A security boundary, sometimes referred to as a security zone, is defined so that network devices within the same security boundary share the same security policies. Network devices cannot communicate with network devices in a different security boundary without explicit permission. Conventional network security devices are designed to protect a static, fixed security boundary, primarily using the interface or the IP address to define the security boundary. In a data center where virtual machines are deployed, network administrators can add or move virtual machines to any physical server, which may connect to the security gateways through different interfaces with different IP addresses and subnets. Thus, conventional security devices cannot create an effective security boundary for virtual machines, since the interface or the IP address is not enough to classify virtual machines into different security boundaries.
As many companies deploy virtual machines in their IT environment, the fixed security boundary cannot support the dynamic nature of virtual machines. Many virtual machines acquire their IP address from a DHCP server, and a virtual machine may be moved from one host to another host with a different IP address at run time. In such a case, the security gateway interfacing the virtual machines to the network would not recognize the virtual machine, because the virtual machine is attempting to communicate using a different IP address.
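The failure mode described above can be shown with a small simulation. The following is an added example, not part of the original text and not the method the text goes on to describe: it contrasts a zone table keyed by IP subnet (the conventional approach) with a zone table keyed by a stable virtual-machine identifier, which is an assumed alternative used only to illustrate why the interface or IP address alone is insufficient. The subnets, VM names, zone names and the inter-zone policy are all constructed sample values.

```python
import ipaddress

# Constructed sample: the conventional zone table, keyed by IP subnet.
SUBNET_ZONES = {
    ipaddress.ip_network("10.1.0.0/24"): "web",
    ipaddress.ip_network("10.2.0.0/24"): "db",
}

# Constructed sample: a zone table keyed by a stable VM identifier
# (hypothetical identity-based classification, assumed for illustration).
VM_ZONES = {
    "vm-web-01": "web",
    "vm-db-01": "db",
}

# Constructed sample policy: flows are permitted only between listed zone pairs;
# anything else, including an unclassified endpoint, is denied.
POLICY = {("web", "db")}


def zone_by_ip(ip: str):
    """Classify an endpoint by the subnet its IP address falls in (conventional)."""
    addr = ipaddress.ip_address(ip)
    for net, zone in SUBNET_ZONES.items():
        if addr in net:
            return zone
    return None  # no matching subnet: the gateway does not recognize the endpoint


def zone_by_identity(vm_id: str):
    """Classify an endpoint by a stable VM identifier (assumed alternative)."""
    return VM_ZONES.get(vm_id)


def decide(src_zone, dst_zone) -> str:
    """Apply the zone policy. Unclassified endpoints never match and are denied."""
    if src_zone is None or dst_zone is None:
        return "deny"
    return "allow" if (src_zone, dst_zone) in POLICY else "deny"


def decide_by_ip(src_ip: str, dst_ip: str) -> str:
    return decide(zone_by_ip(src_ip), zone_by_ip(dst_ip))


def decide_by_identity(src_vm: str, dst_vm: str) -> str:
    return decide(zone_by_identity(src_vm), zone_by_identity(dst_vm))


def simulate_migration():
    """
    Walk vm-web-01 through three placements and return the decisions.

    1. original host, address 10.1.0.5 in the web subnet
    2. moved to a host on an unlisted subnet, DHCP hands it 10.3.0.7
    3. moved to a host on the db subnet, DHCP hands it 10.2.0.9
    The db VM stays at 10.2.0.20 throughout.
    """
    db_ip = "10.2.0.20"
    placements = ["10.1.0.5", "10.3.0.7", "10.2.0.9"]
    results = []
    for web_ip in placements:
        results.append({
            "web_ip": web_ip,
            "ip_zone": zone_by_ip(web_ip),
            "by_ip": decide_by_ip(web_ip, db_ip),
            "by_identity": decide_by_identity("vm-web-01", "vm-db-01"),
        })
    return results


if __name__ == "__main__":
    for r in simulate_migration():
        print(r)
```

Placement 2 shows the outage the text describes: after migration the web VM is no longer recognized by its IP address, so a flow its policy should permit is denied. Placement 3 is the more dangerous case for a defender: the same VM now lands in the db subnet and is silently classified as a db endpoint, so the boundary between the two zones no longer holds. Classification by a stable identifier returns the same decision in all three placements.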