Zero Trust VPN Comparison: An In-Depth Tutorial

February 21, 2023

Like it or not, cybercrime is big business. Organizations that understand this invest in the right technologies to protect their assets. VPNs have been a staple in cybersecurity and networking for some time, while the zero trust concept is a relatively new kid on the block. 

VPNs remain a popular choice for many organizations but come with a significant limitation: they do not provide end-to-end security. A VPN encrypts traffic between the client and the VPN gateway, but the tunnel terminates at the gateway. From there, traffic to the internal application crosses the corporate network outside the tunnel, where it is only as protected as that network is, and the gateway itself becomes a point at which the data can be read or altered if it is compromised.

Segmenting the corporate network, and in its finer-grained form micro-segmentation, raises the bar by partitioning a single flat LAN into multiple isolated segments interconnected via VPNs or firewalls. However, this approach burdens network administrators, who must maintain policies and configurations for more network equipment, and it still gives an attacker free rein within each segment because it does not enforce the per-session authentication and authorization that the zero trust paradigm requires.

The zero-trust approach to network security addresses these issues by treating all network traffic, including traffic within the VPN tunnel, as untrusted and requiring authentication and authorization. In a zero-trust network, each access request is independently evaluated based on a set of defined security policies, rather than relying on the VPN connection alone to provide security. This approach helps ensure that only authorized users and devices can access network resources, even if the VPN connection is compromised.

In addition to reviewing some of the shortcomings of VPNs in this article, we’ll explore VPNs and zero trust, their advantages and disadvantages, and how you can find the right solution for your organization. We’ll also explain why the term “zero trust VPN” is a bit of a misnomer.

The table below summarizes key concepts from this article and compares VPN and zero trust across several categories.

Trust
  VPN: Trusts users implicitly and grants broad access to resources
  Zero trust: Treats each user and device individually; only the resources they are authorized for are reachable

Device health
  VPN: Not aware of whether the connecting device is compromised
  Zero trust: Compromised or non-compliant devices can be excluded by access policy

Visibility
  VPN: Unaware of traffic and usage patterns unless monitoring is deployed separately
  Zero trust: Every session is authenticated and logged; this data feeds network monitoring and SIEM tools

User experience
  VPN: Prone to connectivity problems; burdens the helpdesk with VPN setup support
  Zero trust: Seamless end-user experience; reduced load on the helpdesk

Administration
  VPN: Cumbersome to deploy and manage separate VPNs
  Zero trust: Managed via centralized policies

What is a VPN?

Virtual private networking was developed as a cost-effective solution for connecting different parts of an organization or allowing outside organizations to access the organization’s network securely. This site-to-site connectivity, commonly used to connect corporate locations, has made it possible to replace expensive leased lines and direct connect circuits with internet-based solutions, saving organizations money on costly infrastructure. More commonly deployed is the client-to-site VPN, where VPN software on a user’s PC connects to the company’s VPN server and effectively places the PC on the corporate network. For all practical purposes, the PC is now treated as if it is located within the company perimeter.

How Does a VPN Work?

To access their organization’s network, a user will typically enter the details for their VPN gateway into their VPN client. If the gateway is responding, it will negotiate with the user’s software to agree on specific cryptographic algorithms to authenticate and create a secure connection. 

VPNs generally support multiple forms of authentication, with simple passwords or pre-shared keys still commonly deployed. In this model, the user is prompted for their login credentials once the tunnel parameters have been negotiated. The VPN gateway first checks its local user database; if the user isn't found there, it forwards the request to any authentication servers specified in its configuration, which in many environments means the organization's RADIUS or Microsoft Active Directory server. Once the credentials are verified, the tunnel is established and all traffic through it is encrypted with the negotiated algorithms.

How is a VPN Typically Secured?

Modern VPNs support multi-factor authentication (MFA) rather than just a username and password, or, worse, a shared password. With MFA, the authentication server challenges the user for a second factor, such as a one-time code from an authenticator application or sent to a registered phone, or a hardware token. Note that challenge questions are a knowledge factor, the same category as a password, so they do not add a genuine second factor. Once the second factor is verified, the VPN establishes the user's connection and grants access to the network.

Challenges With Using a VPN

While VPNs solve many problems, they can be difficult to install and manage. A corporate VPN involves installing and configuring costly hardware, and supporting more remote users or higher data volumes means upgrading to even more expensive appliances. The hardware comes with service and support contracts and requires expertise to administer properly. It also becomes a single point of congestion, a single point of failure, and a single point of attack for intruders.

Additionally, with multiple ingress and egress points, investigation and troubleshooting become more complex as policy changes and software versions drift between gateways. As the number of end-user access requests grows, so do the costs of managing that access. Despite the additional spending, the end-user experience leaves much to be desired.

Compliance can become tedious, since zero trust best practices dictate that an organization's network be segmented, ideally with micro-segmentation. Each segment will have its own VPN server, separately managed policies, and firewall rules between segments. This makes administering and auditing policies challenging. Organizations eventually demand solutions that control access across the network more effectively and enable faster, more accurate provisioning of new access.

The Case for Zero Trust Network Access 

Zero trust network access (ZTNA) is a concept of explicit authentication, authorization, and end-to-end security. In this framework, verification is based on authenticating the user, client device, server, and service and verifying that the authorization policy permits access. Clients and servers must be authenticated and authorized, and all traffic must be encrypted. By implementing the principle of least privilege, zero trust ensures that users and services can only access the services they need and no more. It also assumes everything is compromised until end-to-end verification is complete. In other words, zero trust is about having no assumptions about implicit trust.

Zero trust is policy-driven and posits that perimeter-based protections are ineffective; hence, every communications session must be explicitly established and authorized. It doesn't matter if it's a remote user talking to a server, a user within the organization, or one service interacting with another service. In other words, where legacy security was based on protecting perimeters and trusting anyone within the perimeter, ZTNA takes a perimeterless approach.

ZTNA consists of a set of technologies and processes that allow organizations to securely access their networks and applications from any device, anywhere, without requiring traditional VPNs. The goal of ZTNA is to replace the reliance on the conventional perimeter-based security model with a more secure, granular, and adaptive approach.

Figure: Zero Trust Network Access (ZTNA), explained. A visual explanation of zero trust security.

The building blocks of a Zero Trust Network Access are:

  1. A secure cloud-based environment outside of the organization’s network. The service is only used for managing access policies. The data only flows between endpoints, regardless of where they are. This security architecture reduces the attack surface because
    1. Unauthorized users cannot connect to anything.
    2. Authorized and authenticated users can communicate only with the services for which they are authorized.
    3. Services or users within an organization are restricted from freely connecting to any unauthorized resources.
    4. All communications are encrypted and integrity-protected, with replay protection in the transport, so they are not susceptible to snooping, modification, or replay attacks. (Encryption alone does not stop replay; the transport must also track nonces or sequence numbers.)
  2. A multi-factor authentication method to determine who the user is, what permissions they have, and what access policy the user is assigned.
  3. The centrally-managed access policies that control network access.

Explicit Verification in Zero Trust Networks

Explicit verification in zero trust networks authenticates users and devices, and restricts access to services on those devices to ensure a secure, trusted computing environment. This process involves verifying user identities, validating device identity and integrity, and providing secure communication between devices. 

It also includes inspecting traffic flows and verifying that all communications are safe and trustworthy. Organizations can protect their network infrastructure and data from unauthorized access and malicious activity by implementing explicit verification in a zero trust network. 

Specifically, explicit verification involves evaluating the following: 

1. User Identity

Verifying the user’s identity with a trustworthy authentication method, such as multi-factor authentication rather than a password alone, is a core requirement of zero trust. Zero Trust Networks (ZTN) rely on explicit authentication to confirm the identity of a user. If a user fails to provide the correct credentials, their access to the requested endpoint is denied. 

ZTN can also monitor user activity to look for abnormal behavior, such as logging in from an unexpected location or multiple failed login attempts. If any suspicious activity is detected, the user can be further verified before access is granted.

2. Device Location

Ascertain the device’s physical location and determine whether it is allowed to be present. This verification can use techniques such as GPS coordinates or IP geolocation to check that the device is in an approved area, and it can detect suspicious activity such as an attempt to access the network from an unauthorized location. IP geolocation is coarse and can be defeated by a proxy or consumer VPN, so location should be treated as one risk signal combined with identity and device health, not as proof of where a device is.

3. Device Health

Ensure the device is suitable for the organization’s environment. Verify the health of all devices that are trying to access the network. This process ensures that each device is free of malware and is not being used as part of a malicious attack. The verification can include checking the device’s operating system version, patch level, anti-malware software, and other security measures. The verification process can also involve scans to ensure the device is free of malware and safe to connect to the network.

4. Service or Workload Security

Applies additional protection to the service or workload itself, beyond the network path, to guard against malicious actors. This is achieved through authentication and authorization, encryption, and data integrity verification. Authentication and authorization ensure that only authorized users and services can reach a resource; encryption provides confidentiality; and integrity verification ensures that data has not been modified or tampered with in transit. 

5. Types of Access 

Determine which services a user (or any authenticated system) can access. The implementation uses various specifications:

  • Access Control Lists (ACLs) can be used to define which users have access to which resources and what type of access is allowed. Users as well as resources may be grouped to simplify administration. For instance, a Type Enforcement (TE) model enables the definition of user groups, resource groups, and rules that define which groups of users can access which groups of objects.
  • Role-Based Access Control (RBAC) can be used to grant access to users depending on the role they have or their job title. The role of an individual user may change over time.
  • Network Access Control (NAC) can control network access based on a user’s identity, device type, and other attributes. NAC can be used to enforce policies and monitor user behavior to ensure that only authorized users have access to the network.

6. Anomaly Detection 

Additional services can be deployed to provide advanced analytics and machine learning to identify anomalous user and system behavior. This can include monitoring user activity, network traffic, and application usage to detect patterns that may indicate malicious activity. These patterns can then trigger alerts and further investigation into the security incident. Additionally, organizations can leverage tools such as honeypots and honeynets (two or more honeypots on a network) to detect and respond to malicious activity.

Privilege Access Enforcement in Zero Trust Networks

The principle of least privilege is enforced by limiting access to only what is required to perform the needed tasks. Zero trust security blocks all access until the user is authenticated and authorized; after that, the device can reach only the systems and services that the access policy allows for that user. This differs from traditional perimeter-based rules, where firewalls restrict access to specific hosts and ports without authenticating the source, and from VPNs, which authenticate the user but then grant broad access to the internal network. Perimeter-based policies are often default-allow: an administrator blocks specific traffic and everything else is permitted. Under zero trust the default is deny, so compromised user computers reveal themselves through authentication failures or attempts to connect to services they are not authorized for. 
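As an added example (not code from the article or from any vendor product), the following Python models a small policy decision point that runs the explicit verification checks listed above, namely user identity with MFA and a failed-login signal, device location, device health, and role-based service access, and applies the default-deny rule from the least privilege discussion. Every user, device, service name, threshold and role mapping is a constructed assumption, and the check for "service or workload security" is left to the transport and so is not modelled here.

```python
"""Added example, not from the original article: a minimal zero trust policy
decision point (PDP). It evaluates user identity, device location, device
health and role-based service access, and denies by default. All users,
devices, services, thresholds and role mappings below are assumed values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # e.g. frozenset({"engineering"})
    mfa_verified: bool        # second factor completed for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    patch_age_days: int       # days since the OS was last patched
    edr_running: bool         # endpoint protection agent is up
    disk_encrypted: bool
    country: str              # from IP geolocation; a risk signal, not proof


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    service: str              # target service, e.g. "git.internal"
    failed_logins_last_hour: int = 0


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


# Assumed policy values (hypothetical).
ALLOWED_COUNTRIES = {"US", "DE"}
MAX_PATCH_AGE_DAYS = 30
MAX_FAILED_LOGINS = 5
# RBAC: role -> services that role may reach. Anything not listed is denied.
ROLE_SERVICES = {
    "engineering": {"git.internal", "ci.internal"},
    "finance": {"erp.internal"},
    "helpdesk": {"ticketing.internal"},
}


def evaluate(req: Request) -> Decision:
    """Run every check and collect all failing reasons; allow only if none."""
    reasons = []

    # 1. User identity: require MFA and no brute-force signal on the account.
    if not req.user.mfa_verified:
        reasons.append("mfa_not_verified")
    if req.failed_logins_last_hour > MAX_FAILED_LOGINS:
        reasons.append("excessive_failed_logins")

    # 2. Device location: coarse geolocation, treated as one signal.
    if req.device.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location_not_allowed:{req.device.country}")

    # 3. Device health: posture checks before any network access.
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("os_patches_stale")
    if not req.device.edr_running:
        reasons.append("edr_not_running")
    if not req.device.disk_encrypted:
        reasons.append("disk_not_encrypted")

    # 5. Types of access: RBAC with default deny. The union of the user's
    # roles defines the only services they may reach.
    permitted = set().union(*(ROLE_SERVICES.get(r, set()) for r in req.user.roles))
    if req.service not in permitted:
        reasons.append(f"service_not_authorized:{req.service}")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample users and devices.
HEALTHY = Device("lt-042", patch_age_days=3, edr_running=True, disk_encrypted=True, country="US")
STALE = Device("lt-099", patch_age_days=45, edr_running=False, disk_encrypted=True, country="US")
ALICE = User("alice", frozenset({"engineering"}), mfa_verified=True)
BOB = User("bob", frozenset({"finance"}), mfa_verified=False)


def demo():
    """Return the decisions for the sample requests."""
    return {
        "alice_git": evaluate(Request(ALICE, HEALTHY, "git.internal")),
        "alice_erp": evaluate(Request(ALICE, HEALTHY, "erp.internal")),
        "bob_erp": evaluate(Request(BOB, STALE, "erp.internal")),
        "alice_bruteforce": evaluate(Request(ALICE, HEALTHY, "git.internal", failed_logins_last_hour=9)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The decision collects every failing reason rather than stopping at the first one, which is what an operator wants in the log: a denial for "mfa_not_verified" alone and one for "mfa_not_verified, os_patches_stale, edr_not_running" call for different follow-up. In a real deployment the policy enforcement point would re-run this evaluation per session, not once at login.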

Breach Assumption in Zero Trust Networks

Breach assumption is the assumption that security breaches will occur. It is a mindset rather than an architectural framework that leads to deploying a Zero Trust Architecture. A zero trust architecture supports this mindset by allowing each system to access only explicitly authorized systems and services. This prevents a compromised machine from probing the network, doing port scans, and attempting to connect to arbitrary services within the network.

A zero trust architecture constantly scrutinizes connections and logs information about authentication, connectivity, and data traffic. Armed with this data, an organization’s security operations center can effectively mitigate breaches because all the relevant information is constantly being preserved.
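The breach-assumption point above, that a default-deny architecture makes a compromised host visible in its own logs, is illustrated by the following added example (not code from the article or from any product). It runs detection logic over constructed zero trust access-decision log lines and flags a device that is denied access to several distinct services within a short window, which is what a compromised machine probing the network looks like when it cannot port-scan. The log format, field names and thresholds are assumptions.

```python
"""Added example, not from the original article: detection logic run over
constructed zero trust access-decision log lines. A device that is denied
access to several distinct services in a short window is behaving like a
compromised host probing the network, which a default-deny architecture
makes visible in its logs. The log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"decision=(?P<decision>ALLOW|DENY) service=(?P<service>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample log: lt-042 is denied on four different services within
# ten seconds (probing); lt-007 has a single denial; lt-099 retries the same
# service three times (a stuck client, not lateral movement).
SAMPLE_LOG = """\
2023-02-21T10:00:01Z device=lt-042 user=alice decision=ALLOW service=git.internal
2023-02-21T10:01:10Z device=lt-042 user=alice decision=DENY service=erp.internal reason=service_not_authorized
2023-02-21T10:01:12Z device=lt-042 user=alice decision=DENY service=hr.internal reason=service_not_authorized
2023-02-21T10:01:15Z device=lt-042 user=alice decision=DENY service=backup.internal reason=service_not_authorized
2023-02-21T10:01:20Z device=lt-042 user=alice decision=DENY service=ci-admin.internal reason=service_not_authorized
2023-02-21T10:03:00Z device=lt-007 user=bob decision=DENY service=erp.internal reason=service_not_authorized
2023-02-21T10:03:30Z device=lt-007 user=bob decision=ALLOW service=ticketing.internal
2023-02-21T10:05:00Z device=lt-099 user=carol decision=DENY service=git.internal reason=mfa_not_verified
2023-02-21T10:05:30Z device=lt-099 user=carol decision=DENY service=git.internal reason=mfa_not_verified
2023-02-21T10:06:00Z device=lt-099 user=carol decision=DENY service=git.internal reason=mfa_not_verified
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_probing(lines, window=timedelta(minutes=5), min_distinct=3):
    """Flag devices denied on >= min_distinct different services within window."""
    denials = [e for e in map(parse_line, lines) if e and e["decision"] == "DENY"]
    denials.sort(key=lambda e: e["ts"])
    by_device = defaultdict(list)
    for e in denials:
        by_device[e["device"]].append(e)

    alerts = []
    for device, events in by_device.items():
        # Slide a window over this device's denials, starting at each event.
        for i, start in enumerate(events):
            services = set()
            for e in events[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                services.add(e["service"])
            if len(services) >= min_distinct:
                alerts.append({
                    "device": device,
                    "user": start["user"],
                    "first_seen": start["ts"],
                    "services": sorted(services),
                })
                break  # one alert per device is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_probing(SAMPLE_LOG):
        print(f"ALERT {a['device']} ({a['user']}) first seen {a['first_seen']:%H:%M:%S}: "
              f"denied on {len(a['services'])} services {a['services']}")
```

Counting distinct denied services, not raw denials, is what separates probing from a user whose client keeps retrying one service after an MFA failure; the same rule with a VPN in place would have nothing to count, because a VPN client that has authenticated once can reach those internal services without producing a per-service decision.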

Zero Trust Network Access (ZTNA) vs. Zero Trust Architecture (ZTA)

Now that we’ve discussed zero trust, let’s focus on “zero trust network access”. The distinctions between Zero Trust Architecture and Zero Trust Network Access vary among vendors. ZTA and ZTNA are often used interchangeably. ZTNA provides identity-based access to applications regardless of their network segment and the connecting user’s location. ZTNA hides the applications from discovery by unauthenticated and unauthorized systems and users.

In general, ZTA is an overarching goal, while ZTNA focuses on the practical elements of delivering ZTA within the scope of data networking. 

ZTNA is different from a VPN because it does not require an appliance or server to protect the boundary between the Internet and the organization’s network. With ZTNA, the concept of a protected perimeter vanishes.

Instead, ZTNA is a host-based solution that uses client software to provide point-to-point security.

Clients and servers connect to the ZTNA provider’s cloud. This cloud connection has secure access to the organization’s directory services, allowing policy management to take place in the cloud environment.

ZTNA helps organizations respond faster to zero-day vulnerabilities and attacks, providing higher protection for their data and systems. A ZTNA provider offers organizations a unified network security model that covers all networks. With it, administrators can enforce policies on users no matter what device they choose to use and where the devices are located. End-user satisfaction is improved through direct connectivity. Security teams will have increased visibility into network traffic due to the inherent nature of zero trust and the fact that every connection is authenticated and authorized. ZTNA providers have the power to offer greater visibility and faster mitigation of security vulnerabilities across their customer base.

Traditional VPNs will remain popular in the coming years, especially in organizations that have yet to adopt ZTNA. They offer quick remote access, and the necessary hardware is readily available. Plus, not all organizations are equipped to take on the subscription costs of ZTNA, as they may have already invested in a VPN solution. Despite those initial adoption challenges, and because of its stronger security model, zero trust is being deployed as a more secure alternative to VPNs and firewalls across large enterprises and government agencies. The adoption curve has been accelerated by the U.S. government mandate (OMB memorandum M-22-09) that federal agencies meet its zero trust architecture goals by the end of fiscal year 2024, i.e. September 2024. 

Conclusion

VPN networking is no longer the preferred choice of security experts within IT organizations due to its lack of scalability, security weaknesses, and limited flexibility. As traditional perimeter-based security is challenged, a new generation of network security solutions like ZTMesh has come to market, providing secure end-to-end tunnels all the way to the endpoint. These deliver the end-to-end secure connectivity that ZTNA requires and can serve as building blocks for a zero trust network architecture. 

Organizations are increasingly adopting zero trust network access (ZTNA) as a secure way to access their networks. ZTNA provides more robust authentication and access control, allowing organizations to protect their networks from unauthorized access. This technology is reliable and constantly improved, making it far superior to traditional VPNs. The advantages of ZTNA-based access are vast, including enhanced visibility into user activities, improved security controls, and simplified access management. At the same time, its disadvantages are few and far between, making it the new go-to option for many organizations.
