Unified Connectivity (UCON) Overview July 2014 Public

Unified Connectivity (UCON) for SAP NetWeaver Overview


For more info: http://scn.sap.com/community/security. To help you keep up with ever-growing security challenges, SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for securing Remote Function Calls (RFCs). UCON reduces the number of Remote-Enabled Function Modules (RFMs) that can be accessed from outside, thus dramatically reducing the potential attack surface.


Page 1: Unified Connectivity (UCON) for SAP NetWeaver Overview

Unified Connectivity (UCON) Overview, July 2014, Public

Page 2: Unified Connectivity (UCON) for SAP NetWeaver Overview

© 2014 SAP SE or an SAP affiliate company. All rights reserved. 2Public

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3: Unified Connectivity (UCON) for SAP NetWeaver Overview


Agenda - UCON RFC Security Basic Scenario

Motivation and Scope

Basic Concepts

Coverage of New RFMs

How to Cope With the Restrictions of Productive Systems

Summary

Page 4: Unified Connectivity (UCON) for SAP NetWeaver Overview

UCON RFC Security Basic Scenario: Motivation and Scope

Page 5: Unified Connectivity (UCON) for SAP NetWeaver Overview


The Scope of UCON RFC Basic Connectivity

RFC-Based Connectivity: high-performing, built for local high-load scenarios, available across all ABAP releases, closely integrated into ABAP.

Page 6: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON - A Simple Approach to Make RFC More Secure

Reduce the overall attack surface of your remote-enabled function modules. Enhance RFC security by blocking access to a large number of RFMs.

Facts:
• Most SAP ERP customers run just a limited number of the business scenarios for which they need to expose some RFMs.
• A lot of RFMs are only used to parallelize work within a system.

Solution:
• Find out which RFMs need to be exposed for the scenarios of a customer.
• Block access to all other RFMs.

Page 7: Unified Connectivity (UCON) for SAP NetWeaver Overview


The Basic Strategy of UCON to Solve These Problems

Reduce the number of RFMs exposed to the outside world.

Expose only and exactly those RFMs a customer needs to run their business scenarios.

38,000 RFMs in SAP ERP (incl. SAP NetWeaver)

A typical SAP customer only needs to expose a few hundred RFMs for their business scenarios.

Page 8: Unified Connectivity (UCON) for SAP NetWeaver Overview

UCON RFC Security Basic Scenario: Basic Concepts

Page 9: Unified Connectivity (UCON) for SAP NetWeaver Overview


The UCON Way to Security: Expose Only Those Function Modules You Need to the Outside World

Figure: of the RFMs in the system (RFM1 … RFM11, …), only the ones assigned to the Default Communication Assembly (CA) are reachable from the outside world.

Page 10: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON Checks Do not Interfere with Calls Within the Same Client and System

Figure (SAP Business Suite): RFMs that are not in the CA (RFM1, RFM3, RFM5, RFM7, …) are blocked for access from outside, but remain open for use in parallel RFC inside the same client of the same system.

Page 11: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON - An Additional Role/User-Independent Layer of Security Checks

Flowchart, for a user trying to access an RFM:

1. RFM in CA? No: no access. Yes: continue.
2. User has authorization for the relevant CA? No: no access. Yes: continue.
3. User has authorization (the classic S_RFC check)? No: no access. Yes: access to the RFM.

Page 12: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON Setup and Configuration

It is simple to set up and configure Unified Connectivity (UCON):

1. Set the UCON profile parameter ucon/rfc/active to 1 to enable UCON runtime checks for RFMs in the final (check-active) phase.

2. Run the UCON setup to generate a default communication assembly (CA) and the other required entities.

3. Choose a suitable duration for the logging and evaluation phases.

4. Schedule the batch job SAP_UCON_MANAGEMENT, which selects the RFC statistic records required by the UCON phase tool and persists them on the database.

Page 13: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON RFC Security: Easy Customer Adoption in Three Steps

1. Logging of RFMs called from outside
2. Evaluation/Simulation
3. Runtime checks active

Page 14: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON RFC Security: Easy Customer Adoption in Three Steps (three-step diagram repeated: Logging of RFMs called from outside, Evaluation/Simulation, Runtime checks active)

Page 15: Unified Connectivity (UCON) for SAP NetWeaver Overview


Phase 1: Logging of RFC Connectivity Data

Tool support to use solid information instead of unreliable data:
• Use a dedicated tool set to collect the information you need.

Identify the RFMs you need to expose to run your business scenarios:
• Collect aggregated statistic data on which RFMs are called in your system from outside.
• Over a time period you can choose.

At the end of phase 1, choose the RFMs you need and assign them to the Default CA:
• Based on the statistical records, you decide which RFMs should be accessed from outside and assign them to the CA.

Page 16: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON RFC Security: Easy Customer Adoption in Three Steps (three-step diagram repeated: Logging of RFMs called from outside, Evaluation/Simulation, Runtime checks active)

Page 17: Unified Connectivity (UCON) for SAP NetWeaver Overview


Phase 2: Evaluation of the Data Logged

UCON should not interfere with productive customer scenarios:
• Use the evaluation phase (phase 2) to simulate UCON runtime checks.
• Check the completeness of the RFMs you need to expose.
• Put the required RFMs into the Default CA.

Customizable duration of the evaluation phase:
• The duration of the evaluation phase depends on in-house experience and knowledge.

Check whether you have protected the right RFMs and make the necessary corrections.

Page 18: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON RFC Security: Easy Customer Adoption in Three Steps (three-step diagram repeated: Logging of RFMs called from outside, Evaluation/Simulation, Runtime checks active)

Page 19: Unified Connectivity (UCON) for SAP NetWeaver Overview


Phase 3: The RFMs in the System Are Protected by UCON

UCON runtime checks are now active:
• Only RFMs in the Default CA are accessible from outside.
• RFMs that are not in the Default CA are now protected against any outside access.

Less than 5% of all RFMs need to be exposed in a typical customer system:
• Out of a total of 38,000 RFMs in an SAP ERP system, only a few hundred are required and exposed for productive customer connectivity.

Massive reduction of the RFC attack surface for the average customer system.
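The decision sequence of the preceding slides, put into code as an added illustration (this is not SAP code and not the UCON implementation): a call from the same client of the same system bypasses UCON; each RFM sits in the logging, evaluation or check-active phase and newly arrived RFMs start in logging; with ucon/rfc/active = 1 only a check-active RFM outside the default CA is blocked, an evaluation-phase RFM is let through and the would-be block is only recorded; the S_RFC authorization of the calling user is checked afterwards as a separate layer. The data layout, the Z_* RFM names, the user names and the caller systems are assumptions constructed for this example.

```python
"""Model of the UCON check sequence for one inbound RFC call (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    LOGGING = "logging"            # phase 1: call allowed and recorded
    EVALUATION = "evaluation"      # phase 2: call allowed, block only simulated
    CHECK_ACTIVE = "check_active"  # phase 3: call blocked unless RFM is in the CA


@dataclass
class UconSystem:
    """Assumed shape of one ABAP system's UCON state (not SAP's tables)."""
    sid: str
    client: str
    active: bool          # profile parameter ucon/rfc/active = 1
    default_ca: set       # RFMs assigned to the default CA
    phases: dict          # RFM name -> Phase
    s_rfc: dict           # user -> RFMs granted via S_RFC (simplified)
    log: list = field(default_factory=list)

    def phase_of(self, rfm):
        # RFMs arriving later (transports, SPs, EhPs) start in the logging phase.
        return self.phases.get(rfm, Phase.LOGGING)


def check_call(ucon, rfm, user, caller_sid, caller_client):
    """Return (allowed, reason) for an RFC call of `rfm` made by `user`."""
    # UCON does not interfere with calls within the same client and system.
    if (caller_sid, caller_client) == (ucon.sid, ucon.client):
        return _s_rfc(ucon, rfm, user, "internal call, UCON skipped")

    phase = ucon.phase_of(rfm)
    in_ca = rfm in ucon.default_ca
    ucon.log.append((rfm, caller_sid, caller_client, phase.value, in_ca))

    # Layer 1: UCON runtime check, independent of role and user.
    if ucon.active and phase is Phase.CHECK_ACTIVE and not in_ca:
        return False, "UCON: RFM not in default CA"
    if phase is Phase.EVALUATION and not in_ca:
        ucon.log.append((rfm, "WOULD_BLOCK"))  # simulation result for phase 2

    # Layer 2: the classic S_RFC authorization check of the calling user.
    return _s_rfc(ucon, rfm, user, "UCON passed")


def _s_rfc(ucon, rfm, user, note):
    if rfm in ucon.s_rfc.get(user, set()):
        return True, note + "; S_RFC ok"
    return False, note + "; S_RFC missing"


def build_sample():
    """Constructed sample system: two RFMs exposed, the rest in other states."""
    return UconSystem(
        sid="PRD", client="100", active=True,
        default_ca={"Z_ORDER_CREATE", "Z_STOCK_QUERY"},
        phases={
            "Z_ORDER_CREATE": Phase.CHECK_ACTIVE,
            "Z_STOCK_QUERY": Phase.CHECK_ACTIVE,
            "Z_INTERNAL_PARALLEL": Phase.CHECK_ACTIVE,  # only used for parallel work inside
            "Z_UNDER_REVIEW": Phase.EVALUATION,
            # Z_NEW_FROM_SP has no entry: newly arrived, hence logging phase
        },
        s_rfc={"ALICE": {"Z_ORDER_CREATE", "Z_INTERNAL_PARALLEL",
                         "Z_UNDER_REVIEW", "Z_NEW_FROM_SP"}},
    )


def simulate():
    """Run the constructed calls; return decisions keyed by scenario plus the log."""
    ucon = build_sample()
    calls = {
        "exposed":   ("Z_ORDER_CREATE", "ALICE", "CRM", "100"),
        "blocked":   ("Z_INTERNAL_PARALLEL", "ALICE", "CRM", "100"),
        "internal":  ("Z_INTERNAL_PARALLEL", "ALICE", "PRD", "100"),
        "evaluated": ("Z_UNDER_REVIEW", "ALICE", "CRM", "100"),
        "new_rfm":   ("Z_NEW_FROM_SP", "ALICE", "CRM", "100"),
        "no_s_rfc":  ("Z_ORDER_CREATE", "BOB", "CRM", "100"),
    }
    results = {name: check_call(ucon, *args) for name, args in calls.items()}
    return results, ucon.log


if __name__ == "__main__":
    for name, (ok, why) in simulate()[0].items():
        print(f"{name:10} {'ALLOW' if ok else 'DENY':5} {why}")
```

Two points the model makes visible: an RFM that is blocked for the outside stays callable from inside the same client, so UCON adds to S_RFC rather than replacing it, and the "no_s_rfc" case shows that putting an RFM into the CA does not grant anyone access by itself.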

Page 20: Unified Connectivity (UCON) for SAP NetWeaver Overview


Prerequisites for the Different Security Layers

Figure: the two layers in front of access to RFMs, UCON runtime checks and S_RFC checks, compared by their prerequisites.

Page 21: Unified Connectivity (UCON) for SAP NetWeaver Overview


Efforts Required for the Different Security Layers

Figure: the two layers in front of access to RFMs, UCON runtime checks and S_RFC checks, compared by the effort they require.

Page 22: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON Protection After the Initial UCON Security Classification

Figure (SAP Business Suite): the Default CA holds the 100++ RFMs exposed after the initial classification; the check-active phase holds the 37,000++ RFMs blocked by the initial UCON set-up, plus the blocked/UCON-protected RFMs that arrive later from other, new transports or installations.

Page 23: Unified Connectivity (UCON) for SAP NetWeaver Overview

UCON RFC Security Basic Scenario: Coverage of New Remote-Enabled Function Modules

Page 24: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON Protection After Initial Security Classification

Figure: the Default Communication Assembly contains the exposed RFMs; the check-active phase contains the protected/blocked RFMs; Development is the source of further RFMs.

Page 25: Unified Connectivity (UCON) for SAP NetWeaver Overview


New RFMs Arrive at a UCON-Protected System

Figure: over time, new RFMs enter the system from Development via transports, SPs, EhPs …, while the RFMs already classified stay in the check-active phase.

Page 26: Unified Connectivity (UCON) for SAP NetWeaver Overview


New RFMs on Their Way to UCON Protection – Logging Phase

Figure: logging phase (access allowed) -> evaluation phase (access allowed) -> check-active phase (access blocked, UCON protection). New RFMs are automatically assigned to the logging phase.

Page 27: Unified Connectivity (UCON) for SAP NetWeaver Overview


New RFMs on Their Way to UCON Protection – Evaluation Phase

Figure: the same three-phase diagram; the new RFMs have moved to the evaluation phase, where access is still allowed and the runtime check is only simulated.

Page 28: Unified Connectivity (UCON) for SAP NetWeaver Overview


New RFMs Have Achieved UCON Protection – Check-Active Phase

Figure: the same three-phase diagram; the new RFMs have reached the check-active phase, where access from outside is blocked (UCON protection) unless the RFM was assigned to the Default CA.

Page 29: Unified Connectivity (UCON) for SAP NetWeaver Overview


The Ever-Growing Scope of UCON Protection

Figure (SAP Business Suite): the Default CA stays small, while the blocked set grows from the RFMs blocked in the initial UCON set-up to include the blocked RFMs from other, new transports or installations.

Page 30: Unified Connectivity (UCON) for SAP NetWeaver Overview

UCON RFC Security Basic Scenario: How to Cope With the Restrictions of Productive Systems

Page 31: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: Challenges

Figure (PROD): the UCON Phase Tool has two jobs, the assignment of relevant RFMs to the default CA and to UCON phases, and the collection of RFC call statistics and UCON protection. The authorizations and system change options in productive systems are not sufficient for UCON operations.

Page 32: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: Solution

Figure (DEV and PROD, each running the UCON Phase Tool): delegate UCON operations to DEV. PROD keeps the collection of RFC call statistics and the UCON protection; the assignment of relevant RFMs to the default CA and to UCON phases is done in DEV.

Page 33: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 1

Figure (DEV and PROD, each running the UCON Phase Tool): 1. Import the RFC call statistics from PROD to DEV (.csv).

Page 34: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 2

Figure (DEV and PROD, each running the UCON Phase Tool): 1. Import the RFC call statistics from PROD to DEV (.csv). 2. In DEV, assign the relevant RFMs to the default CA and to the next phase.

Page 35: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV - Step 3

Figure (DEV and PROD, each running the UCON Phase Tool): 1. Import the RFC call statistics from PROD to DEV (.csv). 2. In DEV, assign the relevant RFMs to the default CA and to the next phase. 3. Transport the phase and CA assignment of the RFMs from DEV to PROD (R3trans).

Page 36: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON and the Restrictions in a Productive System: How to Delegate UCON Operations to DEV in a Nutshell

Figure (DEV and PROD, each running the UCON Phase Tool): PROD collects the RFC call statistics and enforces UCON protection; the statistics go to DEV, where the relevant RFMs are assigned to the default CA and to the UCON phases; the phase and CA assignment of the RFMs is transported back to PROD.
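What happens in DEV between the import in step 1 and the assignment in step 2 is the phase-1 decision described earlier: from the logged call statistics, pick the RFMs that were actually called from outside for the default CA and leave everything else blocked. The script below is an added example of that classification, not SAP's UCON phase tool and not its export format: the semicolon-separated layout RFM;CALLER_SID;CALLER_CLIENT;CALLS, the own-system identity PRD/100, the list of known partner systems, the Z_* names and the sample export are all constructed assumptions for this illustration. It goes one step beyond the slides by flagging RFMs whose only outside callers are systems nobody recognizes, so that a single stray call during the logging period does not silently put an RFM into the CA.

```python
"""Classify RFMs from exported RFC call statistics for the default CA (added example)."""
import csv
import io

# Constructed sample export of the logging phase, one row per (RFM, caller).
SAMPLE_STATS = """\
RFM;CALLER_SID;CALLER_CLIENT;CALLS
Z_ORDER_CREATE;CRM;100;1520
Z_ORDER_CREATE;PRD;100;12
Z_INTERNAL_PARALLEL;PRD;100;40310
Z_STOCK_QUERY;BI1;200;87
Z_STOCK_QUERY;PRD;200;3
Z_LEGACY_SYNC;XX9;999;1
"""

# Constructed inventory of the remote-enabled function modules in the system.
ALL_RFMS = ["Z_ORDER_CREATE", "Z_INTERNAL_PARALLEL", "Z_STOCK_QUERY",
            "Z_LEGACY_SYNC", "Z_PAYROLL_BATCH", "Z_ARCHIVE_RUN"]

# Assumption: systems known in the landscape (PRD itself counts for calls
# from its other clients); any other caller needs a human look.
KNOWN_CALLERS = {"CRM", "BI1", "PRD"}


def load_stats(text):
    """Parse the export into (rfm, caller_sid, caller_client, calls) tuples."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [(r["RFM"], r["CALLER_SID"], r["CALLER_CLIENT"], int(r["CALLS"]))
            for r in reader]


def classify(rows, all_rfms, own_sid, own_client, known_callers):
    """Split RFMs into assign-to-CA, manual review, and block (stay UCON-protected)."""
    external = {}
    for rfm, sid, client, calls in rows:
        # Calls inside the same client of the same system are not UCON-relevant,
        # so RFMs used only for internal parallelization never reach the CA.
        # A call from another client of the same system does count as outside.
        if (sid, client) == (own_sid, own_client):
            continue
        external.setdefault(rfm, {})[(sid, client)] = calls

    assign, review = set(), {}
    for rfm, callers in external.items():
        unknown = sorted(c for c in callers if c[0] not in known_callers)
        if unknown:
            review[rfm] = unknown  # called from outside, but by an unexpected system
        else:
            assign.add(rfm)
    block = set(all_rfms) - assign - set(review)
    return assign, review, block


def exposure(assign, all_rfms):
    """Share of the RFM inventory that ends up reachable from outside."""
    return len(assign) / len(all_rfms)


def run():
    """Classify the constructed export for the constructed system PRD/100."""
    rows = load_stats(SAMPLE_STATS)
    return classify(rows, ALL_RFMS, "PRD", "100", KNOWN_CALLERS)


if __name__ == "__main__":
    assign, review, block = run()
    print("assign to default CA:", sorted(assign))
    print("manual review:", review)
    print("stay blocked:", sorted(block))
    print(f"exposed: {exposure(assign, ALL_RFMS):.0%} of {len(ALL_RFMS)} RFMs")
```

On the sample data Z_INTERNAL_PARALLEL is never moved into the CA although it is by far the most-called RFM, because every one of its calls comes from the same client of the same system; Z_LEGACY_SYNC lands in the review bucket rather than the CA because its single caller is unknown. Whatever is transported back to PROD in step 3 should be the reviewed result, not the raw "called from outside" list.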

Page 37: Unified Connectivity (UCON) for SAP NetWeaver Overview

UCON RFC Security Basic Scenario: Summary

Page 38: Unified Connectivity (UCON) for SAP NetWeaver Overview


UCON - Summary

It is simple to set up and configure Unified Connectivity (UCON):

• The UCON framework offers a simple, straightforward approach for enhancing the security of your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed to other clients and systems, reducing the available attack surface in your RFC communications.

• The UCON phase tool guides and supports the administrator in the three-step setup and the three-phased process.

• UCON covers new function modules entering the system via Support Packages, Enhancement Packages, transports, or new developments.

• UCON is fully enabled for life-cycle management to ensure consistent RFC security across your system landscape.

Page 39: Unified Connectivity (UCON) for SAP NetWeaver Overview


Get More Information

Get more information, videos and updates:

Unified Connectivity (UCON): http://scn.sap.com/docs/DOC-53844

SAP NetWeaver Security Community: http://scn.sap.com/community/security

Page 40: Unified Connectivity (UCON) for SAP NetWeaver Overview


© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.