It is definitely possible to enforce signature-based blocking or inline patching farther upstream from the server. Layer-7 protection technologies such as web application firewalls (WAFs) or inline intrusion prevention systems (IPS) can block or mitigate viruses and other malware threats before they ever reach the server.
However, I would not place such a product in front of the firewall connection, given the amount of noise generated by unfiltered Internet traffic. Ideally, these products would be placed as a layer-2 bridge on the link between the firewall and the switch infrastructure hosting the servers.
Because this blocking is handled further upstream -- outside of the virtual environment -- a single inline device protects every virtual server hosted on the same physical hardware, rather than relying on per-guest controls.
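As an added illustration of the layer-2 bridge placement described above (this is not configuration from the original answer, and the answer names no specific product), the fragment below shows how an open-source IPS such as Suricata is configured to run inline in AF_PACKET "copy mode": the two NICs carry no IP addresses, one faces the firewall and the other faces the server switch, and every packet is forwarded unchanged unless a signature with a `drop` action matches it. The interface names `eth1`/`eth2` and the rule path are assumptions to adapt to the host.

```yaml
# Added example, not part of the original answer: Suricata as a transparent
# layer-2 IPS bridging the firewall link and the server switch.
# Interface names and the rule path are assumed; neither NIC carries an IP.
af-packet:
  - interface: eth1            # NIC toward the firewall (untrusted side)
    threads: auto
    cluster-id: 99              # each inline pair member needs its own id
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips              # inline: forward unless a rule drops the packet
    copy-iface: eth2            # egress NIC toward the server switch
    buffer-size: 64535
    use-mmap: yes
  - interface: eth2            # NIC toward the server switch (protected side)
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth1            # return traffic is copied back toward the firewall
    buffer-size: 64535
    use-mmap: yes

# Signatures live here; a rule whose action is "drop" (rather than "alert")
# is what turns detection into the inline blocking discussed above.
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
```

Because the sensor sits behind the firewall, the rule set only has to inspect traffic the firewall already allowed, which keeps the noise from unfiltered Internet traffic out of the IPS logs. Any host on the switch side, physical or virtual, is covered without touching the guests themselves.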
This was first published in February 2011