Skip to Content

How much security protection does SAP WebDispatcher actually provide in DMZ?

We want to expose SAP Web Services (running on our main ECC system) to users over the internet / public connection. We already have an F5 reverse proxy in our DMZ.

If the Web Service is hacked we don't want our internal corporate network exposed.

All of the documentation I can find simply indicates to place a SAP WebDispatcher in the DMZ, however (I believe) SAP WebDispatcher really only acts as a reverse proxy providing similar functions available in our F5. So our Security Team are arguing that if the Web Service is hacked then it would still be an internal SAP server that was hacked thus exposing our corporate internal network.

The only options I can think of are to either:

  • Have a separate app server running the web services in the DMZ; or
  • A separate ECC instance dedicated to public facing functions in the DMZ (along the lines of an external facing portal).

Has anyone else grappled with this issue, or does the DMZ-placed WebDispatcher actually provide more protection to the corporate network than I am giving it credit for?

Thanks very much for your assistance.

Todd

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    Jun 28, 2017 at 07:03 AM

    Hi Todd,

    just my two cents: If you have an F5 in place SAP Web Dispatcher (SWD) does not add much value to security.

    SWD is an SAP specific reverse proxy that is manly used to distribute web load over SAP application servers. Or in Fiori scenarios it is used to concentrate the access to several SAP systems in one entry point.

    Some people try to use SWD instead of an F5. That is no good idea at all, because SWD does not have a proven track record as a security gateway. The current security issue with blacklisting/whitelisting functionality indicates this.

    The only feature that might be new and add some value somehow is Reverse Invoke. In case an attacker took over SWD Reverse Invoke might make it a little more complicated to take over the connection to the backend.

    So finally:

    • you might see value in an SWD to do SAP specific load balancing (without taking any security features into account)
    • Or you might be fond of Reverse Invoke and use SWD because of this

    Cheers, Lutz

    Add comment
    10|10000 characters needed characters exceeded

  • Jul 18, 2017 at 09:25 AM

    Hi Todd,

    On the lines of Lutz you can also check the link :

    https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.6/en-US/489ab29948c673e8e10000000a42189b.html

    which explains how the web dispatcher security is used.

    Regards,
    Manjunath Hanmantgad

    Add comment
    10|10000 characters needed characters exceeded