InformationWeek: The Business Value of Technology


News In Review

November 17, 1997

Security For Extranets

VPNs, digital certificates make the technology safer, popular

By Beth Davis

Technologies that secure extranets -- the future WANs of corporate America -- have moved out of the labs and into products.

Digital certificates, virtual private networks (VPNs), and smart cards are available today from dozens of vendors. But can these tools help IT managers build safe, secure extranets so they can do business over the Internet?

Many think so, and are already deploying the technologies. VPNs, for example, are designed to establish secure tunnels over shared data networks -- typically Internet Protocol-based networks like the Net.

When Kinko's Inc. began designing its network a few years ago, the Ventura, Calif., office services company had confidence in the technologies' theoretical capabilities but not in their implementation, says Jim Winsayer, manager of research and development. But, he adds quickly, "We do today."

Others agree. They say the benefits of extranets can justify the time and expense necessary to implement security. The idea is to open up networks so companies can tie existing systems with their business partners to improve the flow of information. "Traditionally, the only way to do that was with proprietary value-added networks and traditional electronic data interchange applications," says Andy Schwab, executive VP of TriNet Services Inc., a Cary, N.C., Internet services company that helps organizations with Web site design, systems integration, and security. "Those were very costly routes to use to get that kind of connectivity and information flow. Today, there are a wide range of solutions out there to provide different levels of security and trust."

Companies are discovering that using public, Internet-based communications can save big money. Kinko's, for example, estimates it would spend nearly $10 million a year to link all its stores to the corporate network via leased, frame-relay connections. Using ISDN and Internet services, the company expects to pay only about half that.

Internet services also can eliminate the need for other types of costly WAN connections, such as T1 lines. While a conventional T1 (1.5-Mbps) leased line between New York and Los Angeles costs about $8,500 a month, companies pay Internet service providers only about $2,400 a month for a T1 Internet link between the two.

Kinko's is building an extranet to provide Internet access for its customers as well as link its 830 stores to its corporate headquarters. Beta testing of the extranet is slated to start this month. Winsayer expects to begin the commercial rollout by the first quarter of next year.

To secure the WAN, the company is combining two relatively new but common technologies used in extranets -- VPNs and digital certificates -- as well as firewalls and encryption. Digital certificates will add a layer of security on top of Kinko's VPN; each store will authenticate itself via a digital certificate.

Each Kinko's store will also have an Ascend Pipeline router that supports VPN technology. These ISDN routers connect to local Internet Points of Presence (POPs). From there, the traffic is routed to the corporate network. The secure VPN tunnel carrying that traffic is terminated at a high-end Ascend router at Kinko's headquarters.

To take full advantage of the WAN, Kinko's had several requirements, including the ability to dynamically assign and track IP addresses. For this, it uses a server that supports Radius (Remote Authentication Dial-In User Service), a security protocol that enables controlled access to the network. The Radius server links with the Ascend Max TNT router, telling it to make a long-distance ISDN call to the Pipeline router at a store. The Max TNT then instructs the Pipeline router to connect to the Internet at a local POP. "That whole process will happen in less than a minute, so from an application perspective, it appears that every store is always online," Winsayer says.

Kinko's plans to support a number of intranet applications over its extranet; with its Web servers accessible to its field offices, employees will be able to get to sales data, historical trending, policies and procedures, and inventory information for supplies.

Perception Vs. Reality

From 1996 to 2000, spending on intranet and extranet technology will grow tenfold, to $1.1 billion a year, estimates the Tower Group. That growth rate, however, will depend on proven security technologies. Financial securities firms, for instance, will continue to transmit sensitive data over private networks until "there's a much higher confidence level that transactions sent over the Internet can be completely secure," says Lawrence Tabb, a senior analyst at the Newton, Mass., consulting firm.

Indeed, security is very much on the minds of IT managers. A report earlier this year from the Computer Security Institute and the FBI revealed that nearly half of 563 U.S. organizations surveyed had been attacked through the Internet, up from 37%.

But many wary IT managers want to use the Internet for key transactions if it can be made safe. In the fifth annual InformationWeek/Ernst & Young security survey ("Is It Safe?"), nearly three-quarters of the 556 U.S. IT managers questioned said they would use the Internet for more important transactions if security were enhanced.

Still, shoddy technology isn't the problem. "It's more of a perception," says the Tower Group's Tabb. "The technology is currently available to provide secure transactions over the public network."

Media attention to security breaches creates the perception that the Net isn't secure, so companies building extranets aren't taking security lightly. "We agonized over whether we should use two separate networks -- one for our corporate use and one for customers," says Kinko's Winsayer.

A crack network design team spent months analyzing costs and reviewing the available technologies and other companies' extranet activities. The team, spearheaded by chief engineer Kevin Kokoa, was able to convince Kinko's executives that a single network infrastructure was the way to go.

Despite protections offered by VPNs, digital certificates, and smart cards, most organizations have yet to implement extranets. The bigger issue, experts say, is integrating these products into a secure solution -- no small task. For that reason, extranets carrying critical data are still far from the norm.

"I don't think a lot of corporations are saying they need an extranet strategy, but they are getting pressure from suppliers and business partners," says TriNet's Schwab. "Right now there are a lot of point products, and the integration is nontrivial."

Extranet advocates and naysayers alike offer this advice: Proceed with caution.

Ian Murphy, president and CEO of IAM/Secure Data Systems Inc. in Gladwynne, Pa., agrees with this advice. Murphy is a security consultant who has spent a long time learning to understand the behavior and mechanisms of computer hackers. "VPNs haven't been tested -- haven't been proven, at least to me -- as satisfactory," he says. In another five years, Murphy thinks, VPNs and extranets "will be approaching usability. All the bugs will be worked out." Digital certificates, too, need testing, he says: "The structure is not set in stone, and it requires some form of standardization."

Digital certificates won't take off as typical security tools for another two to five years, says Jonathan Penn, a research analyst with Ferris Research Inc. in San Francisco. "It really is a new technology, so there isn't a lot of expertise out there," he says. "Everybody I know is looking at them, but they don't have an implementation plan."

But just because VPNs and digital certificates haven't been put through the wringer doesn't mean companies should abandon the idea of an extranet. As with any new technology, start with a pilot implementation, a small group of users, and a few basic applications, experts say. As the bugs are worked out, the extranet can grow to accommodate more users and applications.

"It is the same idea as getting in a car and driving down the highway," Murphy says. "You ask yourself, `Have I done everything I can to protect myself from an accident? Is my car running well?'"

If you're satisfied with your answers, then you're set to try out an extranet.

See related story, "Three Types Of Online Security."

