Anton J Aylward <anton @
>The difference is that the Ptolemaic model was wrong in that it was
>theoretically inadequate. The UNIX model isn't wrong, it isn't even
>inadequate; its lack of application to the networking interface was
Adequate with respect to _what_ ?? That's the question.
While the alleged Unix protection model may be adequate for something,
I argue that it's inadequate for a firewall because it does not
enforce a *mandatory* protection in the classic sense. It isn't always
invoked, it isn't tamperproof, and it is bypassable.
This is *not* a slam on Unix or its builders: just an observation that
we're trying to make it do something it wasn't designed to do.
The firewall is the first commercial device I know of that really,
really needs mandatory access controls. Mandatory controls are
designed to resist attacks by overtly malicious people that really
know what they're doing. They work because they draw explicit
boundaries that *no* software should cross. The kernel doesn't get
caught in this problem of yielding to good guys who are really bad
guys playing a masquerade.
com secure computing corporation