Firewall Wizards mailing list archives

Re: Extranet vs. VPN (was: Non-IPsec VPN products)


From: marcvh () aventail com
Date: Fri, 24 Aug 2001 11:00:51 -0700

Crispin Cowan sed:
> So what's the difference between "extranet" and "VPN"? I always thought of
> "extranet" as "VPN to my remote locations" which is only barely
> distinguishable (at a technical/product level) from "VPN to my corporate
> partners."  The distinction appears to be what you use your VPN for, but the
> product remains the same.
>
> So what is the difference (in your terms) between an extranet and a VPN?


I agree that there's considerable overlap in the capabilities of VPNs
and Extranets, as well as the tools that can be used to build both.
I've seen them defined as "your intranet extended beyond the
boundaries of your company" but I tend to prefer examples to
definitions.


Let's see.  Suppose I'm a company and I have a corporate database
which is accessed by my employees sitting in our headquarters using
an application.

Suppose I want some employees from a branch office to be able to use
that same application to access the database, so I set up an encrypted
tunnel connecting their LAN to the headquarters LAN.  That's clearly a
VPN.

Suppose I also want remote employees (telecommuters, say) to be able
to use this application via their existing ISPs, so I set up some sort
of network-based dial-in.  That's remote access, and I'd call it a
type of VPN service.

Suppose I want to let employees access this database without needing
to use the application, so I build a web server which front-ends some
of the database.  That's one type of intranet service.

Suppose I decide I want to open that web server up, so that not just
employees but customers, suppliers, resellers, etc. can access part of
the database.  That's one type of extranet service.


Some practical differences between VPNs and Extranets are in the area
of requirements...

In a VPN, you often can exert a lot of control over the environment of
your users.  If you want, you can tell them they must use Win2K, they
must use a specific version of Outlook Express, they must not use a
router that does NAT, they must disable their ability to use other
network resources while connected to you, etc.  In an extranet such
restrictions may not be practical.

In a VPN, users generally expect high transparency; they want their
VPN'd use of the network to work exactly the same way things work when
they are sitting at their desk on the LAN.  In an extranet, the users
likely don't have these expectations (because they don't have a desk
on your LAN.)


Anyway, don't know how much this helps; I'm sure other people see the
same thing a little differently.

-- 
Marc VanHeyningen                 marcvh () aventail com
Internet Security Architect
Aventail                          http://www.aventail.com/


