
NWBC - what is the security level of this service by the access from Internet

WaldemarFal

Dear Colleagues,

I am a project manager, so please excuse me if I am wrong, but I am worried by the security aspect of NWBC when opened to the Internet. Many Basis experts (the conservative ones) are very skeptical about giving external access to the system via NWBC. They prefer SAP GUI or even SAP Portal via VPN, but without giving the real reasons. In my opinion NWBC is more secure, at least because it gives access only to a limited scope of functions, whereas VPN opens access to everything in the intranet.

I am very excited about the mobility and simplicity opened up by NWBC access, but now I am facing myths ("better not to do it") instead of a clear positioning of the security levels that can be organised as part of the authorization policies. I found many security discussions on this forum, but they touch only specific aspects. The material on the SAP pages is too general.

Can you advise me please where to find an accurate explanation? We are on 606.

Cheers Waldek


Answers (5)


WaldemarFal

As I've realized, our IT gurus decided to allow NWBC access for the recruiters via a Juniper MAG6610. As I see it, that is some kind of VPN, but easy to use by creating a new immediate URL. What is your opinion about the security level of this device? Cheers

WaldemarFal

Dear Colleagues,

first - I will grant the points for sure, but first let's draw some conclusions. It is right not to expose the ERP directly. Perhaps I should give you the picture:

1. I am talking now about SAP E-Recruiting, and we have to (there is no other way) expose the web services for the candidates

2. This is done via Web Dispatcher, according to the SAP recommendation

3. NWBC (for recruiters) we would like to expose the same way.

Is that sufficient, or would you recommend something on top?

Former Member

Waldemar Falinski wrote:

I will grant the points for sure, but first let's draw some conclusions.

You just disqualified yourself as far as I am concerned.

Julius

Former Member

With E-Recruiting you can have another level of security by having a separate AS ABAP stack hosting only the E-Recruiting component. You then link your actual ERP HR system using ALE. Another, even more secure scenario is to build your own UI and leverage the existing eSOA services of E-Recruiting.

WaldemarFal

Dear Julius,

What is your concern? One of the aims of this forum is to gain serious advice from colleagues in the SAP world.

I am simply a project manager lost in the endless dispute of Basis gurus: "yes, we have to be mobile, but better let's stay closed" or "cloud is perfect, but let's stay on premise for a while". I would like to gain arguments. What is wrong with promising points for a constructive conclusion after an interesting discussion? Do you see something violating the rules of this forum?

Regards

Waldemar

Former Member

Sorry, I meant that you disqualified me from the discussion by baiting with points.

Please continue...

WaldemarFal

Dear Samuli,

we already have a separate AS ABAP stack hosting only the E-Recruiting component, connected to ERP via ALE.

We have sensitive personal data of candidates inside, and we already have the web services open via Web Dispatcher. Is that already dangerous in a measurable way?

And if we enable NWBC to be exposed via the same Web Dispatcher, will it be more dangerous?

We don't want to have an additional UI - we would rather close the access for the recruiters from their home computers.

Cheers

martin_voros

Hi

this changes a lot. So it's not your core system; it's a specific system that hosts E-Recruiting only. I assume that you have some legal requirements that you have to take care of regarding candidate data. Because the system is already exposed to the Internet, there is already some risk associated with it. So if you want to go ahead with this, I would suggest checking whether the Web Dispatcher is performing URL filtering. Also disable all unnecessary nodes in SICF, plus some standard stuff like carefully creating the role(s) that will be assigned to candidates. I would also check how hard it is to jump from this system to your ERP system. Very often you can find RFC destinations with pre-defined users with really broad authorizations in the target system. This could be misused by an attacker if the system is compromised.

Cheers
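The URL-filtering check Martin suggests above is easy to get wrong because the dispatcher's permission rules are matched top-down with the first hit winning, so a broad permit placed early silently disables every deny below it, and a filter that matches the raw request path rather than the normalized one can be bypassed with encoding or dot segments. The script below is an added example, not code from the thread or from SAP: it models a simplified Web Dispatcher permission table (the file referenced by PERMFILE in `icm/HTTP/auth_<n>`, with P = permit, D = deny, S = permit only over HTTPS, and `*` as wildcard; verify this syntax against the documentation for your release), evaluates a few constructed probe paths against a loose and a strict table, and reports rules that an earlier rule makes unreachable. The service names (`hrrcf_a_*`, `/sap/public/bc/*`) are placeholders, not a real E-Recruiting allow-list.

```python
"""Audit a SAP Web Dispatcher URL permission table (simplified model).

Assumed format, not taken from the thread: one rule per line,
<mode> <URL pattern>, mode P permits, D denies, S permits only over HTTPS,
'*' is a wildcard, rules are evaluated top-down and the first match wins.
Service names used below are placeholders.
"""
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit
import posixpath


def normalize(request: str) -> str:
    """Reduce a raw request target to the path the ICF will dispatch on.

    Drops the query string, percent-decodes once and resolves '.'/'..'
    segments, so an encoded or traversal-obfuscated path cannot slip past a
    prefix rule. Lower-casing both sides is a conservative assumption here.
    """
    path = posixpath.normpath(unquote(urlsplit(request).path))
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def parse_permfile(text: str):
    """Return [(line_no, mode, pattern)] for the non-comment lines."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"permfile line {line_no}: cannot parse {raw!r}")
        rules.append((line_no, parts[0].upper(), parts[1].lower()))
    return rules


def decide(rules, request: str, https: bool = True):
    """Return ('permit'|'deny', matching line number); 0 means nothing matched.

    No match is treated as deny so the outcome never depends on the
    dispatcher's implicit default; a trailing 'D *' makes that explicit.
    """
    path = normalize(request)
    for line_no, mode, pattern in rules:
        if fnmatchcase(path, pattern):
            if mode == "D" or (mode == "S" and not https):
                return ("deny", line_no)
            return ("permit", line_no)
    return ("deny", 0)


def shadowed_rules(rules):
    """Return [(shadowed_line, shadowing_line)] for rules that can never match.

    Detects the common case only: an earlier 'prefix*' rule whose prefix
    already covers the later rule's pattern.
    """
    found = []
    for j, (line_j, _m, pat_j) in enumerate(rules):
        for line_i, _n, pat_i in rules[:j]:
            if pat_i.endswith("*") and "*" not in pat_i[:-1] and pat_j.startswith(pat_i[:-1]):
                found.append((line_j, line_i))
                break
    return found


# Constructed sample tables. LOOSE looks restrictive, but its deny on line 2
# is dead because 'P /sap/*' on line 1 already matched. STRICT allow-lists
# only the candidate-facing applications (placeholder names) and ends in 'D *'.
LOOSE = """\
P /sap/*
D /sap/bc/gui/sap/its/webgui*
D *
"""

STRICT = """\
# candidate-facing E-Recruiting Web Dynpro applications only (placeholder names)
S /sap/bc/webdynpro/sap/hrrcf_a_*
S /sap/public/bc/*
D *
"""

# Constructed probes: the legitimate candidate start page plus three ways an
# attacker might try to reach WebGUI through the same dispatcher.
PROBES = [
    "/sap/bc/webdynpro/sap/hrrcf_a_startpage?sap-client=100",
    "/sap/bc/gui/sap/its/webgui",
    "/sap/bc/webdynpro/sap/HRRCF_A_STARTPAGE/../../../gui/sap/its/webgui",
    "/sap/bc/%67ui/sap/its/webgui",
]


def audit(permfile_text: str, probes=PROBES, https: bool = True):
    """Evaluate every probe against one table and list its shadowed rules."""
    rules = parse_permfile(permfile_text)
    return {p: decide(rules, p, https) for p in probes}, shadowed_rules(rules)


if __name__ == "__main__":
    for name, table in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        verdicts, shadowed = audit(table)
        print(f"== {name} ==")
        for probe, (verdict, line_no) in verdicts.items():
            print(f"  {verdict:6} (rule line {line_no}) {probe}")
        for dead, by in shadowed:
            print(f"  rule on line {dead} is unreachable: shadowed by line {by}")
```

Run it as-is and the LOOSE table permits all three WebGUI probes through rule line 1 while reporting line 2 as shadowed; the STRICT table permits only the candidate start page, and only over HTTPS, and denies the traversal and percent-encoded variants because they are normalized before matching. The same audit can be pointed at your real PERMFILE and at the NWBC paths you intend to expose for recruiters.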

WaldemarFal

Dear Colleagues,

please do not treat the e-recruitment system as less sensitive than ERP - in Europe we have laws taking serious care of the proper treatment of personal data, which means that the database has to be properly secured. Misuse of personal data can be even more painful than misuse of some financial data.

I will now verify our WebDispatcher setup in view of your recommendations and will be back soon. Thank you for the cooperation so far.

Cheers

Waldek

WaldemarFal

Dear Samuli and Martin, thank you! However, we are still in a 0/1, yes/no discussion, and I am sure that there are various levels and methods available allowing real mobility and BYOD. Sure, for some users having access to very sensitive areas it has to be secured by VPN, but for the majority is that really necessary? How is SAP granting users access to SAP HANA Cloud?

Please note that we are living in the era of internet banking, and access to bank accounts doesn't require VPN. Of course there is risk, but according to the rules it has to be identified, assessed etc. I viewed the "Security" space, but very specific issues are treated there. Can you advise where to find out about the many incidents of hacking on SAP (as Samuli wrote)? And Martin - good point about the castle approach; we know already that this gives only the illusion of security. As they are static and there are always weak points, an intruder may evaluate and prepare the right and smart assault.

Does NWBC access allow an intruder to reach something outside the assigned authorizations of a particular user?

martin_voros

Hi,

few comments.

I don't think that internet banking is a good example. An internet banking app is not a core banking system. For example, let's take a DoS attack. If it takes down the internet banking app, then you can still go to a branch or withdraw money from an ATM. In your scenario I assume that ERP is a core system for your company. SAP Gateway would be the equivalent of an internet banking app. That's why SAP suggests deploying Fiori apps to a separate system. In case something happens to this system (e.g. a DoS attack), the other processing like sending/receiving IDocs can still be running without any disruption. Losing the gateway server for one hour can cause lots of grief to a company (similarly to a bank losing internet banking for one hour), but it's not a complete disaster.

Another important thing to remember is that the ABAP AS is a legacy app and was not designed with the cloud in mind. I always get slightly irritated when somebody says that the ABAP AS is cloud ready, but I guess that depends on the definition of cloud ready.

Regarding SAP hacking: honestly, I am not sure about this. There are some people that present at various security conferences about SAP hacking, but it reminds me of mainframe hacking. There is plenty of opportunity, but nobody does it because it requires some additional knowledge, and you can always find some other app that allows you to compromise the network (e.g. a POS system). But I do not have any numbers about this.

Cheers

Former Member

Perhaps they are trying to say that you should expose only selected web services for front-end interaction from the internet.

NWBC embeds the SAP GUI controls as well as the HTML controls. It is better than local SAP GUI in most respects, but not a candidate for banking-services-style, 3rd-party, scalable business-partner access, as they need simple applications and you need a stronger separation from your back-end systems.

My 2 cents,

Julius

martin_voros

Hi,

disclaimer: I am not a network security expert. This is a really complex topic. The traditional defense of core IT systems was based on the medieval castle approach. You separate your network into different zones and control access to each zone. Many people claim that this approach does not work anymore. Some even claim that it never worked. The problem is that users need access from anywhere these days, and very often you don't have control over the device they use for access (BYOD policy).

You should always do a risk analysis of all your options and choose based on the level of acceptable risk. I assume that you want to provide access to some users outside of your company network. Opening the ECC system directly to the Internet is not a good idea. You will have to be able to quickly patch your system, and many customers struggle with this. Hence you would like to put something in front of it. I am not aware of how you could use the gateway system to tunnel NWBC communication. You could use a standard HTTP proxy, but that still exposes you to security bugs in the ABAP AS.

BTW, some VPN software solutions allow you to define different profiles for users. So giving VPN access to a user does not necessarily equal giving access to the whole network.

So in this case I would gravitate to a VPN solution, but in the near future you might find yourself needing to install a gateway system because your users would like to use Fiori apps.

Cheers

Former Member

I'll ping the space. It's no myth, I would never open my ERP system externally without having another level of security in between (e.g. Gateway) and very tight control on what services can be invoked. Having a ICF node inactive doesn't mean that your ICF can't be hacked. Simply too much hacking on SAP systems going on these days. There is no going back to the time where you could have your SAP system exposed externally without ever installing SAP security notes. Opening NWBC externally is comparable to opening webgui externally, also something I wouldn't do. Deploy a VPN based solution so that everyone involved can sleep peacefully.