Remote Connectivity for mysap.com Solutions over the Internet Technical Specification




Technical Specification, June 2009

1 Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

- SAProuter with Secure Network Communications (SNC) over the Internet
- Virtual Private Network (VPN)

This document describes both alternatives and their technical specifications, and compares the two options. If you read this document, you will have enough information to decide which option is better for your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet. In other words, strong encryption will be employed for data that travels over the Internet.

2 Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) at SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

SNC-secured SAProuter-to-SAProuter connections are established between SAP and the customer's SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection (see diagram below). Customers are required to install a SAProuter with an official, static IP address (DHCP addresses will not work), running SNC for inbound and outbound connections to SAP, at their end of the connection in a demilitarized zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters. The certificates needed are available on the SAP Service Marketplace.
VPN

LAN-to-LAN IPSec VPNs are established between SAP and the customer's network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at the customer's side must be reachable from the Internet (see diagram below). Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters. For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In the future, certificate-based authentication is likely to be utilized.

VPN access can also be achieved through a telecommunication provider. The provider will then be connected to SAP's VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers available. This option is not covered in this document. For more information, contact SAP.

3 Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over the Internet
[Diagram components: SAP Corporate Network, Firewall, SAProuter @ SAP (with SNC), Router, public interfaces (official IP addresses), Internet, Router, SAProuter @ Customer (with SNC), Firewall, Customer's Internal Network, R/3 System. The SNC tunnel (encrypted) runs between the two SAProuters.]

Figure 2 - VPN
[Diagram components: SAP Corporate Network, SAProuter @ SAP (official IP address, not public), VPN Switch, Firewall, Router, public interfaces (official IP addresses), Internet, Router, Firewall, VPN Switch, SAProuter @ Customer, Customer's Internal Network, R/3 System. The IPSec tunnel (encrypted) runs between the two VPN switches.]

Technical Requirements

SAProuter / SNC via Internet

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Official IP address (static) for the SAProuter host
4. SAProuter installation package
5. SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
6. A demilitarized zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at http://service.sap.com/systemmanagement (choose: Security > Security in Detail > SAP Security Guides). More information on SNC connections is also available in the SAP Service Marketplace.
7. Since the host running the SAProuter software is a full computer with an operating system, security at the operating system level must be hardened in order to minimize the risk of the machine being hacked from the Internet. One recommendation, for example, is to run a C2 security level compliant operating system. SAP takes no liability if the security of the company's network is compromised.
8. Other networking equipment (routers and hubs) needed to form the network at the customer's premises (see Figure 1).

VPN

1. Internet connection: recommended minimum bandwidth = 64 kbps
2. SAProuter machine
3. Two (2) official IP subnets. These IP subnets are assigned to:
   - The public interface of the VPN box. Additionally, this IP subnet must be routed in the Internet.
   - The customer's SAProuter
4. If the customer is operating any firewall(s) to secure its connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customer's firewall must allow UDP port 500 (IKE) and IP protocol 50 (ESP).
5. Recommended VPN equipment: SAP is using CISCO VPN equipment. Customers may also try to connect using other IPSec-compliant VPN equipment. The equipment must support certain IPSec features (see Appendix A) that are mandatory to establish communication with SAP's VPN equipment. SAP cannot guarantee interoperability between SAP's CISCO VPN equipment and other types of VPN equipment that the customer elects to use instead. If you wish to use other VPN equipment, contact SAP.
6. Other networking equipment (routers and switches / hubs) needed to form the network at the customer's premises (see Figure 2).
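Requirement 4 of the VPN option, modelled as a small firewall policy check run over sample traffic. This is an added example, not part of the SAP document; the gateway and SAProuter addresses are constructed placeholders.

```python
# Added example, not part of the SAP document: a model of the perimeter policy that
# requirement 4 of the VPN option describes. Only IKE (UDP port 500) and ESP (IP
# protocol 50) may pass, and only between the two VPN gateways' public interfaces;
# everything else, including direct Internet access to the SAProuter, is dropped.
# All addresses are constructed placeholders, not SAP's or any customer's.
from dataclasses import dataclass

SAP_VPN_GW = "198.51.100.10"      # assumed public interface of SAP's VPN switch
CUST_VPN_GW = "203.0.113.17"      # assumed public interface of the customer's VPN switch
CUST_SAPROUTER = "203.0.113.34"   # assumed official address of the customer's SAProuter

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50   # IP protocol numbers
IKE_PORT = 500                                # UDP port for IKE, as the document requires

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int = 0    # 0 for protocols without ports (ESP)

# The only endpoint pairs allowed to exchange IPsec across the perimeter, both directions.
VPN_PEERS = {(SAP_VPN_GW, CUST_VPN_GW), (CUST_VPN_GW, SAP_VPN_GW)}

def policy(pkt: Packet) -> str:
    """Decide ACCEPT or DROP for one packet at the customer's Internet-facing firewall."""
    if (pkt.src, pkt.dst) in VPN_PEERS:
        if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
            return "ACCEPT"   # IKE negotiation between the two VPN gateways
        if pkt.proto == PROTO_ESP:
            return "ACCEPT"   # the encrypted tunnel traffic itself
    return "DROP"             # default deny: nothing else crosses from the Internet

def iptables_rules() -> list:
    """Render the same policy as iptables FORWARD-chain rules (strings only; nothing is applied)."""
    rules = []
    for s, d in sorted(VPN_PEERS):
        rules.append(f"-A FORWARD -p udp -s {s} -d {d} --dport {IKE_PORT} -j ACCEPT")
        rules.append(f"-A FORWARD -p esp -s {s} -d {d} -j ACCEPT")
    rules.append("-A FORWARD -j DROP")
    return rules

# Constructed sample traffic: two legitimate IPsec packets and two that must be dropped.
SAMPLE = [
    Packet(PROTO_UDP, SAP_VPN_GW, CUST_VPN_GW, IKE_PORT),    # IKE from SAP's gateway
    Packet(PROTO_ESP, CUST_VPN_GW, SAP_VPN_GW),              # ESP back to SAP's gateway
    Packet(PROTO_UDP, "192.0.2.99", CUST_VPN_GW, IKE_PORT),  # IKE from an unknown host
    Packet(PROTO_TCP, "192.0.2.99", CUST_SAPROUTER, 3299),   # SAProuter's port 3299 straight from the Internet
]
```

The last sample packet shows the point the comparison table makes for the VPN option: the SAProuter is never reachable from the Internet, only through the tunnel.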

3.1 Comparison of the Two Options

Hardware requirements
  SAProuter/SNC via Internet: Firewall + SAProuter host in DMZ
  VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Software
  SAProuter/SNC via Internet: SAProuter starting from NI version 35. SAPSECULIB can be obtained from the Service Marketplace.
  VPN: SAProuter starting from NI version 35

Network addresses (besides addresses of router, firewall, ...)
  SAProuter/SNC via Internet: 1 official static IP address for SAProuter
  VPN: 1 official static IP address for VPN switch + 1 official static IP address for SAProuter host

Configuration issues
  SAProuter/SNC via Internet: Careful setup of saprouttab necessary for security. Saprouttab influences security strongly, as access is controlled via saprouttab and firewall.
  VPN: Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly, as access is controlled via VPN switch, SAProuter software and firewall.

Encryption
  SAProuter/SNC via Internet: By software
  VPN: By hardware

Encrypted data
  SAProuter/SNC via Internet: TCP packets. Only the data stream between SAProuters is encrypted. Encryption is handled on the application layer (OSI layer 7).
  VPN: IPsec (IP packets). Encryption is handled on the IP layer (OSI layer 3).

Minimum required free bandwidth
  SAProuter/SNC via Internet: 64 kbit/s, but may also work with 32 kbit/s
  VPN: 64 kbit/s

Supported services on SAP side
  SAProuter/SNC via Internet: All except FTP (file download). Please note: NO access available to SAP internal systems!
  VPN: All, including FTP (file download)

Key management
  SAProuter/SNC via Internet: Digital certificates, requested via the Service Marketplace Public Key Infrastructure (PKI)
  VPN: Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI)

Key storage
  SAProuter/SNC via Internet: In file system
  VPN: In VPN switch

Operating system
  SAProuter/SNC via Internet: SAProuter resides on a computer, therefore it is necessary to harden security at the operating system level (for example, a C2 level OS) to minimize the risk of the machine being hacked from the Internet.
  VPN: The VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much less. However, security hardening measures at the SAProuter operating system level are also recommended.

Additional expertise
  SAProuter/SNC via Internet: SAProuter knowledge usually available; SNC configuration requires additional knowledge
  VPN: VPN hardware requires special knowledge, higher technical expertise

Standards
  SAProuter/SNC via Internet: Based on SNC, SAP proprietary standard
  VPN: Based on IPSec, well-established industry standard

Contributing to costs
  SAProuter/SNC via Internet:
  - Firewall hardware and software
  - Firewall administration costs
  - No additional license fee for security library based on SECUDE
  VPN:
  - Firewall hardware and software
  - Firewall administration costs
  - Costs for VPN hardware and setup
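The saprouttab access control that the comparison calls the strongest security lever of the SNC option, as an added example that is not part of the SAP document: a simplified parser and route checker run over a constructed saprouttab. The matching semantics, the SNC name and all hosts are assumptions of the example, not a statement of SAProuter's exact behaviour.

```python
# Added example, not part of the SAP document: a simplified evaluator for the saprouttab
# access table that the comparison above says "influences security strongly". The
# semantics modelled are an assumption of this example, not SAProuter's exact behaviour:
# first matching line decides; P/D/S lines match unprotected connections by source host,
# KP/KD/KS lines match SNC-protected connections by peer SNC name; no match means deny.
import ipaddress
import shlex

def host_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; a CIDR prefix matches an IP by network; otherwise exact match."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    return pattern == host

def parse_saprouttab(text: str) -> list:
    """Parse P/D/S and KP/KD/KS entries into rule dicts; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])   # quoted SNC names may contain spaces
        if not parts:
            continue
        kind = parts[0].upper()
        if kind not in ("P", "D", "S", "KP", "KD", "KS"):
            raise ValueError(f"unsupported saprouttab entry: {raw.strip()}")
        rules.append({"kind": kind[-1], "snc": kind.startswith("K"), "src": parts[1],
                      "dst": parts[2], "svc": parts[3],
                      "pwd": parts[4] if len(parts) > 4 else None})
    return rules

def check_route(rules, src, dst, svc, snc_name=None, password=None, native=False) -> str:
    """Return 'ALLOW' or 'DENY' for one route request; snc_name set means SNC-protected."""
    for r in rules:
        if r["snc"] != (snc_name is not None):
            continue                              # K* lines for SNC peers, P/D/S for plain ones
        peer = snc_name if r["snc"] else src
        if not (host_matches(r["src"], peer) and host_matches(r["dst"], dst)):
            continue
        if r["svc"] not in ("*", svc):
            continue
        if r["kind"] == "D" or (r["kind"] == "S" and native):
            return "DENY"                         # D denies; S permits SAP protocols only
        if r["pwd"] is not None and password != r["pwd"]:
            return "DENY"                         # password-protected line, wrong password
        return "ALLOW"
    return "DENY"                                 # implicit deny when no line matches

SAP_SNC_NAME = "p:CN=sap-support-router, OU=Example, O=SAP, C=DE"   # placeholder, not SAP's real name
SAMPLE_SAPROUTTAB = f'''
# constructed sample for a customer DMZ SAProuter (not an SAP-provided file)
KP "{SAP_SNC_NAME}" 10.1.1.5 3200          # SAP support -> one R/3 dialog service only
KD "{SAP_SNC_NAME}" * *                    # nothing else over the SNC tunnel
P  10.1.0.0/16 sap-router.example 3299     # internal hosts outbound to SAP's SAProuter
D  * * *                                   # everything else denied
'''
```

The sample table lets SAP's SNC peer reach exactly one dialog service and denies every unprotected request from outside, which is the shape the document's DMZ SAProuter needs.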

3.2 Terms and Conditions

1. The customer is responsible for obtaining any and all approval(s) for importing and operating their equipment, as may be required by the respective local laws and regulations. The use of cryptographic software and hardware is regulated in some countries.
2. All costs for setting up the necessary infrastructure at the customer's premises are to be borne by the customer.
3. Both parties are responsible for securing their respective ends of the connection against unauthorized third-party access.

Appendix A Mandatory IPSec Features (for the VPN option)

- Encapsulating Security Protocol (ESP)
- Internet Key Exchange (IKE), with support of Diffie-Hellman Group 2 (1024-bit keys)
- Encryption algorithm: Triple DES (3DES)
- Authentication algorithm: HMAC-MD5 and HMAC-SHA1
- Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates
- Support for Diffie-Hellman Group 2 (keys of 1024 bits)
- Perfect Forward Secrecy
- Key exchanges using PKIs

Appendix B Remote Customer Support Network over the Internet: Connection Data Sheet

Please complete and fax this data sheet to the SAP Network Hotline at +49 (180) 5 34 34 30.

1. Customer Information
   Company:
   Customer No.:
   Contact person networking:
   Tel.:
   E-mail address:
   Fax:

2. Desired Connectivity Option
   [ ] SAProuter / SNC via Internet
   [ ] VPN

3. Networking Information
   IP address of SAProuter computer:
   Host name of SAProuter computer:
   IP address of VPN switch (if applicable):
   Type of VPN switch, brand and model (if applicable):

4. Information About Your Connection
   Type of connection (mark one):
   [ ] Frame Relay  [ ] ISDN  [ ] Leased line  [ ] X.25  [ ] Dial-up  [ ] xDSL  [ ] Other:
   Bandwidth of your connection (in kbps):
   % of current utilization of your bandwidth:

5. Additional Observations

You need official IP addresses for the computer on which the communication software SAProuter and the proxy for the remote access are installed (this also applies to the VPN switch). Private address spaces such as the following cannot be used:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

If you do not have your own official IP addresses, obtain one from your Internet Service Provider (ISP).

If you have any of the following questions:

- How do I fill in the data sheet?
- How can I obtain an IP address?
- What type of software and hardware do I need to establish remote access?
- Questions on the use of a firewall
- What kind of costs can I anticipate?

contact the consulting partner responsible for your area, or contact the SAP Network Hotline:

Fax: +49 180 53 434 30
Tel.: +49 180 53 434 38