Case Study: How Cisco IT Uses Extranets to Connect Global Partners to Cisco

This case study describes the Cisco Internet Services Group's managed extranet service, which Cisco IT provides for Cisco internal clients that need extranet connectivity for their partners. The Cisco global network is a leading-edge enterprise environment that is one of the largest and most complex in the world. Cisco customers can draw on Cisco IT's real-world experience in this area to help support similar enterprise needs.

Challenge

A guiding strategy for Cisco Systems@ is to focus on the core business and outsource context activities to partners. For example, Cisco manufactures in-house for new product introductions only—to work out the details—and then engages a manufacturing partner for ongoing work. "Partners provide world-leading expertise and economies of scale that keep our costs low and margins higher," says Henry White, senior manager of IT infrastructure.

To outsource ongoing functions such as manufacturing, engineering, finance, technical support, and advanced network services, Cisco needs secure, affordable connectivity between its own network and partner sites. Before shipping a product, for example, a manufacturing partner would need to access the Cisco Enterprise Resource Planning system to validate the unit configuration and test status and another Cisco system to print shipping labels.

The Cisco IT Internet Services Group (ISG) began developing an extranet strategy in 1998. "Our mission is to provide secure extranet access to internal Cisco resources," says Julie Nordquist, IT project manager for the ISG. Some companies address this challenge by duplicating all the resources that partners need and placing them in a secure network connected to the Internet behind a firewall in what's called a "demilitarized zone," or DMZ.

The extranet strategy is needed to address three types of connectivity requirements. One is partner access to the Cisco network. Another is Cisco access to these customer Extranet networks, for remote troubleshooting and support. A third is reciprocal network access between Cisco and its partners.

Today, the Cisco extranet network provides a secure, highly available connection to the Cisco intranet for companies that supply Cisco with manufacturing, software development, and call center functions, as well as financial, legal, fulfillment, marketing, and publications services. About 30 percent of the company’s extranet partners provide manufacturing services and are fully integrated into Cisco supply chain applications and processes.

Connectivity

Depending on each partner’s requirements for reliability, bandwidth, support, and cost, Cisco ISG deploys one of three types of extranet connections: leased line, site-to-site VPN, or user-based VPN.

Leased Line

For leased-line connectivity, ISG offers either dual frame relay leased lines with load balancing, or one leased line as the primary link and Basic Rate ISDN as the backup depending on performance, reliability and cost requirements. Cisco ISG manages this service, and provides three different service levels for each Extranet link: Platinum, Gold, and Silver. The Platinum service level typically is provided for partners that need around-the-clock service or provide critical or real-time functions, such as direct fulfillment or outsourced “priority one” (P1) technical support. The Gold service level usually is provided for partners that need critical support during business hours only, and Silver is for partners needing noncritical (best-effort) support during business hours only. ISG bills its Cisco internal clients for support costs according to the service level.

Site-to-Site VPN

In 2002 Cisco IT began providing VPN connectivity over the internet as an alternative to leased line Extranet access. This VPN technology significantly reduces the costs of extranet connectivity because it eliminates monthly circuit costs. Since VPN has been offered as an alternative Extranet option, the ratio of requests for VPN connectivity compared to leased line has risen to 5-to-1.

User-Based VPN

Before Cisco IT provided VPN Extranet options for partners, mobile partners had no real options for connecting to Cisco intranet resources. Now, when mobile individuals need secure access to the Cisco intranet, Cisco ISG sets up a user-based VPN. Extranet access is therefore tied to the individual instead of a particular site. The sponsoring client works with the partner to sign a network connection agreement, and, in addition, the individual user signs a nondisclosure agreement. After the administrative details have been completed, the extranet team provides the partner user with authentication software to connect to a VPN concentrator dedicated for extranet use. The user-based VPN is a popular approach to disaster contingency. For example, if the ordinary extranet connection becomes unavailable to a partner providing technical support, the user-based VPN provides an alternative way to access the network from either an active Internet connection or a completely different location. Currently, user-based VPNs are available in the United States and the Asia Pacific region.

Interconnect Model

With the interconnect model, a partner connects through its own corporate LAN, which interconnects with the Cisco LAN . Firewalls at each side protect each company’s respective resources. Partners can connect from any desktop on their LANs. By contrast, with the remote LAN model, they are limited to desktops that are physically connected to the remote LAN. Some sites incorporate both topologies. This flexibility is helpful, for example, if a manufacturing partner’s buyer wants to access buying information from her own desk instead of walking to the product manufacturing area in the warehouse.

