Skip to Content
Technical Articles

SNC Secured SAProuter vs LAN-to-LAN IPSec VPN Service

Remote working is more popular now than at any other time in modern history. There is no reason to believe that this trend is going anywhere. Security concerns raised by remote working has led to an increase in interest in SAProuters and land to land IP sec VPN services. Each solution has its pros and cons that an enterprise that allows remote workers does well to consider.

Creating a Land to Land IP Sec VPN Tunnel

Internet protocol security is frequently used when building secure VPN tunnels. This is a more advanced VPN protocol when compared to PPTP or L2TP. However, it is more complicated to set up. It is commonly used in circumstances where PPTP and L2TP VPN connections need to be blocked for security reasons. When a land to land VPN tunnel is created, traffic from Wi-Fi or land clients that are under the client-side router on the VPN will be directed to the server-side router of the VPN. Commonly used D2C VPN servers also utilize a form of enhanced SSL/TLS, “TLS is an updated and more secure version of SSL, and while VPN providers regularly use the term “SSL” to refer to their security certificates, you will often end up purchasing a more updated TLS certificate.”

The same TLS certs used to secure web traffic can be used for effective VPN routing providing a cryptographically secure connection between multiple parties.

IPsec provides security at the IP layer. It also offers a host of protocols that add additional layers of security via authentication and encryption. IP sec protocols are what define the cryptographic algorithms used when authenticating, encrypting, and decrypting packets. These are also the protocols that are needed to secure key management and key exchange.

If traffic is identified as being interesting, a security policy for the packets is triggered. When the packet is being sent, appropriate authentication or encryption is added to the packet. Conversely, if the packet is being received and it is deemed “interesting,” the host will verify that the incoming packet has the proper encryption or the proper authentication.

Next comes IKE phase one. This allows the two hosts to negotiate the policy sets they are using when sending secured information. They are verifying agreed-upon rules for authentication and encryption. From here, additional steps are taken to allow a host behind one gateway to communicate securely with the host behind another gateway. For example, steps are taken to allow the system in one branch of a company to securely connect to the system of the main office and vice versa. Tunnel mode is what is used to protect the traffic between the two networks on both ends.

As with all technology, for IP sec to be effective, it is important that the enterprise is using operational systems that are current, up-to-date, and have the most recent security patches. If they are using older systems that have an older version of IPsec, although it may appear that the information being transmitted is secure, the IPsec circuits are likely not keeping the data secure.

Protecting SAProuters against Remote Attacks

SAProuters serve as a reverse proxy between SAP landscapes and external networks. The SAProuter allows a business to have greater flexibility with their filtering policies and security connections to SAP systems. A SAProuter could be compared to a scalpel, whereas a network firewall is a sledgehammer, limiting the flexibility of an enterprise in transmitting essential information or giving authorized employees access to the information they need.

To be effective, a SAProuter must be properly configured. If not, organizations can be exposed to dangers that could compromise the security of their SAP servers. This can also be accomplished via a traditional B2C consumer grade software VPN router service

SAProuters work as an Internet facing proxy that allows direct access to SAP systems. As a result, it is a favored target of cyber criminals. A simple port scan against exposed IP’s can show if SAProuters are accessible on the standard 3299 port. If so, attackers will be able to send information requests to the SAProuter and get a schematic of the internal IP addresses from the details of the connected host in the response.

With the internal IP address scheme in hand, an attacker has free reign to scan in the internal network. They will use the SAProuter to send connection requests to the connected host. Based on the responses received, an attacker may be able to identify open ports for the SAP services the enterprise is using, as well as FTP, HTTP, SSH, and SMTP.

Once an attacker has gained this information, they may be able to connect to vulnerable services in the SAP servers going through the SAProuter. Once a connection is made, attackers are free to execute targeted exploits to attack the server. For example, if there is an authenticated SOAP request for the SAP host agent using port 1128, attackers might receive information on the operating system’s users. This information can then be used for a brute force attack or other attacks. Attackers are also free to send malicious payloads directly to SAP servers via the SAProuter.

When properly secured and when properly configured, SAProuters are able to mitigate the above-mentioned attacks. Proper configuration would include making sure that the route permission table, outlined in the saprouttab file, clearly identifies the source hosts that have permission to connect to particular services and target hosts. It is not advisable to use wildcards in route strings. S entries can be used for the saprouttab to block native connections. This is preferable to using P entries. KP and KT entries can be used to enforce SNC for connections.

Option G should be enabled for logging for SAProuters. Once this is accomplished, a SAProuter log can be monitored via an SAP Solution Manager. This will sound the alarm if there is a suspected attack. This would include things that might seem innocuous, such as accepted or rejected information requests, native connections, port scans, and connection requests.

Determining whether land to land IP sec VPN services or SNC secured SAProuters are best for your enterprise will require an evaluation of your current security needs. Many enterprises have found that using a VPN is cost effective, efficient, flexible, and provides the security needed.

You must be Logged on to comment or reply to a post.