1 / 20

Building an Effective Extranet

Building an Effective Extranet. Sumner Blount Product Manager Netegrity. Products and Services for e-Business. Publicly traded (NASDAQ: NETE) 4 Years of experience providing security products and services to over 400 firms 1998 Revenues: $5 million

zeke
Download Presentation

Building an Effective Extranet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Building an Effective Extranet Sumner Blount Product Manager Netegrity

  2. Products and Services for e-Business • Publicly traded (NASDAQ: NETE) • 4 Years of experience providing security products and services to over 400 firms • 1998 Revenues: $5 million • Industry leader in secure user management market

  3. Key Issues in Extranets • Directories - how to track and manage users, whether they are employees, partners, or customers. • Security - how to limit access to sensitive information to properly authorized people. • Integration - how to integrate the security model with the directory infrastructure • Scalability - how to support huge numbers of users and policies • Extensibility - to meet unique needs of each environment

  4. Current Directory Situation “On average, a corporate user name appears in 16 different places, each of which must be administered” - PC Week, 7/21/97 “The average Fortune 1000 company has 181 directories, and 42% synchronize their directories manually” - Forrester, 7/14/98 Other Apps HR Email Partners Name: Org: Title: Salary: Name: Company: Security: Name: etc,etc…. Name: Email:

  5. Directories: What’s the Payback?The cost of doing nothing Dir-1 Dir-2 ..... Dir-n $ $$$ $$ Config Admin Training Maintenance $$$ $$ $ $ $$$ $$ $ $$$ $$ Total: Lots of $$$$$$$’s

  6. ROI: The Cost of Redundant Directory Administration An example of directory administrative costs: • Assumptions: • Directories: 6 • Users: 25,000 • Turnover: 20% • Edit time: 15 min Source: The Burton Group

  7. Key Issue: Extranet SecurityWhy is it so critical? • Your “family jewels” are heavily exposed! Your business information and processes could be your competitive advantage • Partner relationships are dynamic - today: your partner. Tomorrow: your competitor • Your partner companies are multi-faceted - one division might be a partner, another a competitor.

  8. Web content…. Web content…. Web content…. Web content…. Web content…. Web content…. • Combinations (“AND”) • Fallbacks (“OR”) Extranet Authentication • Flexible authentication schemes • Basic • Certs • Tokens • Forms • Custom • Authentication “levels” for easier single sign-on • Authen. methods associated with resource security Employees Partners Customers Requirements:

  9. Extranet Access Control • Provide Higher-level abstraction than ACLs • Provide permissions on sub-page objects • Allows easy personalization of content • Requires: both static and dynamic permissions • Provide Policies attached to any directory object • Integrate access control with business logic

  10. Users Privileges Users Privileges Users Privileges The Traditional Approach Hundreds of eCommerce Apps. Separate Directories and Access Controls Millions ofUsers MultipleLog-ons OrderStatus Log-on BillingStatus Log-on Claims Log-on

  11. Application Servers Directory Servers Web Servers Authentication Servers The Result:Disparate technologies make sites difficult to navigate & manage

  12. Web Servers Application Servers Authentication Servers Directory Servers The Solution:Secure User Management Policy Server Controlling access for hundreds of applications and millions of users

  13. SiteMinder: Secure User Management • Centralized access control • Single sign-on • Full, native directory integration • Distributed user management SiteMinder is a secure user management system that provides...

  14. SiteMinder Architecture Users Application Servers Custom Applications Resources WebServer(s) ISAPI or NSAPI HTTP, SSL Web Agent Encrypted TCP Employees Partners Customers • Web Agent: • URL • HTML Page • Active Server Pages • Application Server Agents • Application rights • Custom Agents: • Client-Server Apps SiteMinderPolicy Server(s) Directory Service(s) LDAP, ADSI, ODBC

  15. SiteMinder Authorization • Based on Access Control Rules & Policies • Rule = Action + Resource + Time + <Active Rule> • Policy = Rule(s) + Directory Object + Response + <Active Policy> • The user’s DN from authentication maps to the correct policy • Policies can be bound to any directory object or “ou” • Policies can be bound to any attribute search constraint • The Active Rules and Policies API provide integration of business logic with authorization decisions.

  16. Native Directory Integration User and Group information NT Domain Netscape Directory Novell NDS • All user + group information is obtained from directory • Policy info can also be stored in LDAP directory • Support for Directory “Chaining” SiteMinderPolicy Server

  17. App Server Non-HTTP Application (early 99) IIS (NT) Netscape (NT,UNIX) SiteMinder Single Sign-On Firewall Web Agent Web Agent App Agent Custom Agent RADIUS Services Policy Server

  18. WebServer WebServer WebServer Web Agent w/Cache Web Agent w/Cache Web Agent w/Cache Policy Server w/Cache Policy Server w/Cache Policy Server w/Cache Directory Server Directory Server Extranet Scalability: Load Distribution and Replication/Failover Requests from web server can be distributed across Policy Servers Requests from Policy Servers can be distributed across Directory Servers Replication

  19. Extranet ExtensibilitySAFE: Secure Access Framework for Enterprises Custom interfaces Custom Agents Policy Mgt. interface Agent Interface SiteMinderPolicy Engine DirectoryServices Interface(LDAP, ADSI) Other Directories AuthorizationInterface AuthenticationInterface RADIUSInterface Policy Extensions Auth. Methods RADIUS Clients

  20. Summary • Corporate extranets are experiencing very high growth • The key requirements for extranet deployments are: • A central model for managing all access • Native directory integration • Distributed & delegated user management • Single Web Sign-on • Scalable to millions of users

More Related