Perhaps the most complex extranet companies are building today follows the secured intranet access model. This is an extranet that allows business partners, or roving employees, direct entry onto the company's intranet via the Internet.

Yours, mine and ours

A secured intranet access application usually requires the use of a virtual private network (VPN). VPNs create an encrypted tunnel between the client and server over a public network, such as the Internet. They are especially useful if a wide range of transactions, such as e-mail, HTML and telnet, needs to be protected and if connections will bounce from server to server.

It also is possible to give users direct access to your intra-net without involving the Internet. For instance, you can use a dial-up infrastructure, but the higher cost associated with maintaining this negates much of the return on investment (ROI) benefits of using an extranet.

You also can contract with a private IP network carrier such as Infonet Services Corp. or Sprint Communications Co. Using a private IP network will give you service and performance guarantees, but again it would cost more than allowing your business partners to use their own Internet connections (see related story, page 15).

Extranet developers who allow access to the intranet from the Inter-net will want to be able to restrict access to the extranet in all sorts of ways, allowing different services for customers vs. suppliers and one vendor vs. another, for example.

The secured intranet access model is seeing its heaviest acceptance among large multinational corporations that have been using dial-up infrastructures. For example, Hudson's Bay Co., a 400-plus department store chain in Canada, is developing an extranet that allows suppliers to log on daily to existing sales systems and gather details on how much of their product has been sold. This wasn't possible with Hudson's dial-up network because the cost of providing secure, high-speed lines to every supplier was simply too high and the task of implementing a security scheme that limited the information each supplier could see was too difficult.

At least 300 vendors will be serviced by this extranet, says Robert Kijak, communications planner for Hudson's Bay, in Toronto. And the extranet could be expanded to handle electronic commerce, particularly for vendors that aren't trading partners on Hudson's existing EDI systems.

"The idea is to use the public network. Most people already have a dedicated high-speed line to the Internet,'' Kijak says. He notes that the extranet will reduce people, equipment and management costs associated with the dial-up environment and improve service.

Money model

The second model - the electronic commerce extranet - is relatively common. It uses the same sort of security and network architectures as a business-to-consumer electronic commerce site but often is developed specifically for business-to-business commerce transactions. So it can use the Secure Sockets Layer (SSL) protocol for encrypting and decrypting communications between server and client session by session. SSL use also may be enhanced with digital certificates, which provide strong authentication and nonrepudiation.

This extranet is popular with two groups of companies. The first comprises small to midsize businesses that do not use EDI with their business partners but still want the benefits of electronic commerce. In particular, they're looking for the cost savings involved with ordering electronically, as well as the ability to invoice electronically and tie the transactions into accounting and purchasing systems.

The second group comprises companies that want to augment existing EDI systems with Web-based commerce to trade electronic information with partners too small to use EDI. However, when the electronic commerce model is used as a replacement for EDI, this extranet will probably need a VPN.

Yanking EDI for a Web-based extranet is a rarity but may become more common. All eyes are watching the Automotive Industry Action Group (AIAG), which will oust old, awkward and expensive EDI with a trading partner extranet called Automotive Network eXchange (ANX).

ANX will handle traditional EDI-types of data exchanges between trading partners, as well as e-mail, CAD exchange, groupware and other applications. Some 40,000 automotive manufacturers and suppliers will trade via ANX, says Robert Moskowitz, cochairman of the IETF's IP Security working group and former chairman of the AIAG's ANX security group at Chrysler Corp.

A specialized model

The third model, for specialized applications, probably is one of the most common methods of building an extranet because it doesn't require a whole lot of security planning and poses little risk to a company's internal network. Access from the application to the intranet is limited or nonexistent. A common security method for the specialized model is basic authentication. When more privacy is required, these extranets may use SSL and stronger authentication.

Examples of the specialized-application model abound. Many technology companies use it to communicate with service contract customers, and it's popular for extranets aimed at a company's dealers. A specialized application actually can get quite complex, as is the case at Ingram Micro, Inc., a multibillion dollar distributor of computer products in Santa Ana, Calif. The com-pany uses a specialized-application extranet to let registered computer dealers place and monitor orders. In essence, the www.ingrammicro. com site is a Web front end to legacy mainframe order entry systems. Virtually any sales transaction that can be done by a call center employee on a terminal can now be done over the Web, Ingram Micro officials say.

Implementing SSL and basic authentication - unencrypted passwords and IDs - made security between the browser and the Web server a minimal hassle and expense. The hard part was creating Java-based applications that interface with the data and application stored on the mainframe, In-gram application developers say.

The benefits have been tremendous. Ingram's customers can get up-to-the-minute pricing, place orders and check order status, without Ingram carrying the cost of a call center employee. And because all of Ingram's customers prefer using the Web rather than the telephone, customer satisfaction has improved. Another example of the specialized-application model is an extranet built by the Defense Advanced Research Projects Agency (DARPA). The extranet, dubbed Extranet for Security Professionals (ESP), allows committees that develop government policies to work online.

Prior to ESP, committees could take years and spend millions of dollars on creating policies, working through in-person meetings, faxes and phone calls. Today, committee members simply log on with digital certificates over an SSL connection and attend virtual meetings. They can even create agents that sniff out information of interest and provide alerts that can be immediately broadcast to all members. "The ESP makes so much sense. It's a simple and affordable way of doing business in the 21st century,'' asserts Matt Donlon, director of DARPA's Security & Intelligence Office, in Washington, D.C. In fact, one policy professional estimated that DARPA would save $1.5 million on its policy-creation project alone, based on internal ROI evaluations that factored in savings of time, airfare and other associated expenses.

Specialized applications can even be easier to create. Some are simple, password-protected Web sites that are placed outside the firewall. This does not refer to a business-to-consumer site that uses basic authentication to collect demographic data. In contrast, an extranet's goal is to restrict access to a specific set of known users.

For example, the CEOlink site bills itself as "a private community on the Web'' for members of The Council of Growing Companies. The CEOlink extranet, at www.ceolink.org, offers information on business management issues, chat sessions, and data and resources such as a "government watch'' to council members, who are CEOs of fast-growing, entrepreneurial companies.

"CEOlink supplies information to complement its annual conference in a cost-effective way. The things on the site are unique, and we are constantly putting new information on it that the council is not publishing in any other way,'' says Mark Towler, the council's Web site developer and president of Phase 2 Development Corp., of Oklahoma City.

The extranet is a boon to the Coun-cil in numerous ways. It is a draw for new members; an easy, cost-effective way for the organization to provide a forum for CEOs to exchange ideas; and keeps the organization in its members' minds. Plus, those who log on do so of their own accord, so they get just the information they want and not unsolicited e-mails.

The last model - the simple, password-protected extranet - is by far the easiest to create with the least amount invested in security. That also makes it the least secure kind of extranet available and not a good choice when sensitive data will be passed between business partners.

If you build it

A word of caution: Every extranet is not a success story, as one clothing manufacturer discovered after spending several thousands of dollars developing Web sites for its distributors. After the launch, the company found that its effort had flopped: Few customers visit the sites, even though they are attractive, speedy and well-organized.

Two lessons can be learned from this. If a company's business partners are not already heavily using e-mail and Web technologies, an extranet may not be the right service for them. And even if they are using those services, the extranet must provide a compelling reason to log on. It must, for example, offer exclusive and important information and a faster, cheaper way to order products or invoice products sold. It must solve an existing business problem or open a new business opportunity. For most companies, an extranet does just that. And it does it faster, cheaper and better than any competing technology to date.

Bort is the coauthor of Building an Extranet, published by John Wiley & Sons.