Security in SAP Internet Transaction Server Landscapes
Session ID: AGS202
Security in SAP Internet Transaction Server (ITS) Landscapes
Ralph Resech, SAP AG, Walldorf
The integrated ITS
How to attack a computer
The standalone ITS
© SAP AG 2005, SAP TechEd ’05 / AGS202 / 4
Agenda
How to attack a computer
Exploiting exported services
Exploiting software accessing internet resources
By downloaded files
Summary
Exploiting Exported Services
If a computer runs a service for remote access it has to open a socket in “listening” state. This socket is bound to the IP address of the computer and to a service-specific TCP or UDP port like
HTTP (port 80)
HTTPS (port 443)
FTP (port 21)
NetBios-NS (port 137)
Everyone in the network can now access these services and try to misuse them by
producing a buffer overflow and injecting his own code onto the stack
cheating around the authentication
…
Packet Filtering
That’s where the Packet Filter (aka Firewall) can help you.
[Diagram: packet filter between two IP addresses, with HTTP (port 80), NetBios and FTP traffic arriving and a Web server behind the filter]
Exploiting Software Accessing Internet Resources (I)
If you run software on your computer that accesses internet resources like
Web browsers
Video or audio streaming software
Download or file sharing tools
you can be attacked by resources which are not executables.
By using bugs in the running software it is possible to make the software execute binary data in a file which, for example, appeared to be a JPEG picture.
Exploiting Software Accessing Internet Resources (II)
It’s best to configure your servers to
not access any internet resources
have as little software running on them as possible
have no route to the internet at all (if possible)
By Downloaded Files
If you download software from the internet or install it from CDs of doubtful origin, you never know what exactly is done to your system.
Install only software from trusted sources.
Summary
Protect your servers with port filters
Don’t use servers to surf the internet
Have a virus scanner installed and up to date
Don’t install software which isn’t from a trusted source
Keep your software up to date (not only the operating system)
Agenda
The standalone ITS
Example setup for the standalone ITS
Communication relationships
Securing standalone ITS installations
Summary
Standalone ITS in a Two-Level Setup (I)
[Diagram: Internet | Firewall | DMZ containing WGates and AGates | Firewall | Inner DMZ or intranet containing the application server farm]
Standalone ITS in a Two-Level Setup (II)
Advantages
Low hardware demand
Easy setup
Disadvantages
AGates and WGates are in the same network segment
The simpler setup provides more attack points for hackers
Standalone ITS in a Three-Level Setup (I)
[Diagram: Internet | Firewall | Outer DMZ containing the WGates | Firewall | Inner DMZ containing the AGates | Firewall | Intranet containing the application server farm]
Standalone ITS in a Three-Level Setup (II)
Advantages
Better separation of the components
Full control of all communication relationships
Disadvantages
More configuration
More hardware needed
Things to remember
Each firewall configuration has to be different
The different firewalls can also be interfaces of one firewall
Application Gateways
With an application gateway you can
Authenticate the user before he can access the application
Terminate SSL
Validate a service request / URL:
Is access to the requested URL via the Internet permitted?
Does the request contain no known exploits?
Is the source of the request permitted (sender address)?
but
It may not be transparent to the application
It may introduce its own bugs
Additional Extensions
For additional security you can
Monitor the landscape with an Intrusion Detection System
Use encryption (SSL for the web server and SNC for AGate, WGate and backend system)
Implement a NAT gateway, e.g. in the first firewall
For additional high availability you can
Add another step containing load balancers
Have each functional component at least twice
Communication Relationships (I)
Browser to WGate
The browser connects to the Web server using the protocols HTTP or HTTPS.
The WGate runs as a plug-in in the Web server.
You need to permit incoming connections on TCP port 80 or 443.
[Diagram: Browser to WGate (plug-in in the Web server), HTTP (TCP port 80) / HTTPS (TCP port 443)]
Communication Relationships (II)
WGate to AGate
There are two ways of WGate – AGate communication:
Directly, if your AGate is running as a single process
Via the Mapping Manager, if you have multiple AGate processes
The protocol used between WGate and AGate is HTTP (not a native form of HTTP, so you cannot connect a browser directly to the AGate).
You need to permit incoming connections on the TCP ports
sapavw00_<SID> + AGate number for each AGate process and
sapavwmm_<SID> if you use the Mapping Manager
[Diagram: WGate to the Mapping Manager on TCP port sapavwmm_<SID> and to each AGate on TCP port sapavw00_<SID> + AGate number]
Communication Relationships (III)
AGate to backend system
The AGate connects to the backend using the protocols DIAG or RFC. If you use a message server, the AGate connects to the message server first and then to one of your application servers. Otherwise your application server is contacted directly.
You need to permit incoming connections on the TCP port sapms<SID> for the message server host and the TCP ports sapdpXX and sapgwXX (with XX as the system number) for all application server hosts.
[Diagram: AGate to the message server via DIAG / RFC on TCP port sapms<SID>, and to the application servers via DIAG / RFC on TCP ports sapdpXX and sapgwXX]
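The three communication relationships above, modelled as an added example that is not part of the slides or of any SAP tool: each hop the slides name becomes an explicit allow rule on the firewall between its two zones of the three-level setup, everything else is denied, and the per-firewall rule sets come out different, as the slides require. Host names, the SID and system number, and the numeric port values in the service table are constructed for the example.

```python
"""Three-level standalone ITS: which firewall has to carry which rule.

Zones: internet | fw1 | outer DMZ (WGate) | fw2 | inner DMZ (AGate,
Mapping Manager) | fw3 | intranet (backend).  Only the hops named on the
slides get an allow rule; everything else is denied.  SID, system number,
host names and numeric ports are constructed, not ITS defaults.
"""
SID, SYSNR = "ITS", "00"        # constructed system id / system number XX
N_AGATES = 2                    # constructed: two AGate processes + Mapping Manager

# Constructed /etc/services-style table (names as on the slides, numbers invented).
SERVICES = {
    "http": 80,
    "https": 443,
    f"sapavwmm_{SID}": 3900,
    f"sapms{SID}": 3600 + int(SYSNR),
    f"sapdp{SYSNR}": 3200 + int(SYSNR),
    f"sapgw{SYSNR}": 3300 + int(SYSNR),
}
AGATE_BASE = 3901               # "sapavw00_<SID> + AGate number", one port per AGate
for n in range(N_AGATES):
    SERVICES[f"sapavw{n:02d}_{SID}"] = AGATE_BASE + n

ZONES = ["internet", "outer_dmz", "inner_dmz", "intranet"]
HOSTS = {                       # constructed host -> zone placement
    "browser": "internet", "wgate": "outer_dmz",
    "agate": "inner_dmz", "mmanager": "inner_dmz",
    "msgsrv": "intranet", "appsrv": "intranet", "other_r3": "intranet",
}

# Allow rules (source host, destination host, service); anything else is denied.
RULES = [
    ("browser", "wgate", "http"),
    ("browser", "wgate", "https"),
    ("wgate", "mmanager", f"sapavwmm_{SID}"),
    *[("wgate", "agate", f"sapavw{n:02d}_{SID}") for n in range(N_AGATES)],
    ("agate", "msgsrv", f"sapms{SID}"),
    ("agate", "appsrv", f"sapdp{SYSNR}"),
    ("agate", "appsrv", f"sapgw{SYSNR}"),
]

def firewalls_crossed(src, dst):
    """Firewalls between the zones of src and dst (fw1 = internet|outer DMZ, ...)."""
    a, b = sorted((ZONES.index(HOSTS[src]), ZONES.index(HOSTS[dst])))
    return [f"fw{i + 1}" for i in range(a, b)]

def allowed(src, dst, port):
    """Default deny: only an explicit rule for this hop and port lets traffic through."""
    return any(s == src and d == dst and SERVICES[svc] == port for s, d, svc in RULES)

def ruleset(fw):
    """(src, dst, port) triples firewall fw must permit; each firewall ends up different."""
    return [(s, d, SERVICES[svc]) for s, d, svc in RULES if fw in firewalls_crossed(s, d)]
```

The `other_r3` host stands for a second backend the AGate must not reach, which is the network-side counterpart of setting DisableDynamicConnect on the AGate.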
ITS Services
ITS uses “services” to start new sessions.
Services are started by accessing a URL like http://<hostname>/scripts/wgate/<servicename>/!
If a user is able to connect to your ITS he can start any service available on this ITS.
To prevent users from using other services than those they should, you need to
Disable the service (from ITS 6.20 PL 13 on)
Delete the .srvc files (earlier versions)
If you want to prevent the ITS from generating HTML pages from dynpros (e.g. error pages) you have to set ~generateDynpro to 0.
Anonymous Logon
If you need your users to logon anonymously you
Have to state a username / password in your service file. Don’t use URL parameters for username / password
Have to make sure that this user is able to logon to your backend system
Have to restrict the privileges of this user to exactly the tasks an anonymous Internet user needs
Should remember that everyone in the Internet receives this set of privileges by just navigating to your site
Should keep in mind that someone might try to misuse this user’s privileges
ADM Instance
To secure your ADM instance you should
Make sure it can’t be accessed from the Internet
Consider using a separate WGate server
Use sophisticated passwords
Further Configuration Details
If you want to provide only an IAC (Internet Application Component) you should set ~generateDynpro to 0 to prevent the ITS from generating normal dynpros if no template is found.
Since it is possible to connect to different backend systems by stating connection details in the URL, you must not allow access from your AGate server to any other R/3 system than the one you want the ITS to connect to. To switch off this feature, set Programs / AGate / DisableDynamicConnect to “1” in your ITS registry.
Make sure that none of your servers is able to access internet resources (not even through a proxy).
Security Recommendations for SAP ITS
Ensure your ITS installation is up-to-date
Only enable required ITS services; remove/disable other services
Protect technical users’ credentials for anonymous scenarios
Only permit required actions to technical users in the backend
Disable ITS WebGUI and set ~generateDynpro to 0
Protect the ITS admin instance (ADM)
Do not pass passwords via URL parameter (~password)
Protect the operating system (shares, …)
Restrict access to the ITS 6.20 registry
Do not run other services on the system hosting your ITS
Agenda
The integrated ITS
Example setup for the integrated ITS
Securing integrated ITS installations
Summary
What has Changed With the Integrated ITS
There is no WGate anymore (functionality is integrated in the Internet Communication Framework, ICF)
There is no AGate anymore (functionality is integrated in the application server)
The Web server is now the ICM
SAP Web AS With Integrated ITS (I)
[Diagram: Client network | Firewall | Backend system (application server)]
SAP Web AS With Integrated ITS (II)
[Diagram: Client network | Firewall | SAP Web Dispatcher and Application Gateway | Firewall | Backend system (application server farm)]
SAP Web AS With Integrated ITS (III)
[Diagram: Client network | Firewall | Hardware load balancer | Firewall | two SAP Web Dispatcher / Application Gateway pairs (one hot standby) | Firewall | Backend system (application server farm)]
ICF Services
ICF services are started by accessing a URL like http://<hostname>/sap/bc/gui/sap/its/webgui
If a user is able to connect to your system he can start any service that is activated in the ICF (unless blocked by an application gateway)
To prevent users from using other services than they should, you need to disable the service in SICF
SICF
SAP WebAS ABAP Security Recommendations (I)
Use encrypted communications (SNC / SSL)
Check/set good password rules and session timeouts
Protect SAP WebAS ABAP standard users: sap*, ddic, earlywatch, sapcpic
Protect OS and DB users of the SAP system
Restrict authorizations to key transactions and resources like transactions SM59, SU01, SICF, SMICM, STRUST, … and table RFCDES
Tune authorizations for technical users to the minimum required
Enable auditing and logging (also HTTP logging)
SAP WebAS ABAP Security Recommendations (II)
Only enable required HTTP services
Do not enable the following services, except for testing purposes. See also SAP Note 517484:
/sap/public/info
/sap/bc/echo
/sap/bc/error
Do not enable the following services if present. See also SAP Note 626073:
/sap/bc/report
/sap/bc/xrfc
/sap/bc/FormToRfc
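A detection that ties the HTTP logging recommendation to the service lists above and to the standalone ITS advice (only offer the services you mean to, never pass ~password in the URL), as an added example that is not part of the slides or of SAP's tooling: it scans access-log lines for the ICF services that should stay disabled, for standalone ITS service calls outside an allow-list, and for ~password in the query string. The log format, the allow-list entry "webshop", the service name "zlegacy" and all addresses and timestamps are constructed.

```python
"""Scan HTTP access-log lines for requests the ITS slides warn about.

Checks: ICF services that should stay disabled (SAP Notes 517484 / 626073),
standalone ITS calls (/scripts/wgate/<service>/!) outside a constructed
allow-list, and passwords passed as the ~password URL parameter.
Log format and every sample value below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

BLOCKED_ICF = ("/sap/public/info", "/sap/bc/echo", "/sap/bc/error",
               "/sap/bc/report", "/sap/bc/xrfc", "/sap/bc/FormToRfc")
ALLOWED_ITS_SERVICES = {"webshop"}    # constructed: the one IAC this ITS should serve

# Combined-log style: client, two dashes, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
ITS_RE = re.compile(r"^/scripts/wgate/(?P<service>[^/]+)/!")

def findings(line):
    """Return (src, kind, detail) triples for one log line; empty list if clean."""
    m = LOG_RE.match(line)
    if not m:
        return [("?", "unparsable", line)]
    src, url = m["src"], urlsplit(m["target"])
    path, out = url.path, []
    # ICF paths are matched case-insensitively so /sap/bc/formtorfc is caught too.
    if any(path.lower().startswith(p.lower()) for p in BLOCKED_ICF):
        out.append((src, "blocked_icf_service", path))
    its = ITS_RE.match(path)
    if its and its["service"] not in ALLOWED_ITS_SERVICES:
        out.append((src, "unexpected_its_service", its["service"]))
    if "~password" in parse_qs(url.query, keep_blank_values=True):
        out.append((src, "password_in_url", path))
    return out

def scan(lines):
    """Findings over a whole log, in file order."""
    return [f for line in lines if line.strip() for f in findings(line)]

# Constructed sample log (documentation addresses, invented timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2005:09:12:01 +0100] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200
198.51.100.7 - - [10/Nov/2005:09:12:05 +0100] "GET /sap/bc/echo?x=1 HTTP/1.1" 200
203.0.113.9 - - [10/Nov/2005:09:13:10 +0100] "GET /scripts/wgate/webshop/!?~language=EN HTTP/1.1" 200
203.0.113.9 - - [10/Nov/2005:09:13:42 +0100] "GET /scripts/wgate/zlegacy/! HTTP/1.1" 401
203.0.113.9 - - [10/Nov/2005:09:14:03 +0100] "GET /scripts/wgate/webshop/!?~login=guest&~password=s3cret HTTP/1.1" 200
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields one finding each for the echo service, the unlisted zlegacy service and the password in the URL; the webgui and webshop lines are clean.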
Defense in Depth
No system can be made 100% secure because of
Human errors
in development
during configuration
during operations
Making one system as secure as possible would be too expensive
“Defense in Multiple Places” or Defense in Depth
Further Information
Public Web:
SAP Developer Network: www.sdn.sap.com, Forums, Internet Transaction Server
NetWeaver Developer‘s Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Service Marketplace:
http://service.sap.com/sap-its
http://service.sap.com/security
http://service.sap.com/securityguide
Related Workshops/Lectures at SAP TechEd 2005
UP204, SAP NetWeaver Application Server with Integrated ITS and SAP NetWeaver `04 Updates, Lecture (1 hour)
UP206, SAP User Interface Technologies, Lecture (1 hour)
AGS105, Security Primer, Lecture (1 hour)
AGS200, Increasing Infrastructure Security by using Application Gateways, Lecture (2 hours)
AGS209, Web Applications – Security Risk #1, Lecture (1 hour)
Copyright 2005 SAP AG. All Rights Reserved