SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:
SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.
SAProuter/SNC via Internet |
Internet VPN |
- SNC secured SAProuter – SAProuter connections are established between SAP and the customer’s SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below).
- Customers are required to install a SAProuter with an official, static IP address (DHCP Addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.
- Certificates needed are available on the SAP Service Marketplace.
|
- LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at customer’s side must be reachable from the Internet. (See diagram below).
- Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.
- For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized.
- VPN access can also be achieved through a telecommuncations provider. The provider will then be connected to SAP’s VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers. This option is not covered in this document. For more information, contact SAP.
|
Property |
SAProuter / SNC via Internet |
Internet VPN |
Hardware requirements |
Firewall + SAProuter host in DMZ |
VPN switch + firewall + SAProuter host (VPN and firewall may be the same box) |
Software |
SAProuter starting from NI version 35
SAPSECULIB can be obtained from the Service Marketplace |
N.A. |
Network addresses (besides address of Internet router, firewall, …) |
1 official static IP address for SAProuter |
1 official static IP address for VPN switch + 1 official static IP address for SAProuter host |
Configuration issues |
Careful setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall. |
Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter software and firewall |
Encryption |
By software |
By hardware |
Encrypted data |
TCP packets
Only the data stream between SAProuters is encrypted
Encryption is handled on Application layer (OSI network layer 7) |
IPsec (IP packets)
Encryption is handled on IP layer (OSI network layer 3) |
Minimum required free bandwidth |
64 kbit/s but may work also with
32 kbit/s |
64 kbit/s |
Supported services on SAP side |
All except FTP (files download) |
All including FTP (files download) |
Key management |
Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI) |
Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI) |
Key storage |
In file system |
In VPN switch |
Operating system |
SAProuter resides on a computer
therefore it is necessary to harden the security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet |
VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much less. However, security hardening measures at the SAProuter operating system level are also recommended |
Additional expertise |
SAProuter knowledge usually available, SNC configuration requires additional knowledge |
VPN hardware requires special knowledge, higher technical expertise |
Standards |
Based on SNC, SAP proprietary standard |
Based on IPSec, well established industry standard |
Contributing to costs |
- Firewall hardware and software
- Firewall administration costs
- No additional license fee for security library based on SECUDE
|
- Firewall hardware and software
- Firewall administration costs
- Costs for VPN hardware and setup
|
