Cloud Security & Operations Learning Center

Learning Objectives

This research paper presents a detailed study of the different types of VPNs, the main VPN configurations, the architectural implementations of site-to-cloud VPNs, and the various key distribution mechanisms used to strengthen their security.

What is Site to Cloud VPN?

Today's businesses give employees the opportunity to work from home or on the road. When a company allows its staff to reach the internal network from outside, it is important that this is done safely. Many employees travel frequently, or simply do not need a fixed desk in an office to do their job, and they need secure access to the company network. Someone working outside the office who needs company information must be able to reach it from wherever they are. Today a broadband connection offers a quick way to send and retrieve information over the Internet. Just as there are thieves in the community, there are people on the Internet attempting to get access to other people's computers to steal information, or simply to destroy it.

The solution for secure remote connectivity

A common solution to most of these security threats is a Virtual Private Network (VPN). A VPN allows a user to reach the internal resources of the company from an external network such as the Internet, and to do so in a secure manner. The VPN technology chosen should therefore provide a connection that is as fast, secure and reliable as possible.

VPN Architecture

Types of VPNs

There are three different VPN connectivity models that can be implemented over a public network:

  • Remote-access VPNs: These provide remote access to an enterprise customer's intranet or extranet over a shared infrastructure. Deploying a remote-access VPN enables corporations to reduce communications expenses by leveraging the local dial-up infrastructures of Internet service providers. At the same time, the VPN allows mobile workers, telecommuters, and day extenders to take advantage of broadband connectivity. Access VPNs impose security over analog, dial, ISDN, digital subscriber line (DSL), Mobile IP, and cable technologies that connect mobile users, telecommuters, and branch offices.
  • Intranet VPNs: These link an enterprise customer's headquarters, remote offices, and branch offices in an internal network over a shared infrastructure. Remote and branch offices can use VPNs over existing Internet connections, which provides a secure connection for remote offices, eliminates costly dedicated connections and reduces WAN costs. Intranet VPNs allow access only to the enterprise customer's employees.
  • Extranet VPNs: These link outside customers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to users outside the enterprise.

VPN configurations

There are two main types of VPN configurations for deploying a VPN connection over a public network. These are Site to Site and Site to Cloud.

Site-to-site VPNs

This is sometimes referred to as a secure gateway-to-gateway connection over the Internet or over private or outsourced networks. This configuration secures information sent between multiple LANs or between two or more office networks by routing packets across a secure VPN tunnel established between two gateway devices or routers. The secure VPN tunnel enables two private networks (sites) to share data through an insecure network without fear that the data will be intercepted by unauthorized persons outside the sites. The site-to-site VPN establishes a one-to-one peer relationship between two networks via the VPN tunnel (Kaeo, M., 2004). Holden, G. (2003) likewise describes a site-to-site VPN as a link between two or more networks. This configuration is mostly used in intranet VPNs and sometimes in extranet VPNs.

Site-to-site VPN architecture

Advantage: Site-to-site VPNs offer greater scalability and flexibility because only the VPN gateway needs to support IPsec, so the installation and management costs across the deployed gateways are minimal. The configuration also offloads the cryptographic processing from individual systems to the gateway router, freeing memory and processing capacity on the end systems.

Disadvantage: The processing overhead now handled by the gateway routers increases their CPU utilization, which can degrade the communication speed users experience.

Client-to-Site VPNs

This configuration involves a client at an insecure remote location who wants to access internal data from outside the organization's LAN. Holden, G. (2003) explains a client-to-site VPN as a network made accessible to remote users who need dial-in access, while Kaeo, M. (2004) defines it as a collection of many tunnels that terminate on a commonly shared endpoint on the LAN side. In this configuration, the user establishes a connection to the VPN server in order to gain a secure route into the site's LAN, using a VPN client that can be either software in the computer's operating system or a hardware VPN device such as a router. The connection then lets the client reach and use internal network resources. This kind of configuration is also referred to as a secure client-to-gateway connection. It is usually used in access VPNs and sometimes in extranet VPNs.

Advantage: Remote-access VPNs enhance productivity, provide secure communication, reduce costs and increase the flexibility of the VPN deployment.

Disadvantage: One drawback of these VPNs is that they require VPN client software to be installed on each remote client, together with a VPN gateway that supports the same protocol and remote-access extensions.

The second type of VPN configuration is Site to Cloud

Site to Cloud VPN is a type of VPN that utilizes a cloud-based network infrastructure to deliver VPN services. It provides globally accessible VPN access to end users and subscribers through a cloud platform over the public Internet.

The objective behind the site to cloud VPN is to provide the same level of secure and globally accessible VPN service without any VPN infrastructure on the user's end. The user connects to the cloud VPN through the provider's website or a desktop/mobile app. The pricing of a cloud VPN also differs from a standard VPN service: the customer is charged on a pay-per-usage basis or a flat-fee subscription. Users are charged based on the amount of hardware, storage, network, and other resources utilized.

Site to Cloud VPN Importance to Business

Cloud VPN combines secure communication and additional security functions in the cloud with a high degree of automation in provisioning and self-service management. With this solution, customers can easily and securely access all important company data from anywhere - whether in branch offices or at remote locations.

The Site to Cloud VPN service uses a self-service online portal to give customers a simple way to select, subscribe to and activate the service. The service portfolio includes branch, site-to-site and remote-access encrypted VPNs as well as firewall and web security. It is offered as a cloud-managed IT solution on a monthly subscription basis.

Customers have access to a management dashboard where they can track the service status or change service features such as the number of users, the bandwidth and the traffic prioritization, or select one of the predefined levels of web security, with a simple mouse click.

Benefits of the site to cloud VPN
  • Cost effective - no need to invest in hardware, software or IT manpower
  • High availability with back-up service to ensure uninterrupted service
  • Secure remote access to company email and intranet
  • Windows, Mac OS, Android and iOS compatible
  • Two Factor Authentication with the stringent 2-step verification process

How Site to Cloud VPN works:

Site to cloud VPN supports connectivity between the organization's gateways in the cloud and its on-premises routers.
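As an added example, not code from the original page or from any provider it describes, the following strongSwan swanctl.conf fragment shows how the on-premises router side of such a gateway-to-gateway tunnel is configured; strongSwan itself, the host names, addresses and subnets are assumptions. It illustrates the point made for site-to-site VPNs above: only the gateway needs IPsec, and its traffic selectors decide which LAN traffic is protected.

```conf
# Added example (not part of the original page): strongSwan swanctl.conf for the
# on-premises router side of a site-to-cloud IPsec tunnel. The tool choice,
# host names, addresses and subnets are assumptions; the cloud gateway mirrors
# this configuration with the local/remote values swapped.
connections {
  site-to-cloud {
    # IKEv2 only; IKEv1 is never negotiated.
    version = 2
    # Public address of the on-prem router and the cloud gateway endpoint (constructed).
    local_addrs  = 203.0.113.10
    remote_addrs = cloud-gw.example.net

    # Authenticate both gateways with certificates rather than a shared secret.
    # The cloud gateway's certificate must chain to a CA placed in swanctl's
    # x509ca directory, and its identity must match the remote id below.
    local {
      auth  = pubkey
      certs = onprem-gw.pem
      id    = onprem-gw.example.com
    }
    remote {
      auth = pubkey
      id   = cloud-gw.example.net
    }

    # IKE proposal: AES-256, SHA-256 integrity/PRF, X25519 key exchange.
    proposals = aes256-sha256-x25519

    # Dead peer detection: probe every 30 s so a silent cloud peer is noticed.
    dpd_delay = 30s

    children {
      lan-to-cloud {
        # Traffic selectors: only traffic between the on-prem LAN and the cloud
        # network enters the tunnel. End systems need no IPsec of their own;
        # the router decides what is protected. Subnets are constructed.
        local_ts  = 192.168.10.0/24
        remote_ts = 10.20.0.0/16
        # AEAD cipher for ESP; X25519 forces a fresh DH exchange on CHILD_SA rekey.
        esp_proposals = aes256gcm16-x25519
        # Bring the tunnel up at load time and re-establish it if DPD declares the peer dead.
        start_action = start
        dpd_action   = restart
      }
    }
  }
}
```

The fragment is loaded with `swanctl --load-all` once the router's certificate and private key are placed in swanctl's x509 and private directories.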

Conclusion

Site to cloud VPN puts an organization's entire on-premises VPN into the cloud. With no additional on-premises hardware required, the company enjoys the security and functionality of a private network. Access to internal and administrative applications can be restricted to authorized employees, suppliers or clients. Administrators and employees at branch offices or remote locations who have been enabled for the service are then able to reach corporate systems and resources over an Internet connection while on the go.