Tips to secure your extranets


Mike Chapple, Contributor
05.30.2006


In our connected society, the line between an organization's intranet and the Internet is blurring. Almost every organization has some need to extend limited access to business partners, suppliers, vendors and/or customers via an extranet. In this tip, we look at four important strategies for securing extranets: isolation, strong authentication, granular access controls and adequate encryption.

1.) Isolation
Perhaps the most important step you can take when designing an extranet is to protect your own network from the extranet. You're likely used to managing a firewall environment using the screened subnet approach with three zones: a private network, a public network and a DMZ. (For more on this, read my article, Choosing the right firewall topology.) The goal of that design is to isolate systems with differing levels of public exposure from each other. The same goal applies to an extranet: extranet systems need to be isolated from both the public network and the private network, typically in a zone of their own. You certainly don't want to give your business partners carte blanche access to sensitive internal systems. When you design your extranet, keep in mind that you want to expose only the information assets required for a successful partnership.

2.) Strong authentication
The second key component of a secure extranet is the use of strong authentication techniques. Where possible, extranets should implement some form of two-factor authentication. The most likely solution where a human is involved in the authentication process is the use of a key fob token approach, such as RSA's SecurID or Secure Computing's SafeWord. If extranet communications take place between unattended servers, consider the use of digital certificates to provide an added level of confidence in the authentication process.

3.) Granular access controls
Granular access controls are essential to the secure operation of complex extranets. If your organization must interact with a number of different suppliers, customers, vendors and business partners, you need to take steps to enforce the principle of least privilege. The ideal scenario, of course, is to implement isolation to such a degree that each extranet client gets access to a network zone that contains only the resources it is authorized to access. However, the more complicated your extranet, the less likely it is that this approach is practical. Therefore, you should complement your strong authentication controls with granular authorization controls: administrators should configure access lists so that each extranet client is limited to the specific resources necessary for the partnership, with everything else denied by default.
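The isolation and least-privilege points above can be made concrete with a small model of the extranet access list. This is an added example, not the tip's own material or any firewall vendor's configuration syntax: the zone address plan, partner names and rules are constructed for illustration (documentation address ranges stand in for public addresses). It evaluates requests with default deny and audits the list for rules that let an extranet partner reach the private network, or that are open to any source or any port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan for the screened-subnet zones (constructed for this example).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),      # public-facing servers
    "extranet": ipaddress.ip_network("198.51.100.0/24"),   # partner-facing servers
    "internal": ipaddress.ip_network("10.0.0.0/8"),        # private network
}


@dataclass(frozen=True)
class Rule:
    """One permit entry of the extranet firewall's access list."""
    partner: str
    src: ipaddress.IPv4Network      # the partner's address range
    dst: ipaddress.IPv4Network      # the resource(s) the partner may reach
    port: Optional[int]             # None = any port (overbroad; the audit flags it)


def zone_of(ip) -> str:
    """Longest-prefix match, so the catch-all 'internet' zone loses to a specific zone."""
    addr = ipaddress.ip_address(ip)
    name, _net = max(((n, z) for n, z in ZONES.items() if addr in z),
                     key=lambda item: item[1].prefixlen)
    return name


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """Default deny: return the permit rule that matches the flow, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule
    return None


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Flag permit rules that defeat isolation or least privilege."""
    findings = []
    for rule in rules:
        zone = zone_of(rule.dst.network_address)
        if zone != "extranet":
            findings.append((rule.partner, f"{rule.dst} lies in the '{zone}' zone, not the extranet"))
        if rule.port is None:
            findings.append((rule.partner, f"rule to {rule.dst} permits every port"))
        if rule.src.prefixlen == 0:
            findings.append((rule.partner, f"rule to {rule.dst} accepts any source on the Internet"))
    return findings


# Constructed sample access list: the first rule is what least privilege looks like,
# the other two are the mistakes the audit is meant to catch.
RULES = [
    Rule("acme-supplier",   ipaddress.ip_network("203.0.113.0/28"),
         ipaddress.ip_network("198.51.100.10/32"), 443),
    Rule("acme-supplier",   ipaddress.ip_network("203.0.113.0/28"),
         ipaddress.ip_network("10.0.5.20/32"), 1433),       # partner straight into the private network
    Rule("globex-customer", ipaddress.ip_network("0.0.0.0/0"),
         ipaddress.ip_network("198.51.100.20/32"), None),   # anyone, any port
]

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "198.51.100.10", 443),
                           ("203.0.113.5", "198.51.100.10", 22),
                           ("203.0.113.5", "10.0.5.20", 1433)]:
        hit = is_allowed(RULES, src, dst, port)
        print(f"{src} -> {dst}:{port}: {'permit (' + hit.partner + ')' if hit else 'deny'}")
    for partner, problem in audit(RULES):
        print(f"AUDIT {partner}: {problem}")
```

Run the audit whenever a partner's rules change; the second rule is exactly the "carte blanche" exposure the isolation section warns about, and a default-deny list makes it show up as an explicit permit rather than an absence of a deny.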

4.) Encryption
Finally, extranets should make use of available encryption technology. By nature, extranets involve sharing sensitive organizational data over the Internet. Ensure that extranet clients connect through virtual private network (VPN) technology that provides strong encryption for data in transit over these untrusted networks. Also ensure that the VPN solution (client and server, hardware and software) and the encryption algorithms it uses meet your security requirements, and that clients actually verify the identity of the gateway they connect to; an encrypted tunnel to an impostor protects nothing.
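An added example, not from the original tip, of the "meets your security requirements" check applied to a TLS-based VPN client built on Python's ssl module (an IPsec client would need the equivalent checks in its own configuration). The weak context shows the most common mistake, disabling gateway certificate verification; the hardened context verifies the gateway, requires TLS 1.2 or later and restricts the cipher list. The audit function returns the findings; the CA file path in the comment is an assumed placeholder and is not loaded.

```python
import ssl
from typing import List

# Substrings that identify cipher suites no current policy should permit.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "PSK", "ADH", "AECDH")


def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: the client accepts whatever certificate the 'gateway' presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # anyone on the path can impersonate the VPN gateway
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the gateway, require TLS 1.2+, offer only AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CA store
    # In production, trust only the partner gateway's own CA rather than the whole system store:
    #   ctx.load_verify_locations("/etc/vpn/partner-gateway-ca.pem")   # assumed path, not loaded here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME-style plaintext recovery
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!PSK")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the ways a TLS client configuration fails a reasonable extranet policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("gateway certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the gateway's hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions (TLS 1.0/1.1) are still negotiable")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, "->", audit_context(ctx) or "no findings")
```

The same audit belongs in the partner agreement's configuration standard: a partner whose client skips certificate verification undermines the tunnel from their end just as surely as a weak algorithm would.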

Remember, the security controls outlined in this article are merely a starting point for a secure extranet design. You need to complement these controls with policies and other mechanisms that comprise basic security best practices. For example, your extranet agreements should clearly specify the security configuration standards for systems that connect to the extranet. You wouldn't want to implement the technical controls described in this tip only to have them defeated by a poorly managed user workstation that's infected by a virus!

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This tip originally appeared on SearchSecurity.com.


Copyright 2007 - 2009, TechTarget. All Rights Reserved.