Replacing Legacy VPN and NAC Solutions with a Next-Generation Network Security Client for Endpoints

4 min. read

With thousands of knowledge workers entering the mobile workforce every day, enterprises worldwide are reaping the benefits of operational agility, enhanced productivity and transformative collaboration. The ubiquity of mobile devices means any workers who happen to be mobile can connect their devices to access the corporate network from just about any location, be it from home, out in the field or anywhere on the go.  

While there is no doubt that the business benefits of a mobile workforce are many to count, remote workers also introduce significant security risks. Each time employees leave the physical boundaries of the corporate campus with their laptops or smartphones, they are leaving the protection of the network security perimeter. Making sure a roaming employee is secure is paramount to protecting both the employee and the corporate network from the risk of a breach.

Organizations clearly recognize the risks and alleviate them by allowing only authorized users and devices to connect to the network. By applying appropriate access controls and security policies, they ensure access to roaming workers from outside the typical perimeter of the corporate network. IT personnel typically rely on a virtual private network, or VPN, as their linchpin to provision mobile workers with a secure encrypted connection for remote access to the corporate network.  

A traditional VPN enables mobile workers to access proprietary corporate data over an untrusted personal or public network from their laptops, tablets and mobile phones as if these devices were connected directly to the organization’s central network. A network access control, or NAC, solution – optionally implemented inside the corporate perimeter – allows only authenticated mobile devices that comply with predefined security policies to retrieve proprietary resources available from the corporate network when the user is in the office.

So, to put it simply, these legacy VPN and NAC solutions serve only two main purposes: the former provisions mobile workers with remote access connectivity to the corporate network while the latter provides access control to workers from their approved, authenticated devices only when they are in the office. Nevertheless, both are deficient in terms of what organizations need today: the ability to provide advanced protection for their mobile workforce and corporate network against modern exploits prevalent today.

Legacy Solutions Fall Short in Protecting Mobile Users from Modern Exploits

Today, legacy VPN and NAC solutions fall short when it comes to providing foolproof security. These solutions were not designed for a new world where data and users are located everywhere. A massive widening of the threat surface due to enterprise data and applications being increasingly delivered from the cloud has made legacy solutions typically limited in their ability to provide adequate protection against growing security risks.  

While VPNs offer only remote connectivity and NAC provides some level of inside-the-office compliance checking and access control protection, they unfortunately cannot protect the mobile workforce from advanced attack tactics employed by today’s sophisticated threat actors – tactics such as advanced persistent threats, SaaS threats, spear phishing and identity theft. For IT personnel, legacy solutions fall short in removing remote access blind spots that arise by failing to provide deep visibility into application traffic carried over the secure VPN. In addition to failing in security aspects, just having to deploy a NAC solution with a VPN adds to the cost, complexity and management effort.

The Benefits of a Next-Generation Network Security Client for Endpoints

A next-generation network security client for endpoints goes much further to protect against modern exploits:

  1. Delivers full traffic visibility: It safeguards mobile users by inspecting all traffic using the organization’s next-generation firewalls (NGFWs) deployed as internet gateways—whether at the perimeter, in the demilitarized zone (DMZ) or in the cloud. 

  2. Stops advanced threats: It prevents highly evasive, advanced threats from infiltrating the corporate network from a compromised endpoint by identifying new, previously known and highly targeted malware from the mobile user’s traffic. The remote access client extends the security protections of the next-generation firewall to remote users by inspecting all traffic for malware by running it through an automated threat detection and prevention service.

  3. Controls access to SaaS applications: It provides secure access to SaaS applications by enforcing policies for sanctioned and tolerated SaaS applications while blocking unsanctioned applications.

  4. Implements Zero Trust: It implements Zero Trust principles, such as reliable user identification and multi-factor authentication, to allow access to sensitive information only on a need-to-know basis. 

  5. Enables secure, app-level access to third parties: It provides secure access to applications to partners, business associates and contractors by enabling a clientless SSL VPN simply through a web interface without requiring them to set up a full SSL VPN from their unmanaged BYOD devices.

The following table provides a basic comparison of key benefits among a next-generation network security client for endpoints, legacy VPN and legacy NAC solutions.

Key Benefits Next-Generation Network Security Client for Endpoints  Legacy VPN Legacy NAC

Provides remote access 


Provides secure connectivity 


Prevents internet and SaaS threats



Prevents identity theft



Protects internal networks


Implements Zero Trust



Enforces access policies based on user, device, content and application for complete visibility and granular control 



To learn more about how Palo Alto Networks secures mobile and roaming users with its next-generation network security client for endpoints outside traditional boundaries of the network perimeter, get a copy of our GlobalProtect datasheet.