“My firewall can do that.”

That’s a phrase we often hear from IT professionals when we talk about Bigleaf. 

If you’re referring to basic security and disaster recovery, it might be true, in part. After all, firewalls have been the first line of defense in a network for over a quarter-century. A mature network should have a built-in firewall to ensure a certain level of security and many do that also provide a level of redundant connectivity. 

Your setup may look like Stage 1 of the Internet Maturity Model: where you have a dual-wan firewall that allows you to have a second internet connection that can be activated when your primary connection goes down. When your primary connection fails, your business traffic needs to be moved, either manually or automatically, to the backup circuit. 

Seasoned IT pros can spend hours ensuring layers of redundancy are in place, as well as create Quality of Service rules that play nice with existing firewalls and add a level of application performance management. Rudimentary failover strategies, backup circuits, and QoS configurations like those are better than nothing. However, they can come with a variety of weaknesses which we’ll cover below. 

Check out this head-to-head comparison of your standard firewall vs. integrating Bigleaf into your tech stack alongside your existing firewall.

Firewall Limitations & Strengths

Your trusted firewall is important as it provides security and can provide the level of compliance you need. Some also help with connectivity. We’re not here to argue the security point. Instead, we want to make the case that Bigleaf allows organizations to achieve better connectivity and cloud application performance than firewalls.   

Your firewall – whether a Stateful Inspection, UTM, or an NGFW – or your amalgam of them needs to do more than just keep you compliant. They need to be a part of your infrastructure that keeps your business running smoothly in today’s digital landscape (where the cost of downtime & unusable uptime are rising to levels SMBs can’t afford while remaining competitive).

Round 1: Failover

Referencing Stage 1 of the Internet Maturity Model and tying into Round 1, when failover does happen, reconnecting all your business’ IP-specific internet traffic to the backup circuit is not instant. Your firewall can take seconds to minutes to failover. We’ve seen times ranging between 45 seconds to 8 minutes and some require a manual switch. However long it takes, performance is compromised, focus is lost. In the case of real-time VoIP calls, which drop the instant the connection drops, work completely stops. 

Basic Failover only provides support during outages; when the Internet is completely down. However, as seasoned IT professionals know, poor performance, brownouts, smaller outages, and more, disrupt business connectivity more often than complete outages. 

Bigleaf’s Same IP Address Failover seamlessly reroutes all traffic when there are outages and circuit disruptions, constantly keeping every business-critical application working as it should. With Bigleaf, when one of your circuits has any sort of outage, you don’t. Your IP address doesn’t change so your traffic automatically moves to your other circuit. Your VPN, VoIP call, and business-critical apps stay up! 

Yes, Bigleaf saves the call that would otherwise need to be reinitiated. 

Winner: Bigleaf Networks

Round 2: Intelligent Traffic Management

Optimized cloud application performance is traditionally achieved with policies and manual configurations for QoS, traffic flow management across circuits, and failover. While some firewall solutions have tried to make some of this easier with preset selections, there is still a requirement that each policy is manually set. 

Bigleaf’s self-driving AI automatically identifies and prioritizes your application traffic, configures itself to optimize for your circuit conditions and traffic makeup, and instantly adapts to changes in real-time, improving call & video quality and app performance. 

With only a dual-WAN firewall solution in place, even if it advertised SD-WAN capabilities, an IT Manager would need to manually create or set rules for every app they know their users are using. Let’s explain using a real-world example: 

Firewall Only Example 

Given the state of SaaS adoption and different tools that SMBs use nowadays (and because you need to create rules with every app and every user with most dual-WAN firewalls), a company with only 18 employees could need to create over 400  rules for QoS alone. In other words, the simple solution requires more from your IT resources. 

With Bigleaf, circuit monitoring, load balancing, and traffic identification and prioritization happens automatically regardless of how many or what SaaS apps are being used by your team members. 

Winner: Bigleaf Networks

Round 3: Insights 

Lack of awareness of how your internet circuits are performing is a massive threat to an SMBs bottom line. If you don’t know a problem is happening, you can’t fix it. 

We briefly covered Stage 1 of the Internet Maturity Model – where you get a second circuit, plug it into your firewall, learn that an outage has occurred, then manually failover your traffic to the second line. It may seem “good enough” at first glance – it’s simple and low cost. What if we told you the low cost comes at a high one? 

