
Assignment 4.

1 reference monitor
By Kamran Alkan 09/31/2018

A reference monitor is an access control concept: an abstract machine that mediates all
accesses to objects by subjects.
The reference monitor concept defines a set of design requirements on a reference validation
mechanism, which enforces an access control policy over subjects' (e.g., processes and users)
ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a
system. The reference monitor enforces three major principles:

1. The reference validation mechanism must always be invoked (complete mediation). If this were
not the case, then it would be possible for an entity to bypass the mechanism and violate the
policy that must be enforced.
2. The reference validation mechanism must be tamperproof (tamperproof). In the model, it is
impossible for a penetrator to attack the access mediation mechanism such that the required
access checks are not performed and authorizations are not enforced.
3. The reference validation mechanism must be small enough to be subject to analysis and tests, the
completeness of which can be assured (verifiable). This must be the case, since if the mechanism
could be demonstrated to be flawed, then it would not enforce the policy.

According to the Computer Security Handbook, these requirements are stiff. The concept is, however,
a powerful tool that provides great guidance in implementation.
Any secure or trusted system must obviously meet the first two requirements. The “analysis and
testing” of the reference monitor provides evidence of assurance. The third requirement
engenders trust by providing assurance that the operational system meets its requirements.
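The three requirements can be made concrete in a few dozen lines. The following is an added illustration, not code from the assignment: a toy reference monitor in Python whose policy is frozen at construction (tamperproof), whose entire decision procedure is one method (verifiable), and whose protected objects cannot be read or written without that method being called (complete mediation). The users, the finance and engineering groups, the file names and the policy table are constructed sample data; the group-based decision is modelled on the AD security-group approach described later in the assignment.

```python
"""Toy reference monitor (added example; not part of the assignment).

Users, groups, objects and the policy below are constructed sample data.
"""
from types import MappingProxyType
from typing import Dict, FrozenSet, List, Tuple

# Constructed directory: group name -> members.
GROUP_MEMBERS = MappingProxyType({
    "finance": frozenset({"alice"}),
    "engineering": frozenset({"bob"}),
})

# Constructed policy: object -> operation -> groups allowed to perform it.
POLICY = {
    "payroll.xlsx": {"read": frozenset({"finance"}), "write": frozenset({"finance"})},
    "design.dwg": {"read": frozenset({"finance", "engineering"}),
                   "write": frozenset({"engineering"})},
}


class AccessDenied(PermissionError):
    """Raised when the reference validation mechanism refuses an access."""


class ReferenceMonitor:
    """The reference validation mechanism.

    tamperproof: the policy is frozen into read-only mapping proxies at
                 construction, so nothing reachable from a subject can alter it;
    verifiable:  the whole decision procedure is the single `check` method;
    complete mediation: ProtectedObject routes every operation through `check`.
    """

    def __init__(self, policy: Dict[str, Dict[str, FrozenSet[str]]],
                 groups=GROUP_MEMBERS):
        self._policy = MappingProxyType(
            {obj: MappingProxyType(dict(ops)) for obj, ops in policy.items()})
        self._groups = groups
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, operation: str, obj: str) -> bool:
        subject_groups = {g for g, members in self._groups.items()
                          if subject in members}
        permitted = self._policy.get(obj, {}).get(operation, frozenset())
        allowed = bool(subject_groups & permitted)
        self.audit.append((subject, operation, obj, allowed))  # every decision is logged
        return allowed


class ProtectedObject:
    """A file-like object; no read or write happens without a monitor decision."""

    def __init__(self, name: str, monitor: ReferenceMonitor, contents: str = ""):
        self.name = name
        self._monitor = monitor
        self._contents = contents

    def read(self, subject: str) -> str:
        if not self._monitor.check(subject, "read", self.name):
            raise AccessDenied(f"{subject} may not read {self.name}")
        return self._contents

    def write(self, subject: str, data: str) -> None:
        if not self._monitor.check(subject, "write", self.name):
            raise AccessDenied(f"{subject} may not write {self.name}")
        self._contents = data


def demo() -> Dict[str, object]:
    """Exercise the three requirements and return what happened."""
    rm = ReferenceMonitor(POLICY)
    payroll = ProtectedObject("payroll.xlsx", rm, "salaries")
    out: Dict[str, object] = {"alice_read": payroll.read("alice")}
    try:
        payroll.read("bob")
        out["bob_read"] = "allowed"
    except AccessDenied:
        out["bob_read"] = "denied"
    # Simulated tampering attempt: even a subject that reaches the policy
    # object cannot rewrite it, because it is a read-only proxy.
    try:
        rm._policy["payroll.xlsx"]["read"] = frozenset({"engineering"})
        out["tamper"] = "succeeded"
    except TypeError:
        out["tamper"] = "blocked"
    out["audit_entries"] = len(rm.audit)  # 2: both accesses were mediated
    return out


if __name__ == "__main__":
    print(demo())
```

The point to notice is structural rather than the specific policy: `ProtectedObject` has no code path that touches `_contents` without first calling `check`, and the audit list records every decision, which is what lets the mechanism be analysed and tested for completeness.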

System

The system I have chosen is a small business network that provides wireless access to
network clients. The system is comprised of: one (1) server running the Windows 2012 R2
operating system, acting as the domain controller and providing Domain Name Services (DNS),
Dynamic Host Configuration Protocol (DHCP) services, and Active Directory (AD) services; one
Cisco ASA series firewall; a Cisco Wireless LAN Controller; and one (1) server running the
Windows 2012 R2 operating system, acting as the read-only domain controller and providing
DNS, DHCP, and AD services for wireless clients in the DMZ.

The client workstations run the Windows 7 operating system, configured as members of the
AD domain, and user profiles reside locally on the individual workstations. Resources, privileges, and
access are provided to the users via AD security groups, file access policies, and Group Policy
Objects (GPOs).
Internet access is provided through many-to-one Network Address Translation (NAT) via a Cisco layer
3 switch, which is connected to a Cisco ASA firewall appliance that manages security services.
All Microsoft and internet access is managed on a single network; Wi-Fi for guest users is
segmented onto a separate network operating on its own Virtual Local Area Network (VLAN).

Reference Monitor

A trusted computing base (TCB) consists of all protection mechanisms within a computer
system (including hardware, firmware, and software) that are responsible for enforcing a
security policy. The network was designed to protect the most sensitive data that resides within
the system, in this case the domain controller and the files that reside on the network. The read-only
domain controller will have read access to the domain controller so that it can provide services
to the wireless clients. These layers are assigned to objects in the reference model. The figure
below describes the layers in which the system is modeled.

The innermost circle would be considered the most sensitive data, protected by subsequent
rings out to the outermost layer of the network. In the example network, the domain controller
server would be considered the most sensitive, the read-only domain controller less
sensitive, while the internet is treated as an untrusted network. The TCB monitors processes and
ensures that the system is operating correctly and maintains security policies. Its functions are
listed below:

1. I/O Operations
2. Execution of domain switching
3. Memory Protection
4. Process Activation
Within the system are hardware and software gatekeepers that control access to the higher
security layers. The firewall controls access between the three zones (the wired network, the wireless
network, and the ISP), while switching segregates the application-specific data.
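The ring model and the gatekeepers between zones can be expressed as a small policy check. The following is an added example, not part of the assignment: a Python model in which each zone has a sensitivity rank (the domain controller innermost, the internet outermost) and traffic toward a more sensitive ring is denied unless an explicit gate rule names that source, destination and service. The zone names, rank values, service names and gate rules are constructed assumptions chosen to match the text (the read-only DC only reads from the DC, wireless clients in the DMZ obtain DNS, DHCP and AD services from the RODC, the internet is untrusted); the three firewall zones of the text are split into five rings so the DC/RODC distinction is visible.

```python
"""Ring model of the network as a zone policy (added example, not part of
the assignment). Zone names, ranks, service names and gate rules are all
constructed assumptions chosen to match the text.
"""
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str, str]  # (source zone, destination zone, service)

# Lower rank = more sensitive = closer to the innermost ring.
ZONE_RANK: Dict[str, int] = {
    "domain_controller": 0,
    "rodc_dmz": 1,
    "wired_clients": 2,
    "wireless_clients": 3,
    "internet": 4,
}

# Explicit gate rules: the ONLY way a flow from a less-trusted ring may enter
# a more-trusted one. There is no rule letting the RODC write to the DC and
# no rule at all with the internet as source.
GATE_RULES: FrozenSet[Flow] = frozenset({
    ("rodc_dmz", "domain_controller", "ad_replication"),
    ("wired_clients", "domain_controller", "dns"),
    ("wired_clients", "domain_controller", "dhcp"),
    ("wired_clients", "domain_controller", "ldap"),
    ("wireless_clients", "rodc_dmz", "dns"),
    ("wireless_clients", "rodc_dmz", "dhcp"),
    ("wireless_clients", "rodc_dmz", "ldap"),
})


def flow_allowed(src: str, dst: str, service: str) -> bool:
    """Gatekeeper decision for one flow: outward or lateral flows (toward an
    equal- or less-sensitive ring, e.g. a client reaching the internet through
    NAT) pass; inward flows are denied unless a gate rule names exactly this
    source, destination and service."""
    if src not in ZONE_RANK or dst not in ZONE_RANK:
        raise ValueError(f"unknown zone in flow {(src, dst, service)!r}")
    if ZONE_RANK[dst] >= ZONE_RANK[src]:
        return True
    return (src, dst, service) in GATE_RULES


def evaluate(flows: List[Flow]) -> List[Tuple[str, str, str, bool]]:
    """Run every flow through the single decision function and return the
    decisions so they can be reviewed or logged."""
    return [(src, dst, svc, flow_allowed(src, dst, svc)) for src, dst, svc in flows]


def denied(flows: List[Flow]) -> List[Flow]:
    """Flows the gatekeepers would block."""
    return [(s, d, v) for s, d, v, ok in evaluate(flows) if not ok]


# Constructed sample traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("rodc_dmz", "domain_controller", "ad_replication"),  # allowed: read from DC
    ("rodc_dmz", "domain_controller", "ad_write"),        # denied: RODC is read-only
    ("wireless_clients", "rodc_dmz", "dns"),              # allowed: guest DNS via RODC
    ("wireless_clients", "domain_controller", "ldap"),    # denied: guests never reach the DC
    ("wireless_clients", "wired_clients", "smb"),         # denied: VLAN segregation
    ("wired_clients", "internet", "https"),               # allowed: outbound through NAT
    ("internet", "wireless_clients", "https"),            # denied: untrusted inbound
]

if __name__ == "__main__":
    for src, dst, svc, ok in evaluate(SAMPLE_FLOWS):
        print(f"{src:>16} -> {dst:<18} {svc:<15} {'ALLOW' if ok else 'DENY'}")
```

Because every decision goes through `flow_allowed`, the rule table is the complete statement of which inward paths exist; a reviewer checking the design only has to read `GATE_RULES` to confirm that wireless clients never reach the domain controller directly.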

The Active Directory environment also controls access to resources and files within the system.
AD manages user authentication and authorization to files based on GPOs. The higher the
privilege a user has, the lower-level (root-level) systems, logs, hardware, etc. that user can access.
This provides the ability to segregate users according to roles or groups, such as finance,
engineering, etc.
References

Retrieved from https://pdfs.semanticscholar.org/c93c/234c9a7698038caf317a97405c53144bf354.pdf

Retrieved from http://www.dtic.mil/dtic/tr/fulltext/u2/a423529.pdf

Gregg, Michael (2013, February 4). CISSP Exam Cram: Security Architecture and Models. Retrieved June 16,
2017 from http://www.pearsonitcertification.com/articles/article.aspx?p=1998558&seqNum=3

Lewis, Rob (2016, January 5). The Reference Monitor - A Necessary Security Mechanism. Retrieved June 16, 2017
from https://www.peerlyst.com/posts/the-reference-monitor-a-necessary-security-mechanism

Bosworth, S., Kabay, M.E., & Whyne, E. (2014). Computer security handbook. Hoboken, NJ: John Wiley
& Sons.
