Session ID: AGS202 Security in SAP Internet Transaction Server (ITS) Landscapes

Security in SAP Internet Transaction Server Landscapes


Page 1: Security in SAP Internet Transaction Server Landscapes


Page 2: Security in SAP Internet Transaction Server Landscapes

Ralph Resech, SAP AG, Walldorf

Page 3: Security in SAP Internet Transaction Server Landscapes

The integrated ITS
How to attack a computer
The standalone ITS

Page 4: Security in SAP Internet Transaction Server Landscapes

© SAP AG 2005, SAP TechEd ’05 / AGS202 / 4

Agenda

How to attack a computer
  Exploiting exported services
  Exploiting software accessing internet resources
  By downloaded files
  Summary


Page 6: Security in SAP Internet Transaction Server Landscapes

Exploiting Exported Services

If a computer runs a service for remote access, it has to open a socket in “listening” state. This socket is bound to the IP address of the computer and to a service-specific TCP or UDP port, like

HTTP (port 80)
HTTPS (port 443)
FTP (port 21)
NetBios-NS (port 137)

Everyone in the network can now access these services and try to misuse them by

producing a buffer overflow and injecting their own code onto the stack
bypassing the authentication
…

Page 7: Security in SAP Internet Transaction Server Landscapes

Packet Filtering

That’s where the Packet Filter (aka Firewall) can help you.

[Figure: a packet filter placed between the client IP address and the Web server’s IP address; of the incoming flows HTTP (port 80), NetBios and FTP, only the permitted one reaches the Web server]


Page 9: Security in SAP Internet Transaction Server Landscapes

Exploiting Software Accessing Internet Resources (I)

If you run software on your computer that accesses internet resources, like

Web browsers
Video or audio streaming software
Download or file sharing tools

you can be attacked through resources which are not executables.

By exploiting bugs in the running software, it is possible to make that software execute binary data contained in a file which, for example, appeared to be a JPEG picture.

Page 10: Security in SAP Internet Transaction Server Landscapes

Exploiting Software Accessing Internet Resources (II)

It’s best to configure your servers to
  not access any internet resources
  run as little software as possible
  have no route to the internet at all (if possible)


Page 12: Security in SAP Internet Transaction Server Landscapes

By Downloaded Files

If you download software from the internet or install it from CDs of doubtful origin, you never know exactly what is done to your system.

Install only software from trusted sources


Page 14: Security in SAP Internet Transaction Server Landscapes


Summary

Protect your servers with port filters

Don’t use servers to surf the internet

Have a virus scanner installed and up to date

Don’t install software which isn’t from a trusted source

Keep your software up to date (not only the operating system)


Page 16: Security in SAP Internet Transaction Server Landscapes

Agenda

The standalone ITS
  Example setup for the standalone ITS
  Communication relationships
  Securing standalone ITS installations
  Summary

Page 17: Security in SAP Internet Transaction Server Landscapes

Standalone ITS in a Two-Level Setup (I)

[Figure: Internet | Firewall | DMZ containing the WGates and the AGates | Firewall | inner DMZ or intranet containing the application server farm]

Page 18: Security in SAP Internet Transaction Server Landscapes

Standalone ITS in a Two-Level Setup (II)

Advantages
  Low hardware demand
  Easy setup

Disadvantages
  AGates and WGates are in the same network segment
  The simpler setup provides more attack points for hackers

Page 19: Security in SAP Internet Transaction Server Landscapes

Standalone ITS in a Three-Level Setup (I)

[Figure: Internet | Firewall | outer DMZ containing the WGates | Firewall | inner DMZ containing the AGates | Firewall | intranet containing the application server farm]

Page 20: Security in SAP Internet Transaction Server Landscapes

Standalone ITS in a Three-Level Setup (II)

Advantages
  Better separation of the components
  Full control of all communication relationships

Disadvantages
  More configuration
  More hardware needed

Things to remember
  Each firewall configuration has to be different
  The different firewalls can also be interfaces of one firewall

Page 21: Security in SAP Internet Transaction Server Landscapes

Application Gateways

With an application gateway you can
  Authenticate the user before he can access the application
  Terminate SSL
  Validate a service request / URL
    Is access to the requested URL via the Internet permitted?
    Does the request contain no known exploits?
    Is the source of the request permitted (sender address)?

but
  It may not be transparent to the application
  It may introduce its own bugs

Page 22: Security in SAP Internet Transaction Server Landscapes

Additional Extensions

For additional security you can
  Monitor the landscape with an Intrusion Detection System
  Use encryption (SSL for the web server and SNC for AGate, WGate and backend system)
  Implement a NAT gateway, e.g. in the first firewall

For additional high availability you can
  Add another step containing load balancers
  Have each functional component at least twice


Page 24: Security in SAP Internet Transaction Server Landscapes

Communication Relationships (I)

Browser to WGate

The browser connects to the Web server using the protocols HTTP or HTTPS.

The WGate runs as a plug-in in the Web server.

You need to permit incoming connections on the TCP port 80 or 443.

[Figure: Browser → Web server with WGate, HTTP (TCP port 80) or HTTPS (TCP port 443)]

Page 25: Security in SAP Internet Transaction Server Landscapes

Communication Relationships (II)

WGate to AGate

There are two ways of WGate – AGate communication
  Directly, if your AGate is running as a single process
  Via the Mapping Manager, if you have multiple AGate processes

The protocol used between WGate and AGate is HTTP (not a native form of HTTP, so you cannot connect a browser directly to the AGate).

You need to permit incoming connections on the TCP ports
  sapavw00_<SID> + AGate number for each AGate process, and
  sapavwmm_<SID> if you use the Mapping Manager

[Figure: WGate → AGate directly on TCP port sapavw00_<SID> + AGate number, or WGate → Mapping Manager on TCP port sapavwmm_<SID> → AGate]

Page 26: Security in SAP Internet Transaction Server Landscapes

Communication Relationships (III)

AGate to backend system

The AGate connects to the backend using the protocols DIAG or RFC. If you use a message server, the AGate connects to the message server first and then to one of your application servers. Otherwise your application server is contacted directly.

You need to permit incoming connections on the TCP port sapms<SID> for the message server host and the TCP ports sapdpXX and sapgwXX (with XX as system number) for all application server hosts.

[Figure: AGate → Message Server (DIAG / RFC, TCP port sapms<SID>) and AGate → Application Server (DIAG / RFC, TCP ports sapdpXX and sapgwXX)]
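The three communication relationships above, the three-level setup and the packet-filter idea from the first part can be written down as one explicit allow-list per firewall and checked mechanically. The Python model below is an added example, not SAP's or the ITS's own code: the segment, firewall and host names are constructed, the sapdp/sapgw/sapms port derivation follows SAP's default port conventions (32NN, 33NN, 36NN with NN the instance number), and the numeric values used for sapavw00_<SID> and sapavwmm_<SID> are assumed placeholders because the slides give no defaults for them. Besides permitting only the flows the slides name, the model rejects any flow from the backend towards the Internet (servers must have no route out) and verifies that no two firewalls carry the same rule set.

```python
"""Allow-list model for a three-level standalone ITS landscape (added example)."""
from dataclasses import dataclass

# Network segments in the order traffic crosses them (constructed names).
SEGMENTS = ["internet", "outer_dmz", "inner_dmz", "intranet"]

# One firewall between each pair of adjacent segments. They may be three
# interfaces of one physical firewall, but each keeps its own rule set.
FIREWALLS = {
    ("internet", "outer_dmz"): "fw1",
    ("outer_dmz", "inner_dmz"): "fw2",
    ("inner_dmz", "intranet"): "fw3",
}

# Constructed hosts and the segment each lives in.
HOSTS = {
    "client": "internet",
    "wgate1": "outer_dmz",
    "agate1": "inner_dmz",
    "msserver": "intranet",
    "appsrv1": "intranet",
}


def sap_ports(instance_no: int, agate_no: int = 0) -> dict:
    """Resolve the SAP service names from the slides to TCP ports.

    sapdpNN -> 3200+NN, sapgwNN -> 3300+NN, sapms<SID> -> 3600+NN are SAP's
    default conventions. The AGate ports have no default on the slides:
    3900 (+ AGate number) and 3901 are ASSUMED placeholder values.
    """
    return {
        "sapdp": 3200 + instance_no,
        "sapgw": 3300 + instance_no,
        "sapms": 3600 + instance_no,
        "sapavw00": 3900 + agate_no,  # assumption, see docstring
        "sapavwmm": 3901,             # assumption, see docstring
    }


@dataclass(frozen=True)
class Rule:
    src: str    # source host name, or "*" for any
    dst: str    # destination host name
    dport: int  # destination TCP port


def build_policy(instance_no: int = 0) -> dict:
    """The only flows the slides require, one list per firewall."""
    p = sap_ports(instance_no)
    return {
        "fw1": [Rule("*", "wgate1", 80), Rule("*", "wgate1", 443)],
        "fw2": [Rule("wgate1", "agate1", p["sapavw00"]),
                Rule("wgate1", "agate1", p["sapavwmm"])],
        "fw3": [Rule("agate1", "msserver", p["sapms"]),
                Rule("agate1", "appsrv1", p["sapdp"]),
                Rule("agate1", "appsrv1", p["sapgw"])],
    }


def firewalls_crossed(src_host: str, dst_host: str) -> list:
    """Names of the firewalls between the two hosts' segments (empty if same segment)."""
    a = SEGMENTS.index(HOSTS[src_host])
    b = SEGMENTS.index(HOSTS[dst_host])
    lo, hi = sorted((a, b))
    return [FIREWALLS[(SEGMENTS[i], SEGMENTS[i + 1])] for i in range(lo, hi)]


def allowed(policy: dict, src_host: str, dst_host: str, dport: int) -> bool:
    """A flow passes only if every firewall on its path has a matching rule."""
    for fw in firewalls_crossed(src_host, dst_host):
        if not any(r.dst == dst_host and r.dport == dport and r.src in ("*", src_host)
                   for r in policy[fw]):
            return False
    return True


def policy_is_layered(policy: dict) -> bool:
    """'Each firewall configuration has to be different': no two identical rule sets."""
    rule_sets = [frozenset(rules) for rules in policy.values()]
    return len(set(rule_sets)) == len(rule_sets)


if __name__ == "__main__":
    policy = build_policy(instance_no=0)
    for flow in [("client", "wgate1", 443), ("client", "agate1", 3900),
                 ("wgate1", "agate1", 3900), ("agate1", "appsrv1", 3200),
                 ("appsrv1", "client", 80)]:
        print(flow, "ALLOW" if allowed(policy, *flow) else "DENY")
```

Because a flow has to satisfy every firewall it crosses, a browser can never reach an AGate or an application server directly even if the inner firewalls were misconfigured permissively; and because no rule has an Internet host as destination, the backend has no path out, which is the "no route to the internet" rule from the first part.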


Page 28: Security in SAP Internet Transaction Server Landscapes

ITS Services

ITS uses “services” to start new sessions.

Services are started by accessing a URL like http://<hostname>/scripts/wgate/<servicename>/!

If a user is able to connect to your ITS, he can start any service available on this ITS.

To prevent users from using other services than those they should, you need to

Disable the service (from ITS 6.20 PL 13 on)
Delete the .srvc files (earlier versions)

If you want to prevent the ITS from generating HTML pages from dynpros (e.g. error pages), you have to set ~generateDynpro to 0.

Page 29: Security in SAP Internet Transaction Server Landscapes

Anonymous Logon

If you need your users to logon anonymously you
  Have to state a username / password in your service file. Don’t use URL parameters for username / password
  Have to make sure that this user is able to logon to your backend system
  Have to restrict the privileges of this user to exactly the tasks an anonymous Internet user needs
  Should remember that everyone in the Internet receives this set of privileges by just navigating to your site
  Should keep in mind that someone might try to misuse this user’s privileges

Page 30: Security in SAP Internet Transaction Server Landscapes

ADM Instance

To secure your ADM instance you should
  Make sure it can’t be accessed from the Internet
  Consider using a separate WGate server
  Use sophisticated passwords

Page 31: Security in SAP Internet Transaction Server Landscapes

Further Configuration Details

If you want to provide only an IAC (Internet Application Component), you should set ~generateDynpro to 0 to prevent the ITS from generating normal dynpros if no template is found.

Since it is possible to connect to different backend systems by stating connection details in the URL, you must not allow access from your AGate server to any other R/3 system than the one you want the ITS to connect to. To switch off this feature, set Programs / AGate / DisableDynamicConnect to “1” in your ITS registry.

Make sure that none of your servers is able to access internet resources (not even through a proxy).
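The checks an application gateway performs on a service request (permitted URL, permitted source address), the service allow-list from the ITS Services slide, the "no username / password in URL parameters" rule for anonymous logon, the ADM instance rule and the dynamic-connect warning above can be combined into one request pre-check in front of the WGate. The Python function below is an added example, not SAP's or the ITS's own code. The URL shape follows the slides; of the parameter names, only ~password appears on the slides: ~login is assumed to be the matching user-name parameter, the names in BACKEND_PARAMS are placeholders standing for "connection details in the URL", and "admin" as the ADM service name is an assumption.

```python
"""Application-gateway style pre-check for ITS service requests (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Shape from the slide: http://<hostname>/scripts/wgate/<servicename>/!
ITS_PATH = re.compile(r"^/scripts/wgate/(?P<service>[A-Za-z0-9_]+)(/!?)?$")

# ~password is named on the slides; ~login is ASSUMED to be the user-name parameter.
CREDENTIAL_PARAMS = {"~password", "~login"}
# Placeholder names for "connection details in the URL" (dynamic connect); ASSUMED.
BACKEND_PARAMS = {"~host", "~systemnumber"}


@dataclass(frozen=True)
class GatewayPolicy:
    enabled_services: frozenset   # lower-case names of deliberately enabled .srvc services
    internet_sources: tuple       # CIDR networks allowed to reach the WGate
    admin_service: str = "admin"  # ADM instance service name (assumption)


def check_request(policy: GatewayPolicy, url: str, client_ip: str) -> list:
    """Return the list of violations; an empty list means the request may pass."""
    findings = []
    parts = urlsplit(url)

    # 1. Is the source of the request permitted (sender address)?
    if not any(ip_address(client_ip) in ip_network(net) for net in policy.internet_sources):
        findings.append(f"source {client_ip} not permitted")

    # 2. Is access to the requested URL via the Internet permitted?
    m = ITS_PATH.match(parts.path)
    if not m:
        findings.append(f"path {parts.path!r} is not an ITS service URL")
    else:
        svc = m.group("service").lower()
        if svc == policy.admin_service:
            findings.append("ADM instance must not be reachable from the Internet")
        elif svc not in policy.enabled_services:
            findings.append(f"service {svc!r} is not enabled")

    # 3. No credentials and no backend connection details via URL parameters.
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    for p in sorted(params & CREDENTIAL_PARAMS):
        findings.append(f"credential parameter {p} in URL")
    for p in sorted(params & BACKEND_PARAMS):
        findings.append(f"backend connection parameter {p} in URL (dynamic connect)")
    return findings


# Constructed policy: one enabled service, one permitted client network (documentation range).
SAMPLE_POLICY = GatewayPolicy(frozenset({"zshop"}), ("203.0.113.0/24",))

if __name__ == "__main__":
    for url, ip in [
        ("http://its.example/scripts/wgate/zshop/!", "203.0.113.5"),
        ("http://its.example/scripts/wgate/webgui/!?~login=u&~password=s", "203.0.113.5"),
        ("http://its.example/scripts/wgate/admin/!", "198.51.100.7"),
    ]:
        print(url, ip, check_request(SAMPLE_POLICY, url, ip) or "OK")
```

The gateway only narrows what reaches the ITS; disabling the unneeded services on the ITS itself and setting DisableDynamicConnect in the registry remain necessary, since a request that bypasses the gateway (for example from inside the DMZ) is still served by whatever the ITS has enabled.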


Page 33: Security in SAP Internet Transaction Server Landscapes

Security Recommendations for SAP ITS

Ensure your ITS installation is up-to-date
Only enable required ITS services; remove/disable other services
Protect technical users’ credentials for anonymous scenarios
Only permit required actions to technical users in the backend
Disable ITS WebGUI and set ~generateDynpro to 0
Protect the ITS admin instance (ADM)
Do not pass passwords via URL parameter (~password)
Protect the operating system (shares, …)
Restrict access to the ITS 6.20 registry
Do not run other services on the system hosting your ITS


Page 35: Security in SAP Internet Transaction Server Landscapes

Agenda

The integrated ITS
  Example setup for the integrated ITS
  Securing integrated ITS installations
  Summary

Page 36: Security in SAP Internet Transaction Server Landscapes

What has Changed With the Integrated ITS

There is no WGate anymore (functionality is integrated in the Internet Communication Framework, ICF)
There is no AGate anymore (functionality is integrated in the application server)
The Web server is now the ICM

Page 37: Security in SAP Internet Transaction Server Landscapes

SAP Web AS With Integrated ITS (I)

[Figure: client network | Firewall | backend system with a single application server]

Page 38: Security in SAP Internet Transaction Server Landscapes

SAP Web AS With Integrated ITS (II)

[Figure: client network | Firewall | SAP Web Dispatcher and application gateway | Firewall | backend system with an application server farm]

Page 39: Security in SAP Internet Transaction Server Landscapes

SAP Web AS With Integrated ITS (III)

[Figure: client network | Firewall | hardware load balancer | Firewall | two SAP Web Dispatcher / application gateway pairs, one active and one hot standby | Firewall | backend system with an application server farm]


Page 41: Security in SAP Internet Transaction Server Landscapes

ICF Services

ICF services are started by accessing a URL like http://<hostname>/sap/bc/gui/sap/its/webgui
If a user is able to connect to your system, he can start any service that is activated in the ICF (unless blocked by an application gateway)
To prevent users from using other services than they should, you need to disable the service in SICF

Page 42: Security in SAP Internet Transaction Server Landscapes

SICF

[Screenshot of transaction SICF]

Page 43: Security in SAP Internet Transaction Server Landscapes

SAP WebAS ABAP Security Recommendations (I)

Use encrypted communications (SNC / SSL)
Check/set good password rules and session timeouts
Protect SAP WebAS ABAP standard users
  sap*, ddic, earlywatch, sapcpic
Protect OS and DB users of the SAP system
Restrict authorizations to key transactions and resources like
  Transactions SM59, SU01, SICF, SMICM, STRUST, …
  Table RFCDES
Tune authorizations for technical users to the minimum required
Enable auditing and logging (also HTTP logging)

Page 44: Security in SAP Internet Transaction Server Landscapes

SAP WebAS ABAP Security Recommendations (II)

Only enable required HTTP services

Do not enable the following services, except for testing purposes. See also SAP Note 517484:
  /sap/public/info
  /sap/bc/echo
  /sap/bc/error

Do not enable the following services if present. See also SAP Note 626073:
  /sap/bc/report
  /sap/bc/xrfc
  /sap/bc/FormToRfc


Page 46: Security in SAP Internet Transaction Server Landscapes

Defense in Depth

No system can be made 100% secure due to
  Human errors
    In development
    During configuration
    During operations

Making one system as secure as possible would be too expensive.

“Defense in Multiple Places” or Defense in Depth

Page 47: Security in SAP Internet Transaction Server Landscapes

Further Information

Public Web:
  SAP Developer Network: www.sdn.sap.com, Forums, Internet Transaction Server
  NetWeaver Developer’s Guide: www.sdn.sap.com/sdn/developersguide.sdn
  SAP Service Marketplace:
    http://service.sap.com/sap-its
    http://service.sap.com/security
    http://service.sap.com/securityguide

Related Workshops/Lectures at SAP TechEd 2005
  UP204, SAP NetWeaver Application Server with Integrated ITS and SAP NetWeaver ’04 Updates, Lecture (1 hour)
  UP206, SAP User Interface Technologies, Lecture (1 hour)
  AGS105, Security Primer, Lecture (1 hour)
  AGS200, Increasing Infrastructure Security by using Application Gateways, Lecture (2 hours)
  AGS209, Web Applications – Security Risk #1, Lecture (1 hour)

Page 48: Security in SAP Internet Transaction Server Landscapes


Questions?

Q&A

Page 49: Security in SAP Internet Transaction Server Landscapes


Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Feedback

Thank You !

Page 50: Security in SAP Internet Transaction Server Landscapes

Copyright 2005 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.