Extranet security


Mike Chapple
06.12.2006




In our connected society, the lines between an organization's intranet and the Internet are blurring. Almost every organization possesses some need to extend limited access to business partners, suppliers, vendors and/or customers via an extranet. In this tip, we take a look at four important strategies for securing extranets: isolation, strong authentication, granular access controls and use of adequate encryption.

1.) Isolation
Perhaps the most important step you can take when designing an extranet is to protect the network from itself. You're likely used to managing a firewall environment using the screened subnet approach with three zones: a private network, a public network and a DMZ. (For more on this, read my article, Choosing the right firewall topology.) The goal of this strategy is to isolate systems with differing levels of public access from each other. The same is true with an extranet; you need to isolate extranet systems from both the public network and the private network. You certainly don't want to expose sensitive internal systems to your business partners carte blanche. When you design your extranet, keep in mind that you want to expose only the information assets required for successful partnership.

2.) Strong authentication
The second key component of a secure extranet is the use of strong authentication techniques. Where possible, extranets should implement some form of two-factor authentication. The most likely solution where a human is involved in the authentication process is the use of a key fob token approach, such as RSA's SecurID or Secure Computing's SafeWord. If extranet communications take place between unattended servers, consider the use of digital certificates to provide an added level of confidence in the authentication process.

3.) Granular access controls
Granular access controls are essential to the secure operation of complex extranets. If your organization must interact with a number of different suppliers, customers, vendors and business partners, you need to take steps to enforce the principle of least privilege. The ideal scenario, of course, is to implement isolation to such a degree that extranet clients get access to a network zone that only contains resources they are authorized to access. However, the more complicated your extranet, the less likely it is that this approach is practical. Therefore, you should complement your strong authentication controls with granular authorization controls. Administrators should configure access lists in a manner that limits the access of each extranet client to those specific resources necessary for the partnership.
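Sections 1 and 3 describe two gates that a partner's traffic must pass: a zone-level firewall policy that keeps the extranet zone apart from both the public and private networks, and a per-partner access list that narrows each partner to the resources its agreement covers. The policy evaluator below is an added example written for this tip, not code from the author; the zone names follow the tip's screened-subnet layout, while the ports, hostnames and partner identifiers are constructed placeholders. Both gates are default-deny, and the result says which gate rejected a flow, which is what you want in a firewall log when a partner reports that something does not work.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it (constructed fields)."""
    src_zone: str
    dst_zone: str
    dst_host: str
    dst_port: int
    partner: Optional[str] = None   # authenticated partner identity, if the source is a partner


# Zone-level policy: (source zone, destination zone, allowed destination ports).
# Anything not listed is dropped. Note the absence of extranet -> private and
# public -> private entries: partner systems never see the internal network.
ZONE_POLICY: List[Tuple[str, str, Set[int]]] = [
    ("public",   "dmz",      {80, 443}),
    ("private",  "dmz",      {22, 80, 443}),
    ("private",  "extranet", {22, 443}),        # administrators manage extranet hosts from inside
    ("extranet", "extranet", {443}),            # partners only reach services placed in the extranet zone
]

# Per-partner allow lists (least privilege): each partner sees only its own resources.
# Hostnames and partner ids are constructed for the example.
PARTNER_ACL: Dict[str, Set[Tuple[str, int]]] = {
    "acme-supplier": {("orders.extranet.example", 443)},
    "globex-vendor": {("invoices.extranet.example", 443)},
}


def zone_permits(flow: Flow) -> bool:
    """First gate: does the zone policy allow this zone-to-zone flow on this port?"""
    return any(
        flow.src_zone == src and flow.dst_zone == dst and flow.dst_port in ports
        for src, dst, ports in ZONE_POLICY
    )


def partner_permits(flow: Flow) -> bool:
    """Second gate, applied to partner traffic: is (host, port) on that partner's allow list?"""
    if flow.src_zone != "extranet":
        return True  # internal traffic is governed by the zone policy and internal controls
    allowed = PARTNER_ACL.get(flow.partner or "", set())   # unknown partner -> empty list
    return (flow.dst_host, flow.dst_port) in allowed


def decide(flow: Flow) -> str:
    """Evaluate both gates with default deny and report which one rejected the flow."""
    if not zone_permits(flow):
        return "deny:zone"
    if not partner_permits(flow):
        return "deny:acl"
    return "allow"


if __name__ == "__main__":
    samples = [
        Flow("extranet", "extranet", "orders.extranet.example", 443, partner="acme-supplier"),
        Flow("extranet", "extranet", "invoices.extranet.example", 443, partner="acme-supplier"),
        Flow("extranet", "private", "erp.corp.example", 443, partner="acme-supplier"),
        Flow("public", "private", "fileserver.corp.example", 445),
    ]
    for f in samples:
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} {f.dst_host}:{f.dst_port}  => {decide(f)}")
```

Keeping the two gates separate mirrors how the controls are usually deployed: the zone policy lives on the perimeter firewall and changes rarely, while the partner allow list changes every time an agreement is signed or ends, so it belongs in a place that can be reviewed against the contracts.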

4.) Encryption
Finally, extranets should make use of available encryption technology. By nature, extranets involve sharing sensitive organizational data over the Internet. Ensure that extranet clients make use of virtual private network (VPN) technology that provides strong encryption for data in transit over these unsecured networks. Also, ensure that both the VPN solution (both client and server hardware and software) and the encryption algorithm they use meet your security requirements.
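"Meets your security requirements" is only checkable if the requirements are written down as a policy that can be applied to a configuration. The snippet below is an added example, not the author's code: it uses Python's standard `ssl` module as a stand-in for the encrypted transport (a TLS-based VPN client or an HTTPS extranet service), builds a context that enforces a minimum protocol version, certificate verification and forward-secret authenticated-encryption cipher suites, and provides a checker that flags suites falling outside that policy. The version threshold and the cipher-name markers are this example's constructed policy; set them to whatever your own requirements say.

```python
import ssl
from typing import List

# Constructed policy thresholds for this example; adjust to your own requirements.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")              # authenticated-encryption suites
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")  # primitives that fail the policy outright


def weak_ciphers(names: List[str]) -> List[str]:
    """Return the suites that are not AEAD or that rely on a legacy primitive."""
    return [
        name for name in names
        if not any(m in name for m in AEAD_MARKERS) or any(m in name for m in LEGACY_MARKERS)
    ]


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses old protocol versions, weak suites and unverified peers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION
    # OpenSSL cipher string: ECDHE key exchange (forward secrecy) with AES-GCM or ChaCha20.
    # TLS 1.3 suites are AEAD by definition and are governed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.verify_mode = ssl.CERT_REQUIRED   # the peer must present a certificate we trust
    ctx.check_hostname = True             # and it must match the name we dialled
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Audit an existing context against the policy instead of trusting that it was built right."""
    names = [suite["name"] for suite in ctx.get_ciphers()]
    return (
        ctx.minimum_version >= MIN_VERSION
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and not weak_ciphers(names)
    )


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("hardened context meets policy:", context_meets_policy(ctx))
    # Constructed list of suite names as a vendor appliance might report them.
    reported = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"]
    print("flagged:", weak_ciphers(reported))   # the three non-AEAD / legacy suites
```

The audit function is the useful half: run it (or its equivalent for the VPN product's exported settings) as part of the change-control step rather than once at deployment, because vendor upgrades and "compatibility" tweaks are what quietly reintroduce weak suites.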

Remember, the security controls outlined in this article are merely a starting point for a secure extranet design. You need to complement these controls with policies and other mechanisms that comprise basic security best practices. For example, your extranet agreements should clearly specify the security configuration standards for systems that connect to the extranet. You wouldn't want to implement the technical controls described in this tip only to have them defeated by a poorly managed user workstation that's infected by a virus!

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

All Rights Reserved, Copyright 2000 - 2008, TechTarget | Read our Privacy Policy