
Not sure about that...
If what it does is compare the package content to a blacklist, then it might not be that bad of a hit... especially since a hardware firewall can have a quite powerful processor, and doesn't have to do all the other stuff a computer does.

I wonder if hardware firewalls have video cards nowadays. If malware uses the video card for processing power, so should the defenses, right?

Oh, oh, oh!!! I just realized one thing a DPI should definitely check for: if the system has been penetrated, the intruder will want to listen to the traffic on the network, so the firewall should definitely be comparing all outgoing packages with synchronous network activity, to make sure the system's guts don't spill out... that should be doable.
Other things it should definitely watch for are password hashes... once they leave the building, the jig is up, so they should be on the outgoing blacklist too.
Posted by AnsuGisalas
Updated - 30th Nov 2011
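
An added example, not part of the post above: one way an egress filter could implement the "password hashes on the outgoing blacklist" idea, by matching the line formats a hash dump takes rather than any bare hex string. The regexes, function names and sample payloads are this example's own assumptions, and the payloads are constructed.

```python
import re

# Line formats of common password-hash dumps (patterns chosen for this example).
HASH_PATTERNS = {
    # /etc/shadow entry: user:$id$salt$hash:...
    "shadow_crypt": re.compile(
        rb"(?m)^[a-z_][a-z0-9_-]*:\$(?:1|2[aby]|5|6|y)\$[./A-Za-z0-9$=,]{20,}:"),
    # pwdump-style entry: user:rid:LMhash:NThash:::
    "pwdump_ntlm": re.compile(
        rb"(?m)^[^:\r\n]{1,64}:\d+:[0-9A-Fa-f]{32}:[0-9A-Fa-f]{32}:::"),
}

def scan_payload(payload: bytes) -> dict:
    """Return {pattern_name: match_count} for hash formats in one outbound payload."""
    hits = {}
    for name, rx in HASH_PATTERNS.items():
        count = len(rx.findall(payload))
        if count:
            hits[name] = count
    return hits

def egress_verdict(payload: bytes, threshold: int = 1) -> str:
    """Block the payload when it carries at least `threshold` hash-dump lines."""
    total = sum(scan_payload(payload).values())
    return "block" if total >= threshold else "allow"

# Constructed sample payloads (no real credentials).
FAKE_CRYPT = b"$6$saltsalt$" + b"A" * 86
SHADOW_LEAK = (b"root:" + FAKE_CRYPT + b":19000:0:99999:7:::\n"
               b"daemon:*:19000:0:99999:7:::\n"      # locked account, no hash
               b"alice:" + FAKE_CRYPT + b":19000:0:99999:7:::\n")
PWDUMP_LEAK = b"Administrator:500:" + b"0" * 32 + b":" + b"1" * 32 + b":::\r\n"
# A lone 32-hex checksum in a form post must not trigger the filter.
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
          b"file=report.pdf&md5=" + b"ab" * 16)

if __name__ == "__main__":
    for label, data in [("shadow", SHADOW_LEAK), ("pwdump", PWDUMP_LEAK),
                        ("benign", BENIGN)]:
        print(label, scan_payload(data), egress_verdict(data))
```

A content match like this only sees cleartext payloads; hashes sent inside an encrypted or re-encoded stream pass through unless the inspection point decrypts or decodes first.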