Unified Connectivity (UCON) Overview
July 2014, Public
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda - UCON RFC Security Basic Scenario
Motivation and Scope
Basic Concepts
Coverage of New RFMs
How to Cope With the Restrictions of Productive Systems
Summary
UCON RFC Security Basic Scenario: Motivation and Scope
The Scope of UCON RFC Basic Connectivity
RFC-based connectivity: high-performing, for local high-load scenarios, across all ABAP releases, closely integrated into ABAP.
UCON - A Simple Approach to Make RFC More Secure
Reduce the overall attack surface of your remote-enabled function modules: enhance RFC security by blocking the access to a large number of RFMs.
Facts:
• Most SAP ERP customers run just a limited number of the business scenarios for which they need to expose some RFMs.
• A lot of RFMs are only used to parallelize within a system.
Solution:
• Find out which RFMs need to be exposed for the scenarios of a customer.
• Block the access to all other RFMs.
The Basic Strategy of UCON to Solve These Problems
• Reduce the number of RFMs exposed to the outside world.
• Expose only and exactly those RFMs a customer needs to run their business scenarios.
[Figure: 38,000 RFMs in SAP ERP (incl. SAP NetWeaver) versus the few hundred RFMs a typical SAP customer needs to expose for their business scenarios.]
UCON RFC Security Basic Scenario: Basic Concepts
The UCON Way to Security: Expose Only Those Function Modules You Need to the Outside World
[Figure: a set of RFMs (RFM1, RFM2, …); only the RFMs placed in the Default Communication Assembly (CA) are reachable from outside, the others are not.]
UCON Checks Do Not Interfere with Calls Within the Same Client and System
[Figure: SAP Business Suite with RFM1, RFM3, RFM5, RFM7, …: blocked for access from outside, yet open for use in parallel RFC inside the same client in the same system.]
UCON - An Additional Role/User-Independent Layer of Security Checks
[Flowchart: a user tries to access an RFM. The decision nodes are "RFM in CA?", "User has authorization for the relevant CA?" and "User has authorization?"; a "no" at any node ends in "No Access", and only "yes" at all of them ends in "Access to RFM". The UCON check (is the RFM in a CA?) does not depend on the user's roles and sits in front of the existing authorization check.]
UCON Setup and Configuration
It is simple to set up and configure Unified Connectivity (UCON):
1. Set the UCON profile parameter ucon/rfc/active to 1 to enable UCON runtime checks for RFMs in the final (check-active) phase.
2. Run the UCON setup to generate a default communication assembly (CA) and the other required entities.
3. Choose a suitable duration for the logging and evaluation phases.
4. Schedule the batch job SAP_UCON_MANAGEMENT, which selects the RFC statistic records required by the UCON phase tool and persists them on the database.
UCON RFC Security: Easy Customer Adoption in Three Steps
Logging of RFMs called from outside → Evaluation/Simulation → Runtime checks active
Phase 1: Logging of RFC Connectivity Data
Tool support to use solid information instead of unreliable data:
• Use a dedicated tool set to collect the information you need.
Identify the RFMs you need to expose to run your business scenarios:
• Collect aggregated statistic data on which RFMs are called in your system from outside, over a time period you can choose.
At the end of phase 1, choose the RFMs you need and assign them to the default CA:
• Based on the statistical records, you decide which RFMs should be accessible from outside and assign them to the CA.
Phase 2: Evaluation of the Data Logged
UCON should not interfere with productive customer scenarios:
• Use the evaluation phase (phase 2) to simulate the UCON runtime checks.
• Check the completeness of the RFMs you need to expose.
• Put the required RFMs into the default CA.
Customizable duration of the evaluation phase:
• The duration depends on in-house experience and knowledge.
Check whether you have protected the right RFMs and make the necessary corrections.
Phase 3: The RFMs in the System Are Protected by UCON
UCON runtime checks are now active:
• Only RFMs in the default CA are accessible from outside.
• RFMs that are not in the default CA are now protected against any outside access.
Less than 5% of all RFMs need to be exposed in a typical customer system:
• Out of a total of 38,000 RFMs in an SAP ERP system, only a few hundred are required and exposed for productive customer connectivity.
Massive reduction of the RFC attack surface for the average customer system.
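The decision rules from the preceding slides (UCON layer first, then the classic S_RFC check; no interference with calls from the same client of the same system; allow-and-log in the logging phase, allow-and-simulate in the evaluation phase, block-unless-in-default-CA in the check-active phase; RFMs UCON has not seen before start in the logging phase) modelled as a small Python program. This is an added example written for this page, not SAP code: the data classes, the in-memory stand-in for S_RFC grants, the `ucon_active` flag standing in for the profile parameter, and all RFM, system, client and user names are assumptions; the basic scenario is modelled with a single default CA.

```python
"""UCON decision model: an added illustration in Python, not SAP code.

The three UCON phases, the default CA, the same-system/same-client
exemption and the ordering "UCON layer first, then S_RFC" come from the
slides. The data model, the in-memory S_RFC stand-in and the sample
names are assumptions made for this example only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    LOGGING = "logging"            # calls allowed and recorded
    EVALUATION = "evaluation"      # calls allowed, blocks only simulated
    CHECK_ACTIVE = "check-active"  # calls blocked unless RFM is in the default CA


@dataclass(frozen=True)
class RfcCall:
    rfm: str             # remote-enabled function module being called
    caller_system: str   # system ID of the caller
    caller_client: str   # client of the caller
    user: str            # RFC user the call logs on with


@dataclass
class UconState:
    system: str
    client: str
    ucon_active: bool = True                           # stand-in for ucon/rfc/active = 1
    default_ca: set = field(default_factory=set)       # RFMs exposed to the outside
    phases: dict = field(default_factory=dict)         # RFM -> Phase
    s_rfc_grants: dict = field(default_factory=dict)   # user -> set of RFMs (S_RFC stand-in)
    log: list = field(default_factory=list)            # (rfm, system, client, event)

    def phase_of(self, rfm: str) -> Phase:
        # RFMs UCON has not seen before (new transports, SPs, EhPs, developments)
        # are automatically assigned to the logging phase.
        return self.phases.setdefault(rfm, Phase.LOGGING)

    def ucon_check(self, call: RfcCall):
        """The UCON layer only. Returns (allowed, reason)."""
        if not self.ucon_active:
            return True, "UCON runtime checks disabled"
        # Calls from the same client of the same system are never touched,
        # so RFMs used purely for parallelisation keep working unexposed.
        if call.caller_system == self.system and call.caller_client == self.client:
            return True, "internal call: UCON does not interfere"
        phase = self.phase_of(call.rfm)
        in_ca = call.rfm in self.default_ca
        if phase is Phase.LOGGING:
            self.log.append((call.rfm, call.caller_system, call.caller_client, "logged"))
            return True, "logging phase"
        if phase is Phase.EVALUATION:
            if not in_ca:
                # Would be blocked once check-active: record it, do not block yet.
                self.log.append((call.rfm, call.caller_system, call.caller_client, "would block"))
            return True, "evaluation phase (simulated check)"
        if in_ca:
            return True, "check-active: RFM in default CA"
        return False, "check-active: RFM not in default CA"

    def s_rfc_check(self, call: RfcCall) -> bool:
        """Stand-in for the classic S_RFC authorization check."""
        return call.rfm in self.s_rfc_grants.get(call.user, set())

    def dispatch(self, call: RfcCall):
        """Full decision as on the flowchart: UCON layer first, then S_RFC."""
        allowed, reason = self.ucon_check(call)
        if not allowed:
            return "NO ACCESS", reason
        if not self.s_rfc_check(call):
            return "NO ACCESS", "S_RFC authorization missing"
        return "ACCESS", reason


def demo_state() -> UconState:
    """Constructed sample configuration (not real data)."""
    st = UconState(system="PRD", client="100")
    st.default_ca = {"BAPI_ORDER_CREATE"}
    st.phases = {
        "BAPI_ORDER_CREATE": Phase.CHECK_ACTIVE,
        "RFC_PARALLEL_WORKER": Phase.CHECK_ACTIVE,   # internal-only helper, not in CA
        "ZRFC_EXPORT": Phase.EVALUATION,
    }
    st.s_rfc_grants = {
        "RFCUSER": {"BAPI_ORDER_CREATE", "RFC_PARALLEL_WORKER", "ZRFC_EXPORT", "ZRFC_NEW"},
    }
    return st


if __name__ == "__main__":
    st = demo_state()
    for call in [
        RfcCall("BAPI_ORDER_CREATE", "CRM", "100", "RFCUSER"),   # in CA, external
        RfcCall("RFC_PARALLEL_WORKER", "CRM", "100", "RFCUSER"), # not in CA, external
        RfcCall("RFC_PARALLEL_WORKER", "PRD", "100", "RFCUSER"), # same system and client
        RfcCall("RFC_PARALLEL_WORKER", "PRD", "200", "RFCUSER"), # same system, other client
        RfcCall("ZRFC_EXPORT", "CRM", "100", "RFCUSER"),         # evaluation phase
        RfcCall("ZRFC_NEW", "CRM", "100", "RFCUSER"),            # unknown to UCON
        RfcCall("BAPI_ORDER_CREATE", "CRM", "100", "NOBODY"),    # in CA but no S_RFC
    ]:
        print(call.rfm, call.caller_system, call.caller_client, call.user, "->", st.dispatch(call))
    print("log:", st.log)
```

Run it directly to print the decision for each constructed call. The detail worth keeping in mind is that a call from a different client of the same system counts as "outside" while a call from the same client is never touched, which is why parallelisation helpers keep working without being exposed; and that membership in the default CA never replaces the S_RFC authorization, it only adds a gate in front of it.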
Prerequisites for the Different Security Layers
[Figure: two layers guard access to RFMs: the UCON runtime checks (the RFM must be in the default CA) and the S_RFC checks (the user must hold the authorization).]
Efforts Required for the Different Security Layers
[Figure: the same two layers, UCON runtime checks and S_RFC checks, each controlling access to RFMs, compared by the effort needed to set them up.]
UCON Protection After the Initial UCON Security Classification
[Figure: SAP Business Suite in the check-active phase. Default CA: 100++ exposed RFMs. Blocked RFMs from the initial UCON set-up: 37,000++. RFMs arriving later from other, new transports or installations are also blocked/UCON-protected.]
UCON RFC Security Basic Scenario: Coverage of New Remote-Enabled Function Modules
UCON Protection After Initial Security Classification
[Figure: a system in the check-active phase; the Default Communication Assembly holds the exposed RFMs, all others are protected/blocked. A "Development" box stands for the source of new RFMs.]
New RFMs Arrive at a UCON-Protected System
[Figure: over time, new RFMs enter the check-active system from development via transports, Support Packages, Enhancement Packages and so on.]
New RFMs on Their Way to UCON Protection – Logging Phase
[Figure: the three phases side by side: logging phase (access allowed), evaluation phase (access allowed), check-active phase (access blocked, UCON protection). New RFMs are automatically assigned to the logging phase.]
New RFMs on Their Way to UCON Protection – Evaluation Phase
[Figure: the same three-phase picture; the new RFMs have moved on to the evaluation phase, where access is still allowed while the checks are simulated.]
New RFMs Have Achieved UCON Protection – Check-Active Phase
[Figure: the new RFMs have reached the check-active phase; access from outside is now blocked unless they were assigned to the default CA.]
The Ever-Growing Scope of UCON Protection
[Figure: SAP Business Suite with the Default CA; blocked RFMs from the initial UCON set-up plus blocked RFMs from other, new transports or installations.]
UCON RFC Security Basic Scenario: How to Cope With the Restrictions of Productive Systems
UCON and the Restrictions in a Productive System: Challenges
[Figure: PROD hosts both the collection of RFC call statistics and the UCON protection, and the UCON phase tool would also have to be run there for the assignment of relevant RFMs to the default CA and to the UCON phases.]
Problem: authorizations and system change options in productive systems are not sufficient for UCON operations.
UCON and the Restrictions in a Productive System: Solution
[Figure: DEV and PROD. UCON operations are delegated to DEV: the UCON phase tool in DEV performs the assignment of relevant RFMs to the default CA and to the UCON phases, while PROD keeps the collection of RFC call statistics and the UCON protection.]
UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 1
1. Export the RFC call statistics from PROD as a .csv file and import them into the UCON phase tool in DEV.
UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 2
2. In DEV, assign the relevant RFMs to the default CA and to the next phase.
UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 3
3. Transport the phase and CA assignment of the RFMs from DEV to PROD (R3trans).
UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV in a Nutshell
[Figure: DEV runs the UCON phase tool for the assignment of relevant RFMs to the default CA and to the UCON phases, fed by the RFC call statistics exported from PROD; the resulting phase and CA assignment of RFMs is transported back to PROD, which keeps collecting RFC call statistics and enforcing the UCON protection.]
UCON RFC Security Basic Scenario: Summary
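What the delegated workflow does with the exported statistics, as an added example written for this page (not SAP code): a Python script that reads a constructed .csv export of RFC call statistics from PROD, keeps only the calls that came from outside the local system and client (the calls UCON cares about), and proposes which RFMs go into the default CA, which deserve a manual look before the phase and CA assignment is transported, and which stay blocked. The column layout, the `review_threshold`, the local system/client values and every RFM, system and client name are assumptions made for this example; the real export of the UCON phase tool may be laid out differently.

```python
"""Evaluating exported RFC call statistics: an added illustration, not SAP code.

The CSV layout (columns rfm, caller_system, caller_client, calls) and the
review threshold are assumptions made for this example; the export of the
UCON phase tool may look different. The rule applied is the one from the
slides: an RFM belongs in the default CA only if it was actually called from
outside the local system and client during the logging/evaluation period;
RFMs used only internally (e.g. for parallelisation) or not at all stay
blocked.
"""
import csv
import io

LOCAL_SYSTEM = "PRD"   # assumed system ID of the productive system
LOCAL_CLIENT = "100"   # assumed productive client

# Constructed sample export from PROD (not real data).
SAMPLE_STATS = """\
rfm,caller_system,caller_client,calls
BAPI_ORDER_CREATE,CRM,100,1532
BAPI_ORDER_CREATE,PRD,100,12
RFC_PARALLEL_WORKER,PRD,100,98877
RFC_PARALLEL_WORKER,PRD,300,4
RFC_READ_TABLE,EXTMON,000,220
RFC_PING,EXTMON,000,5000
ZRFC_LEGACY_EXPORT,PRD,100,3
"""

# The complete set of RFMs in the system, including one that was never called.
ALL_RFMS = {
    "BAPI_ORDER_CREATE", "RFC_PARALLEL_WORKER", "RFC_READ_TABLE",
    "RFC_PING", "ZRFC_LEGACY_EXPORT", "ZRFC_UNUSED",
}


def load_stats(text):
    """Parse the CSV export into a list of dicts with an integer call count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "rfm": r["rfm"].strip(),
            "caller_system": r["caller_system"].strip(),
            "caller_client": r["caller_client"].strip(),
            "calls": int(r["calls"]),
        })
    return rows


def is_external(row, system=LOCAL_SYSTEM, client=LOCAL_CLIENT):
    """UCON only acts on calls from outside the same system *and* client."""
    return not (row["caller_system"] == system and row["caller_client"] == client)


def external_call_counts(rows, system=LOCAL_SYSTEM, client=LOCAL_CLIENT):
    """Aggregate external calls per RFM; internal rows are dropped entirely."""
    counts = {}
    for row in rows:
        if is_external(row, system, client):
            counts[row["rfm"]] = counts.get(row["rfm"], 0) + row["calls"]
    return counts


def propose_assignment(rows, all_rfms, review_threshold=10):
    """Split RFMs into: assign to default CA, hold for manual review, block.

    review_threshold is an assumed convenience for this example: an RFM with
    only a handful of external calls (a one-off test, a stray client) should
    be looked at by a person before it is exposed permanently.
    """
    ext = external_call_counts(rows)
    default_ca = sorted(r for r, n in ext.items() if n >= review_threshold)
    review = sorted(r for r, n in ext.items() if 0 < n < review_threshold)
    blocked = sorted(set(all_rfms) - set(default_ca) - set(review))
    return {"default_ca": default_ca, "review": review, "blocked": blocked,
            "external_counts": ext}


if __name__ == "__main__":
    result = propose_assignment(load_stats(SAMPLE_STATS), ALL_RFMS)
    for key in ("default_ca", "review", "blocked"):
        print(f"{key}: {', '.join(result[key]) or '-'}")
```

The "review" bucket is the practical point of the evaluation phase: an RFM with a few external calls from an unexpected client (here RFC_PARALLEL_WORKER called four times from client 300) is exactly the case to look at by hand, because assigning it to the default CA mechanically would expose it permanently on the strength of a handful of stray calls, while blocking it blindly may break a scenario nobody documented.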
UCON - Summary
It is simple to set up and configure Unified Connectivity (UCON):
• The UCON framework offers a simple, straightforward approach for enhancing the security of your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed to other clients and systems, reducing the available attack surface in your RFC communications.
• The UCON phase tool guides and supports the administrator through the three-step setup and the three-phase process.
• UCON covers new function modules entering the system via Support Packages, Enhancement Packages, transports, or new developments.
• UCON is fully enabled for life-cycle management to ensure consistent RFC security across your system landscape.
Get More Information
Get more information, videos and updates:
• Unified Connectivity (UCON): http://scn.sap.com/docs/DOC-53844
• SAP NetWeaver Security Community: http://scn.sap.com/community/security (SAP Community Network)
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.