Unified Connectivity (UCON) for SAP NetWeaver Overview
2. Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 2
3. Agenda - UCON RFC Security Basic Scenario
Motivation and Scope
Basic Concepts
Coverage of New RFMs
How to Cope With the Restrictions of Productive Systems
Summary
5. The Scope of UCON RFC Basic Connectivity
RFC-Based Connectivity:
• High-performing
• For local high-load scenarios
• Across all ABAP releases
• Close integration into ABAP
6. UCON - A Simple Approach to Make RFC More Secure
Reduce the overall attack surface of your remote-enabled function modules. Enhance RFC security by blocking access to a large number of RFMs!
Facts:
• Most SAP ERP customers run just a limited number of the business scenarios for which they need to expose some RFMs.
• A lot of RFMs are only used to parallelize within a system.
Solution:
• Find out which RFMs need to be exposed for the scenarios of a customer.
• Block the access to all other RFMs.
7. The Basic Strategy of UCON to Solve These Problems
Reduce the number of RFMs exposed to the outside world.
Expose only and exactly those RFMs a customer needs to run their business scenarios.
38,000 RFMs in SAP ERP (incl. SAP NetWeaver).
A typical SAP customer only needs to expose a few hundred RFMs for their business scenarios.
9. The UCON Way to Security: Expose Only Those
Function Modules You Need to the Outside World
(Figure: RFM1 … RFM11 in the system; the Default Communication Assembly (CA) contains only the RFMs that are to be exposed to the outside world.)
10. UCON Checks Do not Interfere with Calls Within the Same Client and System
(Figure: RFM3, RFM5 and RFM7 in the SAP Business Suite are blocked for access from outside, but remain open for use in parallel RFC inside the same client in the same system.)
11. UCON - An Additional Role/User-Independent Layer of Security Checks
A user tries to access an RFM:
1. Is the RFM in a CA? No: no access.
2. Does the user have authorization for the relevant CA? No: no access.
3. Otherwise: access to the RFM.
12. UCON Setup and Configuration
It is simple to set up and configure Unified Connectivity (UCON):
1. Set the UCON profile parameter UCON/RFC/ACTIVE to 1 to enable UCON runtime checks for RFMs in the
final phase.
2. Run the UCON setup to generate a default communication assembly (CA) and other required entities.
3. Choose a suitable duration of the logging and evaluation phase.
4. Schedule the batch job SAP_UCON_MANAGEMENT that selects and persists the RFC statistic records
required by the UCON phase tool on the database.
13. UCON RFC Security
Easy Customer Adoption in Three Steps
(Figure: three steps: 1. Logging of RFMs called from outside; 2. Evaluation/simulation; 3. Runtime checks active.)
15. Phase 1
Logging of RFC Connectivity Data
Tool support to use solid information instead of unreliable data:
• Use a dedicated tool set to collect the information you need.
Identify the RFMs you need to expose to run your business scenarios:
• Collect aggregated statistic data on which RFMs are called in your system from outside.
• Over a time period you can choose.
At the end of phase 1, choose the RFMs you need and assign them to the Default CA:
• Based on the statistical records, you decide which RFMs should be accessed from outside and assign them to the CA.
17. Phase 2
Evaluation of the Data Logged
UCON should not interfere with productive customer scenarios:
• Use the evaluation phase (phase 2) to simulate UCON runtime checks.
• Check completeness of the RFMs you need to expose.
• Put the required RFMs into the Default CA.
Customizable duration of the evaluation phase:
• The duration of the evaluation phase depends on in-house experience and knowledge.
Check whether you have protected the right RFMs and make the necessary corrections.
19. Phase 3
The RFMs in the System Are Protected by UCON
UCON runtime checks are now active:
• Only RFMs in the Default CA are accessible from outside.
• RFMs that are not in the Default CA are now protected against any outside access.
Less than 5% of all RFMs need to be exposed in a typical customer system:
• Out of a total of 38,000 RFMs in an SAP ERP system, only a few hundred are required and exposed for productive customer connectivity.
Massive reduction of the RFC attack surface for the average customer system.
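The decision sequence of slide 11, combined with the same-client exemption of slide 10 and the per-RFM phases of the three-step process (logging, evaluation, check-active), as an added example in Python. This is not SAP code and does not reproduce the ABAP kernel's implementation; the data structures, the simplified S_RFC model (one RFM name per granted entry), the treatment of UCON/RFC/ACTIVE = 0 as switching the whole UCON layer off, and all RFM, user and system names are constructed assumptions for the example.

```python
# Added example, not SAP code: a small model of the UCON decision for an
# incoming RFC call, layered in front of a (simplified) S_RFC check.
# Assumptions: data structures, the one-RFM-per-entry S_RFC model, the way
# the profile parameter is modelled and all names are constructed.
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    LOGGING = "logging"            # phase 1: calls allowed and logged
    EVALUATION = "evaluation"      # phase 2: calls allowed, block only simulated
    CHECK_ACTIVE = "check-active"  # phase 3: calls blocked unless RFM is in the CA


@dataclass
class Call:
    rfm: str
    user: str
    caller_sid: str     # system ID of the calling system
    caller_client: str  # client of the calling system


@dataclass
class UconSystem:
    sid: str
    client: str
    rfc_active: bool = True                       # models UCON/RFC/ACTIVE = 1
    default_ca: set = field(default_factory=set)  # RFMs exposed to the outside
    phase: dict = field(default_factory=dict)     # rfm -> Phase
    s_rfc: dict = field(default_factory=dict)     # user -> set of RFMs (simplified S_RFC)
    log: list = field(default_factory=list)       # (rfm, event) records

    def is_external(self, call: Call) -> bool:
        # Slide 10: UCON does not interfere with calls within the same client and system.
        return (call.caller_sid, call.caller_client) != (self.sid, self.client)

    def ucon_check(self, call: Call) -> tuple:
        """Role/user-independent UCON layer. Returns (allowed, reason)."""
        if not self.rfc_active:
            return True, "UCON/RFC/ACTIVE is 0: UCON layer inactive (assumption)"
        if not self.is_external(call):
            return True, "internal call: UCON not applied"
        if call.rfm in self.default_ca:
            return True, "RFM in Default CA"
        # Slide 26: new RFMs are automatically assigned to the logging phase.
        phase = self.phase.get(call.rfm, Phase.LOGGING)
        if phase is Phase.LOGGING:
            self.log.append((call.rfm, "called from outside"))
            return True, "logging phase"
        if phase is Phase.EVALUATION:
            self.log.append((call.rfm, "would be blocked"))
            return True, "evaluation phase: block only simulated"
        return False, "check-active phase: RFM not in Default CA"

    def authorize(self, call: Call) -> tuple:
        """Full decision: UCON layer first, then the classic S_RFC check."""
        allowed, reason = self.ucon_check(call)
        if not allowed:
            return False, reason
        if call.rfm in self.s_rfc.get(call.user, set()):
            return True, reason + "; S_RFC granted"
        return False, reason + "; S_RFC missing"


def build_demo_system() -> UconSystem:
    """Constructed sample system used by the calls below."""
    sys_ = UconSystem(sid="PRD", client="100")
    sys_.default_ca = {"BAPI_USER_GET_DETAIL"}
    sys_.phase = {
        "RFC_READ_TABLE": Phase.CHECK_ACTIVE,
        "Z_REPORT_API": Phase.EVALUATION,
        "Z_PARALLEL_WORKER": Phase.CHECK_ACTIVE,
    }
    sys_.s_rfc = {
        "RFC_HR": {"BAPI_USER_GET_DETAIL", "RFC_READ_TABLE", "Z_REPORT_API", "Z_NEW_RFM"},
        "BATCH": {"Z_PARALLEL_WORKER"},
    }
    return sys_


def run_demo() -> dict:
    """Decision (allowed or not) for a set of constructed calls."""
    sys_ = build_demo_system()
    calls = {
        "internal_parallel": Call("Z_PARALLEL_WORKER", "BATCH", "PRD", "100"),
        "external_in_ca": Call("BAPI_USER_GET_DETAIL", "RFC_HR", "EXT", "100"),
        "external_in_ca_no_s_rfc": Call("BAPI_USER_GET_DETAIL", "BATCH", "EXT", "100"),
        "external_check_active": Call("RFC_READ_TABLE", "RFC_HR", "EXT", "100"),
        "external_evaluation": Call("Z_REPORT_API", "RFC_HR", "EXT", "100"),
        "external_new_rfm": Call("Z_NEW_RFM", "RFC_HR", "PRD", "200"),
    }
    return {name: sys_.authorize(c)[0] for name, c in calls.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'access' if allowed else 'no access'}")
```

Two points the model makes visible: a call from another client of the same system counts as external, so an RFM in the check-active phase is blocked for it even when S_RFC would grant access; and the UCON layer never grants anything on its own, it only removes RFMs from reach before the role-based S_RFC check runs.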
20. Prerequisites for the Different Security Layers
(Figure: access to RFMs passes through two layers of checks, the UCON runtime checks and the S_RFC checks.)
21. Efforts Required for the Different Security Layers
(Figure: the same two layers, UCON runtime checks and S_RFC checks, in front of access to RFMs.)
22. UCON Protection After the Initial UCON Security Classification
Check-Active Phase
(Figure: after the initial UCON set-up, the Default CA holds 100++ RFMs while 37,000++ RFMs of the SAP Business Suite are blocked; RFMs from other, new transports or installations are likewise blocked/UCON-protected.)
24. UCON Protection After Initial Security Classification
Check-active Phase
(Figure: development delivers RFMs into the system; those in the Default Communication Assembly are exposed, the remaining RFMs are protected/blocked.)
25. New RFMs Arrive at a UCON-Protected System
(Figure: in the check-active phase, development delivers new RFMs over time in transports, SPs, EhPs …)
26. New RFMs on Their Way to UCON Protection – Logging Phase
(Figure: logging phase: access allowed; evaluation phase: access allowed; check-active phase: access blocked, which is the UCON protection.)
New RFMs are automatically assigned to the logging phase.
27. New RFMs on Their Way to UCON Protection – Evaluation Phase
(Figure: the new RFMs have moved to the evaluation phase; access is still allowed, only the check-active phase blocks access.)
28. New RFMs Have Achieved UCON Protection – Check-Active Phase
(Figure: the new RFMs have reached the check-active phase; access from outside is blocked unless the RFM is in the Default CA, which is the UCON protection.)
29. The Ever-Growing Scope of UCON Protection
(Figure: the Default CA stays small while the set of blocked RFMs in the SAP Business Suite grows: RFMs blocked since the initial UCON set-up plus RFMs blocked from other, new transports or installations.)
30. UCON RFC Security Basic Scenario
How to Cope With the Restrictions of Productive Systems
31. UCON and the Restrictions in a Productive System
Challenges: in PROD, the UCON phase tool would have to assign the relevant RFMs to the Default CA and to the UCON phases, and collect the RFC call statistics needed for UCON protection.
Authorizations and system change options in productive systems are not sufficient for UCON operations.
32. UCON and the Restrictions in a Productive System
Solution: delegate UCON operations to DEV.
• DEV runs the UCON phase tool and performs the assignment of the relevant RFMs to the Default CA and to the UCON phases.
• PROD keeps collecting the RFC call statistics and enforces the UCON protection.
33. UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 1
(Figure: step 1: import the RFC call statistics from PROD to DEV as a .csv file.)
34. UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 2
(Figure: step 1: import the RFC call statistics from PROD to DEV as a .csv file; step 2: in DEV, assign the relevant RFMs to the Default CA and to the next phase.)
35. UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Step 3
(Figure: step 1: import the RFC call statistics from PROD to DEV as a .csv file; step 2: in DEV, assign the relevant RFMs to the Default CA and to the next phase; step 3: transport the phase and CA assignment of the RFMs from DEV to PROD with R3Trans.)
36. UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV in a Nutshell
DEV: the UCON phase tool performs the assignment of the relevant RFMs to the Default CA and to the UCON phases.
PROD: collects the RFC call statistics and enforces the UCON protection.
Flow: the RFC call statistics go from PROD to DEV; the phase and CA assignment of the RFMs goes back from DEV to PROD.
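The DEV-side evaluation of the exported call statistics (steps 1 and 2 of the delegation procedure, and the same decision that phases 1 and 2 ask of the administrator on slides 15 and 17), as an added example in Python. This is not SAP code and not the UCON phase tool; the .csv layout, its column names, the sample rows and the RFM inventory are constructed assumptions, since the page does not show the real export format.

```python
# Added example, not SAP code: offline evaluation of exported RFC call
# statistics, as an administrator would do it on DEV before assigning RFMs to
# the Default CA and to the next phase. The CSV layout, column names, sample
# rows and the RFM inventory are constructed assumptions.
import csv
import io
from collections import defaultdict

# Constructed sample export from PROD: one row per RFM / calling system /
# calling client / user, with the aggregated call count for the logging period.
SAMPLE_EXPORT = """rfm,caller_sid,caller_client,user,calls
BAPI_USER_GET_DETAIL,EXT,100,RFC_HR,120
BAPI_USER_GET_DETAIL,PRD,100,BATCH,5000
RFC_READ_TABLE,EXT,100,RFC_BI,40
RFC_READ_TABLE,PRD,200,RFC_X,10
Z_PARALLEL_WORKER,PRD,100,BATCH,80000
"""

# Constructed inventory of remote-enabled function modules in the system.
ALL_RFMS = {"BAPI_USER_GET_DETAIL", "RFC_READ_TABLE", "Z_PARALLEL_WORKER",
            "BAPI_OLD_API", "Z_NEVER_CALLED"}


def load_statistics(text: str) -> list:
    """Parse the exported .csv into a list of dicts with an integer call count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["calls"] = int(row["calls"])
    return rows


def external_calls(rows: list, own_sid: str, own_client: str) -> dict:
    """Aggregate calls per RFM that came from outside the system's own client.
    Calls from the same system and client are parallel RFC and are skipped,
    because UCON does not check them (slide 10); another client of the same
    system counts as outside."""
    totals = defaultdict(int)
    for row in rows:
        if (row["caller_sid"], row["caller_client"]) == (own_sid, own_client):
            continue
        totals[row["rfm"]] += row["calls"]
    return dict(totals)


def propose_assignment(rows: list, own_sid: str, own_client: str,
                       current_ca: set, all_rfms: set) -> dict:
    """Derive the DEV-side assignment: which RFMs go into the Default CA,
    which CA entries saw no outside call during the logging period, and
    which RFMs advance to the next UCON phase towards check-active."""
    needed = {rfm for rfm, n in external_calls(rows, own_sid, own_client).items() if n > 0}
    return {
        "add_to_ca": sorted(needed - current_ca),
        "unused_in_ca": sorted(current_ca - needed),
        "to_next_phase": sorted(all_rfms - needed - current_ca),
    }


if __name__ == "__main__":
    stats = load_statistics(SAMPLE_EXPORT)
    print(propose_assignment(stats, "PRD", "100",
                             current_ca={"RFC_READ_TABLE", "BAPI_OLD_API"},
                             all_rfms=ALL_RFMS))
```

The `unused_in_ca` list is the part worth a second look: a CA entry that received no outside call over the whole logging period is exposure without a known consumer. Whether it can be dropped depends on the logging period having covered the infrequent scenarios (period-end interfaces, yearly runs); the page's evaluation phase exists precisely so that an RFM missed here shows up as a simulated block in PROD before any real block happens.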
38. UCON - Summary
It is simple to set up and configure Unified Connectivity (UCON)
• The UCON framework offers a simple, straightforward approach for enhancing the security of
your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed
to other clients and systems, reducing the available attack surface in your RFC
communications.
• The UCON phase tool guides and supports the administrator in the three-step setup and the
three-phased process.
• UCON covers new function modules entering the system via Support Packages,
Enhancement Packages, transports, or new developments.
• UCON is fully enabled for life-cycle management to ensure consistent RFC security
across your system landscape.
39. Get More Information
Community Network
Get more information, videos and updates
Unified Connectivity (UCON)
http://scn.sap.com/docs/DOC-53844
SAP NetWeaver Security Community
http://scn.sap.com/community/security
40. © 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing
herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking
statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue
reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.