Everything you always wanted to know about extranets*: but were afraid to ask

These secure managed networks are becoming increasingly popular with large corporations and service providers - and the variations are endless

When the automobile industry decided to set up a network that would link suppliers, manufacturers, designers and engineers, it first considered using the Internet. But industry leaders quickly shot down that idea after deciding security was not tight enough for the mission-critical applications crucial to their businesses.

Instead, the Automotive Industry Action Group teamed with Telcordia Technologies (then Bellcore) and various communications companies to develop the Automotive Network Exchange (ANX), which has since become the world's leading business-to-business extranet.

Following remote access and intranets, extranets are the future of virtual private network (VPN) applications. They are a tool that combines a salesperson, call center, catalog and technician into a single package that is available around the clock. Extranets connect a company's employees, customers and suppliers, allowing secure communication and business dealings to occur. And the consensus today is that all companies - both service providers and enterprises - can't afford to ignore the fast-growing extranet arena.

"If you want to stay in business, you must offer more than just a product," says Sheila Bacon, director of Internet value-added services for Sprint. "Everyone will expect you to offer Web-based interaction, and any business that does not pay attention to this trend will be left behind."

The extranet pioneers

Extranet has multiple definitions. For example, some identify them as secure Web sites that are available to customers and the people with whom they trade, says Bryan Whittle, Telcordia's general manager for the ANX. "[The ANX] is a managed network environment, and trading partners put applications on top of it," he says.

The ANX provides everything industry leaders were looking for - a business-quality TCP/IP-based network linking automotive suppliers to each other and to automakers over one connection, Whittle says (Figure 1).

First, the extranet allows trading partners to choose their service provider. ANX trading partners can subscribe to the network through any one of five so-called certified service providers, which oversee the day-to-day ANX transportfunction. These carriers have undergone extensive evaluations of their own networks' service features, performance, security, reliability, trouble handling, customer care, interoperability, business continuity and disaster recovery.

MCI WorldCom recently became the fifth carrier to win certified service provider status, joining AT&T, EDS, Bell Canada and Ameritech - all of which offer mandated levels of reliability, security, maintenance and performance. If a trading partner is having a problem with data transmission, it notifies its certified service provider, which is obligated to track the problem until it is resolved.

As the ANX overseer, Telcordia tracks feedback from trading partners and makes business and technical changes as needed, Whittle explains.

The ANX also includes extensive security measures, including an IP security (IPSec) device and firewalls. The IPSec device allows for the authentication of data sent between trading partners. It can encrypt messages and assure data integrity, which guarantees that the packet's contents have not been changed.

Currently, partners use passwords to access information, but Whittle says plans call for digital certification to be deployed later this year. Passwords can be confusing and unmanageable because businesses must use a separate password for partner, but a single digital certificate can be used for all transactions.

Recent research shows that when it comes to mission-critical applications, businesses want high levels of security and service quality, Whittle says. "Some people try to derive extranets over the public Internet by putting security on the end, and that may be OK for some," he says. "The automotive industry's decision was that the Internet did not have the reliability or performance or security or accountability that they needed."

Today, about 160 trading partners subscribe to the ANX and an additional 200 or so are under contract to sign up for the service. An additional 500 or so companies are doing due diligence on their contracts and business cases and are expected to subscribe over time.

The public network extranet

While Internet security may not have been considered up to par when the ANX was formed in 1994, new advancements today are giving service providers the confidence to offer extranets over the public network.

Extant, a carrier's carrier based in Columbus, Ohio, currently is working to set up a nationwide extranet over which competitive local exchange carriers (CLECs) can exchange information, widen their footprints and compete on a more even playing field with the larger carriers in the industry.

Designed with the company's ExtantNET software, the network will allow CLECs to determine what type of services community partners have available, examine pricing and time frames for services and look at applications in sales and marketing. A customer care module, a corporate library of information and a business intelligence section also will be included in addition to a community section that allows partners to advertise to each other (Figure 2).

"There's a commonality of issues for the CLEC community," says Jane Jones, managing director of sales and marketing for Extant. "We saw a serious need to help those people that did not have the funds, to put them on an even playing ground with the big guys."

But Extant isn't stopping there. The company also plans to wholesale software to CLECs and ISPs, allowing them to offer extranets to their customers using the ExtantNET software. On a third level, Extant plans to enter the applications arena, using its software to design industry-specific applications.

Since hiring its first sales person April 1, the company has signed Coast to Coast Communications in Detroit as its first community partner. Jones says about 25 other CLECs are planning to subscribe, and about 10 of those should be customers within the next few months.

Using a standard browser, customers can access Extant's extranet through any ISP. The extranet is protected through a secure connection that turns into an encrypted line once the user signs on.

Also offering extranet service through the public Internet is CyberTrust Secure Extranets. Recently spun off as an independent business unit of GTE, CyberTrust currently maintains extranet networks for Bank One, Wells Fargo, Deutsche Telekom and Telecom Italia.

CyberTrust provides companies with an end-to-end extranet solution, including needs assessment, architecture and design, planning and implementation, evaluation of security policies and procedures and installation of equipment.

"We're the intelligence, the smarts, the know-how," says Michael Yaffe, marketing manager for CyberTrust. "We do the consulting if need be, the needs assessment and provide the hardware or the products - the general core technologies that make this work."

The company has relationships with industry partners to align customers with the vendors that can fulfill their needs, says Ann Marie Beasley, product line manager for CyberTrust.

