
At least maybe I can avoid Perry's wrath for an off topic post :-).

At 15:01 1/23/96 -0500, Perry E. Metzger wrote:
You can't "firewall" every machine -- the act is meaningless. A Firewall is a filter designed to protect you from bugs in the setup or implementation of the software on the machines on the inside. What would it mean for a machine to have "firewall software" in the operating system? Systems already attempt to prevent unauthorized access -- the reason you have firewalls is because that software is sometimes buggy. "Firewall software" in the OS is a meaningless concept.
Perry
I agree that firewalling every machine would be extremely difficult with Unix based systems (including MSDOS and MacOS) because so many useful hacker tools are available from root and everyone has access to root. With systems that provide better isolation, it becomes possible to dedicate the network interface to the protection domain which is running the firewall code. You also need to divide up the administration so the direct user does not break that isolation. BTW, IBM's VM/370 (and successors) has good isolation and could probably perform in this role. Other systems such as KeyKOS (http://www.webcom.com/~agorics/) and EROS (http://www.cis.upenn.edu/~eros) certainly could.

-----------------------------------------------------------------
Bill Frantz        Periwinkle -- Computer Consulting
(408)356-8506      16345 Englewood Ave.
frantz@netcom.com  Los Gatos, CA 95032, USA