What is a VPN? Virtual Private Networks Explained

8 minute read
Beginner

A VPN encrypts your internet connection and routes it through a secure server. Learn how VPNs work, the difference between consumer and enterprise VPNs, and why ZTNA is replacing VPN for corporate access.

How VPNs Work

A VPN client on the user's device establishes an encrypted tunnel to a VPN server or concentrator. All network traffic from the device is routed through this tunnel, encrypting it from the originating device to the VPN endpoint. From the VPN endpoint, traffic continues to its destination on the corporate network or internet, originating from the VPN server's IP address rather than the user's actual IP address.

Enterprise VPN vs. Consumer VPN

Enterprise VPNs — Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient — provide authenticated remote access to corporate networks. A remote employee connects through the VPN, authenticates with corporate credentials and MFA, and gains network-level access to corporate resources. All traffic between the employee's device and the corporate network is encrypted.

Consumer VPNs — NordVPN, ExpressVPN, Mullvad — are privacy tools that encrypt consumer internet traffic and route it through the VPN provider's servers, masking the user's IP address from websites and ISPs. They provide no access to corporate networks and are irrelevant to corporate security posture except as a potential policy concern when employees use them on corporate devices.

Split Tunneling

VPN split tunneling routes only traffic destined for corporate networks through the encrypted VPN tunnel, while traffic destined for the public internet goes directly from the user's device without VPN protection. Full tunnel VPN routes all traffic through the corporate network, giving security teams visibility into employee internet activity but increasing bandwidth consumption and latency. Most enterprise VPN deployments use split tunneling for performance reasons, which means internet-bound traffic from remote employee devices bypasses corporate security controls entirely.
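To make the bypass concrete, here is a small routing-policy model (added here as an illustration; it is not any vendor's client code, and the corporate prefixes and sample flows are constructed) that reports which flows leave a remote device without ever entering the tunnel under split versus full tunneling:

```python
"""Model of how a VPN client's routing policy decides which flows are protected.
Added illustration, not a vendor implementation; prefixes and flows are constructed."""
import ipaddress

# Constructed: prefixes the corporate VPN policy pushes as "send via tunnel".
CORPORATE_ROUTES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample flows from a remote employee's laptop.
SAMPLE_FLOWS = [
    ("10.20.5.7", 443, "internal HR portal"),
    ("172.31.0.12", 445, "file server"),
    ("203.0.113.15", 443, "public SaaS CRM"),
    ("198.51.100.9", 443, "unknown download site"),
]


def route_decision(dst, mode):
    """Return 'tunnel' or 'direct' for a destination under the given VPN mode.
    mode: 'full' (everything through the tunnel) or
          'split' (only CORPORATE_ROUTES through the tunnel)."""
    if mode == "full":
        return "tunnel"
    if mode != "split":
        raise ValueError(f"unknown mode {mode!r}")
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in CORPORATE_ROUTES) else "direct"


def uninspected_flows(flows, mode):
    """Flows that never reach the corporate security stack (proxy, IDS, DLP)
    because they leave the device without entering the tunnel."""
    return [(dst, port, label) for dst, port, label in flows
            if route_decision(dst, mode) == "direct"]


if __name__ == "__main__":
    for mode in ("full", "split"):
        bypass = uninspected_flows(SAMPLE_FLOWS, mode)
        print(f"{mode} tunnel: {len(bypass)} of {len(SAMPLE_FLOWS)} flows bypass corporate controls")
        for dst, port, label in bypass:
            print(f"  {label} -> {dst}:{port}")
```

Pointing the audit at the real include list pushed by a deployed VPN policy (and the actual destinations users talk to) is the quickest way to answer the "what traffic bypasses corporate security controls" question asked later on this page.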

VPN Security Limitations and Attack Vectors

VPN Vulnerabilities

VPN appliances are among the most targeted internet-facing systems in enterprise environments, for a simple reason: a successfully exploited VPN gives an attacker authenticated network access equivalent to a legitimate remote employee. This makes VPN appliances high-value targets for nation-state and criminal actors. Critical vulnerabilities in Pulse Secure VPN, Fortinet FortiGate, Citrix ADC, and Ivanti Connect Secure have been actively exploited in campaigns targeting government agencies, healthcare organizations, and critical infrastructure operators. CVE-2024-21887, a command injection vulnerability in Ivanti Connect Secure, was exploited by nation-state actors against US government agencies before a patch was available.

The Network Access Problem

The fundamental architectural weakness of VPN is that it grants network-level access — not application-level access. A remote employee connecting through VPN typically gains access to the entire corporate network segment their VPN policy permits, not just the specific applications they need. An attacker who compromises VPN credentials or exploits a VPN vulnerability gains the same broad network access. This stands in stark contrast to the principle of least privilege, which holds that users and systems should have access only to what they specifically need.

Zero Trust Network Access: The VPN Replacement

Zero Trust Network Access — ZTNA — is the architectural approach replacing VPN for corporate remote access. Rather than granting network-level access after authentication, ZTNA grants application-level access to specific resources based on continuous verification of user identity, device health, and contextual signals. An employee using ZTNA to access a financial reporting application gets access only to that application — not to the network segment containing it, adjacent servers, or other resources.

ZTNA eliminates the lateral movement opportunity that VPN creates. An attacker who compromises credentials in a ZTNA environment gains access to the specific applications the compromised user could access — not to the broader corporate network. Palo Alto Prisma Access, Zscaler Private Access, Cloudflare Access, and Microsoft Entra Private Access are the leading ZTNA platforms.
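The difference in blast radius between the two models can be shown with a small policy simulation (added here as an illustration; it is not the logic of any of the products named above, and every host, application, user and policy in it is constructed). The VPN policy is a permitted prefix, so anything living in that prefix is reachable with stolen credentials; the ZTNA policy is a set of named application grants gated on device posture, so the same stolen credentials on an unmanaged attacker machine reach nothing:

```python
"""Compares what a holder of one employee's credentials can reach under a VPN
policy (network-level) versus a ZTNA policy (application-level).
Added illustration, not a vendor product's logic; all data here is constructed."""
import ipaddress

# Constructed inventory: every service on the corporate segment.
RESOURCES = {
    "finance-app":   "10.10.1.20",
    "hr-portal":     "10.10.1.30",
    "db-primary":    "10.10.1.40",
    "backup-server": "10.10.1.50",
    "jump-host":     "10.10.2.5",
}

# VPN policy: the prefix this user's VPN group is allowed to route into.
VPN_POLICY = {"alice": [ipaddress.ip_network("10.10.1.0/24")]}

# ZTNA policy: explicit app grants, each with a device-posture requirement.
ZTNA_POLICY = {"alice": {"finance-app": {"managed_device": True}}}


def vpn_reachable(user):
    """Network-level access: every resource inside the permitted prefixes."""
    nets = VPN_POLICY.get(user, [])
    return {name for name, ip in RESOURCES.items()
            if any(ipaddress.ip_address(ip) in n for n in nets)}


def ztna_reachable(user, device):
    """Application-level access: only named apps whose posture checks pass."""
    grants = ZTNA_POLICY.get(user, {})
    return {app for app, required in grants.items()
            if app in RESOURCES
            and all(device.get(k) == v for k, v in required.items())}


def blast_radius(user, device):
    """Resources exposed if this user's credentials are stolen, per model."""
    return {"vpn": vpn_reachable(user), "ztna": ztna_reachable(user, device)}


if __name__ == "__main__":
    attacker_box = {"managed_device": False}   # stolen creds used from an unmanaged machine
    for model, reach in blast_radius("alice", attacker_box).items():
        print(f"{model}: {sorted(reach) or 'nothing'}")
```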

What PE Operating Partners Should Assess

For portfolio company remote access assessment: What VPN platform is deployed and when was it last patched? Are critical vulnerabilities in the deployed VPN version known and remediated? Is MFA required for VPN authentication? Is split tunneling configured, and what traffic bypasses corporate security controls? Is there a roadmap for migrating from VPN to ZTNA architecture? These questions reveal whether remote access represents a critical exposure point in the security posture.

Real-World Example: Ivanti VPN Exploited by Nation-State Actors 2024

In January 2024, CISA issued an emergency directive requiring US federal agencies to disconnect Ivanti Connect Secure and Policy Secure VPN appliances after multiple critical vulnerabilities were disclosed and actively exploited. The exploiting threat actors — attributed to Chinese nation-state groups — used the vulnerabilities to gain unauthenticated remote code execution on VPN appliances, then moved laterally into agency networks. CISA's directive was unusual in its urgency: agencies were required to disconnect the appliances regardless of patch status because the attackers had developed techniques for persisting through the factory reset process.

68% of remote workers use a personal VPN at home but not a corporate VPN for work — meaning corporate traffic, credentials, and data traverse untrusted networks without encryption or access controls.

How Cloudskope Can Help

Cloudskope's Zero Trust Architecture practice assesses current VPN deployment, evaluates patch currency and vulnerability exposure, and designs migration paths to ZTNA that eliminate network-level remote access while maintaining operational continuity for remote workforces.