For those who are involved in "Sizing" a "Next Generation Firewall", I would like to share with you this paper:
Firewalls in the Data Center: Main Strategies and Metrics
Joel Snyder, PhD
Senior Partner, Opus One
Abstract:
Measuring performance in networks has usually involved looking at one number: throughput. Since the first days of switches and routers, organizations have added up the performance they need, compared it to a total on a manufacturer’s data sheet, and used those values to decide whether or not they had the right hardware.
Unfortunately for security and network practitioners, the same basic metric of throughput cannot be used to evaluate firewall performance. Because a security appliance actively participates in connections from Layer 2 up to Layer 7, you cannot simply look at bits-per-second throughput to predict how a firewall will behave in the data center.
In this document, you will learn key metrics you should use to evaluate firewall performance in the data center and why raw throughput is almost never the most important performance metric to use in your planning. Selecting a firewall does not mean simply picking the fastest firewall, but the one that is designed to handle the rapidly evolving, network-intensive application environment of the data center.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/Opus_One_Layout-928.pdf