Why Firewalls and VPNs Are Bad for Security (and what to use instead)

For decades, firewalls and VPNs have been the go-to products for securing corporate networks. But in today’s hybrid, cloud-first world, those same tools are becoming liabilities — exposing organizations to security gaps, slowing down performance, and adding significant operational complexity. It’s time to rethink them, not as pillars of security, but as outdated choke points.

The Problem with Firewalls: The Castle Walls Are Crumbling and the People Have Left

The traditional firewall approach is rooted in the “moat and castle” model — trust everyone inside, block everyone outside. This assumes that threats only come from beyond the perimeter. In reality, attackers often gain entry through compromised accounts, phishing, or vulnerable devices inside the network. Once in, a firewall offers little protection against lateral movement.

The rise of SaaS, cloud workloads, and remote users has rendered the concept of a fixed, static perimeter obsolete. Firewalls were never built to manage today’s dispersed environments, forcing IT teams to patch together products, rules and exceptions that often introduce more risks than they mitigate.

VPNs: The Door That Stays Open

While VPNs were intended to provide secure remote access, they’ve become a favorite target for cybercriminals. The VPN model grants broad network access once a user is authenticated, meaning if an account or device is compromised, attackers can roam freely.

Worse, VPNs have a long history of severe vulnerabilities and zero-day exploits. By the time a CVE is published, many of these flaws are already being exploited in the wild. Publishing the address of your VPN gateway so that legitimate users can reach it also hands attackers a known target. Fortinet alone had over 123 CVEs in 2024 — and multiple already in early 2025. Constant patching is an unsustainable game of whack-a-mole.

A recent CSO Online article, “,” echoes this sentiment, naming VPNs and legacy perimeter defenses as prime examples of outdated, high-risk security methods.

The Performance and Productivity Penalty

Security aside, both firewalls and VPNs can degrade user experience. Hairpinning traffic through data centers or Points of Presence (PoPs), especially for cloud and SaaS apps, adds unnecessary latency and creates bottlenecks. This not only frustrates employees but also hurts productivity. One insurance company saw such severe performance issues with Fortinet and Cisco AnyConnect that they replaced them with — eliminating connectivity complaints almost overnight.

Moving Beyond Legacy Security

The alternative is adopting a high-performance Zero-Trust Network Access (ZTNA) approach through a modern, software-only platform like Cloudbrink’s Personal SASE. Unlike firewalls and VPNs, Cloudbrink:

  • Enforces least-privilege, identity-based access for every session, with continuous device posture checks.
  • Shifts the enforcement point from a centralized gateway to the user, following them wherever they go.
  • Uses Mutual TLS 1.3 with certificate rotation every 8 hours, closing the door on long-lived credentials.
  • Eliminates the need for hairpinning, delivering LAN-like speeds even over lossy networks.
  • Is inherently immune to the VPN zero-day vulnerabilities that plague traditional solutions.
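As an added illustration (not Cloudbrink's code), the Go server configuration below shows what the mutual TLS 1.3 and 8-hour rotation point amounts to in practice: TLS 1.3 only, a client certificate required on every connection, and a verification hook that refuses any client certificate whose validity window is longer than 8 hours, so a leaked long-lived credential is rejected even if it chains to a trusted CA. The function and constant names are assumptions, and the sample certificate in main is constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// MaxClientCertLifetime mirrors the 8-hour rotation interval described above.
const MaxClientCertLifetime = 8 * time.Hour

// certLifetimeOK rejects a client certificate that is missing, not valid at
// time now, or issued with a validity window longer than maxLifetime. A cert
// valid for weeks is exactly the long-lived credential short rotation removes.
func certLifetimeOK(cert *x509.Certificate, maxLifetime time.Duration, now time.Time) error {
	if cert == nil {
		return errors.New("no client certificate presented")
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		return fmt.Errorf("invalid validity window: %v is not after %v", cert.NotAfter, cert.NotBefore)
	}
	if lifetime > maxLifetime {
		return fmt.Errorf("client cert lifetime %v exceeds policy maximum %v", lifetime, maxLifetime)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("client cert not valid at %v", now)
	}
	return nil
}

// newMTLSServerConfig demands a client cert chained to clientCAs, forces TLS 1.3,
// and layers the lifetime policy on top of the standard chain verification.
func newMTLSServerConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
		// Runs only after chain verification succeeds; verifiedChains[0][0] is the leaf.
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
				return errors.New("no verified client chain")
			}
			return certLifetimeOK(verifiedChains[0][0], MaxClientCertLifetime, time.Now())
		},
	}
}

func main() {
	now := time.Now() // constructed sample: issued an hour ago, 7 hours left
	c := &x509.Certificate{NotBefore: now.Add(-time.Hour), NotAfter: now.Add(7 * time.Hour)}
	fmt.Println("8h cert accepted:", certLifetimeOK(c, MaxClientCertLifetime, now) == nil)
}
```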

By replacing legacy firewalls and VPNs with a zero-trust, high-performance model, organizations can protect against modern threats while boosting user experience and productivity.
