Security is critical to data centers, especially multi-tenant data centers that host a variety of applications in a single facility. Conventional schemes place security devices (middleboxes) at a few choke points (e.g., core routers) and rely on routing policy to guarantee middlebox traversal. Coupling routing and security services together complicates operation and troubleshooting since routing and security are operated by different teams. When a data center scales, the security system needs upgrade accordingly. However, the current approaches are not flexible and incur high cost. Observing that rich computing resources are already available in data centers, we are interested in using a large number of software middleboxes to achieve scalability and cost efficiency. We present Hybrid Security Architecture (HSA), a design to decouple security services from routing and to allow the integration of hardware and software middleboxes in a complementary way. HSA is more cost-effective and flexible compared to the conventional schemes that solely use hardware middleboxes. It allows topology and routing changes with minimal impact to security services, and vice versa. In particular, HSA does not require modification to switches and routers. This paper explains the framework of HSA, describes the key techniques, presents a testbed to validate the design, and discusses future research directions.