Platform Security: "Insecure SAP system interfaces: an underestimated risk."
-------------------------------------------------------------------------------------
How confident are you that your SAP systems are sufficiently protected against cyberattacks? In our experience, it's far too often the case that companies fail to pay the requisite attention to analyzing and securing their SAP system interfaces. These include RFC connections, SAP Gateway, and extended ST01 traces, along with considerations of their relevance, criticality, and potential defects.
As you take the steps necessary to secure your landscape, the suite module SAST Interface Management can provide you with optimal support. It's capable of evaluating multiple systems, creating a comprehensive interface overview in graphical or tabular format, and categorizing the flaws it finds.
-------------------------------------------------------------------------------------
For information in German, feel free to contact us: sast@akquinet.de
2. SAST SOLUTIONS: Our suite at a glance.
Modular design. Individual possibilities.
3. Basic thoughts about SAST Interface Management
Our Goals
Get Clean: Supporting interface cleanup.
Securing the SAP Gateway using tailor-made ACLs.
Determining exact authorization values for interface users by long-term trace.
Eliminating security risks due to improper configuration.
Stay Clean: Maintaining a clean and safe operating condition.
4. Overview of SAST Interface Management functionality
Overview
Basic analysis of RFC, HTTP, TCP/IP, trusted RFC, SSO2 and remote database connections.
Gaining data from the RFC call analysis for the security-oriented design of RFC authorizations.
Creation / completion of RFC interface authorizations and revision of the trust relationships between the systems.
Support in the administration of the SAP Gateway by creating secure ACL files.
A long-term trace of interface authorizations ensures that the authorization values actually needed by interface users can be determined.
5. Benefits from SAST Interface Management
Benefits
Monitoring and analysis of all systems can be done from a single point of entry system.
Complete analysis of the RFC interfaces leads to an inventory that is presented in graphical and tabular form, enriched with risk classification information.
All results of the analysis can be recalled at any time. This simplifies the processing and cleanup of the interfaces and thus ensures clean working conditions.
For efficient risk management, the analysis results can be output by various categories, from system type through system group to protection requirement classification. This provides direct specifications for the adjustment of the RFC authorizations.
ACL files for the SAP Gateway can be generated and used directly.
This helps to restrict program access and secure access to the SAP Gateway.
Based on gateway log files, default values can be determined and used to directly generate the ACL files reginfo, secinfo and prxyinfo.
6. Analysis of RFC Interfaces
Analysis of RFC connections of:
Single systems
System groups
System landscapes
Depending on your analysis needs, both incoming and outgoing RFC connections can be viewed, and all results are stored in a list for later use.
7. Reporting of RFC Connections
Differentiated output of the results according to RFC connection type as well as inbound and outbound direction.
Consideration and display of special connections:
Remote database connections
SSO2 Logon tickets
Trusted RFC connections
Aggregation of analysis results by:
System types (development, quality assurance and production systems)
Classification of protection requirements
System groups for comparing system types (ERP, CRM, NetWeaver)
8. Reporting of RFC Interfaces
Graphical display of incoming and/or outgoing connections to the central analysis system.
9. Reporting of RFC Interfaces
Tabular output of system and connection data.
10. Reporting of RFC Interfaces (Example)
By evaluating the called RFC functions, an analysis of the existing RFC authorizations can be performed, and improvement suggestions for optimization are then displayed.
From the results, a worklist can be created in order to clean up and secure the RFC connections step by step, using only the authorizations that are actually necessary.
11. ACL files SAP Gateway
Using SAST INTERFACE MANAGEMENT, proposals for the security control files of the SAP Gateway (reginfo, secinfo, prxyinfo) can be determined on the basis of the gateway logs' statistical data.
For this purpose, gateway logging must be activated and the log files evaluated over a suitable period (e.g. 3 months) in order to obtain the most accurate data on all connections used.
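Generated ACL proposals still have to be reviewed before they go live. The following checker is an added example and not part of SAST Interface Management: it parses secinfo and reginfo files in the documented SAP VERSION=2 syntax (secinfo: `P|D TP=... USER=... [USER-HOST=...] HOST=...`; reginfo: `P|D TP=... HOST=... [ACCESS=...] [CANCEL=...]`) and flags permit rules that leave the gateway open to any program or any host. The two sample files are constructed; the check that a reginfo rule without `ACCESS` lets any host use the registered program follows the SAP documentation and is stated here as an assumption.

```python
"""Lint SAP Gateway ACL files (secinfo / reginfo) for overly permissive rules.

Added example, not SAST Interface Management code. It assumes the documented
SAP VERSION=2 syntax:
  secinfo: P|D TP=<program> USER=<user> [USER-HOST=<host>] HOST=<host>
  reginfo: P|D TP=<program> HOST=<host> [NO=<n>] [ACCESS=<hosts>] [CANCEL=<hosts>]
The two sample files below are constructed for this demonstration.
"""
import re

SECINFO_SAMPLE = """\
#VERSION=2
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
P TP=/usr/bin/* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""

REGINFO_SAMPLE = """\
#VERSION=2
P TP=TAXCALC HOST=taxsrv.corp.example ACCESS=internal CANCEL=internal
P TP=* HOST=*
"""


def parse_acl(text):
    """Return (version, rules); each rule is (lineno, action, {KEY: value})."""
    version, rules = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # comment or header line
            m = re.match(r"#VERSION\s*=\s*(\d+)", line, re.I)
            if m:
                version = int(m.group(1))
            continue
        action, *tokens = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: expected P or D, got {action!r}")
        fields = {}
        for tok in tokens:                             # KEY=value pairs
            key, _, value = tok.partition("=")
            fields[key.upper()] = value
        rules.append((n, action, fields))
    return version, rules


def _wild(value):
    # An absent field is treated like '*' for the purpose of these checks
    return value in (None, "*")


def lint_secinfo(text):
    """Flag permit rules that allow program starts from any host."""
    version, rules = parse_acl(text)
    findings = [] if version == 2 else [(0, "missing or unsupported #VERSION=2 header")]
    for n, action, f in rules:
        if action != "P":
            continue
        tp, user, host = f.get("TP"), f.get("USER"), f.get("HOST")
        if _wild(tp) and _wild(host):
            findings.append((n, "any program may be started from any host"))
        elif _wild(user) and _wild(host):
            findings.append((n, f"TP={tp} may be started by any user from any host"))
    return findings


def lint_reginfo(text):
    """Flag permit rules that allow unrestricted registration or use."""
    version, rules = parse_acl(text)
    findings = [] if version == 2 else [(0, "missing or unsupported #VERSION=2 header")]
    for n, action, f in rules:
        if action != "P":
            continue
        if _wild(f.get("TP")) and _wild(f.get("HOST")):
            findings.append((n, "any program may register from any host"))
        # Assumption (SAP documentation): without ACCESS, any host may use the program
        if _wild(f.get("ACCESS")):
            findings.append((n, f"TP={f.get('TP')} has no ACCESS restriction; any host may use it"))
    return findings


if __name__ == "__main__":
    for name, fn, sample in (("secinfo", lint_secinfo, SECINFO_SAMPLE),
                             ("reginfo", lint_reginfo, REGINFO_SAMPLE)):
        for lineno, msg in fn(sample):
            print(f"{name}:{lineno}: {msg}")
```

Run it against the proposed files before they are activated on the gateway; every finding should either be justified by a documented interface or replaced by a rule that names the program and host explicitly.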
12. Long-term trace of interface permissions
Based on the long-term trace data of SAST INTERFACE MANAGEMENT, correct authorization values for the interfaces are determined.
In conjunction with SAST ROLE MANAGEMENT, correct roles for all interface users can be generated using the traced data.
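The RFC authorization cleanup on slide 10 and the long-term trace on slide 12 both come down to the same reconciliation: which S_RFC values did an interface user actually need, and which of its existing grants are wider than that or never used. The script below is an added example written for this page, not the product's own logic. It assumes a trace that has already been reduced to (user, function group, function module) records, as one would obtain from ST01 / STAUTHTRACE, and a list of existing S_RFC grants as (RFC_TYPE, RFC_NAME) patterns; both inputs are constructed here. Proposals are made on function-group level (RFC_TYPE=FUGR, ACTVT=16), which is the usual granularity for interface roles.

```python
"""Derive least-privilege S_RFC proposals from a long-term RFC call trace and
review existing grants against it.

Added example, not SAST Interface Management code. TRACE and EXISTING are
constructed; only RFC_PING in function group SRFC is a real SAP object.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# constructed trace records: (interface user, function group, function module)
TRACE = [
    ("RFC_CRM", "SRFC", "RFC_PING"),
    ("RFC_CRM", "ZCRM_API", "Z_CRM_GET_ORDER"),
    ("RFC_CRM", "ZCRM_API", "Z_CRM_SET_STATUS"),
    ("RFC_BW", "SRFC", "RFC_PING"),
    ("RFC_BW", "ZBW_EXTR", "Z_BW_EXTRACT"),
]

# constructed existing S_RFC grants per user: (RFC_TYPE, RFC_NAME pattern)
EXISTING = {
    "RFC_CRM": [("FUGR", "*")],                    # typical "works, but far too wide"
    "RFC_BW": [("FUGR", "SRFC"), ("FUGR", "ZOLD_*")],
}


def propose_s_rfc(trace):
    """Per user, the S_RFC values needed to cover every traced call
    (RFC_TYPE=FUGR, RFC_NAME=<function group>, ACTVT=16 = Execute)."""
    groups = defaultdict(set)
    for user, fugr, _fm in trace:
        groups[user].add(fugr)
    return {
        user: [{"RFC_TYPE": "FUGR", "RFC_NAME": g, "ACTVT": "16"} for g in sorted(gs)]
        for user, gs in groups.items()
    }


def review_grants(existing, trace):
    """Compare existing grants with traced usage.

    Returns (user, kind, detail) findings of three kinds:
      overbroad - the grant is a bare '*'
      unused    - no traced call matches the grant pattern
      missing   - a traced function group is covered by no grant
    """
    used_groups, used_fms = defaultdict(set), defaultdict(set)
    for user, fugr, fm in trace:
        used_groups[user].add(fugr)
        used_fms[user].add(fm)

    findings = []
    for user in sorted(set(existing) | set(used_groups)):
        grants = existing.get(user, [])
        for rfc_type, pattern in grants:
            used = used_groups[user] if rfc_type == "FUGR" else used_fms[user]
            if pattern == "*":
                findings.append((user, "overbroad", pattern))
            elif not any(fnmatchcase(x, pattern) for x in used):
                findings.append((user, "unused", f"{rfc_type}:{pattern}"))

        missing = set()
        for _u, fugr, fm in (r for r in trace if r[0] == user):
            covered = any(
                (t == "FUGR" and fnmatchcase(fugr, p)) or (t == "FUNC" and fnmatchcase(fm, p))
                for t, p in grants
            )
            if not covered:
                missing.add(fugr)
        findings.extend((user, "missing", f"FUGR:{g}") for g in sorted(missing))
    return findings


if __name__ == "__main__":
    for user, values in propose_s_rfc(TRACE).items():
        print(user, values)
    for finding in review_grants(EXISTING, TRACE):
        print(*finding)
```

The "unused" and "overbroad" findings are the worklist for tightening a role; the "missing" findings show where a reduced role would break the interface, which is exactly why the trace period has to be long enough to cover month-end and other infrequent runs.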