Let’s look at some of the leading vendors of well-known legacy VPN products and compare them to Banyan Security’s Zero Trust Network Access (ZTNA) solution featuring Service Tunnel.

Limits of legacy VPN deployments

Vendor Product
Cisco ASA / AnyConnect
Palo Alto Networks GlobalProtect
Ivanti (Pulse Secure) Pulse Connect Secure
Check Point Software Technologies Quantum VPN
F5 BIG-IP Access Policy Manager (APM)
Fortinet FortiGate
SonicWall SonicWall VPN
Array Networks SSL VPN Secure Access
Citrix Access Gateway

Physical appliances have numerous limits. You need to order them and wait for them to arrive (and sometimes make it through Customs), before you unbox, rack, wire, power-on, and provide cooling.

Also, have a single appliance means that both the control and data planes are on the same box. If either fails, there is no access.

Banyan’s ZTNA is cloud native using scalable, highly-available microservices. The Controller is in the cloud and completely independent of the data plane. You’ll have always-available, anywhere access with minimal fuss.

Deploying Active/Passive clusters are expensive. You buy hardware and licenses that are rarely used, if ever.

Banyan’s ZTNA model never charges for gateways or connectors. To get the performance, scale, and best experience possible, Banyan’s ZTNA auto scales as needed to ensure global availability. Deploy connectors to your disaster recovery (DR) sites if you’re deploying software there, all at no additional cost and little configuration changes. You can also automate these deployments using Terraform.

No need to touch the edge

VPNs require inbound and outbound access meaning you’ll need to log in to your edge firewall (FW) and open many ports. Not only does this take time, but each port that’s opened means the attach surface increases.

Banyan’s ZTNA connector does not require any inbound ports to be opened since it only makes outbound connections over standard, secure ports. Add as many ZTNA connectors in your data center or in your cloud provider as needed without ever having to log into your FW.

VPNs require external IP addresses on your DMZ which means logging in to your edge firewall (FW). Not only does this take time, but each external IP address may cost you money.

Banyan’s ZTNA connector does not require a static external IP address. Adding additional ZTNA connectors is possible without consuming a valuable external IP address.

VPNs require certificates which are tied to static hostnames. This means paying for SSL certificates and needing to update DNS records each time you add a single VPN appliance.

Banyan’s ZTNA solution is cloud-based so we automatically take care of DNS and certificates for all aspects of the solution. ZTNA connectors can be spun up without ever having to worry about buying a certificate or adding/updating DNS records.

Decision-less access

Your end user needs to know a lot about your architecture and where backend resources live. They must make the decision on where and how they must connect before they do their actual work.

Banyan ZTNA makes it very simple. End users log in to the Banyan app and are magically connected to all their authorized resources whether you have one office or hundreds of locations, physically or in the cloud. No more decisions, just productivity.

Tunnels made easy

Banyan Security’s vision is to help organizations migrate from inefficient, legacy VPNs and to do so introduced the Service Tunnel (ST) capability. The Service Tunnel isn’t for all members of the organizations. An organization that’s deploying using Zero Trust principles should deploy in the most secure, least privilege access method possible. For super users, and those with special requirements, a Service Tunnel can be the appropriate answer. The Service Tunnel is a tunneled, layer 4 connection to a single server and a specific port. A sample use case for this is when trying to local map a drive to a remote file server. The Service Tunnel can also be used when backhauling traffic that’s intended for a source-IP-validated SaaS application.

Service Tunnel configuration is simple and there a workflow (or wizard) that makes this possible:

The policy to allow the use of a Service Tunnel is also simple to configure. The authorization policy can be based on specific users, groups, devices, and/or a combination of these parameters.

The access policy can be to a specific IP and port, or it can be expanded to subnets, ports, and various protocols:

A single service tunnel can be used to connect to resources sitting behind multiple (or all) of your Banyan Connectors.

For the end user, the only decision that needs to be made is whether to access Banyan or not. Your end user doesn’t need to know where VPN appliances are deployed, or what backend resource is available through which VPN appliance. Simply log in to Banyan and be productive.

Next steps

  1. Learn more about legacy VPN replacement
  2. Sign up for Team Edition and quickly deploy a Service Tunnel
  3. Learn more about getting started with Banyan’s Free Team Edition


author avatar
Ashur Kanoon