
Security advantage with reverse invoke or not?

frank_schewe
Explorer
0 Kudos

Hi colleagues,

We have a scenario with a reverse proxy in front of an SAP system. The reverse proxy stands in the DMZ. The SAP system is in the data center. Reverse Invoke with an SAP Web Dispatcher in the DMZ seems to promise more security because the firewall doesn't have open ports from the DMZ to the data center.

The help.sap.com entry I found describes it only thinly, and in my other searches I haven't found any notes on whether this scenario is safer against URL exploits.

If there is an exploit, is the exploit executed on the SAP system and then delivered via Reverse Invoke in the DMZ to the SAP Web Dispatcher? So in this scenario only one system can be attacked, or will the attack stop at the SAP Web Dispatcher?

Or can this only be blocked with a firewall and an active Intrusion Prevention System/Intrusion Detection System?

So the only advantage with an SAP Web Dispatcher is that the attack stops in the DMZ, and the system is still vulnerable but delivering the attacks to the DMZ?

Maybe someone can describe the reverse procedure accurately. Hopefully it's clearly explained for you.

Kind regards,

Frank Schewe

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi Frank,

Web Dispatcher provides some additional benefits in terms of security, but you can't think of it as a silver bullet. I would never suggest exposing a core business system directly to the internet, e.g. just for DDoS prevention. If somebody starts hitting you with a DDoS, you can always shut down the Web Dispatcher and your core business system can still be accessed via the internal network. This could be achieved via other means, but it's still an option. Another plus for Web Dispatcher is that it supports load balancing to multiple application servers.

Web Dispatcher also allows you to set up rudimentary URL filtering (you need to drop or terminate the SSL connection to be able to do this). So that's another layer for preventing exposure of something that should be kept hidden.

Cheers
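
The URL filtering mentioned in the accepted answer, sketched as an added example (not part of the thread, and not Web Dispatcher's own rule syntax): a first-match permit/deny list applied to the decoded, normalized path, which a proxy can only do once TLS is terminated there. The rule paths and function names are constructed assumptions; a filter like this never inspects parameters on a permitted path, so it does not replace patching the backend or an IPS.

```python
from posixpath import normpath
from urllib.parse import unquote

# Constructed rule list, first match wins: "P" = permit, "D" = deny.
# Paths are illustrative assumptions, not taken from the thread.
RULES = [
    ("D", "/sap/bc/webdynpro/admin"),
    ("P", "/sap/bc/webdynpro"),
    ("P", "/sap/public"),
    ("D", "/"),  # default deny for everything not listed above
]

def canonical_path(target):
    """Return the path a backend would resolve, or None if it looks hostile."""
    path = target.split("?", 1)[0]  # the filter only sees the path part
    # Decode until stable so double-encoded dot-segments cannot slip past.
    # Conservative choice: more than two encoding layers is rejected outright.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            # Collapse "..", "." and repeated slashes before matching.
            return normpath("/" + path.lstrip("/"))
        path = decoded
    return None

def decide(target):
    """Apply RULES to the canonical path; anything unmatched is denied."""
    path = canonical_path(target)
    if path is None:
        return "D"
    for action, prefix in RULES:
        p = prefix.rstrip("/")
        # Match on whole path segments, not on raw string prefixes.
        if path == p or path.startswith(p + "/"):
            return action
    return "D"

if __name__ == "__main__":
    for t in ("/sap/public/logo.png",
              "/sap/public/%2e%2e/bc/webdynpro/admin/x",
              "/sap/bc/webdynpro/app?field=unexpected-input"):
        print(decide(t), t)
```
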
