Extranets have been a part of corporate networks in one form or another for years. But a number of forces have combined to make them more affordable, more capable, and more easily accessible.
These forces include the explosive growth of the Internet and the resulting Web-enabled enterprise applications, combined with the burgeoning popularity of business-to-business (B2B) e-commerce. Even smaller businesses can leverage the commodity of the Internet to create an inexpensive extranet.
Simply put, an extranet is a private physical or virtual network between two or more organizations. It provides a secure link between those organizations so they can exchange business data in real time and access each other's enterprise applications through their respective user interfaces. Extranets also provide private links into corporate systems for remote users who may use private or public networks for access.
Although the infrastructure is in place courtesy of the Internet, planning and implementing an extranet requires a lot of work. You have to select an approach, choose a technology, and perform the installation, testing, and ongoing maintenance. This adds up to a huge investment in time and technology, and making the wrong move can lead to little or no return.
Pick a Flavor
Extranets come in two basic flavors: private networks and virtual private networks (VPNs). Private networks are simple extensions of corporate intranets to include the network of a partner organization. This usually means running a leased line (T1, T2, or T3) between the corporate networks to support the sharing of data, Web pages, e-mail, or any other network-enabled service.
Once the extranet is in place, all entities (print servers, file servers, Web servers, application servers, and so on) within one organization have access to the same entities within the other. Most organizations, however, place a layer of security on their corporate networks as well as their extranets to limit the partner organization's access to certain entities. You wouldn't want another company having access to your benefits information housed on a server in human resources, for instance.
The same way private networks leverage leased lines, VPNs leverage the Internet. In the VPN scenario, one or many organizations can share information through sophisticated encryption and authentication software that exchanges private data between one or more partner organizations connected by the Internet or another public network. The encryption software ensures prying eyes can't peek into private TCP/IP packets sent between companies.
VPNs are a low-cost alternative to the private leased-line extranets, which could cost thousands per month. They also let any partner organization with an Internet connection become part of the VPN simply by installing the proper VPN software.
In the early days, companies used in-house communication servers and modem banks to communicate with dial-in clients. As time progressed, most companies found the cost of 24/7 support, maintenance, and constantly upgrading the equipment was just too high.
It makes more sense in terms of the economies of scale for ISPs to maintain all the dial-in connections at the point-of-presence rather than for each company to maintain its own set of equipment and phone connections. It's also more economical for ISPs to maintain larger backbone pipes than for each organization to maintain smaller and underutilized pipes. By using VPNs, companies can outsource most of the expense and hassle associated with creating dial-in connections to support remote users.
The connection of business partners is also less of a hassle with VPNs. Rather than leasing lines to support a connection with a customer or supplier, you simply use your existing Internet connection to route VPN traffic between enterprise networks.
Pick a Use
Whether you opt for a private network or a VPN extranet, you get two basic benefits: Web-enabled access to partner systems and real-time information exchange. Both bring tremendous opportunity.
Web-enabled access gives partner organizations access to enterprise systems through Web-enabled applications. For example, an auto-parts supplier may expose its inventory system through a Web-enabled application to its customers connected via their extranet, meaning only for their use. By using this system, customers know which parts are on-hand and can place an order directly into the parts supplier's sales systems. This is known as supply-chain or B2B integration, and the business benefit over the traditional paper approach is obvious.
In other applications, a company may use its extranet-delivered, Web-enabled application to support customer-service activities such as problem reporting and resolution. Other uses would include tax and financial reporting, and project collaboration between companies.
In the real-time exchange of information, the extranet acts as an application-integration pipe that carries messages in real time between applications residing within different organizations. The integration is more tightly coupled than it is in the Web-enabled approach because it takes end users out of the picture. The movement of information is typically event-driven and transparent to the end user. For instance, in our supply-chain example, a customer system would automatically query the inventory system and also automatically place an order if the item is available. This process would take less than a second. Ultimately, this is the idea behind e-business, or the ability to do all business electronically and in real time.
Setting up an Extranet
Virtual private networks are quickly becoming the extranet of choice as businesses look to the Internet to support private computer-to- computer connections. The privacy part is achieved by establishing an IP tunnel, or private path through the Internet. There are two types of architectures for establishing an IP tunnel: client-initiated or client-transparent.
Client-initiated VPNs require tunneling software for the clients and VPN servers (VPN gateways). The VPN gateway resides either at the central site (company headquarters) or at the ISP's point-of-presence (POP) serving the central site. The client, which could be a laptop in a hotel room, for instance, initiates the IP tunnel by establishing a private connection to the VPN gateway. Client-initiated VPNs use authentication mechanisms, such as a user ID and password or digital certificates, to ensure security. They can also use encryption to hide the packets from those who may bother to look. We'll discuss that later. Once the tunnel is active, the ISP no longer controls the connection; the VPN solution takes over.
