Integrating Security in a Large Distributed System
Andrew is a distributed computing environment that is a synthesis of the
personal computing and timesharing paradigms. When mature, it is expected
to encompass over 5000 workstations spanning the Carnegie Mellon University
campus. This paper examines the security issues that arise in such an environment
and describes the mechanisms that have been developed to address them.
These mechanisms include the logical and physical separation of servers
and clients, support for secure communication at the remote procedure call
level, a distributed authentication service, a file-protection scheme that
combines access lists with Unix mode bits, and the use of encryption as
a basic building block. The paper also discusses the assumptions underlying
security in Andrew and analyzes the vulnerability of the system. Usage
experience reveals that resource control, particularly of workstation CPU
cycles, is more important than originally anticipated and that the mechanisms
available to address this issue are rudimentary.
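The abstract above mentions a file-protection scheme that combines access lists with Unix mode bits. The following is an added illustration written for this page, not code from the paper or from Andrew itself, of how such a two-layer check can be composed: a per-directory access list decides whether a principal may operate on entries in that directory at all, and the file's own Unix owner mode bits are then consulted for read, write and execute. The right names (r, w, i, d, l), the group-expansion rule, and the choice to apply the owner bits to every principal are assumptions made for this example, not a statement of Andrew's exact semantics.

```python
"""Added example: compose a directory access list with per-file Unix mode
bits. The policy encoded here is an assumption for illustration:

- The containing directory's ACL grants rights to principals or groups.
- The file's owner mode bits are then required for read/write/execute,
  for every principal, so a permissive ACL cannot override an owner who
  has cleared a mode bit on a particular file.
- Creating or removing entries is controlled by directory rights only.
"""
from dataclasses import dataclass

# Directory rights (constructed names for this example).
READ, WRITE, INSERT, DELETE, LOOKUP = "r", "w", "i", "d", "l"


@dataclass
class Directory:
    acl: dict     # principal or group name -> set of rights
    groups: dict  # group name -> set of member principals


@dataclass
class File:
    owner: str
    mode: int     # Unix mode bits, e.g. 0o644


def rights_for(principal, directory):
    """Union of rights granted to the principal directly and via groups."""
    granted = set(directory.acl.get(principal, set()))
    for group, members in directory.groups.items():
        if principal in members:
            granted |= directory.acl.get(group, set())
    return granted


# File operations: the directory right they need and the owner mode bit
# that must also be set on the file (assumed mapping).
_FILE_OPS = {
    "read": (READ, 0o400),
    "write": (WRITE, 0o200),
    "execute": (READ, 0o100),
}

# Directory-only operations: no file mode bit is consulted.
_DIR_OPS = {"create": INSERT, "remove": DELETE, "list": LOOKUP}


def allowed(principal, op, directory, file=None):
    """Return True if principal may perform op under the assumed policy."""
    granted = rights_for(principal, directory)
    if op in _DIR_OPS:
        return _DIR_OPS[op] in granted
    if op in _FILE_OPS and file is not None:
        right, mode_bit = _FILE_OPS[op]
        # Both layers must agree: ACL on the directory AND owner bit on the file.
        return right in granted and bool(file.mode & mode_bit)
    return False


def demo():
    """Constructed sample: alice owns the directory, bob reads via 'staff'."""
    home = Directory(
        acl={"alice": {READ, WRITE, INSERT, DELETE, LOOKUP},
             "staff": {READ, LOOKUP}},
        groups={"staff": {"bob"}},
    )
    notes = File(owner="alice", mode=0o644)
    private = File(owner="alice", mode=0o044)  # owner bits cleared
    return {
        "alice_read_notes": allowed("alice", "read", home, notes),
        "bob_read_notes": allowed("bob", "read", home, notes),
        "bob_write_notes": allowed("bob", "write", home, notes),
        "bob_exec_notes": allowed("bob", "execute", home, notes),
        "alice_read_private": allowed("alice", "read", home, private),
        "alice_create": allowed("alice", "create", home),
        "bob_create": allowed("bob", "create", home),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The interesting case is `alice_read_private`: alice holds every right on the directory, yet the cleared owner read bit on the file still denies the read, which is the point of layering mode bits under the access list rather than replacing one with the other.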