How to Secure Your SAP router
Recent news coverage of SAP security refers to the security notes released in May 2013, as well as earlier notes that are still unresolved in many customer installations. One underlying security vulnerability is named throughout these publications; one example is Alexander Polyakov's talk at the RSA Conference in Singapore in June 2013, The State of SAP Security 2013: Vulnerabilities, Threats and Trends.
In an Internet-connected DMZ you will typically find at least one SAP router installation running.
The purpose of this blog is to give an overview of the instructions on how to secure your SAP router. I look forward to your comments and support in improving this documentation.
- SAP recommends that you upgrade all active SAP routers as soon as possible
- Encrypt the communication channel to SAP support by activating SNC
- Limit connectivity with an access control list (the saprouttab route permission table)
The SAP router is a completely independent, compatible piece of software: it can be updated without modifying other parts of the kernel. In most cases, active SAP router installations run on servers that are not application servers of an ABAP system. SAP therefore recommends that you use the latest release throughout your landscape.
If you visit http://service.sap.com/patches and use the search feature, you should find releases 7.20 and 7.21. Release 7.20 is assumed to work in most cases.
For an explanation on how to update the SAP router, see note 1921693.
Warning: You can update the saprouttab without restarting your SAP router (option -n). However, active connections are dropped while the executables are being replaced.
Do not rely on RSECNOTE, the EarlyWatch Alert (EWA), or the application-system recommendations in SAP Solution Manager to tell you whether your SAP router installations are current. Both of these tools only see the kernel version (disp+work) of the ABAP system.
As a result, it is up to you to do the legwork of finding outdated SAP router installations. One option is to configure SAP Solution Manager so that it manages your SAP router installations; once you have done that, use transaction SOLMAN_SAPROUTER to list the installations known to SAP Solution Manager.
These notes provide security information on the most recent version of the SAP router:
- Note 1820666 describes a possible remote code execution vulnerability in the SAP router. An attacker could exploit it to take control of an SAP application and view, delete, or change data.
- Note 1663732 describes a possible information disclosure affecting the SAP router. An attacker could learn details about the SAP router's connections if the SAP router is used for communication with the Internet and the "-n" option is used at startup.
This information could be used by an attacker to craft targeted attacks against the application server.
- Note 1895350 gives recommendations on how to configure the SAP router securely.
- Note 1853140 explains why SAP recommends that you do not use the https://itelligencegroup.com/us/local-blog/sap-hosting-local-blog/outsourced-sap-remote-administration-vs-managed-hosting/ option of the router.
- Note 48243 explains the steps needed to integrate the SAP router into your firewall.
- Option -n lets you reload the saprouttab without restarting your SAP router.
- Option -S changes the default port.
- Entry page of the SAP router
- Create a Route Permission Table
- Getting Started with SAProuter – Tutorials (great breakdown with videos)
- Step-by-Step Procedure for SAP Router SNC Configuration (technical guide)
- SAProuter – SNC or VPN? (explaining the difference)
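The route permission table (saprouttab) named in the bullets above is the access control list that decides which source hosts may reach which destination hosts and services. The following script is an added example written for this post, not code from SAP or from the linked tutorials; it parses a saprouttab in the documented format (action, source host, destination host, destination service, optional password; `P` permits any protocol, `S` permits SAP protocols only, `D` denies, a leading `K` requires SNC) and flags entries that undermine the "limit connectivity" recommendation. The sample table embedded in it is constructed, and the hostnames, addresses and password are placeholders.

```python
"""Audit a saprouttab route permission table for overly permissive entries.

saprouttab format (one rule per line, first matching rule wins):
    <action> <source-host> <dest-host> <dest-service> [<password>]
action: P  permit, any protocol      S  permit, SAP protocols only
        D  deny                      KP/KS/KD  same, but the hop must be SNC-protected
'*' is a wildcard for hosts and services; text after '#' is a comment.
"""
from dataclasses import dataclass
from typing import List

ACTIONS = {"P", "S", "D", "KP", "KS", "KD"}


@dataclass
class Rule:
    lineno: int
    action: str
    src: str
    dst: str
    serv: str
    password: str = ""


@dataclass
class Finding:
    lineno: int      # 0 means "the table as a whole"
    severity: str
    message: str


def parse_saprouttab(text: str) -> List[Rule]:
    """Turn the raw table into Rule objects, rejecting lines that are not valid rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ACTIONS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append(Rule(lineno, parts[0].upper(), parts[1], parts[2], parts[3],
                          parts[4] if len(parts) > 4 else ""))
    return rules


def audit(rules: List[Rule]) -> List[Finding]:
    """Return findings for wildcard permits, unrestricted protocols and a missing deny-all."""
    findings = []
    for r in rules:
        permit = r.action.endswith(("P", "S"))   # P, S, KP, KS
        if permit and r.src == "*" and r.dst == "*":
            findings.append(Finding(r.lineno, "high", "permits any source host to any destination"))
        elif permit and r.src == "*":
            findings.append(Finding(r.lineno, "medium", "wildcard source host"))
        if permit and r.serv == "*":
            findings.append(Finding(r.lineno, "medium", "wildcard destination service (all ports)"))
        if r.action == "P":
            findings.append(Finding(r.lineno, "low",
                                    "P permits any protocol; use S unless a native protocol is needed"))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "D" and last.src == "*" and last.dst == "*"):
        findings.append(Finding(0, "low", "no explicit terminal 'D * * *' rule documenting the deny-all default"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_saprouttab(text))


# Constructed sample table: hosts, addresses and password are placeholders.
SAMPLE_SAPROUTTAB = """\
# SAP support reaches the app server over an SNC-protected hop, with a password
KS 203.0.113.10 sapsrv01.example.internal 3200 CHANGE-ME
# internal clients, SAP protocols only
S  10.1.0.0/16  sapsrv01.example.internal 3200
# catch-all permit: this is the entry the audit should complain about
P  *            *                         *
D  *            *                         *
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_SAPROUTTAB):
        where = f"line {f.lineno}" if f.lineno else "table"
        print(f"[{f.severity}] {where}: {f.message}")
```

Running it against the sample reports the catch-all `P * * *` entry three times (any-to-any permit, all ports, any protocol) and nothing for the SNC-protected support entry or the internal `S` rule; feed it your own saprouttab on stdin or via a file to get the same report for a production table.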
When you look at these documents together, additional activities are proposed, including:
- Changing the default port
- Using the SAP router password with SAP support
Update June 2014: You may be interested in learning about the newly released option to change the SAP router password for SAP support throughout your entire system with just one step.
In times past, you needed to change passwords for each system on an individual basis. Depending on the number of systems that you run, this could become a time-consuming nightmare that would make it unlikely that you would follow through with this security procedure.
Now all that is required is to select the checkbox in the Service Connection settings called "Apply the Changes to All the Systems That SAP Router Is Assigned to." With this option you can reset the password across the entire landscape in one step. Note that if you operate additional SAP routers, you still have to set the password individually for each of them.
Are you using SAP solution manager 7.1? If so, you may have additional options available to you that will allow you to both manage and monitor your SAP router.
Please refer to note 1886060 and the accompanying wiki and blog, which explain how to set up and configure System Monitoring for your SAP router in SAP Solution Manager 7.1.
As I mentioned at the outset, we are interested in any additional documentation, tips, or suggestions that you may have when it comes to addressing security issues for SAP routers. If you have any questions, comments, or recommendations that you feel could be useful, we would love to hear from you in the comments section below. Please include any charts, graphs, or infographics that will make it easier for readers to understand the information that you are presenting.