cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How much security protection does SAP WebDispatcher actually provide in DMZ?

Go to solution
former_member267124
Explorer

on ‎06-28-2017 7:20 AM

We want to expose SAP Web Services (running on our main ECC system) to users over the internet / public connection. We already have an F5 reverse proxy in our DMZ.

If the Web Service is hacked we don't want our internal corporate network exposed.

All of the documentation I can find simply indicates to place a SAP WebDispatcher in the DMZ, however (I believe) SAP WebDispatcher really only acts as a reverse proxy providing similar functions available in our F5. So our Security Team are arguing that if the Web Service is hacked then it would still be an internal SAP server that was hacked thus exposing our corporate internal network.

The only options I can think of are to either:

  • Have a separate app server running the web services in the DMZ; or
  • A separate ECC instance dedicated to public facing functions in the DMZ (along the lines of an external facing portal).

Has anyone else grappled with this issue, or does the DMZ-placed WebDispatcher actually provide more protection to the corporate network than I am giving it credit for?

Thanks very much for your assistance.

Todd

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

LutzR
Active Contributor
‎06-28-2017 8:03 AM
0 Kudos

Hi Todd,

just my two cents: If you have an F5 in place SAP Web Dispatcher (SWD) does not add much value to security.

SWD is an SAP specific reverse proxy that is manly used to distribute web load over SAP application servers. Or in Fiori scenarios it is used to concentrate the access to several SAP systems in one entry point.

Some people try to use SWD instead of an F5. That is no good idea at all, because SWD does not have a proven track record as a security gateway. The current security issue with blacklisting/whitelisting functionality indicates this.

The only feature that might be new and add some value somehow is Reverse Invoke. In case an attacker took over SWD Reverse Invoke might make it a little more complicated to take over the connection to the backend.

So finally:

  • you might see value in an SWD to do SAP specific load balancing (without taking any security features into account)
  • Or you might be fond of Reverse Invoke and use SWD because of this

Cheers, Lutz

Show replies
Show replies

Answers (1)

Answers (1)

hanmantgad_manjunath
Explorer
‎07-18-2017 10:25 AM
0 Kudos

Hi Todd,

On the lines of Lutz you can also check the link :

https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.6/en-US/489ab29948c673e8e10000000a4...

which explains how the web dispatcher security is used.

Regards,
Manjunath Hanmantgad

Show replies
Show replies
Ask a Question