OSS Configuring VPN

July 12, 2016 | Author: jallarapu | Category: N/A
Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

• SAProuter with Secure Network Communications (SNC) over the Internet
• Internet Virtual Private Network (VPN)

Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

• SNC secured SAProuter – SAProuter connections are established between SAP and the customer’s SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below.)
• Customers are required to install a SAProuter with an official, static IP address (DHCP addresses will not work) running SNC inbound and outbound connections to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.
• Certificates needed are available on the SAP Service Marketplace.

Internet VPN

• LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at the customer’s side must be reachable from the Internet. (See diagram below.)
• Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.
• For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized.



Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over Internet

VPN access can also be achieved through a telecommunications provider. The provider is then connected to SAP’s VPN switch and can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers available. This option is not covered in this document. For more information, contact SAP.

Figure 2 - Internet VPN

Comparison of the Two Options

Hardware requirements
• SAProuter / SNC via Internet: Firewall + SAProuter host in DMZ
• Internet VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Software
• SAProuter / SNC via Internet: SAProuter starting from NI version 35; SAPSECULIB can be obtained from the Service Marketplace
• Internet VPN: N.A.

Network addresses (besides the addresses of the Internet router, firewall, …)
• SAProuter / SNC via Internet: 1 official static IP address for the SAProuter
• Internet VPN: 1 official static IP address for the VPN switch + 1 official static IP address for the SAProuter host

Configuration issues
• SAProuter / SNC via Internet: Careful setup of saprouttab necessary for security. Saprouttab influences security strongly, as access is controlled via saprouttab and firewall.
• Internet VPN: Careful setup of the routing configuration in the VPN switch necessary for security. Saprouttab influences security less strongly, as access is controlled via VPN switch, SAProuter software and firewall.

Encryption
• SAProuter / SNC via Internet: By software
• Internet VPN: By hardware

Encrypted data
• SAProuter / SNC via Internet: TCP packets. Only the data stream between the SAProuters is encrypted. Encryption is handled on the application layer (OSI layer 7).
• Internet VPN: IPsec (IP packets). Encryption is handled on the IP layer (OSI layer 3).

Minimum required free bandwidth
• SAProuter / SNC via Internet: 64 kbit/s, but may also work with 32 kbit/s
• Internet VPN: 64 kbit/s

Supported services on SAP side
• SAProuter / SNC via Internet: All except FTP (file download)
• Internet VPN: All, including FTP (file download)

Key management
• SAProuter / SNC via Internet: Digital certificates, requested via the Service Marketplace Public Key Infrastructure (PKI)
• Internet VPN: Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI)

Key storage
• SAProuter / SNC via Internet: In the file system
• Internet VPN: In the VPN switch

Operating system
• SAProuter / SNC via Internet: The SAProuter resides on a computer, and therefore it is necessary to harden security at the operating system level (for example, a C2 level OS) to minimize the risk of the machine being hacked from the Internet.
• Internet VPN: The VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much lower. However, security hardening measures at the SAProuter operating system level are also recommended.

Additional expertise
• SAProuter / SNC via Internet: SAProuter knowledge is usually available; SNC configuration requires additional knowledge
• Internet VPN: VPN hardware requires special knowledge and higher technical expertise

Standards
• SAProuter / SNC via Internet: Based on SNC, an SAP proprietary standard
• Internet VPN: Based on IPSec, a well-established industry standard

Contributing to costs
• SAProuter / SNC via Internet: Firewall hardware and software; firewall administration costs; no additional license fee for the security library based on SECUDE
• Internet VPN: Firewall hardware and software costs; firewall administration costs; costs for VPN hardware and setup
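The comparison above stresses that, in the SAProuter/SNC option, saprouttab is what decides who may reach which SAP system, so a mistake there is a direct exposure. The following Python checker is an added example, not part of the original document or of SAP's software: it parses saprouttab entries and flags the weak settings a reviewer would look for. It assumes the standard entry layout <action> <source> <dest> <service> with the actions P/S/D and their SNC variants KP/KS/KT/KD; the SNC name, hosts and ports in the embedded sample are constructed placeholders.

```python
import ipaddress
import shlex

PERMIT_ACTIONS = {"P", "S", "KP", "KS", "KT"}  # everything except D/KD permits a route
PLAIN_PERMIT = {"P", "S"}                      # permits that do not require SNC from the source

# Constructed sample (not from the original document); SNC name and addresses are placeholders.
SAMPLE_SAPROUTTAB = """\
# SAP support, SNC-secured, may reach the SAP dispatcher on 192.168.10.5:3200
KP "p:CN=sapserv-PLACEHOLDER, OU=SAProuter, O=SAP, C=DE" 192.168.10.5 3200
# plain permit from anywhere to anywhere: the weak setting
P * * *
# internal admin host, SAP protocol only (S), no native protocols
S 192.168.10.20 192.168.10.5 3200
# explicit catch-all deny as the last entry
D * * *
"""

def _is_public_ip(host):
    """True only for an IP literal outside private/loopback/reserved ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # wildcard or hostname: cannot be classified offline

def lint_saprouttab(text):
    """Return (line_no, action, message) findings; an empty list means nothing was flagged."""
    findings = []
    last = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # keeps the quoted SNC name as one field
        if not fields:
            continue
        if len(fields) < 4:
            findings.append((line_no, fields[0], "malformed: expected <action> <source> <dest> <service>"))
            continue
        action, source, dest, service = fields[:4]
        last = (action, source, dest, service)
        if action in PERMIT_ACTIONS and dest == "*" and service == "*":
            findings.append((line_no, action, "permits any destination host and any service"))
        if action in PLAIN_PERMIT and source == "*":
            findings.append((line_no, action, "non-SNC permit from any source on an Internet-facing SAProuter"))
        if action in PLAIN_PERMIT and _is_public_ip(source):
            findings.append((line_no, action, "non-SNC permit from a public address; use KP/KS so SNC is required"))
        if action == "P":
            findings.append((line_no, action, "P also allows native (non-SAP) protocols; prefer S unless needed"))
    if last is not None and last != ("D", "*", "*", "*"):
        findings.append((len(text.splitlines()), last[0], "no explicit catch-all 'D * * *' as the last entry"))
    return findings
```

Running `lint_saprouttab(SAMPLE_SAPROUTTAB)` reports only the `P * * *` entry, three times (any destination, any source, native protocols), while the SNC-secured KP entry, the internal S entry and the final deny pass.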

Why VPN over SNC

In this project, Internet VPN was selected over SNC for the following reasons:

• VPN using IPsec is an industry standard and has better encryption.
• FTP is not possible with SNC.

Requirements

• Internet connection: recommended minimum bandwidth = 64 kbps
• SAProuter machine
• Official IP address (static) for the SAProuter host
• SAProuter installation package
• SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
• A Demilitarized Zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at http://service.sap.com/SYSTEMMANAGEMENT (choose Security > Technical Track > SAP Security Guide). More information on SNC connections is also available in the SAP Service Marketplace. Since the host running the SAProuter software is a full computer with an operating system, security at the operating system level must be hardened in order to minimise the risk of the machine being hacked from the Internet. One recommendation is, for example, to run a C2 security level compliant operating system. SAP takes no liability if the security of the company’s network is compromised.
• Other networking equipment (routers and hubs) needed to form the network at the customer’s premises (see Figure 1).
