VPN vs. ZTNA vs. SDP vs. NAC: What’s the difference? | SC Media
BrandView

November 23, 2021
VPNs carry a number of well-known weaknesses:
  • Exposed ports: a VPN gateway listens on well-known ports, so it is easily found by internet-wide scanning, and its banners and handshakes can be fingerprinted to reveal the vendor and version, paving the way for threat actors to exploit known flaws with commodity tooling
  • Over-privileged access: once connected, a client receives an address on the internal network, and preventing lateral movement then depends on an overly complex set of firewall rules maintained separately from the VPN itself
  • Limited throughput: a VPN concentrator’s encrypted throughput is bounded by its hardware or licence (typically below 1 Gbps for a single unit), so growth means adding appliances, cost and complexity
  • Vulnerable to man-in-the-middle attacks: many deployments authenticate only the server (by certificate or shared secret) and the user (by password) rather than validating certificates on both sides of the communication path, so a client that accepts an untrusted certificate can be intercepted
  • Centralized architecture: users coming into a central VPN access point are routed to their ultimate destination on the backend over some type of wide area network (WAN), a hairpinned topology that adds latency, causes performance issues, frustrates users and creates complicated routing dependencies
  • Lack of dynamic scale: VPNs must be architected for a certain volume of remote users and cannot scale up or down on demand to absorb unforeseen fluctuations
Network access control (NAC) solutions, meanwhile:
  • Can’t provide fine-grained least-privilege access and rely on existing network segmentation or VLANs (virtual LANs): admission decides which segment a device lands on, not which services it may use
  • Have limited ability to make access decisions based on user context (role, device posture, location, time) beyond the checks run at admission
  • Don’t provide secure, encrypted communications between clients and services; NAC governs who joins the network, not how traffic on it is protected
  • Must be paired with another solution (such as a VPN) for remote users, which adds more cost, complexity and administration
  • Aren’t practical to manage or scale, because of the IT administration needed to add devices and firewall rules on networks with large numbers of diverse, constantly changing users and devices
  • Don’t extend to cloud workloads: NAC controls admission to the corporate LAN and wireless, not access to IaaS or SaaS resources
An SDP/ZTNA approach, by contrast, is:
  1. Identity-centric: designed around the user identity rather than the IP address, and requires the user to authenticate before any network access is granted
  2. Zero Trust: applies the principle of least privilege to the network and its users, using micro-segmentation so that resources a user is not authorized for are invisible to them (they cannot be connected to or scanned)
  3. Cloud-centric: engineered to operate natively in the cloud and to deliver security that scales with demand
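To make the difference between the NAC/VPN points above (access decided by network position, with limited use of user context) and the identity-centric, least-privilege model concrete, here is an added example that is not part of the original article or of any vendor's product. It models the same user session under two policy models: a VPN-style rule that grants whatever the VPN address pool is routed to, and a default-deny entitlement list keyed on identity, group, MFA and device posture. The resource names, groups, addresses and the `Request`, `vpn_decision`, `ztna_decision` and `reachable` helpers are all constructed for the demonstration.

```python
"""Added example: network-position access (VPN / VLAN style) versus an
identity-centric, default-deny policy of the kind the SDP/ZTNA list describes.
All resource names, groups and addresses are constructed for the demo."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # group memberships from the identity provider
    mfa: bool                  # strong authentication completed this session
    device_compliant: bool     # posture check (disk encryption, EDR, patch level)
    src_ip: str                # address the request arrives from
    resource: str              # service the user is trying to reach


# Constructed inventory: each resource sits in a network segment.
RESOURCES = {
    "hr-db":       ("corp", "10.10.1.20"),
    "fileshare":   ("corp", "10.10.1.30"),
    "ci-server":   ("corp", "10.10.2.10"),
    "finance-app": ("finance", "10.20.0.5"),
}

# --- Model 1: VPN / VLAN reachability ------------------------------------
# Once a client holds an address from the VPN pool, what it can reach is
# decided by which segments that pool is routed and firewalled to. Identity
# and device state mattered at login, but play no part per resource.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
VPN_REACHABLE_SEGMENTS = {"corp"}   # the usual "remote workers get the corp LAN" rule


def vpn_decision(req: Request) -> str:
    src = ipaddress.ip_address(req.src_ip)
    segment, _ = RESOURCES[req.resource]
    if src in VPN_POOL and segment in VPN_REACHABLE_SEGMENTS:
        return "allow"
    return "deny"


# --- Model 2: identity-centric, default-deny policy ----------------------
# Each entitlement names one resource, the group allowed to use it and the
# session context required. Anything not matched is denied.
ENTITLEMENTS = [
    # resource,     required group, needs MFA, needs compliant device
    ("hr-db",       "hr",           True,      True),
    ("fileshare",   "staff",        False,     True),
    ("ci-server",   "engineering",  True,      True),
    ("finance-app", "finance",      True,      True),
]


def ztna_decision(req: Request) -> tuple[str, str]:
    """Return (verdict, reason). Source IP is deliberately not a factor."""
    for resource, group, need_mfa, need_compliant in ENTITLEMENTS:
        if resource != req.resource or group not in req.groups:
            continue          # another entitlement for this resource may still match
        if need_mfa and not req.mfa:
            return "deny", f"{resource}: MFA required"
        if need_compliant and not req.device_compliant:
            return "deny", f"{resource}: device not compliant"
        return "allow", f"{resource}: entitled via group '{group}'"
    return "deny", f"{req.resource}: no entitlement (default deny)"


def reachable(decider, req: Request) -> set[str]:
    """Every resource the same session could reach under a given model."""
    out = set()
    for name in RESOURCES:
        verdict = decider(Request(req.user, req.groups, req.mfa,
                                  req.device_compliant, req.src_ip, name))
        if isinstance(verdict, tuple):
            verdict = verdict[0]
        if verdict == "allow":
            out.add(name)
    return out


if __name__ == "__main__":
    # Constructed session: an HR user on the VPN with MFA and a compliant laptop.
    alice = Request("alice", frozenset({"hr", "staff"}), True, True, "10.200.3.7", "hr-db")
    print("VPN model :", sorted(reachable(vpn_decision, alice)))
    print("ZTNA model:", sorted(reachable(ztna_decision, alice)))
    # Same user after her laptop falls out of compliance: the VPN rule cannot tell.
    alice_bad = Request("alice", frozenset({"hr", "staff"}), True, False, "10.200.3.7", "hr-db")
    print("VPN, non-compliant :", vpn_decision(alice_bad))
    print("ZTNA, non-compliant:", ztna_decision(alice_bad))
```

Under the VPN rule the HR user can reach every service in the corp segment, including the CI server she has no business with, and a device that drops out of compliance mid-session keeps that reach; under the entitlement model she reaches only what her groups grant, and the posture change turns her access off. The per-resource, default-deny evaluation is what the "invisible unless authorized" wording in the SDP list refers to, and the example does not consult the source address at all, which is what "identity-centric rather than IP-centric" means in practice.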