VPNs: Use Cases and Selection Criteria
Virtual Private Networks occupy a defined role in both enterprise security architecture and individual privacy practice, serving as encrypted tunnels that route network traffic through controlled endpoints. This page describes the VPN service sector — how the technology functions, where it is appropriately deployed, how variants differ, and what technical and regulatory factors govern selection. The classification boundaries here matter because VPN selection is frequently driven by marketing rather than architectural requirements, leading to mismatches between tool capability and operational need.
Definition and scope
A VPN is a network technology that creates an encrypted, authenticated communication channel between a client endpoint and a remote network or server, making the traffic appear to originate from the VPN endpoint rather than the originating device. The underlying mechanism separates VPNs from proxies, anonymization networks, and software-defined perimeter solutions, each of which addresses different threat models.
The NIST Cybersecurity Framework and associated publications — particularly NIST SP 800-77 Rev. 1, Guide to IPsec VPNs — classify VPN implementations into two primary categories:
- Remote access VPNs — connect individual users to a private network over a public internet path. Used by employees accessing corporate resources from off-premises locations.
- Site-to-site VPNs — establish persistent encrypted tunnels between two or more fixed network locations, typically branch offices or data centers, without requiring per-user configuration.
A third category, consumer/commercial VPN services, routes user traffic through a provider-operated server for privacy or geo-routing purposes. This category operates under a fundamentally different trust model: the user shifts trust from the ISP to the VPN provider, rather than eliminating a trust dependency.
Protocol variants include IPsec (Internet Protocol Security), SSL/TLS-based solutions (including OpenVPN and Cisco AnyConnect), WireGuard, and L2TP/IPsec. NIST SP 800-77 Rev. 1 provides the federal baseline for IPsec configurations, while NIST SP 800-113 covers SSL VPN guidance for enterprise deployments.
How it works
A VPN session proceeds through four discrete operational phases:
- Authentication — The client and server mutually verify identity using certificates, pre-shared keys, or multi-factor credentials. Federal implementations are expected to align with NIST SP 800-207 (Zero Trust Architecture), which frames strong authentication as a prerequisite for any access control mechanism.
- Tunnel establishment — A cryptographic handshake negotiates cipher suites, key exchange parameters, and session parameters. IPsec uses Internet Key Exchange (IKEv2) for this phase; TLS-based VPNs use the TLS handshake protocol.
- Encapsulation and encryption — User data packets are encapsulated within the VPN protocol headers and encrypted using the negotiated algorithm. AES-256 is the standard cipher for US federal use under CISA and NSA guidance.
- Routing and decapsulation — Packets travel to the VPN endpoint, are decrypted, and are forwarded to the destination network. Return traffic follows the reverse path.
Split tunneling is a configurable option in most enterprise deployments, allowing only traffic destined for specific subnets to traverse the VPN while general internet traffic exits locally. CISA has issued advisories warning that improperly configured split tunneling can expose enterprise networks — a documented risk in remote access deployments for federal contractors under CMMC (Cybersecurity Maturity Model Certification) requirements.
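As an added illustration of the routing phase and of the split-tunnel risk described above (this is not code from the page or from any VPN product), the following Python models the client-side routing decision: a longest-prefix-match lookup over a constructed route table in split-tunnel and full-tunnel form, plus a check that flags a split tunnel when regulated data is in scope and a full tunnel that lacks the host route back to the concentrator. The interface names tun0/eth0, the corporate prefixes and the concentrator address 203.0.113.10 are assumptions.

```python
"""Client-side routing under split and full tunneling (added illustration).

Not code from this page or from any VPN product. The route tables, the
interface names tun0/eth0, the corporate prefixes and the concentrator
address 203.0.113.10 are all constructed for the example.
"""
import ipaddress

# Constructed corporate prefixes that the concentrator pushes to the client.
CORPORATE_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12"]
# Constructed public address of the VPN concentrator (documentation range).
VPN_GATEWAY = "203.0.113.10"


def build_route_table(full_tunnel, gateway_bypass=True):
    """Return (prefix, interface) pairs in the order a client installs them.

    Split tunnel: only the pushed corporate prefixes ride tun0; the default
    route stays on the physical interface, so general internet traffic
    exits locally.
    Full tunnel: 0.0.0.0/0 is re-pointed at tun0. A /32 host route to the
    concentrator must stay on eth0, otherwise the tunnel's own encrypted
    packets would be routed back into the tunnel. gateway_bypass=False
    reproduces that misconfiguration so audit_tunnel_policy can catch it.
    """
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
    for cidr in CORPORATE_SUBNETS:
        routes.append((ipaddress.ip_network(cidr), "tun0"))
    if full_tunnel:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "tun0"))
        if gateway_bypass:
            routes.append((ipaddress.ip_network(VPN_GATEWAY + "/32"), "eth0"))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match, as any host stack performs it.

    Equal-length prefixes resolve to the route installed last, which is how
    a VPN client's replacement default route wins over the original one.
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        if dest in prefix and (best is None or prefix.prefixlen >= best[0].prefixlen):
            best = (prefix, iface)
    if best is None:
        raise ValueError("no route to " + destination)
    return best[1]


def audit_tunnel_policy(routes, handles_regulated_data):
    """Return findings; an empty list means the policy fits the data sensitivity.

    The first check is the split-tunnel exposure: with regulated data in
    scope, general internet traffic must not bypass the enterprise path.
    The second catches a full tunnel that lacks the concentrator bypass.
    """
    findings = []
    # 198.51.100.1 stands in for an arbitrary internet host (constructed).
    if handles_regulated_data and egress_interface(routes, "198.51.100.1") != "tun0":
        findings.append("split tunnel with regulated data in scope: "
                        "general internet traffic bypasses the enterprise path")
    if egress_interface(routes, VPN_GATEWAY) == "tun0":
        findings.append("no host route for the concentrator: "
                        "tunnel packets would be routed into the tunnel itself")
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        table = build_route_table(full_tunnel=mode)
        print("full tunnel" if mode else "split tunnel",
              {d: egress_interface(table, d)
               for d in ("10.0.5.7", "93.184.216.34", VPN_GATEWAY)},
              audit_tunnel_policy(table, handles_regulated_data=True))
```

The concentrator host route is the detail most often missing from hand-built full-tunnel policies; real clients install it automatically, which is why a policy review should look at the installed route table rather than only the profile.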
Common scenarios
VPNs are deployed across four operationally distinct scenarios, each with its own compliance context and technical requirements.
Enterprise remote access is the dominant enterprise deployment. Organizations subject to HIPAA, the Gramm-Leach-Bliley Act (GLBA), or the Defense Federal Acquisition Regulation Supplement (DFARS) are required to protect data in transit. A remote access VPN satisfies the encryption-in-transit requirement when configured to NIST or sector-specific standards. HIPAA's Security Rule at 45 CFR § 164.312(e) mandates transmission security controls for electronic protected health information.
Branch office connectivity uses site-to-site VPNs to replace or supplement MPLS (Multiprotocol Label Switching) links. Organizations with 10 or more geographically distributed offices frequently use site-to-site VPN as a cost-efficient alternative to leased lines.
Third-party and vendor access uses purpose-scoped VPN tunnels to grant external contractors time-limited, network-segmented access to internal resources. This scenario intersects with Zero Trust principles documented in NIST SP 800-207.
Consumer privacy routing deploys commercial VPN services to obscure browsing activity from ISPs or to bypass geographic content restrictions. The FTC has taken enforcement action under Section 5 of the FTC Act (15 U.S.C. § 45) against VPN providers making deceptive privacy claims, most notably in the FTC's 2022 action against Vpnaro and related entities.
For researchers and professionals mapping providers across these scenarios, the Cyber Safety Listings section documents verified service categories.
Decision boundaries
VPN selection turns on six determinative factors, not on provider marketing claims.
Protocol and cipher support — Federal and regulated-industry deployments must use FIPS 140-3 validated cryptographic modules. Validation status is searchable through the NIST Cryptographic Module Validation Program (CMVP).
Logging policy and jurisdiction — Consumer VPNs operating in jurisdictions subject to mandatory data retention laws cannot offer the same privacy properties as providers in non-retention jurisdictions. The legal framework differs materially between US-based providers (subject to NSLs under 18 U.S.C. § 2709) and offshore operators.
Split tunneling policy — Enterprise deployments protecting regulated data should default to full-tunnel configurations unless specific business justification overrides the security tradeoff.
Authentication strength — Deployments handling data classified under CMMC, HIPAA, or FedRAMP must enforce MFA. Password-only VPN authentication does not meet the authentication standards in NIST SP 800-63B.
Remote access VPN vs. Zero Trust Network Access (ZTNA) — Traditional VPNs grant broad network access once authenticated; ZTNA solutions enforce per-application, per-session policy. For organizations migrating to Zero Trust architectures, VPN functions as a transitional control, not a terminal architecture. CISA's Zero Trust Maturity Model frames this transition across five pillars.
Vendor auditability — Third-party audit reports (SOC 2 Type II, ISO 27001) provide independent validation of provider security claims. Absent audit documentation, provider privacy and no-log claims are unverified assertions.
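As an added illustration of the authentication-strength and VPN-versus-ZTNA boundaries above (not code from this page or from any product), the following Python contrasts the two access models on constructed users, a constructed application catalogue and made-up addresses: the VPN path enforces MFA once at login and then grants reachability to the whole routed space, while the ZTNA path evaluates user group, MFA state and device posture per application and per session. The Session fields, group names and the 10.0.0.0/8 address space are assumptions.

```python
"""Remote-access VPN versus ZTNA access decisions (added illustration).

Not code from this page or from any product. Users, groups, device posture,
the application catalogue and the 10.0.0.0/8 address space are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool       # MFA completed at login (password-only -> False)
    device_compliant: bool   # endpoint posture check, used only by the ZTNA path
    groups: frozenset = frozenset()


# Constructed: the address space a remote-access VPN routes to the client.
VPN_REACHABLE = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed application catalogue the ZTNA broker fronts:
# name -> (internal address, groups allowed to reach it)
APPS = {
    "hr-portal": ("10.0.1.10", frozenset({"hr"})),
    "git": ("10.0.2.20", frozenset({"eng"})),
    "finance-db": ("10.0.3.30", frozenset({"finance"})),
}


def vpn_authorize(session, destination):
    """Traditional VPN: one authentication gate, then network-level reachability.

    MFA is enforced at login (password-only sessions are refused), but after
    that the client can reach any address in the routed space regardless of
    role; no per-destination decision is made.
    """
    if not session.mfa_verified:
        return False
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in VPN_REACHABLE)


def ztna_authorize(session, app_name):
    """ZTNA broker: per-application, per-session policy; no route is handed out.

    Identity, MFA state, device posture and the application's allowed groups
    are all evaluated for every application request.
    """
    entry = APPS.get(app_name)
    if entry is None:
        return False
    _addr, allowed_groups = entry
    if not (session.mfa_verified and session.device_compliant):
        return False
    return bool(session.groups & allowed_groups)


def reachable_via_vpn(session):
    """Applications a VPN user can reach: every one inside the routed space."""
    return sorted(name for name, (addr, _) in APPS.items()
                  if vpn_authorize(session, addr))


def reachable_via_ztna(session):
    """Applications the ZTNA broker will connect this session to."""
    return sorted(name for name in APPS if ztna_authorize(session, name))


if __name__ == "__main__":
    engineer = Session("alice", mfa_verified=True, device_compliant=True,
                       groups=frozenset({"eng"}))
    print("VPN :", reachable_via_vpn(engineer))   # all three applications
    print("ZTNA:", reachable_via_ztna(engineer))  # only git
```

The difference in the two result sets for the same authenticated engineer is the "broad network access" versus "per-application policy" distinction; the device-posture branch is what a VPN has no equivalent for, which is why the page treats VPN as a transitional control on the way to a Zero Trust design.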
The scope of this sector and how listings are structured is described in the Cyber Safety Directory Purpose and Scope reference. Information on navigating provider categories within this resource is available at How to Use This Cyber Safety Resource.
References
- NIST SP 800-77 Rev. 1 — Guide to IPsec VPNs
- NIST SP 800-113 — Guide to SSL VPNs
- NIST SP 800-207 — Zero Trust Architecture
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
- NIST Cryptographic Module Validation Program (CMVP)
- NIST Cybersecurity Framework (CSF)
- CISA Zero Trust Maturity Model
- CISA — Resources and Tools
- HHS — HIPAA Security Rule, 45 CFR § 164.312(e)
- DoD — Cybersecurity Maturity Model Certification (CMMC)
- FTC — Section 5 of the FTC Act, 15 U.S.C. § 45