If you are not using something then it is better to deactivate it or leave it inactive in front end component application gateways.

The trick is to limit the attack surface at the network port level and then use the application logic of the available ports to restrict what can be done with them if they must be open.

Opening DB ports from server LAN to Client LAN is not a good example of this. But you should harden your DBs anyway. Same goes for OS systems as they might trust each other beyond SAP and use other ports for that.

DR is always a tricky thing (how to automate securely). There are some clever ways of doing this if you accept that it is pushed from SAP and monitored by the SAP system.

You should only mirror to data centers whom you trust and in the SAP world it is not realistic to encrypt the DB.

Cheers,

Julius

Hi Julius,

I would slightly disagree here. Usually you will have firewalls between different protection zones, this could be only the zones you listed, however it is not uncommon and sometimes even required that you also have firewalls to split networks for prod and dev/cons systems to better control the traffic and the access to the prod systems. Especially for systems holding credit card data, this may even be required by standards. Often you will also find similiar setups for sensitive systems like HR systems. I completely agree however, that for an SAP ABAP systems having a firewall between the R3 system and the DB systems is not very helpful from a security point of view.

BTW: there are some recommendations from SAP to this regards in the security guides. Especially with regards to the placement of firewalls there is also some info here.

Kind regards,

Patrick

Hi Patrick,

I slightly agree with you that some control is gained by network zones for PROD / QAS / DEV systems, but the moment you have an STMS transport system, CTS+, SOLMAN monitoring, CUA / IDM, master data replication, central etc then the RFC / SAPGui / Gateway / http ports will be open between the zones anyway.

So you have a considerably slightly higher maintenance effort for the firewalls, networks and switches with only marginally slightly better control of segments (e.g. for "zoning" in gateway ACLs it is useful).

😉

Cheers,

Julius

Hi Julius,

as alway with security, there is no one size fits all. It depends for instance on your workforce If you have a high number of consultants working on Dev and Q, in many cases you want them not to get onto your prod systems.

However this is not the only reason. Usually a system has not only the STMS connectivity for the chain but is interconnected to other systems as well. Just one (real life) example from the past. A customer did copy his prod system to Q and then did some testing in there. However they simply forgot to reconfigure the service connections to let thempoint to the other Q systems and left them pointing to the other prod systems. As there have not been any firewalls in place, thoses connections did work. You can now guess what happened.

The reason you may want to split the zones for prod and dev often is not for the single system but really to have no business connectivity between the systems of the different zones to avoid the above, be it intentionally or by accident.

I'm with you, that if you have only one DEV/Q/Prod line with no other connectivity requirements, setting up different network zones for this may be a bit of an overkill. However I have not seen a customer so far, that had such a setup.

Regards,

Patrick

Normally the basis folks have a "cheat sheet" of things to do before and after system copies. Killing jobs, deactivating SCOT, etc should be on that list regardless of the network zoning, particularly if the ports for ALE and smpt are open.

Yes, I agree that whether or not the ports will be open at that point in time (still / again) depends on whether the effort and discipline involved fits the organization and possibly regulatory requirements (which I was not aware of).

Best rather not to have Credit Card data at all..  🙂

Cheers,

Julius