Creating an ASIC for inspecting TCP/IP payloads is suboptimal. A software-based design is better for maintenance and flexibility. Such a design is employed by Cisco FWSM. Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584 summarizes a recent Cisco vulnerability. An excerpt from the vendor's advisory:
A vulnerability exists in the processing of data in the control-plane path with Layer 7 Application Inspections, that may result in a reload of the FWSM. The vulnerability can be triggered with standard network traffic, which is passed through the Application Layer Protocol Inspection process.
The recommended workaround is to disable TCP normalizing or "scrubbing".
FWSM# config terminal
FWSM(config)# no control-point tcp-normalizer
FWSM(config)#
FWSM#
If the scrubbing were done in the data plane, there would be no way to solve this vulnerability except to replace the whole FWSM module.
Cisco is now focusing more on software design. The size of its software development team easily surpasses that of its hardware counterpart. By the way, the inclusion of Tcl shell scripting support in Cisco IOS is neat. IOS is becoming more of a full-fledged operating system.