Exclusive: Yuvraj Pradhan warns legacy VPNs are now a security risk
Legacy virtual private networks are increasingly viewed by security teams as a structural weakness rather than a safeguard, as organisations extend access beyond the perimeter and attackers exploit ageing designs.
SonicWall argues that the combination of outdated code, broad network access and hybrid work patterns has made traditional VPNs a frequent entry point for breaches.
"Legacy VPNs have been the backbone of the internet for the last two decades. However, as we modernise remote access, it is no longer deemed sufficient to protect today's environment," said Yuvraj Pradhan, Senior Director of Solution Engineering, APAC & Japan, SonicWall, during a recent interview.
"In the last year or so, most breaches are related to legacy VPNs. Every week we see a vendor reporting vulnerabilities in legacy VPNs. The core issue is that the software is outdated, there are vulnerabilities in the core, and the design in which it was built is no longer useful today."
Beyond security flaws, he said operational issues also persist. "We have seen performance issues, management complexity, and the overall design where you provide access to everything once you connect to a VPN. Those are some of the reasons why legacy VPNs are not sufficient."
Outdated software remains common across enterprise estates. "You will be surprised to know that about 60 to 70% of customers are still using old code, and that's where they are vulnerable to attacks," said Pradhan.
The long-term risks, he added, go beyond isolated incidents. "Today, legacy VPNs are seen as a weak link rather than an enabler of remote access security. They have been a target of so many attacks," said Pradhan.
"We see unauthorised access, authentication bypass, and they have been a gateway to a lot of ransomware attacks. In some cases, data breaches happen due to legacy VPN attacks. Because of the way they are designed, they can provide full access to an attacker. If somebody has entered the network, they have the keys to the kingdom."
Modern access
For SonicWall, modernising remote access starts with rethinking architecture. "The first is moving from legacy hardware to a cloud-native architecture that is simple to deploy and manage," said Pradhan.
"Second is moving from broad access to not trusting anyone and verifying all access. You need a detailed ability to identify who is connecting, validate them, and constantly verify what they are doing."
Protocol choice is also part of the shift. "Adopting modern protocols is important. Today, newer communication protocols such as WireGuard are much faster, have simpler code and are more secure," said Pradhan.
Hybrid working has accelerated the need for that change. "After the pandemic, operations became more flexible, but with more users outside the network the attack surface has changed," said Pradhan.
"Identity becomes a key issue. In a perimeter-based environment, once you are inside the network you feel secure. With everything moving to the cloud, if identity is compromised, they have access to everything."
Threat patterns reflect that exposure. "Identity-based threats are the most common today. In fact, 70% of attacks are related to identity," said Pradhan.
Cloud edge
SonicWall positions cloud secure edge as a replacement for traditional VPN access models. "Cloud secure edge is a way of protecting users, applications and devices wherever they are," said Pradhan.
"It is a cloud-native solution, it follows zero trust principles where you never trust but always verify, and there is continuous verification of privileges."
The model is designed to be location-agnostic. "You could be sitting at home, in a car park, or at a coffee shop," said Pradhan.
"It uses a very lightweight agent, and you can connect from anywhere."
He said customer concerns about migration are often overstated. "A common misconception is that it is very complex to migrate. That is not the case," said Pradhan.
"We have seen customers move within a day from legacy VPNs to modern solutions."
Cost is another concern that does not always materialise. "Customers feel that buying a new solution will cost a lot. We have seen customers paying the same amount or a little premium when they migrate," said Pradhan.
"There is also a perception that this is only for cloud-native enterprises. We have solutions like a private edge, where software is deployed on the customer's premises and connects securely to the cloud."
Mindset shift
Transitioning without disruption requires planning rather than wholesale change. "You need a phased approach. You cannot suddenly migrate everything," said Pradhan.
"You start with a small set of users and applications, do testing, workshops, end-user training and policy fine-tuning, and then migrate."
He said the biggest challenge is cultural rather than technical. "The traditional approach was that once you are inside the perimeter you are secure," said Pradhan.
"The biggest mindset change is assuming breach. You have to assume that at any point your systems could be compromised. Trust has to be earned and validated all the time."
"What we have seen in the past year is a lot of attacks across legacy VPNs," said Pradhan.
"In today's hybrid environment, where data, applications, devices and users are across on-premise, cloud and edge, we need a holistic approach to protect the environment."