As the SD-WAN market has grown, vendors have looked for ways to differentiate based on features. One way that some vendors have chosen to differentiate is by including application policy-based policies into their platforms. But it’s important to understand a few things about how application policy and SD-WAN work together if you want to get the maximum benefit from the solution you choose.
What is Application Policy?
Controlling application policies in SD-WAN lets administrators control what applications get used on their network, when and by whom. Application traffic can be enabled, blocked or restricted based on factors including:
- Time of day
- User name
- Application type
- User group
To do this, the SD-WAN platform compares the first packet of each new network session to a database to determine if the application is known and permitted. It’s basically like a traffic cop for your network activity. Sounds pretty good, right? It does — except for that it’s doing a job that your firewall or security platform already does.
Your Firewall is a Traffic Cop
We all know that firewalls and security platforms exist to prevent attacks on your network. They do that by deciding what data is allowed in or out of your network, based on the configurations you set. Sound familiar?
So, if you’re already using a security platform to prevent malware from entering your network or block connections to applications or sites that might introduce threats, why wouldn’t you use the same security platform to control internal traffic on your network as well? (Hint: of course you can! That’s what your firewall is for.)
Application Policy and SD-WAN
OK, so your firewall is offering the same protection that an SD-WAN solution with application policy can provide. But is having two layers of protection really so bad? If the risks are rising, why not have both?
Because it’s driving down the performance of your network.
Let’s think about that statement…Why would combining application policy and SD-WAN make your network performance worse? SD-WAN solutions with application policy rely on session-based load balancing, as opposed to packet-based load balancing. Let’s take a look at what that means.
Session-Based Load Balancing
SD-WAN platforms built around session-based load balancing rely heavily on the assumption that networks are fundamentally stable, consistent and available. This system — the basis for application policy and SD-WAN solutions — transmits each user-application session over a specific circuit. If that circuit fails or degrades, the session is restarted on a different circuit — meaning there is a temporary network outage. This is obviously not ideal for any application, but is especially problematic when dealing with high-latency applications.
Packet-Based Load Balancing
In contrast, SD-WAN solutions that use packet-based load balancing are designed to view networks and network conditions as variable. Packet-based solutions respond to failing or degrading circuits by re-routing packets to a more stable circuit, minimizing the risk of outages and disruptions.
Choosing to combine application policy and SD-WAN forces a reliance on a session-based solution. It means you’re opting for a lower-quality connection — so even if your traffic cop is great, your network connection might not be. You’re effectively compromising connection quality to get control of your network traffic, which your firewall already provides.
Single-Vendor versus Best of Breed
Using application policy controls from your SD-WAN vendor relies on your SD-WAN vendor having a policy library and keeping it current. Again, if you’re already paying your Security vendor for these libraries, why not use them again and simply integrate your SD-WAN with existing Security solutions? This makes sense.
And, if you’re a MSP or Service Provider supporting multiple end-customers, not all of them will want the embedded Security offered by Vendor C, S or V. Having the flexibility to deploy multiple Security platforms or to integrate with a customer’s existing Security platform will help you deliver the bespoke solutions that all customers want.
How to Get the Best SD-WAN
Want to maximize the benefits of your SD-WAN solution? There are two easy ways to do that.
- Avoid combining application policy and SD-WAN. Leave the traffic cop duties to your firewall — that’s what it’s there for
- Work with an SD-WAN partner who is focused providing a solution that is:
- More reliable
- Easier to manage
At Multapplied, we take pride in offering an SD-WAN solution that’s built to serve our clients’ needs — and is free of features that degrade your connection while offering little value in return. If you want the strongest, fastest, most reliable SD-WAN network connection around, make Multapplied your first choice. Contact us today to learn more about what we can do for you.