Some Unsolved Problems of Distributed System Management, as seen from Project Athena

J. H. Saltzer, 19 April 1988

1. Making firewalls understandable to users. When one of 35 file servers goes down temporarily, we can say that "server 18 will be off the air until 1300 hours," but that doesn't tell users what they can and can't do. Arranging so that the firewalls correspond to user-visible entities is not at all systematic.

2. Assuring integrity of the operating system of a networked desktop computer. How can a user be assured that the operating system of his or her workstation hasn't been tampered with, or simply reconfigured slightly to someone else's taste? Theoretical analyses of this problem haven't been reduced to practice because they involve management-expensive activities such as visiting every workstation in order to do a system update.

3. Avoiding terrorism in shared data. Using a shared program (or in some systems, even reading a shared file) exposes one to the possibility of a virus attack. What is needed is a padded cell in which to run shared or imported programs, which limits the range of things they can touch and out of which they cannot escape.

4. Coordination of management between one site that has several thousand users and hundreds of other similar sites. The problem is one of dealing with large numbers, for example in providing for authentication and forwarding of credentials.

5. Housecleaning, discarding, deallocating. When a system has several thousand users receiving mail and storing files in dozens of on-line servers that provide for information sharing, it is extremely difficult to decide what data is valuable and what should be discarded. When a user departs, some of that user's files may be in (occasional) use by an unknown community of other sharers.
And unless the administration is infallible, it will eventually happen that a user will not be deleted upon departure; as systems grow in size and span larger spaces and administrations, the traditional approach of occasionally scanning a list of users doesn't work.