If we consider a network as an information system, we can clearly use the same policy criteria for a network as for a system. Networks introduce significant technical issues that are not considered to be as important in information systems because they extend the physical domain of the information system over a physically distributed area. In a non-networked system, we must trust the physical system, since violations of the system hardware cannot in general be compensated for. In a networked system, we have the potential to reduce our trust in remote systems.

The design of a policy for a secure computer network has been studied by several authors [Cohen85-2] [Cornwell84] [Brand85] [Computer83] [Cohen87-2] [Cohen87-3], but no uniform opinion has arisen from amongst the crowd. The US DoD is currently in the process of developing criteria for the evaluation of trusted network designs [Brand85] [TNEC85], and an annual workshop on the topic has been instigated.

The basic policies under consideration at this time are: the Bell-LaPadula [Bell73], Biba [Biba77], and Compartment [Klein83] policies in combination; the lattice [Denning75] and POset policies [Cohen87-2]; and the concept of distributed domains [Cohen85-2] [Cohen87-3]. These basic policies were already covered in the chapter on operating systems. They have been extended for the network case to account for the hierarchical and distributed nature of administrative responsibility, the limitation of effects due to the takeover of limited subsets of network resources, and effects on risk analysis and administration in POset networks [Cohen87-2]. Example implementations have been developed [Cohen87-5], but no provably secure system has yet been approved.

The POset policy is based on generalizing the 'read' and 'write' rights 'r' and 'w' to a single 'flow' right 'f' where:

(a f b) iff ((a w b) or (b r a)).

Because information flow is transitive in general purpose computer systems [Cohen84-2] [Cohen86], information can be communicated to the transitive closure of information flow starting at its initial source. Given an access matrix, we can compute an effective access matrix which tells us the potential information effects of subjects on other subjects under transitivity. A simple example is given in figure 1. This result is not likely to be predicted by a typical security administrator, and automated tools for evaluating access matrices to generate equivalent effective matrices may be quite useful. Efficient algorithms for this evaluation are not hard to find.

    An Access Matrix        Effective Equivalent

      a b c d e f g h         a b c d e f g h
    a f - - - f f - f       a f f f f f f f f
    b f f - - - - f -       b f f f f f f f f
    c - f f - - - f -       c f f f f f f f f
    d f - f f f - - -       d f f f f f f f f
    e f - f - f - - f       e f f f f f f f f
    f - - - f - f - f       f f f f f f f f f
    g f f - - - f f f       g f f f f f f f f
    h f f f - - f - f       h f f f f f f f f

Figure 1 - An Access Matrix and its Effective Equivalent

To see the above conclusion more clearly, we follow a simple series of steps as follows:

    (a f a) and (a f e) and (a f f) and (a f h)    ;given
    (h f b) and (h f c) and (f f d) and (b f g)    ;given
    (a f h) and (h f b) => (a f b)                 ;conclusion
    (a f h) and (h f c) => (a f c)                 ;conclusion
    (a f f) and (f f d) => (a f d)                 ;conclusion
    (a f b) and (b f g) => (a f g)                 ;conclusion
    thus (a f *)                                   ;a flows to all

    (a f a) and (b f a) and (d f a) and (e f a)    ;given
    (g f a) and (h f a) and (c f b) and (f f d)    ;given
    (c f b) and (b f a) => (c f a)                 ;conclusion
    (f f d) and (d f a) => (f f a)                 ;conclusion
    thus (* f a)                                   ;all flows to a

    (* f a) and (a f *) => (* f *)                 ;global communication
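The automated evaluation of an access matrix mentioned above can be sketched as follows. This is an added example, not code from the original text: it applies Warshall's transitive closure algorithm to the Figure 1 matrix and groups subjects that can reach each other; the function names are chosen here for illustration.

```python
NAMES = "abcdefgh"
# Rows of the Figure 1 access matrix; 'f' means the row subject flows to the column subject.
FIGURE_1 = """\
f - - - f f - f
f f - - - - f -
- f f - - - f -
f - f f f - - -
f - f - f - - f
- - - f - f - f
f f - - - f f f
f f f - - f - f"""

def parse(text):
    """Turn the 'f'/'-' grid into a boolean matrix."""
    return [[cell == "f" for cell in line.split()] for line in text.splitlines()]

def effective(matrix):
    """Warshall's algorithm: m[i][j] becomes True if any chain of flows leads from i to j."""
    n = len(matrix)
    m = [row[:] for row in matrix]
    for k in range(n):
        for i in range(n):
            if m[i][k]:
                for j in range(n):
                    m[i][j] = m[i][j] or m[k][j]
    return m

def equivalence_classes(eff, names):
    """Group subjects that flow to each other; each group is one class of the flow model."""
    classes = []
    for i, name in enumerate(names):
        for cls in classes:
            j = names.index(cls[0])
            if eff[i][j] and eff[j][i]:
                cls.append(name)
                break
        else:
            classes.append([name])
    return classes

def render(matrix, names):
    """Format a boolean matrix in the 'f'/'-' layout used by the figures."""
    lines = ["  " + " ".join(names)]
    for name, row in zip(names, matrix):
        lines.append(name + " " + " ".join("f" if x else "-" for x in row))
    return "\n".join(lines)

if __name__ == "__main__":
    eff = effective(parse(FIGURE_1))
    print(render(eff, NAMES))
    print(equivalence_classes(eff, NAMES))
```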

The POset structure is a reflexive, transitive, antisymmetric binary relation, and this seems to be the most general structure we can use to guarantee restricted information flow.

    (S,{f}): for all a,b,c in S,
        ((a f a)                              ;reflexive
        and (a f b) and (b f c) => (a f c)    ;transitive
        and (a f b) and (b f a) => (a = b))   ;antisymmetric

The effective POset is formed by applying transitivity to information flow, and is easily displayed and examined in matrix form. This answers the question of reachability immediately without undue complexity to the observer. We call the effective POset a "Flow Control POset" (FCP). An example FCP is given in figure 2. Subjects can always be labeled so as to produce an upper triangular FCP matrix, since if there is no reordering of a non upper triangular matrix to an upper triangular matrix, there must be two entries 'x' and 'y' that are equivalent since (x f y) and (y f x). Every upper triangular boolean matrix maps into a POset, but not all upper triangular matrices map into an FCP. Finally, we note that completely independent subsets of a system can exist within a partial ordering, as in figure 2, and that many distinct yet equivalent FCPs can thus exist.

      a b c d e f g
    a f - f f - f -
    b - f - f f f f
    c - - f - - - -
    d - - - f - f -
    e - - - - f f f
    f - - - - - f -
    g - - - - - - f

Figure 2 - An FCP Example

The effects of domain collusion can be easily determined by ORing the rows of any set of colluding domains to find their effective joint flow. As examples, the effects of c, d, and g colluding, and of a and b colluding, are given in figure 3. We quickly see that a and b can collude to affect the entire example, while c, d, and g only have limited collusive effect.

    c, d, and g collude        a and b collude

      a b c d e f g              a b c d e f g
    c - - f - - - -            a f - f f - f -
    d - - - f - f -            b - f - f f f f
    g - - - - - - f            ---------------
    ---------------            = f f f f f f f
    = - - f f - f f

Figure 3 - The Effects of Two Collusions
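The FCP properties and the row-ORing collusion analysis can be checked mechanically. The following is an added example, not code from the original text: it verifies that the Figure 2 matrix is reflexive, antisymmetric, transitive and upper triangular, then reproduces the two collusions of Figure 3; the function names are chosen here for illustration.

```python
NAMES = "abcdefg"
# Rows of the Figure 2 FCP; 'f' means the row domain flows to the column domain.
FIGURE_2 = """\
f - f f - f -
- f - f f f f
- - f - - - -
- - - f - f -
- - - - f f f
- - - - - f -
- - - - - - f"""

FCP = [[c == "f" for c in line.split()] for line in FIGURE_2.splitlines()]

def fcp_violations(m, names):
    """List every reflexivity, antisymmetry and transitivity violation found in m."""
    n, bad = len(m), []
    for i in range(n):
        if not m[i][i]:
            bad.append(f"not reflexive: ({names[i]} f {names[i]}) missing")
        for j in range(n):
            if i < j and m[i][j] and m[j][i]:
                bad.append(f"not antisymmetric: {names[i]} and {names[j]} are equivalent")
            for k in range(n):
                if m[i][j] and m[j][k] and not m[i][k]:
                    bad.append(f"not transitive: ({names[i]} f {names[k]}) missing")
    return bad

def is_upper_triangular(m):
    """True when no domain flows to a domain labeled before it."""
    return all(not m[i][j] for i in range(len(m)) for j in range(i))

def collude(m, names, members):
    """OR the rows of the colluding domains; return the names of the domains they jointly reach."""
    joint = [any(m[names.index(d)][j] for d in members) for j in range(len(m))]
    return "".join(name for name, hit in zip(names, joint) if hit)

if __name__ == "__main__":
    print(fcp_violations(FCP, NAMES) or "Figure 2 is a valid FCP")
    print("upper triangular:", is_upper_triangular(FCP))
    print("c, d, g collude ->", collude(FCP, NAMES, "cdg"))
    print("a, b collude    ->", collude(FCP, NAMES, "ab"))
```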

We note that the POset is really a 'classification scheme' in this case, just as the Bell-LaPadula and Biba models are classification schemes. We may in practice have equivalent subjects in an actual system, but we must be aware of the fact that they are equivalent from the standpoint of our flow model, which deals only with equivalence classes.

Transitivity effects of information flow over time make the determination of effects in a network that changes with time more complex than in the stationary case [Cohen86], and automated administrative assistance appears to be the only rational manner in which this added complexity can be adequately handled. Distributed and hierarchical control have also been investigated, and effective means for limiting the management effects of individuals are feasible [Cohen87-2] [Cohen87-8].

By using these mathematical bases, we may automatically evaluate configurations, equivalencies of domains, and the effect of collusions under a given configuration of a protection system with a flow relation. We may augment this basic capability with a set of rules that determine whether a given configuration is allowable given installation dependent parameters, and thus form a configuration evaluator tailored for a given application. We may form a dynamic analysis system by performing evaluations on configurations resulting from proposed moves, and reporting on the effects. Finally, we may augment this capability with a set of rules for proposing moves that are likely to be acceptable to the protection system while fulfilling desired information flow requirements. This may result in a provably correct automated administrative assistant for maintaining policy constraints in such a network.
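A minimal sketch of the dynamic analysis described above, evaluating a proposed move before it is made. This is an added example, not code from the original text: a move is assumed to be the addition of one flow to the Figure 2 FCP, and the `forbidden` list of flows stands in for the installation dependent rules; both are assumptions made for illustration.

```python
NAMES = "abcdefg"
# Rows of the Figure 2 FCP; 'f' means the row domain flows to the column domain.
FIGURE_2 = """\
f - f f - f -
- f - f f f f
- - f - - - -
- - - f - f -
- - - - f f f
- - - - - f -
- - - - - - f"""

FCP = [[c == "f" for c in line.split()] for line in FIGURE_2.splitlines()]

def apply_move(m, names, src, dst):
    """Add (src f dst) to a reflexive, transitive flow matrix and re-close it:
    every domain that reaches src now also reaches everything dst reaches."""
    x, y = names.index(src), names.index(dst)
    new = [row[:] for row in m]
    for i in range(len(m)):
        if m[i][x]:
            new[i] = [a or b for a, b in zip(m[i], m[y])]
    return new

def evaluate_move(m, names, src, dst, forbidden=()):
    """Report the effects of a proposed flow without changing the current configuration."""
    new = apply_move(m, names, src, dst)
    n = range(len(m))
    # Flows that did not exist before the move.
    added = [(names[i], names[j]) for i in n for j in n if new[i][j] and not m[i][j]]
    # Pairs that would flow both ways, i.e. domains the move makes equivalent.
    merged = [(names[i], names[j]) for i in n for j in n
              if i < j and new[i][j] and new[j][i]]
    # Hypothetical site rules: flows that must never become possible.
    denied = [(a, b) for a, b in forbidden if new[names.index(a)][names.index(b)]]
    return {"added": added, "merged": merged, "denied": denied,
            "allowed": not merged and not denied}

if __name__ == "__main__":
    print(evaluate_move(FCP, NAMES, "c", "e"))
    print(evaluate_move(FCP, NAMES, "c", "e", forbidden=[("a", "g")]))
    print(evaluate_move(FCP, NAMES, "f", "a"))
```

The first move only extends the partial ordering, the second trips the constructed site rule because a gains a path to g through c and e, and the third is rejected because a, d and f would become equivalent.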