Large networks today tend to have a large number of entry points (for performance, failover, and other reasons).
Furthermore, many sites employ internal firewalls to provide some form of compartmentalization.
Allowing end-to-end encryption through a firewall implies that the administrators place considerable trust in the users, since the firewall can no longer inspect the encrypted traffic.
Finally, there is an increasing need for finer-grained access control which standard firewalls cannot readily accommodate without greatly increasing their complexity and processing requirements.
Likewise, because of its dependence on the network topology, a perimeter firewall (PF) can only enforce a policy on traffic that traverses it. Thus, traffic exchanged among nodes in the protected network cannot be controlled. The gap between processing and networking speeds is likely to increase, at least for the foreseeable future; while computers (and hence firewalls) are getting faster, the combination of more complex protocols and the tremendous increase in the amount of data that must be passed through the firewall has been, and likely will continue to, outpace Moore's law. There exist protocols, and new protocols are being designed, that are difficult to process at the firewall, because the firewall lacks certain knowledge that is readily available at the endpoints. Although there exist application-level proxies that handle such protocols, such solutions are viewed as architecturally "unclean" and in some cases too invasive.

Distributed firewalls are host-resident security software applications that protect the enterprise network's servers and end-user machines against unwanted intrusion. They offer the advantage of filtering traffic from both the Internet and the internal network. This enables them to prevent attacks that originate from both the Internet and the internal network, which is important because the most costly and destructive attacks still originate from within the organization. Usually deployed behind the traditional firewall, they provide a second layer of defense.

A key feature of distributed firewalls is centralized management. Policies can be defined and pushed out on an enterprise-wide basis, and the ability to gather reports and maintain updates centrally makes distributed security practical.
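The topology argument above can be made concrete with a small simulation, added here as an illustration and not taken from the page's source paper or any real firewall product: one centrally defined policy is evaluated at the perimeter (which never sees host-to-host traffic inside the protected network) and at every host (which sees all traffic it receives). The address space, hosts and rules are constructed sample values.

```python
"""Perimeter vs. distributed policy enforcement (illustrative simulation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the protected network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the rule matches on the source side
    dst: str              # CIDR the rule matches on the destination side
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# One policy, defined centrally and pushed to every host (constructed sample).
POLICY: List[Rule] = [
    Rule("10.0.1.0/24", "10.0.2.5/32", 5432, "allow"),  # app subnet -> database
    Rule("0.0.0.0/0", "10.0.2.5/32", None, "deny"),     # nothing else reaches it
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow"),      # default for everything else
]


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow matching no rule is denied."""
    for r in policy:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


def perimeter_firewall(policy: List[Rule], flow: Flow) -> str:
    """A PF only sees flows that cross the perimeter; internal flows bypass it."""
    if ip_address(flow.src) in INTERNAL and ip_address(flow.dst) in INTERNAL:
        return "allow"  # never traverses the PF, so it is not controlled at all
    return evaluate(policy, flow)


def distributed_firewall(policy: List[Rule], flow: Flow) -> str:
    """Each host enforces the pushed policy on every flow addressed to it."""
    return evaluate(policy, flow)
```

The interesting case is a lateral flow from an unrelated internal host to the database: the perimeter never sees it, while the host-resident enforcement denies it from the same policy.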