Security

ISIS works closely with the Cisco Information Security group to ensure the security of extranet connections. “A chief challenge is that we can’t control our partners’ perimeter security,” says Michelle Koblas, manager of Corporate Information Security. “If we open our network to partners that don’t have adequate security, we have opened a back door into our environment.” Potential risks that the groups work together to mitigate include denial-of-service (DoS) attacks, spreading of viruses, hop-off threats, and the possibility that Cisco might not be informed when partner employees are terminated, for example.

The Cisco Information Security group takes a three-pronged approach to these challenges: legal measures, access restrictions, and enforcement. The legal tactic is to require extranet partners to sign two agreements. One is a non-disclosure agreement that each individual must complete. The other is a company-wide network connection agreement that stipulates expected user behavior and security policies that the partner organizations are expected to enforce.

Access restrictions include the following:

Firewall permissions: Cisco firewalls between the partner and Cisco limit machine-to-machine access at the protocol level. Use of access control lists (ACLs) in routers enables Cisco to establish network-to-network connectivity, both per-host and per-service. Currently, partners enforce their own restrictions on incoming traffic to their networks.

Web proxy: Firewalls restrict traffic by host or by port: A partner that has access to a particular host can generally take advantage of any service on that host, including Web, FTP, or Telnet. The Cisco Information Security group is investigating the use of Web proxy features of the Cisco CSS 11500 Series Content Services Switch to filter access on a per-URL basis.

Sandbox infrastructures: To protect against partners “hopping off” a host they are authorized to access to one they are not, Cisco has implemented what is called a sandbox infrastructure. That is, partners can work on the host for which they are authorized, but that host is restricted from initiating traffic to other hosts or networks.

Authentication and authorization: Cisco provides authentication and authorization at the host and application layers. The Cisco Information Security group is investigating ways to regularly validate authorized employees with partners so that employees who have left the project, for example, no longer have access.

Finally, Cisco enforces extranet security with a combination of intrusion detection systems, occasional physical audits of partner environments, and periodic ACL reviews to ensure that partners still need access to the same hosts and services. “We follow what we call a ‘defense in-depth’ model,” says Koblas. “That is, we implement as much security as possible—not just at the network level but also the host and application levels.”

Results

Currently, ISIS supports about 200 extranet connections globally, about half of those in the United States and about a third of them used for manufacturing. “In 1999, approximately 40 percent of Cisco product was manufactured at extranet sites,” says White. “Since 2000, the proportion has risen to 75 percent.”

Cisco has experienced measurable business benefits from its extranet. “The extranet has changed the way we do business by providing our partners with access to real-time data,” says Nordquist. “Our partners’ ability to access purchase orders in real-time, for example, accelerates product introduction.” In fact, ISIS recently received recognition from the Cisco Finance group for its contribution to a record-setting Days Sales Outstanding (DSO), a measure of how quickly a company collects receivables. “Our extranet was instrumental in allowing Cisco to hit 32 DSO, an unprecedented accomplishment,” says White. “Our ability to achieve this metric of financial health is directly attributable to using world-leading finance partners, and the extranet is the linchpin of those partnerships.”

The Cisco extranet also frees in-house Technical Assistance Center (TAC) employees to apply their expertise to more challenging cases while passing along routine cases to partners. “Some 80 percent of TAC cases are Web-generated,” says White. “The extranet gives us the flexibility to assign them to the best partner for that particular challenge.”

Among the greatest beneficiaries of the extranet is the Cisco manufacturing organization. “Before taking on a task, the Cisco manufacturing organization considers whether a partner can do it more efficiently, at less cost, or with higher quality,” says White. “If so, we give them an extranet connection to the internal resources they need.”

Next Steps

ISIS anticipates that an ever-larger portion of extranet connections will be VPN-based. To further extend cost savings to more critical partner activities, such as an outsourced TAC, Cisco is looking at ways to provide Platinum-level service using VPN technologies. Low-cost VPN connectivity with high priority support will render a partner’s location irrelevant. “With access to Cisco network resources and processes, a partner in Scotland or Malaysia can manufacture products with the same quality we do here, without any incremental setup time,” says White. “The extranet truly has made a difference in our ability to manufacture high-quality products at low cost.”