TL;DR
The Problem
Our VPN firewall (Palo Alto PA-2020) has been unsupported for 6 years. Its GlobalProtect login portal is being actively attacked: 1.7 million login attempts in a single day. Its TLS is outdated, its cipher suites are weak, and 90% of users only connect to it to reset their password.
The Fix
Replace it with NetBird, an open-source WireGuard-based mesh VPN with no password login portal for attackers to target.
What Changes
| | Before (GlobalProtect) | After (NetBird) |
|---|---|---|
| User experience | Open app, click connect, wait | Nothing; it is always connected |
| Password resets | Connect to VPN first, then reset | Just go to aka.ms/sspr; the VPN is already on |
| Attack surface | Password login page on the public internet | No login page exposed; WireGuard silently drops packets from unknown peers |
| Encryption | TLS 1.0, 3DES, no forward secrecy | WireGuard (formally verified protocol; Curve25519 and ChaCha20-Poly1305) |
| Cost | Support cannot be renewed; the hardware is end-of-life | $0/month on existing infrastructure |
| Helpdesk tickets | ~200/year for VPN password issues | ~0 |
What It Costs
| Option | 5-Year Cost |
|---|---|
| NetBird on our existing servers | ~$10,000 (labor only) |
| Buy a new Palo Alto | ~$85,000 |
| Do nothing (risk-adjusted) | $155,000 to $832,000 |
How Long
10 weeks. NetBird runs alongside GlobalProtect during migration: zero downtime, and rollback is instant if anything breaks.
The Risk of Doing Nothing
- PA-2020: 6 years without a security patch
- Active credential-spraying campaign hitting our portal right now
- Insurers report 11x ransomware likelihood with self-managed VPNs
- Running EOSL hardware may void cyber insurance claims
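The credential-spraying claim above is the kind of thing a reviewer will ask to see evidence for. The script below is an added example, not part of the original proposal and not Palo Alto's or NetBird's code: it parses a constructed, simplified auth log (the line layout, addresses, usernames and thresholds are assumptions for illustration, not the PA-2020's real log format), counts attempts per day, and separates a spray (many usernames, each tried about once, from one source) from a brute-force run (many failures against one account).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source_ip> <username> <FAIL|SUCCESS>".
# The layout, addresses and usernames are invented for this example;
# it is NOT the PA-2020/GlobalProtect log format (assumption).
SAMPLE_LOG = """\
2024-05-01T02:00:01Z 203.0.113.7 alice FAIL
2024-05-01T02:00:02Z 203.0.113.7 bob FAIL
2024-05-01T02:00:02Z 203.0.113.7 carol FAIL
2024-05-01T02:00:03Z 203.0.113.7 dave FAIL
2024-05-01T02:00:03Z 203.0.113.7 erin FAIL
2024-05-01T02:00:04Z 203.0.113.7 frank FAIL
2024-05-01T02:00:05Z 203.0.113.7 grace SUCCESS
2024-05-01T08:15:10Z 198.51.100.4 alice FAIL
2024-05-01T08:15:11Z 198.51.100.4 alice FAIL
2024-05-01T08:15:12Z 198.51.100.4 alice FAIL
2024-05-01T08:15:13Z 198.51.100.4 alice FAIL
2024-05-01T08:15:14Z 198.51.100.4 alice FAIL
2024-05-01T08:15:15Z 198.51.100.4 alice FAIL
2024-05-01T09:00:00Z 192.0.2.10 helen FAIL
2024-05-01T09:00:20Z 192.0.2.10 helen SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>FAIL|SUCCESS)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_log(text):
    """Parse the constructed layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def attempts_per_day(events):
    """Total login attempts per calendar day (the 'N attempts in a day' figure)."""
    per_day = defaultdict(int)
    for e in events:
        per_day[e["ts"][:10]] += 1
    return dict(per_day)


def stats_by_source(events):
    """Attempts, failures and distinct usernames seen from each source address."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
    return stats


def classify(stats, min_attempts=5, min_fail_rate=0.5, spray_users=5, spray_user_ratio=0.8):
    """Label each noisy source. Thresholds are illustrative (assumption).

    credential_spraying: many distinct usernames, each tried about once
    brute_force:         many failures concentrated on one or a few usernames
    """
    findings = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.failures / s.attempts < min_fail_rate:
            continue  # too quiet, or mostly legitimate logins
        user_ratio = len(s.users) / s.attempts
        if len(s.users) >= spray_users and user_ratio >= spray_user_ratio:
            findings[ip] = "credential_spraying"
        else:
            findings[ip] = "brute_force"
    return findings


def analyze(text):
    """Full pipeline: raw log text -> {source_ip: label}."""
    return classify(stats_by_source(parse_log(text)))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("attempts per day:", attempts_per_day(events))
    for ip, label in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

Run as-is it labels 203.0.113.7 as a spray and 198.51.100.4 as brute force, and ignores the two-attempt source. Note that the spraying source also records one SUCCESS: a spray that lands once is a compromised account, which is exactly why a password portal on the public internet is the risk this proposal is about. Against a real feed, replace `LINE_RE` with a parser for the firewall's actual log format and feed it one day's worth of lines; the counting and classification logic does not change.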
What We Need
Approval to start. Phase 1 is spinning up a VM on existing hardware: reversible, zero cost, and takes one day.