250 ;;Quote: security violations are: unauthorized release of information, modification of information, and denial of resource usage
|
250+;;Quote: Andrew does not guarantee resource denial; e.g., flooding network with packets has no clear solution
|
250 ;;Quote: security in Andrew depends on physically secure servers, trusted superusers, and trusted software; no user software allowed
|
252 ;;Quote: an Andrew protection domain is a user or a group of users with an owner; owner prefixed to group name
|
252 ;;Quote: Andrew uses unique ids for users and groups; never reassigned since used in many tables; user and group names are easily changed
Quote: an audit trail for superusers must be on a non-erasable medium
|
252 ;;Quote: identify Andrew superusers by membership in System:Administrators; provides audit trail by user id and simple revocation of privileges
|
253 ;;Quote: avoid using a single entry in a protection domain to stand for a group of users; limited accountability
|
254 ;;Quote: a connection in Andrew has 4 security levels; HeadersOnly prevents new requests but not release and modify; AuthOnly for secure channels
|
256 ;;Quote: Andrew's authentication procedure depends on a shared, encrypted handshake key; randomized to prevent replay attacks
|
257 ;;Quote: Andrew uses authentication tokens to prove identity; like a capability; established by secret and clear tokens
|
257+;;Quote: Andrew will adopt Kerberos' authentication procedure; for standardization
|
259 ;;Quote: Unix password files do not authenticate the system to the user
|
259+;;Quote: Unix password files assume physically secure communication
|
260 ;;Quote: authentication server replicated in every Andrew server; all but one are read-only; propagate changes over secure lines
|
261 ;;Quote: access list contains a 32-bit mask of positive and negative rights; unioned with group rights in 1 scan; negative overrides positive
|
261+;;Quote: use negative access rights for rapid and selective revocation of rights to sensitive objects
|
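The positive/negative access-list evaluation and negative-rights revocation described in the two quotes above, as an added example in Python (not code from the paper or from Andrew; the right names, the sample entries and the principal names are constructed):

```python
# Added example: a model of the Andrew access-list evaluation described in
# the notes. Rights are bits in a 32-bit mask; an access list holds entries
# of (principal, positive mask, negative mask) where a principal is a user
# or an owner-prefixed group; the effective rights are the union of all
# matching positive entries minus the union of all matching negative
# entries, computed in a single scan over the list.

# constructed right names (bit positions are arbitrary for this example)
READ, WRITE, INSERT, LOOKUP, DELETE, LOCK, ADMIN = (1 << i for i in range(7))
ALL = (1 << 32) - 1  # full 32-bit mask

def effective_rights(acl, user, groups):
    """acl: list of (principal, positive_mask, negative_mask) tuples."""
    principals = {user, *groups}
    pos = neg = 0
    for principal, p, n in acl:          # one scan over the whole list
        if principal in principals:      # entry applies to this user or group
            pos |= p                     # union of positive rights
            neg |= n                     # union of negative rights
    return (pos & ~neg) & ALL            # a negative right overrides a positive one

def revoke(acl, principal, mask):
    """Selective revocation: append a negative entry for the principal
    instead of editing every group that grants the right."""
    return acl + [(principal, 0, mask)]

# constructed sample access list; group names carry the owner prefix
ACL = [
    ("System:Administrators", ALL, 0),
    ("cs:staff", READ | LOOKUP | WRITE, 0),
    ("pat", READ | LOOKUP, 0),
]

def demo():
    """Return pat's rights before and after revoking WRITE with a negative entry."""
    before = effective_rights(ACL, "pat", ["cs:staff"])
    after = effective_rights(revoke(ACL, "pat", WRITE), "pat", ["cs:staff"])
    return before, after
```

Note that the revocation takes effect even though pat's own entry never granted WRITE: the right came from the cs:staff group entry, and the negative entry removes it without touching the group.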
262 ;;Quote: access rights for directories; restrict access to a file by linking to a private directory
|
271 ;;Quote: use hardware-supported DES for encryption; Andrew currently uses xor-encoding to exercise code and force decryption
|
277 ;;Quote: an Andrew cell is an autonomous system with its own security, file servers, and administration; user must be authenticated for each cell
|