What Legacy Security Gateways Are Still Running in Defense Networks?
Defense networks operate on equipment lifecycles that commercial enterprises abandoned years ago. VPN concentrators deployed in 2014. Jump servers running Windows Server 2012 R2. SSL/TLS gateways with firmware from 2018. Standalone data diodes connected to SMB proxies connected to point TCP connectors – each from a different vendor, each with its own patch cadence (or absence of one), each creating an attack surface that adversaries actively target.
This is not a theoretical concern. As of early 2025, only 14% of DoD target-level zero trust activities had been completed. The Pentagon’s September 2027 deadline for target-level Zero Trust across IT systems is approaching, with OT-specific deadlines set for FY 2030 and FY 2033. The November 2025 DoD guidance “Zero Trust for Operational Technology Activities and Outcomes” outlined 84 target-level and 21 advanced-level ZT activities specifically for OT and control systems – covering everything from facility control systems and power grids to water treatment and transportation infrastructure.
Meanwhile, adversary activity is intensifying. Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, a 64% increase year-over-year. The fiscal 2026 defense authorization bill allocated roughly $15 billion toward cyber initiatives tied to modernization and Zero Trust. The message from Congress, the Pentagon, and the threat landscape is the same: replace legacy security gateways with a Zero Trust architecture now, not later.
This article provides a practical replacement guide for defense security officers who need to decommission legacy gateway infrastructure and stand up Zero Trust connectivity that meets DoD requirements – without disrupting operational systems.
What Exactly Needs to Be Replaced?
The question is not “should we replace legacy gateways?” The mandate is clear. The question is what specifically constitutes legacy gateway infrastructure in a defense network, and what replaces each component.
The Legacy Gateway Stack
Most defense installations operate some combination of these components at the boundary between classified/unclassified networks, between IT and OT, or between the installation and external partners:
| Legacy Component | What It Does | Why It Is a Problem in 2026 |
| --- | --- | --- |
| VPN concentrator | Provides encrypted tunnel for remote access | Opens inbound ports; grants network-level access; primary ransomware entry vector; requires constant patching of internet-facing firmware |
| Jump server / bastion host | Provides RDP/SSH access to internal systems | Creates lateral movement pathway; typically has broad network access; shared credentials common; limited or no session recording |
| SSL/TLS gateway | Terminates encrypted sessions at network boundary | Often running outdated TLS versions; may not support TLS 1.3; limited policy granularity |
| Standalone data diode | Enforces unidirectional data transfer | Handles files only; cannot support interactive sessions, bidirectional file sharing, or API connectivity |
| SMB proxy / file gateway | Provides bidirectional file sharing between zones | Separate product from access controls; own logs, own policies, own vendor |
| Point TCP connectors | Enables specific bidirectional application connections | Often undocumented; embedded in vendor products; invisible to SOC; no identity integration |
| Legacy MFA appliance | Provides two-factor authentication | May not support FIDO2/PIV/CAC natively; often SMS or token-only; not per-session |
The truePass platform consolidates the functions of all seven components into a single architecture. The VPN concentrator, jump server, standalone SMB proxy, point TCP connectors, and legacy MFA appliance are eliminated. The data diode is retained only where regulation mandates physical unidirectional enforcement.
How to Identify What You Actually Have
Defense security officers often discover that the documented gateway inventory is incomplete. Legacy infrastructure accumulates – a connector installed for a vendor integration in 2019, a persistent SSH tunnel that was “temporary,” a direct database connection that bypasses the DMZ entirely.
Before starting any replacement, complete this inventory:
- Export the full firewall rule set for every boundary between classification zones, between IT and OT, and between the installation and external networks
- Run a 14-day network flow analysis at each boundary to capture all active connections – not just documented ones
- Identify every user and service account with cross-boundary access
- Document every vendor remote access mechanism – including embedded tunnels in vendor-supplied equipment
- Record the firmware/software version of every gateway component – note anything end-of-life or end-of-support
This inventory typically reveals 30–50% more connectivity than documented. Every undocumented connection is an unmonitored attack path.
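The 14-day flow analysis above is where undocumented connectivity surfaces. The script below is an added example written for this article (not part of the original page or any vendor product) showing the core of that analysis: it reads Zeek-style conn.log records, maps each endpoint to a zone by CIDR, keeps only flows that cross a zone boundary, and reports every (source zone, destination zone, protocol, port) tuple that is absent from the documented connection list, flagging long-lived sessions that look like "temporary" tunnels nobody closed. The zone ranges, the documented list, and the sample log lines are all constructed for the demo.

```python
"""Cross-boundary flow inventory: find the connections the documentation missed.

Added example, not from the original article or any vendor product. Parses a
subset of Zeek conn.log fields (ts, orig_h, orig_p, resp_h, resp_p, proto,
duration), classifies endpoints into zones by CIDR, and reports cross-zone
flows missing from the documented allow list. Zones, ports, and the sample
log are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone plan for one installation (constructed, not from the article).
ZONES = {
    "IT":  [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT":  [ip_network("172.16.0.0/16")],
}

# Cross-boundary connections the firewall documentation says should exist.
DOCUMENTED = {
    ("IT", "DMZ", "tcp", 443),    # users -> VPN concentrator
    ("DMZ", "OT", "tcp", 3389),   # jump server -> engineering workstations
    ("IT", "OT", "tcp", 445),     # SMB proxy -> file share
}

# Constructed sample: tab-separated, one flow per line, '#' lines are headers.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
1710000000.0\t10.10.5.21\t51000\t10.20.0.10\t443\ttcp\t1200.0
1710000100.0\t10.20.0.10\t52000\t172.16.4.15\t3389\ttcp\t3600.0
1710000200.0\t10.10.7.9\t53000\t172.16.9.40\t445\ttcp\t45.0
1710000300.0\t10.10.7.9\t53010\t172.16.9.41\t1433\ttcp\t90.5
1710000400.0\t203.0.113.7\t40000\t172.16.2.2\t22\ttcp\t86400.0
1710000500.0\t172.16.2.2\t40500\t172.16.2.9\t502\ttcp\t10.0
"""


def zone_of(addr: str) -> str:
    """Return the zone name for an address; anything outside the plan is EXTERNAL."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "EXTERNAL"


def parse_conn_log(text: str):
    """Yield (ts, src, dst, proto, dport, duration) from the conn.log subset."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        duration = float(f[6]) if f[6] != "-" else 0.0
        yield float(f[0]), f[1], f[3], f[5], int(f[4]), duration


def undocumented_flows(text: str, long_lived_s: float = 8 * 3600):
    """Cross-boundary flow tuples missing from DOCUMENTED, with counts and durations."""
    seen = defaultdict(lambda: {"count": 0, "max_duration": 0.0, "long_lived": False})
    for _ts, src, dst, proto, dport, duration in parse_conn_log(text):
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                                   # intra-zone traffic is out of scope
        rec = seen[(sz, dz, proto, dport)]
        rec["count"] += 1
        rec["max_duration"] = max(rec["max_duration"], duration)
        rec["long_lived"] |= duration >= long_lived_s   # a "temporary" tunnel that never closed
    return {k: v for k, v in seen.items() if k not in DOCUMENTED}


if __name__ == "__main__":
    for key, rec in sorted(undocumented_flows(SAMPLE_CONN_LOG).items()):
        print(f"UNDOCUMENTED {key[0]}->{key[1]} {key[2]}/{key[3]}: "
              f"{rec['count']} flows, longest {rec['max_duration']:.0f}s"
              + (" [long-lived]" if rec["long_lived"] else ""))
```

On the constructed sample the script ignores the three documented paths and the intra-OT Modbus traffic, and surfaces two findings: an IT-to-OT SQL connection (tcp/1433) that bypasses the file gateway, and an external SSH session into the OT zone that has been open for a full day. Run against real conn.log exports, aggregate over the whole 14-day window before comparing with the firewall documentation.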
What Does the DoD Zero Trust Framework Require for Gateway Replacement?
DTM 25-003 (July 2025) directs all DoD components to achieve target-level Zero Trust across all systems. The November 2025 OT-specific guidance adds 84 target-level activities. The NSA’s Zero Trust Implementation Guidelines (January 2026) provide phased implementation from Discovery through Phase Two.
For defense security officers planning gateway replacement, the relevant requirements map to specific architectural decisions:
| DoD ZT Requirement | What It Means for Gateway Replacement |
| --- | --- |
| Continuous authentication | Every session must re-verify identity – not just the initial VPN login. Per-session MFA replaces VPN-level authentication |
| Least privilege access | Application-level access to specific resources replaces network-level VPN access. Users reach one workstation, not the entire SCADA zone |
| Network segmentation | Microsegmentation at the application level replaces VLAN-based segmentation. Each session is an isolated segment |
| Deny-by-default | No inbound allow rules into the protected zone replaces "deny most, allow some." The only cross-boundary rule is an outbound one, from the protected zone to the DMZ |
| Continuous monitoring | Unified audit trail with per-session recording replaces fragmented logs from 4–6 legacy products |
| Data-level controls | CDR (Content Disarm and Reconstruction) scanning and file-level policy enforcement replace uncontrolled SMB file sharing |
| Device compliance | Device posture check at every session replaces one-time VPN client validation |
The 91 Target-Level Activities
The DoD Zero Trust Strategy and its Capability Execution Roadmap define 45 capabilities broken into 152 activities: 91 at target level and 61 at advanced level. For OT, the November 2025 guidance defines 84 target-level and 21 advanced-level outcomes. A single consolidated platform that handles identity, access, file sharing, session recording, and audit inherently addresses more of these activities than a stack of 5–6 legacy products – because the activities assume integrated, per-request decision-making that fragmented architectures cannot deliver.
How to Replace Legacy Security Gateways with Zero Trust Access: Component by Component
Replacing the VPN Concentrator
What you remove: Internet-facing VPN appliance listening on inbound TCP 443 (SSL VPN), UDP 1194 (OpenVPN) or UDP 500/4500 (IPsec), VPN client software on endpoints, split-tunnel or full-tunnel configuration, and VPN-level authentication (typically username/password plus a token).
What you deploy: Access Gateway in the DMZ (authentication and policy enforcement only) + Access Controller inside the protected network (initiates outbound HTTPS 443 to Gateway). The Access Controller pulls authorized sessions inward through the outbound tunnel. No inbound firewall rules. No internet-facing attack surface.
What changes for the user: They authenticate at the Gateway with their PIV/CAC + MFA, and receive application-level access to the specific resource they are authorized for. They do not receive network-level access to anything.
What changes for the attacker: There is no path into the protected network to find. No VPN portal to probe, no inbound port on the OT or classified zone to exploit, no password login page to brute-force. The only externally reachable component is the Gateway in the DMZ, which presents the PIV/CAC authentication endpoint; no inbound firewall rule points at the protected network, because the Access Controller reaches the Gateway outbound.
Success criteria: External scan (Shodan, Censys, Nmap) of the protected zone's address ranges returns zero services, and the only service visible on the installation's external range is the Gateway's authentication endpoint. VPN concentrator firmware patch cycles come off the maintenance calendar; the Gateway still needs patching, but it is one component with no network-level access behind it rather than a network-level entry point.
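The firewall change behind this replacement is easy to state and easy to get wrong, so here is an added example (written for this article, not vendor code or a real installation's export) that puts the legacy rule set and the reverse-access rule set side by side as an ordered first-match policy. It evaluates probe packets against each, and then runs the two checks the deny-by-default requirement implies: no allow rule terminates in the protected zone, and the only allow leaving the protected zone is the Access Controller's outbound TCP/443 to the DMZ Gateway. Zone ranges, rule names, and addresses are constructed.

```python
"""Boundary firewall policy, legacy vs. reverse access, with a first-match evaluator.

Added example for this article; rule sets and addresses are constructed.
Models the firewall between the internet, a DMZ and a protected OT zone as an
ordered first-match policy with an implicit final deny, then checks that the
protected zone has no inbound allow and that its only egress is the Access
Controller's outbound TCP/443 to the Gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {"DMZ": ip_network("10.20.0.0/24"), "OT": ip_network("172.16.0.0/16")}
PROTECTED = {"OT"}


def zone_of(addr: str) -> str:
    """Specific ranges first; anything else is the internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" | "deny"
    src_zone: str          # zone name or "any"
    dst_zone: str
    proto: str             # "tcp" | "udp" | "any"
    dport: Optional[int]   # None = any port

    def matches(self, src, dst, proto, dport) -> bool:
        return (self.src_zone in ("any", zone_of(src))
                and self.dst_zone in ("any", zone_of(dst))
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; the implicit final rule is deny."""
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return r.action, r.name
    return "deny", "implicit-deny"


# Legacy stack: VPN concentrator reachable from the internet, jump server reaching into OT.
LEGACY_RULES = [
    Rule("vpn-ssl",       "allow", "INTERNET", "DMZ", "tcp", 443),
    Rule("vpn-openvpn",   "allow", "INTERNET", "DMZ", "udp", 1194),
    Rule("jump-rdp",      "allow", "DMZ",      "OT",  "tcp", 3389),
    Rule("smb-proxy",     "allow", "DMZ",      "OT",  "tcp", 445),
    Rule("vendor-tunnel", "allow", "INTERNET", "OT",  "tcp", 22),   # the "temporary" one nobody removed
    Rule("deny-all",      "deny",  "any",      "any", "any", None),
]

# Reverse access: the Controller inside OT dials out to the Gateway; nothing dials in.
ZT_RULES = [
    Rule("users-to-gateway", "allow", "INTERNET", "DMZ", "tcp", 443),  # PIV/CAC auth endpoint
    Rule("controller-egress", "allow", "OT",      "DMZ", "tcp", 443),  # outbound tunnel only
    Rule("deny-all",          "deny",  "any",     "any", "any", None),
]


def inbound_allows_into_protected(rules):
    """Names of allow rules whose destination is protected and whose source is not."""
    return [r.name for r in rules
            if r.action == "allow" and r.dst_zone in PROTECTED and r.src_zone not in PROTECTED]


def protected_egress_is_only_controller(rules, gateway_zone="DMZ") -> bool:
    """True when every allow leaving a protected zone is TCP/443 to the gateway zone."""
    egress = [r for r in rules if r.action == "allow" and r.src_zone in PROTECTED]
    return all(r.dst_zone == gateway_zone and r.proto == "tcp" and r.dport == 443 for r in egress)


def phase6_check(rules) -> bool:
    """Deny-all inbound to protected zones, and only the Controller's tunnel leaves them."""
    return inbound_allows_into_protected(rules) == [] and protected_egress_is_only_controller(rules)


if __name__ == "__main__":
    probes = [("203.0.113.7", "10.20.0.10", "tcp", 443),   # internet -> DMZ 443
              ("203.0.113.7", "10.20.0.10", "udp", 1194),  # internet -> OpenVPN
              ("10.20.0.10", "172.16.4.15", "tcp", 3389),  # jump server -> OT RDP
              ("203.0.113.7", "172.16.2.2", "tcp", 22),    # internet -> OT SSH
              ("172.16.0.50", "10.20.0.20", "tcp", 443)]   # Controller -> Gateway
    for label, rules in (("legacy", LEGACY_RULES), ("zero-trust", ZT_RULES)):
        print(f"{label}: phase 6 check passes = {phase6_check(rules)}")
        for p in probes:
            print("   ", p, "->", evaluate(rules, *p))
```

Note what the check does not prove: it validates the rule export, not the running device. Pair it with the external scan in the success criteria and with the flow inventory from the previous section, since a rule set with no inbound allows is only meaningful if no undocumented path exists around the firewall.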
Replacing the Jump Server
What you remove: Windows Server-based jump server with RDP access to multiple internal systems. Typically has broad network connectivity to the SCADA zone or classified segment. Often shared credentials. Rarely session-recorded.
What you deploy: Per-workstation RDP policies through the consolidated platform. Each user receives RDP access to their specific authorized workstation only – not to the jump server, and not to the network. Session recording (video + keystroke) is mandatory. Clipboard, drive, and printer redirection are disabled by policy.
What changes for the user: The RDP session looks and behaves identically. The user no longer logs into a jump server first – they authenticate once at the Gateway and receive a direct (tunneled) RDP session to their target workstation.
What changes for the SOC: Instead of correlating VPN logs + jump server Windows Event Logs + target workstation logs from three different systems, they see a single audit record per session with complete identity, device posture, policy authorization, and full recording.
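The requirements table earlier and the jump server replacement just described both come down to one per-session decision that produces one audit record. The following added example (written for this article, not the platform's code) shows that decision for an RDP request: deny by default, PIV/CAC identity with a fresh per-session MFA rather than a login-time one, device posture checked at session time, least privilege to exactly one named workstation rather than the zone, clipboard/drive/printer redirection off by policy, and a single record carrying identity, device, policy and recording identifier. User names, host names, EDIPI values, policy names, and the five-minute MFA freshness window are all constructed assumptions.

```python
"""Per-session Zero Trust access decision emitting one unified audit record.

Added example for this article, not vendor code. Every name, host, EDIPI and
threshold below is constructed. The decision is "deny" unless every check
passes; the returned dict is the single audit record the SOC would consume.
"""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

MFA_MAX_AGE = timedelta(minutes=5)   # assumption: per-session MFA must be this fresh


@dataclass(frozen=True)
class Identity:
    upn: str
    edipi: str                         # CAC identifier (constructed value)
    piv_cert_valid: bool               # chain + revocation already checked upstream
    mfa_verified_at: Optional[datetime]


@dataclass(frozen=True)
class Device:
    host_id: str
    os_patch_age_days: int
    edr_running: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Policy:
    name: str
    subjects: FrozenSet[str]           # EDIPIs allowed
    protocol: str                      # "rdp"
    target_host: str                   # exactly one workstation, never a subnet
    max_patch_age_days: int = 30
    record_session: bool = True
    redirection: FrozenSet[str] = frozenset()   # allowed RDP redirections; empty = none


def posture_failures(dev: Device, pol: Policy):
    fails = []
    if not dev.edr_running:
        fails.append("edr_not_running")
    if not dev.disk_encrypted:
        fails.append("disk_not_encrypted")
    if dev.os_patch_age_days > pol.max_patch_age_days:
        fails.append("patch_level")
    return fails


def decide(ident: Identity, dev: Device, pol: Policy, protocol: str, target_host: str, now: datetime):
    """Evaluate one session request; return the unified audit record."""
    reasons = []
    if not ident.piv_cert_valid:
        reasons.append("piv_invalid")
    if ident.mfa_verified_at is None or now - ident.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa_stale")                  # login-time MFA does not carry over
    if ident.edipi not in pol.subjects:
        reasons.append("not_authorized_subject")
    if (protocol, target_host) != (pol.protocol, pol.target_host):
        reasons.append("target_not_in_policy")       # one workstation, not the zone
    reasons += posture_failures(dev, pol)
    decision = "allow" if not reasons else "deny"
    record = {
        "ts": now.isoformat(), "decision": decision, "deny_reasons": reasons,
        "identity": {"upn": ident.upn, "edipi": ident.edipi}, "device": asdict(dev),
        "policy": pol.name, "protocol": protocol, "target": target_host,
        "redirection_enabled": sorted(pol.redirection), "recording_id": None,
    }
    if decision == "allow" and pol.record_session:
        # Deterministic id ties the session recording to this exact record.
        record["recording_id"] = hashlib.sha256(
            f"{ident.edipi}|{target_host}|{now.isoformat()}".encode()).hexdigest()[:16]
    return record


# Constructed sample inputs.
NOW = datetime(2026, 3, 1, 14, 0, tzinfo=timezone.utc)
USER = Identity("j.doe@example.mil", "1234567890", True, NOW - timedelta(minutes=2))
STALE_MFA_USER = Identity("j.doe@example.mil", "1234567890", True, NOW - timedelta(minutes=30))
WORKSTATION = Device("ws-it-0042", os_patch_age_days=10, edr_running=True, disk_encrypted=True)
NO_EDR = Device("ws-it-0042", os_patch_age_days=10, edr_running=False, disk_encrypted=True)
EWS_07_RDP = Policy("ot-ews-07-rdp", frozenset({"1234567890"}), "rdp", "ews-ot-07.example.mil")


def run_examples():
    """Four sessions: one that should pass, three that each fail a different check."""
    return {
        "good":         decide(USER, WORKSTATION, EWS_07_RDP, "rdp", "ews-ot-07.example.mil", NOW),
        "wrong_target": decide(USER, WORKSTATION, EWS_07_RDP, "rdp", "ews-ot-08.example.mil", NOW),
        "stale_mfa":    decide(STALE_MFA_USER, WORKSTATION, EWS_07_RDP, "rdp", "ews-ot-07.example.mil", NOW),
        "no_edr":       decide(USER, NO_EDR, EWS_07_RDP, "rdp", "ews-ot-07.example.mil", NOW),
    }


if __name__ == "__main__":
    for label, rec in run_examples().items():
        print(f"{label:13} {rec['decision']:5} {rec['deny_reasons']} recording={rec['recording_id']}")
```

The point of the record shape is the SOC view described above: one object answers who connected, from what device, to which workstation, under which policy, and where the recording is, without joining VPN, jump server and workstation logs. The "wrong_target" case is the least-privilege property in miniature: the same authorized user is denied a neighboring workstation because the policy names one host, not a zone.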
Replacing the SMB Proxy / File Gateway
What you remove: Standalone SMB proxy or file gateway that handles bidirectional file sharing between zones. Separate vendor, separate console, separate logs, no identity integration.
What you deploy: Integrated SMB Proxy with Kerberos authentication (NTLM only as a fallback for endpoints that cannot do Kerberos, since NTLM relay and pass-the-hash remain live attack techniques), SMB signing, end-to-end encryption, and CDR (Content Disarm and Reconstruction) scanning. File transfers are policy-enforced, identity-attributed, and fully audited through the same platform that handles application access.
What changes for file transfers: Every file crossing a zone boundary is scanned (CDR strips malicious content), encrypted, attributed to a named identity, and recorded in the unified audit trail. Firmware updates, configuration backups, and vendor deliverables all flow through a single controlled path.
Replacing Point TCP Connectors
What you remove: Application-specific connectors that provide bidirectional TCP connectivity for individual applications. Often embedded in vendor products, undocumented, and invisible to the SOC.
What you deploy: Zero Trust Application Access for HTTP, SSH, and custom TCP applications. Each application connection is policy-enforced, identity-attributed, and routed through the reverse-access tunnel. No direct TCP connections between zones.
What changes for the application: Nothing – the application protocol runs inside the tunnel unchanged. What changes is that every connection is now visible, attributed, policy-controlled, and auditable.
What Is the Deployment Sequence for a Defense Installation?
The replacement follows a risk-priority sequence: highest-risk legacy components are replaced first, with parallel operation ensuring no connectivity gap.
| Phase | Weeks | What Happens | What Gets Decommissioned |
| --- | --- | --- | --- |
| 1: Infrastructure | 1–4 | Deploy Access Controller + Gateway; integrate with installation AD/LDAP; configure PIV/CAC authentication; validate outbound tunnel | Nothing yet – legacy stack remains operational |
| 2: VPN replacement | 5–8 | Migrate all interactive sessions (RDP, SSH, HTTP) from VPN + jump server to platform; enforce per-session MFA and session recording | VPN concentrator; jump server |
| 3: File sharing | 9–16 | Migrate bidirectional file sharing from standalone SMB proxy to platform SMB Proxy with CDR; parallel operation for 4 weeks | Standalone SMB proxy / file gateway |
| 4: TCP connectors | 17–20 | Identify and migrate point TCP connectors to platform application access; document previously invisible connections | Point TCP connectors; embedded vendor tunnels |
| 5: Diode evaluation | 21–24 | Evaluate each diode-handled flow: retain for regulated, migrate to platform for non-regulated | Diode retained for regulated flows only |
| 6: Hardening | 25–26 | Deny-all inbound on all zone firewalls; external scan validation; penetration test; compliance documentation | Legacy MFA appliances |
Rollback at every phase: Legacy infrastructure configurations are archived (not deleted) for 90 days. The diode runs unchanged throughout. If any phase produces unacceptable results, the previous state is restorable without re-procurement.
For organizations following a structured migration playbook, the entire replacement completes in 6 months with measurable success criteria at each phase boundary.
How Does This Map to the DoD Zero Trust Seven Pillars?
| DoD ZT Pillar | Legacy Gateway Coverage | Consolidated Platform Coverage |
| --- | --- | --- |
| Users | VPN authenticates at login only; jump server may use shared credentials | Per-session MFA with PIV/CAC; named identity for every session; device posture at every access |
| Devices | VPN client checks at connection; no continuous posture | Device compliance checked per-session: OS, EDR, encryption, patch level |
| Applications & Workloads | No application-level access control; VPN grants network access | Per-application/per-workstation policies; application-level isolation |
| Data | SMB proxy moves files without identity; no CDR integration | SMB Proxy with CDR, identity attribution, encryption, and audit per file |
| Network & Environment | Firewall rules with inbound exceptions; VLAN segmentation | Zero inbound ports into protected zones; application-level microsegmentation; deny-all default |
| Automation & Orchestration | Manual provisioning across 4–6 products | Automated policy engine; approval workflows; single-console management |
| Visibility & Analytics | Fragmented logs from 4–6 products in different formats | Unified Syslog feed; per-session audit trail; session recording; single SIEM integration |
The legacy stack covers the Users pillar partially (VPN authentication) and the Network pillar partially (firewall rules). The remaining five pillars are either unaddressed or fragmented across multiple products. A consolidated platform addresses all seven pillars through a single architecture – which is what the DoD ZT Strategy's 91 target-level activities assume.
What Are the Top Concerns Defense Security Officers Raise – and the Answers?
“We cannot modify classified network infrastructure”
The Access Controller deploys as a new component that connects outbound. It does not modify existing network infrastructure, workstations, PLCs, or classification guards. The protected network is unaware of the platform's existence until a session is authorized. No changes to existing SCADA systems, no changes to classification guards, and no changes to firewall rules beyond removing the legacy inbound rules and adding the single outbound TCP 443 allow from the Access Controller to the Gateway.
“Our OT systems run legacy protocols that modern platforms do not support”
The platform supports RDP, SSH, SFTP, HTTP/HTTPS, and SMB – which collectively cover the interactive access requirements for OT engineering workstations, historian servers, and HMI consoles. The OT devices themselves (PLCs, RTUs, DCS controllers) are not directly accessed through the platform – they are managed through the engineering workstations that the platform provides secure access to. The legacy protocols running between PLCs and workstations on the OT network are untouched.
“We need to maintain physical unidirectional enforcement for certain data flows”
Correct – and the platform does not replace the diode for those flows. The evaluation framework for homeland security environments applies equally to defense: retain the diode where regulation or the zone's designation mandates physical unidirectionality (nuclear facilities under NRC RG 5.71, zones designated IEC 62443 SL 4, and classified boundaries). Migrate everything else – interactive sessions, bidirectional file sharing, vendor access, non-regulated one-way flows – to the platform. The typical end state is the platform handling 80–90% of connectivity and the diode 10–20%.
“We have FY budget constraints and cannot procure all at once”
The phased deployment is designed for defense budget realities. Phase 1–2 (VPN and jump server replacement) delivers the highest security impact and can be funded as a single procurement action. Phases 3–6 can be funded in subsequent fiscal years. The platform deploys on standard VMs – no specialized hardware procurement required.
“How do we demonstrate compliance to the AO?”
The unified audit trail produces exportable compliance records mapped to DoD ZT capability outcomes. Session recordings provide forensic evidence for every cross-boundary access. The IEC 62443 FR mapping, NIST 800-207 alignment, and FISMA controls are documented as part of Phase 6 hardening. The Authorizing Official receives a single compliance package rather than separate documentation from 4–6 vendors.
What Happens If You Do Not Replace Legacy Gateways?
This is not a hypothetical question. The consequences of maintaining legacy gateway infrastructure in defense networks are documented in incident reports and threat intelligence:
VPN concentrator exploitation is systematic, not opportunistic. Dragos reported that ransomware affiliates in 2025 consistently authenticated into VPN portals using valid credentials obtained from infostealers, then leveraged RDP and SMB to move laterally toward OT systems. Ivanti, Fortinet, Palo Alto Networks, and Cisco all had VPN/firewall vulnerabilities actively exploited in 2024–2025 – many with proof-of-concept exploits publicly available within days of disclosure. A defense installation running an unpatched VPN concentrator is not at theoretical risk – it is at active, ongoing, documented risk.
The jump server is the lateral movement enabler. When the VPN is compromised, the attacker lands on the jump server. The jump server has network-level access to classified or OT systems. From there, lateral movement to SCADA workstations, historian servers, and engineering stations is trivial – because the jump server was designed to reach them. The security control that was supposed to contain access becomes the pathway for expansion.
Fragmented logs delay incident response to the point of irrelevance. With 4–6 legacy products generating logs in different formats, different time zones, and different identifiers, the IR team spends hours correlating data before they can answer basic questions: who connected, to what, when. Dragos reported 42 days average dwell time for ransomware in OT environments in 2025 – and fragmented visibility is a primary contributor. Every hour the IR team spends correlating logs from legacy products is an hour the attacker spends moving laterally.
Budget erosion is continuous. Legacy gateway maintenance is not a one-time cost. It is annual licensing renewals for 4–6 vendors, firmware update cycles for internet-facing appliances, integration labor to keep logs flowing to the SIEM, and emergency patching cycles when the next VPN CVE drops. The FY 2026 NDAA allocated $15 billion for cyber modernization – organizations that spend that budget maintaining legacy gateways instead of deploying Zero Trust platforms are spending modernization dollars on preservation.
What Does the Before/After Look Like for a Typical Defense Installation?
| Metric | Before (Legacy Stack) | After (Consolidated Platform) |
| --- | --- | --- |
| Inbound firewall ports to classified/OT zones | 3–8 (VPN, RDP, custom) | 0 |
| Internet-facing components | VPN concentrator + SSL gateway | DMZ Gateway only (authentication endpoint; no inbound path to protected zones) |
| Products managing cross-boundary connectivity | 5–7 | 1–2 (platform + diode if retained) |
| Vendors | 4–6 | 1–2 |
| Session attribution | 40–60% (shared credentials, no recording) | 95%+ (named identity, MFA, full recording) |
| Mean time to investigate cross-boundary session | 3–6 hours (4+ log sources) | < 15 minutes (single audit trail + recording) |
| DoD ZT pillars addressed | 2 of 7 (partial) | 7 of 7 |
| Patch urgency for internet-facing components | Critical (VPN CVEs actively exploited) | Reduced to one component (DMZ Gateway) with no network-level access behind it |
| External scan results | 2–5 discoverable services | 1 (Gateway authentication endpoint); 0 on protected zone ranges |
Conclusion
The DoD Zero Trust mandate is not a future requirement – DTM 25-003 is effective now, the 91 target-level activities have deadlines, and the OT-specific guidance adds 84 more. Legacy security gateways – VPN concentrators, jump servers, SSL gateways, standalone file proxies, point TCP connectors – were not designed for Zero Trust and cannot be retrofitted to meet these requirements. They were designed for a perimeter model that the DoD has explicitly abandoned.
To replace legacy security gateways with a Zero Trust architecture, defense security officers do not need to build a new stack from multiple vendors. They need a single platform that eliminates inbound ports into protected zones, enforces per-session identity verification, provides application-level access instead of network-level access, integrates file sharing with CDR scanning, records every session, and produces a unified audit trail for the Authorizing Official.
The legacy gateway stays in the rack until its replacement is proven. The replacement runs in parallel until every connectivity type is validated. The diode stays where regulation demands it. And at the end of the migration, the installation has fewer vendors, fewer attack surfaces, fewer inbound ports (ideally zero), faster investigations, and a compliance posture aligned with where the DoD ZT Strategy is heading – not where it was when the legacy gateway was deployed.
The TerraZone solutions portfolio for defense and federal agencies provides architecture reviews, phased deployment planning, and integration engineering tailored to defense classification and compliance requirements.