SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Transcription

1 SECURING NETWEAVER DEPLOYMENTS A RSACCESS WHITE PAPER

2 SECURING NETWEAVER DEPLOYMENTS 1 Introduction 2 NetWeaver Deployments 3 Safe-T RSAccess Overview 4 Securing NetWeaver Deployments with Safe-T RSAccess 4.1 NetWeaver Standard 3-tier Deployment Deployment Overview Deployment Advantages Deployment Disadvantages The Advantages of Deploying Safe-T RSAccess 4.2 NetWeaver Dual DMZ Deployment Deployment Overview Deployment Advantages Deployment Disadvantages The Advantages of Deploying Safe-T RSAccess Conclusion

3 SECURING NETWEAVER DEPLOYMENTS 1. Introduction NetWeaver is 's integrated technology computing platform and is the technical foundation for many applications, for example my Business Suite and xapps. It provides the development and runtime environment for applications and can be used for custom development and integration with other applications and systems. The NetWeaver technology platform is a comprehensive integration and application platform that helps reduce the enterprise s total cost of ownership (TCO). It facilitates the integration and alignment of people, information, and business processes across organizational and technological boundaries. NetWeaver easily integrates information and applications from virtually any source, and ensures maximum reliability, security, and scalability, so the enterprise s mission-critical business processes run smoothly. More information on NetWeaver can be found at 2. NetWeaver Deployments NetWeaver solutions are usually deployed in one of the following deployment architectures: Standard 3-tier deployment where all solution tiers (NetWeaver Gateway front-end, Web Server, NetWeaver Application servers, data base, etc) are located in the internal network. Second Secured NetWeaver deployment where the solutions tiers are split between two DMZ tiers (outer DMZ and Inner DMZ) and the internal network. 3. Safe-T RSAccess Overview RSAccess is Safe-T's Secure Front-End solution for securing the network from the outside. It removes the need to open any ports within the internal firewall and provides unmatched protection for enterprise data networks from the Internet and other public networks. RSAccess Secure Front-End solution is a two tier deployment: 1. External RSAccess Node installed in the DMZ segment 2. Internal RSAccess Node installed on a LAN segment The role of the external RSAccess node is to act as a front-end to all services published within the DMZ. It operates without the need to open any ports within the internal firewall and ensures that only legitimate session data can pass through into the LAN. It can be deployed in two main locations within the DMZ: The first is before the web/application front-ends, essentially replacing them completely. The second is after the web/application front-ends providing an additional layer of defense within the DMZ and preventing any attacks from being generated from within the front-end servers. The role of the internal RSAccess node it to pull the session data into the LAN from the external RSAccess node, authenticate it using a variety of mechanisms, scan it using various security techniques including an application firewall, and then pass it to the destination application server.

4 SECURING NETWEAVER DEPLOYMENTS RSAccess Secure Front-End solution provides the following layers of security protection: 1. User Authentication RSAccess also provides the ability to authenticate users accessing applications it front-ends (publishes). Authentication can be done using a variety of mechanisms a. Authentication via the organization s LDAP or Active Directory systems. b. Authentication using Open ID / SAML - RSAccess enables authenticating either registered users or ad-hoc users using the user s existing personal social network credentials including all common social networks, such as Facebook, Google, Live ID, etc. In addition RSAccess can also perform additional validations such as security questions (name of 1st pet, etc) after the user is authenticated by the social network provider. The validation questions can be verified by RSAccess itself or any other 3rd party data base. The combination of the social network authentication with the additional validation, provides a unique three-way authentication mechanism. Which in addition to being more convenient for the user, provides high levels of security, and also greatly reduces the operational complexity of organizations, as there is no longer a need to store and manage large numbers of user credentials. 2. Block Layer 3 and Layer 4 level attacks the main benefit of Safe-T s unique technology, which allows passing session data into the internal network without opening any inbound ports on the internal firewall, is that it allows the complete blocking of any network or Layer 4 based attacks such as port scanning, ICMP scanning, TCP bases attacks, etc. 3. Block Application level attacks In case a hacker attempts to generate an application level attack such as application exploits, malware, etc, to traverse the pair of RSAccess nodes, the attack will be blocked by RSAccess s built-in application firewall. RSAccess built-in application firewall inspects and controls incoming traffic on the application layer to detect and mitigate attacks of RFC manipulation, viruses, Trojans, and malware both on clear channels and encrypted channels such as HTTPS. 4. Prevent hacking attempts into RSAccess The external RSAccess node does not run any application in order to handle incoming sessions, but rather it utilizes Safe-T s unique listener technology. This means that it is not possible to hack into and take control of the external RSAccess itself to initiate attacks. For more information on Safe-T RSAccess, read the Safe-T RSAccess white paper

