# TL;DR

## The Problem

Our VPN firewall (Palo Alto PA-2020) has been unsupported for 6 years. It’s being actively attacked — 1.7 million login attempts in a single day. Our TLS is outdated, our crypto is weak, and 90% of users only connect to it to reset their password.
## The Fix

Replace it with NetBird — an open-source WireGuard mesh VPN that has no login portal to attack.
## What Changes

| | Before (GlobalProtect) | After (NetBird) |
|---|---|---|
| User experience | Open app, click connect, wait | Nothing — it’s always connected |
| Password resets | Connect to VPN first, then reset | Just go to aka.ms/sspr — VPN is already on |
| Attack surface | Login page on the public internet | None — no page exists |
| Encryption | TLS 1.0, 3DES, no forward secrecy | WireGuard (formally verified, modern crypto) |
| Cost | Can’t even renew — hardware is dead | ~$35-51/month (Azure VM management server) |
| Helpdesk tickets | ~200/year for VPN password issues | ~0 |
## What It Costs

| Option | 5-Year Cost |
|---|---|
| NetBird on Azure (recommended) | ~$2,100-3,100 |
| NetBird on-prem | ~$180 |
| Buy a new Palo Alto | ~$85,000 |
| Do nothing (risk-adjusted) | $155,000 — $832,000 |
## How Long

A single weekend (with pre-work the week before). NetBird runs alongside GlobalProtect during migration — zero downtime, instant rollback if anything breaks.
## The Risk of Doing Nothing

- PA-2020: 6 years without a security patch
- Active credential-spraying campaign hitting our portal right now
- Insurers report 11x ransomware likelihood with self-managed VPNs
- Running EOSL hardware may void cyber insurance claims
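The "1.7 million login attempts in a day" and "active credential-spraying campaign" claims above are the kind of thing a reviewer will want to see backed by the portal's own auth logs. The script below is an added example, not code from the original post or from NetBird or Palo Alto: it reads a constructed, generic auth-log format (`<ISO timestamp> src=<ip> user=<name> result=<ok|fail>`), counts failed logins per day, and flags a source as spraying when it fails against at least `SPRAY_MIN_USERS` distinct usernames in one day. Real GlobalProtect logs use a different layout, so `parse_line` and the threshold are assumptions that would need adapting.

```python
"""Count failed VPN-portal logins per day and flag credential-spraying sources.

Added example; the log format and threshold are assumptions, and the sample
lines are constructed for illustration (no real hosts or users).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source cycling through many usernames (spraying),
# one legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-05-01T00:00:01 src=203.0.113.10 user=alice result=fail
2024-05-01T00:00:02 src=203.0.113.10 user=bob result=fail
2024-05-01T00:00:03 src=203.0.113.10 user=carol result=fail
2024-05-01T00:00:04 src=203.0.113.10 user=dave result=fail
2024-05-01T00:00:05 src=203.0.113.10 user=erin result=fail
2024-05-01T08:15:00 src=198.51.100.7 user=alice result=fail
2024-05-01T08:15:30 src=198.51.100.7 user=alice result=ok
2024-05-02T03:00:00 src=203.0.113.10 user=frank result=fail
"""

# Assumed threshold: this many distinct usernames failing from one source
# in one day is treated as spraying rather than a forgotten password.
SPRAY_MIN_USERS = 5


def parse_line(line):
    """Split one constructed log line into (day, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    day = datetime.fromisoformat(ts).date().isoformat()
    return day, fields["src"], fields["user"], fields["result"]


def summarize(log_text, min_users=SPRAY_MIN_USERS):
    """Return failed-login counts per day and (day, src, user_count) spray hits."""
    failures_per_day = defaultdict(int)
    users_per_src_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src, user, result = parse_line(line)
        if result != "ok":
            failures_per_day[day] += 1
            users_per_src_day[(day, src)].add(user)
    # A spraying source tries many usernames with few attempts each; a single
    # user with a bad password produces many failures but one username.
    sprayers = sorted(
        (day, src, len(users))
        for (day, src), users in users_per_src_day.items()
        if len(users) >= min_users
    )
    return {"failures_per_day": dict(failures_per_day), "sprayers": sprayers}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, count in sorted(report["failures_per_day"].items()):
        print(f"{day}: {count} failed logins")
    for day, src, n in report["sprayers"]:
        print(f"SPRAY {day} {src}: {n} distinct usernames")
```

On the constructed sample, 2024-05-01 shows 6 failures, with 203.0.113.10 flagged for hitting five distinct accounts; the legitimate user's single mistake on 198.51.100.7 is not flagged. Running the same aggregation over the real portal log for the day in question is what turns the 1.7 million figure from an assertion into evidence for the proposal.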
## What We Need

Approval to start. Phase 1 is pre-work (Azure VM, DNS, Entra ID config) — all reversible, takes one week of prep then a weekend deployment.