- Using a World-Wide Network (the Internet)
- Smaller than the Internet, Bigger than a LAN (Intranets and Extranets)
- Where To From Here?
- The Least You Need to Know
Smaller than the Internet, Bigger than a LAN (Intranets and Extranets)
Intranets and extranets were created as a natural evolution from the public Internet. They reflect organizations' desire to combine the reach of the widely accessible Internet with the need to communicate securely with employees and various associates.
It helps to describe the features that are common to the Internet, intranets, and extranets. The most basic similarities between these networks are:
They are all built using TCP/IP protocols. These protocols define rules for such things as how messages are routed on the network and what types of services are supported.
They use the same methods of identifying computers and users on the network. Names are organized in a hierarchy referred to as the domain name system (DNS) and numerical representations of those names are referred to as IP addresses. (DNS and IP addresses are discussed later in this chapter.)
Because they use the same protocols and naming methods, the different types of networks can use the same network-ready applications (such as Web browsers and email), security methods, and system administration tools.
Differences Between the Internet, Intranets, and Extranets
If the Internet, intranets, and extranets sound similar, you might wonder what it is that makes them different. The truth is that from a technology standpoint, these types of networks are pretty much the same. The primary differences come from the way that the networks are used. Following is an explanation of how the Internet, intranets, and extranets differ:
The Internet The Internet is a "wide-open" network, made up of many public and private networks joined together. The vast majority of resources on the Internet are intended for public access. Users can view Web pages, send email, and access FTP sites associated with thousands of organizations all over the world.
Intranets An intranet is a private network that is controlled by a business or organization. It is intended for company business and is generally inaccessible to the outside world. Usually, people within the company communicate with each other using many of the same tools used on the Internet: Web browsers, network administration tools, and various collaborative programs.
Extranets An extranet is actually an intranet (privately maintained) that extends its network to remote users, suppliers, or other businesses or organizations with which it wants to collaborate. To extend outside of the company intranet, extranets often enable people from these outside organizations to connect to the intranet using secure connections over the public Internet. Extranet secure connections are accomplished with what are called Virtual Private Networks (VPNs).
Virtual private networks (VPN), for securely connecting to private networks over public networks, are described in Chapter 11, "Linking Your Home and Office Networks."
The Domain Name System
The domain name system (DNS) ensures that the computers on the Internet have unique names and IP (Internet Protocol) addresses. Domain names are organized in a hierarchy that is probably familiar to you by now; these days, it seems that every business has a .com (dot-com) Internet address that conforms to the DNS.
Well, that .com is just one of many top-level domain names. Each top-level domain name represents a category of domains under which many individual domain names exist. For example, following are some top-level domain names you might be familiar with:
.com Includes commercial domains, such as large corporations, wholesalers, and small businesses.
.gov Includes many U.S. government domains.
.org Includes various kinds of organizations.
.edu Includes educational institutions, particularly colleges and universities.
.net Includes organizations associated with computer networks, such as Internet service providers.
Because the first top-level domains were created for companies, government agencies, and universities in the United States, as organizations from other countries joined the Internet, top-level domains were added for each country. Following are some examples of top-level country domains:
jp for Japan
uk for United Kingdom
ca for Canada
de for Germany
Network Solutions, Inc. (http://www.networksolutions.com/) is where you can register for a domain name. That company allows registration of .com, .net, and .org domains (and it shares that responsibility with several other companies such as Register.com). Instead of contacting Network Solutions, you can often have the Internet service provider (ISP) you choose obtain a domain name for you. (Look in your local phone book to find ISPs that serve your area.) Before you can register the domain, you will need contact information from your ISP anyway.
Here are a few statistics about domain names (courtesy of Network Solutions):
Of the .com, .net, and .org domains, 77% are .com, 15% are .net, and 8% are .org.
Although there has been a lot of talk about people "squatting" on domain names (that is, registering them with the assumption that someone else will pay them for it), 80% of the people purchasing domain names purchase only one, while another 10% purchase only two.
In the United States, California recorded the most domain name registrations as of April, 2000, followed by New York, Florida, Texas, and Illinois.
For U.S. cities, New York has recorded the most domain name registrations, followed by Los Angeles, San Francisco, Chicago, and Miami as of April, 2000.
Of the businesses registering for domain names in the first quarter of 2000, attorneys led the list, followed by computer software companies, Internet service companies, real estate companies, and advertising agencies and counselors.
Of the countries outside the United States registering the most domain names, Canada leads the way, followed by the United Kingdom, Korea, France, Italy, and Japan.
Check This Out
To find out if a domain name is available, go to http://www.networksolutions.com/ and type the name you are interested in into the Search for domain name box, choose a domain (.com, .net, or .org), and click Go. Few common words or phrases are available any more in the .com domain.
Assigning Domain Names
After an organization is assigned a domain name under a top-level domain, it is within the organization's control to organize and name all its computers under that domain name. For example, for a commercial domain named handsonhistory, the domain name is
Any computers within that domain can either be added directly to the domain name or to additional subdomains. For example, computers named decoys and baskets might be called decoys.handsonhistory.com and baskets.handsonhistory.com. Or, you might add a subdomain of crafts and have the computers named decoys.crafts.handsonhistory.com and baskets.crafts.handsonhistory.com.
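The naming hierarchy just described can be walked programmatically. The following is an added example, not code from the book: it splits a host name into its labels, lists every enclosing domain up to the top-level domain, and checks whether a host really lies under an organization's domain. The handsonhistory.com names are the book's; evil-handsonhistory.com is a constructed look-alike used to show why the check must compare whole labels rather than the end of the string.

```python
# Added example (not from the book): walking the DNS hierarchy of a host name
# and checking whether a host belongs to an organization's domain.
# handsonhistory.com names come from the book; evil-handsonhistory.com is constructed.

def labels(name: str) -> list[str]:
    """Split a DNS name into its labels, most specific first ("decoys", "crafts", ...)."""
    name = name.rstrip(".").lower()          # trailing dot is optional; names are case-insensitive
    if not name:
        return []
    parts = name.split(".")
    for p in parts:
        if not p or len(p) > 63:             # empty or oversize labels are not valid DNS labels
            raise ValueError(f"invalid label in {name!r}")
    return parts

def parent_chain(name: str) -> list[str]:
    """Every enclosing domain of a host, from its subdomain up to the top-level domain."""
    parts = labels(name)
    return [".".join(parts[i:]) for i in range(1, len(parts))]

def top_level_domain(name: str) -> str:
    """The last label, e.g. 'com' for decoys.handsonhistory.com."""
    return labels(name)[-1]

def in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or lies somewhere under it.
    Whole labels are compared, so 'evil-handsonhistory.com' is NOT under
    'handsonhistory.com'; a plain endswith() test would wrongly accept it."""
    h, d = labels(host), labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d

if __name__ == "__main__":
    for host in ("decoys.crafts.handsonhistory.com", "evil-handsonhistory.com"):
        print(host, "->", parent_chain(host), in_domain(host, "handsonhistory.com"))
```

The label-wise comparison in in_domain is the detail worth remembering: suffix matching on the raw string is a common mistake in access-control and certificate-checking code.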
Assigning IP Addresses
The IP address is used to actually communicate with a computer on the Internet. Domain names are translated into IP addresses before requests to communicate with a computer are made (either a DNS server or a list of names/addresses on your computer usually does the actual translation).
The IP address is made up of four numbers (from 0 to 255), separated by dots. Each number is referred to as an octet because it consists of 8 bits. A bit is the smallest unit of information to a computer, with each bit representing either a 0 or a 1. So, if you understand binary numbers, you will know that all 8 bits set to 0 represent the number zero and all 8 bits set to 1 represent the number 255. Other combinations of 0s and 1s create the other numbers between 0 and 255.
The following is an example of an IP address:
Because any given organization usually has many computers, each organization is given a set of IP addresses to assign to its computers. Originally this set of numbers was associated with a class of addresses (Class A, B, or C), each containing a different number of host (that is, computer) addresses; address classes are discussed in the next section. Because IP addresses were running out, and the class system rarely resulted in the right number of addresses being assigned, a new method referred to as Classless Inter-Domain Routing (CIDR) is now being used. CIDR is discussed later in this chapter.
IP Address Classes
The four parts of each IP address actually represent two logical parts. The first logical part of each IP address represents a subnetwork, and the other part represents a particular computer on that subnetwork. The trick is that, depending on the network class, the parts of each address that represent the network and computer change.
A Class C network address contains up to 256 host addresses (the last of the four octets). A Class B network contains 65,536 host addresses (the last two of the four octets). A Class A network contains more than 16 million host addresses (the last three of the four octets). Remember, each octet represents numbers from 0 to 255, so you multiply 256 x 256 to get the number of Class B hosts and 256 x 256 x 256 to get the number of Class A hosts.
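The octet arithmetic and the classful split described above, as an added example (not the book's code). It validates a dotted-quad address, shows each octet as its 8 bits, and divides the address into network and host parts the way the A/B/C classes do. The first-octet ranges used to recognize each class (A: 0 to 127, B: 128 to 191, C: 192 to 223) are the standard classful definitions, which the text does not state. The sample addresses are constructed.

```python
# Added example (not from the book): dotted-quad parsing, octet bit patterns,
# and the classful network/host split. Class ranges by first octet are the
# standard definitions (A 0-127, B 128-191, C 192-223); sample addresses are constructed.

def parse_octets(address: str) -> list[int]:
    """Return the four octets as integers, rejecting anything outside 0..255."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"{address!r}: expected four dot-separated numbers")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"{address!r}: octet {p!r} is not in 0..255")
        octets.append(int(p))
    return octets

def octets_to_binary(octets: list[int]) -> list[str]:
    """Each octet as 8 bits: 0 -> '00000000', 255 -> '11111111'."""
    return [format(o, "08b") for o in octets]

def address_class(address: str) -> str:
    """Classful category of an address, decided by its first octet."""
    first = parse_octets(address)[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "other"          # multicast and reserved ranges, not covered by the text

# How many leading octets make up the network number in each class.
CLASS_NETWORK_OCTETS = {"A": 1, "B": 2, "C": 3}

def split_network_host(address: str) -> tuple[str, str, int]:
    """(network part, host part, host addresses in that class of network):
    256 for class C, 65,536 for class B, 16,777,216 for class A, as in the text."""
    cls = address_class(address)
    if cls not in CLASS_NETWORK_OCTETS:
        raise ValueError(f"{address}: not a class A, B or C address")
    n = CLASS_NETWORK_OCTETS[cls]
    octets = parse_octets(address)
    network = ".".join(map(str, octets[:n]))
    host = ".".join(map(str, octets[n:]))
    return network, host, 256 ** (4 - n)

if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.6", "192.168.1.10"):
        print(a, octets_to_binary(parse_octets(a)), address_class(a), split_network_host(a))
```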
Needless to say, this was a fairly inefficient way of assigning addresses. In fact, whole Class A and Class B addresses are no longer assigned. Now you need to make a case for the number of IP addresses your organization gets.
IP addresses are running out, requiring that some tricks be used (such as assigning IP addresses dynamically as needed) until the next generation of the Internet is put in place. The next generation of the Internet (IPv6) has a virtually limitless number of IP addresses and uses six octets instead of the current four octets. (IPv6 is described in Chapter 16, "To the Internet and Beyond.")
Classless Inter-Domain Routing (CIDR)
Besides being wasteful for allocating addresses (a single class A, B, or C network number rarely fit an organization), IP classes were also inefficient when it came to handling Internet routing tables. Routing tables are lists of information that are stored on each router on the Internet so that it knows which networks to route packets to. The information that routers needed to do their job was getting to be too much. To improve this situation, Classless Inter-Domain Routing (CIDR) was adopted.
CIDR is similar to, but more flexible than, class-based assignment of IP addresses. Using a different form of notation, IP address networks containing from 32 to about 524,000 host addresses can be assigned. A CIDR IP address uses a slash (/) followed by a number from 13 to 27 to indicate how many bits in the IP address reflect the network. Here is an example of a CIDR IP address:
Here, the first 16 bits (that is, the first two dot-separated numbers, 123.45) represent the network number and the next 16 bits (that is, the last two dot-separated numbers, 67.89) reflect the host number. Wondering how many host computers could be in a network, based on the number following the slash? Here is the number of hosts you could have in each CIDR network:
By assigning only the number of IP addresses to an ISP that the ISP needs, and having that ISP use the addresses in a single geographic area, routing becomes more efficient. Think of how zip codes work with the postal service. A zip code directs a letter to a particular post office that handles a particular geographic area. Imagine if letters sent to one zip code actually were destined for places all over the country. Each post office would require multiple routes within each zip code that routed letters again to distant places. That's how IP addressing often worked before CIDR. With CIDR, after a router knows how to locate the ISP's network, the ISP can manage the routing to all the computers on its nearby network.
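The prefix-length arithmetic and the routing-table benefit described in this section, as an added example using Python's standard ipaddress module (this is not the book's code). It splits a CIDR address into network and host numbers, builds the hosts-per-prefix table for /13 through /27, and shows how several adjacent blocks collapse into a single route. 123.45.67.89/16 is constructed to match the /16 walkthrough in the text; the 198.51.100.x blocks are constructed documentation-range addresses.

```python
# Added example (not from the book): CIDR arithmetic with the standard library.
# 123.45.67.89/16 mirrors the text's /16 walkthrough; other addresses are constructed.
import ipaddress

def cidr_parts(cidr: str) -> dict:
    """Network number, prefix length, host number and host-address count of a CIDR address."""
    iface = ipaddress.ip_interface(cidr)   # keeps the host bits (ip_network would reject them)
    net = iface.network
    host_bits = 32 - net.prefixlen
    return {
        "network": str(net.network_address),            # e.g. 123.45.0.0
        "prefix": net.prefixlen,                        # e.g. 16
        "host_number": int(iface.ip) & ((1 << host_bits) - 1),   # value of the host bits
        "host_addresses": net.num_addresses,            # 2 ** host_bits
    }

def hosts_per_prefix(lo: int = 13, hi: int = 27) -> dict[int, int]:
    """The table the text refers to: /13 allows 524,288 addresses, /27 allows 32."""
    return {p: 2 ** (32 - p) for p in range(lo, hi + 1)}

def aggregate(routes: list[str]) -> list[str]:
    """Collapse adjacent blocks into the fewest CIDR routes. This is what lets
    a router carry one entry for an ISP instead of one per classful network."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    print(cidr_parts("123.45.67.89/16"))
    print(hosts_per_prefix())
    print(aggregate(["198.51.100.0/24", "198.51.101.0/24",
                     "198.51.102.0/24", "198.51.103.0/24"]))
```

Note that host_addresses counts every address in the block; in practice the first (network) and last (broadcast) addresses of each block are not assigned to hosts.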
Domain Names and IP Addresses in Intranets and Extranets
That was a quick description of how Internet names and addresses work, but you might wonder how that relates to intranets and extranets. In terms of host names, most intranets and extranets organize their computers under the company's domain name. However, if a computer from the Internet tries to contact a computer on the company intranet, in most cases the company's firewall will refuse that request (depending on how security is set up). A firewall is a specially configured computer that is there to monitor what information can travel in and out of the company's intranet. (Firewalls are described in Chapter 14, "Securing Your Fortress.")
As for IP addresses, a special set of IP addresses is reserved to be used by any intranet. Because most or all the computers on the private part of a company's network might not be reachable from the Internet due to security constraints, this same set of IP addresses can be used by all intranets. Internet routers know that these addresses are never accessible from the Internet.
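An added example (not the book's code) of how a firewall can use the reserved intranet address blocks the paragraph above refers to. The blocks are those of RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which the text alludes to but does not list. Because those addresses are never routed on the Internet, a packet that arrives on the external interface claiming a private source address cannot be genuine; the example scans constructed firewall log lines for that condition.

```python
# Added example (not from the book): recognizing the reserved private address
# blocks (RFC 1918) and flagging external-interface traffic that claims a private
# source address. The log lines are constructed for the example.
import ipaddress

PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(address: str) -> bool:
    """True if the address falls in one of the blocks reserved for private networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)

# Constructed sample: key=value records from a firewall with an external (ext)
# and an internal (int) interface.
SAMPLE_LOG = """\
2000-04-01T10:00:01 iface=ext src=203.0.113.7 dst=192.168.1.20 dport=80 action=accept
2000-04-01T10:00:02 iface=ext src=10.0.0.9 dst=192.168.1.20 dport=23 action=accept
2000-04-01T10:00:03 iface=int src=192.168.1.5 dst=198.51.100.3 dport=443 action=accept
2000-04-01T10:00:04 iface=ext src=172.16.40.2 dst=192.168.1.21 dport=22 action=accept
"""

def parse_line(line: str) -> dict:
    """Turn 'time k=v k=v ...' into a dict with a 'time' key."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    fields["time"] = tokens[0]
    return fields

def spoofed_private_sources(log: str) -> list[str]:
    """Source addresses seen on the external interface that are private.
    Such packets are spoofed or leaked, never legitimate Internet traffic,
    and a firewall should drop them rather than accept them."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if f["iface"] == "ext" and is_private(f["src"]):
            hits.append(f["src"])
    return hits

if __name__ == "__main__":
    print(spoofed_private_sources(SAMPLE_LOG))
```

The check is written out explicitly so the three blocks are visible; ipaddress also offers an is_private attribute on address objects, but that one additionally covers loopback, link-local and other special ranges, so it answers a broader question than "is this an intranet address".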
Check This Out
As with domain names, you can also obtain IP addresses through your ISP. If you would like to obtain your own IP addresses, however, you can do so by contacting the American Registry for Internet Numbers (http://www.arin.net/).
Opening up a company's network to the Internet can be dangerous (in terms of security) and can also hurt performance (if the whole world can access your network, it can slow network traffic within your company). At the same time, however, Web browsers and Internet protocols can be great tools to include on a company's network. You can publish company manuals in HTML or use Web-based teleconferencing tools, for example.
Someone creating a network for a private company needs to consider the following:
Security measures (discussed later in this chapter) are needed to protect company information, such as financial data and strategic planning information.
For employees to get their jobs done, companies need to have the capability to manage and protect the performance and reliability of their networks.
An intranet is one way of allowing network connectivity within a company, at the same time protecting those resources from the outside world. In general, an intranet is a private network that uses the same software and hardware components as those involved in running the Internet. Although a small company, housed in the same location, can get by with one or two LANs connected together, a larger company might need to interconnect many separate networks from diverse locations. A well-planned intranet might be the answer.
With an intranet, a company can build its network using well-known, well-tested Internet protocols and tools. Employees don't need special knowledge to set up or use the network. Information can be shared using common applications, with a Web browser typically acting as the centerpiece of the user interface.
Security for Intranets
With an intranet, a company can manage network resources and determine the level of security with which it is comfortable. In many cases, this means secure local area networks (LANs) and wide area networks (WANs) connected to the outside world in a limited fashion through mechanisms known as firewalls.
Even if you have only a small LAN, it doesn't mean you are safe from hacker attacks and security breaches. If the information on your network is important to you, many of the same security techniques used in intranets might be useful for your LAN. See Chapter 14 for information on security techniques.
For example, you might want to allow the engineering and human resources departments to have access to some company databases, but not allow the departments to access each other's LAN.
If more stringent security measures are required within the intranet, a variety of encryption techniques are available to keep particularly sensitive information from any but the intended parties (examples are encryption techniques used to secure email messages). Basic levels of security can be enforced using standard password protection requiring that a user log in to establish identity before gaining access to services that are restricted.
Using an intranet, relevant and timely company data can be distributed to employees quickly and efficiently. The network can also serve as a means for collaboration on projects through file sharing, for example. The following are some ways of effectively using an intranet within a company:
Employee services Intranets can be used for online company phone directories, bulletin boards, company policy documents, and information on corporate locations and internal services.
Conferencing Intranets can offer software that supports video conferencing, audio conferencing, online chats, whiteboards (a window that appears on everyone's screen in the conference that everyone can draw on), and application sharing. These features can be used together so employees at different locations can hear and see the same information.
Project management tools Scheduling tools, workflow software, project timelines and a variety of other tools that chart the productivity of a project can be shared on an intranet.
Libraries Online libraries can be maintained so that documents that are relevant to engineers, marketers, sales, and management are easily accessible within the intranet.
Databases Databases of sales data, financial information, inventory, and various kinds of analysis can be selectively made available to employees on the intranet.
Web pages Instead of just sending memos, employees can publish appropriate information on Web pages in HTML format. This might include technical discussions of a project, company activities, or just something personal that an employee may want to share with others.
Anything that can be done on the Internet can also be done on a company intranet. One big difference in how you set up services, however, is that Internet servers will be outside your firewall, whereas intranet servers will be behind it. You want critical company data to be behind the firewall and public data to be outside of it. It is up to each company to implement the policies that decide how the intranet is to be used and to allocate the computing and network resources to support those policies.
An extranet extends the concept of intranets outside of a single company to other companies, agencies, or individuals that need to collaborate with the company on an ongoing basis.
One factor that typically characterizes an extranet is the way in which it extends the company intranet. Those who are connecting from outside the intranet are usually doing so over a public network (in particular, the Internet). Although this can result in some performance hits, it can be a cost-effective solution because inexpensive Internet connections are widely available.
The extranet requires some special security considerations. To ensure that corporate computing assets are safe, off-site users typically use such techniques as encryption or tunneling (discussed at the end of this chapter) to keep their communications secure. In general, extranets are less expensive than creating and maintaining leased lines. A company has to pay extra for lines that are leased from local phone companies to carry its data, while it only has to pay for a connection to the Internet to use the Internet to carry its data. However, a major drawback of extranets is that the performance of the network is out of the hands of the local company. For that reason, applications that require real-time response, such as banking and airline reservation applications, might not get the performance they need by communicating over the Internet.
For many applications, an Internet connection from a high-speed modem is quite acceptable for extranets. These are applications that, in case the network is temporarily congested, can wait a few extra seconds for a response. The following are some items a company might want to offer its partners on an extranet but not make available to the general public:
Wholesale pricing lists
Project plans and milestones
Inventory availability information
Special partner/dealer programs, including discounts, sales incentives, and promotions
Company internal contact information
Marketing reports and studies
Product support literature, including technical support databases
Building Security into an Extranet
Because important company assets are being exposed outside the boundaries of the corporate intranet, special attention needs to be paid to security issues. That attention will be focused on the following factors:
Remote users are who they say they are.
Connections between the remote users and the intranet are secure.
The scope of the information and resources available to the remote user is limited.
To verify the identity of a remote user, the first line of defense is still a username and password. When a system administrator sets up a company's computer network, users are typically given individual user accounts with passwords. When a more rigorous identification is necessary, digital certificates can be required. A digital certificate more stringently establishes the identity of the user. A digital certificate can also satisfy the second item listed previously by enabling the two parties in the communication to establish an encrypted communication session.
Establishing certificates was once an expensive and complicated job. Now there are ways for a company to be its own certificate authority (CA) and issue digital certificates. Companies such as VeriSign (http://www.verisign.com/) can help you manage your own digital certificates.
When it comes to the third item listed previously, a company can use the same measures to secure its resources against unauthorized access from its extranet partners as it does against unauthorized access from employees within the company. Access to secure LANs can be blocked using firewalls and password protection can be used to protect sensitive data.
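The third factor, limiting what an authenticated partner can reach, is typically enforced as a rule set on the firewall between the extranet and the intranet. The following is an added example (not code from the book) of such a rule set: a first-match, default-deny policy in which each partner identity, already established by login or certificate, may reach only the named internal hosts and ports, and only from its own network. The partner names, networks and the pricing and inventory hosts under the book's handsonhistory.com domain are constructed for the example.

```python
# Added example (not from the book): a first-match, default-deny access policy
# for extranet partners. Partners, networks and internal hosts are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    partner: str      # identity already verified by username/password or certificate
    source: str       # network (CIDR) the partner is expected to connect from
    resource: str     # internal host the rule covers
    port: int
    allow: bool

POLICY = [
    # One dealer host is blocked outright; listed first so it wins over the broader rule.
    Rule("dealer-north", "198.51.100.250/32", "pricing.handsonhistory.com", 443, False),
    Rule("dealer-north", "198.51.100.0/24", "pricing.handsonhistory.com", 443, True),
    Rule("dealer-north", "198.51.100.0/24", "inventory.handsonhistory.com", 443, True),
    Rule("supplier-west", "203.0.113.0/24", "inventory.handsonhistory.com", 443, True),
    # Nothing else is listed: finance, HR and engineering hosts stay unreachable.
]

def decide(partner: str, src: str, resource: str, port: int, policy=POLICY) -> bool:
    """Return True only if an explicit allow rule matches this partner, source
    address, destination host and port. The first matching rule decides;
    with no match the request is denied."""
    ip = ipaddress.ip_address(src)
    for r in policy:
        if (r.partner == partner
                and ip in ipaddress.ip_network(r.source)
                and r.resource == resource
                and r.port == port):
            return r.allow
    return False   # default deny: access must be granted explicitly

def audit(attempts: list[tuple], policy=POLICY) -> list[tuple]:
    """Attempts that were refused, for review: (partner, src, resource, port)."""
    return [a for a in attempts if not decide(*a, policy=policy)]

if __name__ == "__main__":
    tries = [
        ("dealer-north", "198.51.100.5", "pricing.handsonhistory.com", 443),
        ("dealer-north", "198.51.100.5", "finance.handsonhistory.com", 443),
        ("supplier-west", "203.0.113.9", "pricing.handsonhistory.com", 443),
    ]
    print(audit(tries))
```

Tying each rule to both an identity and a source network means a stolen password used from an unexpected network still fails the check, and the default-deny fallthrough is what keeps the scope of a partner's access limited rather than merely documented.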
As with access to resources by employees within an intranet, a company needs to set up security standards and performance requirements for its extranet. By doing this properly, a company can provide the information its partners need in a timely manner and still protect other computing resources.