Your firewall may let you know of outages at the time they happen, requiring you to act on the issue at that moment. However, you may not be aware of circuit and traffic performance issues that are consistently happening but seem minor or insignificant in your day-to-day application and internet performance. These issues can go unnoticed and cost you losses in revenue, productivity, user experience, reputation, and more. 

Visibility of your circuit and traffic performance across each of your ISP circuits delivers the insight you need when things change and need attention, and what to do to ensure reliable performance for each of your cloud applications and technologies. When it comes to reporting, Bigleaf edges out. Our Risk Monitoring feature goes above & beyond, taking the aggregate of the health and performance metrics we track and record to isolate critical events that can threaten your business continuity. Each risk alert is designed to give you a clear explanation and path to resolution so it can be resolved.  

Winner: Bigleaf Networks

Champion: Bigleaf by Unanimous Decision

In summary, Bigleaf delivers much more than your firewall in ensuring reliable connectivity and optimal cloud application and Internet performance. We like to say that “having Bigleaf in your network is like having a Network Engineer on staff 24×7, who doesn’t take vacations, need breaks, or is subject to human error.” From Same IP Address Failover and Intelligent Load Balancing to Dynamic QoS and World-Class Support – we’ve got you covered.  

The results indicate that Bigleaf Networks beat your firewall by unanimous decision; but a knockout would be a more accurate conclusion. 

Next time you feel the urge to say, “My Firewall does that,” remember Bigleaf offers:  

• true redundancy 
• end-to-end network and cloud application performance optimization 

• self-correcting network resilience 
• insight that enables problem-solving before users are impacted 

Does your firewall do that?

*Bonus* Firewall-Friendly SD-WAN

If you’re convinced of the value that an SD-WAN solution like Bigleaf’s can bring your business, like it has 100,000 other users, you’ll be pleased to know that Bigleaf is a firewall-friendly solution. Bigleaf installs outside firewalls. So, an organization can use a firewall for the security and compliance it provides AND add on Bigleaf for the same IP-failover, intelligent and automated QoS prioritization, circuit monitoring, and load balancing that delivers above and beyond what most firewalls will ever. – it’s the easiest way to implement SD-WAN.

Wrap Up

If your business or customers use cloud-based and SaaS apps, if you can’t afford to have poor internet connectivity or downtime, have enterprise-grade goals, and you want to focus your IT efforts on strategic business initiatives, then Bigleaf Networks may be the best solution for you. 

Can your firewall really do all this? 

SMBs rely more on their Internet connectivity than ever, and while a firewall has its strengths, good enough is not good enough to improve business continuity and internet performance. If you’re curious to learn more about this topic or Bigleaf in general, request a demo, ping us at sales@bigleaf.net, or check out our other SD-WAN resources. 

With all the industry excitement and fervor around SD-WAN, I feel compelled to leave my own mark by addressing one of the most exciting aspect of SD-WAN — Price Comparison! I know this might not be the sexiest thing to talk about in the fastest growing sector of telecom, but it’s very important. It’s also something many of our partners and customers see as a Bigleaf advantage, and something we need to do a better job of highlighting. So, here we are.

At the surface, our pricing model looks very similar to that of other SD-WAN service providers and 3rd party carriers. However, upon closer examination, there is a significant differentiator that must be factored in when comparing Bigleaf to other options in the market.

How does Bigleaf Pricing Work?

As we’ve probably shared with you in the past, our team’s background and foundation is rooted squarely in the telecom industry. We don’t come from the network hardware world. I jokingly tell people I can’t tell you the cheapest place to buy RAM in China, but I can share my many experiences in dealing with customers who’ve experienced issues with their voice or Internet services.

This telecom background and mindset drove our pricing convention of offering Bigleaf as a monthly service with package pricing determined by symmetric speeds, similar to the way in which SLA-backed Internet services are offered. When looking at a Bigleaf quote or speed package, note that the listed speed is symmetric and supported in both directions. In plain English, when we say 50Mbps Bigleaf package, we mean both 50Mbps upload and 50Mbps download.

How is that any different from others?

