There are two basic schools of thought in the modeling of network protection. In one school of thought, a 'security perimeter' is used to differentiate between trusted and untrusted portions of the network. The portions of systems within the perimeter are strictly trusted to enforce the network policy, while those portions outside the perimeter are not trusted [Brand85].
The fundamental problem with this model of network protection is that it treats a trusted computer network (TCN) as if it were a TCB, and thus places complete trust in all systems in the network. Since the security perimeter may be physically separated, this model depends on the infallibility of remote physical security measures to assure local protection. In addition, communications lines that are outside the security perimeter must be protected by cryptographic techniques, and these techniques must be completely trusted as well. The concept of placing complete trust in a set of connected systems is quite difficult to justify considering that any single trusted individual could completely take over such a network. It would make much more sense to prohibit complete takeover without many trusted individuals colluding. Furthermore, proving that the interactions between computers in a network cannot cause protection problems may be quite complex without the ability to at least partially separate the protection ramifications of one system from another.
A far more sensible model of protection is to assume that some number of trusted individuals will eventually become corrupt, and then to design the system so that the effect of the predicted corruption will yield an acceptable loss [Cohen85-2] [Cohen87-2] [Cohen87-8]. In this model, physical systems are mapped into domains in the POset, with TCBs able to cover multiple domains and UCBs able to cover only single domains. By configuring a network, we can arbitrarily limit the maximum effects of information leaks and corruptions due to any individual or collusion of individuals. Proof of correctness in POset networks of this type is also very simple because purely physical methods can be used to assure that information flows only in proper directions between machines.
The translation of these models into implementation involves methods for mapping the above mathematics into reality. Considerable efforts in this area have been undertaken, and a prototype network has been implemented [Cohen87-5]. The basic techniques involve mapping UCBs into single domains, and TCBs into multiple domains, and the use of unidirectional flow components and coding theory as a method for assuring information flow properties of networks. We typically use flow control matrices within TCBs to specify the flow relation between pairs of domains, and restrict the ability to modify the configuration by a set of administratively imposed and system enforced rules.
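The following sketch is an added example, not code from the paper or from the prototype network. It treats a flow control matrix as a set of (source, destination) pairs, checks that the configured flows form a partial order, and computes the worst-case leak and corruption sets for a group of colluding domains. The domain names, the sample flows and the function names are assumptions made for illustration, and the flow relation is assumed to be reflexive and transitive.

```python
# Added illustration; the domains and flows below are constructed, not from the paper.
from itertools import product

DOMAINS = ["A", "B", "C", "D"]
# Flow control matrix as a set of (source, destination) pairs: a diamond A -> {B, C} -> D.
FLOWS = {("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")}

def closure(domains, flows):
    """Reflexive-transitive closure: reach[a] = every domain a's information can end up in."""
    reach = {a: {a} | {dst for (src, dst) in flows if src == a} for a in domains}
    for k, i, j in product(domains, repeat=3):  # Warshall: k is the outermost loop
        if k in reach[i] and j in reach[k]:
            reach[i].add(j)
    return reach

def is_poset(domains, reach):
    """Antisymmetry check: two distinct domains must never reach each other (no flow cycle)."""
    return not any(b in reach[a] and a in reach[b]
                   for a in domains for b in domains if a != b)

def exposure(colluders, domains, reach):
    """Worst-case effect if every domain in `colluders` is corrupt.

    leak:    domains whose information can flow to some colluder.
    corrupt: domains that some colluder's information can flow into.
    """
    leak = {d for d in domains if reach[d] & colluders}
    corrupt = set().union(*(reach[c] for c in colluders))
    return leak, corrupt

if __name__ == "__main__":
    reach = closure(DOMAINS, FLOWS)
    print("partial order:", is_poset(DOMAINS, reach))
    for group in ({"B"}, {"B", "C"}):
        leak, corrupt = exposure(group, DOMAINS, reach)
        print(sorted(group), "leak from", sorted(leak), "corrupt", sorted(corrupt))
    # A single added back-flow D -> A closes a cycle and destroys the ordering.
    cyclic = closure(DOMAINS, FLOWS | {("D", "A")})
    print("after adding D -> A:", is_poset(DOMAINS, cyclic))
```

A configuration change that makes `is_poset` return false is the kind of modification that the administratively imposed rules would have to reject.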
Recent experiments with POset based networks have taken the form of limited functionality TCB file servers which mediate interactions between UCBs. Limited functionality is advantageous because it reduces the complexity of TCB design and implementation, and doesn't require that the hardware of the TCB have a kernel and user mode with separate instruction sets and registers. Three PC based implementations have been completed as of this time, the last being fully implemented and tested in less than one day. It appears that the limited functionality TCB for network mediation is a very practical and low cost option.