* Because they don't really work. It's better to assume the network is adversarial and work from there than to separate the world into the trustworthy network and untrustworthy network.
* It's much much easier to secure a network when you completely disallow client-to-client communication and block all communication to clients not initiated by them.
* Trusting the client that attackers can physically access is a recipe for disaster.
* Because VPNs are just an application on the internet.
> * It's much much easier to secure a network when you completely disallow client-to-client communication and block all communication to clients not initiated by them.
VPNs and VLANs are technologies that allow this. I think 'Zero Trust Architecture' wonks have done a disservice to industry. If your 'zero trust' app has a bug, then your device is exposed (probably) directly to the internet, naked.
If you layer your security - starting with the bare minimum of VLANs, VPNs, network segregation, etc. - then you can layer zero trust technologies on top.
What ends up happening is that people build their own pseudo-VPN with user space applications that network together a bunch of machines existing over the internet, potentially exposing dozens of new internal networks to malware vectors.
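The client-isolation posture the first comment describes (no client-to-client traffic, nothing reaches a client that the client did not initiate), as enforced on the gateway of a client VLAN like the reply suggests. This is an added example and not code from either commenter; the interface names `vlan20` and `wan0` are assumptions, as is the choice of nftables.

```nftables
# Added example: stateful client isolation on a VLAN gateway.
# Assumed topology: clients sit on "vlan20", the upstream link is "wan0".
table inet client_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections a client opened are the only inbound
        # traffic that ever reaches a client.
        ct state established,related accept
        ct state invalid drop

        # Clients may initiate connections toward the upstream ...
        iifname "vlan20" oifname "wan0" ct state new accept

        # ... but not toward each other, even when the gateway would
        # hairpin the traffic between two client addresses.
        iifname "vlan20" oifname "vlan20" drop

        # Anything else trying to open a connection toward a client is
        # dropped by policy; log it so the attempt shows up in detection.
        oifname "vlan20" ct state new log prefix "unsolicited-to-client " drop
    }
}
```

Load it with `nft -f <file>`. One caveat a practitioner will want: this only governs traffic that crosses the gateway. Two clients on the same L2 segment talk to each other without the router seeing a packet, so the rule set has to be paired with port isolation or private VLANs on the switch or access point to actually get the "no client-to-client" property.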