In high-assurance security, they go further by putting that functionality into a dedicated device with minimal components, a separation kernel (or RTOS), and strong isolation of networking. The idea is that it always, by static design, forces networking traffic to go through the encryptor, with almost no attack surface from the external network. The external network stack is usually in its own partition, too.
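The "by static design" property above can be checked mechanically against a partition channel table. The following is an added example, not code from the original text or from any particular separation kernel: it treats the allowed inter-partition channels as a directed graph and reports any route between the internal and external networks that avoids the encryptor. The partition names and the channel table are constructed assumptions.

```python
from collections import deque

# Constructed sample: one-way channels a hypothetical separation kernel
# configuration permits between partitions. All names are assumptions.
CHANNELS = {
    ("internal_net", "plaintext_stack"), ("plaintext_stack", "internal_net"),
    ("plaintext_stack", "encryptor"), ("encryptor", "plaintext_stack"),
    ("encryptor", "external_stack"), ("external_stack", "encryptor"),
    ("external_stack", "external_net"), ("external_net", "external_stack"),
}

def reachable(channels, start, blocked=frozenset()):
    """Partitions reachable from start without entering a blocked partition."""
    adj = {}
    for src, dst in channels:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def bypass_paths(channels, inside, outside, mediator):
    """Return (src, dst) endpoint pairs that can talk while avoiding the mediator.

    The check removes the mediator from the graph; if the far side is still
    reachable, some channel lets traffic go around the encryptor.
    """
    findings = []
    for src, dst in ((inside, outside), (outside, inside)):
        if dst in reachable(channels, src, blocked={mediator}):
            findings.append((src, dst))
    return findings

if __name__ == "__main__":
    print("baseline:", bypass_paths(CHANNELS, "internal_net", "external_net", "encryptor"))
    # A single extra channel (for example one left in for debugging) breaks the property.
    leaky = CHANNELS | {("plaintext_stack", "external_stack")}
    print("leaky:", bypass_paths(leaky, "internal_net", "external_net", "encryptor"))
```

An empty result means every route between the two networks crosses the encryptor partition; it says nothing about whether the kernel actually enforces the table.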