Everything is new in May („Alles neu, macht der Mai“) is a saying that originates from an old German folk song. It is often quoted when you feel the need for change and innovation. So let’s take advantage of the momentum that spring brings and tackle a few delayed security projects within your SAP landscape 🙂
SAP Security (annoying but important)
You are reading this because you know that SAP environments are no longer boring mainframe applications that nobody understands, managed by grey eminences and operated in silos beside the other systems in the organization’s IT infrastructure. Today SAP integrates more deeply than ever and often carries the most important company data. That is a good reason to think about deeper protection of this important infrastructure. SAP systems are complex, and there is always enough to adjust and keep up to date.
The problem is that things often run “as is” because they work. Applying security standards would mean effort and, in doubt, costs. In addition, there is the lack of awareness among many SAP admins, who cannot take care of all security-related issues simply because of their other responsibilities. Understandable!
The Python scripts presented in the session “SAP Gateway to Heaven” at #OPCDE2019, better known under the Onapsis name “10KBLAZE”, once again served as a kind of wake-up call for the SAP community.
Since the release of Alert AA19-122A by the Cybersecurity and Infrastructure Security Agency (CISA) / US-CERT in early May, there has been some discussion about securing the SAP Message Server and the SAP Gateway. The “vulnerabilities” addressed there are not bugs but the result of bad system configuration and/or weak network protection.
Although this belongs to the categories of SAP baseline security and system hardening, many companies were (and still are) affected because they had not implemented these measures for reasons of time, cost or convenience. Anyone who has been negligent in the areas of SAP RFC gateway and message server security should therefore take action immediately.
Every organization that relies heavily on SAP should have a dedicated SAP security team supporting SAP Basis. These people should be well trained and experienced in IT security and able to carry and translate this experience into the “SAP language”, thus providing interfaces to existing security solutions. Maintaining the secure operation of SAP landscapes, staying compliant with existing regulations and introducing state-of-the-art IT security measures is a full-time job.
It became clear how important the following topics were 10 years ago, and they still are:
- It depends on people: build a security team that can also cover SAP security!
- Secure your (W)LAN using 802.1X and a PKI (secure authentication and network access control) to restrict access to “managed” devices only; this makes things much harder for the bad guys.
- Implement network segmentation and use firewalls to control and restrict network access to all SAP applications.
- This requires identifying the systems that “communicate” with your SAP systems. It is never just an “SAP project”: it takes time, network knowledge and a communication matrix, and if no documentation is available, you need even more time to create and analyze traces and monitor traffic first.
- Prevent access to the internal message server port (tcp/39nn) for unknown clients.
- Use Secure Network Communication (SNC) to ensure authentication of communication peers, integrity protection and encryption for DIAG and RFC.
- Enforce Quality of Protection (QoP) “Level 3 – Privacy” for SNC.
- Re-think the handling of passwords, disable them whenever possible and get rid of password hashes in your database.
- Only use current encryption and signature algorithms and avoid old cipher suites or deprecated TLS versions for your ICM.
- Maintain whitelists for your SAP Message Server and Gateway.
- The ACLs should not allow everyone to call everything for convenience, but explicitly permit only those applications or servers that need access.
- Secure the internal communication between the server components using TLS (SAP Note 2040644).
…just to name a few.
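As an added example that is not part of the original post, here is a small Python checker for the gateway ACL files (reginfo/secinfo) referred to in the whitelist items above: it parses the version-2 rule syntax and flags permit rules that use a bare `*` wildcard for the program, host, user or access fields. The sample file content is constructed; the key names TP, HOST, USER, USER-HOST and ACCESS are the gateway’s documented ACL keys and are not taken from the post.

```python
"""Flag overly permissive rules in SAP gateway ACL files (reginfo / secinfo)."""

# Constructed sample in the version-2 reginfo syntax: each rule starts with
# "P" (permit) or "D" (deny), followed by KEY=VALUE tokens. Line 3 is the
# "anyone may register anything" rule that the whitelist items warn about.
SAMPLE_REGINFO = """#VERSION=2
# too broad: any host may register any program
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=tax_service HOST=app01.corp.example ACCESS=internal CANCEL=internal
D TP=* HOST=* ACCESS=*
"""

# Fields where a bare "*" in a permit rule means "everyone / everything".
WILDCARD_KEYS = ("TP", "HOST", "USER", "USER-HOST", "ACCESS")


def parse_acl(text):
    """Return [(line_no, action, {KEY: value})] for each rule, skipping comments and blanks."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        attrs = {}
        for tok in tokens:
            key, _, value = tok.partition("=")
            attrs[key.upper()] = value
        rules.append((no, action.upper(), attrs))
    return rules


def find_permissive(text):
    """Return (line_no, key) for every permit rule whose key is the bare wildcard '*'."""
    findings = []
    for no, action, attrs in parse_acl(text):
        if action != "P":
            continue
        for key in WILDCARD_KEYS:
            if attrs.get(key) == "*":
                findings.append((no, key))
    return findings


if __name__ == "__main__":
    for line_no, key in find_permissive(SAMPLE_REGINFO):
        print(f"line {line_no}: permit rule uses {key}=* (wildcard)")
```

Run the same check against your own reginfo and secinfo files; every reported line is a candidate for being replaced by an explicit host/program entry.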
Digitally signed SAP Notes starting from 2020
Starting next year, SAP will only provide digitally signed SAP Notes.
This ensures the integrity and authenticity of the content and avoids the risk of implementing malicious code. Within the SAP system this is done using an updated version of SAPCAR, version 7.20 or higher. It is recommended to update your systems with the latest SAPCAR version, which comes bundled with the public key for validating software signatures from SAP.
Even though there is no direct dependency on your CommonCryptoLib (personally I would prefer SAP to combine both components), you should perform a spring cleaning and check your SAP landscape for the most current version of this very important TLS, SNC, SSF and SPNEGO library. Especially because of some very important fixes, we highly recommend using CommonCryptoLib 8.5.27 or higher; more details can be found in SAP Note 2767917.