The very nature of virtualization makes it unique in that it adds a barrier between the traditional hardware and operating system layers. By definition, virtualization creates an operating environment on the host hardware that allows for complete customization and allocation of resources, regardless of which operating system is installed. It is not uncommon to have several different operating systems residing side by side. In fact, recently even Microsoft opened their proprietary Azure cloud platform to support Linux builds.
When firewalls were first designed, their role was to control traffic between network segments and physical hardware. As we move toward greater adoption of cloud and virtualized infrastructure, the physical design of the network becomes less dominant, largely because many physical servers collapse into fewer virtualized hosts. The main source of security control therefore needs to adapt as well, because the threats move to the individual VMs residing on those hosts, especially where multi-tenancy is used. The logical barriers segregating virtual machines thus become the concern for firewalls, not just the network around the physical server. So how do you protect the inter-VM traffic when a traditional firewall cannot see traffic beyond the physical NIC of the server?