In comparison, most of the SD-WAN industry (not including 3^rd party resellers like ISPs and carriers – but rather the people who are actually developing SD-WAN platforms and technologies), come from a hardware development background. If you are looking, they probably do know where to find cheap RAM in China!

As expected, their pricing convention follows common hardware industry trends of quoting aggregate speed, or as some say “total horsepower”. So, their pricing is the sum of both upload and downloads speeds at the same time. Again, in plain English, when they say 50Mbps SD-WAN package, that’s a combination of both upload and download speeds totaling up to 50Mbps (i.e. 40Mbps down + 10Mbps up = a 50 Mbps package).

What does this mean for me?

To help clarify this differentiation and further drive home our commitment to providing a finished service, we have updated our pricing to clarify that our speeds are symmetric. For example, we have changed our 100Mbps package labeling to a 100Mpbs/100Mbps package.

Please take note of this when quoting or reviewing Bigleaf services. Again for example, when reviewing options from multiple SD-WAN providers, a more accurate comparison would be Bigleaf’s 50Mbps/50Mbps solution to other’s 100Mbps option. While we happen to think one pricing convention is significantly better than the other, we’ll leave the final determination up to you. We just want to make sure you aren’t comparing apples to oranges!

SD-WAN stands for Software Defined Wide Area Networking. It’s a combination of Software Defined Networking (SDN), which was created for use in cloud data centers, and Wide Area  Networking (WAN) which is the network outside of your office (e.g. the internet, or site-to-site networks  like MPLS and Metro Ethernet).

The SD-WAN umbrella

Network engineers would love to strictly define SD-WAN, but marketing departments have turned it into an umbrella term, like “cloud.” There are many types of cloud services, like SaaS, PaaS, Public, Private, and Hybrid Cloud; and similarly there are multiple categories of offerings that come with an SD-WAN label. This guide will help you decipher the choices and shed some light on the decision-making process.

The 3 categories of SD-WAN

1. Cloud-managed routers and firewalls

How do you make 15-year old router and firewall technology look appealing? Add a cloud-based web management interface and market it as SD-WAN! That’s essentially what you’re getting with this category. You buy a network appliance to connect your ISP circuits into, and instead of logging into an interface on the actual device to configure it, you now log into the vendor’s shiny new cloud-hosted management dashboard.

Common labels

• Load Balancer, Aggregator, Firewall, Bonding Appliance, Link Balancer, Failover Router, Dual-WAN
• Cloud Managed, Cloud Provisioning, Cloud Based
• Centralized Management, Single Pane of Glass, Dashboard

Pros

• Low Cost
• Familiar Vendor

Cons

• 15-year-old technology at the core
• No real-time adaptation to ISP performance issues for cloud traffic
• Ineffective (upload-only, fixed rate) QoS
• Generally have access to all your private LAN data (see note on security in category below)

2. VPN services and devices

Most “real” SD-WAN offerings fall into this category. They are meant as a lower cost tool to displace MPLS for site-to-site connections. At their core, these devices and services provide site-to-site VPNs, just like standard firewalls or routers.

So the question becomes: what’s the difference between these SD-WAN solutions and standard network edge devices like firewalls? Well, there’s nothing significant at first glance. They boast of cloud-based management (as noted above), plus other existing networking hardware features like application or user-based security and routing policies, or WAN-optimization features like compression or TCP optimization.

But there is a major differentiator, and that is awareness of and adaptation to quality issues on the network paths between sites. Traditional firewalls and routers don’t monitor for or adapt to issues like 3% packet loss or 70ms jitter. These performance issues that affect real-time applications can now be identified and resolved through SD-WAN. Buyer beware: how this detection and adaptation works differs greatly by vendor, with varying results.

One big factor you’ll want to consider when looking at this category is that you’re now trusting your network security to your SD-WAN vendor. Since they’re providing the site-to-site VPNs, all of your private traffic is now touching their equipment, unencrypted. That brings up some questions:

• If someone hacks their cloud-based management can they access your private data? Are you sure?
• Is their system and/or company PCI, HIPAA, or [insert your compliance need here] compliant?
• How do their security practices and implementations compare with the security offered by major brands like Palo Alto, Watchguard, Checkpoint, Cisco, and others that spend huge resources on this?

