S 5.125 Protection of communication with SAP systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
An SAP system communicates with SAP clients, browsers, applications and other SAP systems using the local network. Data is also exchanged between the SAP system components. In both cases, data requiring protection is transmitted. This not only includes the data used by the users for authentication (e.g. user names and passwords, SSO tickets, and SAPSSO2 cookies), but also business data processed by the functions called.
For this reason, it is necessary to decide whether communications will be secured by a protection mechanism at all and, if so, which one. The communication methods can mainly be divided into the following classes:
- RFC communication:
In this case, the data is transmitted as plain text. Protocols based on RFC, for example the DIAG protocol used by SAPgui clients, compress the data. However, compression is not a protection mechanism. In addition, it is possible to disable compression.
- HTTP-based communication:
The data is transmitted as plain text.
- TCP/IP communication:
The data is transmitted as plain text.
When transmitting data worthy of protection to and from SAP systems, the data should be encrypted. Various methods can be used to protect the data. It is therefore necessary to decide which method is the most favourable in terms of the costs and benefits. The decision must be documented so that it can be understood later.
Use of IPSec
IPSec provides general security for communication at the IP level: all data packets are encrypted and their integrity is protected. One advantage of this method is that no changes need to be made to the configuration at the SAP system level, since IPSec protection is configured at the operating system level.
If SAP systems are operated in networks containing only computers running Windows (Windows 2000 and higher), IPSec is available as a standard component at no additional cost (for licenses, for example). However, its configuration must still be administered. Additional information can be found in S 5.90 Use of IPSec under Windows.
When using IPSec, the communications both of the ABAP stack and the Java stack are protected.
Use of SNC
Communication within an SAP system can be protected using SNC (Secure Network Communications). Note, though, that SNC is only a standardised interface, and SNC-compliant protection libraries (also referred to as SNC libraries, SNC modules, or SNC implementations) must be purchased, licensed, and installed separately.
SNC offers different levels of protection; its main components are authentication and encryption. Which algorithms are used for authentication and encryption depends on the SNC library. SNC provides general security for communications at the SAP system level.
When purchasing SNC implementations, the following must be taken into consideration:
- Which algorithms are offered? It must be ensured that the product offers adequately secure algorithms with adequate key lengths. Using proprietary and unpublished encryption procedures should be avoided.
- What is the price and license model? Large companies or government agencies may incur significant costs in this regard.
- Authentication for SNC is performed outside of the SAP system. How are the SNC users administered? Do the users need to be administered using a separate tool, or can their administration be integrated into an existing administration structure (e.g. an LDAP server or Windows Active Directory)?
There are SNC implementations available from SAP free of charge that can be used in Windows. Here, there is a choice of an NTLM-based variant only offering authentication and a Kerberos-based variant supporting authentication and encryption.
SNC provides protection both for ABAP stack communication and for Java stack communication, but protection must be configured separately for each stack.
Sources of SAP documentation on the SNC configuration can be found in S 2.346 Use of the SAP documentation.
Use of SSL
The use of SSL is generally recommended for all HTTP-based accesses. This also applies to the internal communication between the components of the SAP system and to other components that provide SSL security (e.g. for LDAP access).
SSL relies on encryption mechanisms, but SAP does not ship them as a standard component because export/import restrictions differ from country to country. The encryption library (SAP Cryptographic Library, SAP Cryptolib) must therefore be installed additionally. Note that SSL support must be installed separately for the ABAP stack and the Java stack.
SSL negotiates the protection method to be used dynamically between the communication partners. For this reason, weak methods should be removed from the list of allowed methods (each such method is referred to as a cipher suite).
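The two checks called for above, that an SNC library offers adequately secure algorithms with adequate key lengths (see the purchasing considerations under "Use of SNC") and that weak cipher suites are removed from the list negotiated by SSL, can be made mechanical. The following is an added example written for this safeguard; it is not SAP code and does not use SAP profile parameters. The suite names use OpenSSL naming, the sample list is constructed, and the minimum key lengths in MIN_KEY_BITS and MIN_SYMMETRIC_KEY_BITS are assumptions chosen for the illustration, not values from the safeguard text.

```python
"""Audit cipher suites and algorithm/key-length pairs against a minimum policy.

Constructed example: the suite names below are sample input in OpenSSL naming,
not SAP profile parameter values. All thresholds are assumptions for this
illustration and should be replaced by the organisation's own documented policy.
"""
import re

# Assumed minimum key lengths (bits) per algorithm family for SNC library evaluation.
# An algorithm not in this table is treated as unknown/proprietary and fails the check,
# matching the guidance to avoid proprietary and unpublished procedures.
MIN_KEY_BITS = {
    "AES": 128,
    "RSA": 2048,
    "DSA": 2048,
    "DH": 2048,
    "ECDH": 256,
    "ECDSA": 256,
}

# Assumed minimum symmetric key length for TLS/SSL cipher suites.
MIN_SYMMETRIC_KEY_BITS = 128

# Components of an OpenSSL-style suite name that make the suite unacceptable.
# (regex matched against the suite name, reason reported to the administrator)
WEAK_PATTERNS = [
    (r"^EXP", "export-grade (deliberately shortened) keys"),
    (r"(^|-)NULL(-|$)", "no encryption at all"),
    (r"^A(EC)?DH-", "anonymous key exchange (no server authentication)"),
    (r"RC4", "RC4 stream cipher"),
    (r"RC2", "RC2 block cipher"),
    (r"(^|-)DES-", "DES or 3DES block cipher"),
    (r"-MD5$", "MD5-based MAC"),
]

# Suites providing forward secrecy start with an ephemeral key-exchange prefix.
FORWARD_SECRECY_PREFIX = re.compile(r"^(ECDHE|DHE|EDH)-")
NO_FORWARD_SECRECY = "no forward secrecy (static key exchange)"


def key_length_adequate(algorithm: str, bits: int) -> bool:
    """True if the algorithm is known to the policy and the key length meets its minimum."""
    minimum = MIN_KEY_BITS.get(algorithm.upper())
    if minimum is None:
        return False  # unknown or proprietary algorithm: do not accept
    return bits >= minimum


def classify_suite(name: str) -> list[str]:
    """Return all policy violations for one suite name; an empty list means acceptable."""
    reasons = [reason for pattern, reason in WEAK_PATTERNS if re.search(pattern, name)]
    match = re.search(r"(AES|CAMELLIA|ARIA)(\d+)", name)
    if match and int(match.group(2)) < MIN_SYMMETRIC_KEY_BITS:
        reasons.append(
            f"symmetric key of {match.group(2)} bits below minimum {MIN_SYMMETRIC_KEY_BITS}"
        )
    # Anonymous DH is ephemeral but already rejected above; only report the
    # forward-secrecy problem for suites that are not anonymous.
    if not FORWARD_SECRECY_PREFIX.match(name) and not re.match(r"^A(EC)?DH-", name):
        reasons.append(NO_FORWARD_SECRECY)
    return reasons


def filter_cipher_suites(suites: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Split a configured suite list into the allowed suites and the rejected ones with reasons."""
    allowed: list[str] = []
    rejected: dict[str, list[str]] = {}
    for suite in suites:
        reasons = classify_suite(suite)
        if reasons:
            rejected[suite] = reasons
        else:
            allowed.append(suite)
    return allowed, rejected


# Constructed sample list mixing acceptable and obsolete suites.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC2-CBC-MD5",
    "NULL-SHA256",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    kept, dropped = filter_cipher_suites(SAMPLE_SUITES)
    print("allowed:", kept)
    for suite, why in dropped.items():
        print(f"rejected {suite}: {'; '.join(why)}")
    print("RSA-2048 adequate:", key_length_adequate("RSA", 2048))
    print("RSA-1024 adequate:", key_length_adequate("RSA", 1024))
```

The filtered list is what should be written into the server's allowed-suite configuration; the rejection reasons give the documentation trail that the review questions below ask for. Treating an unknown algorithm name as a failure, rather than a pass, is deliberate: a vendor name that cannot be mapped to a published algorithm is exactly the case the SNC purchasing guidance warns against.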
References to detailed instructions for the installation and configuration of SSL can be found in S 2.346 Use of the SAP documentation.
Review questions:
- Is the communication from and to SAP systems secured appropriately?
- Is there comprehensible documentation as to which protection mechanisms are used to transmit data worthy of protection from and to SAP systems?
- SNC (Secure Network Communications) for communication from and to SAP systems: Are secure algorithms with sufficiently long keys used?