Fortinet Security Solutions for SAP S/4HANA
WHITE PAPER
Securing the Intelligent Enterprise
Table of Contents
1. Executive Summary
2. Audience
3. Introduction
4. What Makes SAP So Relevant
4.1 High-Level Summary
4.2 SAP Software Is Mission-Critical
4.3 SAP Is the Gorilla in the Enterprise Application Software Market
4.4 SAP S/4 and the Benefits of HANA
4.5 The Role of Cloud Providers
4.6 What Drives the Market To Implement SAP S/4HANA
5. Why Fortinet Secures the Intelligent Enterprise
6. How SAP Systems Are Being Attacked
6.1 High-Level Summary
6.2 Overview of Published SAP Security Updates
6.3 Analysis of Published SAP Security Updates
6.4 A Closer Look Into Two Current SAP Threats
6.4.1 Example 1: 10KBLAZE - Remote Code Execution via SAP RFC Gateway
6.4.2 Example 2: SQL Injection Vulnerability
6.5 Expanding the SAP Threat Landscape
6.5.1 Compromised SAP System in the Cloud
6.5.2 Smart Devices Connected To SAP Systems Are Exposed To Attackers
7. How Fortinet Provides Higher Security for SAP
7.1 High-Level Summary of This Section
7.2 SAP Well-Architected Security
7.3 High-Performance Intrusion Prevention and Content Inspection
7.4 SSL Inspection
7.5 Hybrid Cloud Security Context
7.6 The SAP Web Dispatcher Case
7.7 SAP Compliance
8. Fortinet Reference Architecture for SAP
8.1 High-Level Summary of This Section
8.2 Reference Architectures for SAP S/4HANA in Public Cloud
8.2.1 SAP S/4HANA on Microsoft Azure
8.2.2 SAP S/4HANA on Amazon Web Services (AWS)
8.2.3 SAP S/4HANA on Google Cloud
8.3 Reference Architecture for Hybrid Environment
9. Conclusion and Actions
9.1 Technical and Operations Approaches To Protecting Your Business
10. References
WHITE PAPER | Fortinet Security Solutions for SAP S/4HANA
Executive Summary
With today's challenges and economic climate, organizations leverage enterprise resource planning (ERP) to improve decision-making and to integrate information from customers, supply chains, and vendors to gain competitive insights.
SAP is the world's largest enterprise application software provider and a leader in the Gartner Magic Quadrant, helping organizations with their digital commerce platforms and sales and operations planning systems, and integrating, consolidating, and generating insights into their critical processes.
As these systems contain data from finance, human resources, and proprietary information, their security is paramount, especially as cloud, mobile, and hyperscale technologies come into play, exposing more services to the internet and increasing the attack surface.
Fortinet secures the Intelligent Enterprise running SAP
Fortinet, a cybersecurity leader, helps organizations create a holistic security posture across all their SAP landscapes to secure them from intrusions.
Fortinet leverages its extensive threat intelligence, a strong portfolio, and state-of-the-art artificial intelligence (AI) and machine learning (ML) security to provide a seamless security experience across your SAP landscapes. It automates security controls, making them easier to manage and respond with, and automates SecOps capabilities.
Figure 1 SAP Secure Operations Map (layers and their cells): Organization: Awareness, Security Governance, Risk Management; Processes: Regulatory Process Compliance, Data Privacy & Protection, Audit & Fraud Management; Application: User & Identity Management, Authentication & Single Sign-On, Roles & Authorizations, Custom Code Security; System: Security Hardening, Secure SAP Code, Security Monitoring & Forensics; Environment: Network Security, Operating System & Database Security, Client Security
This white paper provides insights into how Fortinet aligns with the five layers of the SAP Secure Operations Map, with several degrees of integration across the layers.
Fortinet provides advanced security for SAP, and with its network security pedigree, Fortinet focuses on the environment layer, paying in-depth attention to network segregation, web dispatcher security, and client security.
In this paper, we also highlight SAP's most common attack vectors and how Fortinet's portfolio can address those vectors by taking a preventive and detective role in SAP environments.
The recommendations and best practices contained herein are useful for stakeholders involved in the design, implementation, and security of SAP systems.
Audience
The intended audience of this document is:
• Executive and Management: Chief Information Security Officer (CISO), Head of IT Infrastructure, Lines of Business Manager, SAP Program and Security Manager
• Technical and Operations: SAP Basis Consultant, SAP Security Architect or SAP Security Administrator, SAP Application Architect, Risk Management and Security Professionals
• Others who have responsibilities in the security of the SAP landscape
The authors of the document assume that readers have some knowledge of SAP and the Fortinet portfolio, along with some security and networking expertise and agile application development.
Because of the massive nature of SAP technologies, readers are encouraged to take advantage of other resources, including those listed in this document's references, for more detailed information.
Introduction
This document aims to present best practices and recommendations for implementing a secure SAP environment, including SAP S/4HANA, a future-ready enterprise resource planning (ERP) system with built-in intelligent technologies, including AI, ML, and advanced analytics. S/4HANA transforms business processes with intelligent automation and runs on SAP HANA, a market-leading in-memory database that offers real-time processing speeds and a dramatically simplified data model.[1]
Problem Statement 1 – Why should you care?
Today, new implementations of SAP systems, SAP upgrades, conversions to S/4HANA, etc., are no longer deployed by default in on-premises data centers. "Do more with less" has been the challenge for CIOs for many years, meaning providing more IT services to the enterprise with a reduced or, at best, stable IT budget. By outsourcing IT to cloud providers, organizations can free up budget and invest parts of it in more innovative tasks and projects.
However, by adding services from the cloud or by managing hybrid environments, enterprises shift their attack surface. As a result, they have to rethink security seriously to ensure that customer data and enterprise information are protected and that the data privacy policies of each country in which they conduct business are respected.
Problem Statement 2 – Can you patch your SAP systems in time?
SAP Security Updates are released periodically, and customers are recommended to implement patches promptly. However, SAP systems' uptime requirements place a burden on the SAP Basis team to upload, test, and validate every SAP patch. Security-driven networking can help mitigate many of the risks.
Specific recommendations or regulations regarding network, operating system, or client security (infrastructure security) are relevant. Still, SAP does not provide any rules on how SAP systems can prevent security attacks with the technologies available to cybercriminals today. This is where Fortinet adds value to ensure a secure SAP environment.
As a lot of information about S/4HANA is covered in other documents, this document focuses on the aspects that change due to a Fortinet SAP secure implementation.
The focus of this document is primarily on the environment and application layers of the SAP Secure Operations Map, while also covering the ecosystem surrounding it, including segmentation, web application firewall (WAF) security, and the recommended network security practices.
This paper's primary goal is to present and promote an SAP secure execution model to help organizations adopt the SAP architecture securely. The secondary goal is to identify applicable risks, threats, and vulnerabilities, followed by recommendations for security controls and best practices needed to secure an SAP environment.
Section Summaries
Each section starts with a summary that includes the key findings, along with explanations and references within the section, to benefit a high-level reader.
4. What Makes SAP So Relevant
4.1 High-Level Summary
SAP customers will have to convert their SAP systems to SAP S/4HANA by 2027.[2] The majority of SAP S/4HANA systems will be deployed in the cloud at one of the top global hyperscalers (cloud providers).[3] Fortinet is well-positioned to provide higher-level security for SAP systems. Fortinet secures the Intelligent Enterprise running SAP by protecting all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, and third-party systems, in multi-cloud environments and on-premises.
SAP is the world's largest provider of enterprise application software. SAP software is an integrated software suite that addresses needs from all areas and organizations within an enterprise. All SAP systems are mission-critical and demand no downtime.
Problem Statement 3 – SAP security baseline template provides no guidelines for infrastructure security
The latest SAP Security Baseline Template, published in February 2020, offers many recommendations to secure SAP systems, mainly regarding:
• SAP ABAP Application Server
• SAP Java Application Server
• SAP HANA
• Others, like Web Dispatcher or SAP GUI
Figure 2 Extract from SAP Secure Baseline Template – Infrastructure and Network Security are not considered
4.2 SAP Software Is Mission-Critical
What drives customers to use SAP software? SAP software is an integrated software suite that addresses needs from all areas and organizations within an enterprise. SAP enhances the competitiveness of enterprises by modernizing and transforming processes into digital solutions. Implementations of SAP software can take between four months and several years. SAP systems are always business-critical, and most of the time they are also mission-critical; thus, downtime is unacceptable. Customers can have dozens, if not hundreds, of SAP systems deployed.
4.3 SAP Is the Gorilla in the Enterprise Application Software Market
SAP is the world's largest provider of enterprise application software. Founded in 1972 in Germany, SAP today is the largest European software company and delivers its business solutions to more than 400,000 customers worldwide. SAP Concur, SAP SuccessFactors, SAP Ariba, and several other smaller acquisitions are major drivers of SAP's cloud revenue today. While SAP Business Suite still accounts for the dominant part of SAP revenue, SAP S/4HANA is the successor of SAP Business Suite.
92% of the Forbes Global 2000 are SAP customers. 77% of the world's transaction revenue touches an SAP system. SAP is the gorilla in the enterprise application software market, with revenues of €27.6bn in FY2019 and more than 100,000 employees.[4]
4.4 SAP S/4 and the Benefits of HANA
SAP S/4HANA is SAP's successor of SAP Business Suite. Based on a simplified data model, S/4HANA provides an immediate benefit to the line of business (LOB) by improving productivity. While S/4HANA offers faster and more flexible processes at significantly lower IT cost, it sits at the core of enterprises to enable them to reach their next level of digital transformation by using embedded artificial intelligence, real-time analytics, and more.
S/4HANA is an architectural redesign of SAP's traditional application architecture based on SAP R/3 from 1992. Although S/4HANA was developed to achieve the maximum benefit of SAP HANA (High-Performance Analytical Appliance), it also supports traditional database management systems (DBMS) like Oracle, DB/2, MS SQL, Sybase, etc.
SAP HANA is an in-memory, column-oriented DBMS that allows real-time OLTP and OLAP operations in a single system, thus avoiding the need for additional data warehouse systems to enable data mining on OLTP data. Such data warehouse systems are not capable of screening real-time data. SAP HANA has that capability due to its ability to store data in memory and in columns. Scale-out systems of SAP HANA can span up to 16 nodes and hold up to 24 TB of data in memory for a single SAP system.
4.5 The Role of Cloud Providers
Major cloud providers like Amazon Web Services, Microsoft Azure, Google Cloud, Alibaba Cloud, and others offer dedicated services for SAP users. SAP can be deployed in their clouds to offload the cost of running on-premises systems into the cloud and pay by OPEX instead of CAPEX. However, many customers will prefer a hybrid model, where the majority of SAP systems run in the cloud and dedicated production systems remain on-premises.
No matter which model is selected, the need for higher security for the data of mission-critical systems is increasing, as the attack surface shifts when moving to the cloud.[5]
SAP announced a go-to-market agreement in 2019 and renewed its strategic partnership with Microsoft, Project Embrace.[6] Embrace provides Market-Approved Journeys (MAJ) to customers, giving them an easy path to upgrade their SAP systems to S/4HANA on Microsoft Azure. Microsoft also became a reseller of SAP Cloud Platform on Azure.
Also, Google is heavily investing to bring SAP customers to Google Cloud. In June 2020, Google opened a new data center in Frankfurt, Germany, that is planned to exclusively host SAP customers, providing all the benefits of a cloud.[7]
Cloud providers make it easy to migrate SAP systems from on-premises to the cloud, promising lower TCO. Therefore, customers have to decide whether to continue deploying applications in their own data centers or move them to the cloud to free up resources for more innovative tasks, resulting in faster digital transformation and increased competitiveness for the enterprise. It is not an easy decision when considering that a myriad of network security solutions must be deployed.
4.6 What Drives the Market To Implement SAP S/4HANA
SAP announced that standard support for SAP Business Suite would end by 2027. By that date, all customers will have to be converted to SAP S/4HANA unless they prefer to pay a premium for their SAP support fees. Converting old systems to S/4HANA is not necessarily straightforward. This type of project requires careful planning and consulting expertise, as well as a significant budget to execute in time.
The majority of S/4HANA systems are expected to move to the cloud at one of the cloud providers mentioned in 4.5 above. Fortinet is well-positioned to provide a higher level of security for SAP systems. Fortinet secures the Intelligent Enterprise running SAP by protecting all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, and third-party systems, in multi-cloud environments and on-premises.
5. Why Fortinet Secures the Intelligent Enterprise
Fortinet, the number one cybersecurity leader with more than 20 years of history protecting assets, optimizing content delivery, detecting malicious actors, and mitigating threats, saw a rise in attacks targeting SAP systems. As these systems are among the most critical assets of organizations, Fortinet decided to secure those landscapes.
By applying the Fortinet unified portfolio, organizations can have a consistent security framework for SAP across multiple locations and regions. Leveraging the Security Fabric, a broad, integrated, and automated cybersecurity framework, it weaves together all operational and technical security facets, creating a consistent structure for the needs of the SAP security landscape.
As data is the new oil and SAP systems contain confidential data, Fortinet provides capabilities addressing the data's lineage, providing confidentiality, integrity, and availability. Fortinet's capabilities in data loss prevention (DLP), preventing exfiltration of data, and its integration with leading vendors as part of the Security Fabric create unique value in data security, consolidating it in a single pane of glass.
Figure 3 Fortinet Security Fabric Diagram (FortiOS at the core, surrounded by Open Ecosystem, Fabric Management Center, Adaptive Cloud Security, Security-Driven Networking, Zero Trust Access, FortiGuard Threat Intelligence, and SOC/NOC)
The single-pane-of-glass management enabled by the Fortinet portfolio provides a complete and consolidated view across the various network edges. It simplifies operations and provides network-wide security, visibility, and analytics in every environment, centralizing operations for complex landscapes such as SAP and delivering scale, performance, and resiliency for SAP.
As SAP systems are becoming more prevalent in the cloud, Fortinet has integrated next-generation firewalls (NGFWs) that can be deployed in cloud environments, supporting the majority of the cloud providers. Customers can leverage consistent multilayer security protection, automation, and deep integrations, no matter how many clouds they adopt, and provide protection to the SAP ecosystem and beyond.
Fortinet reduces the time to deploy S/4HANA with prepackaged Infrastructure-as-Code templates, enabling the organization to be more agile, adopt DevOps best practices, and provide 360-degree protection to the SAP landscape.
Fortinet wants to accelerate the security of your SAP ecosystem by protecting all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, and third-party systems, in multi-cloud environments and on-premises. Fortinet will provide an integrated experience to ensure that your critical assets stay protected and empower you to focus on your core business.
About Fortinet
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on the ever-increasing performance requirements of the borderless network, today and into the future. Only the Fortinet Security Fabric architecture can deliver security without compromise to address the most critical security challenges, whether in networked, application, cloud, or mobile environments. Fortinet ranks number one in the most security appliances shipped worldwide, and more than 450,000 customers trust Fortinet to protect their businesses.
Fortinet is the only security leader to develop and build custom security processing unit (SPU) technology to offer the best performance and cost value in the industry, with a Security Compute Rating that ranges between 3 and 47 times the performance of other software approaches. Each day, Fortinet FortiGuard Labs uses one of the most effective and proven AI and ML systems in the industry to process and analyze more than 10 billion events, sending actionable real-time threat intelligence to customers. The combination of FortiOS, purpose-built SPU technology, and AI-powered threat intelligence showcases the Fortinet commitment to cybersecurity innovation and excellence.
The Fortinet flagship enterprise firewall platform, FortiGate, is available in a wide range of sizes and form factors to fit any environment and provides a broad array of next-generation security and networking functions. The Fortinet market position and solution effectiveness have been widely validated by industry analysts, independent testing labs, business organizations, and media outlets worldwide. Fortinet is proud to count the majority of Fortune 500 companies among its satisfied customers.
Fortinet is headquartered in Sunnyvale, California, owns a 200,000 square foot manufacturing, assembly, and operations center in Union City, California, and has offices around the globe. Founded in 2000 by Ken Xie, the visionary founder and former president and CEO of NetScreen, Fortinet is led by a strong management team with deep experience in networking and security.
Fortinet technologies can secure the demanding needs of any organization and help drive digital innovation from within.
6. How SAP Systems Are Being Attacked
6.1 High-Level Summary
Securing SAP systems is becoming more and more relevant in today's world. The threat landscape is constantly expanding, and it does not stop at SAP systems. It exposes companies of all sizes and industries to the risk of cyberattacks with severe consequences such as data leaks or damage to the company's reputation.
Some of the vulnerabilities of SAP systems have been given well-known code names such as RECON or 10KBLAZE. Besides these known vulnerabilities, easy-to-use exploits are found on the internet and used by threat actors without much knowledge of SAP.
Every month, SAP publishes security advisories about current vulnerabilities or bugs that could endanger the entire SAP landscape. These notes should be implemented in the SAP systems at regular intervals to ensure secure operation, and doing so often requires system downtime.
This section discusses how SAP systems are being attacked, the type of data that is exposed, and how modern architecture can prevent attacks on SAP systems.
6.2 Overview of Published SAP Security Updates
Due to the size and complexity of SAP software, SAP carries out numerous tests, validations, and checks for compliance with programming guidelines before a new software component is released.
Nevertheless, there are always vulnerabilities, without it being known where and which ones are currently in the SAP code. Such vulnerabilities exist at other large providers of complex software as well; it is similar, for example, with Microsoft Windows or even Linux as a representative of the open-source community.
Let's take a closer look at the SAP Security Updates. The chart below shows the number of vulnerabilities that SAP[8] has closed per month between May 2019 and May 2020.
Figure 4 SAP Security Notes over one year (bar chart: number of SAP Security Notes per month from May 2019 to May 2020, stacked by priority Low, Medium, High, and Hot News; y-axis 0 to 25)
During this period, a total of 182 vulnerabilities were closed. The vulnerabilities are divided into four different types of SAP Security Notes, based on their Common Vulnerability Scoring System (CVSS) score:
Security Note Priority   CVSS v3 Base Score
Low                      0.1–3.9
Medium                   4.0–6.9
High                     7.0–8.9
Hot News                 9.0–10.0
Table 1 SAP Security Note CVSS translation
6.3 Analysis of Published SAP Security Updates
For the period from May 2019 to May 2020, Figure 6 shows that most vulnerabilities are rated Medium. They are usually fixed during the regular import of new SAP Support Package Stacks, along with those of type Low, High, and Hot News.
SAP Security Notes of type Hot News should always be imported immediately, since they pose a serious threat to the system. With notes of type High, you must weigh the advantage of applying them as quickly as possible against importing them with the next SAP Support Package Stack, based on the system landscape and vulnerability exposure. Thus, an SAP system directly accessed from the internet must be patched with a higher priority due to its higher exposure to potential attacks.
Figure 5 Attack Vectors, SAP Security Notes, May 2020 (pie chart): Code Injection 12%, Cross-Site Scripting 8%, Denial of Service 8%, Information Disclosure 13%, Missing Authorization 4%, Missing Authorization Check 13%, SQL Injection 13%, Other 29%
Figure 6 SAP Vulnerability Ranking, SAP Security Notes, 12-month period May 2019 to May 2020 (pie chart): Low 3%, Medium 62%, High 17%, Hot News 18%
Figure 5 above shows the attack vectors. One of the main vulnerabilities is the disclosure of information, which could help an attacker find the right tool or attack point. SQL injections allow an attacker to read parts of the database and view data that is not intended for that user. Another possibility is to inject code into the SAP system, which could lead to remote code execution.
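The patch-prioritisation rule in this section (the Table 1 bands; Hot News at once; High weighed against exposure; Medium and Low with the next Support Package Stack) can be turned into a small triage script that orders a month's notes per system. The block below is an added example, not code from the white paper or from SAP: the note identifiers, scores and system names are constructed placeholders, and the "next maintenance window" bucket for High notes on internal systems is this example's own refinement of the paper's "weigh the advantage" wording.

```python
"""Triage SAP Security Notes by CVSS v3 base score and system exposure.

Added example, not taken from the white paper or from SAP. The priority
bands are the paper's Table 1; the scheduling rule follows the paper's text
(Hot News at once, High weighed against exposure, Medium and Low with the
next Support Package Stack). Note ids, scores and hostnames below are
constructed placeholders.
"""
from collections import Counter

# Priority bands from Table 1 (CVSS v3 base score ranges).
BANDS = (("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
         ("High", 7.0, 8.9), ("Hot News", 9.0, 10.0))

# Order in which the patch queue is worked, earliest first.
ACTION_RANK = {"immediate": 0, "next maintenance window": 1, "next SP stack": 2}


def priority(score):
    """Map a CVSS v3 base score to the SAP Security Note priority band."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside CVSS range 0.1-10.0")


def action(score, internet_facing):
    """Decide when a note gets applied on a given system.

    Hot News is always immediate. High is immediate on internet-facing
    systems (higher exposure, as section 6.3 says) and otherwise waits for
    the next maintenance window (assumption: this bucket is the example's
    own refinement). Medium and Low ride with the next Support Package Stack.
    """
    band = priority(score)
    if band == "Hot News":
        return "immediate"
    if band == "High":
        return "immediate" if internet_facing else "next maintenance window"
    return "next SP stack"


def triage(notes):
    """Return (queue, distribution).

    queue: (note_id, system, band, action) sorted by action rank, then by
    descending score. distribution: whole-percent share of notes per band,
    the same breakdown Figure 6 shows for a year of notes.
    """
    entries = []
    for note_id, system, score, internet_facing in notes:
        entries.append((note_id, system, priority(score),
                        action(score, internet_facing), score))
    entries.sort(key=lambda e: (ACTION_RANK[e[3]], -e[4]))
    counts = Counter(e[2] for e in entries)
    distribution = {band: round(100 * counts[band] / len(entries))
                    for band, _, _ in BANDS}
    return [e[:4] for e in entries], distribution


# Constructed sample: (note id placeholder, system, CVSS v3 score, internet-facing?)
SAMPLE_NOTES = [
    ("NOTE-A", "fiori-gw (DMZ)", 9.8, True),
    ("NOTE-B", "erp-prd", 7.5, False),
    ("NOTE-C", "fiori-gw (DMZ)", 8.1, True),
    ("NOTE-D", "erp-prd", 5.3, False),
    ("NOTE-E", "erp-dev", 2.0, False),
]

if __name__ == "__main__":
    queue, dist = triage(SAMPLE_NOTES)
    for entry in queue:
        print(entry)
    print(dist)
```

Exposure is the input that matters most here: the same High note lands at the front of the queue for the DMZ-facing system and behind the Hot News notes for the internal one, which is exactly the landscape-dependent decision the section describes.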
6.4 A Closer Look Into Two Current SAP Threats
In this chapter, we dive into two SAP threats, one of them code-named 10KBLAZE, the other an SQL injection. Both received very high attention because the vulnerabilities were emerging, simple, and presented high threats to SAP data and systems.
The first example, under the code name 10KBLAZE, is a threat that chains multiple vulnerabilities. One of them is an unauthenticated remote code execution in the SAP RFC Gateway. The second example is an SQL injection in the SAP UDDI (Universal Description, Discovery, and Integration) service application of SAP NetWeaver Java.
By exploiting these vulnerabilities, an internal or external attacker can escalate their privileges and obtain sensitive technical and business-related information stored in the vulnerable SAP system.
6.4.1 Example 1: 10KBLAZE - Remote Code Execution via SAP RFC Gateway
This vulnerability, also known as 10KBLAZE, is a current threat for SAP systems that has been taken up by various computer magazines.[9] It was discovered that vulnerable SAP applications could be compromised by a remote, unauthenticated attacker who only had network access to the system (without requiring a valid SAP user ID and password), for example through a port visible on the internet. The attacker can gain unrestricted access to SAP systems, enabling them to compromise the platform with all its information, change or extract this information, or shut down the system.
A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference described SAP systems with insecure configurations exposed to the internet. One of the sessions showed that more than 3,280 SAP Gateways were exposed to the internet on ports 3300 and 3301 TCP, as well as more than 9,209 SAP Routers and 1,981 Message Servers on port 39xx, which should only be intended for internal use.[10]
Figure 7 Example SAP Communication Diagram (clients: Browser, RFC Client, SAP GUI; DMZ: SAP Router behind a firewall; server zone: host sap-server, instance no. 00, with ICM on 8000 (HTTP), the ABAP Dispatcher on 3200 (RFC-DIAG), the ABAP Message Server on 3600 / 3900 (MSG), and the Gateway (GW) on 3300 (RFC))
The SAP Gateway (GW), the SAP Router, and the SAP Message Server (MS) were not optimally configured in terms of security or were deployed at a suboptimal location.
The SAP Gateway and the SAP Message Server are part of every SAP system and were, in the past, insecurely configured by many administrators for convenience. The SAP Gateway handles communication between SAP and non-SAP applications; the SAP Message Server handles communication between SAP application servers and their users.
An SAP Router is required to provide SAP Enterprise Support access to SAP customer systems for support purposes, allowing customers to access and implement SAP Notes or obtain the latest security information from SAP. In other words, the SAP Router is a program that helps to connect SAP systems with external networks. The SAP Router requires internet access and, therefore, is exposed to potential attackers.
In combination, Fortinet provides higher security to protect the SAP Router and SAP components on the network layer (the Environment layer of the Secure Operations Map) before an attacker can access the SAP system.
How 10KBLAZE compromises SAP components to gain access and control
There are two possibilities to attack SAP systems under the 10KBLAZE threat: either use an upstream SAP Router or access the SAP Message Server monitor port.
In the first case, an attack via the SAP Router, a configuration vulnerability is used. This vulnerability allows the SAP Router to be used as a proxy to access the SAP system. It occurs when the SAP Router is deployed either locally on the SAP system or on a system belonging to the SAP systems in the internal corporate network. In most configurations of SAP systems, the SAP Router has direct access to the SAP RFC Gateway. Under these conditions, attackers can misuse the SAP Router as a proxy. The attackers' requests then appear to the gateway as if they were coming directly from the SAP Router and are allowed to pass through. In this case, attackers bypass any access control lists (ACLs).
In the second case, attackers require access to an unprotected monitor port (39xx) of an SAP Message Server. Attackers can add a malicious system to the SAP system's trust list, without the requirement to log in with a password or other proper authentication. The tampered trust list allows attackers to bypass the gateway ACL from their system and access the gateway directly.
Having exploited either one of the above vulnerabilities, further known attacks against the SAP Gateway can be carried out, for example sending operating system (OS) commands to start compromising the entire system.
How remote code execution works
The SAP RFC Gateway can execute OS commands on the server where its own OS process is running; this is intended functionality and not a vulnerability. One reason is the "tp" command, which can be called from any other server within the SAP transport landscape. In a typical scenario, the SAP system administrator would execute predefined remote commands only, via transaction SM49 or SM69.
An ACL file controls these executions and validates whether the program is allowed to be executed by the user from the specific user host in the request. The ACL file is the only "authentication" for the RFC Gateway. Often, the ACL file contains a very vague or blank configuration, so that an attacker can fake an internal system to bypass this ACL and execute any command they want. This scenario leads to unauthenticated remote code execution.
The first solution was to configure the security mechanisms implemented by SAP many years ago so that they can fulfil their function as protection against unauthorized access. But not only the SAP systems as such can protect against threats. Another possibility to prevent future attacks is to connect a firewall in front of the SAP ports that are connected to the internet and to run corresponding intrusion detection system (IDS) and intrusion prevention system (IPS) rules to detect and block an attack before it is passed on to SAP. An IPS/IDS also provides security before the software vendor provides a patch for a vulnerability. Also, a patch does not resolve all security-related problems; often a misconfiguration of an ACL file is what grants access to a system.
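The "vague or blank" gateway ACL described above is something a Basis or security team can check for mechanically rather than by eye. The audit script below is an added example, not code from the white paper, Fortinet or SAP. It assumes the version-2 secinfo/reginfo rule syntax (a P or D action followed by TP=, USER=, USER-HOST= and HOST= pairs, '#' comment lines, first match wins, '*' meaning any value); the two sample files, the three-step severity scale and the decision to treat an empty file as a finding are this example's own assumptions.

```python
"""Audit an SAP RFC Gateway ACL (secinfo-style) file for permissive rules.

Added example, not code from the white paper, Fortinet or SAP. It assumes the
version-2 secinfo/reginfo syntax: one rule per line, 'P' (permit) or 'D'
(deny) followed by KEY=VALUE pairs such as TP, USER, USER-HOST and HOST,
'#' comments, first matching rule wins, and '*' meaning any value. The
severity scale and the sample files are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: the "vague or blank" configuration the paper warns about.
PERMISSIVE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample: programs pinned to hosts, closed by an explicit deny-all.
HARDENED_SECINFO = """\
#VERSION=2
P TP=tp USER=* USER-HOST=local HOST=local
P TP=sapxpg USER=sapadm USER-HOST=erp-prd.corp.example HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""

HOST_KEYS = ("HOST", "USER-HOST")
ALL_KEYS = ("TP", "USER") + HOST_KEYS
TOKEN_RE = re.compile(r"(?P<key>[A-Z-]+)=(?P<value>\S+)")


@dataclass
class Finding:
    line_no: int      # 0 for file-level findings
    severity: str     # "high", "medium" or "low" (this example's own scale)
    message: str


def parse_rules(text):
    """Return [(line_no, action, {KEY: VALUE})]; action is 'P', 'D' or '?'."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            rules.append((n, "?", {}))
            continue
        attrs = {m.group("key"): m.group("value") for m in TOKEN_RE.finditer(rest)}
        rules.append((n, action, attrs))
    return rules


def is_any(value):
    # Assumption: an absent attribute is as unrestricted as an explicit '*'.
    return value is None or value == "*"


def audit(text):
    """Flag rules that let arbitrary hosts start programs through the gateway."""
    findings = []
    rules = parse_rules(text)
    if not rules:
        # Assumption: an empty or missing ACL is reported as a finding, since
        # older kernels treated the absence of secinfo as permit-all.
        findings.append(Finding(0, "high", "no rules: empty or missing ACL"))
        return findings
    deny_all_seen = False
    for n, action, attrs in rules:
        if action == "?":
            findings.append(Finding(n, "low", "unparseable line; gateway may reject or ignore the file"))
            continue
        if action == "D" and all(is_any(attrs.get(k)) for k in ALL_KEYS):
            deny_all_seen = True
            continue
        if action != "P":
            continue
        program = "any program" if is_any(attrs.get("TP")) else f"TP={attrs['TP']}"
        if all(is_any(attrs.get(k)) for k in HOST_KEYS):
            findings.append(Finding(n, "high", f"permit from any host and any user host for {program}"))
        elif any(is_any(attrs.get(k)) for k in HOST_KEYS):
            findings.append(Finding(n, "medium", f"permit with a wildcard host for {program}"))
        elif any(attrs[k].endswith("*") for k in HOST_KEYS):
            findings.append(Finding(n, "low", f"permit with a partial host wildcard for {program}"))
    if not deny_all_seen:
        findings.append(Finding(0, "medium", "no explicit final deny-all rule"))
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_SECINFO), ("hardened", HARDENED_SECINFO)):
        print(name, [(f.line_no, f.severity, f.message) for f in audit(text)])
```

Run against the permissive sample it reports the single wildcard permit as high and the missing deny-all as medium; the hardened sample produces no findings. A reginfo file uses the same P/D layout, so the parser applies unchanged and the host check can be widened to its additional host-list attributes. As the section notes, such a check complements rather than replaces an IPS in front of the gateway ports: the ACL is the gateway's only authentication, so it has to be right even when the network path is filtered.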
6.4.2 Example 2: SQL Injection Vulnerability
An SQL injection vulnerability means that code includes an SQL statement containing strings that can be altered by an attacker. The manipulated SQL statement can be used to obtain additional data from the database or to modify data in the database.
How SQL injection compromises SAP systems
For example, CVE-2016-2386 is an SQL injection in SAP NetWeaver AS Java.
This vulnerability affects SAP UDDI, which is one of the most used applications in SAP deployments. SAP NetWeaver versions 7.11 to 7.50 are susceptible to this threat. To exploit the vulnerability, an attacker merely sends an HTTP query of the following type:
Figure 8 Attack HTTP Query
Figure 9 SQL Query launched by CVE-2016-2386
The vulnerability lies in the permissionId parameter, which can carry any SQL command. When the SAP application receives the code, it executes it. For example, an SAP server will execute this SQL command and return a count of rows from the BC_UDV3_EL8EM_KEY table.
By exploiting this vulnerability, attackers can obtain the hashes of user passwords from the UME_STRINGS table. After that, they still need to recover the passwords from the hashes, which they can attempt by:
- Using a brute-force attack
- Finding another vulnerability in the password crypto algorithm
How can we protect the SAP system from such attacks to avoid data theft and a compromised system? Generic protection for threats such as SQL injection or cross-site scripting is a web application firewall (WAF).
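The following Python example, added here and not taken from SAP, the CVE advisory or the paper, shows the defect class in miniature: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database. The table and column names are constructed to echo BC_UDV3_EL8EM_KEY and UME_STRINGS from the text and are not SAP's real schema, the password hash is a placeholder, and the `looks_like_sqli` heuristic is a simplified stand-in for the kind of pattern a WAF applies, not FortiWeb's logic.

```python
"""Vulnerable vs. parameterized permission lookup (added example, not SAP's code)."""
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema echoing the table names in the text; not SAP's real layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bc_udv3_el8em_key (permission_id TEXT, key_name TEXT)")
    conn.executemany("INSERT INTO bc_udv3_el8em_key VALUES (?, ?)",
                     [("42", "portal.key"), ("43", "uddi.key")])
    conn.execute("CREATE TABLE ume_strings (pid TEXT, attr TEXT, val TEXT)")
    conn.executemany("INSERT INTO ume_strings VALUES (?, ?, ?)",
                     [("USER.PRIVATE_DATASOURCE.un:admin", "j_password", "{SHA-512}placeholder-hash"),
                      ("USER.PRIVATE_DATASOURCE.un:admin", "displayname", "Administrator")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, permission_id: str) -> list:
    """Untrusted input spliced into the statement text: the injection pattern."""
    sql = f"SELECT key_name FROM bc_udv3_el8em_key WHERE permission_id = '{permission_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, permission_id: str) -> list:
    """Bound parameter: the driver passes the value as data, never as SQL text."""
    sql = "SELECT key_name FROM bc_udv3_el8em_key WHERE permission_id = ?"
    return [row[0] for row in conn.execute(sql, (permission_id,))]


# A UNION payload that turns the key lookup into a read of password hashes;
# the trailing "-- " comments out the closing quote of the original statement.
PAYLOAD = "' UNION SELECT val FROM ume_strings WHERE attr = 'j_password' -- "

# Simplified WAF-style heuristic (assumption: illustrative only, not FortiWeb's logic).
_SQLI_PATTERN = re.compile(
    r"'\s*(or|and|union)\b|--|/\*|;\s*(drop|delete|update|insert)\b", re.IGNORECASE)


def looks_like_sqli(value: str) -> bool:
    """Pattern check a perimeter device might apply; a fallback, not a fix."""
    return _SQLI_PATTERN.search(value) is not None


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized:", lookup_safe(conn, PAYLOAD))
    print("WAF heuristic flags payload:", looks_like_sqli(PAYLOAD))
```

The concatenated query returns the password-hash row from the second table even though the caller only asked for a key name; the parameterized query returns nothing for the same input because the payload is compared as a literal permission_id. The regex catches this particular payload, but a signature of that kind is defence in depth in front of code that cannot be patched immediately, not a replacement for binding parameters in the application.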
1.1.1 Expanding the SAP Threat Landscape
The SAP world is moving in the cloud direction and toward a new front end for end users, SAP Fiori. Fiori is a modern, HTML5-based web interface for accessing SAP applications, and it is about to replace the traditional fat-client SAP GUI. With SAP Fiori, SAP applications now have usability comparable to consumer apps. In the past, using the SAP GUI, SAP interfaces were overloaded with many functions that most users would never use; users needed long training periods and had difficulty finding their way around the GUI. Today, the (different) SAP applications offer the same range of functions, but the interfaces are clear and tidy. They are tailored to the end user's respective role (e.g., accounting) and only show the functions that end user needs. SAP Fiori creates a consistent, role-specific, and intuitive user experience across the various enterprise applications, independent of the endpoint devices used.
1.1.1 Compromised SAP System in the Cloud
In addition to classical on-premises solutions, SAP also offers its customers cloud or hybrid solutions. SAP does not limit itself to SAP HANA Enterprise Cloud (HEC) and enables operation of SAP solutions in AWS, Microsoft Azure, and Google Cloud Platform.
As a result, SAP systems are no longer available only internally within company boundaries but can also be accessed externally. Hybrid deployments are deployments where SAP is partly available in the cloud as well as on-premises. As described in 6.5.2 below, even more emphasis must be placed on security-driven networking to avoid attacks like 10KBLAZE or the latest RECON hack.
In the future, HTTPS or similar connections coming from outside an SAP landscape should be scanned for known threats by using a WAF in combination with an IDS and an IPS. So far, SAP security is often not yet taken seriously enough by companies, opening doors to attackers and risking the loss of valuable data and of reputation that cannot be restored.
1.1.2 Smart Devices Connected To SAP Systems Are Exposed To Attackers
Companies such as energy suppliers are supported by SAP and offer more customer-friendly digital services. These include the deployment of smart electricity meters that automatically send consumption data to the utility provider, or corresponding self-service portals where customers enter the meter reading themselves or view their consumption hourly. In the future, such self-service portals will be based on SAP Fiori and are therefore also targets for attacks, as they can easily be reached from any internet browser. The transmission of consumption data from smart electricity meters to systems such as SAP Leonardo must also be protected against manipulation of the data.
Figure 10 EVB Energy Smart Meter [11]
Fortinet secures the Intelligent Enterprise running SAP by protecting all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, and third-party systems, in multi-cloud environments and on-premises.
How Fortinet Provides Higher Security for SAP
1.1 High-Level Summary of This Section
The modern SAP system, and its migration to the cloud, enables ever more interfaces: connections to other SAP and non-SAP systems that are internal and external to an organization. Defending what is typically a business's most vital application is as complex as it is critical. An SAP deployment may involve multiple landscapes spread across a hybrid premises and cloud footprint running on a variety of software-defined networks (SDNs). Front ends, application servers, and databases must be segmented against lateral infection and unauthorized access. With user connections and data largely encrypted by secure sockets layer (SSL), high-performing, in-line deep packet inspection is a necessity. At the same time, security must have no perceptible impact on the user experience and system performance.
With so many vectors to protect against, visibility can be a challenge across an infrastructure as broad and diverse as SAP. With respect to infrastructure, SAP's Security Baseline Template leaves these problems to the customer to solve. The Fortinet Security Fabric platform specifically addresses SAP's most common and emerging threats by providing a unified security context that is simultaneously integrated with, and independent of, the underlying infrastructure. Fortinet uniquely provides the high-performing network and content protection that an SAP deployment demands.
1.1 SAP Well-Architected Security
SAP's well-architected security starts with considering how SAP traffic will transit the infrastructure and where boundaries of trust reside. Segmenting SAP from other workloads ensures a minimum boundary of trust and inspection. Critically, this includes the internal segmentation of application servers, front ends, and databases to prevent lateral attacks through impersonation or privilege escalation. The best practice of segmentation enables the FortiGate to deliver high-performance, low-latency SAP security through deep packet and content inspection specific to SAP services. With unmatched security effectiveness, the real key to success is performance that doesn't impact transaction times for users or impede database processes. Fortinet's FortiOS operating system brings various forms of hardware and software acceleration to bear, removing the compromise between security and performance.
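As an added example (not Fortinet's or SAP's code), the Python below turns the tiering described here into an explicit, default-deny east/west rule set and lets you query it the way a firewall policy table is evaluated. Port numbers follow SAP's instance-number convention (32NN dispatcher, 33NN gateway, 36NN message server, 80NN/443NN ICM HTTP/HTTPS, 3NN15 HANA tenant SQL); the SIDs, host names, instance numbers and RFC peering below are constructed for illustration, and the Web Dispatcher's connection to the message server HTTP port is left out because it depends on the ms/http_port setting.

```python
"""Default-deny east/west rule set for segmented SAP tiers (added example, not Fortinet/SAP code)."""
from dataclasses import dataclass


def sap_ports(nn: str) -> dict:
    """Standard SAP ports for a two-digit instance number NN."""
    if not (len(nn) == 2 and nn.isdigit()):
        raise ValueError("instance number must be two digits, e.g. '00'")
    n = int(nn)
    return {
        "dispatcher": 3200 + n,        # 32NN, DIAG (SAP GUI)
        "gateway":    3300 + n,        # 33NN, RFC
        "msg_server": 3600 + n,        # 36NN
        "http":       8000 + n,        # 80NN, ICM HTTP
        "https":     44300 + n,        # 443NN, ICM HTTPS
        "hana_sql":  30015 + 100 * n,  # 3NN15, HANA tenant SQL
    }


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int          # 0 means any port
    service: str
    action: str = "accept"


# Constructed landscape: SIDs, hosts, instance numbers and RFC peering are made up.
SAMPLE_LANDSCAPE = {
    "AA1": {"nn": "00", "webdisp": "wd-aa1", "app": "app-aa1", "db": "hana-aa1"},  # Finance
    "AA2": {"nn": "01", "webdisp": "wd-aa2", "app": "app-aa2", "db": "hana-aa2"},  # HR
}
SAMPLE_RFC_PEERS = [("AA2", "AA1")]  # HR may call Finance via RFC; not the reverse


def build_policy(landscape: dict, rfc_peers: list) -> list:
    """Only the flows each tier needs, then an explicit deny-all."""
    rules = []
    for sid, t in landscape.items():
        p = sap_ports(t["nn"])
        rules.append(Rule("internet", t["webdisp"], 443, f"{sid}: HTTPS to Web Dispatcher"))
        rules.append(Rule(t["webdisp"], t["app"], p["https"], f"{sid}: Web Dispatcher to Fiori/ABAP ICM"))
        rules.append(Rule(t["app"], t["db"], p["hana_sql"], f"{sid}: ABAP to HANA SQL"))
    for src_sid, dst_sid in rfc_peers:
        gw = sap_ports(landscape[dst_sid]["nn"])["gateway"]
        rules.append(Rule(landscape[src_sid]["app"], landscape[dst_sid]["app"], gw,
                          f"{src_sid} -> {dst_sid}: RFC via gateway"))
    rules.append(Rule("any", "any", 0, "implicit deny", action="deny"))
    return rules


def is_allowed(policy: list, src: str, dst: str, port: int) -> bool:
    """First matching rule decides, like a firewall policy table."""
    for r in policy:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (0, port):
            return r.action == "accept"
    return False


if __name__ == "__main__":
    policy = build_policy(SAMPLE_LANDSCAPE, SAMPLE_RFC_PEERS)
    for r in policy:
        print(f"{r.action:6} {r.src:>9} -> {r.dst:<9} {r.port:>5}  {r.service}")
    print("web tier to DB allowed?", is_allowed(policy, "wd-aa1", "hana-aa1", 30015))
```

The queries worth running against such a table are the negative ones: the web tier must not reach the database port, the internet must not reach the ICM or DIAG ports of an application server directly, and an RFC path declared in one direction must not exist in the other.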
[Figure 11 diagram: three segmented systems, SID AA1 (Finance), SID AA2 (HR) and SID AB1 (Manufacturing), each with its own Web Dispatcher, Message Server and Fiori ABAP instance; HTTPS and RFC flows between the segments]
1.2 High-Performance Intrusion Prevention and Content Inspection
Addressing targeted SAP threats requires the security apparatus to be application-aware of the SAP systems running within the security boundary. The Fortinet FortiGate NGFW provides many features tailored to SAP. The FortiGate, combined with FortiGuard Threat Intelligence, delivers validated, industry-leading IPS technology. FortiGuard Labs delivers SAP threat intelligence to the FortiGate's IPS engine to protect from well-known and emerging threats. Common exploits such as relay attacks, command execution, SQL injections in SAP NetWeaver ABAP and Java, and attacks on other services are mitigated with microsecond latency. Configuration errors are minimized as SAP heuristics and signatures are enabled in the default IPS policy. Figure 12 shows a sampling of these.
Figure 11 SAP East/West Segmentation
Figure 12 Sample of IPS Signatures for SAP
Year after year, Fortinet has been reported as a standout leader in next-generation IPS through independent studies such as those by NSS Labs and Virus Bulletin. Fortinet's catch rate for exploit and exploit-evasion attempts is among the highest in the industry.
[Figure 13 chart: Fortinet NSS tested catch rates; bars for attacks run vs. blocked with coverage, 893 run / 891 blocked (99.8%) and 890 run / 890 blocked (100.0%); percentage axis 80%-100%, count axis 880-894; series labelled Attacker and Target]
Figure 13 Fortinet NSS tested catch rates
As malicious actors evolve their attack and evasion techniques against SAP, static signatures and even heuristics may miss novel attacks. Traditional signature detection is reactive, as the signatures are merely fingerprints of threats that have already been seen. Fortinet's patented compact pattern recognition language (CPRL) is a deep-inspection, proactive signature-detection technology developed through years of research by FortiGuard Labs. A single CPRL signature can catch 50,000 or more variants of a family of malware. It includes decryption, unpacking, and emulation of code for robust static analysis, which reduces the volume of code that needs full sandboxing. CPRL proactive signature detection helps cast a wider net over the attacks and methods of modern advanced persistent threats (APTs) and advanced evasion techniques (AETs), preserving full sandbox analysis for the most sophisticated threats.
APTs pursue SAP systems because they mount multistage attacks aimed at an organization's most valuable data. Further, threat actors may attempt reconnaissance and social engineering to aid infiltration. APTs against SAP require the advanced countermeasures that FortiSandbox enables. FortiSandbox is a rigorous inspection tool that can fully execute and analyze content and executable code to uncover APTs. FortiSandbox explores all code execution paths. Combining sandboxing with proactive signature detection minimizes the opportunity for APTs. With Fortinet Security Fabric integration, threat intelligence is distributed across the network footprint in real time to continually elevate the security posture.
1.1 SSL Inspection
It's no secret that the majority of HTTP traffic is SSL encrypted, for obvious reasons. As SAP has embraced HTTP as a protocol for a modern S/4 deployment and customers move away from the SAP GUI thick client, the guidance has been to "maintain end-to-end encryption." In general, this is very sound advice. However, because encryption is merely a tool, it can hide any traffic from detection, including malware. Today more than 60% of malware is encrypted. Given this seemingly conflicting guidance, supporting localized SSL inspection (decrypt, inspect, re-encrypt) provides both the visibility into malicious traffic flows and maintains the best practice of "end-to-end encryption." While this is a sound security approach when done correctly, performance impacts can cause user experience and database lock times to suffer. For instance, NSS Labs has found that, on average, the performance hit for deep packet inspection is 60%, connection rates decrease by an average of 92%, and response times increase by a whopping 672%. Fortinet removes this compromise between security and performance in a variety of ways.
Physical FortiGate NGFWs are equipped with proprietary hardware acceleration that offloads encryption functions to a security processing unit. This Fortinet-only capability boasts performance advantages of up to 20x that of competitors in the latest-generation devices. To deliver differentiated performance in virtual form factors, FortiGate implements the virtual security processing unit (vSPU) as a virtualized application-specific integrated circuit (ASIC) in conjunction with a unique decryption load-balancing service. The FortiGate running as a VM in a public or private cloud delivers 5-7x the performance of competitive NGFWs.
With Fortinet, SAP decision-makers can be assured that Fortinet provides the highest security catch rates with the most significant performance levels possible.
1.1 Hybrid Cloud Security Context
SAP S/4HANA is the core of SAP's modern Intelligent Enterprise solution that extends line-of-business applications from the data center to the cloud. By adopting the cloud, SAP allows the enterprise to focus on activities that create brand value. A hybrid cloud deployment permits flexibility between customization and speed to market. This opportunity is not without cyber risks. The hybrid footprint makes it a challenge to protect dynamic edges where SAP systems may federate across these platforms. For every bit of brand value SAP creates, poor administration and poor security practices can destroy that value. Security implemented for SAP systems must unify these various platforms and edges in a single security context. The Fortinet Security Fabric does this by generating real-time threat intelligence shared across the entire SAP security boundary.
Hybrid cloud-data center deployments present multiple, continually evolving edges that require a single security context. A high-level view of a two-tiered, hybrid deployment is depicted in Figure 14. The data center shows the typical enterprise resource planning (ERP) system on a software-defined stack. Network segmentation is implemented as microsegmentation with FortiGate NGFW policies attached at each virtual network interface card (VNIC). Similarly, the cloud is deployed on the cloud provider's SDN with subnet-level segmentation and east-west and north-south inspection between application tiers. This model aligns with version 2.0 of the SAP Security Baseline Template for segmenting SAP application zones. Identity services are synchronized from the data center into cloud single sign-on (SSO).
Figure 14 Hybrid Infrastructure Security
A single point of truth and management for policies is deployed in the cloud (though it can be deployed anywhere) and manages security across the entire domain. Threat intelligence should be coordinated to ensure a single view of the active threat landscape. In this way, policy can be activated in real time, relative to correlated indicators of compromise across the hybrid footprint. Fortinet FortiManager and FortiAnalyzer coordinate management and threat intelligence everywhere Fortinet network security is deployed. FortiManager and FortiAnalyzer can be deployed on-premises or in the cloud. In Figure 14, management is deployed in the cloud to coordinate the entire security deployment across the hybrid environment.
[Figure 14 diagram: customer data center running SAP Business Suite (ERP, CRM, BW, Finance on ABAP/Java, HANA and other databases over virtualization and network layers, SAN/NFS storage, secure microsegments) linked by secure tunnel and identity federation to a cloud region hosting SAP NetWeaver (ABAP/Java), SAP Gateway, HANA, storage, logs, keys and serverless services with inter-region replication/DR; FortiGate, FortiWeb, FortiManager, FortiAnalyzer and FortiSandbox in a security subnet providing E/W segmentation across Subnet 1..n; HTTP/s from the Internet, customers, partners, credit processing and service provider/extranet]
Next-generation software-defined data centers (SDDCs) and clouds run on SDNs that are API-driven. The rich metadata of the SDN benefits security by providing information on the objects and networks in the SDN. FortiGate NGFWs farm this metadata through Fabric Connectors to implement dynamic policies. As SAP workloads are pushed into production, metadata filters inform the FortiGate on how to apply policy. This automation drives business intent and non-blocking production security for new service deployments.
1.1 The SAP Web Dispatcher Case
SAP S/4 shifts much of SAP's user interaction from SAP GUI to a user's browser and the HTTP/s protocol. As this encrypted web traffic grows, the opportunity to exploit common web vulnerabilities expands, creating a larger attack surface. Web Dispatchers are deployed for load balancing to SAP Fiori systems. Still, they lack any ability to protect back-end resources from cross-site scripting, SQL injection, JavaScript exploits, and other common Open Web Application Security Project (OWASP) attacks. SAP recommends maintaining end-to-end encryption along with appropriate patching. While this is a best practice, most malware is encrypted as well, which still leaves a gap in protection.
FortiWeb web application firewall (WAF) is a dedicated HTTP/s protection platform that goes beyond protecting against known OWASP Top 10 threats to implementing auto-tuning and machine learning. FortiWeb does this while maintaining full-length encryption and only decrypting locally to support inspection. FortiWeb lifts the burden of cumbersome manual tuning and distracting false positives. FortiWeb looks at the user's habits and patterns to build security tailored to the sessions that should be permitted. FortiWeb goes beyond firewalling to providing virtual patching. FortiWeb can be deployed as a physical or virtual instance or as Software-as-a-Service (SaaS), as the most effective way to protect your web services in SAP.
Figure 15 Fabric Connector Dynamic Filter
[Figure 16 diagram: FortiWeb in the DMZ terminating HTTPS and SSL VPN sessions from Fiori users and forwarding them with full-length encryption to the SAP Web Dispatcher, which load-balances across Fiori instances; the Message Server and Enqueue Server feed logon group updates into the load-balancer configuration; RFC between back-end components]
Figure 16 FortiWeb Web Application Firewall protects SAP Web Dispatcher traffic using AI and ML
1.1 SAP Compliance
With the increase in hybrid architectures and cloud usage, the user base and resources have become perimeterless, in the sense that they are now distributed across landscapes and infrastructure, especially in the cloud world as organizations adopt multi-cloud environments to reduce concentration risk. Fortinet brings tools to security teams such as FortiCWP cloud workload protection (CWP). Using FortiCWP, security teams can evaluate their cloud configuration security posture, detect potential threats originating from misconfiguration of cloud resources, analyze traffic across cloud resources (in and out of the cloud), and evaluate cloud configuration against best practices. It enables the ability to manage risk throughout multi-cloud infrastructures, provides regulatory compliance reporting, and integrates remediation into the cloud infrastructure lifecycle automation framework. Fortinet enables automatic tracking of risk and compliance that is monitored continuously. Reports are generated in a single centralized dashboard across your public cloud providers for holistic monitoring. Fortinet enables a holistic understanding of the risk posture and compliance levels of SAP resources deployed in the cloud, considering the overall ecosystem and not only the SAP landscape.
This level of granularity gives CISO teams a single pane of glass to track risk and generate National Institute of Standards and Technology (NIST), Service Organization Control (SOC), and General Data Protection Regulation (GDPR) reports. CISO teams can provide a security health snapshot of the SAP landscape within the organizational context.
Figure 17 FortiCWP GDPR security controls
Figure 18 FortiCWP GDPR example compliance report
Fortinet Reference Architecture for SAP
1.1 High-Level Summary of This Section
Each public cloud provider referenced below offers SAP reference architectures based on its best practices. These form a baseline together with the Fortinet best practices for securing public cloud. The resulting architectures provide added security and optimized connectivity of an SAP landscape in the public cloud toward other SAP landscapes, users, and third parties, on-premises as well as in the cloud.
1.2 Reference Architectures for SAP S/4HANA in Public Cloud
1.2.1 SAP S/4HANA on Microsoft Azure
Microsoft Azure's architecture starts from a hub-spoke setup where each SAP landscape can be segmented and inspected at a hub location. This setup aligns well with the Fortinet Cloud Security Service Hub concept. In the central hub, a FortiGate and FortiWeb installation is set up to scan the traffic. Both FortiGate and FortiWeb can be deployed as an Active/Passive high-availability setup, an Active/Active setup, or an autoscaling setup; which of these is optimal depends on the environment's throughput, uptime, and complexity requirements. To get a head start, templates in ARM and Terraform are available on our GitHub.
[Figure 19 diagram: Hub vNET with Security DMZ subnet (FortiGate NGFW availability set), WAF DMZ subnet (FortiWeb WAF), Shared Services subnet (SAP router cluster, Key Vault, storage) and ID Management subnet, each behind NSGs; vNET peering to SAP vNETs for Dev, Test, QA, Pre-Prod and Prod, each with an App Tier subnet (SAP Web Dispatcher, Fiori, availability sets, NSGs) and a Database subnet (HANA database availability set); Region 1 Primary replicated to Region 2 Disaster Recovery (HANA replica) via HANA System Replication and Azure Site Recovery; premise network connected over IPsec 10G VPN and ExpressRoute; jumpbox; flows HTTP(s) TCP 80/443, TCP 39xx, NI/SNC]
Figure 19 Fortinet Reference Architecture for SAP S/4HANA on Microsoft Azure
1.1.1 SAP S/4HANA on Amazon Web Services (AWS)
AWS provides Quick Start reference architectures in both single-AZ and multi-AZ environments. These reference architectures include a DMZ/public subnet where the FortiGate and FortiWeb instances are deployed. The FortiGate provides the secure connectivity entry point into the network. Over Direct Connect as well as via Internet Protocol security (IPsec) over the internet, inbound connections are controlled and passed on to the back-end systems after inspection.
For any HTTP(S)-related services such as SAP Fiori, we direct the traffic toward the FortiWeb for inspection at Layer 7, including machine learning of a model of your traffic as well as authentication and protection against common web vulnerabilities.
[Figure 20 diagram: AWS region, Availability Zone 1, with a DMZ subnet (FortiGate, FortiWeb), an Application subnet (SAP Web Dispatcher, AS-ABAP, MSG Server / Enqueue, Fiori, SAP Router) and a Database subnet (SAP HANA master, storage volumes), each with security groups (SG); corporate network connected over IPsec 10G VPN; flows HTTP/S and TCP 39xx; AWS S3 and Route 53]
Figure 20 Fortinet Reference Architecture for SAP S/4HANA on AWS
1.1.2 SAP S/4HANA on Google Cloud
Google Cloud offers specific SAP architectures and advisories to its customers. Based on these architectures, we can start adding additional security and optimize the connectivity of an SAP landscape toward other SAP landscapes, users, and third parties.
Google Cloud SAP Architectures: For Google Cloud, the architecture includes protection and traffic inspection for both north-south and east-west traffic flows between the different virtual private cloud (VPC) networks containing an SAP landscape or shared services. The diverse SAP landscapes can be either at different stages of production (development, test, production) or SAP landscapes that are unrelated to each other and perform various functions for different parts of the operation.
In this design, traffic between the shared services such as the SAP Router and the application server in the production VPC is inspected using the FortiGate. All inbound traffic, as depicted in Figure 21 (Fortinet Reference Architecture for SAP S/4HANA on Google Cloud), is examined by FortiGate (TCP 39xx, NI RPC/DIAG/..., HTTPS) or by the FortiWeb (HTTPS). Once inside the VPC, traffic between the SAP landscapes can be allowed or blocked using the ACLs in Google Cloud.
[Figure 21 diagram: Google Cloud region with External VPC (external subnet), Relay VPC (relay subnet with FortiGate VM and FortiWeb VM), Shared services VPC (service subnet with SAP Router and jump server), Production VPC (Application subnet with Web Dispatcher and SAP instance; HANA DB subnet with HANA database), and Preproduction, QA, Test and Development VPCs, connected by VPC peering; Colo / DC / on-premises gateway with local compute; flows HTTP(S), NI - RPC/DIAG/..., TCP 39xx]
Figure 21 Fortinet Reference Architecture for SAP S/4HANA on Google Cloud
SAP landscapes are an essential part of the business engine driving your company. As such, it is important to have a disaster recovery strategy for these environments. Various components in the SAP landscape can be replicated as suggested by Google in this link.
The FortiGate and FortiWeb can be deployed in the DR environment either with a backup config using cloud-init or linked to a central management system.
[Figure 22 diagram: the Google Cloud layout of Figure 21 (External, Relay, Shared services, Production, Preproduction, QA, Test and Development VPCs with FortiGate VM, FortiWeb VM, SAP Router, jump server, Web Dispatcher, SAP instance and HANA database; on-premises gateway and local compute; flows HTTP(S), NI - RPC/DIAG/..., TCP 39xx) plus Region B: Disaster Recovery with a DMZ VPC (FortiGate VM, FortiWeb VM), Shared services VPC and Production VPC mirrored; HANA System Replication, asynchronous replication and cross-region Persistent Disk snapshots between regions]
Figure 22 Fortinet Reference Architecture for SAP S/4HANA on Google Cloud with disaster recovery
1.1 Reference Architecture for Hybrid Environment
Conclusion and Actions
SAP is a business's most critical business application in its ability to create value by organizing, operationalizing, and monetizing complex data. For these reasons, great care must be given to protecting SAP's infrastructure and systems. This becomes especially difficult for migrations from traditional data centers to S/4HANA running in the cloud, creating the opportunity for blind spots in the security posture. While cloud providers have solutions for basic network filtering, they lack deep application visibility and have no effectiveness beyond their own edge. Fortinet's holistic coverage ensures SAP systems are protected and that security policy and visibility remain unified across hybrid and multi-cloud footprints. Fortinet eases skills gaps and correlates events through machine learning and workflow automation, multiplying the scale of basis, network, and security administrators.
Fortinet's contributions to SAP's protection align with and fill gaps in SAP's Security Baseline Template by addressing infrastructure security, and align to the SAP Secure Operations Map. User web interfaces and other HTTP front ends are protected by the Fortinet advanced web application firewall, FortiWeb, using advanced machine learning that monitors SAP users' behavior to tailor protection and minimize false positives. FortiWeb protects against OWASP attacks, including SQL injections, cross-site scripting, DoS, and novel attacks such as 10KBLAZE. The Fortinet FortiGate NGFW addresses the security baseline by providing east-west segmentation with the ability to inspect SAP transactions for known CVEs and evolving exploits. The need for this protection is made more pronounced by the difficulty of patching complex SAP production systems and the continual onslaught of advanced persistent threats.
Figure 23 Fortinet Reference Architecture for SAP S/4HANA in Hybrid Environment
[Figure 23 diagram: the same hybrid layout as Figure 14: customer data center running SAP Business Suite (ERP, CRM, BW, Finance on ABAP/Java, HANA and other databases over virtualization and network layers, SAN/NFS storage, secure microsegments) linked by secure tunnel and identity federation to a cloud region hosting SAP NetWeaver (ABAP/Java), SAP Gateway, HANA, storage, logs, keys and serverless services with inter-region replication/DR; FortiGate, FortiWeb, FortiManager, FortiAnalyzer and FortiSandbox in a security subnet providing E/W segmentation; HTTP/s from the Internet, customers, partners, credit processing and service provider/extranet]
Executives and Management Approaches to Protecting Your Business

Audience (Executive and Management): Chief Information Security Officer (CISO); Head of IT Infrastructure; Lines of Business Manager; SAP Program and Security Manager

Topic of Concern: Threat landscape for SAP software is shifting
Challenge: Attack surface is broader and deeper due to SAP Fiori, IoT, etc. Adding more security products creates complexity.
Approach: Integration for real-time visibility; break down security silos for multi-cloud environments; manage all security entry points (Fiori, IoT devices).
Fortinet Solution: Reduces risk exposure by dynamically adapting to changes in the attack surface such as new endpoints and access points. High-performance security intelligently adapts to traffic fluctuations and scales to address requirements such as SSL inspection.

Topic of Concern: Cloud deployments increase complexity
Challenge: Proliferation of point products. Sophistication of threats makes it increasingly more difficult to manage security.
Approach: Automate manual intrusion prevention, detection, and incident response processes; agile scale and flexibility to accommodate new security requirements.
Fortinet Solution: Integration of different security products into a single fabric streamlines communications, reduces complexity, and enables virtual real-time responses. Built-in (within the OS) regulatory/standards controls and reporting that help support compliance efforts for execs and board. Automates manual security processes.

Topic of Concern: Rapidly changing advanced threats
Challenge: Traditional security technologies are ineffective. Volume of security alerts is overwhelming and leads to paralysis when it comes to prioritizing vulnerabilities.
Approach: Solutions that enable the transition from a reactive to a proactive security posture; use AI and ML, including automation, to reduce time-to-detection and time-to-response.
Fortinet Solution: Security fabric that includes end-to-end security capabilities, from identification and detection of threats, to prevention of threats, to detection and response of breaches, to recovery from intrusions and/or breaches. Advanced threat prevention using sandboxing and an intelligence network that seamlessly integrates with the entire security fabric. Comprehensive threat posture scoring; compliance tracking and reporting for the boardroom.
1.1 Technical and Operations Approaches To Protecting Your Business

Audience (Technical and Operations): SAP Basis Consultant; SAP Security Architect or SAP Security Administrator; SAP Application Architect; Risk Management and Security Professional

Topic of Concern: Threat landscape for SAP software is shifting
Challenge: Attack surface is broader and deeper due to SAP Fiori and smart devices. The modern SAP system connects to more interfaces: connections to other SAP and non-SAP systems that are internal and external to an organization.
Approach: Fragmented security architectural approaches must be replaced with a security fabric that broadly addresses an expanded attack surface perimeter, integrates each of the security elements for real-time threat intelligence sharing, and automates detection, prevention, and remediation processes.
Fortinet Solution: The Fortinet Security Fabric is the only true end-to-end network security solution that addresses digital transformation through automated device recognition and network, application, and user segmentation that blocks malicious intrusions and prevents them from spreading.

Topic of Concern: SAP deployments may involve multiple landscapes spread across a hybrid premises and cloud footprint
Challenge: SAP deployments are more complex, making them challenging to protect. Many organizations end up with a proliferation of point products that leads to more complexity.
Approach: Organizations require a new architectural approach that integrates the various security elements into a fabric that automates manual detection, prevention, and remediation processes as well as compliance tracking and reporting.
Fortinet Solution: By integrating security elements into a holistic architecture, the Fortinet Security Fabric enables organizations to unlock automation processes related to threat detection, prevention, and remediation and demonstration of compliance with security and industry regulations.

Topic of Concern: Cloud infrastructure increases security risk for SAP
Challenge: Currently SAP does not provide guidance on infrastructure security. SAP does not provide any rules on how SAP systems can prevent security attacks with today's technologies available to cybercriminals.
Approach: A security architecture must deliver advanced threat protection by enabling real-time threat intelligence sharing and sandboxing for proactive threat detection, prevention, and remediation. Modern security architectures must leverage AI/ML capabilities that deliver real-time threat intelligence that keeps pace with threat volume, velocity, and sophistication.
Fortinet Solution: Fortinet provides higher security to protect SAP Router and SAP components on the network layer before an attacker can access the SAP system. The Fortinet web application firewall (WAF) protects the SAP system from SQL injections or cross-site scripting. Physical FortiGate NGFWs are equipped with proprietary hardware acceleration that offloads encryption functions to a security processing unit. The Fortinet Security Fabric provides proactive advanced threat detection, prevention, and remediation capabilities through sandboxing and threat intelligence across each security element in real time, which shrinks intrusion-to-detection and detection-to-remediation windows. Advanced persistent threat (APT) and advanced evasion technique (AET) capabilities integrate AI/ML-enabled threat intelligence features.
Figure 24 Sample of Fortinet IPS Signatures for SAP with High Severity
Figure 25 Fortinet Application Signatures for SAP
Figure 26 Fortinet predefined Internet Services for SAP
Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
www.fortinet.com
June 7, 2021 5:53 PM
1074751-A-0-EN
References
1 "SAP S/4HANA Intelligent ERP System," SAP, accessed July 20, 2020.
2 "Strategy - Extended Innovation Commitment for SAP S/4HANA Clarity and Choice on SAP Business Suite 7," SAP, accessed March 10, 2020.
3 "Make the move to SAP S/4HANA with Microsoft Azure," SAP, accessed July 14, 2020.
4 "SAP Company Information," SAP, accessed June 10, 2020.
5 Steve Evans, "Cloud Use Increases Attack Surface, But Security Not Keeping Up," Infosecurity, August 22, 2016.
6 Stefan Hoechbauer, "Embracing the Hyperscalers, Your Fast Lane to Becoming an Intelligent Enterprise in the Cloud," SAP, May 9, 2019.
7 Gary Slater, "SAP and Google Cloud partnership: Our joint cloud journey continues," SAP, June 12, 2020.
8 "SAP ONE Support Launchpad," SAP, accessed October 6, 2020.
9 "Alert (AA19-122A)," Cybersecurity & Infrastructure Security Agency, May 3, 2019.
10 "GitHub Repository," GitHub, accessed June 10, 2020.
11 "EVB Energy Ltd Smart Meter," Wikimedia Commons, accessed July 21, 2020.
3“MakethemovetoSAPS/4HANAwithMicrosoftAzure,”SAP,accessedJuly14,2020.4“SAPCompanyInformation,”SAP,accessedJune10,2020.5SteveEvans,“CloudUseIncreasesAttackSurface,ButSecurityNotKeepingUp,”Infosecurity,August22,2016.6StefanHoechbauer,“EmbracingtheHyperscalers,YourFastLanetoBecominganIntelligentEnterpriseintheCloud,”SAP,May9,2019.7GarySlater,“SAPandGoogleCloudpartnership:Ourjointcloudjourneycontinues,”SAP,June12,2020.8“SAPONESupportLaunchpad,”SAP,accessedOctober6,2020.9“Alert(AA19-122A),”Cybersecurity&InfrastructureSecurityAgency,May3,2019.10“GitHubRepository,”GitHub,accessedJune10,2020.11“EVBEnergyLtdSmartMeter,”WikimediaCommons,accessedJuly21,2020.