Andrew is a distributed computer system at Carnegie-Mellon University. It currently consists of a network and 15 servers which are collectively called Vice, 400 UNIX workstations (Virtues), and about 1200 users. It will ultimately increase in size to somewhere between 5000 and 10,000 workstations.
The main security considerations are secrecy and integrity. Denial of service is not fully addressed, but Section 8 of the paper discusses Andrew’s protection against the overconsumption of network bandwidth, disk storage, and CPU cycles. Compared to the TCSEC [1], Andrew is a C1 system that comes close to C2, except that it only partially satisfies the C2 auditing requirement.
Satyanarayanan starts by describing a set of assertions that must be true (although they are not all true yet) for Andrew’s security to be effective. These assertions are mainly concerned with limiting access to the servers and workstations to trusted personnel and using encryption to protect the privacy and integrity of network communications. The paper goes on to describe the various system mechanisms used to implement Andrew’s security policy. The secure remote procedure call mechanism is described along with the distributed authentication service. File protection in Vice is based on access lists. Andrew uses both positive and negative access rights. Access rights are applied at the directory level, so all files in the same directory have the same protection.
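To make the access-list scheme concrete, here is a small model of directory-level lists with positive and negative rights. It is an added illustration, not code from the paper or from Andrew/Vice itself. It assumes two things the review does not spell out: that a user's effective rights are the union of the positive entries matching the user or any of that user's groups, minus the union of the matching negative entries (so a negative entry always wins), and that a file carries exactly the list of the directory containing it, with no further inheritance up the tree. The right letters, group memberships and paths are constructed for the example.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

Rights = FrozenSet[str]

@dataclass
class Acl:
    """One directory's access list: a positive and a negative table,
    each mapping a principal (user or group name) to a set of rights."""
    positive: Dict[str, Rights] = field(default_factory=dict)
    negative: Dict[str, Rights] = field(default_factory=dict)

def effective_rights(acl: Acl, user: str, groups: Dict[str, Set[str]]) -> Rights:
    """Union of matching positive entries minus union of matching negative
    entries (assumed rule: a negative entry overrides any positive one)."""
    principals = {user} | groups.get(user, set())
    granted: Set[str] = set()
    for p in principals:
        granted |= acl.positive.get(p, frozenset())
    for p in principals:
        granted -= acl.negative.get(p, frozenset())
    return frozenset(granted)

def acl_for(tree: Dict[str, Acl], path: str) -> Acl:
    """Protection is per directory: a directory uses its own list, a file
    uses the list of the directory that contains it. A directory with no
    list at all yields an empty Acl, i.e. no rights (assumed default)."""
    if path in tree:
        return tree[path]
    return tree.get(posixpath.dirname(path), Acl())

def check(tree: Dict[str, Acl], path: str, user: str,
          groups: Dict[str, Set[str]], right: str) -> bool:
    """True if `user` holds `right` on `path` under the directory's list."""
    return right in effective_rights(acl_for(tree, path), user, groups)

# Constructed sample data. Right letters are hypothetical single-letter codes:
# r(ead) l(ookup) i(nsert) d(elete) w(rite) k(lock) a(dminister).
GROUPS: Dict[str, Set[str]] = {"bob": {"staff"}, "mallory": {"staff"}}
TREE: Dict[str, Acl] = {
    "/proj": Acl(
        positive={"alice": frozenset("rlidwka"), "staff": frozenset("rlw")},
        negative={"mallory": frozenset("w")},   # revoke write from one member
    ),
}

if __name__ == "__main__":
    for who in ("alice", "bob", "mallory", "eve"):
        print(who, sorted(effective_rights(TREE["/proj"], who, GROUPS)))
```

The negative entry is the point of the example: mallory is in `staff`, which grants `w` on `/proj`, yet loses write access because the negative list is consulted after the positive one. Every file under `/proj` gets the same answer, since the lookup goes through the directory, and a file in a directory with no list is denied everything.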
Turning to the workstations, the paper discusses how their UNIX security interacts with that of Vice and also how the Vice security is made available to Virtue users. Encryption for authentication and secure communications is based on DES. To get adequate speeds, the developers need a hardware implementation, and the current status of their work to develop such hardware is discussed in Section 9. Section 11 discusses the need for this hardware in order to make it practical to use diskless workstations (which require encrypted paging over the network).
PCs access the system via a server whose function is to interface PCs to Vice by acting as a surrogate, so normal file security applies. The main vulnerability is the clear link between PC and server, but that could easily be solved.
Finally, the author presents a summary of the risks involved, a review of related work, and a review of changes made to Andrew since the system was described in this paper.
This interesting paper is well worth reading. Not only does it describe mechanisms but it looks at the implications of adopting them.