Packet telemetry data via first hop node configuration
US-2020092211-A1 · Mar 19, 2020 · US
US11665202B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11665202-B2 |
| Application number | US-202117394196-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 4, 2021 |
| Priority date | May 6, 2020 |
| Publication date | May 30, 2023 |
| Grant date | May 30, 2023 |
Official abstract text for this publication.
Provided are methods, apparatus, and system for policy based wide area network. A network of network appliances is configured with a policy configuration. Each network appliance is configured to validate each wide area network packet against the policy configuration. The validation can include verifying that the packets meet the SD-WAN network segment requirements and security rules including verifying that the source and destination address of the packet meet the firewall zone requirements. Each wide area network packet contains a policy header that is checked by the sending and receiving network appliance against the policy configuration.
Opening claim text (preview).
What is claimed is:

1. A method for policy-based networking comprising the steps: configuring a network appliance with a policy configuration, wherein the network appliance is coupled to at least one wide area network (WAN); receiving an outgoing packet having a destination address on the at least one WAN; associating the outgoing packet with the policy configuration based on a port on which the outgoing packet was received and an application from which the outgoing packet originated; determining a network segment assigned to the port and the application based on the policy configuration; appending a policy header to the outgoing packet; appending a WAN header compatible with at least one WAN interface associated with the network segment, thereby forming an outgoing WAN packet; and forwarding the outgoing WAN packet to the at least one WAN interface.

2. The method of claim 1, wherein the policy configuration defines relationships between network segments and overlays, wherein the overlays specify handling of packets based on at least one of a label associated with an interface through which the network traffic enters the network appliance or an access list, and wherein the determining the network segment assigned to the port and the application based on the policy configuration comprises: determining that the outgoing packet matches at least one of a label or an access list associated with an overlay; and appending a first policy header that includes a network segment identifier for a network segment associated with the overlay to generate an outgoing network traffic.

3. The method of claim 2, wherein the overlay is associated with a virtual routing and forwarding (VRF), and wherein the appending the first policy header including the network segment identifier for the network segment associated with the overlay comprises: appending an identifier for a VRF associated with the overlay.

4. The method of claim 1, wherein the policy configuration defines at least one security policy for the network segment including an overlay or a breakout, wherein the overlay specifies logical tunnels based on different traffic types accessing the network segment, and wherein the breakout specifies at least one of an Internet Software-as-a-Service (SaaS) application control or guest wireless access control for the network segment.

5. The method of claim 1, wherein the policy configuration defines at least one firewall zone policy applicable to the network segment, wherein the firewall zone policy defines a relationship between a first firewall zone associated with the network segment and a second firewall zone associated with a different network segment, and wherein the method comprises: determining that the at least one firewall zone policy allows forwarding of the outgoing WAN packet from the network segment to the different network segment.

6. The method of claim 1, wherein the policy configuration defines at least one tunnel to a different network segment, and wherein the method comprises: determining that the destination address is on the different network segment in comparison to the network segment; and translating the destination address to a different address associated with the different network segment.

7. The method of claim 1, further comprising: determining that the outgoing packet is received over a local area network (LAN); and determining that the destination address is outside the LAN.

8. The method of claim 1, wherein the policy header includes at least one of a network segment identifier associated with the network segment, information on the application, or a firewall zone associated with the network segment.

9. The method of claim 1, wherein the network segment identifier identifies which network segment the outgoing packet is received from or sent to.

10. A method for policy-based networking comprising the steps: configuring a network appliance with a policy configuration, wherein the network appliance is coupled to at least one wide area network (WAN) and a local area network (LAN); receiving an incoming packet from a WAN interface associated with the at least one WAN, the incoming packet comprising a WAN header and a policy header; removing the WAN header from the incoming packet, wherein the removing the WAN header leaves an incoming packet payload comprising the policy header; associating the policy header with the policy configuration; determining a destination address for the incoming packet based on the policy header; removing the policy header from the incoming packet payload to generate a modified packet; appending a network protocol header associated with the destination address; and forwarding the modified packet to an interface associated with the LAN.

11. The method of claim 10, wherein the associating the policy header comprises: classifying the incoming packet based on a port on which the incoming packet was received; determining an application from which the incoming packet originated; and matching the port and the application with parameters in the policy configuration.

12. The method of claim 10, the method further comprising: decrypting the incoming packet payload; and removing at least one security protocol header from the policy header.

13. The method of claim 12, wherein the incoming packet payload is encrypted using at least one of UDP-IPsec, IKE-IPsec, and GRE-IPsec.

14. The method of claim 10, further comprising: verifying the policy header based on a label associated with the WAN interface; and determining that the policy configuration permits the incoming packet to be forwarded to the destination address.

15. The method of claim 10, further comprising: determining that the policy header indicates for translation of the destination address; and translating the destination address.

16. The method of claim 10, further comprising: receiving a second incoming packet from the WAN interface; determining whether the second incoming packet satisfies the policy configuration for a networking segment associated with the network appliance; and based on a determination that the second incoming packet does not satisfy the policy configuration for the networking segment, dropping the second incoming packet without forwarding the second incoming packet.

17. The method of claim 10, wherein the incoming WAN packet is received from a Multi-Protocol Label Switching (MPLS) service.

18. A system for policy-based networking, the system comprising: a plurality of network appliances, each network appliance of the plurality of network appliances having a network interface connected to one wide area network (WAN); and an orchestrator device in communication with each network appliance of the plurality of network appliances, wherein the orchestrator device is configured to: maintain a policy configuration that assigns one more network segments to one or more overlays, wherein: network traffic entering through the network interface of the network appliance is to be matched to an overlay based on a label associated with the network interface; and the network traffic is to be associated with a network segment based on the matching overlay; and distribute the policy configuration to the plurality of network appliances.

19. The system of claim 18, wherein the policy configuration includes at least one association between the network segment and a second network segment to which the network traffic is to be forwarded in inter-segment routing.
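The egress path of claim 1 (classify by port and application, determine the segment, prepend a policy header and then a WAN header, forward to the WAN interface), the ingress path of claim 10 (strip the WAN header, read the policy header, resolve the destination, strip the policy header, forward to the LAN), and the validation the abstract and claim 16 describe (check the packet against the firewall-zone policy and drop it without forwarding when it does not satisfy the configuration), as an added illustrative Python example. This is not code from the patent or its assignee: the header layouts, the configuration shape, the segment and zone names, the interface names and the addresses are all constructed assumptions.

```python
"""Constructed SD-WAN policy-header pipeline: egress (claim 1), ingress (claim 10),
firewall-zone validation and drop (abstract, claim 16). Illustrative only."""
import ipaddress
import struct
from typing import Optional, Tuple

POLICY_MAGIC = 0x5053   # constructed marker so a receiver can sanity-check the header
POLICY_FMT = "!HHB"     # magic, source segment id, application-name length (name follows)
WAN_FMT = "!4s4s"       # outer IPv4 src/dst; constructed stand-in for a real WAN header

# Constructed policy configuration (assumption: our own shape, not the patent's).
CONFIG = {
    # (LAN port, application) -> network segment id
    "segment_by_port_app": {("lan0", "voip"): 10, ("lan0", "crm"): 20, ("guest0", "web"): 30},
    # segment -> firewall zone
    "zone_of_segment": {10: "corp", 20: "corp", 30: "guest"},
    # allowed (source zone, destination zone) pairs; anything else is dropped
    "zone_policy": {("corp", "corp"), ("guest", "guest")},
    # segment -> WAN interface carrying that segment's overlay
    "wan_iface_of_segment": {10: "wan_mpls", 20: "wan_mpls", 30: "wan_inet"},
    # receiving side: destination prefix -> local segment
    "segment_by_prefix": {
        ipaddress.ip_network("10.1.0.0/16"): 10,
        ipaddress.ip_network("10.2.0.0/16"): 20,
        ipaddress.ip_network("192.168.50.0/24"): 30,
    },
    # segment -> LAN interface to forward on
    "lan_iface_of_segment": {10: "lan0", 20: "lan0", 30: "guest0"},
}


def egress(port: str, app: str, src_ip: str, dst_ip: str, payload: bytes,
           cfg: dict = CONFIG) -> Optional[Tuple[str, bytes]]:
    """Claim-1 style egress. Returns (WAN interface, WAN packet), or None when no
    segment is assigned to this (port, application) pair."""
    segment = cfg["segment_by_port_app"].get((port, app))
    if segment is None:
        return None
    app_bytes = app.encode()
    policy_header = struct.pack(POLICY_FMT, POLICY_MAGIC, segment, len(app_bytes)) + app_bytes
    wan_header = struct.pack(WAN_FMT, ipaddress.ip_address(src_ip).packed,
                             ipaddress.ip_address(dst_ip).packed)
    # Outer WAN header first, then the policy header, then the original packet.
    return cfg["wan_iface_of_segment"][segment], wan_header + policy_header + payload


def ingress(wan_packet: bytes, cfg: dict = CONFIG) -> Optional[Tuple[str, str, str, bytes]]:
    """Claim-10 style ingress with validation. Returns (LAN interface, destination,
    application, inner payload), or None when the packet is dropped."""
    wan_len, pol_len = struct.calcsize(WAN_FMT), struct.calcsize(POLICY_FMT)
    if len(wan_packet) < wan_len + pol_len:
        return None                                   # truncated: drop
    _src_raw, dst_raw = struct.unpack(WAN_FMT, wan_packet[:wan_len])
    inner = wan_packet[wan_len:]                      # WAN header removed
    magic, src_segment, app_len = struct.unpack(POLICY_FMT, inner[:pol_len])
    if magic != POLICY_MAGIC or len(inner) < pol_len + app_len:
        return None                                   # malformed policy header: drop
    app = inner[pol_len:pol_len + app_len].decode(errors="replace")
    payload = inner[pol_len + app_len:]               # policy header removed
    dst_ip = ipaddress.ip_address(dst_raw)
    dst_segment = next((seg for net, seg in cfg["segment_by_prefix"].items() if dst_ip in net), None)
    if dst_segment is None:
        return None                                   # destination not in any local segment
    src_zone = cfg["zone_of_segment"].get(src_segment)
    dst_zone = cfg["zone_of_segment"][dst_segment]
    if src_zone is None or (src_zone, dst_zone) not in cfg["zone_policy"]:
        return None                                   # firewall-zone policy violated: drop
    return cfg["lan_iface_of_segment"][dst_segment], str(dst_ip), app, payload


if __name__ == "__main__":
    iface, pkt = egress("lan0", "voip", "10.1.0.5", "10.1.7.9", b"rtp")
    print(iface, ingress(pkt))                        # wan_mpls ('lan0', '10.1.7.9', 'voip', b'rtp')
    iface, pkt = egress("guest0", "web", "192.168.50.4", "10.1.7.9", b"GET /")
    print(iface, ingress(pkt))                        # wan_inet None (guest -> corp is dropped)
```

The receiving side never trusts the policy header alone: the destination is mapped to a local segment independently, and the zone pair is looked up in the distributed configuration, so a packet whose header names an unknown or mismatched segment is dropped rather than forwarded.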
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
using forward notification · CPC title
NAT traversal · CPC title