If you choose one of these devices or services, be sure you feel good about the answers to those questions.

Common labels

• SD-WAN, Cloud WAN, Intelligent WAN, MPLS replacement, Hybrid MPLS, Cloud Networking, Overlay WAN
• Realtime, Adaptive, Dynamic, Variable
• Cloud-Managed, Orchestrated, Controller, Control Plane, Forwarding Plane
• Security Policy, Application Aware, Application SLA

Pros

• Usually lower cost than MPLS
• Adapts site-to-site traffic to changing network performance (but generally not public cloud applications)
• Strong QoS for site-to-site (not cloud) traffic, as long as network bandwidth is 100% stable (generally only SLA-backed fiber or T1s)
• All-in-one box for firewalling, VPNs, DHCP, NAT and other network edge needs

Cons

• Ineffective QoS for cloud traffic like VoIP, VDI/DaaS, and SaaS
• Non-seamless or no network performance adaptation for real-time public cloud traffic
• Many solutions are very expensive hardware, plus yearly maintenance/support fees
• Typically highly complex, requiring lots of configuration and fine-tuning
• Generally require ripping out your existing firewall, or disabling many of its features
• Often trusting your security to a younger company focused on fast growth

3. Internet and cloud optimization

Bigleaf is the leader in this category, providing optimization for access to the cloud, and for remote access to on-site resources. Public-cloud and other Internet-based applications are the most difficult to optimize connectivity for, because traditionally there is so little visibility and control to the public cloud. Unlike site-to-site VPNs, which are relatively simple to set up and monitor, connections to cloud services like VoIP and SaaS involve a lot more complexity.

To optimize internet-based applications like cloud, you first need visibility. Bigleaf monitors each internet connection from your office to the core of the internet 10 times per second, across the exact same paths that all of your data travels. This end-to-end monitoring typically covers over 98% of the path from your office to your cloud applications.

You then need control. Bigleaf routes all your traffic via our redundant gateway clusters in the core of the internet. We collocate these in datacenters called “Carrier Hotels.” These locations are the major internet peering points in each region, ensuring you have the lowest possible latency. Because we route all your traffic through these gateway clusters we have 100% control of the routing and QoS prioritization of your traffic. This dedicated network architecture is core to our success in optimizing cloud-based applications.

Of course, you also need the best possible network security. There are many vendors that have spent hundreds of millions of dollars building advanced network security offerings, and you’re probably already using them. With Bigleaf, you can keep using your best-of-breed security solutions, and still get cutting-edge SD-WAN benefits for your traffic! Bigleaf drops-in between your firewall and your ISP connections, optimizing traffic while your firewall handles security and VPNs. This creates a stable, reliable, and adaptive foundation for both cloud-based applications and site-to-site VPN traffic.

Common labels

• Internet Optimization, Cloud Optimization, Cloud Acceleration
• Distributed Architecture, Split Architecture, Cloud Routing
• Seamless Failover, Same-IP Failover, No-Drop Failover
• Intelligent Load Balancing, Mid-Stream Adaptation
• Cloud-Managed, Automated, Seamless, Simple, Plug-n-Play
• Dynamic QoS, Cloud QoS, QoS over Broadband, VoIP QoS, SIP QoS

Pros

• Automatically adapts both site-to-site VPN and public-cloud traffic to changing network performance
• Strong bi-directional QoS for both site-to-site VPNs and public-cloud traffic that adapts to changing network bandwidth (great for cable and wireless)
• Compliments existing firewall/security
• Doesn’t touch private network data
• Usually lower cost than SLA-backed circuits (plus Bigleaf adds a service SLA even when circuits don’t have one)
• Easy to use with no complex configuration

Cons

• Not an all-in-one network-edge box with advanced security functions
• Typically small increase in baseline latency
• Overlay tunnels add slight throughput overhead

Which SD-WAN option is right for you?

While there can be many considerations to end up at the right vendor, the decision of which category is pretty simple. Here’s an infographic with some basic questions to help you choose:

While SD-WAN can be confusing, I hope this guide has made the options clear and oriented you in the right direction. If you have any questions please don’t hesitate to request a demo, we would be glad to discuss if Bigleaf is best for your environment.