the private network behind them. Another site-to-site VPN protocol is MPLS, although MPLS does not provide encryption.
Remote-access VPN configuration protocols are more varied, ranging from the Point-to-Point Tunneling Protocol to IPsec alone. These approaches require VPN client software on every host, as well as a VPN gateway that supports the same protocol and options or extensions to provide access to remote users.
An alternative to IPsec VPNs are Secure Sockets Layer (SSL) VPNs. These are often referred to as clientless in that they do not require the use of specialized software on the user's computer. In an SSL VPN, the remote user connects to the network through a web browser. Information is encrypted either with SSL or the Transport Layer Security protocol.
Benefits of site-to-site VPNs
Site-to-site VPNs connect individual networks to each other, so they are well-suited for organizations with multiple locations. Information can be sent securely through site-to-site VPNs, and they can also handle mission-critical traffic, such as VoIP communications, that require low latency and good quality of service.
Site-to-site VPNs also offload encryption and processing overheads from host PCs or devices to a separate security or router component. Additionally, they reduce the need for users to constantly log in or log out of a VPN connection.
Benefits of remote-access VPNs
Remote-access VPNs enable remote users to connect to the corporate network from any location, which makes them beneficial for enterprises with employees and customers who are highly mobile. Data transmitted through remote-access VPNs is encrypted, which means remote users can take advantage of public Wi-Fi connections or other places where traffic isn't generally secured.
How to build an enterprise VPN
IPSec versus SSL: What are the risks?
Dig Deeper on Network Security
Related Q&A from Lisa Phifer
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading
Is there a difference between a wireless access point vs. a router? Yes -- while the two wireless devices are related, they meet different needs in a... Continue Reading
Need to send an email, check your flight's status or get ready for a presentation? You can do it all on your smartwatch, thanks to a slew of Apple ... Continue Reading