From a business perspective, virtual private networks have many benefits. But what is the optimal VPN architecture? IT decision makers have a choice of remote access VPNs, site-to-site VPNs, cloud VPNs, and hybrid architectures. We explain the fundamental differences.
The coronavirus pandemic has shown once again that virtual private networks (VPNs) are an indispensable part of secure communication for companies. Sending a large part of the workforce to work from home within a very short time was only possible thanks to VPN technology. VPNs not only allow secure remote access to a company network; they can also be used for many other purposes, which we discuss in more detail below.
Remote Access VPN – Remote access to internal resources
With a remote access VPN, companies enable their employees to access the company network from an external location in a protected and encrypted manner. How this is implemented varies, depending on the specific requirements and the chosen VPN technology.
A remote access VPN is based on a VPN client that is installed on the end devices. The client communicates with a VPN gateway via an encrypted tunnel. The gateway not only secures the traffic, but also controls access to the resources in the network. Usually, an authentication server is also used to verify the identity of the employee. Only after successful authentication does the gateway grant access to internal resources such as servers, network drives, databases and applications.
Remote access VPNs allow people to do their jobs securely and efficiently while working away from the office. This increases not only flexibility, but also productivity. Companies can also save on office space, as employees can work remotely or from home. Remote access VPNs are an essential building block on the way to a hybrid working model, in which employees largely decide for themselves, within certain limits, where they can best carry out their work.
However, it must be ensured that the end devices with which employees access the company network remotely are also adequately protected. Virus scanners or personal firewalls, for example, are suitable for this. In addition, the network and the VPN gateway must be designed in such a way that there are no bottlenecks in communication. Companies that do not have the staff or resources to build and operate a VPN themselves should therefore contact an experienced service provider.
Site-to-Site VPN – Connecting different locations
A site-to-site VPN connects multiple remote company locations. This distinguishes it from a remote access VPN, which only connects individual employees to the company network. Offices, branches and even data centers can be sites that need to communicate securely with each other.
Typically, each site has its own local network. Often, preconfigured VPN appliances are used that connect to a central VPN gateway, but purely software-based implementations also exist. The VPN endpoints establish and manage the VPN tunnels. They handle the encryption and decryption of traffic and cover other technical aspects such as routing and address translation to avoid network conflicts.
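One concrete form of the "network conflicts" mentioned above is two sites using the same or nested private address ranges, which cannot be routed across a tunnel without address translation or re-addressing. The following check is an added example, not part of the original article or any NCP product; the site names and prefixes are constructed sample data.

```python
"""Check a site-to-site VPN address plan for overlapping local subnets.

Added example: before two sites are joined by a VPN tunnel, their local
prefixes must not overlap, otherwise traffic cannot be routed across the
tunnel without NAT. Site names and prefixes below are constructed data.
"""
import ipaddress
from itertools import combinations

# Constructed sample address plan: site name -> list of local prefixes.
SITES = {
    "head-office": ["10.10.0.0/16", "192.168.1.0/24"],
    "branch-north": ["10.20.0.0/16"],
    "branch-south": ["192.168.1.0/24", "10.30.0.0/16"],
    "datacenter": ["10.10.128.0/17"],
}


def find_overlaps(sites):
    """Return (site_a, prefix_a, site_b, prefix_b) for every pair of
    prefixes at *different* sites that overlap. Each hit needs NAT or
    re-addressing before the tunnel between those sites goes live."""
    parsed = {
        name: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for name, prefixes in sites.items()
    }
    conflicts = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                # overlaps() is true for identical prefixes and for one
                # prefix nested inside the other (e.g. a /17 inside a /16).
                if net_a.overlaps(net_b):
                    conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return conflicts


def report(sites):
    """Human-readable summary: one line per conflict, or an all-clear."""
    conflicts = find_overlaps(sites)
    if not conflicts:
        return "no overlapping prefixes; tunnels can be routed without NAT"
    return "\n".join(
        f"{a} {pa} overlaps {b} {pb}: NAT or re-addressing required"
        for a, pa, b, pb in conflicts
    )


if __name__ == "__main__":
    print(report(SITES))
```

Run against the sample plan, the check flags the duplicated 192.168.1.0/24 range and the data center /17 nested inside the head office /16, while the two disjoint 10.x/16 branch ranges pass.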
The public Internet is usually used to connect the locations. Broadband connections via leased line, DSL, cable or 5G mobile networks are suitable for this. In any case, the line must have enough bandwidth, otherwise data transmission will be delayed. To prevent unauthorized devices from joining the VPN and intercepting traffic, the VPN devices must be authenticated. Redundant VPN devices and failover mechanisms ensure the high availability of a site-to-site VPN: if an appliance or Internet connection fails, alternative paths are used automatically to maintain connectivity.
Site-to-site VPNs have the advantage of being highly scalable. Existing structures can be expanded with little effort to include additional locations, for example when the company opens a new branch. Compared to dedicated lines using MPLS (Multiprotocol Label Switching), VPNs cost less because they set up their secure tunnels over the public Internet.
Cloud VPN – secure tunnels from cloud providers
A cloud VPN is a VPN solution that is provided via the cloud. Compared to traditional VPN implementations, this simplifies deployment, since no additional hardware has to be purchased, for example. A cloud VPN is also suitable for securely connecting employees, individual branches or the entire company to applications that are themselves hosted in the cloud. In addition, cloud VPNs, like other cloud offerings, are relatively easy to adapt to the specific needs of a company.
In this country, cloud VPNs often meet with reluctance from companies, and the skepticism is based primarily on security and data protection concerns. Many decision-makers hesitate because they do not want to entrust their sensitive data and network communication to a cloud platform that is difficult to control. They also fear becoming the victim of a data leak in which unauthorized third parties gain access to their data. Often, the question of how local companies can meet their compliance requirements in the cloud remains unresolved.
Hybrid VPN architectures
In addition to the VPN architectures described above, hybrid models also exist. For example, multiple locations can be connected via a site-to-site VPN, while employees connect to the corporate network from home or another location via a remote access VPN. Access to cloud applications can additionally be secured via a cloud VPN.
NCP is an experienced security provider that supports you with all your VPN needs. Get in touch with us and we will find the VPN implementation that fits your requirements.