Philosophy:

Philosophy:

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

The study of information network protection begins with the fundamental issue of what an information network is. We view an information network as an attempt to make many information systems operate together as if they were a single information system, with all the advantages of physical distribution, fault tolerance, survivability, increased performance, etc., and none of the problems of the individual systems. Actual information networks fall short of these ideals, but it is likely that they will eventually fulfill many of these goals, and quite possibly surpass them.

Many consider a network a set of communications equipment used to communicate between information systems. Thus, the network is responsible for reliable transmission and reception of symbolic representations. The rational for this perspective is that information system protection, which is based on operating system techniques, is a distinct problem from communications systems protection, which is based on cryptographic techniques; and that the protection of information networks can be adequately covered by partitioning the problem and solving it in parts. This provides substantial complexity reduction, and thus has a notable advantage. Another school of thought is that an information network consists of the combination of the communicating information systems and the communications equipment used to communicate between them. The rational for this viewpoint is that the interaction between information systems and communication systems is sufficiently complex that partitioning the problem may allow significant problems to 'fall through the crack' [Brand85] . Distributed systems introduce more complexity than loosely connected networks because of the intimacy of the relationship between computers, and because current implementations are still in their infancy. It will be a while before these issues become clear.

We will take the perspective that harmful effects may come from the communications media, the methods used to communicate over that media, the topological structure of the network, and the information systems in the network. The methods used to communicate over the media are usually called 'protocols', while the topological structure of the network is usually described in terms of the connectivity of the information systems, and is called the 'topology'. Information systems in a network are generally called 'nodes', and connections between nodes are generally called 'links'.

To simplify analysis, we partition information systems, by virtue of their protection capabilities, into two classes. 'Trusted computing bases' (TCBs) are defined as those information systems that properly enforce the protection policies of interest. 'Untrusted computing bases' (UCBs) are defined as those information systems that are not TCBs. Similarly, we partition the communications media into two classes; one being a trusted media in which the physical media is protected from any attacks of interest to the policy by virtue of its physical properties and/or other protection measures taken for this purpose; and the other being untrusted media, which encompass all media that aren't trusted media.

The field of network protection is quite new, and we feel compelled to include a disclaimer about the future applicability of information in this section, lest the transitive effects of its potentially transient content might corrupt future researchers.