SAProuter Configuration

SAP has introduced two methods for customers to securely connect to its Support Network over the Internet: SAProuter with Secure Network Communications (SNC) and Internet Virtual Private Network (VPN). The VPN option is preferred due to its use of industry-standard IPsec encryption and support for FTP, while the SNC option is limited in functionality. Customers must ensure proper infrastructure, including static IP addresses and security measures, to establish these connections.

Uploaded by pauline

OSS Configuring VPN

Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes.
Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

• SAProuter with Secure Network Communications (SNC) over the Internet
• Internet Virtual Private Network (VPN)

Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

• SNC secured SAProuter – SAProuter connections are established between SAP and the customer’s SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below).
• Customers are required to install a SAProuter with an official, static IP address (DHCP addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.
• Certificates needed are available on the SAP Service Marketplace.

Internet VPN

• LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at customer’s side must be reachable from the Internet. (See diagram below).
• Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.
• For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized.
• VPN access can also be achieved through a telecommunications provider. The provider will then be connected to SAP’s VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers. This option is not covered in this document. For more information, contact SAP.

Diagrams and Infrastructure


Figure 1 - SAProuter with SNC over Internet

Figure 2 - Internet VPN

Comparison of the Two Options

| Property | SAProuter / SNC via Internet | Internet VPN |
|---|---|---|
| Hardware requirements | Firewall + SAProuter host in DMZ | VPN switch + firewall + SAProuter host (VPN and firewall may be the same box) |
| Software | SAProuter starting from NI version 35. SAPSECULIB can be obtained from the Service Marketplace | N.A. |
| Network addresses (besides address of Internet router, firewall, …) | 1 official static IP address for SAProuter | 1 official static IP address for VPN switch + 1 official static IP address for SAProuter host |
| Configuration issues | Careful setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall. | Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter software and firewall |
| Encryption | By software | By hardware |
| Encrypted data | TCP packets. Only the data stream between SAProuters is encrypted. Encryption is handled on Application layer (OSI network layer 7) | IPsec (IP packets). Encryption is handled on IP layer (OSI network layer 3) |
| Minimum required free bandwidth | 64 kbit/s but may work also with 32 kbit/s | 64 kbit/s |
| Supported services on SAP side | All except FTP (files download) | All including FTP (files download) |
| Key management | Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI) | Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI) |
| Key storage | In file system | In VPN switch |
| Operating system | SAProuter resides on a computer, therefore it is necessary to harden the security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet | VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much less. However, security hardening measures at the SAProuter operating system level are also recommended |
| Additional expertise | SAProuter knowledge usually available, SNC configuration requires additional knowledge | VPN hardware requires special knowledge, higher technical expertise |
| Standards | Based on SNC, SAP proprietary standard | Based on IPSec, well established industry standard |
| Contributing to costs | Firewall hardware and software; firewall administration costs; no additional license fee for security library based on SECUDE | Firewall hardware and software; firewall administration costs; costs for VPN hardware and setup |
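The "Configuration issues" row states that with the SNC option access is controlled via saprouttab and the firewall. As an added example (not part of the original document and not SAP tooling), the Python code below audits a route permission table for wildcard allow entries. The sample table, its addresses and SNC name are constructed, the severity labels and rule set are this example's own assumptions, and the entry types (P, S, D, KT, KP, KS) and the `*` wildcard are standard saprouttab syntax that the page itself does not show.

```python
import shlex

# Constructed saprouttab for illustration; addresses and SNC name are made up.
SAMPLE = '''\
# constructed example, not taken from the page
KT "p:CN=peer-router, OU=Example, O=Example Corp, C=DE" 198.51.100.10 3299
KP "p:CN=peer-router, OU=Example, O=Example Corp, C=DE" 10.1.1.20 3200
P0,* 10.1.*.* 198.51.100.10 3299
S * 10.1.1.30 *
P * * *
D * * *
'''

ALLOW = {"P", "S", "KP", "KS"}  # D/KD deny; KT only marks a hop as SNC-protected

def parse_saprouttab(text):
    """Return (lineno, kind, source, dest_host, dest_serv) for each route entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            fields = shlex.split(raw, comments=True)  # quoted SNC name stays one field
        except ValueError:  # e.g. unbalanced quote around an SNC name
            entries.append((lineno, "INVALID", raw.strip(), "", ""))
            continue
        if len(fields) < 4:
            continue  # blank line, comment, or too short to be a route entry
        # Reduce a hop-count form such as "P0,*" to its entry type.
        kind = fields[0].upper().split(",")[0].rstrip("0123456789")
        entries.append((lineno, kind, fields[1], fields[2], fields[3]))
    return entries

def audit(text):
    """Flag allow-type entries whose wildcards open more than a named route."""
    findings = []
    for lineno, kind, src, host, serv in parse_saprouttab(text):
        if kind == "INVALID":
            findings.append((lineno, "MEDIUM", "line could not be parsed; review by hand"))
        elif kind in ALLOW and src == host == serv == "*":
            findings.append((lineno, "HIGH", "any source may reach any host and port"))
        elif kind in ALLOW:
            if serv == "*":
                findings.append((lineno, "MEDIUM", f"every port on {host} is reachable"))
            if kind in {"P", "S"} and src == "*":
                findings.append((lineno, "MEDIUM", f"any source, no SNC identity, may reach {host}"))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE):
        print(f"line {lineno}: {severity}: {message}")
```

The explicit routes on lines 2 to 4 of the sample pass cleanly; only the entries with a bare `*` source or service are reported.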

Why VPN over SNC

In this project, Internet VPN was selected over SNC for the following reasons:

• VPN using IPsec is an industry standard and has better encryption.
• FTP is not possible with SNC.

Requirement

• Internet connection: recommended minimum bandwidth = 64 kbps
• SAProuter machine
• Official IP address (static) for the SAProuter host.
• SAProuter installation package
• SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace.
• A Demilitarized Zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3, available in the Service Marketplace at: http://service.sap.com/SYSTEMMANAGEMENT Choose: Security > Technical Track > SAP Security Guide. More information on SNC connections is also available in the SAP Service Marketplace.
• Since the host running the SAProuter software is a full computer with operating system, the security at the operating system level must be hardened in order to minimise the risk of the machine being hacked from the Internet. One recommendation is, for example, to run a C2 security level compliant operating system. SAP takes no liability if the security of the company’s network is compromised.
• Other networking equipment (routers and hubs) needed to form the network at the customer’s premises (see Figure 1).