5 SECURING NETWEAVER DEPLOYMENTS 4. Securing NetWeaver Deployments with Safe-T RSAccess 4.1 NetWeaver Standard 3-tier Deployment Deployment Overview The NetWeaver standard 3-tier deployment is the best practice deployment when security is less of a concern for the organization. In this deployment all the solution tiers (NetWeaver Gateway front-end, Web Server, NetWeaver Application servers, data base, etc) are located in the internal network and communicate with the organization s user directory (e.g. Active Directory) or IdP (Identity Provider) which is also located within the LAN. Such a deployment serves all users internal (registered) users, external (registered) users, and external guests. Idp External User and Guests Internal User Reverse Proxy NetWeaver Gatway Web Server Business Suite DMZ Internal Network Figure 1 - NetWeaver Standard 3-tier Deployment In order to allow external users and external guests to access the Business Suite, the internal firewall must allow passing HTTPS traffic (TCP 443) from the Internet into the NetWeaver solution Deployment Advantages The main advantage of this deployment model is its simplicity since all of the solution components are deployed in the same network segment. This means that no cross-networking is required and that all servers are physically located in the same place, ensuring no latency in traffic flows between the tiers Deployment Disadvantages The main disadvantages of this deployment are directly derived by its simplicity and centralistic approach. Since all of the solution tiers are located in the LAN, the internal firewall must allow passing HTTPS traffic (TCP 443) from the Internet into the NetWeaver Gateway residing in the LAN. Opening this port is essential in order for the external users and guests to be authenticated and

6 SECURING NETWEAVER DEPLOYMENTS served content from the LAN itself, essentially gaining access to the LAN. If any of these users is an attacker, this deployment model provides a very simple means of gaining access to the organization s most confidential data The Advantages of Deploying Safe-T RSAccess As can be seen in figure 2 below, when RSAccess is deployed in conjunction with the NetWeaver Standard 3-tier deployment, the external RSAccess node is placed before the internal firewall s external interface replacing the reverse-proxy and the RSAccess internal node is placed after internal firewall s LAN interface. Idp External User and Guests Internal User Safe-t RSAccess External Safe-t RSAccess Intarnal NetWeaver Gatway Web Server Business Suite DMZ Internal Network Figure 2 - Deploying RSAccess with NetWeaver Standard 3-tier Deployment In this deployment, the pair of RSAccess nodes handle all sessions generated from the external users and guests directed to the NetWeaver Gateway, essentially working as a DMZ Front-end. Thanks to the RSAccess solution, it is now possible to close the HTTPS port on the firewall, as the internal RSAccess will now be opening an outbound port from the LAN to the external RSAccess. The benefits of deploying the RSAccess solution in this deployment include: Improved data security by completely closing the solution required ports in the internal firewall that can be exploited by external hackers. Mitigation of application level attacks passing through the DMZ security layers targeting the solution. Unaffected performance, with end users completely unaware of the background communications processes. Replacing the DMZ reverse proxy which requires opening ports and which is susceptible to attacks.

