TL;DR: Legacy VPNs were built for a different access model, and the SonicWall case shows how patch dependency, end-of-life exposure, and broad network reach create avoidable risk in hybrid environments, according to Appgate. The practical shift is toward identity-based, least-privilege access that reduces lateral movement and removes dependence on constant firefighting.
NHIMG editorial — based on content published by Appgate: the SonicWall VPN story and what it means for modern remote access security
Questions worth separating out
Q: What breaks when a VPN is used as the main remote access control in hybrid environments?
A: The main failure is that a VPN authenticates the user and then grants broad network reach, which makes lateral movement much easier than application-scoped access would.
Q: Why do legacy VPNs increase the risk of lateral movement after a successful login?
A: Legacy VPNs often place an authenticated user inside a trusted network zone, where internal segmentation is weaker than the access decision at the edge.
Q: How do security teams know whether a remote access programme is actually reducing exposure?
A: A remote access programme is working when each session has a limited, measurable reach and the organisation can show that users only see the applications they need.
Practitioner guidance
- Inventory all legacy VPN exposure points Map every internet-facing remote access gateway, its support status, patch history, and the internal resources reachable after authentication.
- Tie remote access retirement to lifecycle deadlines Build a formal replacement plan for end-of-life VPN infrastructure before support expires, including migration milestones, fallback controls, and owner assignments for each environment.
- Reduce lateral movement through resource-scoped policies Move remote users and third parties to policies that authorize access to specific applications or services instead of full network segments.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- Specific arguments for replacing broad tunnel access with identity-based access controls in hybrid environments
- Discussion of the SonicWall patching and end-of-life lessons that shape the broader remote access risk story
- Explanation of how Zero Trust changes the access model from network entry to resource authorisation
- Operational framing for why modernization is about resilience rather than product substitution
👉 Read Appgate's analysis of VPN risk, patch debt, and Zero Trust access →
VPN replacement and zero trust access: what teams need to know?
Explore further
Legacy VPNs create an access governance problem, not just a network design problem. The article’s core lesson is that tunnel-based access still assumes trust after authentication, which no longer holds in hybrid environments. Once a user or third party is inside the network, the model provides too much lateral reach for modern risk tolerance. Practitioners should treat remote access as an authorisation problem governed by identity policy, not as a connectivity layer issue.
A question worth separating out:
Q: Who is accountable when legacy remote access infrastructure stays in production after support ends?
A: Accountability sits with the teams that own access governance, infrastructure lifecycle, and risk acceptance together. Unsupported remote access systems are not just technical debt, they are formal risk decisions. Organisations should require named owners, retirement dates, and exception approvals so that end-of-life infrastructure cannot persist by default.
👉 Read our full editorial: Traditional VPN risk is outpacing hybrid access governance