
The Castle and Moat: Why the VPN Security Model Was Always Wrong

The castle-and-moat metaphor perfectly explains VPN security — and perfectly illustrates why it fails. A deep dive into the analogy and what replaces it.

May 14, 2025·10 min read

Once Upon a Time, There Was a Castle

The castle-and-moat is the oldest metaphor in network security, and it's never been more relevant — as a cautionary tale.

Here's the story: your corporate network is a castle. Your firewall is the wall. Your VPN is the drawbridge. Everyone inside the walls is trusted. Everyone outside is not. The moat (the internet) separates the two.

It's a comforting image. It's also completely, fatally wrong for the modern world. Let's follow the analogy to its logical conclusion and see where it breaks.

The Castle: Your Corporate Network

In the medieval version, the castle contains everything worth protecting: the treasury, the armory, the people, the food stores. All in one place, all behind one wall.

In the network version, the "castle" is your corporate network — the servers, databases, applications, and file shares that live behind your firewall. The VPN extends the castle walls to wherever your users happen to be.

Where the analogy holds: In the 1990s and early 2000s, the castle model was reasonable. Corporate resources really were in one place (the data center). The perimeter really was defensible (one internet connection, one firewall). And "inside" really did mean something — if you were physically in the office, you were trusted.

Where it collapses: Your castle isn't a castle anymore. It's more like a kingdom with a hundred villages, each in a different country. Your applications are in AWS, Azure, GCP, Salesforce, GitHub, Slack, and a closet in the office running software from 2009. There is no single wall to build around all of it. The VPN pretends the wall still exists by routing traffic through a central point — but that's not defense, it's detour.

The Drawbridge: Your VPN

The drawbridge is the VPN's perfect metaphor. There's one way in. You verify your identity at the gate (VPN authentication). Once you cross the drawbridge, you're inside the castle and free to go anywhere.

The security implication: The drawbridge checks who you are once. After that, you're trusted. You can walk into the treasury, the armory, the kitchen, or the dungeon. The guards at the gate don't follow you around asking "should you really be here?" at every door.

This is exactly how VPN access works. You authenticate once when connecting. After that, you have network access to everything the VPN subnet reaches. The VPN doesn't know or care if you're headed to the HR portal or the production database.

The attacker implication: If an attacker steals a guard's uniform (phished credentials), they walk across the drawbridge like everyone else. Once inside, they have free run of the castle. This is why credential theft + VPN access is the opening move in the majority of major breaches.

The Moat: The Internet

The moat keeps the barbarians out. You can't reach the castle without crossing it, and the only way across is the drawbridge.

Where the analogy holds: The internet is, in fact, untrusted. You shouldn't send sensitive data across it without encryption.

Where it fails: The moat assumes threats come from outside. Modern attacks are launched by people who are already "inside" — either through stolen credentials, phishing, compromised devices, or malicious insiders. The moat is irrelevant when the threat is already past the drawbridge.

Also, the moat assumes the castle is worth protecting. But if 80% of your applications are SaaS tools hosted outside the castle, your moat is protecting an increasingly empty fortress.

The Villagers: Your Users

In a real castle, the villagers live inside the walls. They go about their business — farming, trading, crafting — within the protected perimeter.

In the VPN model, your employees are the villagers. They "live inside the walls" when connected to the VPN. Their traffic is routed through the castle, and they access resources as members of the trusted interior.

The problem: Your villagers don't live in the castle anymore. They live in 30 different countries, work from coffee shops, co-working spaces, and home offices. Forcing all of them to route through the castle (the VPN concentrator) is like requiring every villager to walk back to the castle to buy bread, even when the bakery is across the street.

The Guard: Your Firewall

The castle has guards on the wall. They watch for external threats and control who enters.

The limit: Guards on the wall can't see what happens inside the castle. If someone sneaks past (or walks in with forged papers), the wall guards are useless. The castle has no internal security — no locks on individual rooms, no per-room access checks, no continuous surveillance.

This is the VPN's fundamental gap. Network firewalls protect the perimeter. Inside the perimeter, there's typically minimal segmentation and inspection. The VPN puts you inside the perimeter, and the firewall doesn't second-guess that decision.

The New Model: No Castle, All Locks

Zero Trust abandons the castle metaphor entirely. Instead of one wall around everything, every room has its own lock and its own guard.

Every application is its own building. It has its own door, its own authentication, its own access policy. You don't get into the treasury just because you're in the courtyard.

Every request is a knock on a door. Each time you want to enter a room, you identify yourself. The guard checks your identity, your purpose, your credentials, and whether you should be there right now. Not just once — every time.

There is no "inside." The concept of a trusted interior is eliminated. Every user, every device, every request is treated the same regardless of network location. An employee in the office, an employee at home, and a contractor in another country all go through the same verification.

The moat is optional. When every door has its own lock, the wall becomes less important. Traffic encryption (TLS) protects data in transit. Identity verification protects access. The moat — the network perimeter — becomes a defense-in-depth layer, not the primary defense.
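To make the drawbridge-versus-lock distinction concrete, here is a small added Python example (mine, not the article's) that models both decisions as code. The app names, groups, device-posture flags and MFA-age thresholds are constructed for illustration. The VPN function checks identity once and then grants whatever the subnet reaches; the Zero Trust function evaluates a per-application policy on every request and ignores network location, which is why the same phished account gets very different results under the two models.

```python
"""Added example: a toy access-policy engine contrasting the 'drawbridge'
(VPN) decision with per-request Zero Trust checks. Names and thresholds
are constructed, not taken from any real deployment."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Request:
    """One access request as a Zero Trust gateway would see it."""
    user: str
    groups: frozenset          # groups from the identity provider
    device_managed: bool       # device-posture signal (e.g. MDM enrolled)
    mfa_age_minutes: int       # minutes since the last strong auth
    app: str                   # application being requested
    src_network: str           # "office", "vpn" or "internet"; deliberately unused below

# Constructed: everything the VPN subnet can reach once you are "inside".
VPN_REACHABLE = {"wiki", "hr-portal", "prod-db"}

# Constructed per-application policies: each door has its own lock.
POLICIES: Dict[str, dict] = {
    "wiki":      {"groups": {"staff", "contractor"}, "managed_device": False, "max_mfa_age": 720},
    "hr-portal": {"groups": {"staff"},               "managed_device": True,  "max_mfa_age": 60},
    "prod-db":   {"groups": {"sre"},                 "managed_device": True,  "max_mfa_age": 15},
}

def vpn_decision(authenticated_at_gate: bool, app: str) -> bool:
    """Drawbridge model: one identity check at connect time, then any
    application the subnet reaches. Device, group and purpose are never asked."""
    return authenticated_at_gate and app in VPN_REACHABLE

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Smart-lock model: default deny, then the app's own policy is
    evaluated for this request. src_network is intentionally not consulted."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for app: default deny"
    if not (req.groups & policy["groups"]):
        return False, "group not permitted for this app"
    if policy["managed_device"] and not req.device_managed:
        return False, "device posture check failed"
    if req.mfa_age_minutes > policy["max_mfa_age"]:
        return False, "MFA too old for this app"
    return True, "allowed"

def compare_models(user: str, groups: frozenset, device_managed: bool,
                   mfa_age_minutes: int, src_network: str) -> Dict[str, dict]:
    """Run one identity against every app under both models and return the
    per-app verdicts, so the difference is visible side by side."""
    results = {}
    for app in sorted(VPN_REACHABLE):
        req = Request(user, groups, device_managed, mfa_age_minutes, app, src_network)
        zt_ok, reason = zero_trust_decision(req)
        results[app] = {
            "vpn": vpn_decision(True, app),   # credentials worked at the gate
            "zero_trust": zt_ok,
            "reason": reason,
        }
    return results

def audit_lines(user: str, results: Dict[str, dict]) -> List[str]:
    """Render the comparison as log-style lines, one per app."""
    return [
        f"user={user} app={app} vpn={'ALLOW' if r['vpn'] else 'DENY'} "
        f"zero_trust={'ALLOW' if r['zero_trust'] else 'DENY'} reason=\"{r['reason']}\""
        for app, r in results.items()
    ]

if __name__ == "__main__":
    # Constructed scenario: a staff member's phished password and a fresh
    # MFA prompt replayed from an unmanaged laptop on the public internet.
    phished = compare_models("alice", frozenset({"staff"}), device_managed=False,
                             mfa_age_minutes=5, src_network="internet")
    for line in audit_lines("alice", phished):
        print(line)
```

Running the script shows the asymmetry the article describes: the VPN model allows all three applications because the gate check passed, while the per-app policies allow only the wiki (no device requirement), deny the HR portal on device posture, and deny the production database on group membership, regardless of whether the request arrived from the office, the VPN or the open internet.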

The Analogy, Updated

If VPNs are a castle with a drawbridge, Zero Trust is a modern city with smart locks:

| Castle (VPN) | Smart City (Zero Trust) |
|---|---|
| One wall protects everything | Every building has its own security |
| Drawbridge checks identity once | Smart lock checks identity every time |
| Anyone inside can go anywhere | Each door is a separate decision |
| Guards only watch the perimeter | Cameras and logs everywhere |
| The wall determines trust | Identity determines trust |
| Building a bigger wall is expensive | Adding a new lock is cheap |
| The barbarians you fear are already inside | Threats are assumed and designed for |

Why the Castle Persists

If the castle model is so flawed, why do organizations still use it?

Familiarity. IT professionals grew up with the perimeter model. It's intuitive. "Build a wall, keep the bad guys out" is easier to explain to a board of directors than "eliminate implicit trust and verify every request contextually."

Sunk cost. Organizations have spent millions on VPN infrastructure. Admitting it's architecturally flawed feels like admitting that money was wasted. (It was, but that's a hard pill to swallow.)

Vendor incentives. VPN vendors are incentivized to evolve their product, not replace it. "VPN 2.0" is an easier sell than "you need to rethink your entire access model."

Fear. Removing the wall feels scary, even when you're replacing it with something stronger. The castle provides psychological comfort, even when the locks on the doors provide better actual security.

Tearing Down the Wall

The good news: you don't have to demolish the castle overnight. The practical approach:

  1. Start locking individual doors. Put your most important applications behind Cloudflare Access. The castle wall (VPN) still exists, but specific rooms now have their own security.
  2. Let people skip the drawbridge. Once applications have their own locks (Zero Trust policies), users can access them directly without crossing the drawbridge (connecting to VPN).
  3. Watch the drawbridge traffic decline. As more applications get their own locks, fewer people need the drawbridge.
  4. Eventually, raise the drawbridge. When the castle is empty — when every application has its own security — the wall and drawbridge serve no purpose.

The castle was a great idea in 1996. But the kingdom has outgrown its walls. It's time to stop building bigger moats and start installing better locks.