For example, if a customer has VPN needs, CyberTrust can pair that customer with a leading service provider with that capability, Yaffe adds.

Certifiably secure

CyberTrust and Extant pride themselves on offering high-level security using digital certificates to keep unwanted users out and critical information safe. Digital certification - "basically an unbreakable lock" - is the highest level of security currently employed in extranets, says Karl Fox, director of network security with Extant. A digital certificate is located on the desktop and requires a user to type in an authenticating phrase or set of characters before being allowed access, he says. The secure sockets layer (SSL) protocol then transmits information about the pass phrase, which is used to verify the user, he adds.

Certificates provide privacy, authenticate the sender, ensure integrity of the data being exchanged and provide non-repudiation, making it impossible for a sender to deny that he sent the information, CyberTrust's Beasley says. Certificates also play a role in access control, regulating who can access which pieces of information.

Yaffe compares digital certificates to electronic passports and likens the verifying codes that accompany data sent with a certificate to an electronic signature (Figure 3). The certificates also allow companies to see who has accessed the network, when and for how long, allowing for targeted advertising or distinct promotions.

Digital certificates have a zero false positive rate, meaning no one else could possibly log on as the user, says Steve Neruda, senior manager of network security for Extant.

Companies have other means of security at their disposal when information does not require such tight protection. Extant, for example, uses various security levels. Low-level information usually is encrypted and accessible with a password, but a digital certificate would be unnecessary, Fox says. Passwords are out of the question for higher-level data, he adds, because they are guessable and can be passed around.

For proprietary and other mission-critical information, Extant uses security systems that guard on at least two levels. One such solution is Security Dynamics' SecurID, a credit card-type device from which a user must enter a user name and number to gain access to information. "Security is always a trade-off between resources and convenience, and we want to be convenient," Fox says.

Less secure networks

Extranets also play an important function in the exchange of less critical information. Sprint uses such networks internally for various operations.

Because Sprint's extranet does not involve critical applications, the company protects transactions using firewalls, a less secure means of protection than digital certificates, says Jack Tozier, Sprint's group manager of e-business product management. "The information is essentially SSL-server encrypted and has the capability for secure tunneling," he says. "We have not begun using digital certification and encryption. If we were to go to fiscal exchange, we would employ those."

One Sprint extranet links employees to Sprint's credit card issuer and behind-the-scenes merchant activity, allowing personal expense reports to be processed more efficiently. Monthly credit card charges are sent electronically to Sprint employees, who can submit the files as online expense reports, Tozier says.

Because Sprint processes about 1000 expense report transactions a day through Web applications, the extranet has been a time saver and a cost saver. The system also is linked to payroll, allowing employees to get reimbursement information for out-of-pocket expenses submitted directly to the payroll system, Tozier adds.

Another Sprint extranet enables employees to update their human resources profiles online; that information then is shared with the company that produces Sprint's business cards. The cards are printed based on information that was entered by employees, creating faster turnaround and cutting down on errors, says Sprint's Bacon.

In July, Sprint introduced the Sprint Customer Gateway program, which uses extranets to let some of its large account teams interact with major customers, Tozier says. In the network, Sprint's account teams can collaborate with their customers, exchanging information about business transactions.

The same extranet also allows customers to collaborate with Sprint on orders and order status and, in some cases, on design requests and network design tools. Customers can propose and submit ideas to Sprint engineers, who can work with the design on the secure network, Tozier says. The network is available 24-hours and boosts Sprint's customer service capabilities.

Tozier recommends extranets for companies that are looking to be premier players in the business trading community. Companies that have many suppliers, components or financial areas can begin to open up their systems selectively and securely with the use of extranets, he says.

Companies that use extranets can reduce operating costs and extend their reach across the value chain, Bacon says. "We're talking about creating new kinds of ecosystems that are applicable to any kind of industry. It's actually joining business processes together in a virtual community to solve mutual business problems."

Affordability and the future of extranets

As the use of extranets continues to grow, industry representatives agree that saving money is one of the biggest draws for service providers and enterprise customers.

The ExtantNet software will allow CLECs to manageably create and maintain extranets for end users, says Jones of Extant. "It would be a minor fraction of the kind of money they're having to spend for their [operations support systems]," she says.

And according to CyberTrust's Yaffe, the implementation of a secure extranet will lead to a 40% reduction in help desk calls - the estimated percentage that accounts for lost log-ins and passwords.

Companies also stand to save tens of millions of dollars just by strengthening their inventory control systems and cutting down on lost or stolen data, Yaffe says. "It's something that you can't afford to live without. You have to look at what it will enable you to do, as compared to what you're doing now. The return on investment is really tenfold."

As for the ANX, "We've found in practice that trading partners can save up to 60% of connection cost by consolidating mission-critical applications onto a single connection," Telcordia's Whittle says. Companies also can increase basic savings by optimizing business processes. "The [automobile] industry could save $1 billion a year by improved processes," he adds.

The buzz surrounding extranets is beginning to make its way across various industries. Jones predicts the networks will play an important role in the emerging "business-class Internet," while Bacon says extranets will be used by many because they are not tied to any one industry.

Recent talks with people in the steel, health care and home appliance industries lead Whittle to believe there is a place for the ANX in the future.

"Over time, our vision of ANX service is for it to become the premier business-to-business managed communications infrastructure," he says. "We're committed to making sure the automotive industry stake is preserved and, at the same time, enabling other industries to fully participate in the benefits."