The concept of a periphery can be stretched to refer to most security problems. There are at least two kinds of periphery: physical and logical. The following comments apply to both.

The moat metaphor initially suggests that the bad guys are outside and that they might send signals that would confuse gullible software inside the castle. Certainly there is much software inside designed to keep and dispense information to requestors and this software is often written as if no one would ever ask it to do anything improper. This metaphor suggests a signal exclusion strategy, rather along the lines of firewalls.

But are all the bad guys outside? The periphery is often charged with keeping programs inside from exporting sensitive data. This is a signal confinement strategy.

A few remarks about the physical periphery.

The most obvious and relevant interface between intranet and the outside is usually some sort of firewall. Yet I will not speak much about that here for I am not an expert in firewall strategy.

Many companies attempt to limit or prohibit digital connections between internet and the intranet other than thru firewalls. Phone connections on some campuses are non-standard in order to limit casual connections of inside computers to the outside. This has inconvenienced many legitimate users who bring computers into the building. Ricochet modems and 802.11b have made a serious dent in this bulwark. Indeed these threaten the very model of moat security.

In IP tunneling, small trusted software viably extends a network to discontiguous sites. Tunneling software just as firewall software must run on a secure invulnerable base. Perhaps IP tunneling is a better model for access to the intranet from home computers.


Firewalls seem mainly to limit the signals to certain protocols, perhaps mistaking form for content. E-mail is usually passed perhaps under the assumption that it was created by a human who, after all, is necessarily trusted. You let e-mail thru for the same reason that you let voice phone signals in and out. Yet programs can send and receive e-mail.

Firewalls prohibit many IP protocols such as circuits that might carry X-windows signals, not on the basis of whose data they carry but more on the basis that it would be convenient for the breaker. This more often inconveniences those with legitimate external needs.

The Logical Periphery

The factory patent describes one of several ways that capability security can be used to establish regimes with limited and well known connections in and out. Signals over these allowed connections are all processed by known software in charge of the regime integrity. This, I believe, is in the spirit of city-style security in contrast with moat security. Java provides fundamental support for this strategy. More than one published communications protocol can extend the periphery of such a regime beyond the confines of one machine. The core of Corba, properly implemented, may suffice here.


In viable security schemes, I think, a security periphery is needed with software at the portals that is responsible for the integrity and secrecy of the software and data within. This software must be cognizant of the security and integrity requirement of the regime.