The STRONGMAN architecture

Abstract
The design principle of restricting local autonomy only where necessary for global robustness has led to a scalable Internet. Unfortunately, this scalability and capacity for distributed control has not been achieved in the mechanisms for specifying and enforcing security policies. This shortcoming must be overcome if end-to-end security mechanisms (such as IPsec or TLS) are to ever replace solutions of short-term convenience such as firewalls.

The STRONGMAN (for Scalable TRust Of Next Generation MANagement) system offers three new approaches to scalability, applying the principle of local policy enforcement complying with global security policies. First is the use of a compliance checker to provide great local autonomy within the constraints of a global security policy. Second is a mechanism to compose policy rules into a coherent enforceable set, e.g., at the boundaries of two locally autonomous application domains. Third is the "lazy instantiation" of policies to reduce the amount of state that enforcement points need to maintain.

We demonstrate the use of these approaches in the design, implementation, and measurements of a distributed firewall. Our experiments show that, under certain circumstances, performance can improve over the traditional-firewall approach.