Remote Connectivity for mySAP.com
Solutions over the Internet
Technical Specification
March 2001
Remote Connectivity for mySAP.com Solutions over the Internet
1 Introduction
SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

- SAProuter with Secure Network Communications (SNC) over the Internet
- Internet Virtual Private Network (VPN)

This document describes both alternatives and their technical specifications, and compares the two options. After reading it, you will have enough information to decide which option better fits your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet; in other words, strong encryption is employed for data that travels over the Internet.
2 Overview of Technical Setup
SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.
SAProuter / SNC via Internet

SNC-secured SAProuter-to-SAProuter connections are established between SAP and the customer's SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection (see diagram below).

Customers are required to install a SAProuter with an official, static IP address (DHCP addresses will not work) running SNC for inbound and outbound connections to SAP at their end of the connection, in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.

The certificates needed are available on the SAP Service Marketplace.

Internet VPN

LAN-to-LAN IPSec VPNs are established between SAP and the customer's network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at the customer's side must be reachable from the Internet (see diagram below).

Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.

For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized.

VPN access can also be achieved through a telecommunications provider. The provider will then be connected to SAP's VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers available. This option is not covered in this document. For more information, contact SAP.
3 Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over Internet

Figure 2 - Internet VPN
Technical Requirements

SAProuter / SNC via Internet

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Official IP address (static) for the SAProuter host.
4. SAProuter installation package
5. SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
6. A Demilitarized Zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at: http://service.sap.com/SYSTEMMANAGEMENT (choose: Security > Technical Track > SAP Security Guide). More information on SNC connections is also available in the SAP Service Marketplace.
7. Since the host running the SAProuter software is a full computer with an operating system, security at the operating system level must be hardened in order to minimise the risk of the machine being hacked from the Internet. One recommendation would be, for example, to run a C2 security level compliant operating system. SAP takes no liability if the security of the company's network is compromised.
8. Other networking equipment (routers and hubs) needed to form the network at the customer's premises (see Figure 1).

Internet VPN

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Two (2) official IP subnets. These IP subnets are assigned to:
   - The public interface of the VPN box. Additionally, this IP subnet must be routed in the Internet.
   - The customer's SAProuter
4. If the customer is operating any firewall(s) to secure its Internet connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customer's firewall must allow UDP port 500 (IKE) and IP Protocol 50 (ESP).
5. Recommended VPN equipment: Nortel Contivity 1500 Extranet Switch or Nortel Contivity 600 Extranet Switch (with 3DES encryption). Customers may also try to connect using other IPsec compliant VPN equipment. The equipment must support certain IPsec features (see Appendix A) that are mandatory to establish communication with SAP's VPN. SAP cannot guarantee interoperability between the Nortel Contivity 1500 Extranet Switch and other types of VPN equipment that the customer elects to use instead. If you wish to use other VPN equipment, contact SAP.
6. Other networking equipment (routers and switches / hubs) needed to form the network at the customer's premises (see Figure 2).
3.1 Comparison of the Two Options

(SNC = SAProuter / SNC via Internet; VPN = Internet VPN)

Hardware requirements
  SNC: Firewall + SAProuter host in DMZ
  VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Software
  SNC: SAProuter starting from NI version 35; SAPSECULIB can be obtained from the Service Marketplace
  VPN: N.A.

Network addresses (besides address of Internet router, firewall, ...)
  SNC: 1 official static IP address for SAProuter
  VPN: 1 official static IP address for VPN switch + 1 official static IP address for SAProuter host

Configuration issues
  SNC: Careful setup of saprouttab necessary for security. Saprouttab influences security strongly, as access is controlled via saprouttab and firewall.
  VPN: Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly, as access is controlled via VPN switch, SAProuter software and firewall.

Encryption
  SNC: By software
  VPN: By hardware

Encrypted data
  SNC: TCP packets. Only the data stream between SAProuters is encrypted; encryption is handled at the application layer (OSI layer 7).
  VPN: IPsec (IP packets); encryption is handled at the IP layer (OSI layer 3).

Minimum required free bandwidth
  SNC: 64 kbit/s, but may also work with 32 kbit/s
  VPN: 64 kbit/s

Supported services on SAP side
  SNC: All except FTP (file download)
  VPN: All including FTP (file download)

Key management
  SNC: Digital certificates requested via the Service Marketplace Public Key Infrastructure (PKI)
  VPN: Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI)

Key storage
  SNC: In file system
  VPN: In VPN switch

Operating system
  SNC: SAProuter resides on a computer; therefore it is necessary to harden security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet.
  VPN: The VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much lower. However, security hardening measures at the SAProuter operating system level are also recommended.

Additional expertise
  SNC: SAProuter knowledge usually available; SNC configuration requires additional knowledge
  VPN: VPN hardware requires special knowledge, higher technical expertise

Standards
  SNC: Based on SNC, SAP proprietary standard
  VPN: Based on IPSec, well established industry standard

Contributing to costs
  SNC:
  - Firewall hardware and software
  - Firewall administration costs
  - No additional license fee for security library based on SECUDE
  VPN:
  - Firewall hardware and software
  - Firewall administration costs
  - Costs for VPN hardware and setup
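The comparison above stresses that, for the SNC option, access is controlled by saprouttab and the firewall. As an added example that is not part of the original document or of SAProuter itself, the following checker parses saprouttab-style entries (P/D/S and the SNC variants KP/KD/KS, evaluated first-match-wins with an implicit deny, as assumed here) and decides sample connection requests; the SNC name, host and port are constructed placeholders.

```python
# Added example (not SAProuter code): a checker for saprouttab-style entries.
# Assumed semantics: the first entry whose source, destination and service all
# match decides; a request matching no entry is denied.
import shlex
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str   # "P" permit, "D" deny, "S" permit SAP protocols only
    snc: bool     # True for KP/KD/KS entries: source is an SNC name, not a host
    source: str
    dest: str
    serv: str

def parse_saprouttab(text: str) -> list[Entry]:
    """Parse permit/deny lines; '#' starts a comment, quotes group SNC names."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"malformed saprouttab entry: {line.strip()!r}")
        keyword, source, dest, serv = fields[:4]   # optional 5th field (password) ignored
        if keyword not in ("P", "D", "S", "KP", "KD", "KS"):
            raise ValueError(f"unknown keyword {keyword!r}")
        entries.append(Entry(keyword[-1], keyword.startswith("K"), source, dest, serv))
    return entries

def decide(entries: list[Entry], source_host: str, dest: str, serv: str,
           snc_name: Optional[str] = None) -> str:
    """Return 'P', 'S' or 'D' for one connection request (first match wins)."""
    for e in entries:
        subject = snc_name if e.snc else source_host
        if subject is None:          # K-entries never match an unauthenticated peer
            continue
        if (fnmatchcase(subject, e.source) and fnmatchcase(dest, e.dest)
                and fnmatchcase(serv, e.serv)):
            return e.action
    return "D"   # implicit deny when nothing matches

# Constructed sample: only SAP's SNC-authenticated SAProuter may reach the
# dispatcher of one SAP system; every other request is denied. The SNC name
# and host are placeholders, not SAP's real identity.
SAP_SNC_NAME = "p:CN=sap-saprouter, O=SAP-Placeholder, C=DE"
SAMPLE_SAPROUTTAB = f"""
KP "{SAP_SNC_NAME}"  sapsrv01  3200   # SNC-authenticated SAP SAProuter only
D  *  *  *                             # explicit catch-all deny
"""
```

Without SNC authentication the same source host falls through to the deny entry, which is the property the comparison row describes: the table, not the network, decides who gets in.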
3.2 Terms and Conditions

1. The customer is responsible for obtaining any and all approval(s) for importing and operating their equipment, as may be required by the respective local laws and regulations. The use of cryptographic software and hardware is regulated in some countries.
2. All costs for setting up the necessary infrastructure at the customer's premises are to be borne by the customer.
3. Both parties are responsible for securing their respective ends of the connection against unauthorized third party access.
Appendix A

Mandatory IPSec Features (for the Internet VPN option)

- Encapsulating Security Protocol (ESP)
- Authentication Header (AH)
- Internet Key Exchange (IKE), with support of Diffie-Hellman Group 2 (1024 bit keys)
- Encryption Algorithm: Triple DES (3DES)
- Authentication Algorithm: HMAC-MD5 and HMAC-SHA1
- Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates
- Support for Diffie-Hellman Group 2 (keys of 1024 bits)
- Perfect Forward Secrecy
- Key exchanges using Internet PKIs
Appendix B

Remote Customer Support Network over the Internet
Connection Data Sheet

Please complete and fax this data sheet to the SAP Network Hotline at +49 (180) 5 34 34 30

1. Customer Information
Company:
Customer No.:
Contact person networking:
Tel.:
E-mail address:
Fax:

2. Desired Internet Connectivity Option
[ ] SAProuter / SNC via Internet
[ ] Internet VPN

3. Networking Information
IP address of SAProuter computer:
Host name of SAProuter computer:
IP address of VPN switch (if applicable):
Type of VPN switch: brand and model (if applicable):

4. Information About Your Internet Connection
Type of Internet connection (mark one)
[ ] Frame Relay
[ ] ISDN
[ ] Leased line
[ ] X.25
[ ] Dial-up
[ ] xDSL
[ ] Other:
Bandwidth of your Internet connection (in kbps):
% of current utilization of your Internet bandwidth:

5. Additional Observations
You need official Internet IP addresses for the computer on which the communication software SAProuter and the proxy for the remote access is installed (this also applies to the VPN switch). Private address spaces such as
  10.0.0.0 - 10.255.255.255
  172.16.0.0 - 172.31.255.255
  192.168.0.0 - 192.168.255.255
cannot be used. If you do not have your own official IP addresses, obtain one from your Internet Service Provider (ISP).

If you have any of the following questions:
- How do I fill in the data sheet?
- How can I obtain an IP address?
- What type of software and hardware do I need to establish remote access?
- Questions on the use of a firewall
- What kind of costs can I anticipate?
contact the consulting partner responsible for your area, or contact the SAP Network Hotline:
Fax: +49 180 53 434 30
Tel.: +49 180 53 434 38