The Fully Connected Corporation
Stephen Catanzano & Kirsten Henderson
This technology brief will help you create a strategy for implementing the above technologies, document the key components of an optimized, secure solution, and configure typical applications.
Companies face increasingly competitive situations that require them to achieve higher levels of productivity while reducing costs. Some of the ways businesses are working to meet this requirement include establishing partnerships with suppliers and complementary vendors, maintaining contact with customers, and distributing more information to employees. Facilitating communication among these players, and providing essential information from anywhere at any time, are critical to timely decisions and streamlined business processes.
The key to success today is not distributing information far and wide, but allowing users to access that information -- without exposing the corporate network to security risks. The three access technologies that companies are using to facilitate communication and extend the reach of information include remote, Internet, and Intranet access.
Remote access is the ability to access information on the corporate LAN remotely. Internet access can be provided to the corporate customer via a dial-up service, modem redirect on a remote access server, or via a dedicated leased line attached to a local Internet point of presence. Intranet access involves the implementation of Internet technologies like web servers and browsers within an organization rather than in the form of an external connection to the global Internet. These three types of access work together to connect business players to the right information. Now is the time for MIS directors to explore remote, Internet, and Intranet access technologies as part of an effort to increase corporate efficiency.
Developing A Strategy For Success
Many companies begin by forming a committee dedicated to exploring opportunities that are consistent with the strategic direction of their firms. Whether you have one cross-functional committee or many departmental committees, it is important to determine your strategic objective. Depending on your initiative, rate of technology adoption, and corporate culture, you can implement one or all three of the following technologies.
Remote Access Strategy
If you have traveling workers and/or telecommuters, or if you are considering moving to such a model, you should consider implementing a remote access solution. Remote node is the best way to give employees remote corporate LAN access. Another method, known as remote control, requires that a dedicated PC be linked to the corporate LAN and subject to access and control by another, remote PC. The basic equipment requirements for remote node access are a dedicated remote access server and the software that runs on the client PC. The remote access server should support the different protocols on the corporate LAN, including IP and IPX, and the client software should be available for different operating systems, including Windows, Mac, and OS/2. For more information on remote control and remote node, please read Shiva's white paper entitled Using Remote Node with Remote Control. To optimize your remote access connection, please consult Shiva's white paper on End-to-End Optimization. Both papers are available on Shiva's web site at www.shiva.com.
The corporate Internet strategy has two components:
A. Providing Internet access for employees. There are many reasons to provide Internet access for your employees. These include obtaining market and competitive research, accessing updated industry news and information, and assembling large networks of diverse people from the business community. For example, the e-mail component of the Internet provides an alternative to voice-based communication with customers, OEMs, and partners. The key criteria for determining the nature of your firm's Internet commitment include the size of the company, the number of people accessing the Internet, and the types of applications they want to use.
B. Using the Internet or World Wide Web to make information about your company available to the public. A home page -- also called a web site -- enables companies to promote their products and services on-line to a huge audience of prospective customers that may access information relating to those products and services on demand. Maintaining a web site is less costly than mailing bulky product catalogs, and customers waste less time manually sifting through volumes of directories.
Opening up your corporation to the Internet does introduce additional security risks. Fortunately a variety of viable security options are available. This critical subject is addressed in depth below.
While the Internet defines the standards-based technologies available for communicating via the global network of networks, the Intranet applies these technologies within the organization via the corporate LAN. In this environment, all of the Internet's benefits can be applied to the corporate LAN by using Internet tools. For instance, since the Internet is based on standards, the infrastructure setup is simple. The classic one-to-many IS problem is solved with the help of Internet technologies on the LAN. Intranet deployment involves developing a private, secure network based on a web server available for use by employees, partners, and other parties.
Web servers send and receive e-mail, compile data and feedback, and can encrypt messages, depending on the level of security that the web server supports. Companies deploy them on their LANs so employees can access corporate newsletters, updates on company events, corporate phone books, and benefit policies, for example.
Virtually any information that has been published on paper can easily be made available on the web server using the HTML language. If you decide to deploy multiple web servers at your corporate site, you will probably want to hire an HTML expert. If you just want to maintain a web site for public use, many Internet service providers (ISPs) will provide this service for you.
Most companies introduce the Intranet as a pilot before implementing a full blown Internet solution. For example, a dedicated web server could be established on one part of the LAN, or at a single site to address a certain issue -- such as storing and reviewing resumes. User feedback could be compiled and utilized to design the strategy for implementing an Intranet company-wide.
Key Internet Components
Outlined below are the components you will want to consider when implementing remote, Internet, and Intranet access.
- Ubiquitous TCP/IP Deployment. Since Internet communications are primarily built on TCP/IP, the corporate LAN protocol must include an IP application that is installed on every desktop and remote computer.
- Web Browser. The web browser is a desktop viewer that allows the user to access information provided on the web server. It provides the user-friendly interface that is critically important to Internet technology acceptance. The browser runs on top of the IP stack and communicates with the server using the industry standard Point-to-Point protocol (PPP). This valuable software should be installed on every desktop and remote computer.
- Web Server. There are many different web servers on the market today. A web server is a Unix- or Windows-based application that runs on a Sun Sparc Workstation (Unix), Windows NT, or Silicon Graphics personal computer system to name a few. Web server software ranges in functionality from simply displaying information to providing secure, encryption-based transactions. The most secure servers use Secure Sockets Layer (SSL) technology.
- Remote Access Server. A multi-protocol remote access server such as the Shiva LanRover links remote users to corporate resources, Intranet applications, and Internet access via analog or ISDN phone lines. An array of communication ports is required as most companies deploy one port per 8-10 dial-in users. The remote access server should support the multiple protocols deployed on the typical corporate LAN. The LanRover supports IP, IPX, NetBEUI, LLC, and Appletalk protocols.
- Client Dial-in Software. In order to establish seamless connections, remote dial-in client software should be installed on remote user PCs. Shiva's award-winning client software, ShivaRemote, is available for unlimited distribution with all Shiva LanRovers. Since end users operate heterogeneous computing environments, the remote access client should be available for different operating systems. ShivaRemote is available for Windows, Mac, and OS/2 environments. The client software initiates the call, negotiates the connection, and terminates the connection when the remote session is over.
- Internet Connection Device. A router, like the ShivaIntegrator 200, is necessary to connect the corporate site to an Internet Service Provider (ISP). The Internet Connection device typically provides IP and IPX protocol support and IP packet level filtering.
- Leased Line Connection. There are several ways to connect a corporation to the Internet. For purposes of this white paper, we will discuss the dedicated leased line solution. Any ISP that provides service to the corporate market will be able to arrange for a leased line connection through the local telephone company. Leased line connections are available in the following speeds: 56Kbps; fractional T1 at 128Kbps, 256Kbps, 384Kbps, or 512Kbps; or a full T1 at 1.544Mbps or E1 at 2.048Mbps. The choice of bandwidth depends on the amount of activity between the corporation and the Internet Service Provider, also known as a point of presence. It is easy to upgrade dedicated service as your access needs grow.
- CSU/DSU. A CSU/DSU connects to the leased line router and determines the speed and type of connection. For instance, depending on the CSU/DSU, a connection could be 56Kbps, fractional T1, or full T1/E1. Your local reseller or ISP can provide the CSU/DSU that best meets the bandwidth demands of your organization.
- Firewall Security. Internet connectivity creates new security needs. A firewall is typically Unix- or Windows NT-based software that filters IP addresses at the application level, screening out unwanted users. There are many firewalls on the market today; we recommend the Eagle Firewall from Raptor Systems because of its easy-to-use graphical user interface and flexible authorization options.
A proper combination of the three access technologies will assure public and private access to local and remote resources. Regardless of the strategy or combination of technologies you choose, security is critically important. The following discussion identifies the different types and levels of security available for remote, Internet, and Intranet access.
Placing a series of security layers on a network is the best approach, beginning with the Internet connection device that connects the corporate site with the ISP or local point of presence (POP). The device, or router, forms the connection and screens out unwanted users from the network. Screening routers use packet filtering to verify the source and destination of every packet sent to the network. A screening router allows the network manager to set a series of criteria that every packet must pass through. The criteria are based on the source address, destination address, source port, destination port, and type of packet. Each criterion is set to permit or deny packets from the network. In the ShivaIntegrator 200, filters can be nested, which means that one protocol filter can call another previously defined filter. This powerful mechanism greatly simplifies filter configuration and maintenance. Separate filters can also be set up for input and output traffic, giving considerable flexibility.
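The screening-router logic described above, as an added example (not from the original brief, and not ShivaIntegrator 200 configuration syntax): a small Python model of ordered permit/deny rules over the five criteria, nested filters, and separate input and output filters. The first-match and default-deny semantics, the filter names, and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # type of packet: "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit", "deny", or "call" (nested filter)
    src: str = "0.0.0.0/0"            # defaults match any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any packet type
    sport: Optional[int] = None       # None matches any port
    dport: Optional[int] = None
    target: Optional[str] = None      # name of the filter a "call" rule invokes

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def validate(filters):
    """A filter may only call one defined earlier, so call chains cannot loop."""
    seen = set()
    for name, rules in filters.items():
        for r in rules:
            if r.action == "call" and r.target not in seen:
                raise ValueError(f"{name} calls {r.target!r} before it is defined")
        seen.add(name)

def evaluate(filters, name, pkt):
    """First matching rule wins; None means nothing in this filter matched."""
    for r in filters[name]:
        if not r.matches(pkt):
            continue
        if r.action != "call":
            return r.action
        verdict = evaluate(filters, r.target, pkt)
        if verdict is not None:       # nested filter decided; otherwise keep going
            return verdict
    return None

def screen(filters, name, pkt):
    return evaluate(filters, name, pkt) or "deny"   # default deny

# Constructed addresses: 10.1.0.0/16 = corporate LAN, 192.0.2.10 = public web server.
FILTERS = {
    "anti_spoof": [Rule("deny", src="10.1.0.0/16")],   # inside source arriving from outside
    "public_web": [Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=80)],
    "input":      [Rule("call", target="anti_spoof"), Rule("call", target="public_web")],
    "output":     [Rule("permit", src="10.1.0.0/16", proto="tcp", dport=80),
                   Rule("permit", src="10.1.0.0/16", proto="udp", dport=53)],
}
validate(FILTERS)

def demo():
    cases = [("input",  Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 80)),
             ("input",  Packet("10.1.9.9", "192.0.2.10", "tcp", 40000, 80)),
             ("input",  Packet("203.0.113.5", "10.1.2.3", "tcp", 40000, 23)),
             ("output", Packet("10.1.2.3", "203.0.113.5", "tcp", 40000, 80)),
             ("output", Packet("10.1.2.3", "203.0.113.5", "tcp", 40000, 25))]
    return [screen(FILTERS, f, p) for f, p in cases]
```

Rule order matters in this model: because the input filter calls `anti_spoof` before `public_web`, a packet claiming a LAN source address is dropped even when it is addressed to the public web server.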
A second layer of security can be applied to the application and presentation layers of the OSI model, through the use of a firewall. Firewalls allow the organization to protect corporate IP addresses from the outside world and prevent unwanted users from obtaining access. A hierarchical list of filtering criteria, called Proxy Daemons, is established to examine incoming connection requests. Each request is subject to preset authorization rules based on both time and type of access. The Eagle firewall from Raptor comes with the SecureConnect management facility that includes suspicious activity monitoring and alerts, multiple types of encryption and authentication, and proxy software. Some firewalls, known as firewall gateways, extend from the application layer to the packet layer, providing a more robust solution. However, even with a firewall gateway, experts recommend at least two tiers of security.
Remote access also opens the network to potential security breaches. Security features of the Shiva LanRover include passwords, user authentication, dial back, and compatibility with third-party security devices. Since the remote user needs a specific authorized user name and password to log into the network, this type of access is considered less risky than that posed by Internet traffic.
Note: Some ISPs are promoting the use of dedicated Internet access at the corporate site as a way to also do remote access. This is a viable solution for corporations that may want to reduce their investment in hardware or maintenance costs. This solution does introduce a security risk unless the solution uses Virtual Private Networking. VPN provides an encrypted tunnel from the client to the corporate site. At the corporate site a firewall is still recommended.
There are at least five corporate access applications that can be identified. The WebRover Stack from Shiva Corporation allows the organization to perform all of these functions at the security level they are comfortable with. The WebRover provides a complete, single solution for remote, Internet, and Intranet access. The high performance Shiva LanRover remote access server and the ShivaIntegrator 200 Internet connection device are at the core of this solution. Raptor Eagle Firewall software is available for added security and peace of mind.
- LAN-based employees connect to the Internet.
- Remote Employee multi-protocol access to Corporate LAN, private internal web server or Intranet, and the Internet.
- Remote Partner multi-protocol access to dedicated web server or Intranet.
- Provision of public web services to the outside world. Single Protocol remote access to public web server through the Internet Service Provider. Corporate web site is accessible to anyone on the world wide web.
- Multi-protocol remote access to public LAN. Public users without Internet service can access public web site, as well as Demonstration programs and other applications for public use. Selective Internet access for remote users can also be provided via this application.
Scenario 1: LAN based employee connects to the Internet
Task: A corporate site with about 90 employees including telecommuters wants to benefit from the wealth of Internet information, including industry news, market data, and competitive information.
Solution: Internet Access
Depending on the number of users and the size of the company there are multiple ways to provide Internet access.
|Number of Users|Access Type|Solution/Options|
|---|---|---|
|1 - 10|Dial up access over analog|Any browser that has a dialer application including Netscape's Personal Edition and Windows '95|
|1 - 20|Dial up access over Basic Rate ISDN|Browser with a dialer that supports ISDN or a dedicated router that supports 1 or 2 BRI channels|
|10 - 50|Dial out from a Corporate Network over analog or ISDN|Shiva LanRover remote access server supports dial out|
|50 and up|Dedicated service, always available from the network|Full time router and connection to the Internet via no dialing ISDN, leased line (56k, fractional T1 or T1/E1)|
Since this scenario site has over 90 users that will be accessing the Internet, a dedicated leased line is the best solution. This application requires an Internet connection device -- in this case, the Shiva Integrator 200, which is part of the WebRover Stack. Most dedicated services come in bandwidths of 56Kbps, 128Kbps, 256Kbps, 384Kbps, 512Kbps or a full T1 at 1.544Mbps (or E1). Your ISP will help you secure the leased line connection. The CSU/DSU you choose will determine the connection speed and type that you need.
Scenario 2: Secure Employee Remote Access to corporate LAN, private network, and Internet
Task: A global organization that wants to provide remote and Internet access to traveling workers and a significant telecommuting population. All of the core business information and processes are on the multi-protocol corporate LAN, and employees need access to them anywhere any time. In addition to files and databases, the organization would like employees to have access to other types of private information like medical insurance benefits, 401K updates, stock quotes, the employee handbook, etc. The organization wants to ensure that the information meant only for employees is secure, while giving access to the important information on the Internet.
Solution: Remote, Intranet, and Internet access with security firewall
Set up the Shiva LanRover on your network for employee remote access. Employees will be able to dial in to the site and connect to the network with their dial-in client. Once connected, users become a node on the network and can access all of the same resources as though they were at the office -- including the private web server and the Internet. The LanRover prevents unwanted users from gaining access to the corporate network through the use of user name, password, and other security options.
Here's how to proceed: Configure a web server on your corporate LAN to house private information for employees and install a web browser on remote PCs. Users can find important corporate information easily with the browser, and the organization doesn't have to worry about mailing catalogs and binders each time they are updated. The firewall makes sure the employee is the only user that has access to the segment of the LAN where the private web server resides.
Scenario 3: Secure Partner Access to Dedicated Web Server on partner LAN
Task: The corporation has an extensive network of resellers, suppliers, and customers. The printing, mailing, and human resource expenses associated with communicating with these partners on a regular basis have become overwhelming. The corporation wants to simultaneously provide current information to these important contributors and facilitate communication with them. As information is communicated to this expanded network of people, the corporation will effectively extend the reach of its products, services, and corporate message.
Solution: Remote and Intranet Access
Install a dedicated remote access server and web server at the corporate site, and provide partners with ShivaRemote or ShivaPPP dial-in software for their remote PCs along with a web browser. The dedicated servers ensure that information intended for partners will only be accessed by partners. Configuring the firewall behind the partner remote access server restricts partners from accessing the sensitive information on the corporate network.
Scenario 4: Provision of Public Web Services to outside world
Task: Now that LAN-based and remote employees have been using the Internet, they realize that their company is at a competitive disadvantage because it does not have a web site to display information for the general public. Other companies use this avenue to announce and advertise products, provide end-user product support, post bulletins, and generally enhance their image.
Configure a web server on the corporate LAN in front of the firewall. Public end users all over the world with Internet service will be able to view information about your company at any time by dialing in to their ISP and accessing the web server through the ShivaIntegrator 200. Visitors to the site can be prompted to provide information, download software, and even provide feedback and comments via e-mail. The public web site provides an avenue to communicate with end users and to gather important information about your customers.
While it is beneficial for end users to learn about your company, it could be catastrophic if competitors gained access to private information on the corporate network. Two levels of security prevent public users from entering the corporate LAN. The first level of security is in the ShivaIntegrator 200 router, in which packet layer IP filtering restricts users based on their type of IP address. The firewall provides the second level of security at the application layer of the OSI model by examining the actual IP address of the visitor.
Scenario 5: Ubiquitous Access to Public LAN
Task: Not all users have Internet service. There are some potential customers or vendors that would like access to the web site on the public LAN, but also access to demonstration programs or other public information on the LAN that might involve other protocols.
Place a Shiva LanRover on the public LAN, in front of the firewall. This will allow the organization to give out the phone number for the LanRover and the Shiva dial-in client to potential customers or partners without Internet service, so they can access information on the public LAN. This configuration also allows the network manager to give selective Internet access to employees or users. The firewall will prevent these users from accessing the corporate LAN, and the LanRover security ensures that only authorized users can dial in to the public LAN.
The Shiva WebRover Stack provides a complete, secure solution for all of your corporate access needs.
As the private corporation converges with the public technology of the Internet, information and communication become abundantly available to local and remote employees, partners, and customers. Each of the above application scenarios demonstrates productivity gains by allowing employees to work from any location and gain access to valuable corporate and public resources. Suppliers, partners, and customers are easily and securely sharing information while improving their organizations.
To date, this phenomenon has primarily manifested itself in the world of high tech, where companies are working with partners, suppliers, and customers to provide seamless, high-performance access solutions for other corporations, non-profit organizations, government institutions, and educational facilities. As the Internet becomes a larger, more pervasive force, all segments of the business community will come to depend on its information-rich resources. Where the corporation meets the Internet, WebRover Stack is the solution.