Remote Connectivity for SAP Solutions over the Internet Technical Specification


Technical Specification, June 2006

1 Introduction

SAP offers secure connections over the Internet for support purposes. Currently, two alternative ways are available to connect to the Support Network over the Internet:

- SAProuter with Secure Network Communications (SNC) over the Internet
- Virtual Private Network (VPN)

This document describes both alternatives and their technical specifications, and compares the two options. After reading it, you will have enough information to decide which option better suits your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet; in other words, strong encryption is employed for all data that travels over the Internet.

2 Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) at SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

SNC-secured SAProuter connections are established between SAP's SAProuter and the customer's SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology is employed. Compared to a leased-line setup, no additional hardware is required at either end of the connection (see Figure 1).

Customers are required to install, in a demilitarized zone at their end of the connection, a SAProuter with an official, static IP address (DHCP addresses will not work) running SNC for inbound and outbound connections to SAP. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters. The certificates needed are available on the SAP Service Marketplace.
VPN

LAN-to-LAN IPsec VPNs are established between SAP's network and the customer's network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology is employed. VPN equipment is required at both ends of the connection, and the VPN switch at the customer's side must be reachable from the Internet (see Figure 2).

Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.

For the pilot project, access control and authentication at the VPN gateways are regulated using static keys. SAP generates these keys and provides them to the customer. In future, certificate-based authentication is likely to be used.

VPN access can also be achieved through a telecommunications provider. The provider is then connected to SAP's VPN switch and can offer connections to customers over the Internet. SAP will compile a list of VPN-enabled providers. This option is not covered in this document; for more information, contact SAP.

3 Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over the Internet. Elements shown: SAProuter @ SAP (with SNC) and SAProuter @ Customer (with SNC), each behind a firewall and a router whose public interfaces carry official IP addresses; an SNC tunnel (encrypted) between the two SAProuters; the SAP corporate network on one side and the customer's internal network with the R/3 system on the other.

Figure 2 - VPN. Elements shown: a VPN switch at SAP and a VPN switch at the customer, each behind a router whose public interfaces carry official IP addresses, with a firewall on each side; an IPsec tunnel (encrypted) between the two VPN switches; SAProuter @ SAP and SAProuter @ Customer behind the VPN switches, on official IP addresses that are not public; the SAP corporate network on one side and the customer's internal network with the R/3 system on the other.

Technical Requirements

SAProuter / SNC via Internet

1. Internet connection: recommended minimum bandwidth 64 kbps.
2. SAProuter machine.
3. Official (static) IP address for the SAProuter host.
4. SAProuter installation package.
5. SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
6. A demilitarized zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at http://service.sap.com/systemmanagement (choose Security > Technical Track > SAP Security Guide). More information on SNC connections is also available in the SAP Service Marketplace.
7. Since the host running the SAProuter software is a full computer with an operating system, security at the operating system level must be hardened to minimise the risk of the machine being hacked from the Internet. One recommendation is, for example, to run a C2 security level compliant operating system. SAP takes no liability if the security of the company's network is compromised.
8. Other networking equipment (routers and hubs) needed to form the network at the customer's premises (see Figure 1).

VPN

1. Internet connection: recommended minimum bandwidth 64 kbps.
2. SAProuter machine.
3. Two (2) official IP subnets. These IP subnets are assigned to:
   - the public interface of the VPN box; additionally, this IP subnet must be routed in the Internet;
   - the customer's SAProuter.
4. If the customer operates any firewall(s) to secure its Internet connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customer's firewall must allow UDP port 500 (IKE) and IP protocol 50 (ESP).
5. Recommended VPN equipment: Nortel Contivity 1500 Extranet Switch or Nortel Contivity 600 Extranet Switch (with 3DES encryption). Customers may also connect using any other IPsec-compliant VPN equipment, for example Cisco (PIX or router with VPN IOS), Check Point FW-1, Linux FreeS/WAN, SonicWall, WatchGuard, etc. The equipment must always support the IPsec features listed in Appendix A, which are mandatory to establish communication with SAP's VPN.
6. Other networking equipment (routers and switches/hubs) needed to form the network at the customer's premises (see Figure 2).
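The following is an added example, not part of SAP's specification, showing what requirement 4 of the VPN option looks like as a check over firewall logs from the customer's public interface: only IKE (UDP port 500) and ESP (IP protocol 50) exchanged between SAP's VPN switch and the customer's VPN switch are expected; IKE or ESP from any other peer, and any attempt to reach the SAProuter port directly from the Internet, should be dropped and is worth reviewing. The gateway addresses and the iptables-style log lines are constructed placeholders (RFC 5737 documentation ranges), not SAP's real addresses, and the log prefix "IPSEC-IN" is hypothetical.

```python
"""Check public-interface firewall logs against the IPsec pinhole requirement
of the VPN option: only IKE (UDP 500) and ESP (IP protocol 50) between the
two VPN gateways' public interfaces are expected; everything else is dropped.
Added example; all addresses and log lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges); SAP's real
# gateway address is not given on this page.
SAP_VPN_GATEWAY = "192.0.2.10"
CUSTOMER_VPN_GATEWAY = "198.51.100.20"

# Constructed sample lines in the style of the iptables LOG target; the prefix
# "IPSEC-IN" is a hypothetical log prefix chosen for this example.
SAMPLE_LOG = """\
Jun 10 09:12:01 fw kernel: IPSEC-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.20 PROTO=UDP SPT=500 DPT=500 LEN=268
Jun 10 09:12:02 fw kernel: IPSEC-IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.20 PROTO=ESP SPI=0x1a2b3c4d
Jun 10 09:13:44 fw kernel: IPSEC-IN IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=UDP SPT=500 DPT=500 LEN=200
Jun 10 09:13:45 fw kernel: IPSEC-IN IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=ESP SPI=0x00000001
Jun 10 09:14:00 fw kernel: IPSEC-IN IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=3299
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPI=\S+)?(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

Event = Dict[str, Optional[str]]


def parse_log(text: str) -> List[Event]:
    """Extract src, dst, proto and ports from every line that carries them."""
    matches = (LOG_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def is_ipsec(ev: Event) -> bool:
    """IKE on UDP/500 or ESP. NAT traversal (UDP/4500) is not part of the 2006
    requirement and is deliberately left out; add it if NAT-T is in use."""
    return ev["proto"] == "ESP" or (ev["proto"] == "UDP" and ev["dpt"] == "500")


def permitted_by_requirement(ev: Event) -> bool:
    """Requirement 4: IKE/ESP only between the two gateways' public interfaces."""
    return is_ipsec(ev) and {ev["src"], ev["dst"]} == {SAP_VPN_GATEWAY, CUSTOMER_VPN_GATEWAY}


def audit(events: List[Event]) -> Dict[str, object]:
    """Split events into expected tunnel traffic, IKE/ESP from unexpected peers
    (worth reviewing) and other traffic that the default-deny policy drops."""
    report = {"permitted": 0, "unexpected_ipsec_peers": Counter(), "other": 0}
    for ev in events:
        if permitted_by_requirement(ev):
            report["permitted"] += 1
        elif is_ipsec(ev):
            report["unexpected_ipsec_peers"][ev["src"]] += 1
        else:
            report["other"] += 1
    return report


if __name__ == "__main__":
    print(audit(parse_log(SAMPLE_LOG)))
```

Run against the constructed sample, the audit counts the two packets from SAP's gateway as permitted, attributes two IKE/ESP packets to the unexpected peer 203.0.113.77, and files the direct TCP/3299 attempt under other dropped traffic; the SAProuter port is never opened on the public interface in the VPN option because all service traffic arrives through the tunnel.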

3.1 Comparison of the Two Options

For each property, the first value applies to the SAProuter / SNC via Internet option and the second to the VPN option.

Hardware requirements
  SAProuter / SNC: Firewall + SAProuter host in DMZ
  VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Software
  SAProuter / SNC: SAProuter starting from NI version 35; SAPSECULIB can be obtained from the Service Marketplace
  VPN: N.A.

Network addresses (besides the addresses of router, firewall, etc.)
  SAProuter / SNC: 1 official static IP address for the SAProuter
  VPN: 1 official static IP address for the VPN switch + 1 official static IP address for the SAProuter host

Configuration issues
  SAProuter / SNC: Careful setup of saprouttab is necessary for security. saprouttab influences security strongly, as access is controlled via saprouttab and the firewall.
  VPN: Careful setup of the routing configuration in the VPN switch is necessary for security. saprouttab influences security less strongly, as access is controlled via the VPN switch, the SAProuter software and the firewall.

Encryption
  SAProuter / SNC: By software
  VPN: By hardware

Encrypted data
  SAProuter / SNC: TCP packets; only the data stream between the SAProuters is encrypted. Encryption is handled on the application layer (OSI layer 7).
  VPN: IPsec (IP packets). Encryption is handled on the IP layer (OSI layer 3).

Minimum required free bandwidth
  SAProuter / SNC: 64 kbit/s, but may also work with 32 kbit/s
  VPN: 64 kbit/s

Supported services on SAP side
  SAProuter / SNC: All except FTP (file download)
  VPN: All, including FTP (file download)

Key management
  SAProuter / SNC: Digital certificates requested via the Service Marketplace Public Key Infrastructure (PKI)
  VPN: Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI)

Key storage
  SAProuter / SNC: In the file system
  VPN: In the VPN switch

Operating system
  SAProuter / SNC: SAProuter resides on a computer; therefore it is necessary to harden security at the operating system level (for example, a C2 level OS) to minimize the risk of the machine being hacked from the Internet.
  VPN: The VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much lower. However, security hardening measures at the SAProuter operating system level are also recommended.

Additional expertise
  SAProuter / SNC: SAProuter knowledge is usually available; SNC configuration requires additional knowledge.
  VPN: VPN hardware requires special knowledge and higher technical expertise.

Standards
  SAProuter / SNC: Based on SNC, an SAP proprietary standard
  VPN: Based on IPsec, a well-established industry standard

Contributing to costs
  SAProuter / SNC: firewall hardware and software; firewall administration costs; no additional license fee for the security library based on SECUDE
  VPN: firewall hardware and software; firewall administration costs; costs for VPN hardware and setup
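Because the comparison rates saprouttab as the control that most strongly determines security in the SNC option (and still matters in the VPN option), here is an added example, not SAP's code and not part of the specification, of a small checker that parses a route permission table, evaluates a connection request the way SAProuter does (first matching entry wins, no match means deny) and lints for overly permissive wildcard entries. The table contents, host names, subnet and SNC name are constructed placeholders. The entry forms handled are P/S/D for plain routes and KP/KS/KD with a quoted SNC partner name for SNC routes, with KT entries skipped; that reading of the saprouttab syntax is an assumption of this example and should be checked against the SAProuter documentation for the version in use.

```python
"""Parse a saprouttab, evaluate route requests and lint for wildcard permits.
Added example; the table, hosts and SNC name below are constructed."""
import fnmatch
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample saprouttab. The SNC name, host name and subnet are
# placeholders; the R/3 dispatcher port 3200 and gateway port 3300 are the
# conventional instance-00 ports.
SAMPLE_SAPROUTTAB = """\
# SNC route: SAP's support SAProuter (placeholder SNC name) may reach the R/3 dispatcher
KP "p:CN=sapserv-placeholder, O=SAP-AG, C=DE" r3host.internal.example 3200
# Internal administration subnet may reach dispatcher and gateway without SNC
P  10.10.1.0/24 r3host.internal.example 3200
P  10.10.1.0/24 r3host.internal.example 3300
# Explicit catch-all deny (SAProuter also denies unmatched routes)
D  * * *
"""


@dataclass
class Route:
    line: int
    kind: str                  # "P" permit, "S" permit SAP protocol only, "D" deny
    snc: bool                  # True for K* entries (assumed: first field is the SNC partner name)
    source: str                # source host pattern, or SNC partner name for SNC entries
    dest: str
    service: str
    password: Optional[str] = None


def parse_saprouttab(text: str) -> List[Route]:
    """Read entries in order; comments and blank lines are ignored."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # keeps the quoted SNC name as one field
        tag = fields[0].upper()
        if tag == "KT":                     # assumed: SNC termination entry, not a permission rule
            continue
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {fields}")
        snc = tag.startswith("K")
        kind = tag[1:] if snc else tag
        if kind not in ("P", "S", "D"):
            raise ValueError(f"line {lineno}: unknown entry type {tag!r}")
        password = fields[4] if len(fields) > 4 else None
        routes.append(Route(lineno, kind, snc, fields[1], fields[2], fields[3], password))
    return routes


def _matches(pattern: str, value: str) -> bool:
    """'*' wildcards for hosts, names and services; CIDR match when the pattern has a '/'."""
    if pattern == "*":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(routes: List[Route], source_host: str, dest_host: str, dest_service: str,
             snc_name: Optional[str] = None) -> Tuple[str, int]:
    """First matching entry decides; returns (decision, line). Unmatched requests
    are denied and reported as line 0."""
    for r in routes:
        if r.snc:
            if snc_name is None or not _matches(r.source, snc_name):
                continue                    # SNC entries never match a non-SNC request
        elif not _matches(r.source, source_host):
            continue
        if _matches(r.dest, dest_host) and _matches(r.service, dest_service):
            return ("permit" if r.kind in ("P", "S") else "deny", r.line)
    return ("deny", 0)


def lint(routes: List[Route]) -> List[str]:
    """Flag permit entries that turn the SAProuter into an open relay."""
    findings = []
    for r in routes:
        if r.kind == "D":
            continue
        if r.dest == "*" and r.service == "*":
            findings.append(f"line {r.line}: permits any destination and any service")
        if not r.snc and r.source == "*" and r.service == "*":
            findings.append(f"line {r.line}: permits any source to {r.dest} on any service")
    return findings


ROUTES = parse_saprouttab(SAMPLE_SAPROUTTAB)

if __name__ == "__main__":
    print(evaluate(ROUTES, "203.0.113.7", "r3host.internal.example", "3200",
                   snc_name="p:CN=sapserv-placeholder, O=SAP-AG, C=DE"))
    print(evaluate(ROUTES, "203.0.113.7", "r3host.internal.example", "3200"))
    print(lint(parse_saprouttab("P * * *")))
```

The two evaluate calls show the point the comparison makes: the same request from the same Internet address is permitted only when it arrives inside an SNC connection with the expected partner name, and falls through to the deny entry otherwise. The lint catches the classic mistake of a `P * * *` entry, which would let anyone reaching the SAProuter port relay to any host and port.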

3.2 Terms and Conditions

1. The customer is responsible for obtaining any and all approval(s) for importing and operating their equipment, as may be required by the respective local laws and regulations. The use of cryptographic software and hardware is regulated in some countries.
2. All costs for setting up the necessary infrastructure at the customer's premises are to be borne by the customer.
3. Both parties are responsible for securing their respective ends of the connection against unauthorized third-party access.

Appendix A: Mandatory IPsec Features (for the VPN option)

- Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE), with support for Diffie-Hellman Group 2 (1024-bit keys)
- Encryption algorithm: Triple DES (3DES)
- Authentication algorithms: HMAC-MD5 and HMAC-SHA1
- Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates
- Support for Diffie-Hellman Group 2 (1024-bit keys)
- Key exchanges using PKIs

Appendix B: Remote Customer Support Network over the Internet - Connection Data Sheet

Please complete and fax this data sheet to the SAP Network Hotline at +49 (180) 5 34 34 30.

1. Customer Information
   Company:
   Customer No.:
   Contact person (networking):
   Tel.:
   E-mail address:
   Fax:

2. Desired Connectivity Option
   [ ] SAProuter / SNC via Internet
   [ ] VPN

3. Networking Information
   IP address of SAProuter computer:
   Host name of SAProuter computer:
   IP address of VPN switch (if applicable):
   Type of VPN switch, brand and model (if applicable):

4. Information About Your Internet Connection
   Type of connection (mark one):
   [ ] Frame Relay  [ ] ISDN  [ ] Leased line  [ ] X.25  [ ] Dial-up  [ ] xDSL  [ ] Other:
   Bandwidth of your connection (in kbps):
   % of current utilization of your bandwidth:

5. Additional Observations

You need official IP addresses for the computer on which the communication software SAProuter and the proxy for remote access are installed (this also applies to the VPN switch). Private address spaces such as

   10.0.0.0 - 10.255.255.255
   172.16.0.0 - 172.31.255.255
   192.168.0.0 - 192.168.255.255

cannot be used. If you do not have your own official IP addresses, obtain one from your Internet Service Provider (ISP).

If you have any of the following questions:

- How do I fill in the data sheet?
- How can I obtain an IP address?
- What type of software and hardware do I need to establish remote access?
- Questions on the use of a firewall
- What kind of costs can I anticipate?

contact the consulting partner responsible for your area, or contact the SAP Network Hotline: Fax +49 180 53 434 30, Tel. +49 180 53 434 38.