Providing secure extranet and partner access is one of the more difficult things to do from a security perspective. The issue really boils down to a question of control. In general, you don't have control over your extranet partners' systems, and yet they have access to your systems. This puts your network at risk.
The traditional method of authenticating partners and remote customers has been VPN connections with either certificates or pre-shared keys. While this is an effective solution, it still leaves your network exposed to risk -- even if a system is authenticated and using the VPN, a virus can still spread from it to your network. As a result, I have found myself more and more often recommending remote control solutions utilizing either Microsoft Terminal Services or Citrix MetaFrame to allow extranet partner access to resources. This allows you to provide all of the services, including authentication, to your extranet partner while leaving your network completely insulated from the partner system. In fact, when using Citrix Secure Gateway the extranet partner accesses your network using a Web browser, allowing you to reduce the number of ports you need to open in your firewall. The traffic is also completely proxied by the Secure Gateway, further ensuring that your network is secured from partner systems you can't control.
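One way to check that a rule base actually matches the proxied design described above, as an added example that is not part of the original article: the script flags any allow rule that lets a partner source reach an internal network directly, or reach anything other than the gateway over HTTPS. All addresses, rule names and the rule format are constructed for illustration, and TCP 443 is assumed as the port the browser-based gateway access uses.

```python
import ipaddress

# Constructed sample topology (documentation/private ranges, not from the article).
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # partner-controlled hosts
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # networks to keep insulated
GATEWAY_NET = ipaddress.ip_network("192.0.2.10/32")        # Secure Gateway in the DMZ
GATEWAY_PORTS = {443}                                      # assumption: HTTPS only

# Constructed rule base: (name, source, destination, port, action)
RULES = [
    ("partner-vpn-any",    "198.51.100.0/24", "10.0.0.0/8",    "any", "allow"),
    ("partner-web-gw",     "198.51.100.0/24", "192.0.2.10/32", 443,   "allow"),
    ("partner-rdp-direct", "198.51.100.0/24", "10.1.2.3/32",   3389,  "allow"),
    ("partner-dmz-ftp",    "198.51.100.0/24", "192.0.2.20/32", 21,    "allow"),
    ("gw-to-farm",         "192.0.2.10/32",   "10.1.2.0/24",   1494,  "allow"),
]

def audit_partner_rules(rules):
    """Return (rule name, reason) for partner-sourced rules that bypass the gateway."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules whose source includes partner addresses are in scope.
        if not any(src_net.overlaps(p) for p in PARTNER_NETS):
            continue
        if any(dst_net.overlaps(i) for i in INTERNAL_NETS):
            # The VPN-style exposure: partner traffic lands on internal hosts.
            findings.append((name, "partner source reaches internal network directly"))
        elif dst_net != GATEWAY_NET or port not in GATEWAY_PORTS:
            # Extra open ports or DMZ hosts beyond the proxied entry point.
            findings.append((name, "partner source allowed beyond gateway HTTPS"))
    return findings

if __name__ == "__main__":
    for rule_name, reason in audit_partner_rules(RULES):
        print(f"{rule_name}: {reason}")
```

The gateway-to-server-farm rule is not flagged because its source is the proxy, not a partner system, which is the insulation the design relies on.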
This was first published in December 2004