Remote Connectivity for mySAP.

com Solutions over the Internet

Technical Specification
June 2009

Remote Connectivity for mySAP.com Solutions over the Internet

page 2

1 Introduction
SAP has embarked on a project to enable its customers to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet: SAProuter with Secure Network Communications (SNC) over the Internet Internet Virtual Private Network (VPN) This document describes both alternatives and their technical specifications, and compares the two options. If you read this document, you will have enough information to decide which option is better for your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet. In other words, strong encryption will be employed for data that travels over the Internet.

2 Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

SNC secured SAProuter SAProuter connections are established between SAP and the customers SAProuter to provide data confidentiality and integrity services. These SNC connections complement the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection. (See diagram below). Customers are required to install a SAProuter with an official, static IP address (DHCP Addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters. Certificates needed are available on the SAP Service Marketplace.

Internet VPN
LAN-to-LAN IPSec VPNs are established between SAP and the customers network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-ofthe-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at customers side must be reachable from the Internet. (See diagram below). Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters. For the pilot project, access control and authentication at the VPN gateways will be regulated using static keys. SAP will generate these keys and provide them to the customer. In future, certificate-based authentication is likely to be utilized. VPN access can also be achieved through a telecommunication provider. The provider will then be connected to SAPs VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers. This option is not covered in this document. For more information, contact SAP.

Remote Connectivity for mySAP.com Solutions over the Internet

page 3

3 Diagrams and Infrastructure

Public Interfaces (official IP addresses)

Internet Internet Router SAProuter @ SAP (with SNC) Internet Router SAProuter @ Customer (with SNC)

SNC Tunnel (encrypted)

Firewall

Firewall

SAP Corporate Network

Customer's Internal Network

R/3 System

Figure 1 - SAProuter with SNC over Internet

Official IP address (not public)

SAProuter @ SAP

VPN Switch IPSec Tunnel (encrypted)

VPN Switch SAProuter @ Customer

Internet Internet Router Internet Router

Firewall

Public Interfaces (official IP addresses)

Firewall

SAP Corporate Network

Customer's Internal Network

R/3 System

Figure 2 - Internet VPN

Remote Connectivity for mySAP.com Solutions over the Internet

page 4

Technical Requirements

SAProuter / SNC via Internet 1. 2. 3. 4. 5. Internet connection: recommended minimum bandwidth = 64 kbps SAProuter machine Official IP address (static) for the SAProuter host. SAProuter installation package SAP SNC libraries and executables. These may be downloaded from the SAP Service Marketplace. A Demilitarized Zone at the customer site with a minimal setup as described in the networking section of the SAP Security Guide, Parts 1-3 available in the Service Marketplace at: http://service.sap.com/SYSTEMMANAGEME NT Choose: Security > Security in Detail > SAP Security Guides. More information on SNC connections is also available in the SAP Service Marketplace. Since the host running the SAProuter software is a full computer with operating system, the security at the operating system level must be hardened in order to minimize the risk of the machine being hacked from the Internet. One recommendation will be for example to run a C2 security level compliant operating system. SAP takes no liability if the security of the companys network is compromised. Other networking equipment (routers and hubs) needed to form the network at the customers premises (see Figure 1).

Internet VPN 1. 2. 3. Internet connection: recommended minimum bandwidth = 64 kbps SAProuter machine Two (2) official IP subnets. These IP subnets are assigned to: The public interface of the VPN box. Additionally, this IP subnet must be routed in the Internet. The customers SAProuter 4. If the customer is operating any firewall(s) to secure its Internet connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customers firewall must allow UDP port 500 (IKE) and IP Protocol 50 (ESP) Recommended VPN equipment: SAP is using CISCO VPN equipment. Customers may also try to connect using other IPSec compliant VPN equipment. The equipment must support certain IPSec features (see Appendix A) that are mandatory to establish communication with SAPs VPN equipment. SAP cannot guarantee interoperability between SAP's CISCO VPN equipment and other types of VPN equipment that the customer elects to use instead. If you wish to use other VPN equipment, contact SAP. Other networking equipment (routers and switches / hubs) needed to form the network at the customers premises (see Figure 2).

6.

5.

7.

8.

6.

