System and method for dynamic security insertion in network virtualization

We claim: 1. A computer-implemented method comprising: receiving, at a network device from a second network device comprising a network firewall device, a data packet and application specific data extracted by the network firewall device from security processing and deep packet inspection of contents of the data packet, the data packet received from a client device having a new network connection for which there are no matching entries in a flow table of the network firewall device, wherein the application specific data determined by the network firewall device during the deep packet inspection and the security processing comprises data indicative of at least: an application that generated the data packet, content of the data packet extracted by the network firewall device during the deep packet inspection, and a purpose of data within the packet; generating a routing decision by the network device for the new network connection associated with the data packet received from the client device, the routing decision generated based, at least in part, on application of a policy to a combination of the application, content, and purpose associated with the application specific data; and transmitting the routing decision from the network device to the network firewall device to enable the network firewall device to analyze the application specific data extracted from contents of the data packet and route the data packet based on the routing decision of the network device. 2. The method of claim 1 , wherein generating the routing decision and transmitting the routing decision further comprise: generating an updated flow table for the second network device that includes the routing decision, wherein the updated flow table includes one or more entries, and wherein each entry in the updated flow table specifies a value in a data packet field and corresponding actions to be performed by the second device on future data packets with a matching value in a corresponding data packet field; and transmitting the updated flow table to the second network device. 3. The method of claim 1 , wherein the routing decision is generated for routing the data packet over one of a plurality of virtual networks or firewall devices deployed on a physical network. 4. The method of claim 3 , wherein the network device provides centralized routing decision generation for data routing in the one of the plurality of virtual networks. 5. The method of claim 1 , further comprising: generating a second flow table for a third network device based on the routing decision, wherein the second flow table instructs the third network device how to process data packets for a connection that includes the data packet. 6. The method of claim 1 , wherein generating the routing decision for the data packet further comprises: determining one or more data routing policies relevant to the application specific data; determining a configuration of a virtual network over which the data is to be routed; and generating the routing decision for the network connection associated with the data packet based on the one or more data routing policies and the configuration of the virtual network. 7. The method of claim 1 , wherein the network device and the second network device communicate with one another regarding the routing decision using a network virtualization communications protocol. 8. An article of manufacture having one or more non-transitory computer readable storage media storing executable instructions thereon which when executed cause a system to perform a method comprising: receiving, at a network device from a second network device comprising a network firewall device, a data packet and application specific data extracted by the network firewall device from security processing and deep packet inspection of contents of the data packet, the data packet received from a client device having a new network connection for which there are no matching entries in a flow table of the network firewall device, wherein the application specific data determined by the network firewall device during the deep packet inspection and the security processing comprises data indicative of at least: an application that generated the data packet, content of the data packet extracted by the network firewall device during the deep packet inspection, and a purpose of data within the packet; generating a routing decision by the network device for the new network connection associated with the data packet received from the client device, the routing decision generated based, at least in part, on application of a policy to a combination of the application, content, and purpose associated with the application specific data; and transmitting the routing decision from the network device to the network firewall device to enable the network firewall device to analyze the application specific data extracted from contents of the data packet and route the data packet based on the routing decision of the network device. 9. The article of manufacture of claim 8 , wherein generating the routing decision and transmitting the routing decision further comprise: generating an updated flow table for the second network device that includes the routing decision, wherein the updated flow table includes one or more entries, and wherein each entry in the updated flow table specifies a value in a data packet field and corresponding actions to be performed by the second device on future data packets with a matching value in a corresponding data packet field; and transmitting the updated flow table to the second network device. 10. The article of manufacture of claim 8 , wherein the routing decision is generated for routing the data packet over one of a plurality of virtual networks or firewall devices deployed on a physical network. 11. The article of manufacture of claim 10 , wherein the network device provides centralized routing decision generation for data routing in the one of the plurality of virtual networks. 12. The article of manufacture of claim 8 , further comprising: generating a second flow table for a third network device based on the routing decision, wherein the second flow table instructs the third network device how to process data packets for a connection that includes the data packet. 13. The article of manufacture of claim 8 , wherein generating the routing decision for the data packet further comprises: determining one or more data routing policies relevant to the application specific data; determining a configuration of a virtual network over which the data is to be routed; and generating the routing decision for the network connection associated with the data packet based on the one or more data routing policies and the configuration of the virtual network. 14. The article of manufacture of claim 8 , wherein the network device and the second network device communicate with one another regarding the routing decision using a network virtualization communications protocol. 15. A network device, comprising: a memory; and a processor coupled with the memory to receive, at a network device from a second network device comprising a network firewall device, a data packet and application specific data extracted by the network firewall device from security processing and deep packet inspection of contents of the data packet, the data packet received from a client device having a new network connection for which there are no matching entries in a flow table of the network firewall device, wherein the application specific data determined by the network firewall device during the deep packet in