Wondering what the "extra" is in extranets? At heart, the concept refers to extending your intranet by adding extra links to key trading partners, be they customers, dealers, distributors, suppliers or contractors.
The real extra is in the payback, says Mary Cronin, professor of management at Boston College's department of strategic management and operations. Using your intranet to change the way you deal with trading partners may be the single most strategic thing you can achieve with your intranet investment.
Setting up extranets usually involves considerable management-level coordination due to the risks associated with providing partners access to your business data. Assuming you have identified trusted trading partners willing to do business online, how do you implement an extranet?
One or more of the trading partners host on their computers the principal applications, databases and documents required by all partners. Typically, this arrangement is characterised by a duelling firewalls topology, in which companies provide each other with secure, tunnelled access (i.e., secure associations involving network-level packet encryption) to their respective intranets over the public Internet.
Countrywide Home Loans in the US, for example, has established a Web-based extranet application, based on Netscape's server and security products, that enables its bank and mortgage broker partners to access loan-processing and financial databases. The application, called Platinum Lender Access, lets banks complete mortgage applications, check account histories and interest rates and track loan status online.
Chances are you already have most, if not all, of the basic ingredients needed to add extranet functionality, including Web servers, proxy servers and firewalls.
The most fundamental component of an extranet, however, is the pool of business information you want trading partners to access.
You may, for example, choose to provide customers with access to your online purchasing and inventory systems to track the status of their orders or allow engineering contractors real-time access to CAD/CAM specifications and drawings.
Providing partners with such access may be as simple as adding them to the relevant applications' authorised access control lists.
In other words, extranets are usually logical overlays, defined only by access privileges and routing tables, on today's intranet and Internet infrastructure rather than new physical networks in their own right.
But a single Web server hanging out in cyberspace does not an extranet make. Extranets usually connect two or more pre-existing intranets, each of which may consist of anywhere from a handful to scores of internal Web sites.
As you and your trading partners get deeper into each other's business processes you will probably want to provide access to a wider range of database documents and other resources on your respective intranets. These shared resources can then serve as the basis for coordination and collaboration among internal and external personnel.
You and your extranet partners should consider adopting a common Web-based application environment, such as Lotus Development's Domino, Netscape's SuiteSpot or OpenText's LiveLink, that provides capabilities such as distributed libraries, bulletin boards, messaging, workflow, calendaring, newsgroups and database/document access. You can scarcely build a viable extranet without strong collaboration tools, so you should explore groupware-like functionality in earnest.
Control by proxy
As your intranet funnels more traffic to and from extranets, you and your trading partners may find it prudent to set up proxy servers, also called application-level gateways. These nodes sit between your intranet and the extranet, intercepting and consolidating internal users' requests for external Web pages (such as those residing on trading partners' sites), caching frequently accessed pages and controlling outbound access to services at the application level.
Proxy servers - available from the likes of Netscape, Microsoft and other Internet software vendors - can help you prevent redundant extranet page or file downloads from bogging down your intranet. By presenting a single corporate-wide IP address to the outside world, proxy servers can also help protect intranet servers from hackers.
You can configure proxy servers flexibly in keeping with your extranet requirements. You may choose to implement one centralised proxy, one for each intranet/extranet service category (such as HTTP, File Transfer Protocol, telnet, Secure Sockets Layer, and Usenet/Network News Transfer Protocol), one for each region, or one for each trading partner connected to your intranet. Most commercial browsers provide users with the ability to direct various types of traffic to various proxies.
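The per-service and per-partner proxy split described above can be written as a proxy auto-config (PAC) function, the JavaScript hook a browser calls to choose a proxy for each request. This is an added example, not part of the original article: every host name, port and partner domain is a constructed placeholder, and it uses plain string operations rather than the browser-supplied PAC helpers so it also runs outside a browser.

```javascript
// Added example: all proxy hosts, ports and partner domains below are
// constructed placeholders, not values from the article.
var SERVICE_PROXIES = {
  "http:":  "PROXY web-proxy.corp.example:8080",
  "https:": "PROXY ssl-proxy.corp.example:8443",
  "ftp:":   "PROXY ftp-proxy.corp.example:2121"
};
// One dedicated proxy per trading partner, so partner traffic can be
// logged and access-controlled separately from general Web browsing.
var PARTNER_PROXIES = {
  "supplier.example": "PROXY partner-a-proxy.corp.example:8080",
  "dealer.example":   "PROXY partner-b-proxy.corp.example:8080"
};
var INTRANET_SUFFIX = "corp.example";

// True when host equals domain or is a subdomain of it. Matching on a label
// boundary stops "notsupplier.example" being treated as "supplier.example".
function inDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Browsers call this for every request; the return value names the proxy.
function FindProxyForURL(url, host) {
  // Unqualified names and intranet hosts never leave the internal network.
  if (host.indexOf(".") === -1 || inDomain(host, INTRANET_SUFFIX)) {
    return "DIRECT";
  }
  for (var domain in PARTNER_PROXIES) {
    if (inDomain(host, domain)) return PARTNER_PROXIES[domain];
  }
  var scheme = url.slice(0, url.indexOf(":") + 1).toLowerCase();
  // Assumed policy: unlisted service categories are sent to an address where
  // no proxy listens instead of DIRECT, so they fail closed.
  return SERVICE_PROXIES[scheme] || "PROXY 127.0.0.1:9";
}
```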
Firewalls are typically installed at the intranet's perimeter and, with their close cousins encrypting routers, usually serve as a company's sentinel or secure gateway to extranets and the Internet. Proxy servers are usually situated on the intranet side of firewalls because their prime function is to serve internal users rather than filter inbound traffic from the Internet or extranet.
Knowledge is power
Firewalls often perform application-level proxy services, similar or identical to those just described, in addition to such core functionality as filtering and blocking packets at the network layer. Firewalls look at inbound and outbound packets' source and destination addresses, as well as the services being requested, and grant or deny access accordingly.
Firewalls keep casual Internet/extranet users away from precious company data, limit legitimate users to selected applications and databases, allow network administrators to monitor outbound communications, and produce a detailed audit trail of all successful and attempted log-ons.
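The filtering and audit behaviour just described, reduced to its decision logic: an ordered rule table matched on source address, destination address and requested service, with a default deny and a log entry for every decision. This is an added example, not code from the article or from any firewall product; the addresses (documentation ranges), ports and rule names are constructed.

```javascript
// Added example: the addresses, ports and rule set are constructed
// placeholders (documentation address ranges), not taken from the article.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce(function (acc, p) {
    var n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error("bad IPv4 address: " + ip);
    return acc * 256 + n;
  }, 0);
}

// True when ip falls inside cidr ("a.b.c.d/len"); "any" matches everything.
function inCidr(ip, cidr) {
  if (cidr === "any") return true;
  var pair = cidr.split("/");
  var size = Math.pow(2, 32 - Number(pair[1]));
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(pair[0]) / size);
}

// Ordered rule table: first match wins, anything unmatched is denied.
// The narrow deny sits above the broad allow so it takes effect.
var RULES = [
  { name: "suspended-dealer", src: "198.51.100.77/32", dst: "any", port: 443, action: "deny" },
  { name: "partner-orders", src: "198.51.100.0/24", dst: "192.0.2.10/32", port: 443, action: "allow" },
  { name: "partner-catalogue", src: "203.0.113.0/24", dst: "192.0.2.20/32", port: 80, action: "allow" }
];
var auditLog = [];

// Decide one packet on source, destination and requested service (port),
// and record the decision whether access was granted or refused.
function filterPacket(pkt) {
  var hit = null;
  for (var i = 0; i < RULES.length && !hit; i++) {
    var r = RULES[i];
    if (inCidr(pkt.src, r.src) && inCidr(pkt.dst, r.dst) && pkt.port === r.port) hit = r;
  }
  var decision = hit ? hit.action : "deny";
  auditLog.push({ src: pkt.src, dst: pkt.dst, port: pkt.port,
                  rule: hit ? hit.name : "default-deny", decision: decision });
  return decision;
}
```

A partner that is allowed to reach one server still hits the default deny when it asks for another partner's resource, and that refused attempt lands in the audit log alongside the successful ones.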
One of the most critical decisions you'll have to make in setting up your extranet is determining what data to make available to your partners. Ideally you would perform a thorough risk analysis, weighing the costs and benefits of hosting and securing sensitive business data in various locations prior to making hosting decisions.
Your firewall, routers, Web servers and browsers will need to support two types of security services - authentication and encryption - in order to support high-volume extranet business transactions.
The first rule of extranets is "trust but verify". When you provide a trusted partner with access to your intranet, you need to be able to authenticate their every network transaction, including log-ons, communications sessions, resource requests and e-mail messages - even down to the packet level.
Today's authentication products allow companies to spoof-proof their networks inside and out, verifying the origin and integrity of resource requests, files, messages, packets, sessions, software modules and network nodes. Secure tokens, digital signatures, certification authorities, credentials servers, biometrics and other advanced authentication technologies make it possible to secure access to the intranet and all networked information resources.
More and more authentication vendors are incorporating open standards into their products, enabling them to work with a range of third-party firewalls, communications gateways, applications and e-mail systems. Many authentication products use a mixture of public-key cryptographic techniques - such as RSA Data Security's Public Key Cryptography Standards - and secret-key technologies, such as Data Encryption Standard (DES) ciphers, to support user authentication along with secure key exchange and encryption, tamper-proofing and non-repudiation services.
Many authentication products also support mutual authentication, a critical feature for secure intranets and extranets, which enables client and server software modules - or two Web servers communicating over the extranet - to verify each other's authenticity prior to establishing a connection or association.
You may trust your trading partners completely but still have cold feet about transmitting sensitive business information to them over the Internet. This makes encryption essential for full-bore extranet commerce.
Encryption is supported by several of the security technologies discussed previously including DES, Kerberos, SSL, S/MIME, and SET. Extranet users will probably employ all or most of these techniques, depending on the object being encrypted. DES typically encrypts and decrypts files for network transmission and storage. Kerberos typically encrypts a complete communications session between distributed LAN client and server applications.
SSL encrypts communications sessions between Web browsers and servers. S/MIME encrypts e-mail body parts and attachments and SET encrypts credit card numbers and other sensitive information on electronic-commerce transactions.
Jibber jabber encryption
One specialised type of encryption that comes in handy on extranets is tunnelling because it enables companies to build secure virtual private networks (VPN) over the Internet. Tunnelling refers to the technique of encrypting packets so they can be transmitted confidentially over an insecure virtual circuit, such as an Internet TCP/IP connection.
There are no breakaway winner standards in the tunnelling protocol sweepstakes.
Lack of widely accepted tunnelling standards has limited the ability of trading partners to establish Internet-based VPNs between their respective firewalls and Internet service providers.
Of course, you can't set up an extranet without the services of one or more Internet service providers. ISPs are ramping up to support extranets by providing customers with end-to-end security through a combination of encrypting and tunnelling routers, firewalls and browsers.
UUNet Technologies recently introduced VPN services, dubbed ExtraLink, that support network layer encryption through Cisco's Internetwork Operating System 11.2 encrypting routers, and secure remote dial-up network access from 845 worldwide points of presence.
"All customer traffic is encrypted end-to-end as part of a UUNet-managed service," says Jay Jonekait, the company's vice-president of extranet services. The service can be deployed in conjunction with customers' existing firewalls. User authentication is supported through secure hand-held challenge-and-response tokens, such as those from token industry leader Security Dynamics Technologies.
UUNet's extranet services include performance guarantees of at least 99.9 per cent availability for customers with 12 or more sites, and no more than 150 milliseconds end-to-end transport delay over the wide-area connection. Trading partners can each be billed separately for the traffic they load onto a UUNet-managed extranet, according to Jonekait.
Some Internet service providers take it a step further, offering to host the applications and data that trading partners want to share.
Ultimately, it doesn't much matter whether you shoulder the task of extending your intranet to trading partners or leave the driving to someone else. Reaching the decision to use your intranet as a platform on which to build strategic links to partners is what counts.
Although Professor Cronin dislikes the term extranets ("'Extra' makes them sound superfluous," she says), extending your intranet to key trading partners should make it possible to change everything from marketing plans to product development initiatives to customer support systems - the core of your business.
That will make your network extraordinary.
Snap-On Tools in Wisconsin is an extranet success story Netscape profiles on its home page. Snap-On's extranet is used to deliver information to 4000 US dealers.
Since December 1996, Snap-On has provided dealers with password-protected, browser-based access to company product catalogues, promotional data, news items, reference materials and discussion groups. These applications run on Netscape's Enterprise Server, Proxy Server, News Server and Mail Server software which have been installed on servers on Snap-On's intranet.
Snap-On's extranet provides a forum for dealers to share tips on business practices such as cash management and selling techniques, and to feed their comments and concerns to the vendor.
"Our extranet enables us to disseminate information to our dealers in a more timely and efficient manner," says Bob Gingras, manager of electronic commerce at Snap-On, in the Netscape write-up. "We wanted to provide our dealers with a reliable and consistent information resource that would function 24 hours a day." Previously, the company communicated with dealers via regular postal mailings.
Although many companies view extranets as extensions of their intranet, in some cases it pays to have a third party host the applications and data to be shared among trading partners.
Enter the airwall
Externally hosted extranets are called on to support everything from electronic commerce to online product catalogues and electronic data interchange. The extranet service provider's computers remain outside the firewalls of the respective trading partners, minimising partners' exposure to unauthorised data access, tampering and theft.
Besides Internet service providers, other companies catering to this market include business-to-business online services such as Industry.Net, TradeCompass, TechnologyNet and Valu.Net. These firms provide subscription-based electronic commerce within various vertical-market segments, providing a means whereby buyers and sellers, who may never meet physically, can conduct business in a managed environment.
One security advantage of externally hosted extranets, according to Ken Lewis, program manager for electronic commerce at EDS, is the introduction of an "airwall" - lack of direct virtual and physical connectivity between trading partners' intranets.
EDS provides such a service for a consortium of 40 US agricultural chemical companies that use a Web-based extranet to support EDI electronic funds transfer, inventory overstock resale and shipment tracking.
In the past year, leading software vendors, systems integrators and network service providers have begun positioning their Internet/intranet offerings for extranet applications. Netscape has incorporated Secure Sockets Layer authentication and encryption features into its Web browser and server products, and much of the industry has followed suit to create a de facto electronic-commerce security standard.
Leading router and firewall vendors now support industry-standard tunnelling - packet encryption and encapsulation - technologies in their products, making it possible for two or more companies to establish secure virtual private networks over the Internet.
InfoTEST International is developing an experimental extranet called Enhanced Product Realisation (EPR) for electronic-commerce and supply-chain applications. InfoTEST's backers - including Caterpillar, Hewlett-Packard, IBM, Sandia National Laboratories, Sprint and Texas Instruments - will link their intranets securely using route-based IP encryptors.
When implemented in the coming year, EPR will allow InfoTEST members to provide secure access to shared information resources, such as complex structured and unstructured information.