7 SECURING NETWEAVER DEPLOYMENTS 4.2 NetWeaver Dual DMZ Deployment Deployment Overview To ensure the security and protection of the NetWeaver solution, recommends using a dual DMZ deployment, splitting the solutions tiers between the DMZs and internal network segments. This deployment, ensures that the security protection provided by the solution s protocols and functions (SSL, SNC, authentication, and authorization) cannot be misused, and that there is a lower possibility of attacking the solution s components. Idp External User and Guests Reverse Proxy NetWeaver Gatway Web Server Business Suite Outer DMZ Inner DMZ Internal Network Figure 3 - NetWeaver Dual DMZ Deployment As can be seen in figure 3 above, the NetWeaver and business suite solutions is split between the security zones: Outer DMZ The reverse-proxy makes sure that requests are not directly passed through to the desired resource, but are handled by the NetWeaver Gateway s own cache. If internal content is required, the gateway communicates with the Web Server in the inner DMZ. Inner DMZ The Web server resides receives requests from the gateway in the outer DMZ and serves content. If additional content in required from the internal network, the Web server communicates with the Business Suite application servers in the internal network. Internal Network the internal network holds the solution s application servers and IdP and authentication services Deployment Advantages Splitting the NetWeaver solution between the outer DMZ, internal DMZ, and the LAN offers the following advantages: Reduced network load all external content is served from the DMZ/s which means the internal network is free to serve only internal users. Increased protection the application servers, database servers, and the user management systems have increased protection and are only accessible by authorized users or resources.

8 SECURING NETWEAVER DEPLOYMENTS No guest access to internal network since public content is now served from the DMZs and not from the LAN (as in the standard deployment model), guests are blocked from accessing the LAN and any sensitive data stored in it Deployment Disadvantages While splitting the NetWeaver and Business Suite between the DMZs and the LAN offers advantages, it has a serious security disadvantage. In this deployment the NetWeaver Gateway is deployed in the DMZ, making it susceptible to attacks and breaches. This creates a potentially serious breach of security, as attackers can utilize the gateway to launch attacks on the company s internal resources over the HTTP channel traversing into the LAN The Advantages of Deploying Safe-T RSAccess As can be seen in figure 4 below, when RSAccess is deployed in conjunction with the NetWeaver dual DMZ deployment, the external RSAccess node is placed within the outer DMZ replacing the reverse-proxy and the RSAccess internal node is placed in the internal DMZ. In addition the deployment of RSAccess allows migrating the NetWeaver gateway into the inter DMZ. Web Server Idp External User and Guests Safe-t RSAccess External Safe-t RSAccess Intarnal NetWeaver Gatway Business Suite Outer DMZ Inter DMZ Internal Network Figure 4 - Deploying RSAccess with NetWeaver Dual DMZ Deployment In this deployment, the pair of RSAccess nodes handle all sessions generated from the external users and guests directed to the NetWeaver Gateway, essentially working as a Front-end in the outer DMZ. Thanks to the RSAccess solution, it is now possible to close the HTTPS port on the firewall located between the two DMZ segments, as the internal RSAccess will now be opening an outbound port from the inner DMZ to the external RSAccess.

9 SECURING NETWEAVER DEPLOYMENTS The benefits of deploying the RSAccess solution in this deployment include: Improved data security by completely closing the solution required ports in the outer DMZ s firewall that can be exploited by external hackers. Mitigation of application level attacks passing through the DMZ security layers targeting the solution. Unaffected performance, with end users completely unaware of the background communications processes. Replacing the DMZ reverse proxy which requires opening ports and which is susceptible to attacks. Increasing the NetWeaver gateway s security by migrating it into the inner DMZ segment.. Conclusion In conclusion, we saw that organizations deploy NetWeaver and Business Suite solutions in a variety of architectures, each with its benefits and challenges. While the deployments different in architecture, they have a common security challenge where sensitive data can be compromised by external attackers. By deploying RSAccess in conjunction with the deployments, organizations can now continue to expose their solutions to the organization s external users and guests while ensuring the highest level of security and reducing costs. To learn more about how to integrate RSAccess with your environment please go to Safe-T Data Ltd. All Rights Reserved. Safe-T and all other Safe-T product and service names are registered trademarks of Safe-T Data in the U.S. and other countries. All other trademarks and names are the property of their respective owners.