
OSS Configuring VPN

Introduction

SAP has embarked on a project to enable its customers to establish secure connections to SAP over
the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the
Support Network over the Internet:

• SAProuter with Secure Network Communications (SNC) over the Internet


• Internet Virtual Private Network (VPN)

Overview of Technical Setup

SAP has implemented a functional subset of the Remote Customer Support Network services in an
Internet DMZ (demilitarized zone) in SAP AG, Walldorf. With this infrastructure in place, the suite
of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter/SNC via Internet

• SNC secured SAProuter – SAProuter connections are established between SAP and the customer’s
SAProuter to provide data confidentiality and integrity services. These SNC connections complement
the leased lines in the current SAPNet R/3 Frontend environment. State-of-the-art encryption,
authentication, and access control technology will be employed. No additional hardware compared to a
leased-line setup is required at either end of the connection. (See diagram below).

• Customers are required to install a SAProuter with an official, static IP address (DHCP addresses
will not work) running SNC inbound and outbound connections to SAP at their end of the connection in
a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections
between SAP and the customer must be made over the respective SAProuters.

• Certificates needed are available on the SAP Service Marketplace.

Internet VPN

• LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data
confidentiality and integrity services. These VPNs complement the leased lines in the current Remote
Customer Support Network environment. State-of-the-art encryption, authentication, and access control
technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch
at the customer’s side must be reachable from the Internet. (See diagram below).

• Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to
install a SAProuter with an official IP address at their end of the connection. All service
connections between SAP and the customer must be made over the respective SAProuters.

• For the pilot project, access control and authentication at the VPN gateways will be regulated
using static keys. SAP will generate these keys and provide them to the customer. In future,
certificate-based authentication is likely to be utilized.

• VPN access can also be achieved through a telecommunications provider. The provider will then be
connected to SAP’s VPN switch, and the provider can offer connections to customers over the Internet.
SAP will make a list of VPN-enabled providers. This option is not covered in this document. For more
information, contact SAP.

Diagrams and Infrastructure

Figure 1 - SAProuter with SNC over Internet


Figure 2 - Internet VPN

Comparison of the Two Options

Property: Hardware requirements
  SAProuter / SNC via Internet: Firewall + SAProuter host in DMZ
  Internet VPN: VPN switch + firewall + SAProuter host (VPN and firewall may be the same box)

Property: Software
  SAProuter / SNC via Internet: SAProuter starting from NI version 35; SAPSECULIB can be obtained
  from the Service Marketplace
  Internet VPN: N.A.

Property: Network addresses (besides address of Internet router, firewall, …)
  SAProuter / SNC via Internet: 1 official static IP address for SAProuter
  Internet VPN: 1 official static IP address for VPN switch + 1 official static IP address for
  SAProuter host

Property: Configuration issues
  SAProuter / SNC via Internet: Careful setup of saprouttab necessary for security. Saprouttab
  influences security strongly as access is controlled via saprouttab and firewall.
  Internet VPN: Careful setup of routing configuration in VPN switch necessary for security.
  Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter
  software and firewall.

Property: Encryption
  SAProuter / SNC via Internet: By software
  Internet VPN: By hardware

Property: Encrypted data
  SAProuter / SNC via Internet: TCP packets. Only the data stream between SAProuters is encrypted.
  Encryption is handled on the application layer (OSI layer 7).
  Internet VPN: IPsec (IP packets). Encryption is handled on the IP layer (OSI layer 3).

Property: Minimum required free bandwidth
  SAProuter / SNC via Internet: 64 kbit/s, but may work also with 32 kbit/s
  Internet VPN: 64 kbit/s

Property: Supported services on SAP side
  SAProuter / SNC via Internet: All except FTP (file download)
  Internet VPN: All, including FTP (file download)

Property: Key management
  SAProuter / SNC via Internet: Digital certificates requested via the Service Marketplace Public
  Key Infrastructure (PKI)
  Internet VPN: Pre-shared keys provided by SAP; later Public Key Infrastructure (PKI)

Property: Key storage
  SAProuter / SNC via Internet: In file system
  Internet VPN: In VPN switch

Property: Operating system
  SAProuter / SNC via Internet: SAProuter resides on a computer; therefore it is necessary to
  harden the security at the operating system level (for example, C2 level OS) to minimize the risk
  of the machine being hacked from the Internet.
  Internet VPN: VPN switch has a very small and limited operating system, thus no additional
  security hardening is required. The SAProuter machine is not reachable from the Internet, thus
  the risk of hacking is much less. However, security hardening measures at the SAProuter operating
  system level are also recommended.

Property: Additional expertise
  SAProuter / SNC via Internet: SAProuter knowledge usually available; SNC configuration requires
  additional knowledge
  Internet VPN: VPN hardware requires special knowledge, higher technical expertise

Property: Standards
  SAProuter / SNC via Internet: Based on SNC, SAP proprietary standard
  Internet VPN: Based on IPSec, well established industry standard

Property: Contributing to costs
  SAProuter / SNC via Internet:
    • Firewall hardware and software
    • Firewall administration costs
    • No additional license fee for security library based on SECUDE
  Internet VPN:
    • Firewall hardware and software
    • Firewall administration costs
    • Costs for VPN hardware and setup
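The table above singles out saprouttab as the component that decides who may connect through the customer's SAProuter, and the requirements below place that SAProuter in the DMZ with an Internet-reachable address. The script below is an added example, not part of the original document and not SAP's code: it parses a saprouttab, flags the permit rules that would open the DMZ host to arbitrary peers, and replays a few connection requests against a weak table and a tightened one. It assumes the classic saprouttab line format (action, source, destination, service, optional password; `*` as wildcard; `#` for comments; first matching line wins; P permits, S permits only SAP protocols, D denies; KP/KS/KD/KT are the SNC-name variants). All addresses, services and the two tables themselves are constructed placeholders.

```python
"""Lint a saprouttab for overly permissive entries and replay routing decisions.

Assumed line format (standard saprouttab, not taken from this document):
    <P|S|D|KP|KS|KD|KT> <source> <destination> <service> [password]
'*' is a wildcard, '#' starts a comment, and the first matching line decides.
Constructed sample tables below use documentation placeholder addresses.
"""
from fnmatch import fnmatchcase
import shlex

PERMIT = {"P", "S", "KP", "KS", "KT"}   # KT/KP/KS: SNC-name based permits (assumption)
DENY = {"D", "KD"}

# Constructed "weak" table: a catch-all permit that shadows everything after it.
WEAK_TABLE = """\
# temporary catch-all that was never removed
P * * *
D * 10.1.1.20 3389   # intended to block RDP, but never reached
"""

# Constructed tightened table: only the SAP-side SAProuter (placeholder
# 203.0.113.10) may reach the support-enabled system (placeholder 10.1.1.20).
HARDENED_TABLE = """\
# placeholder addresses; one line per permitted SAP service, then refuse all
P 203.0.113.10 10.1.1.20 3200   # dispatcher of the support-enabled system
S 203.0.113.10 10.1.1.20 3299   # onward SAProuter hop, SAP protocols only
D * * *                         # everything else refused
"""


def parse_saprouttab(text):
    """Return the entries of a saprouttab as dicts, keeping the source line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)                    # quoted SNC names stay one field
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected action, source, destination, service")
        action, src, dst, serv = parts[:4]
        if action not in PERMIT | DENY:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        entries.append({"line": lineno, "action": action, "src": src, "dst": dst, "serv": serv})
    return entries


def lint(entries):
    """Flag permit rules that expose the DMZ SAProuter, plus entries a catch-all shadows."""
    findings = []
    catch_all_line = None
    for e in entries:
        if catch_all_line is not None:
            findings.append((e["line"], f"unreachable: shadowed by catch-all on line {catch_all_line}"))
            continue
        if e["action"] in PERMIT:
            if e["src"] == "*" and e["dst"] == "*":
                findings.append((e["line"], "any-to-any permit"))
            elif e["src"] == "*":
                findings.append((e["line"], "permits connections from any source"))
            if e["serv"] == "*":
                findings.append((e["line"], "permits all services on the destination"))
        if e["src"] == e["dst"] == e["serv"] == "*":
            catch_all_line = e["line"]               # first-match: nothing below can apply
    return findings


def decide(entries, src, dst, serv):
    """First matching entry wins; no match means SAProuter refuses the connection."""
    for e in entries:
        if all(fnmatchcase(value, pattern) for pattern, value in
               ((e["src"], src), (e["dst"], dst), (e["serv"], serv))):
            return ("permit" if e["action"] in PERMIT else "deny", e["line"])
    return ("deny", None)


if __name__ == "__main__":
    for name, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        entries = parse_saprouttab(table)
        print(f"{name}: findings {lint(entries)}")
        print(f"  SAP router -> 3200: {decide(entries, '203.0.113.10', '10.1.1.20', '3200')}")
        print(f"  stranger   -> 3389: {decide(entries, '198.51.100.7', '10.1.1.20', '3389')}")
```

The lint is deliberately first-match aware: in the weak table the RDP deny on line 3 never fires because line 2 already matched, which is exactly the kind of mistake that is invisible when reading the file top to bottom. The tightened table names the SAP-side peer explicitly and closes with an explicit deny so that later additions cannot silently widen access.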

Why VPN over SNC

In this project Internet VPN was selected over SNC for the following reasons:
• VPN using IPsec is an industry standard and has better encryption.
• FTP is not possible with SNC.

Requirements
• Internet connection: recommended minimum bandwidth = 64 kbps
• SAProuter machine
• Official IP address (static) for the SAProuter host.
• SAProuter installation package
• SAP SNC libraries and executables.
These may be downloaded from the SAP Service Marketplace.
• A Demilitarized Zone at the customer site with a minimal setup as described in the networking
section of the SAP Security Guide, Parts 1-3 available in the Service Marketplace at:
http://service.sap.com/SYSTEMMANAGEMENT Choose: Security > Technical Track
> SAP Security Guide.
More information on SNC connections is also available in the SAP Service Marketplace.
• Since the host running the SAProuter software is a full computer with an operating system, the
security at the operating system level must be hardened in order to minimise the risk of the
machine being hacked from the Internet. One recommendation is, for example, to run a C2
security level compliant operating system. SAP takes no liability if the security of the
company’s network is compromised.

• Other networking equipment (routers and hubs) needed to form the network at the customer’s
premises (see Figure 1).