Remote Connectivity for mySAP.com Solutions over the Internet

page 5

3.1 Comparison of the Two Options

Property
Hardware requirements Software

SAProuter / SNC via Internet

Firewall + SAProuter host in DMZ SAProuter starting from NI version 35 SAPSECULIB can be obtained from the Service Marketplace

Internet VPN
VPN switch + firewall + SAProuter host (VPN and firewall may be the same box) SAProuter starting from NI version 35

Network addresses (besides address of Internet router, firewall, ) Configuration issues

1 official static IP address for SAProuter

1 official static IP address for VPN switch + 1 official static IP address for SAProuter host

Careful setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall. By software TCP packets Only the data stream between SAProuters is encrypted Encryption is handled on Application layer (OSI network layer 7)

Careful setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter software and firewall By hardware IPsec (IP packets) Encryption is handled on IP layer (OSI network layer 3)

Encryption Encrypted data

Minimum required free bandwidth Supported services on SAP side Key management

64 kbit/s but may work also with 32 kbit/s All except FTP (files download) Please note: NO access available to SAP internal systems! Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI) In file system SAProuter resides on a computer therefore it is necessary to harden the security at the operating system level (for example, C2 level OS) to minimize the risk of the machine being hacked from the Internet

64 kbit/s All including FTP (files download)

Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI) In VPN switch VPN switch has a very small and limited operating system, thus no additional security hardening is required. The SAProuter machine is not reachable from the Internet, thus the risk of hacking is much less. However, security hardening measures at the SAProuter operating system level are also recommended VPN hardware requires special knowledge, higher technical expertise Based on IPSec, well established industry standard Firewall hardware and software Firewall administration costs Costs for VPN hardware and setup

Key storage Operating system

Additional expertise Standards Contributing to costs

SAProuter knowledge usually available, SNC configuration requires additional knowledge Based on SNC, SAP proprietary standard Firewall hardware and software Firewall administration costs No additional license fee for security library based on SECUDE

Remote Connectivity for mySAP.com Solutions over the Internet

page 6

3.2 Terms and Conditions

1. The customer is responsible for obtaining any and all approval(s) for importing and operating their equipment, as may be required by the respective local laws and regulations. The use of cryptographic software and hardware is regulated in some countries. 2. All costs for setting up the necessary infrastructure at the customers premises is to be borne by the customer. 3. Both parties are responsible for securing their respective ends of the connection against unauthorized third party access.

Remote Connectivity for mySAP.com Solutions over the Internet

page 7

Appendix A Mandatory IPSec Features (for the Internet VPN option)

Encapsulating Security Protocol (ESP) Internet Key Exchange (IKE), with support of Diffie-Hellman Group 2 (1024 bits keys) Encryption Algorithm: Triples DES (3DES) Authentication Algorithm: HMAC-MD5 and HMAC-SHA1 Support for authentication using shared secrets, RSA digital signatures, and X.509 certificates Support for Diffie-Hellman Group 2 (keys of 1024 bits) Perfect Forward Secrecy Key exchanges using Internet PKIs

Remote Connectivity for mySAP.com Solutions over the Internet

page 8

Appendix B Remote Customer Support Network over the Internet Connection Data Sheet
Please complete and fax this data sheet to the SAP Network Hotline at +49 (180) 5 34 34 30

1. Customer Information
Company: Contact person networking: Tel.: E-mail address: Fax: Customer No.:

2. Desired Internet Connectivity Option

[ ] SAProuter / SNC via Internet [ ] Internet VPN

3. Networking Information
IP address of SAProuter computer Host name of SAProuter computer IP address of VPN switch (if applicable) Type of VPN switch: brand and model (if applicable)

4. Information About Your Internet Connection

Type of Internet connection (mark one) [ ] Frame Relay [ ] ISDN [ ] Leased line [ ] X.25 [ ] Dial-up [ ] xDSL [ ] Other: Bandwidth of your Internet connection (in kbps) % of current utilization of your Internet bandwidth

Remote Connectivity for mySAP.com Solutions over the Internet

page 9

5. Additional Observations
You need official Internet IP addresses for the computer on which the communication software SAProuter and the proxy for the remote access is installed (this also apply to the VPN switch). Private address spaces such as 10.0.0.0 172.16.0.0 - 10.255.255.255 - 172.31.255.255

192.168.0.0 - 192.168.255.255 cannot be used. If you do not have your own official IP addresses, obtain one from your Internet Service Provider (ISP). If you have any of the following questions: How do I fill in the data sheet? How can I obtain an IP address? What type of software and hardware do I need to establish remote access? Questions on the use of a firewall What kind of costs can I anticipate? contact the consulting partner responsible for your area, or contact the SAP Network Hotline: Fax: +49 180 53 434 30 Tel.: +49 180 53 434 38