A common approach to preventing network intrusions is to place a security device in-line in the network and to intercept and evaluate a whole packet received by the security device before making the decision whether to forward or drop the packet. This approach involves buffering whole packets. In networks that are delay constrained (and particularly networks that run at relatively slow link speeds), such as some networks in real time systems, the additional delay imposed by these steps (buffering and evaluation of a packet as a whole) may lead to incorrect system behavior.