Client-transparent VPNs, in which the tunnel is transparent to the client, require VPN-enabled access servers or routers at the ISP's POP. In this scenario the client contacts the access server (via a dialup connection, for example), which authenticates and recognizes the client, and determines the proper VPN gateway for the client connection. The access server then establishes a tunnel between the client and the VPN gateway to create a direct connection.
There are advantages and disadvantages to each approach. The client-initiated approach requires special VPN software on the client side to establish the secure connection with the VPN gateway. But because you don't need special software on the ISP side, you can use any ISP to establish a connection. The client-transparent approach requires no special software on the client, but it does require special VPN software at the ISP, so you can only use ISPs that are set up to manage your VPN. Most major ISPs offer VPN services for an additional fee.
The Proper Protocol
Once you've decided which of the two approaches works best for you, you have to select a protocol. Then you can select the hardware and software solutions that work best with your selections.
The VPN tunneling standards on the market today include Point-to-Point Tunneling Protocol (PPTP) from Microsoft and Layer Two Forwarding (L2F) from Cisco. The technologies differ only in the way they wrap PPP packets.
PPTP tunnels wrap PPP packets in IP, and they can be client-initiated or client-transparent. As you may have guessed from its Microsoft origin, PPTP is a Windows NT- and Windows 2000-only solution. In fact, both a client and tunnel server for PPTP were shipped in Windows NT 4.0 and Windows 2000, and a Windows 95/98/2000 client is available.
L2F requires support in access servers or routers, so the ISP has to support this service within its infrastructure. This approach is primarily a client-transparent solution, but L2F provides features such as authentication for tunnel endpoints that PPTP doesn't offer.
The best standard is still one standard, though, and Microsoft and Cisco have reached a middle ground on their competing protocols in Layer Two Tunneling Protocol (L2TP). L2TP offers the best of PPTP and L2F, including Secure IP (IPSEC, covered next) to coordinate encryption between endpoints. This protocol supports multiple concurrent tunnels, as well. Most VPN software and hardware vendors support L2TP, but a few support their proprietary protocol solutions. As a rule, support for de facto standards should be high on your list.
Also high on your list should be security for your VPN extranet solution. In the world of VPNs, and extranets in general, security is an important issue because you must protect the information flowing over the Internet or even over private networks.
When you think about security you need to consider privacy, authorization, and integrity. You can address all these issues through encryption and digital keys.
Security services don't come without overhead, though. They require more processing power, special hardware, and network bandwidth than direct unsecured Internet connections. The only way around VPN security overhead is to move to a private network infrastructure, which, as we mentioned, typically costs more to implement and maintain.
In the world of VPNs, IPSEC is the security standard of choice for most vendors, and you should look for it when you select VPN products. IPSEC is a group of protocols described by the Internet Engineering Task Force (IETF). Mandatory to this specification is the notion of protocol authentication, privacy, and data integrity at the IP or kernel level. IPSEC uses two optional IP headers: Authentication Header (AH), which supports authentication and data integrity, and Encapsulating Security Payload (ESP), for privacy. IPSEC presents design goals for a top-level, component-oriented structure rather than detailing specific encryption algorithms of key-exchange methodologies.
IPSEC, the standard, works with three basic areas to secure the IP protocol: Encryption Algorithms, Authentication Algorithms, and Key Management. These components define the entire architecture of a security scheme, making the IPSEC structure insensitive to changing authentication and encryption algorithms.
This covers most of the technology issues you need to consider. But before you even attempt to bring an extranet into your organization, you need to do some heavy planning. It helps to follow a list:
Typically, moving from step 1 to step 5 could take as long as a year, perhaps more, depending on the complexity of your enterprise and state of affairs. You're most prone to mistakes in selecting the wrong architecture and enabling technology, so it pays to learn as much as you can.
There are three types of VPN configurations: special-purpose devices made up of two or more network interfaces, pure software solutions that run over the transport layer, and a hybrid of both.
When you approach VPNs as a hardware solution, you need to focus on the VPN gateway. The gateway is a networking device that provides encryption and authentication services to any number of servers behind it. Typically, VPN gateways exist with a firewall between the VPN users and servers, and the Internet. This device can route VPN packets over the Internet to other gateways, encrypting and de-encrypting inbound and outbound packets.
The network interface facing the Internet, or other public (untrusted) network, is known as the backside. The interface looking inward, toward the intranet, is known as the red side. To the end user the connection is that of a dedicated link. Besides some "bursty" performance from time to time, which is normal for the Internet, VPN extranets are completely transparent to users and applications.