Remote Connectivity for mySAP.com Solutions over the Internet

Technical Specification


March 2001

1 Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

- SAProuter with Secure Network Communications (SNC) over the Internet
- Internet Virtual Private Network (VPN)

This document describes both alternatives and their technical specifications, and compares the two options. If you read this document, you will have enough information to decide which option is better for your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet. In other words, strong encryption will be employed for data that travels over the Internet.

2 Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.


SAProuter/SNC via Internet

- SNC-secured SAProuter connections are established between SAP and the customer's SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below.)

- Customers are required to install a SAProuter with an official, static IP address (DHCP addresses will not work) running SNC inbound and outbound connections to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.

- Certificates needed are available on the SAP Service Marketplace.

Internet VPN

- LAN-to-LAN IPSec VPNs are established between SAP and the customer's network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at the customer's side must be reachable from the Internet. (See diagram below.)

- Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.

- For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized.

- VPN access can also be achieved through a telecommunications provider. The provider will then be connected to SAP's VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers. This option is not covered in this document. For more information, contact SAP.


3 Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over Internet

Figure 2 - Internet VPN

Technical Requirements

SAProuter / SNC via Internet

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Official IP address (static) for the SAProuter host.
4. SAProuter installation package
5. SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
6. A Demilitarized Zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at: http://service.sap.com/SYSTEMMANAGEMENT
   Choose: Security > Technical Track > SAP Security Guide.
   More information on SNC connections is also available in the SAP Service Marketplace.
7. Since the host running the SAProuter software is a full computer with operating system, the security at the operating system level must be hardened in order to minimise the risk of the machine being hacked from the Internet. One recommendation will be for example to run a C2 security level compliant operating system. SAP takes no liability if the security of the company's network is compromised.
8. Other networking equipment (routers and hubs) needed to form the network at the customer's premises (see Figure 1).

Internet VPN

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Two (2) official IP subnets. These IP subnets are assigned to:
   - The public interface of the VPN box. Additionally, this IP subnet must be routed in the Internet.
   - The customer's SAProuter
4. If the customer is operating any firewall(s) to secure its Internet connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customer's firewall must allow UDP port 500 (IKE) and IP Protocol 50 (ESP).
5. Recommended VPN equipment: Nortel Contivity 1500 Extranet Switch or Nortel Contivity 600 Extranet Switch (with 3DES encryption). Customers may also try to connect using other IPsec compliant VPN equipment. The equipment must support certain IPsec features (see Appendix A) that are mandatory to establish communication with SAP's VPN. SAP cannot guarantee interoperability between the Nortel Contivity 1500 Extranet Switch and other types of VPN equipment that the customer elects to use instead. If you wish to use other VPN equipment, contact SAP.
6. Other networking equipment (routers and switches / hubs) needed to form the network at the customer's premises (see Figure 2).
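The firewall requirement in item 4 of the Internet VPN column (UDP port 500 for IKE and IP Protocol 50 for ESP, exchanged only between the two gateways' public interfaces), together with the data sheet's rule in Appendix B that private address spaces cannot be used, as an added worked example that is not part of this specification: it derives the minimal rule set for the customer's edge firewall, refuses private gateway addresses, and evaluates constructed packets against the rules. The two gateway addresses are constructed placeholders from documentation ranges, not SAP's real VPN switch address.

```python
import ipaddress

# The three private address spaces the data sheet (Appendix B, section 5) says cannot be used.
PRIVATE_SPACES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IKE_UDP_PORT = 500  # UDP port 500 (IKE)
ESP_PROTOCOL = 50   # IP Protocol 50 (ESP)


def is_official(addr):
    """True when addr lies outside the three private address spaces listed in the spec."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_SPACES)


def build_policy(customer_gw, sap_gw):
    """Minimal rule set for the customer's edge firewall: IKE and ESP are permitted only
    between the two VPN gateways' public interfaces; anything else aimed at the gateway is denied."""
    for addr in (customer_gw, sap_gw):
        if not is_official(addr):
            raise ValueError(f"{addr} is a private address; the VPN switch needs an official IP")
    rules = []
    for src, dst in ((sap_gw, customer_gw), (customer_gw, sap_gw)):  # both directions
        rules.append({"proto": "udp", "src": src, "dst": dst, "dport": IKE_UDP_PORT, "action": "permit"})
        rules.append({"proto": ESP_PROTOCOL, "src": src, "dst": dst, "dport": None, "action": "permit"})
    rules.append({"proto": "any", "src": "any", "dst": customer_gw, "dport": None, "action": "deny"})
    return rules


def evaluate(policy, pkt):
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in policy:
        if rule["proto"] not in ("any", pkt["proto"]):
            continue
        if rule["src"] not in ("any", pkt["src"]):
            continue
        if rule["dst"] != pkt["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
            continue
        return rule["action"]
    return "deny"


# Constructed placeholder addresses (documentation ranges), not SAP's real VPN gateway.
CUSTOMER_GW, SAP_GW = "203.0.113.10", "198.51.100.5"
POLICY = build_policy(CUSTOMER_GW, SAP_GW)
```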


3.1 Comparison of the Two Options

Hardware requirements
  SAProuter / SNC via Internet: Firewall + SAProuter host in DMZ
  Internet VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Software
  SAProuter / SNC via Internet: SAProuter starting from NI version 35; SAPSECULIB can be obtained from the Service Marketplace
  Internet VPN: N.A.

Network addresses (besides address of Internet router, firewall, ...)
  SAProuter / SNC via Internet: 1 official static IP address for SAProuter
  Internet VPN: 1 official static IP address for VPN switch + 1 official static IP address for SAProuter host

Configuration issues
  SAProuter / SNC via Internet: Careful setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall.
  Internet VPN: Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter software and firewall.

Encryption
  SAProuter / SNC via Internet: By software
  Internet VPN: By hardware

Encrypted data
  SAProuter / SNC via Internet: TCP packets. Only the data stream between SAProuters is encrypted. Encryption is handled on the Application layer (OSI network layer 7).
  Internet VPN: IPsec (IP packets). Encryption is handled on the IP layer (OSI network layer 3).

Minimum required free bandwidth
  SAProuter / SNC via Internet: 64 kbit/s but may work also with 32 kbit/s
  Internet VPN: 64 kbit/s

Supported services on SAP side
  SAProuter / SNC via Internet: All except FTP (files download)
  Internet VPN: All including FTP (files download)

Key management
  SAProuter / SNC via Internet: Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI)
  Internet VPN: Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI)

Key storage
  SAProuter / SNC via Internet: In file system
  Internet VPN: In VPN switch

Operating system
  SAProuter / SNC via Internet: SAProuter resides on a computer, therefore it is necessary to harden the security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet.
  Internet VPN: VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much less. However, security hardening measures at the SAProuter operating system level are also recommended.

Additional expertise
  SAProuter / SNC via Internet: SAProuter knowledge usually available; SNC configuration requires additional knowledge
  Internet VPN: VPN hardware requires special knowledge, higher technical expertise

Standards
  SAProuter / SNC via Internet: Based on SNC, SAP proprietary standard
  Internet VPN: Based on IPSec, well established industry standard

Contributing to costs
  SAProuter / SNC via Internet:
  - Firewall hardware and software
  - Firewall administration costs
  - No additional license fee for security library based on SECUDE
  Internet VPN:
  - Firewall hardware and software
  - Firewall administration costs
  - Costs for VPN hardware and setup
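The comparison table's point that access is controlled via saprouttab, so that its setup must be careful, as an added example that is not code from SAP or from this specification: a small parser and first-match evaluator for a saprouttab, plus an audit that flags wildcard-source permits and a trailing catch-all entry. The P/S/D line grammar, first-match semantics and default deny are assumed from the SAProuter documentation; shell-style wildcard matching is an approximation of SAProuter's own matching; SNC (K*) entries are not handled; the sample table and all addresses are constructed.

```python
import fnmatch

# Constructed sample saprouttab (not from the spec). Assumed grammar, as documented for saprouter:
#   <P|S|D> <source-host> <dest-host> <dest-service> [password]   ('*' is a wildcard, '#' starts a comment)
# SNC-specific K* entries are not handled here.
SAMPLE_SAPROUTTAB = """\
# SAP support (constructed source network) reaches two systems; the rest of the DMZ is closed
S 198.51.100.*  10.1.2.10  3200
P 198.51.100.*  10.1.2.11  *
D *             10.1.*     *
P *             *          *
"""

ACTIONS = {"P": "permit", "S": "permit-sap-protocol-only", "D": "deny"}


def parse_saprouttab(text):
    """Return (lineno, action, src, dst, service) tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ACTIONS:
            raise ValueError(f"line {lineno}: unrecognised saprouttab entry {raw!r}")
        entries.append((lineno, fields[0], fields[1], fields[2], fields[3]))
    return entries


def decide(entries, src, dst, service):
    """First matching entry wins; a request that matches no entry is denied."""
    for _, action, e_src, e_dst, e_service in entries:
        if all(fnmatch.fnmatchcase(v, p) for v, p in ((src, e_src), (dst, e_dst), (service, e_service))):
            return ACTIONS[action]
    return "deny"


def audit(entries):
    """Flag entries that undermine the careful saprouttab setup the comparison table calls for."""
    findings = []
    for lineno, action, src, dst, service in entries:
        if action in ("P", "S") and src == "*":
            findings.append(f"line {lineno}: {action} entry accepts any source host for {dst}:{service}")
        if action == "P" and dst == "*" and service == "*":
            findings.append(f"line {lineno}: native-protocol permit to every host and service")
    return findings


ENTRIES = parse_saprouttab(SAMPLE_SAPROUTTAB)
```

In the sample, an Internet host reaching a system outside 10.1.* is let through by the trailing `P * * *`, which is exactly what the audit reports.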

3.2 Terms and Conditions

1. The customer is responsible for obtaining any and all approval(s) for importing and operating their equipment, as may be required by the respective local laws and regulations. The use of cryptographic software and hardware is regulated in some countries.

2. All costs for setting up the necessary infrastructure at the customer's premises are to be borne by the customer.

3. Both parties are responsible for securing their respective ends of the connection against unauthorized third party access.

Appendix A

Mandatory IPSec Features (for the Internet VPN option)

- Encapsulating Security Protocol (ESP)
- Authentication Header (AH)
- Internet Key Exchange (IKE), with support of Diffie-Hellman Group 2 (1024 bit keys)
- Encryption Algorithm: Triple DES (3DES)
- Authentication Algorithm: HMAC-MD5 and HMAC-SHA1
- Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates
- Support for Diffie-Hellman Group 2 (keys of 1024 bits)
- Perfect Forward Secrecy
- Key exchanges using Internet PKIs

Appendix B

Remote Customer Support Network over the Internet

Connection Data Sheet

Please complete and fax this data sheet to the SAP Network Hotline at +49 (180) 5 34 34 30


1. Customer Information

Company:
Customer No.:
Contact person networking:
Tel.:
E-mail address:
Fax:

2. Desired Internet Connectivity Option

[ ] SAProuter / SNC via Internet
[ ] Internet VPN

3. Networking Information

IP address of SAProuter computer
Host name of SAProuter computer
IP address of VPN switch (if applicable)
Type of VPN switch: brand and model (if applicable)

4. Information About Your Internet Connection

Type of Internet connection (mark one)

[ ] Frame Relay
[ ] ISDN
[ ] Leased line
[ ] X.25
[ ] Dial-up
[ ] xDSL
[ ] Other:

Bandwidth of your Internet connection (in kbps)
% of current utilization of your Internet bandwidth




5. Additional Observations

You need official Internet IP addresses for the computer on which the communication software SAProuter and the proxy for the remote access is installed (this also applies to the VPN switch).

Private address spaces such as

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

cannot be used.

If you do not have your own official IP addresses, obtain one from your Internet Service Provider (ISP).

If you have any of the following questions:

- How do I fill in the data sheet?
- How can I obtain an IP address?
- What type of software and hardware do I need to establish remote access?
- Questions on the use of a firewall
- What kind of costs can I anticipate?

contact the consulting partner responsible for your area, or contact the SAP Network Hotline:

Fax: +49 180 53 434 30

Tel.: +49 180 53 434 38