Comparison of Zero Trust Access and VPN

Zero Trust Access is Cisco's alternative to VPN for secure remote access connections to configured private resources.

You can allow either or both connection methods for each private resource.

Zero Trust Access security benefits

  • Remote users connect to specific private resources rather than to an entire network, minimizing risk surface area.
  • An attacker who breaches a device or a zero-trust connection cannot glean information about your internal network.
  • You can allow authorized users of unmanaged devices to connect to specific resources without granting them access to your network. You will distribute a dummy URL to those users, so the real address is not exposed. This solution lets you securely provide browser-based access to end users such as:
    • contractors, vendors, trainers, outside legal counsel, etc.
    • employees on leave
  • End-users' endpoint/device posture is evaluated continuously to verify that the end-user device meets requirements. Posture can be assessed each time they access a resource, rather than just once when they join the network.
  • Access to each resource is denied by default; a user can reach a resource only after access to it has been explicitly granted.
  • Simpler setup than VPN.

Zero Trust Access end user benefits

  • Remote users can connect to internal resources in situations where they cannot use VPN.
    For example, an employee who is visiting a customer or vendor site can connect.
  • Users do not need to log in separately to the network before they can access resources configured for zero trust access.
  • After an end user with a managed device has completed initial setup of Cisco Secure Client, the user has the same experience accessing a resource whether in the office or working remotely.
  • Faster performance than VPN.

When to enable VPN

  • To allow end users to connect to all resources on the network that are not configured to disallow VPN access.
  • To enable connections to private destinations that are not configured as private resources.
  • To enforce some endpoint requirements that are not currently available in client-based zero-trust posture profiles.
  • While transitioning your organization to Zero Trust Access.
  • For traffic that cannot be connected using Zero Trust Access, including traffic to the following types of applications:
    • Client-to-client traffic, for example peer-to-peer Voice over IP (VoIP)
    • Server-to-client traffic, for example remote assistance
    • Applications that require a unique client IP address, for example those that use the SMBv1 protocol
    • Applications that require SRV DNS records, for example Active Directory, Kerberos, or the Microsoft Configuration Manager
    • Applications that perform an ICMP connectivity check before connecting using TCP or UDP
