Citrix or VPN?

This is a quick thought on the Citrix/VPN comparison question…
I would use a product such as Citrix, in which the end user works through a secured browser session over SSL. VPN clients are still in use for remote encrypted access to the organization, but Citrix-type solutions are becoming more popular because there is no need to install a VPN client on the remote machine; this reduces the risk of a vulnerability arising from a misconfiguration of the VPN software on the client end. Besides SSL, digital certificates are also to be used with browser-based access to ensure the authenticity of the target site.

In addition to the Citrix-type HTTP/SSL technology, the remote devices would have encryption enabled on their storage devices to protect data that is stored or transferred. A portable encryption device, such as a handheld USB device that encrypts data and communications, would be ideal.

If only VPN were to be used, the VPN clients would have split tunneling disabled to prevent any communications other than the encrypted connection to the organization’s intranet. If split tunneling were enabled, a vulnerability would manifest, as a second channel would be open to the outside internet, producing an “open hole” alongside the secure encrypted channel. In addition to the VPN solution, SecurID token authentication would bring another layer of security to remote access.
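A compliance check for the split-tunneling point above, written as an added example for this post (it is not code from any VPN vendor): it parses a Linux `ip route` table and asks which interface would carry traffic to an arbitrary internet address. If that interface is not the tunnel, the client is split-tunneled. The two route tables, the interface names `eth0`/`tun0`, the addresses and the probe address `203.0.113.1` are all constructed sample values.

```python
import ipaddress

# Constructed sample of `ip route` output from a VPN client with split
# tunneling ENABLED: the default route stays on the physical NIC (eth0) and
# only the corporate 10.0.0.0/8 range is sent through the tunnel (tun0).
ROUTES_SPLIT = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
"""

# Constructed sample from the same client after the VPN pushes a full-tunnel
# default (two /1 routes that together override the NIC's 0.0.0.0/0).
ROUTES_FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1]
        routes.append((net, dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the device the kernel would use for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def split_tunneling_active(route_text, tunnel_dev="tun0", probe="203.0.113.1"):
    """True when a public internet address would bypass the tunnel."""
    return egress_device(parse_routes(route_text), probe) != tunnel_dev


if __name__ == "__main__":
    for label, table in (("split", ROUTES_SPLIT), ("full", ROUTES_FULL)):
        state = "VIOLATION" if split_tunneling_active(table) else "ok"
        print(f"{label}-tunnel client: split tunneling {state}")
```

On a real client the route text comes from `ip route show`; the check is worth running from an endpoint-compliance script because the tunnel interface name and the probe address are the only environment-specific inputs.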


The importance of an organizational security policy and an overview of its components

Steve Johns


Organizational security policy is a paramount subject in today’s organization. Since the advent of electronic communications and networks, private, public, government, and non-profit organizations have needed firm information security practices to maintain a high level of continuity for business processes and information systems. Business continuity involves protecting information systems from routine hardware and software incidents and, vitally, ensuring those systems are secure from inside and outside hazards.

Organizations must examine liability within electronic systems, and recognize the call for legal advocacy. The variable that is often the greatest risk to security is the end user. All users of electronic systems within an organization must complete training in proper use and liability within technology. At the conclusion of that end user’s training, he or she is to sign a statement of completion which acknowledges that employee’s participation, comprehension, and intent to comply with policy. Organizational policy will dictate, according to the business model, the type and frequency of training required to comply with relevant law. If an employee should violate the security policy, the organization can be liable under relevant law; however, with employee policy training completed, the employee is liable and can be terminated or disciplined according to organizational rules. This process of mandating employee participation in policy training is recognized as due care on behalf of the organization, and due diligence, as the organization has made “…a valid effort to protect others and continually maintain this level of effort” (Bowles, 2009).

Policy that defines security parameters within information systems must be implemented at the start of systems and network design and “…should extend from the core to all valid remote access sites” (Massiglia & Marcus, 2002). Effective security policy not only spans across hardware and software interfaces, but among every entity within the organization:

Software is to be of the latest revision to ensure system compatibility and vulnerability resolution. All software (operating systems especially) is to be on a regular patching schedule and monitored with an enterprise suite, for example Microsoft Systems Management Server (SMS). Anti-virus servers that control and distribute antivirus updates to all client nodes within the enterprise will ensure that each client node is compliant with the latest antivirus definitions, protecting both servers and end user nodes against viruses, worms, and other malware.

At the core network level, it is essential to implement a hardware-based firewall that provides network address translation (NAT) and port forwarding so that internal IP addresses are not exposed. VLAN tagging should be implemented on the switches to segregate IP traffic on the LAN, and zoning should be configured within Fibre Channel storage networks.

At this level, security can be realized through policy that defines the type of data end users can access and install. This is often done through departmental policy, user organizational unit policy definitions, and VLAN tagging.

As they are often the greatest security risk, all end users are to be educated on organizational security policy, usually on a semi-annual or annual basis, with a sign-off at the completion of training. The training is to be simple for all end users to understand. Human resources will record user attendance at training.

Means of data access are to be controlled. For example, for remote telecommuters to access internal resources, a single means of access is to be used, such as Citrix or a VPN client, and all remote access is to be logged.

Routing can be used to segregate internal networks into subnets, and access lists can be used to filter traffic from specific networks, whether internal or external.

Organization security policy should be constructed in the manner of the security systems development life cycle, or SSDLC. Following the same methodology as the SDLC, the SSDLC focuses on the security of systems within the organization. It must be stressed that “implementing information security involves identifying specific threats and creating specific controls to counter those threats” (Whitman & Mattord, 2005). The SSDLC is designed to do this within the planning, design, installation, and administration of information systems. In effect, the SSDLC is to be part of the overall enterprise architecture and business plan from inception. The SSDLC is to be constructed of multiple steps:

Investigation
Directed by upper management, this phase consists of an initial feasibility analysis to determine the need for security policy, and whether the organization has the resources to conduct the project. After this assessment, problems, needs, and goals are examined.

Analysis
Upon acquiring data from the investigation phase, a study of the data is undertaken. Existing security procedures are examined, and legal issues and applicable law are reviewed by the organization’s legal counsel to determine the plan’s compliance with law and how this will affect the design of the developing security policy. Risk management is a large part of this stage, where an assessment of the risks facing the organization is put into action.

Logical design
Based upon the previously acquired artifacts, the logical design is a blueprint of the security regulations and implementation of “key policies that influence later decisions” (Whitman & Mattord, 2005). Response to incidents is also planned at this stage for continuity and disaster recovery. The decision to outsource is usually decided at this stage.

Physical design
The implementation of the physical information systems and appliances is based upon the previously architected logical design. Many system architectures can be presented at this stage and a final architecture agreed upon. Outside vendor support and consulting can be a positive element in determining the right systems to fit the desired security policy.

Implementation
As with the traditional SDLC, this stage includes purchasing the information systems, installation, configuration, and testing of those systems, as well as administrator and operator training.

Maintenance and change
In an environment where threats are continuous and new threats appear frequently, it is essential that security systems are diligently updated and monitored. Updates should include anti-virus definitions, router and switch firmware, and storage system firmware, along with wireless access point monitoring and auditing of all access logs. This is an endless process that will ensure the security of the organization’s information systems and data. Disaster recovery testing can be a part of this phase, and should be executed on a regular schedule.

Security policy is the means of ensuring organizational compliance with local, state, and federal law. It is also due diligence on behalf of the organization in preventing breaches of security-related practices by employees and contractors. With the globalization of business and electronic commerce and the ever-present threat to data, a well-planned and rigorously executed security policy will enable an organization to remain compliant with the law and ensure business continuity.

Massiglia, P., & Marcus, E. (2002). Information Technologies for Disaster Recovery. In The Resilient Enterprise (p. 229). Veritas.

Whitman, M., & Mattord, H. (2005). The Security Systems Development Life Cycle. In Principles of Information Security (p. 23). Thomson.

Bowles, B. (2009). Legal, Ethical, & Professional Issues in Information Security. Chapter 3 [Lecture notes, PowerPoint]. Enterprise Information Assurance. Denver, Colorado: Regis University.

Types of Encryption

There are numerous kinds of encryption to protect electronic data. Using various algorithms, encryption supports numerous communication methodologies. Examined here are a few popular means of encryption used today.


This cryptographic algorithm, a federal information processing standard, is used within government for protecting data in non-classified environments. Designed to replace legacy encryption methods such as DES and 3DES, AES has been approved for use by “the Secretary of Commerce as the official federal governmental standard”, and its selection involved “…the U.S. government, private industry, and academia” (Whitman & Mattord, 2005). Experts tout that compromising AES security would take over 4 quintillion years. The encryption works by converting a 128-bit block of plaintext into 128 bits of encrypted output, otherwise known as ciphertext, using one of three key strengths: 128-, 192-, or 256-bit keys. The algorithm behaves differently for each key size. So, “…the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm” (Allman, 2002).

The algorithm is not truly symmetric, in contrast to its predecessor DES, and repeats its core a number of times depending on the key size. Known as rounds, these loop repetitions within the cipher “complete pre-round and post-round operations” (Allman, 2002).
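To make the “rounds depend on the key size” point concrete, here is an added example (my own code, not from the cited authors or any AES library) that derives the AES parameters from the key length and runs the FIPS-197 key expansion in pure Python, so you can see that a 128-bit key yields 11 round keys, a 192-bit key 13, and a 256-bit key 15. The S-box is computed from its definition rather than pasted in; the 128-bit test key below is the FIPS-197 Appendix A.1 example, and every other value is derived from it.

```python
def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = _xtime(a)
        b >>= 1
    return result


def _build_sbox():
    """AES S-box: multiplicative inverse, then the FIPS-197 affine transform."""
    sbox = [0] * 256
    for a in range(256):
        inv = next((b for b in range(1, 256) if _gf_mul(a, b) == 1), 0) if a else 0
        acc, x = inv, inv
        for _ in range(4):                      # b ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            x = ((x << 1) | (x >> 7)) & 0xFF
            acc ^= x
        sbox[a] = acc ^ 0x63
    return sbox


SBOX = _build_sbox()


def aes_params(key_bits):
    """Return (Nk, Nr): key length in 32-bit words and number of rounds."""
    if key_bits not in (128, 192, 256):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    nk = key_bits // 32
    return nk, nk + 6                           # 10, 12 or 14 rounds


def _sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def expand_key(key):
    """FIPS-197 section 5.2: expand `key` into 4*(Nr+1) 32-bit words."""
    nk, nr = aes_params(len(key) * 8)
    words = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = words[i - 1]
        if i % nk == 0:
            temp = ((temp << 8) & 0xFFFFFFFF) | (temp >> 24)   # RotWord
            temp = _sub_word(temp) ^ (rcon << 24)              # SubWord, Rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                           # 256-bit keys only
            temp = _sub_word(temp)
        words.append(words[i - nk] ^ temp)
    return words


def round_keys(key):
    """Group the expanded words into one 16-byte round key per round (plus the initial one)."""
    words = expand_key(key)
    return [b"".join(w.to_bytes(4, "big") for w in words[4 * r:4 * r + 4])
            for r in range(len(words) // 4)]


if __name__ == "__main__":
    for bits in (128, 192, 256):
        nk, nr = aes_params(bits)
        print(f"AES-{bits}: Nk={nk} words, Nr={nr} rounds, {nr + 1} round keys")
    # FIPS-197 Appendix A.1 example key; its last expanded word is b6630ca6.
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    print(f"w[43] = {expand_key(fips_key)[-1]:08x}")
```

The `elif` branch is the part of the schedule that only exists for 256-bit keys, which is one concrete way the algorithm “behaves in a different manner within each key size”; a key of any other length is rejected up front rather than silently truncated.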

A symmetric-cipher-based form of encryption, Blowfish is popular for protecting electronic documents, PDFs, and compressed archives. Used for electronic transfer over the internet or locally on a workstation, Blowfish uses a pass phrase as the key for encryption and decryption of data. It is a 64-bit block cipher that both encrypts and decrypts in 64-bit chunks. Blowfish can be used to verify the sender of a message, “…or that the message is unaltered; however, you cannot prove these things to anyone else without revealing your key.” (McBride & Matthew, 2004).

A free form of encryption, Blowfish is unpatented and license-free. Used in numerous business applications and operating systems such as Linux, as well as the popular TiVo DVR product, this symmetric cipher has not yet been cracked according to most cryptographers.

Digital Certificate

A mainstay of hypertext transfer security, the digital certificate is an electronic document that identifies an entity, such as a web site, by storing a key value tied to that entity’s identity. Often registered with a third party known as a certificate authority, such as the certificate provider VeriSign, the certificate provides a means of proving the identity of the entity, or site, to the requestor. According to PC Magazine, there are four general uses for digital certificates: secure (SSL and HTTPS) web connections, web client authentication, signing and encrypting email, and software publishing (PC Magazine, 1999).

The digital certificate contains a digital signature which uses the certificate for verification. The certificate is checked against the certificate authority (CA) database, or repository, in which it is hosted; from that database the site is verified. Two such types of certificates are used today: PGP (Pretty Good Privacy) and X.509v3 from the International Telecommunication Union (ITU-T).


The Secure Sockets Layer (SSL) was developed by Netscape to provide secure channels for browser communication over the internet. Within a client-server connection, the server controls the secure connection by signaling to the browser client that a secure connection is necessary. A public key is sent by the client, and this has to match the public key found by the server, which sends a certificate for the client’s authentication. Once the client verifies it, the SSL connection is established.


McBride, M. (2004). Securing Communications and Files. Searcher, Vol. 12, Issue 5, p. 46.

Allman, S. (2002). Encryption and security: the Advanced Encryption Standard. How It Works, Vol. 47, p. 26.

Pleas, K. (1999). Certificates, Keys, and Security. PC Magazine, Vol. 18, Issue 8.

A fix for government snooping?

From NPR:
Soon after the attacks of Sept. 11, 2001, the government began collecting reams of phone records and other personal information on millions of people in hopes of finding some sort of pattern of suspicious behavior that would reveal unknown terrorists.
That technique, known as data mining, hasn’t been the silver bullet officials had hoped it would be, and privacy advocates say it is an affront to Americans’ civil liberties, since they have no way of knowing who is looking at their personal information or whether the person looking is actually authorized to see it.
A small start-up company in California’s Silicon Valley claims to have a partial solution.
“Most people in America believe you can either fight terrorism — i.e., identify and get the terrorists — or you can protect our civil liberties — i.e., make sure the government isn’t looking at our personal information when they are not allowed to,” says Palantir Technologies CEO Alex Karp. “And that dichotomy used to be true. We’ve found a way to tag information so the only people who can see it are those who are allowed to see it, so it takes care of that problem.”
‘Squishy’ Rules On Who Can Snoop Where
As a general rule, intelligence agencies in this country draw the line at the border. The FBI, with the proper warrant, can collect information on people in the U.S. The CIA and National Security Agency are banned from collecting information on Americans inside the continental U.S. Instead, they are supposed to focus overseas, though there are exceptions to that. For example, the agencies can say that they thought the connection was foreign. The squishiness of the rules has long worried privacy advocates.
“For example, right now it is perfectly legal, without question, for the government to collect every telephone call, every e-mail, every communication in the world — as long as it can claim credibly some part of the communication contains a person outside the United States,” says Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University. “And that’s a problem.”
Data Trail
Karp says Palantir provides a partial remedy because it tags the information so that intelligence agencies are only allowed to see the information that they are legally allowed to see.
I spent a recent morning with Palantir’s director of engineering, Bob McGrew. We walked to Palantir’s offices in downtown Palo Alto, Calif., and ran simple errands along the way. He bought a cup of coffee. He withdrew some cash out of a nearby ATM. And while those might seem like two perfectly innocuous stops, they could, in a terrorism investigation, have been signaling much more.
In the span of 10 minutes, McGrew had left quite a data trail — just as we all would. Starbuck’s had a record of the coffee he had purchased. His credit card company had a record of what he had spent and where. His bank knew that he had taken $100 from his account. And, had McGrew been under suspicion, all that information may well have been gathered together to try to get a sense of his habits and associates.
If I had also bought a coffee and grabbed some cash from the very same ATM and perhaps phoned McGrew, my information might well have been vacuumed up as well. And it is those degrees of separation — the information collected on people who might have the slightest connection to a suspect (even an accidental connection) — that also keeps privacy advocates up at night.
Exactly What’s Collected Is Uncertain
Part of the problem is that it isn’t clear what kinds of information the government is gathering. Certainly, intelligence agencies are using government databases with tax records and property titles as part of their search. Treasury Department databases, which track money flows, are undoubtedly in the mix, too. What hasn’t been revealed is the kind of corporate databases that are included. The assumption is that credit card transactions and maybe purchasing habits are vacuumed up too, but so far the government hasn’t said as much. The possibilities are endless, because each and every day, we are all leaving little data trails that are easy to pick up.
“To this day, after studying this for more than seven years, it still isn’t clear to me what they are collecting,” says Jim Dempsey of the San Francisco privacy group the Center for Technology and Democracy.
Privacy Control
Privacy advocates also worry about a more basic problem: the misuse of all this personal information. Two months ago in Massachusetts, law enforcement officials were found to be snooping into the lives of local celebrities. They poked around New England Patriots quarterback Tom Brady’s personal information just because they were curious. So they looked up his address and whether he was a gun owner; they did this 968 times.
McGrew claims that what happened to Brady wouldn’t have happened if law enforcement had been using Palantir’s system because of its privacy control. “When some of these officials were looking at Tom Brady’s data, they would be leaving a trail. It is all captured in a log that you don’t need to be a technical guy to understand,” he says. “A compliance officer or a civil liberties group would be able to see exactly who was looking at what information.”
He says the accountability is built in.
That’s an important claim given that the FBI, CIA, Defense Department and New York Police Department have all started using Palantir’s software in recent months to analyze their intelligence data. Privacy advocates have long said that one way to protect civil liberties is to create a way of knowing precisely who is looking at the information. That, in and of itself, creates a disincentive for misuse.
A Need For Oversight?
Former FBI agent Mike German says accountability is a start, but intelligence agencies won’t be able to invent their way out of the data mining problem. German, who is now with the ACLU, says the rules governing private information need to be beefed up.
“There has to be intensive oversight,” he says. “And there have to be ramifications when someone violates the policies that protect the rights of innocent people whose information is collected. It is very unclear now what protects people’s privacy once it’s collected anywhere along the chain — whether it is a state or local police officer collecting it, whether it is the FBI collecting it or whether it is the intelligence community.”
That’s something Congress, not Palantir, will have to fix.
Eduardo Tijerino (Mr_Ed) wrote:
“The land of the free and the home of the brave?”
As Luther Norman pointed out the quality of our freedom has been so compromised that “You can’t bloody well call a country that wants to do that free!”
When we consider that the Bushites pushed through the inaccurately named Patriot Act, in part, by scaring the gullible majority into thinking that our security is much more precious than our freedom, I think it’s time that we dropped the last line from the Star Spangled Banner & jumped straight to “Play Ball”.