November 1, 1999
Ruesch went through an extensive planning process before implementing the system. Planners identified 10 key policy areas, hashed out details and a timetable, and then started building. "Every two weeks we did an internal release of RueschLink. We just let people bang on it," Szoc says.
The developers created nine versions of RueschLink, launched a beta version in March, and unveiled a production version in April. Version 1.5 came out in June, and a bilingual version was introduced in September.
Security is seen as a shared responsibility with customers. Ruesch issues a valid certificate and makes sure its software does the authorization. Each customer has an IT administrator who handles passwords and certificates.
Even with the digital certificates, customers using the extranet need to provide client identification, a personal identification string, and a password that Ruesch dictates. Ruesch restricts access on a per-function basis for each company.
Ruesch began to speed up its rollout last month, adding 15 clients per day with an average count of three users per client. So far, Szoc says, the company has 500 clients on board.
Szoc is confident in Ruesch's use of digital certificates for its extranet. "This strengthens the site in the eyes of clients because this is something most vendors are getting into," he says. "It gives clients peace of mind knowing their transactions are secure. Individually signed certificates are irrefutable."
The more complicated or sensitive the information, the more secure a company's business-to-business networks need to be. In addition to providing security for the initial applications, analysts say, companies also need to plan for growth. Within 18 months of starting an extranet project, most large companies will use the extranet to support at least 10 and in some cases dozens of secure intercompany applications, says Giga Information Group analyst Dan Merriman.
A basic security measure is verifying that the people dialing in are who they say they are. The easiest approach is to require the use of passwords.
A more complex--but more secure--approach is using digital certificates and a public key infrastructure (PKI) to authenticate a user's identity, says Jeff Barnell, VP of technology for VPNet Technologies Inc., which develops virtual private network technology and services. "It works like a driver's license that you use to cash a check. You have to trust the Department of Motor Vehicles enough to know they issued this to so-and-so, and that that's enough to verify they are so-and-so," Barnell says.
Digital certificates work the same way. A certificate authority vouches for the parties' authenticity after both present ID to a registrar. With a PKI in place, authentication is taken care of.