One issue in particular to address with your vendor and in testing is how the next-gen firewall handles encrypted traffic. Can the firewall intercept, decrypt and re-encrypt SSL/TLS, SSH and VPN traffic, and, if it does, at what cost to performance? Determine realistic requirements for your production environments and test accordingly. Where and how you use the next-gen firewall is a strong factor to consider in assessing performance. Financial transactions, stock trading, and so on, are extremely performance-sensitive. Weigh the criticality of the assets and systems you are protecting when creating appropriate rule sets and deciding which security services to enable. For example, says NSS Labs' Moy, unified threat management (UTM) performance typically drops by 60 percent from 10Gbps to 3 or 4Gbps when IPS is enabled, and there is an even more drastic reduction, to 300 to 400Mbps, when antivirus capabilities are turned on.
"I'd be skeptical about turning on [antivirus] on the firewall," he says. "In front of the data center, probably not, but maybe at the perimeter."
More and more complex rules will also affect performance, so factor that into your testing.
"The deeper the policies, the more you feel an impact," says Core Competence's Phifer. "As you layer on additional checks, it is going to get slower and slower."
There are a number of high-end products on the market that perform load and security testing. These are expensive, but worth investing in if you are going to be doing a lot of network equipment and network security product testing in-house. If not, there are third-party testing providers, many of whom make use of these tools.
"Pilot the heck out of it," says Kwong. "I've dealt with many firewalls, and out-of-box we needed to tune a lot of parameters before we got to the right performance level. From my experience with previous firewalls, I've always found performance didn't quite match the claims."
Be realistic about application control. Before you are blown away by a vendor's assertion that they have so many thousand applications in their library, consider your application policies and practices. Learn which applications your company's employees are using for legitimate business purposes, which are likely to be used in the future, who is using them and how they are being used. Armed with this information, you can create security and appropriate-use policies and evaluate next-gen firewall products on their ability to monitor and enforce policy around these apps.
"Vendors claiming large numbers of applications is kind of meaningless; the numbers are not important," says Gartner's Young. He recommends that once you decide which applications you want to deal with, you make sure they are in the library, find out whether they produce false negatives or positives, and run them through a configuration exercise.
"If you want to block Mafia Wars or allow Facebook for sales and marketing, how difficult is the task, and does the workflow it produces make sense?" he says. Configuring an application should be easy, and should be done using a wizard-like, hierarchical interface.
Young also suggests testing a topical application that's known to be malicious or to cause problems on networks and seeing whether the appliance catches it.
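The evaluation Young describes (confirm your applications are in the library, measure false negatives and false positives, then check that the resulting policy actually allows or blocks what you intended) can be scored mechanically once you replay known test traffic through the appliance and collect its logs. The following is an added example written for this article, not code from any vendor or from the people quoted; the flow records, the application names and the "allow"/"block" outcomes are constructed to mirror the Facebook and Mafia Wars scenario above, and the log format a real firewall would export is assumed to have been parsed into the `Flow` records first.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One replayed test flow: what we generated versus what the firewall reported."""
    flow_id: str
    expected_app: str      # application the test harness actually generated
    observed_app: str      # application the firewall logged for that flow
    expected_action: str   # policy outcome intended for the real app: "allow" or "block"
    observed_action: str   # policy outcome the firewall actually applied


# Constructed sample (hypothetical appliance): five flows replayed during a pilot.
SAMPLE_FLOWS = [
    Flow("f1", "facebook", "facebook", "allow", "allow"),
    Flow("f2", "mafia-wars", "mafia-wars", "block", "block"),
    Flow("f3", "mafia-wars", "facebook", "block", "allow"),    # missed, and therefore let through
    Flow("f4", "web-browsing", "facebook", "allow", "allow"),  # mislabelled, outcome still right
    Flow("f5", "facebook", "unknown", "allow", "block"),       # mislabelled and wrongly blocked
]


def missing_from_library(required_apps, vendor_library):
    """Apps your policy needs that the vendor's signature library does not cover."""
    return sorted(set(required_apps) - set(vendor_library))


def score_app_id(flows):
    """Per-application identification counts.

    tp: flow of app X labelled X.  fn: flow of app X labelled something else.
    fp: flow of another app labelled X.  A single mislabel is one fn for the
    real app and one fp for the app the firewall wrongly chose.
    """
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0})
    for f in flows:
        if f.expected_app == f.observed_app:
            counts[f.expected_app]["tp"] += 1
        else:
            counts[f.expected_app]["fn"] += 1
            counts[f.observed_app]["fp"] += 1
    return dict(counts)


def detection_rate(counts, app):
    """Fraction of real app-X flows the firewall recognised; None if none were sent."""
    c = counts.get(app, {"tp": 0, "fn": 0, "fp": 0})
    total = c["tp"] + c["fn"]
    return c["tp"] / total if total else None


def policy_mismatches(flows):
    """Flows where the enforced action differs from the intended one, split by failure type.

    wrongly_allowed is the security failure (a blocked app got through);
    wrongly_blocked is the business failure (a permitted app was stopped).
    """
    result = {"wrongly_allowed": [], "wrongly_blocked": []}
    for f in flows:
        if f.expected_action == "block" and f.observed_action == "allow":
            result["wrongly_allowed"].append(f.flow_id)
        elif f.expected_action == "allow" and f.observed_action == "block":
            result["wrongly_blocked"].append(f.flow_id)
    return result


if __name__ == "__main__":
    # Hypothetical required-app list and vendor library for the coverage check.
    print("missing:", missing_from_library(["facebook", "mafia-wars", "internal-erp"],
                                           {"facebook", "mafia-wars", "twitter"}))
    counts = score_app_id(SAMPLE_FLOWS)
    for app in sorted(counts):
        print(app, counts[app], "detection:", detection_rate(counts, app))
    print(policy_mismatches(SAMPLE_FLOWS))
```

Feed it the flows you generated during the pilot rather than the vendor's own test set: the library-coverage check answers "are my apps in there", the per-app counts answer "how often does it get them wrong", and the two mismatch lists separate the misses that matter to security from the ones that will generate help-desk tickets.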