
Distributed Computing Model of Network Flow Enforcement

My PhD work was in the area of parallel systems. Specifically, it was in the area of program development systems (compilers) for distributed-memory multiprocessors. Unfortunately for me, it was pretty clear by the time I graduated that such computers and their programming models were not going to take the world by storm. But looking at the world as a sea of distributed processors did influence my thinking in my next phase of life, where we were developing firewalls.

At the time (mid nineties) firewalls were strictly border devices. Maybe an organization had a firewall protecting itself from the unknown outside, but it was clear that network connectivity and complexity were rapidly increasing. The number of network security enforcement devices within a single organization, or within a set of cooperating organizations, would only grow. Therefore, with the Centri firewall, we took the view of firewalls as elements in a distributed memory machine that we were compiling for. The user specified a global security policy. They also specified the target architecture (the topology and the enforcement points in it), and Centri compiled the appropriate configuration for each enforcement point so that, taken together, they enforced the policy (assuming there was a sufficient density of network enforcement points). Solsoft takes a similar point of view. Researchers at AT&T took a similar generation view with their Firmato toolkit (its companion, Fang, is an analysis engine, the other model discussed below).

Once we were acquired by Cisco, Centri was not long for this world, but our compiler view of network security policy lived on in Cisco Secure Policy Manager (CSPM), which targeted PIX and IOS devices instead of Centri enforcement points. CSPM lived on for about five years, but it was too far ahead of its time. The majority of our customers 1) had existing devices with existing configurations that they believed in and 2) wanted the option of a simpler view in which they could manage each device independently. In addition, there were some base technology problems with CSPM that were never adequately addressed.

Today the reality of complex, dynamic network environments is well upon us, but the predominant management model is still that of configuring (programming) each network enforcement device independently (hopefully guided by some higher level security policy). My technical direction now is guided by the analysis model. Rather than a compilation/generation model, we are working on tools that take the set of device configurations as they actually exist and make determinations about how well they fit the global policy intent: which flows the devices permit end to end that the policy does not, and which flows the policy intends that some device along the path blocks. In many ways this has more technical difficulties than the distributed compilation model. There are many ways to program the same concept (an exact port versus a range that happens to cover it, an explicit source versus "any" relying on an upstream device to filter, a different rule order with the same first-match result). The compiler only has to generate one of them. The analyzer must understand all of them.

The analyzer gives the end user much freedom. They can apply an analyzer to an installed base of network device configurations. They can use an analyzer to help guide the evolution of those configurations. Perhaps eventually the analyzer will evolve into a generator. However, that is more of an end-user psychological acceptability issue than a technical one.
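The two models above, the compiler that renders one global policy into per-device configurations and the analyzer that must accept any rendering an operator might have written, are small enough to show side by side. The following is an added example written for this page; it is not Centri, CSPM, Firmato or Fang code, and the zones, device names, ports and rule format are all constructed for illustration. It compiles a three-flow intent onto a two-firewall chain, then runs the analyzer over a hand-written pair of configurations that express the same intent differently (a port range on fw1 and an "any" source on fw2) and reports only the genuine deviation from intent.

```python
"""Toy policy compiler vs. configuration analyzer for a chain of enforcement points.

Added example for illustration only (not vendor or research code). Zones,
devices, ports and the rule tuple format are constructed for this example.
"""

# Constructed topology: the ordered enforcement points a flow between two zones
# must traverse. A flow is permitted end to end only if every device on its
# path permits it.
PATHS = {
    ("internet", "dmz"): ["fw1"],
    ("internet", "internal"): ["fw1", "fw2"],
    ("dmz", "internal"): ["fw2"],
}
DEVICES = ["fw1", "fw2"]

# Global policy intent: explicit TCP permits as (src_zone, dst_zone, port).
# Anything not listed is intended to be denied.
INTENT = {
    ("internet", "dmz", 80),
    ("internet", "dmz", 443),
    ("dmz", "internal", 5432),
}

# Device rule: (src_zone or "any", dst_zone or "any", port_lo, port_hi, action),
# evaluated first-match like an ACL, with an implicit deny at the end.


def compile_policy(intent, paths, devices):
    """Compiler model: one canonical rendering of the intent per device.

    Emits an exact-port permit on every device the flow crosses, then a
    deny-all, so a single flow may produce rules on several devices."""
    configs = {dev: [] for dev in devices}
    for src, dst, port in sorted(intent):
        for dev in paths[(src, dst)]:
            configs[dev].append((src, dst, port, port, "permit"))
    for dev in devices:
        configs[dev].append(("any", "any", 1, 65535, "deny"))
    return configs


def device_decision(rules, src, dst, port):
    """First-match evaluation of one device's rule list."""
    for rsrc, rdst, lo, hi, action in rules:
        if rsrc in (src, "any") and rdst in (dst, "any") and lo <= port <= hi:
            return action
    return "deny"  # implicit deny when nothing matches


def end_to_end(configs, paths, src, dst, port):
    """A flow gets through only if every device on its path permits it."""
    if (src, dst) not in paths:
        return False
    return all(device_decision(configs[dev], src, dst, port) == "permit"
               for dev in paths[(src, dst)])


def cut_points(configs, intent):
    """Ports at which some rule or intent entry starts or stops.

    Between two consecutive cut points no rule and no intent entry changes,
    so probing one port per interval covers all 65535 ports without brute force."""
    cuts = {1}
    for _, _, port in intent:
        cuts.update((port, port + 1))
    for rules in configs.values():
        for _, _, lo, hi, _ in rules:
            cuts.update((lo, hi + 1))
    return sorted(c for c in cuts if 1 <= c <= 65535)


def analyze(configs, intent, paths):
    """Analyzer model: compare what the installed configs actually enforce,
    whatever rendering the operator chose, against the intent.

    Returns (src, dst, port_lo, port_hi, kind) for each port interval where
    the devices' combined behaviour disagrees with the intent."""
    cuts = cut_points(configs, intent)
    violations = []
    for src, dst in paths:
        for i, lo in enumerate(cuts):
            hi = cuts[i + 1] - 1 if i + 1 < len(cuts) else 65535
            actual = end_to_end(configs, paths, src, dst, lo)
            wanted = (src, dst, lo) in intent
            if actual != wanted:
                kind = "permitted but not intended" if actual else "intended but blocked"
                violations.append((src, dst, lo, hi, kind))
    return violations


# Hand-written configs as an operator might leave them: same intent, different
# rendering. fw1 collapses 80 and 443 into one range (too broad); fw2 uses an
# "any" source for the database port and relies on fw1 to stop the Internet.
HAND_WRITTEN = {
    "fw1": [("internet", "dmz", 80, 443, "permit"),
            ("any", "any", 1, 65535, "deny")],
    "fw2": [("any", "internal", 5432, 5432, "permit"),
            ("any", "any", 1, 65535, "deny")],
}

if __name__ == "__main__":
    print(analyze(compile_policy(INTENT, PATHS, DEVICES), INTENT, PATHS))
    for violation in analyze(HAND_WRITTEN, INTENT, PATHS):
        print(violation)
```

The compiled configuration analyzes clean by construction. For the hand-written one the analyzer does not complain about fw2's "any" source, because it evaluates the whole path and sees that fw1 already blocks Internet sources bound for the internal zone; it reports only that fw1's range lets ports 81 through 442 from the Internet into the DMZ, which the intent never asked for. Real analyzers must additionally model address ranges, protocols, NAT and routing, but the core shape is the same: compute the effective end-to-end decision from every device on the path, partition the space into intervals of constant behaviour, and diff that against the intent.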

About

This page contains a single entry from the blog posted on December 12, 2006 8:36 AM.
