10.4 IP Networks




IP is part of a suite of protocols that form the basis of the Internet. The Internet is a “network of networks” consisting of millions of interconnected hosts worldwide, all of which use IP. The Internet has been developing since 1969, largely without any blueprint and without central management. Instead, the Internet is composed of interlocking autonomous systems, each of which is separately managed. Systems interoperability is achieved through the use of globally accepted protocols published by the IETF.

The architecture of the Internet allows new types of services to be layered on top of existing protocols and for new protocols to be introduced without impacting the rest of the Internet. Numerous users can share the lines and equipment that compose the Internet. The distributed network of hundreds of thousands of routers moves the traffic along the various paths to their destination.

Although IP networks do not have integral QoS mechanisms in the same way as ATM, rudimentary QoS capabilities were long available in the IPv4 header’s 8-bit type-of-service byte, which holds a 3-bit precedence field followed by a set of type-of-service bits. Precedence indicates the priority of packet delivery, ranging from 0 (lowest priority) for routine data to 7 (highest priority) for network control and other time-critical traffic. The type-of-service bits request a handling preference for the packet: minimize delay, maximize throughput, maximize reliability, or (added later by RFC 1349) minimize monetary cost. But most routers ignored these fields, and they were never used on a wide scale.

Diff-Serv (RFC 2474) supersedes the original precedence/type-of-service interpretation of that byte for defining packet priority. Using the same 8-bit field, now called the DS field, Diff-Serv works by categorizing IP packets into a small number of forwarding “classes.” The high 6 bits of the field carry a differentiated services code point (DSCP) that selects the class; the remaining 2 bits are used for explicit congestion notification. The “class selector” code points keep their top 3 bits aligned with the old precedence values, so routers that only understand precedence still treat marked packets sensibly. Because routers act on a handful of code points rather than on per-flow state, this class-of-service system avoids the scalability limitations, complex policy statements, and management problems of per-flow QoS standards such as RSVP.

Virtually all new routers come with Diff-Serv support and have dedicated traffic-management capabilities. Also, end systems such as telephones or Windows clients and servers can mark the traffic by entering Diff-Serv values for expedited forwarding, assured forwarding, and best-effort forwarding. A mark set by an end system is only a request, however: any host can mark its own traffic as expedited, so the router at the edge of each administrative domain should police or remark traffic according to its own policy rather than trust the code points it receives. Although Diff-Serv does not completely address all QoS issues, it is an important step in achieving this long-term objective. By allowing traffic to be segmented by media type, data type, or even application, Diff-Serv opens the door to end-to-end enterprise-wide QoS.
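The following is an added example, not code from the original text, showing how the DS byte is built and taken apart and how an edge router might police the marks it receives. The code point numbers come from RFC 2474 (class selectors), RFC 2597 (assured forwarding) and RFC 3246 (expedited forwarding); the allowed-mark policy in police_mark is an assumed example policy, not a standard.

```python
"""Encode and decode the IPv4 DS field (the old type-of-service byte).

Per RFC 2474 the high 6 bits of the byte are the DSCP and, per RFC 3168,
the low 2 bits are ECN. The precedence value that older routers read is
simply the top 3 bits of the DSCP, which is why the class selector code
points are backward compatible with the original precedence field.
"""

EF = 46            # expedited forwarding, 101110b (RFC 3246)
BEST_EFFORT = 0    # default forwarding


def af_dscp(cls: int, drop_precedence: int) -> int:
    """Assured forwarding code point AFxy: class x in 1..4, drop precedence
    y in 1..3. DSCP = class * 8 + drop_precedence * 2 (RFC 2597)."""
    if not 1 <= cls <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return cls * 8 + drop_precedence * 2


def cs_dscp(precedence: int) -> int:
    """Class selector code point CSn: the old 3-bit precedence value placed
    in the top 3 bits of the DSCP."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    return precedence << 3


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Assemble the full 8-bit DS field from a DSCP and the 2 ECN bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def parse_tos(byte: int) -> dict:
    """Split a DS byte into DSCP, legacy precedence, and ECN bits."""
    if not 0 <= byte <= 255:
        raise ValueError("byte out of range")
    dscp = byte >> 2
    return {"dscp": dscp, "precedence": dscp >> 3, "ecn": byte & 0x3}


# Assumed edge policy: only EF, the twelve AF code points and best effort are
# honoured, and only from sources the operator trusts (e.g. its own IP phones).
ALLOWED_DSCPS = {EF, BEST_EFFORT} | {
    af_dscp(c, d) for c in range(1, 5) for d in range(1, 4)
}


def police_mark(byte: int, trusted_source: bool) -> int:
    """Return the DS byte to forward. Marks from untrusted sources, and
    code points outside the policy even from trusted sources, are reset to
    best effort. The ECN bits are left alone because they belong to the
    endpoints' congestion signalling, not to the QoS policy."""
    fields = parse_tos(byte)
    if trusted_source and fields["dscp"] in ALLOWED_DSCPS:
        return byte
    return tos_byte(BEST_EFFORT, fields["ecn"])
```

For instance, tos_byte(EF) gives 0xB8, the value a voice endpoint would write into the header, and parse_tos(0xB8) shows that an old precedence-only router sees it as precedence 5.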

10.4.1 Operating Characteristics

The fundamental operating characteristics of the Internet are that it is a distributed, interoperable, packet-data network. A distributed network has no single central repository of information or control but is composed of an interconnected web of host computers, each of which can be accessed from virtually any point on the network. Routers throughout the network regulate the flow of data at each connection point and reroute data around points of congestion or failure. Even the name servers, which perform translations between IP addresses and plain-language names, are distributed. Should one or more of these “domain name” servers fail, the others are still available to perform the translations.

Another feature of the Internet is the network access point (NAP). These are peering points on the Internet through which traffic is routed between the major backbone providers and national ISPs. Among these NAPs are the Chicago NAP managed by SBC Ameritech, the New York NAP managed by Sprint, MAE East managed by WorldCom, and MAE West managed by SBC Pacific Bell. There are dozens of other NAPs where carriers interconnect with each other in private-peering arrangements. Traffic is usually brought into the NAP via high-speed links at speeds that vary from the DS3 rate of 45 Mbps to the OC-192 rate of 10 Gbps. If one of these NAPs goes out of service, traffic is redistributed among the other NAPs to keep the Internet in operation.

The Internet is interoperable in that it uses open protocols so that many different types of networks and facilities can be transparently linked together to allow multiple services to be provided to different users, regardless of what computing platform or operating system they may have. The Internet protocols can run over virtually any type of facility that can transmit data, including copper and fiber-optic circuits of telephone companies, coaxial cable of cable companies, and various types of wireless connections.

The Internet protocols can run over any kind of data network or service, including Ethernet and token-ring LANs and frame relay and ATM WANs. The Internet also interconnects users of thousands of different local and regional networks, using many different types of computers. The interoperability of the Internet is made possible by the TCP/IP protocol suite, which defines a common structure for Internet data and for the routing of that data through the network.

In TCP/IP networks, routes can remain stable for long periods until a change (e.g., a link failure) triggers a new episode of route recalculation. The route chosen is based on minimizing the sum of static link metrics to give a “shortest” path, without considering the traffic actually carried on the links. Although simple and effective, the single-shortest-path approach can lead to significant inefficiency if the actual traffic pattern does not match the resources chosen, since every flow between two points takes the same path while parallel links sit idle. This problem may be alleviated by more sophisticated traffic-engineering procedures.
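As an added example (not from the original text), the shortest-path computation described above, using Dijkstra’s algorithm on a constructed five-router topology with assumed link metrics. Note that link utilization is not an input at all, which is the inefficiency the paragraph describes; the second function shows the recalculation that a link failure triggers.

```python
"""Shortest path on static link metrics (Dijkstra's algorithm).

The topology and metrics below are constructed for illustration. Link
load is deliberately absent from the inputs: the path choice depends only
on the configured metrics, exactly as described in the text.
"""
import heapq


def shortest_path(graph, src, dst):
    """graph: {node: {neighbour: metric}}. Returns (cost, path) with path as
    a list of nodes, or (None, []) if dst is unreachable from src."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    settled = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        if u == dst:
            break
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


# Constructed topology: A reaches E either via B-D (cost 3) or via C-D (cost 5).
# Every A-to-E flow will use A-B-D-E regardless of how loaded those links are.
TOPOLOGY = {
    "A": {"B": 1, "C": 3},
    "B": {"A": 1, "D": 1},
    "C": {"A": 3, "D": 1},
    "D": {"B": 1, "C": 1, "E": 1},
    "E": {"D": 1},
}


def reroute_after_failure(graph, down_link, src, dst):
    """Remove a failed link (both directions) and recompute the route, as a
    link failure triggers a new round of route calculation."""
    a, b = down_link
    g = {n: dict(nbrs) for n, nbrs in graph.items()}
    g.get(a, {}).pop(b, None)
    g.get(b, {}).pop(a, None)
    return shortest_path(g, src, dst)
```

With the B-D link down, traffic from A to E moves to A-C-D-E at cost 5; with D-E down, E becomes unreachable and the function reports that rather than guessing.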

10.4.2 Addressing

When an end user sends information over the Internet, the data is first broken up into packets. Each of these packets includes a header, which indicates the point from which the data originates and the point to which it is being sent, as well as other information. TCP/IP defines locations on the Internet through the use of IP addresses. An IPv4 address consists of four octets, each a number between 0 and 255, written separated by periods (e.g., 160.130.0.252).

Network managers can create subnets within the organization and devise their own IP addressing scheme using the private address blocks set aside for this purpose (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). This conserves scarce public IP addresses and aids in maintaining security. The private IP addresses are for internal use only and are never routed on the public Internet, because other organizations may be using the same addresses on their own subnets. A NAT device (a router, a firewall, or, as in the figure below, a proxy server) translates between the private and public addresses. NAT prevents external users on the Internet from seeing the corporate network’s structure and internal IP addresses. Hiding that information limits what an attacker can learn about the network, but the stronger protection comes from the translation table itself: an inbound packet that does not match an outstanding request has nowhere to be delivered and is dropped, so an outsider cannot reach internal hosts directly simply by spoofing addresses.

In Figure 10.4, the proxy server gets a packet from station 135.112.56.52 for a destination on the public Internet. The source address is rewritten so the packet appears to come from 194.70.71.5, and the packet is sent out with this address. When a reply packet comes back, it will be addressed to the public address 194.70.71.5. The proxy server maintains a table of outstanding requests and looks up the address of the station that made the original request. It then rewrites the destination address of the return packet to 135.112.56.52. Because many internal stations share the one public address, the proxy must also rewrite the source port number and key its table on the address-and-port pair; this variant is usually called port address translation (PAT). (The station address in the figure is not drawn from one of the private blocks; in practice internal addresses should be.)

Figure 10.4: The network address translation capability of a proxy server allows the creation of subnets with private IP addresses that are locally administered and never exposed to the public Internet. In addition to conserving scarce IP addresses, this capability enhances security by hiding the private IP addresses from public view over the Internet through the use of one or more public IP addresses.

Both static and dynamic address translations are supported by NAT. A static translation explicitly and permanently maps a public address (and usually a port) to an internal address, and is used for servers that must accept inbound packets nobody inside has requested, such as a mail server. With dynamic translation, a pool of public addresses or ports is allocated and each new internal address to be translated is mapped to the next free entry from the pool for the life of the session, after which the entry is returned to the pool. This pool management is performed by the NAT device itself; it is separate from DHCP, which assigns addresses to hosts on the internal network rather than translating them.
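An added example (not part of the original text) of the translation logic described in the paragraphs above, written as a small port-address-translation table. The addresses 135.112.56.52 and 194.70.71.5 are taken from Figure 10.4; the port numbers, the static mapping for a mail server at an assumed internal address 135.112.56.10, and the outside hosts are constructed. Reply packets are accepted only from the host the original request went to, which is what makes unsolicited and spoofed packets fall through to a drop.

```python
"""Simulated NAT/PAT table.

Packets are plain dicts with keys src, sport, dst, dport. Outbound packets
get a new (public address, public port) source; inbound packets are
delivered only if they match a static mapping or an outstanding outbound
flow, and the reply must come from the destination the flow went to.
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    # public port -> (internal ip, internal port); for servers such as mail
    static_map: dict = field(default_factory=dict)
    _next_port: int = 40000
    # (inside ip, inside port, dst ip, dst port) -> public port
    _out: dict = field(default_factory=dict)
    # public port -> (inside ip, inside port, dst ip, dst port)
    _in: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """Rewrite source address/port; reuse the entry for a known flow."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pport = self._out.get(key)
        if pport is None:
            # dynamic translation: next free port from the pool
            pport = self._next_port
            self._next_port += 1
            self._out[key] = pport
            self._in[pport] = key
        return {**pkt, "src": self.public_ip, "sport": pport}

    def inbound(self, pkt):
        """Return the rewritten packet, or None if it must be dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        # static translation wins: unsolicited inbound traffic for a server
        if pkt["dport"] in self.static_map:
            ip, port = self.static_map[pkt["dport"]]
            return {**pkt, "dst": ip, "dport": port}
        entry = self._in.get(pkt["dport"])
        if entry is None:
            return None          # nothing asked for this: drop
        src, sport, dst, dport = entry
        if (pkt["src"], pkt["sport"]) != (dst, dport):
            return None          # reply from the wrong host: drop
        return {**pkt, "dst": src, "dport": sport}
```

The outbound side is what the figure shows; the two None returns on the inbound side are the part that matters for security, and they exist because the table records who the request went to, not because the internal address was hidden.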

IP addressing for extranets that are shared by multiple organizations can be handled in one of two ways—do it yourself or subscribe to a managed extranet service. The easiest way is for all partners to subscribe to a managed extranet service and let the provider manage things. This arrangement allows partners to communicate and conduct transactions with each other in a secure and managed environment, without having to spend a lot of time and money implementing expensive premises-based routing, assigning a set of IP addresses, and deploying a firewall. Instead, these functions are the responsibility of the service provider.

Internet users generally do not need to specify the IP address of the destination site because IP addresses can be represented by alphanumeric domain names such as fcc.gov or ibm.com. Domain name servers throughout the network contain tables that cross-reference these domain names with their underlying IP addresses. This capability is also applicable to intranets and extranets, enabling resources to be easily and quickly accessed without users having to know cumbersome IP addresses.

10.4.3 Services on the Internet

The actual services provided to end users through the Internet are defined not through the routing mechanisms of TCP/IP but depend instead on higher-level application protocols, such as HTTP, File Transfer Protocol (FTP), Network News Transport Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP). Because these protocols are not embedded in the Internet itself, a new application-layer protocol can be operated over the Internet through as little as one server that transmits the data in the proper format. The utility of a service to users, however, increases as the number of servers that provide that service increases.

By the late 1980s, the primary Internet services included e-mail, Telnet, FTP, and Usenet news. E-mail, which is still the most popular Internet service, allows users to send text-based messages to each other using a common addressing system. Telnet allows Internet users to log into a host and access information and applications from a remote location. FTP allows users to download files from a remote host computer onto their own system. Usenet newsgroups enable users to post and review messages on specific topics. Since 1995, with the advent of graphical browsers, the World Wide Web (WWW) has become one of the most utilized services on the Internet.

The Web has two primary features that make it a powerful, full-service method of accessing information through the Internet. First, the client software, or Web browsers, can access multimedia information—a combination of text, audio, video, and images embedded in the same file—and provide access to all of the other major Internet services such as FTP, e-mail, and news through one standard interface.

Second, the Web incorporates a hypertext system that allows individual Web pages to provide direct links to other Web pages, files, and other types of information. Thus, complex services such as on-line shopping, news feeds, and interactive games can be provided through the Internet over a nonproprietary system. The Web is the foundation for virtually all of the new Internet-based services currently being developed.

10.4.4 Management

As noted, no single entity or organization governs the Internet. Not even the FCC has anything to say about how the Internet is run. Each facilities-based network provider that is interconnected with the global Internet controls only the operational aspects of its network. No one can even be sure about the exact amount of traffic that passes across the Internet, because each backbone provider can account only for its own traffic, and there is no central mechanism for these providers to aggregate their data.

Despite all this, the Internet does not operate in an environment of pure chaos. Certain functions, such as domain name resolution, the allocation of IP addresses, and the definition of the TCP/IP protocols, must be coordinated, or traffic would never be able to pass seamlessly between different networks. With tens of thousands of different networks worldwide, it would be impossible to ensure technical and administrative compatibility if each network provider had to separately coordinate implementation issues with all other network providers.

These coordinating functions have traditionally been performed by an array of quasi-governmental, intergovernmental, and nongovernmental bodies. The United States government, in many cases, has handed over responsibilities to these bodies through contractual or other arrangements. In other cases, entities have simply emerged to address areas of need.

The broadest of these organizations is the Internet Society (ISOC), a nonprofit professional organization founded in 1992. ISOC organizes working groups and conferences and coordinates some of the efforts of other Internet administrative bodies. Internet standards are developed primarily through the IETF, an open international body mostly composed of volunteers. The work of the IETF is coordinated by the Internet Engineering Steering Group (IESG) and the Internet Architecture Board (IAB), both of which are affiliated with the ISOC. The Internet Assigned Numbers Authority (IANA) coordinates the contents of the DNS root zone, the global allocation of IP address space, and the registries of protocol parameters; the root name servers themselves are operated by a number of independent organizations, which contributes to the stability and robustness of the Internet.

10.4.5 Intranets and Extranets

An intranet is a private TCP/IP network that usually supports the same protocols and services as the public Internet, including e-mail, news, chat rooms, and Web pages. An extranet is simply a private TCP/IP network that is shared between multiple companies. Businesses build intranets and extranets to improve communication, facilitate information distribution, broaden access to corporate resources, enable group scheduling, and provide a browser front end to various corporate databases and services.

Intranets

There are a number of practical reasons for setting up a corporate intranet, the biggest of which is to improve internal communications and facilitate decision making. For example, an intranet makes it possible for employees to access information without documents having to be printed and distributed in paper form. Posting the documents on a department Web site provides direct access to the information from any location, so employees can get what they need when they need it without involving anyone else. This empowers employees to make decisions on their own, without causing them to experience information overload.

Another reason to have an intranet is that it reduces the cost of internal operations. With employees able to access information directly, schedule conferences, collaborate with each other using automated tools, submit timesheets directly to accounting, and communicate across departmental boundaries with e-mail, chat, IP fax, and IP telephony, there is no need for a middle-management layer in the organization to act as the facilitating agent. The result is across-the-board improvements in productivity, as well as cost savings from streamlined business operations. The applications to do all this are very inexpensive, and the browsers are free. The protocols run over the existing corporate LAN and WAN, eliminating the need to invest in a separate network. The intranet’s rollout can be gradual, modular, and minimally disruptive.

The cross-platform nature of TCP/IP provides another reason to establish an intranet. Most organizations are heterogeneous on the client side, having a mix of Macintosh computers, UNIX workstations, Windows PCs, and even some OS/2 machines. Intranets are the easiest way to get these devices talking. Since all of the operating systems have TCP/IP stacks already built into them, the clients are “intranet ready,” requiring no extra costs to network them together. There may be additional costs associated with servers and routers, but these are often incremental expenses since these systems are typically already in place to support other applications on the LAN and WAN. Supporting an intranet is usually just a matter of taking advantage of the TCP/IP stacks already embedded in the operating systems of these devices.

Another facet of intranets is that they are fast—much faster than the public Internet. This is because a company is in sole control of such critical elements as the intranet’s bandwidth, technologies and protocols, and applications and devices. All of these elements impact performance. When an intranet is under the control of a single company, steps can be taken to optimize its performance and safeguard its integrity end to end. For example, a company can implement QoS mechanisms, traffic prioritization schemes, and network caching, as well as add bandwidth wherever it is needed and even partition it among the applications. This is not possible when relying on the public Internet, which has no central management authority to make these decisions and see that they are carried out. With an intranet, a company can push the envelope in terms of applications and make adjustments to ensure peak performance.

Finally, setting up an intranet is a relatively low-risk proposition from a technology standpoint. The underlying technologies and protocols that are used to implement corporate intranets have been in use on the public Internet for decades and have proved to be reliable and robust. Even when new capabilities are added, such as IP telephony and streaming video, which the original Internet was never intended to support, the protocols necessary for implementing these new capabilities are designed to work within the TCP/IP framework. (The security risks that come with wider access to corporate data are a separate matter, discussed below.)

The decision to implement an intranet is relatively easy for large companies because they typically have the necessary components already in place. For example, they have LANs and use TCP/IP on the WAN to support e-mail, file transfers, remote database access, and other routine communications needs. They usually have the technical expertise to install and configure the necessary components—including a heterogeneous client base, plus servers, routers, switches, and gateways—and manage these and other network elements via an enterprise-level management system that also supports SNMP. They may also have people who implement and maintain client-server technology over LANs that also provide connectivity to legacy host systems. For these companies, it is relatively simple to add a graphical front end to this environment in the form of browsers and offer extra functionality, such as an SQL query capability, from Web servers distributed on the TCP/IP network.

Even for companies that do not already have an existing TCP/IP-based infrastructure, it does not take much to learn how to take advantage of Internet technology and adapt it for internal usage. These companies, as well as very small companies that lack any kind of technical expertise, can avail themselves of numerous vendors and service providers who are eager to educate potential customers on the benefits of corporate intranets and offer their own ideas concerning intranet implementation.

If a company does not want to build and run its own intranet, there are service providers that handle this as well. In fact, every aspect of designing, provisioning, and managing a corporate intranet can be outsourced to a carrier or third-party firm—including creating the intranet Web page, selecting the equipment and software, hosting one or more intranet Web sites, and procuring and managing the access and transport facilities of the network.

Critical to keeping an intranet running smoothly is IP address administration, which can become unwieldy as intranets lead to a proliferation of devices requiring IP addresses. Intranet-driven IP administration can be facilitated by DHCP software. For managers of large IP networks, DHCP reduces the work necessary to administer a large number of IP addresses by automatically leasing IP addresses to clients as they join the TCP/IP network.

Running on a server, the DHCP software also reclaims addresses whose leases have expired and maintains a pool of reusable addresses. These features greatly simplify the workload of network managers, who would otherwise have to issue static IP addresses to every device on the network and manually assign an address to any device that is changed, moved, or added on the network. DHCP is also good for the organization because there is less chance of running out of IP addresses and having to justify a request for additional addresses. One caveat: DHCP has no built-in authentication, so any device on the segment can request leases, and a misbehaving or malicious client can drain the pool by asking for addresses under many different hardware addresses.
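The lease bookkeeping described above, as an added example that is not from the original text: a pool that hands out addresses, renews an existing lease for a returning client, reclaims expired leases for reuse, and reports exhaustion rather than handing out a duplicate. The address range 10.0.5.10 to 10.0.5.12, the lease time and the hardware addresses are constructed; time is passed in as a number so the behaviour is deterministic.

```python
"""A DHCP-style lease pool with expiry and reclaim.

Addresses are handed out from a free list; each lease records the client
hardware address and an expiry time. Expired leases are reclaimed on the
next request, and a release is honoured only from the client that holds
the lease (a server that skips that check lets one client free another's
address).
"""
import ipaddress


class LeasePool:
    def __init__(self, first, last, lease_seconds):
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}   # ip -> (client hardware address, expiry time)

    def _reclaim(self, now):
        """Return expired addresses to the free list."""
        expired = [ip for ip, (_, exp) in self.leases.items() if exp <= now]
        for ip in expired:
            del self.leases[ip]
            self.free.append(ip)

    def request(self, mac, now):
        """Offer a lease. A client that already holds one gets it renewed;
        otherwise the next free address is used. None means the pool is
        exhausted, which is also what a starvation attack looks like."""
        self._reclaim(now)
        for ip, (owner, _) in self.leases.items():
            if owner == mac:
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def release(self, mac, ip):
        """Client gives a lease back early. Refused unless the client owns it."""
        owner = self.leases.get(ip, (None, None))[0]
        if owner != mac:
            return False
        del self.leases[ip]
        self.free.append(ip)
        return True

    def active_leases(self, now):
        """Current (ip, mac) pairs, after reclaiming anything expired."""
        self._reclaim(now)
        return sorted((ip, mac) for ip, (mac, _) in self.leases.items())
```

Three clients fill the three-address pool; a fourth is refused until someone releases or a lease lapses, and a client returning within its lease time keeps the same address.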

Perhaps the most serious issue related to intranet implementation is security. Increasing the number of people who have access to important data or systems can make a company’s information technology infrastructure vulnerable to attack if the right precautions are not taken. A comprehensive security solution addresses internal as well as external threats and should include policies and procedures and the ability to monitor and enforce them, as well as robust security tools that work well together and do not leave any gaps in protection. The following basic functions are necessary for broad security coverage:

  • Access control software allows varying degrees of access to applications and data.

  • Secure transmission mechanisms like encryption prevent outside parties from intercepting, eavesdropping, or changing data sent over the network.

  • Authentication software validates that the information that appears to have been originated and sent by a particular individual was actually sent by that person.

  • Disaster recovery software and procedures assist in recovering data from a server that experiences a major fault.

  • Antivirus software detects and removes viruses before they cause problems.

  • Packet filtering controls what information can pass between internal subnets and between the intranet and Internet, on the basis of such criteria as source and destination addresses, specific applications, users or groups of users, and even time of day.

  • Intrusion detection identifies hacking attempts, ideally before they progress far enough to do any damage, and alerts the staff who can respond; systems that also block the offending traffic or close the service under attack are usually called intrusion prevention systems.
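An added example, not from the original text, of the packet-filtering function in the list above: a rule set evaluated against sample packets using the criteria the text names (source and destination addresses, service, and time of day), with a default-deny fallthrough. The networks, the assumed internal web and database servers, the rules and the packets are all constructed; an “ingress” field on each packet stands in for the interface it arrived on, which is what makes the anti-spoofing rule possible.

```python
"""Stateless packet filter: first matching rule wins, otherwise deny.

Rules carry the interface the packet arrived on, source and destination
networks, protocol, destination port and an optional hours-of-day window.
The first rule refuses anything arriving from outside that claims an
internal source address, which is the spoofing case the text refers to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    ingress: str                        # "inside", "outside" or "any"
    src: str                            # CIDR or "any"
    dst: str                            # CIDR or "any"
    proto: str                          # "tcp", "udp" or "any"
    dport: Optional[int]                # None = any port
    hours: Optional[Tuple[int, int]]    # (start, end) in 24h time, None = always


def _match_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _match_hours(hours, hour):
    if hours is None:
        return True
    start, end = hours
    # a window that wraps midnight (e.g. 22..6) is handled as two ranges
    return start <= hour < end if start <= end else (hour >= start or hour < end)


def evaluate(rules, pkt, hour):
    """pkt: dict with ingress, src, dst, proto, dport. Returns "allow" or "deny"."""
    for r in rules:
        if (r.ingress in ("any", pkt["ingress"])
                and _match_net(r.src, pkt["src"])
                and _match_net(r.dst, pkt["dst"])
                and r.proto in ("any", pkt["proto"])
                and r.dport in (None, pkt["dport"])
                and _match_hours(r.hours, hour)):
            return r.action
    return "deny"   # nothing matched: default deny


INTERNAL = "10.0.0.0/8"          # constructed intranet range
WEB_SERVER = "10.1.0.10/32"      # assumed public-facing web server
FINANCE = "10.2.0.0/16"          # assumed finance subnet
DB_SERVERS = "10.3.0.0/16"       # assumed database subnet

RULES = [
    Rule("deny",  "outside", INTERNAL, "any", "any", None, None),            # anti-spoofing
    Rule("allow", "outside", "any", WEB_SERVER, "tcp", 80, None),
    Rule("allow", "outside", "any", WEB_SERVER, "tcp", 443, None),
    Rule("allow", "inside", INTERNAL, "any", "tcp", 80, None),               # users browsing out
    Rule("allow", "inside", INTERNAL, "any", "tcp", 443, None),
    Rule("allow", "inside", FINANCE, DB_SERVERS, "tcp", 1433, (8, 18)),      # business hours only
]


def decide(pkt, hour):
    """Convenience wrapper over the constructed rule set."""
    return evaluate(RULES, pkt, hour)
```

The interesting cases are the ones that fall through: an outside packet with an internal source is refused by the first rule even though the web rule would otherwise have allowed it, and the finance-to-database rule stops matching outside business hours, at which point the default deny applies.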

The cost of developing a corporate intranet varies considerably on a case-by-case basis. Large companies can often build sophisticated intranets using existing TCP/IP networks, equipment, and management tools. In such cases, the intranet is treated as just another set of applications that is added to meet business needs. For such companies, the start-up cost for intranet development can be incremental.

The start-up cost for an intranet that supports 400 to 500 people can be as low as $25,000. This includes browsers for the client, a Web server, content development tools, and the communications hardware and software. The recurring cost of facilities and services can be obtained from the various carriers and compiled into an annual figure. Companies that do not have in-house technical expertise should also plan to spend 10% of the total start-up cost of equipment and software on integration services.

Fortune 100 companies with worldwide locations that must be tied into the intranet can expect to pay quite a bit more, especially if they intend to offer a high level of interactivity, engage in electronic commerce, and Web-enable various business processes. Here, security is extremely important and constitutes a significant cost to factor into the budget. Such companies should plan to spend at least $10 million.

As companies put together budgets for intranet development and management, eventually they will have to address the issue of return on investment (ROI), as they typically do for any other major capital expenditure. The extent to which this can be done with any degree of accuracy often depends on how the proposed intranet will be used.

For example, if the intranet will be used to publish staff handbooks, telephone directories, forms, office notices, and other administrative documentation, the annual cost of printing, distributing, updating, and storing these materials contributes to the ROI of the intranet. Although harder to quantify, there is also the significant cost of staff time for filing, updating, and referring to paper-based material that would also be eliminated. A publishing application can garner an annual ROI of as much as 30%. Other applications, such as database access and inventory management, may yield 70% and 50% annual returns, respectively. Reliance on electronic publishing would improve overall productivity, which is a “soft-dollar” benefit that can be used to cost-justify the intranet, especially when the intranet includes a search engine or SQL query capability that allows users to key in on desired information quickly.

If the company plans to use the intranet for transaction processing, ROI can be fairly easy to calculate. For example, the company can post all of its business forms on the intranet, including various health insurance forms, travel authorization and expense reimbursement forms, vacation schedule forms, worker’s compensation forms, 401K plan forms, and purchase order forms—just to name a few. These and other forms can be called up on the intranet with a browser, filled in by the employee, and sent to the appropriate department via e-mail. Employees need not waste time tracking down the paper forms they need and, since the employee-supplied information is submitted in electronic form, departments can process it faster and readily integrate it into various databases. The savings in time and improved form processing constitutes another element that can be factored into the intranet’s return on investment.

Corporate intranets are changing businesses in a profound way. They empower employees by providing them with a high degree of autonomy, encouraging creativity, enhancing decision making, and improving productivity. The result is that the company improves customer service and responds more effectively to changing market conditions.

Increasingly, PBX vendors are recognizing the importance of providing customers with easier and more economical ways of supporting VoIP and, in the process, helping them transition to voice and data convergence. Vendors provide solutions with the flexibility to support voice, video, and data traffic over the Internet, intranets, extranets, public-switched networks, and ATM. When used as a gateway, such systems convert voice traffic to packets for transmission over IP networks. The QoS for each call is monitored, so that if the IP network’s performance is not acceptable for voice or fax calls, the switch will reroute the call over an alternative network, if available.

Enterprises with a large number of telecommuters and mobile professionals can opt for a VoIP solution that supports remote log-in so these employees can have the same capabilities as their desktop telephone sets, including hold, call forward, transfer, speed dial, and conference, as well as multiple call appearances and call displays on their laptop computers while working remotely. Such systems offer the means for remote users to log into the corporate switch so they can take advantage of all these features and work virtually from any location. Remote users can also have access to voice mail.

This solution can even be applied to call center operations, helping companies take full advantage of their data networks by delivering call signaling and phone features to a call center agent’s PC through an IP connection. Among other things, this allows agents working at home to provide the same high level of customer care as agents working in a traditional call center environment. For the company, the solution lowers the cost of support operations and helps them attract qualified staff by offering them the means to work at home.

Network management vendors are offering tools that help IT administrators and network managers monitor voice and data traffic performance on IP nets. These tools provide call monitoring, adaptive voice and data traffic prioritization, QoS, bandwidth management, and accounting and billing metrics for voice-related traffic over IP networks.

Network managers can even monitor information such as callers and destinations, call duration, time-of-day distribution, and associated costs. Voice and data traffic are dynamically prioritized in real time, on the basis of actual bandwidth availability at the circuit level. Voice sessions can be accounted and billed for according to factors such as priority, user type, and time of day. Corporations can use these detailed accounting features to bill-back departments, while service providers may use them to bill customers on a per-use and/or priority basis.

Extranets

An extranet is a network that is shared among multiple organizations, usually strategic business partners, that are given controlled access to select information and applications. The extranet is based on the TCP/IP suite of protocols and provides the same capabilities as the public Internet but with security features and access privileges that guard against unauthorized entry.

Businesses build extranets to improve communication among key constituents, facilitate information distribution, broaden access to each other’s resources, enable group scheduling, and provide a browser front end to various corporate databases to expedite inventory tracking, supply-side management, and invoicing. Extranets have become the means through which companies engage in business-to-business (B2B) e-commerce on a global basis, while reaping the added benefits of reduced operational costs, improved productivity, and timely response to changing market conditions.

Extranets can also be made accessible to the general public, providing customers with secure access to certain types of data. Banks, brokerage houses, and other financial institutions, for example, provide customers with secure access to their extranets to check on the status of their accounts. Delivery services, such as Federal Express and UPS, give customers access to their extranets to check on the delivery status of their packages. Airlines, hotels, and resorts provide extranet access to allow customers to place reservations on-line.

Among the advantages of establishing an extranet is that it provides self-service opportunities for constituents, who can order products directly, get immediate answers to their inquiries, and solve product-related problems by looking through a database. In some cases, an extranet can be used to allow customers to configure and price the products they want before placing the order electronically.

In turn, companies can serve constituents at a very low cost—24 hours a day, 7 days a week. Cost savings come from reductions in sales and support staff and the elimination of dedicated lines and services. In fact, an extranet allows an organization to create the equivalent of a corporate WAN with global reach but without the cost of leased lines. Like corporate intranets, an extranet uses the same hardware, software, protocols, and development tools as the public Internet.

In many cases, the same staff that maintains the corporate intranet also maintains the extranet, since the knowledge and skills to do both are not significantly different. The real challenges are in securing and managing the extranet, since the cooperation of several companies is necessary. Ensuring interoperability between the different systems, databases, and applications of the participants also merits technical expertise.

Before designing an extranet, the hub company needs to develop a document that discusses the network architecture, the goals of the architecture, and the system specifications that will support those goals. This document should be shared with partners for their input, since they will be the primary “customers” making the decision to join the extranet.

Before committing any resources to the extranet project, the hub company should determine what resources it already has that can be leveraged or redeployed. This could save on capital equipment costs and shorten the time to service cutover. A more realistic baseline budget can then be established for the project.

When building an extranet, personnel decisions should be made before resources are committed. There will be staff turnover to contend with and, as the extranet evolves, each person’s responsibilities may increase or change. It must be determined early on how extra resources will become available when needed, in what time frame, and in a way that will not erode confidence in the project among partners.

It is recommended that performance criteria be drawn up for the extranet and acceptance criteria developed that will satisfy management and partners that the job has been completed within specifications. In some cases, it might be worthwhile to offer an SLA to partners, governing such key areas as application performance, network availability, and response time to repair. An SLA could become a further inducement for partners to join the extranet.

If the resources of the hub company are constrained, consideration should be given to outsourcing extranet setup and management to an integrated communications provider (ICP). Since the ICP takes responsibility for 24/7 monitoring, a critical requirement for the smooth functioning of an extranet, there is no need for the hub company to have a support facility of its own. The ICP handles security with a combination of authentication and filtering techniques, the use of security protocols, and firewalls—all of which can be difficult and time consuming for organizations to set up and manage by themselves. By outsourcing extranet management, the hub company can save a substantial amount of money in start-up costs and free up IT staff to meet other business needs. Other reasons to outsource the extranet include the following:

  • Faster extranet development;

  • Easier integration of new technologies and capabilities;

  • The availability of best-of-breed equipment and higher-speed lines than a company could otherwise afford;

  • The availability of a wider range of expertise;

  • QoS guarantees;

  • Continuous network management and faster response to problems;

  • One-stop service and support.

Extranet management is a natural extension of systems management, except that external users are allowed through the firewall. Extranets present special management problems because they allow access to information systems that are normally considered private, including inventory databases, order entry and accounting systems, and product configuration and pricing tools. As with any network-based information system, there are management requirements to contend with, including the following:

  • Configuring new users and adding new nodes;

  • Setting up and changing access controls in response to changing needs;

  • Ensuring that system security works properly;

  • Adding new software and features to satisfy changing business requirements;

  • Ensuring that information systems, applications, and links continue to work properly.

These duties usually fall within the traditional domain of system administration but are made slightly more difficult when they involve multiple organizations. For the extranet to yield the anticipated benefits to all participants, managers must ensure that the right information is available to the right constituents, that frequently changing information—such as product prices, catalogs, and inventory—is kept up to date, and that all supporting systems function properly.

Management of a multi-company extranet usually is the responsibility of the largest organization, which acts as the “hub.” This company encourages its suppliers, sales channels, and other partners to join the extranet for mutual benefit and assists the others in configuring their information systems, routers, and firewalls. In addition, the hub company may arrange for dedicated access lines and dial-up service providers to access the extranet. To get inexperienced companies up to speed on using the extranet to optimal advantage, the hub company may also offer consulting services and on-line training.

Although extranets are extensions of corporate intranets and usually allow access via the global Internet, sensitive business data can be kept private via the use of a firewall, which may use a number of strategies—including packet filtering and intrusion detection—to keep private data and resources off limits. If implemented properly, extranets provide access to appropriate information while effectively securing other data from the general public, as well as from strategic partners, on a selective basis.

Security is problematic when applied to extranets for reasons that have nothing to do with the technologies for controlling access. The real challenge comes from the fact that the extranet involves partners whose relationships are dynamically changing and complex. Today’s partners may become tomorrow’s competitors, and a partner may be both a competitor and a partner simultaneously. If an extranet system does not permit dynamic changes in access control, there is the possibility of sensitive information getting into the wrong hands, which cannot simply be called back.

There are several key requirements to securing information on an extranet. First, the identity of an individual wishing to access the extranet should be authenticated. This process is complicated when employees or business partners access information from multiple computers and, often, from remote locations over the Internet. Users should be able to authenticate from a Web browser, with no client software requirements. In addition, there are often hundreds of Web servers in a large enterprise, and users need access privileges for each server they access. This can lead to many problems: Users must remember passwords for many servers, administrators need to manage the access controls for each individual server, and many separate entries must be added or removed when a user’s access privileges change or when employees join or leave the company. A security solution that lets the organization manage access controls for all of these servers centrally and presents users with a single sign-on to the Web space can greatly simplify security management, as well as enhance the user’s experience.

Once a user’s identity has been authenticated, access privileges should be determined. An authenticated user does not necessarily have permission to access resources. Security policies should explicitly grant access rights to Web resources. An access control decision function must establish whether requests for specific information should be granted or denied. Administration is complicated if access controls must be configured at each Web server, and it is difficult to construct a comprehensive picture of a user’s privileges in the Web space if an administrator must consult each Web server’s configuration information. A centralized authorization framework greatly simplifies administration.

Large extranets will require that certain management tasks be delegated. It is often necessary to delegate the management of security and privileges for certain information resources to either the individual or group responsible for maintaining them. An effective security system should facilitate secure delegation of permissions to ease the management burden.

Another important concern with any security management solution is how easy it is to implement and administer. For any security solution to be effective, it should integrate easily with the organization’s existing infrastructure and be easy to administer. Any complexities in security management increase the possibility of human errors, make the extranet difficult to navigate, and expose the extranet to attack or misuse.

Within the context of the extranet, security and content management are closely interrelated; after all, security is about protecting information. Content management is a critical issue with extranets because the owner has virtually no control over the information once it is downloaded and has no idea of its ultimate destination and how the information is really being used.

For example, extranets lend themselves to the aggregation of tactical information, which can have strategic value. This can become a threat if content control and the time value of information are not considered part of the security equation. While production figures for a specific month are considered tactical information and may help partners that are supplying raw materials to the assembly line, 3 months of production information may be of strategic value to another partner that is also a competitor. Therefore, the same information should not be made available in the same form to all partners.

An extranet is the only situation where a firm exposes its most proprietary information to a semi-open audience. Sound content management entails never assuming that the target user at the partner organization will be the final user of that information. While the success of the partnership is certainly important, and ease of communication is inherent to achieving that success, it must be recognized that failure can come from revealing too much information. It is therefore necessary for content owners to implement information security systems that permit content control and dynamic changes to minimize exposure to risk.
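The centralized authorization framework described above (a single access control decision function, delegated administration, and dynamic revocation) together with the time-value rule for production figures can be sketched as one policy engine. This is an added illustration, not code from the book; the partner names, the "production" resource, the hub/delegate roles and the monthly figures are constructed sample data, and the user is assumed to have already been authenticated.

```python
# Added illustration of a centralized extranet authorization framework.
# Partner names, resource names and production figures are constructed sample data.
from dataclasses import dataclass

# Constructed sample content: monthly production figures, oldest first.
PRODUCTION = {"2003-01": 1200, "2003-02": 1350, "2003-03": 1100, "2003-04": 1400}


@dataclass(frozen=True)
class Grant:
    resource: str
    max_months: int  # time-value control: how much history this partner may aggregate


class ExtranetPolicy:
    """One authorization decision point consulted by every web server,
    replacing per-server access lists."""
    HUB = "hub"  # the hub company administers the extranet

    def __init__(self):
        self._grants = {}     # partner -> {resource: Grant}
        self._delegates = {}  # resource -> set of partners allowed to administer it

    def delegate(self, admin, resource, partner):
        """Only the hub may hand administration of a resource to a partner."""
        if admin != self.HUB:
            raise PermissionError("only the hub delegates administration")
        self._delegates.setdefault(resource, set()).add(partner)

    def grant(self, admin, partner, resource, max_months):
        if admin != self.HUB and admin not in self._delegates.get(resource, ()):
            raise PermissionError(f"{admin} may not administer {resource}")
        self._grants.setdefault(partner, {})[resource] = Grant(resource, max_months)

    def revoke(self, partner):
        """Dynamic change: one call removes every grant when a partner turns competitor."""
        self._grants.pop(partner, None)

    def decide(self, partner, resource, months):
        """Access control decision function: permit only if a grant exists and the
        requested aggregation window does not exceed it."""
        g = self._grants.get(partner, {}).get(resource)
        return g is not None and months <= g.max_months


def production_view(policy, partner, months):
    """Return the slice of figures an authenticated partner may see, or None if denied."""
    if not policy.decide(partner, "production", months):
        return None
    keys = sorted(PRODUCTION)[-months:]
    return {k: PRODUCTION[k] for k in keys}
```

A raw-materials supplier granted one month sees only the latest figure, while a request for three months from the same partner is refused outright rather than trimmed, so the aggregation the text warns about never leaves the hub.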

LANs to WANs: The Complete Management Guide. ISBN 1580535720. Year: 2003. Pages: 184.