Site-to-site VPN connections provide a secure tunnel through the Internet between two or more network gateways. This connection must be secure from users, devices, and malware that would try to intercept or corrupt the data.
Remote workers and distributed locations (such as satellite offices) often use a VPN to access company systems. But they can also expose your corporate networks to malicious attacks.
Encryption
One of the site-to-site VPN security best practices is encryption, which encrypts data so that only authorized users may decode it. Sensitive information is protected by encryption on various internet services, including text messages, emails, financial information, and cloud storage.
Site-to-site VPNs are used when network connections need to be securely redirected between sites within an enterprise. These VPNs are ideal when one or more networks have a permanent/static public IP address and the other has a dynamic/temporary public IP address (Hub and Spoke).
The security of site-to-site VPN connections begins with encrypted tunnel data being sent from the remote VPN site to your corporate network. This encrypted data meets a gateway at your corporate network, which decrypts the data so the receiving VPN can read it. The gateway at the other end of the VPN connection can also decrypt data for the receiving network, providing a secure and private link between sites within your company. An IPSec-based gateway can provide perfect forward secrecy to protect against attackers who may be able to read encrypted tunnel data.
Firewall
Site-to-site VPNs enable employees to work from home or other remote locations. It helps businesses to avoid shutdowns in the event of a disaster, minimizing business interruption and allowing employees to continue to serve customers and generate revenue.
Firewalls are powerful security tools that provide a barrier between your private network and the outside world. They are a critical component of your cybersecurity strategy and should be configured to include a comprehensive list of security functions.
A firewall is a set of hardware components that function together to perform various tasks. Traditionally, they separate networks and allow only solicited communications between them. Modern firewalls can also assess Internet traffic, block unsolicited communications, and offer additional functionality such as NAT.
It is crucial to implement a robust zero-trust policy that restricts VPN connections to only those who need them. In addition to limiting connection times, enterprises should encourage remote employees to connect to the VPN only when they need to work, such as to check email or download commonly needed files. It minimizes their exposure to malicious websites, reducing the risk of them becoming malware distribution points for the enterprise.
Authentication
In addition to encryption, a VPN should authenticate the people accessing it. It is done through push notifications (something the user knows, like a password), voice authentication (a code generated by the device, typically over a mobile phone call), and even a combination of these approaches (something the user has, like a token issued by an external service, or something the user is, such as a unique ID that changes regularly).
Most NGFW systems have this capability built-in, with some combining it with an endpoint protection platform that shields users’ devices from malware and ensures they meet minimum software update standards. It helps mitigate the exploitation of VPN vulnerabilities, common attack vectors for cybercriminals. It is also a critical part of a zero trust security and network segmentation policy that limits the access that users can do over the VPN, which is another important way to secure site-to-site VPN connections.
Timeouts
Site-to-site VPN connections allow employees to securely connect from one location to another without using a client app on their devices. It helps companies scale by allowing them to add a new branch, office, or remote employee within minutes.
Because site-to-site VPNs create encrypted tunnels between sites, it is essential to have strict timeouts in place to ensure that idle sessions are not staying active and expose the data on the network to potential attacks. It is recommended that enterprises enforce a timeout period of 10 to 30 minutes for idle sessions.
Once you have deployed your IPSec connection, verify that the device establishes a security association with the remote device using the ping interface interface_name remote_ip_address command on the device CLI. If the command returns an error, the connection is not configured correctly (for example, the local and remote ping metric values do not match).
Monitoring
As more employees work remotely or travel, enterprises must safeguard their connection to company systems. A virtual private network (VPN) can help staff communicate data securely over a public or shared network.
A VPN can be internet-based, where one or more security gateways negotiate a link, or it can use multiprotocol label switching (MPLS), which routes data packets based on labels instead of using IP addresses to determine how to send them from point A to point B. An intranet-based site-to-site VPN lets companies house multiple local LANs together as if they were in the exact location.
For a VPN to be secure, it must be monitored regularly for abnormal activity and be able to shut down connections that don’t have a valid screen lock or are otherwise inactive. More sophisticated NGFW systems can also ensure that each computer that connects to the VPN has strong antivirus, antispam, and personal firewall protection and is up-to-date on critical operating system patches. It can prevent the spread of malware and ransomware.