Firewalls, intrusion prevention systems and VLANs (virtual LANs) that form the connections between physical systems must stay in place and be maintained. However, the functions of these systems also need to move inside the virtual network that connects VMs to one another. Usually this virtual network is built from a virtual switch that resides, alongside the VMs, on top of the hypervisor on a physical host.
Today, when traffic between VMs on the same host needs to be monitored for security purposes, it is common to hairpin that traffic out through a physical uplink to a physical appliance built for that purpose and, once processed, send it back onto the virtual network. Every inspected packet therefore crosses the uplink twice, so as VM density grows it is the physical network, not the hypervisor, that becomes the bottleneck.
A hybrid solution of this type also ties VMs to the physical hosts on which they are installed: the inspection policy is bound to the host's uplink and to the physical appliance behind it, so it does not follow a VM that migrates to a different host unless the physical infrastructure has been elaborately architected to support that case. There are so many problems with this approach that only the scarcity of alternatives explains why it is used at all.
The first problem is that the hybrid approach clings to the recently ended era when a machine came online and stayed online until it died or was retired. Security products accordingly developed a static, accretive model of the physical and logical connections between systems.
In physically oriented tools, security policy revolved around brittle, static models of the network. To be quite frank, even what we now see as the glacial pace of change in the data center often outpaced IT managers' ability to keep the topological and logical models embodied in traditional IT security tools up to date.
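The two failure modes described above, the hairpin cost and the policy that stops matching when a VM moves, can be made concrete with a small model. The following is an added example written for this page, not code from the original article or from any product it describes; the host names, VM names, MAC addresses and rule sets are constructed for illustration. It contrasts a rule keyed on a VM's physical location (host and switch port, the view a physical firewall or port-based ACL has) with a rule keyed on the VM's own identity (here its vNIC MAC, which is what a virtual switch can enforce on wherever the VM runs), and counts how many times a packet between two VMs must cross a physical uplink with and without hairpinning.

```python
"""Toy model of location-bound versus identity-bound security policy under
live migration, plus the uplink cost of hairpinning co-located VM traffic.
Added example; all names, MACs and rules are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    mac: str  # vNIC MAC, used here as the VM's stable identity


@dataclass
class Inventory:
    """Where each VM currently sits: vm name -> (host, vswitch port)."""
    location: dict[str, tuple[str, str]] = field(default_factory=dict)
    vms: dict[str, VM] = field(default_factory=dict)

    def place(self, vm: VM, host: str, port: str) -> None:
        self.vms[vm.name] = vm
        self.location[vm.name] = (host, port)

    def migrate(self, vm_name: str, new_host: str, new_port: str) -> None:
        # Live migration: same VM, same MAC, but a new host and vswitch port.
        self.location[vm_name] = (new_host, new_port)


class LocationBoundPolicy:
    """Rules keyed on (host, port) pairs, the way a physical firewall or a
    port-based ACL on the access switch models the network."""

    def __init__(self) -> None:
        self.rules: dict[tuple[tuple[str, str], tuple[str, str]], str] = {}

    def add(self, src_loc: tuple[str, str], dst_loc: tuple[str, str], action: str) -> None:
        self.rules[(src_loc, dst_loc)] = action

    def decide(self, inv: Inventory, src: str, dst: str) -> str:
        key = (inv.location[src], inv.location[dst])
        # After a migration no rule matches the new location, so the flow
        # falls through to the default. We model an explicit default-deny;
        # a default-allow device would instead pass the flow uninspected.
        return self.rules.get(key, "deny(no matching rule)")


class IdentityBoundPolicy:
    """Rules keyed on the VMs themselves (their MACs), which a virtual switch
    can enforce on whichever host the VM is attached to."""

    def __init__(self) -> None:
        self.rules: dict[tuple[str, str], str] = {}

    def add(self, src: VM, dst: VM, action: str) -> None:
        self.rules[(src.mac, dst.mac)] = action

    def decide(self, inv: Inventory, src: str, dst: str) -> str:
        key = (inv.vms[src].mac, inv.vms[dst].mac)
        return self.rules.get(key, "deny(no matching rule)")


def uplink_crossings(inv: Inventory, src: str, dst: str, hairpin: bool) -> int:
    """Number of times one packet from src to dst crosses a physical uplink.
    Co-located VMs never leave the host unless the traffic is hairpinned out
    to a physical inspection device and back, which costs two crossings."""
    same_host = inv.location[src][0] == inv.location[dst][0]
    if same_host:
        return 2 if hairpin else 0
    return 1


def demo() -> dict[str, object]:
    """Place two VMs on different hosts, then migrate one next to the other."""
    web = VM("web01", "52:54:00:aa:00:01")   # constructed sample VM
    db = VM("db01", "52:54:00:aa:00:02")     # constructed sample VM
    inv = Inventory()
    inv.place(web, "host-a", "vnet3")
    inv.place(db, "host-b", "vnet7")

    loc = LocationBoundPolicy()
    loc.add(("host-a", "vnet3"), ("host-b", "vnet7"), "allow+inspect")
    ident = IdentityBoundPolicy()
    ident.add(web, db, "allow+inspect")

    out: dict[str, object] = {
        "location_before": loc.decide(inv, "web01", "db01"),
        "identity_before": ident.decide(inv, "web01", "db01"),
        "crossings_before": uplink_crossings(inv, "web01", "db01", hairpin=False),
    }
    # Live-migrate web01 onto db01's host: the rule written for host-a no
    # longer matches, while the identity rule is unaffected.
    inv.migrate("web01", "host-b", "vnet1")
    out["location_after"] = loc.decide(inv, "web01", "db01")
    out["identity_after"] = ident.decide(inv, "web01", "db01")
    out["crossings_after_no_hairpin"] = uplink_crossings(inv, "web01", "db01", hairpin=False)
    out["crossings_after_hairpin"] = uplink_crossings(inv, "web01", "db01", hairpin=True)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the asymmetry after `migrate`: the location-bound rule silently stops matching (and whether that fails closed or open depends on the device's default), while the identity-bound rule keeps applying because it never encoded where the VM was. The crossing counts show the other side of the argument: once the two VMs share a host, their traffic crosses no physical uplink at all unless it is hairpinned, and then it crosses twice.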