One study showed that about half of new embedded devices include some type of communication protocol. The other half are standalone devices that are never connected to any network. The standalone devices, as you point out, don't require this type of protection. Some cars now provide communication capability and have been hacked. Our view is that any device that communicates needs protection, and we have seen many examples that support this.
I would assume that some embedded devices do not need protection if they do not connect to the internet or other networks. On the other hand, there is a need to ensure safe operation for those critical devices (cars come to mind) not "connected" to anything but nonetheless life-safety related. While having everything "online/connected" seems like a great idea, my question is: why "everything"? We should consider what needs to be connected versus what needs to be programmed or monitored remotely. Then the considerations for each unique system's use can come into play.
That assumes that the embedded device is using Linux as the operating system, and a lot of devices do not use Linux.
Even if you are using Linux, it is important to understand the requirements of the firewall for the device being built. Does the filtering provided by the Linux firewall provide the best solution? Or would something designed for embedded devices provide a better solution? That really depends on the specific requirements of the device.
You are correct in that embedded devices are lean. An embedded firewall needs to be designed to be fast and small. It does not need to support antivirus filtering (unless it is a Windows device); simple rules-based filtering will meet the needs of most embedded devices.
A separate infrastructure that isolates them from the normal Internet is not realistic in all cases. Many devices will be on the Internet and do need some level of protection.
Embedded devices are the most lean kind of software/hardware systems. It may be going too far to put firewalls, antivirus and all that kind of stuff on them to avoid their being hacked.
Instead why not have separate network infrastructure for them which is secure and totally isolated from the normal internet?