Network & Systems Infrastructure: Feature

Intranets A to Z

February 18, 2002
By Ron Anderson


In any year, Network Computing covers an abundance of technologies that are vital to designing and running a successful IT infrastructure. We focus on the details of networking so you can make informed buying decisions. With this mission, we sometimes have difficulty envisioning how the pieces fit together. IT professionals' focus can be so narrow that we lose sight of the big picture -- especially in large shops, where specialization keeps the blinders on.

Once in a while, it's important to step back. We aren't about technology for technology's sake (even though some of it is cool); we're about implementing networking technology to drive a business to the next level by providing better customer service, better supplier and partner relations, better access to corporate information and information sharing, better organization, and a fatter bottom line. When we lose sight of the big picture, we run the risk of becoming irrelevant within the corporation. Given today's economic climate, no organization can afford to have vestigial parts lying around.

"Building a corporate intranet" is a broad topic. It's the kind of subject that forces us to look at many different infrastructure and security technologies, including VPNs (virtual private networks), firewalls, authentication methods, identity management and intranet applications, like collaboration tools, messaging software and portals. But even more important, this topic forces us to focus on big-picture items. How can we use technology to equip our co-workers to do their jobs better? How can we provide information to the right people when they need it to help them make better decisions? How can we foster an atmosphere of collaboration that helps diverse groups of people develop great ideas together?

We know that technology is important. Make a boneheaded decision about technology now and you'll suffer down the line, running the risk of derailing the project before it gets to its destination. The destination is what's important; the technology is simply a means to an end.

So as we talk about the technology behind the intranet, let's focus on the big picture.

Build on a Solid Foundation

Like a house, any successful intranet needs to be built on a solid foundation that includes robust methods for security, authentication and identity. A fully implemented intranet can expose your corporate jewels to the world, so do your homework and planning up-front. Don't worry; it's nothing you can't handle. We've covered the details of a number of technologies that underlie a corporate intranet (see "Web Links").

What are the big-picture considerations? Security includes technologies that help protect intranet services from internal and external attacks from the transport layer through the application layer. The transport layer tends to get the most attention, especially when you consider the two linchpins of security -- firewalls and VPNs. The aim of security is to keep the bad guys out and let the good guys in.

Those two goals are often at odds. Employees need easy access to information from wherever they work. You could design your intranet so the firewall blocks access to any IP address that originates from outside your domain, but telecommuters, employees on business trips and others with legitimate needs end up on the outside looking in.

You could combine the firewall with VPN software and limit access to those systems that have been configured to access your intranet. That way, employees who take portable computers away from the office with the appropriate VPN software installed can gain access wherever they are, as long as they are using those company portables. This is a better solution, but it adds significant overhead in installing and maintaining software on remote systems, especially when you consider that many of your employees will want to use this from their home computers.

Then there is the issue of access for employees using whatever computer they happen to be sitting behind. Your users want to get at information via a Web browser, and they want that access from anywhere. Part of your job is to determine how realistic their desire is, and the other part is to figure out a way to make it happen given the resources at your disposal. Are there any business drivers to help you make this decision? Productivity gains are tough to measure, but if your people decide to spend 20 minutes at home working on an important proposal because you've given them the right tools, we think it makes a positive difference.

The question security-conscious technologists tend to ask is, "How can we protect our stuff?" Because the question is framed with a narrow focus, the answer is often restrictive to the point that the objective -- users gaining access -- is compromised. The question should be, "How can we supply safe access to users who need it?" Is it just semantics? Hardly. The way a question is framed goes a long way toward determining the direction the answer takes.

The other side of the security coin is authentication and identity management. Authentication services are ubiquitous, which is why we need to talk about them. In its simplest form, authentication involves a system challenging a user to supply a valid user name and password pair to gain access.

The decisions you make about authentication should help determine your firewall policies. Look into graded authentication such as that offered by Novell's Modular Authentication Service. Based on the strength of the authentication materials, from the low-end password authentication to high-end methods like certificates, tokens and biometrics, you give users access to different levels of information. That's graded authentication. When users do a password authentication from a computer on the floor of a trade show, they can access one set of information; when they do a password plus certificate plus biometric authentication from home, they get much broader access.

We won't even get into the basics -- such as reminding you that authentication transactions must be encrypted (anyone still using FTP? How about telnet or unencrypted POP or IMAP authentication?), preferably with a scheme that never requires the password, encrypted or otherwise, to travel across the wire. What we will focus on is the thing that drives users up the wall.

Too often, a user's credentials are stored on a single system and can be used only for that system. The problem with this form of authentication is that your users need to access information that crosses all kinds of boundaries; they don't want to manage authentication credentials in multiple places, nor should you expect them to. If you think this is bad just within your company, when you factor in your users' experience on the Internet it feels 100 times worse.

Single-system authentication should go the way of the Model T. You can help send the single-system dinosaurs in your enterprise to oblivion by implementing an enterprisewide directory service, then by tying authentication for every system you manage into that directory. LDAP (Lightweight Directory Access Protocol) is the key to making this work.

The major directory implementations as well as many individual applications now support LDAP authentication, though you may be faced with some key applications that don't support it. If that's the case, turn to your directory vendor first. Other businesses are in the same boat. Even though the application vendors sometimes turn a deaf ear, the directory vendors, like Netscape (America Online), Novell and Microsoft, are hearing about your need to integrate and simplify loud and clear.

Management of resources by identity helps ensure that your users have access to exactly the content they need, and it provides you with a mechanism to manage your ACLs (access-control lists) in a sane fashion. If you've ever managed NDS, you know the joy of managing ACLs based on a hierarchy of individual users, groups and OUs (organizational units). When a user changes jobs, moving his or her user object to the new OU automatically gives that user access to all the content granted to the OU and removes access to content assigned to the old OU.

Managing ACLs via a directory makes it easy to keep track of assignments and provides a single point of administration. But what if you're wedded to an application, such as PeopleSoft, that insists on managing its own ACLs? As long as the application has the option to point to your enterprise directory for authentication, user lookup and group membership, you're still ahead of the game since you don't need to manage another name space.
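The graded authentication described above and the OU-inherited ACL model of the directory paragraphs, combined in one added toy example (not the article's code, and not Novell's or any directory vendor's implementation); the OUs, users, resources and grade thresholds are assumptions chosen for illustration:

```python
# Added example, not code from the article: a toy model of graded authentication
# (access tied to factor strength) layered over NDS-style OU-inherited rights.
# Every OU, user, resource and grade below is constructed for illustration.
FACTOR_STRENGTH = {"password": 1, "certificate": 2, "token": 2, "biometric": 3}
# Directory tree: each OU names its parent (None at the root) and the resources it
# grants. Rights flow down the tree, so ou=sales also receives ou=corp's grants.
OU_PARENT = {"corp": None, "sales": "corp", "finance": "corp"}
OU_GRANTS = {"corp": {"phone-directory"}, "sales": {"price-list", "crm"},
             "finance": {"ledger", "payroll"}}
# Minimum authentication grade a session must present to reach each resource.
REQUIRED_GRADE = {"phone-directory": 1, "price-list": 1, "crm": 3,
                  "ledger": 3, "payroll": 6}
USERS = {"alice": "sales"}  # user object -> the OU it currently lives in

def auth_grade(factors):
    """Grade a session by summing the strength of each distinct factor presented."""
    kinds = set(factors)
    unknown = kinds - set(FACTOR_STRENGTH)
    if unknown:
        raise ValueError(f"unknown authentication factor(s): {sorted(unknown)}")
    return sum(FACTOR_STRENGTH[k] for k in kinds)

def ancestors(ou):
    """The OU itself followed by every OU above it, up to the root."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = OU_PARENT[ou]
    return chain

def directory_rights(user):
    """Resources the directory grants the user via its OU and that OU's ancestors."""
    rights = set()
    for ou in ancestors(USERS[user]):
        rights |= OU_GRANTS[ou]
    return rights

def accessible(user, factors):
    """What this session may reach: directory rights filtered by the session's grade."""
    grade = auth_grade(factors)
    return {r for r in directory_rights(user) if REQUIRED_GRADE[r] <= grade}

def move_user(user, new_ou):
    """Move the user object to another OU: old OU grants vanish, new ones apply."""
    if new_ou not in OU_PARENT:
        raise KeyError(f"no such OU: {new_ou}")
    USERS[user] = new_ou
```

A password-only session from a trade-show floor sees only the low-grade resources, while the same user with password plus certificate plus biometric from home reaches everything the OU chain grants, and moving the user object to another OU swaps the grants without touching any per-system credential.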

The big picture? You need to provide access to corporate information from your users' desktops, homes and hotel rooms. Your users will love you when they can use the same authentication materials no matter what resources they need to access. Management will love you because you're spending less time administering name spaces and more time figuring out how to implement the next project that's guaranteed to boost your company's profits.
