SECURING NETWEAVER DEPLOYMENTS
An RSAccess White Paper
Contents

1. Introduction
2. NetWeaver Deployments
3. Safe-T RSAccess Overview
4. Securing NetWeaver Deployments with Safe-T RSAccess
4.1 NetWeaver Standard 3-tier Deployment
4.1.1 Deployment Overview
4.1.2 Deployment Advantages
4.1.3 Deployment Disadvantages
4.1.4 The Advantages of Deploying Safe-T RSAccess
4.2 NetWeaver Dual DMZ Deployment
4.2.1 Deployment Overview
4.2.2 Deployment Advantages
4.2.3 Deployment Disadvantages
4.2.4 The Advantages of Deploying Safe-T RSAccess
Conclusion
1. Introduction

NetWeaver is SAP's integrated technology computing platform and the technical foundation for many SAP applications, for example mySAP Business Suite and SAP xApps. It provides the development and runtime environment for SAP applications and can be used for custom development and for integration with other applications and systems. The NetWeaver technology platform is a comprehensive integration and application platform that helps reduce the enterprise's total cost of ownership (TCO). It facilitates the integration and alignment of people, information, and business processes across organizational and technological boundaries. NetWeaver integrates information and applications from virtually any source and is designed for reliability, security, and scalability, so that the enterprise's mission-critical business processes run smoothly. More information on NetWeaver can be found at www.sap.com.

2. NetWeaver Deployments

NetWeaver solutions are usually deployed in one of the following architectures:
- Standard 3-tier deployment, where all solution tiers (NetWeaver Gateway front-end, web server, NetWeaver application servers, database, etc.) are located in the internal network.
- Secured (dual DMZ) deployment, where the solution tiers are split between two DMZ tiers (outer DMZ and inner DMZ) and the internal network.

3. Safe-T RSAccess Overview

RSAccess is Safe-T's Secure Front-End solution for protecting the internal network from external access. It removes the need to open any inbound ports on the internal firewall and is intended to protect enterprise data networks from the Internet and other public networks. The RSAccess Secure Front-End solution is a two-tier deployment:
1. External RSAccess node, installed in the DMZ segment.
2. Internal RSAccess node, installed on a LAN segment.

The role of the external RSAccess node is to act as a front-end to all services published within the DMZ.
It operates without the need to open any inbound ports on the internal firewall and ensures that only legitimate session data passes through into the LAN. It can be deployed in two main locations within the DMZ:
- Before the web/application front-ends, replacing them completely.
- After the web/application front-ends, providing an additional layer of defense within the DMZ and preventing attacks from being launched from compromised front-end servers.

The role of the internal RSAccess node is to pull the session data from the external RSAccess node into the LAN, authenticate it using a variety of mechanisms, scan it using various security techniques including an application firewall, and then pass it to the destination application server.
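The following is an added illustration of the pull (reverse-connect) pattern described above. It was written for this edit, is not RSAccess code, and does not reproduce Safe-T's listener technology. Three roles are simulated with threads on the loopback interface: an external node that accepts client connections and the single connection dialled out by the internal node; an internal node that never listens but pulls each request, applies an assumed application-layer check and forwards it to a stand-in application server; and that stand-in server, which plays the NetWeaver Gateway. The length-prefixed framing on the relay channel, the "/sap/" path policy, and the response texts are assumptions.

```python
import socket
import struct
import threading

# Framing for the relay channel (assumed: 4-byte big-endian length prefix).

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)

def send_frame(sock: socket.socket, data: bytes) -> None:
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, length)

def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # loopback stands in for the DMZ and LAN segments
    s.listen(8)
    return s

def inspect_request(req: bytes) -> bool:
    """Stand-in for the internal node's application-layer check: forward only
    well-formed GET/POST requests for the published /sap/ path (assumed policy)."""
    request_line = req.split(b"\r\n", 1)[0].split(b" ")
    return (len(request_line) == 3
            and request_line[0] in (b"GET", b"POST")
            and request_line[1].startswith(b"/sap/"))

def app_server(listener: socket.socket, expected: int) -> None:
    """Stand-in for the NetWeaver Gateway on the LAN: answers `expected` requests."""
    for _ in range(expected):
        conn, _ = listener.accept()
        with conn:
            req = recv_frame(conn)
            send_frame(conn, b"200 OK from LAN: " + req.split(b"\r\n", 1)[0])

def external_node(client_listener, relay_listener, expected: int) -> None:
    """DMZ side: accepts clients and the ONE connection dialled out by the LAN."""
    relay, _ = relay_listener.accept()
    with relay:
        for _ in range(expected):
            client, _ = client_listener.accept()
            with client:
                send_frame(relay, recv_frame(client))   # hand the request inward
                send_frame(client, recv_frame(relay))   # return the reply outward

def internal_node(external_addr, app_addr, expected: int) -> None:
    """LAN side: never listens; dials out, pulls requests, filters, forwards."""
    with socket.create_connection(external_addr) as relay:
        for _ in range(expected):
            req = recv_frame(relay)
            if not inspect_request(req):
                send_frame(relay, b"403 blocked by internal node")
                continue
            with socket.create_connection(app_addr) as app:
                send_frame(app, req)
                send_frame(relay, recv_frame(app))

def run_demo(requests):
    """Drive `requests` through client -> external -> internal -> app and back."""
    client_l, relay_l, app_l = _listener(), _listener(), _listener()
    forwarded = sum(inspect_request(r) for r in requests)
    threads = [
        threading.Thread(target=app_server, args=(app_l, forwarded), daemon=True),
        threading.Thread(target=external_node, args=(client_l, relay_l, len(requests)), daemon=True),
        threading.Thread(target=internal_node,
                         args=(relay_l.getsockname(), app_l.getsockname(), len(requests)), daemon=True),
    ]
    for t in threads:
        t.start()
    replies = []
    for req in requests:
        with socket.create_connection(client_l.getsockname()) as c:
            c.settimeout(5)
            send_frame(c, req)
            replies.append(recv_frame(c))
    for t in threads:
        t.join(timeout=5)
    for l in (client_l, relay_l, app_l):
        l.close()
    return replies

if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one path-traversal attempt.
    for reply in run_demo([b"GET /sap/opu/odata/ HTTP/1.1\r\nHost: gw\r\n\r\n",
                           b"GET /../etc/passwd HTTP/1.1\r\n\r\n"]):
        print(reply)
```

The point to take from the block is which side owns the listening sockets: the client listener and the relay listener both belong to the external node, while the internal node only ever calls connect(). On a real internal firewall that is what lets every inbound rule be removed, with the client's request and response riding as return traffic on the connection the LAN side opened.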
The RSAccess Secure Front-End solution provides the following layers of security protection:

1. User authentication. RSAccess can authenticate users accessing the applications it front-ends (publishes). Authentication can be done using a variety of mechanisms:
a. Authentication via the organization's LDAP or Active Directory systems.
b. Authentication using OpenID / SAML. RSAccess can authenticate either registered users or ad-hoc users with the user's existing personal social network credentials, including all common social networks such as Facebook, Google, Live ID, etc. In addition, RSAccess can perform additional validations, such as security questions (name of first pet, etc.), after the user has been authenticated by the social network provider. The validation answers can be verified by RSAccess itself or by any other third-party database. The combination of social network authentication with the additional validation provides a three-way authentication mechanism which, in addition to being more convenient for the user, provides a high level of security and reduces the organization's operational complexity, as there is no longer a need to store and manage large numbers of user credentials.

2. Blocking Layer 3 and Layer 4 attacks. The main benefit of Safe-T's technology, which passes session data into the internal network without opening any inbound ports on the internal firewall, is that network- and transport-layer attacks from the DMZ, such as port scanning, ICMP scanning, TCP-based attacks, etc., have no open port to reach in the LAN and are blocked completely.

3. Blocking application-level attacks. If an attacker attempts to send an application-level attack, such as an application exploit or malware, through the pair of RSAccess nodes, the attack is blocked by RSAccess's built-in application firewall.
The RSAccess built-in application firewall inspects and controls incoming traffic at the application layer to detect and mitigate RFC manipulation, viruses, Trojans, and other malware, both on clear-text channels and on encrypted channels such as HTTPS.

4. Preventing attacks against RSAccess itself. The external RSAccess node does not run an application to handle incoming sessions; it uses Safe-T's listener technology instead. There is therefore no application on the external node for an attacker to exploit in order to take control of it and use it to launch attacks.

For more information on Safe-T RSAccess, read the Safe-T RSAccess white paper.
4. Securing NetWeaver Deployments with Safe-T RSAccess

4.1 NetWeaver Standard 3-tier Deployment

4.1.1 Deployment Overview

The NetWeaver standard 3-tier deployment is the best-practice deployment when security is less of a concern for the organization. In this deployment all the solution tiers (NetWeaver Gateway front-end, web server, NetWeaver application servers, database, etc.) are located in the internal network and communicate with the organization's user directory (e.g. Active Directory) or IdP (Identity Provider), which is also located within the LAN. Such a deployment serves all users: internal (registered) users, external (registered) users, and external guests.

[Figure 1 - NetWeaver Standard 3-tier Deployment: a reverse proxy in the DMZ; the NetWeaver Gateway, web server, Business Suite and IdP in the internal network; external users and guests connect through the DMZ, internal users connect directly.]

To allow external users and external guests to access the Business Suite, the internal firewall must allow HTTPS traffic (TCP 443) from the Internet into the NetWeaver solution.

4.1.2 Deployment Advantages

The main advantage of this deployment model is its simplicity: all of the solution components are deployed in the same network segment. No cross-network communication is required and all servers are physically located in the same place, so there is minimal latency in traffic flows between the tiers.

4.1.3 Deployment Disadvantages

The main disadvantages of this deployment derive directly from its simplicity and centralized approach. Since all of the solution tiers are located in the LAN, the internal firewall must allow HTTPS traffic (TCP 443) from the Internet into the NetWeaver Gateway residing in the LAN. Opening this port is essential for the external users and guests to be authenticated and
served content from the LAN itself, which means they gain access to the LAN. If any of these users is an attacker, this deployment model provides a very simple means of gaining access to the organization's most confidential data.

4.1.4 The Advantages of Deploying Safe-T RSAccess

As can be seen in figure 2 below, when RSAccess is deployed in conjunction with the NetWeaver standard 3-tier deployment, the external RSAccess node is placed in the DMZ, in front of the internal firewall's external interface, replacing the reverse proxy, and the internal RSAccess node is placed in the LAN, behind the internal firewall's LAN interface.

[Figure 2 - Deploying RSAccess with NetWeaver Standard 3-tier Deployment: the Safe-T RSAccess external node in the DMZ; the Safe-T RSAccess internal node, NetWeaver Gateway, web server, Business Suite and IdP in the internal network; external users and guests connect to the external node, internal users connect directly.]

In this deployment, the pair of RSAccess nodes handles all sessions from external users and guests directed to the NetWeaver Gateway, essentially working as a DMZ front-end. The HTTPS port on the internal firewall can now be closed, because the internal RSAccess node initiates an outbound connection from the LAN to the external RSAccess node and pulls the session data over that connection.

The benefits of deploying the RSAccess solution in this deployment include:
- Improved data security, by completely closing the solution's required ports in the internal firewall, which external attackers could otherwise exploit.
- Mitigation of application-level attacks that pass through the DMZ security layers and target the solution.
- Unaffected performance; end users are completely unaware of the background communication processes.
- Replacing the DMZ reverse proxy, which requires opening ports and is susceptible to attacks.
4.2 NetWeaver Dual DMZ Deployment

4.2.1 Deployment Overview

To ensure the security and protection of the NetWeaver solution, SAP recommends using a dual DMZ deployment, splitting the solution tiers between the DMZs and the internal network segments. This deployment ensures that the security protection provided by the solution's protocols and functions (SSL, SNC, authentication, and authorization) cannot be misused, and lowers the possibility of attacks on the solution's components.

[Figure 3 - NetWeaver Dual DMZ Deployment: a reverse proxy and the NetWeaver Gateway in the outer DMZ; the web server in the inner DMZ; the Business Suite and IdP in the internal network; external users and guests connect through the outer DMZ.]

As can be seen in figure 3 above, the NetWeaver and Business Suite solution is split between the security zones:
- Outer DMZ: the reverse proxy makes sure that requests are not passed directly to the requested resource but are handled by the NetWeaver Gateway's own cache. If internal content is required, the gateway communicates with the web server in the inner DMZ.
- Inner DMZ: the web server receives requests from the gateway in the outer DMZ and serves content. If additional content is required from the internal network, the web server communicates with the Business Suite application servers in the internal network.
- Internal network: holds the solution's application servers, the IdP and the authentication services.

4.2.2 Deployment Advantages

Splitting the NetWeaver solution between the outer DMZ, the inner DMZ and the LAN offers the following advantages:
- Reduced network load: all external content is served from the DMZs, so the internal network only serves internal users.
- Increased protection: the application servers, database servers and user management systems are only accessible by authorized users or resources.
- No guest access to the internal network: since public content is now served from the DMZs and not from the LAN (as in the standard deployment model), guests are blocked from accessing the LAN and any sensitive data stored in it.

4.2.3 Deployment Disadvantages

While splitting NetWeaver and the Business Suite between the DMZs and the LAN offers advantages, it has a serious security disadvantage. In this deployment the NetWeaver Gateway is deployed in the outer DMZ, where it is exposed to attacks and breaches. An attacker who compromises the gateway can use it to launch attacks on the company's internal resources over the HTTP channel that traverses into the LAN.

4.2.4 The Advantages of Deploying Safe-T RSAccess

As can be seen in figure 4 below, when RSAccess is deployed in conjunction with the NetWeaver dual DMZ deployment, the external RSAccess node is placed in the outer DMZ, replacing the reverse proxy, and the internal RSAccess node is placed in the inner DMZ. In addition, deploying RSAccess allows the NetWeaver Gateway to be moved into the inner DMZ.

[Figure 4 - Deploying RSAccess with NetWeaver Dual DMZ Deployment: the Safe-T RSAccess external node in the outer DMZ; the Safe-T RSAccess internal node, the NetWeaver Gateway and the web server in the inner DMZ; the Business Suite and IdP in the internal network; external users and guests connect to the external node.]

In this deployment, the pair of RSAccess nodes handles all sessions from external users and guests directed to the NetWeaver Gateway, essentially working as a front-end in the outer DMZ. The HTTPS port on the firewall between the two DMZ segments can now be closed, because the internal RSAccess node initiates an outbound connection from the inner DMZ to the external RSAccess node.
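As an added example covering the firewall change described for both the standard 3-tier deployment (4.1.4) and the dual DMZ deployment (4.2.4), the following policy model is not Safe-T's or SAP's configuration; it was written for this edit. It evaluates new connections against a default-deny, stateful rule set, contrasts the rule set that must exist without RSAccess (inbound TCP 443 from the DMZ to the gateway) with the one after RSAccess is deployed (a single outbound connection from the internal node), shows that a port scan from a compromised DMZ host finds nothing once the inbound rule is gone while the internal node's return traffic still flows, and renders each rule set as iptables FORWARD rules. The addresses, zone names and interface names are assumptions; for the dual DMZ case read "dmz" as the outer DMZ and "lan" as the inner DMZ.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Rule:
    """A permit rule for NEW connections; None fields match anything."""
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None

@dataclass(frozen=True)
class Flow:
    """A TCP flow identified by its initiator, responder and service port."""
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny forwarding policy with connection tracking."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = tuple(rules)
        self.established = set()

    @staticmethod
    def _matches(rule: Rule, f: Flow) -> bool:
        return (rule.src_zone == f.src_zone and rule.dst_zone == f.dst_zone
                and rule.dport in (None, f.dport)
                and rule.src in (None, f.src)
                and rule.dst in (None, f.dst))

    def new_connection(self, f: Flow) -> str:
        """A SYN is accepted only if some rule permits it; the flow is then tracked."""
        if any(self._matches(r, f) for r in self.rules):
            self.established.add(f)
            return "ACCEPT"
        return "DROP"

    def reply(self, f: Flow) -> str:
        """Return traffic of a tracked flow needs no rule of its own; this is how
        the external node's session data reaches the LAN without an inbound port."""
        return "ACCEPT" if f in self.established else "DROP"

# Assumed addresses and interface names for the standard 3-tier deployment.
GATEWAY, RSA_INT = "10.0.1.10", "10.0.1.20"     # LAN hosts
PROXY, RSA_EXT = "192.0.2.10", "192.0.2.20"     # DMZ hosts
IFACE = {"dmz": "eth1", "lan": "eth2"}

# Without RSAccess: the DMZ reverse proxy must be allowed in to the gateway on 443.
STANDARD_RULES = [Rule("dmz", "lan", 443, src=PROXY, dst=GATEWAY)]
# With RSAccess: the only new connection is the internal node dialling out.
RSACCESS_RULES = [Rule("lan", "dmz", 443, src=RSA_INT, dst=RSA_EXT)]

def to_iptables(rules: Iterable[Rule]) -> List[str]:
    """Render a rule set as iptables FORWARD-chain commands (assumed interfaces)."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = ["iptables -A FORWARD", f"-i {IFACE[r.src_zone]}",
                 f"-o {IFACE[r.dst_zone]}", "-p tcp"]
        if r.src:
            parts.append(f"-s {r.src}")
        if r.dst:
            parts.append(f"-d {r.dst}")
        if r.dport:
            parts.append(f"--dport {r.dport}")
        lines.append(" ".join(parts + ["-j ACCEPT"]))
    return lines

def port_scan(fw: StatefulFirewall, attacker: str, target: str,
              ports=(22, 443, 3200, 8000, 50000)) -> List[int]:
    """LAN ports reachable by an attacker who has taken over a DMZ host."""
    return [p for p in ports
            if fw.new_connection(Flow("dmz", attacker, "lan", target, p)) == "ACCEPT"]

if __name__ == "__main__":
    print("without RSAccess:", port_scan(StatefulFirewall(STANDARD_RULES), PROXY, GATEWAY))
    print("with RSAccess   :", port_scan(StatefulFirewall(RSACCESS_RULES), RSA_EXT, GATEWAY))
    print("\n".join(to_iptables(RSACCESS_RULES)))
```

The check a practitioner wants after such a change is the one port_scan performs: from a host in the DMZ, confirm that no LAN service answers, including the internal RSAccess node itself, and that the only line in the firewall's FORWARD chain with the LAN as its output interface is the ESTABLISHED,RELATED rule.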
The benefits of deploying the RSAccess solution in this deployment include:
- Improved data security, by completely closing the solution's required ports in the outer DMZ's firewall, which external attackers could otherwise exploit.
- Mitigation of application-level attacks that pass through the DMZ security layers and target the solution.
- Unaffected performance; end users are completely unaware of the background communication processes.
- Replacing the DMZ reverse proxy, which requires opening ports and is susceptible to attacks.
- Increasing the NetWeaver Gateway's security by moving it into the inner DMZ segment.

Conclusion

Organizations deploy NetWeaver and Business Suite solutions in a variety of architectures, each with its benefits and challenges. While the deployments differ in architecture, they share a common security challenge: sensitive data can be compromised by external attackers. By deploying RSAccess in conjunction with these deployments, organizations can continue to expose their solutions to external users and guests while ensuring a high level of security and reducing costs. To learn more about how to integrate RSAccess with your environment, please go to http://www.safe-t.com/rsaccess/.

2014 Safe-T Data Ltd. All Rights Reserved. Safe-T and all other Safe-T product and service names are registered trademarks of Safe-T Data in the U.S. and other countries. All other trademarks and names are the property of their respective owners.