Академический Документы
Профессиональный Документы
Культура Документы
Objectives
What is security ?
Security threats & measures to combat threats
Types of security
Confidential
Copyright IBM Corporation 2004
A who's who
Security , Secured System, Threats,
Safeguards
Confidential
Copyright IBM Corporation 2004
What is Security ?
Dictionary meaning
In Other Words
The process of ensuring confidentiality,
integrity, and availability of computers,
their programs, hardware devices, and
data.
Confidential
Copyright IBM Corporation 2004
A secure System
It is a system which does exactly
what we want it to do and nothing
that we don't want it to do even
when someone else tries to make it
behave differently.
Threat
It is an act or event that has the
potential to cause a failure of
security .
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
From
FromWhom
Whom
Confidential
Copyright IBM Corporation 2004
Security Achieved By
Keeping Unauthorized Person out of the System
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Threats
Threats
Firewall
Encryption
Confidentiality
SafeGuards
Guards
Safe
Integrity
Goals
Goals
Availability
1.1.
2.2.
3.3.
4.4.
5.5.
6.6.
Tampering
Tampering
Planting
Planting
Eves-Dropping
Dropping
EvesPenetration
Penetration
AuthorizationViolation
Violation
Authorization
O/sCracking
Cracking
O/s
Digital
Certificate
Obligation
Anti-Virus
Security
O/S
Monitor
Hardening
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Types Of Security
Organizational Policies
Monitoring
Training
Disaster Plan
Organizational
Server Facilities
Building
Fire Alarm
Camera
Physical
Program Level
O/S Level
Technical
Database
N/W security
Confidential
Copyright IBM Corporation 2004
Remember
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Exact
Exact
Correct
Correct
Complete
Complete
A program is complete if
it meets all requirements.
Confidential
Copyright IBM Corporation 2004
Application
ApplicationOverview
Overview
Identify
IdentifyVulnerabilities
Vulnerabilities
Decompose
DecomposeApplication
Application
Identify
IdentifyThreats
Threats
Confidential
Copyright IBM Corporation 2004
Application Security
Virus,
Spy ware
Injection
Attacks
Cross
Site
Scripting
Web
Defacement
Authentication
Error
Architecture
T
e
s
t
Application
Application
Security
Security
D
e
s
i
g
n
Deny Of
Service
Implementation
Trojan
Path
Traversal
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
To avoid threats we
apply different Patches
and Harden our O/S.
O/S Patch
O/s
Hardening
OS Kernel
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Database Threats
Data
Overwrite
Data
Loss
Scrambled
Data
User
Conflict
Database
Improper
Change/Alteration
of Data
Unauthorized
Changes
Confidential
Copyright IBM Corporation 2004
Name
Age
Data
DataBase
Base
No Of Cust.
Unit Price
inference
Aggregation
Customer Data
Confidential
Copyright IBM Corporation 2004
Database Vulnerabilities
Basically database security can be broken down into the following key
points of interest.
Server Security
Server security is the process of limiting actual
access to the database server itself, The basic idea is
this, "You can't access what you can't see".
Database Connections
Ensure that every connection uses it's own unique user
to access the shared data
Confidential
Copyright IBM Corporation 2004
Database Web-Security
For Web security, you must address three primary areas:
Session security -- ensuring that data is not
intercepted as it is broadcast over the
Internet or
Intranet
User-authentication security -- ensuring login
security that prevents unauthorized access to
information
Server security -- ensuring security relating to the
actual data or private HTML files stored on the
server
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Database
Database
Session Security
User-Authentication Security
Vendor-Specific Security
Kerberos
Confidential
Copyright IBM Corporation 2004
Huh !!
The rabbit is on the way .. but is it secured enough ?
Confidential
Copyright IBM Corporation 2004
Network Security
Protection of networks and their services from unauthorized modification,
destruction, or disclosure, and provision of assurance that the network
performs its critical functions correctly and there are no harmful sideeffects. Network security includes data integrity .
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
IP Attacks
ICMP Attacks
Routing Attacks
Session Hijacking
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Firewall
Firewall
Certificate
Certificate
Port
PortScan
Scan
Proxy
Proxy
Digital
DigitalCert
Cert
Spam
SpamBlocker
Blocker
Encryption
Encryption
Antivirus
Antivirus
Access
AccessControl
Control
Router
Router
IDS
IDS
Monitoring
Monitoring
Corporate Network
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
NETWORK
SECURITY
WORKSTATION
SECURITY
SAP
APPLICATION
SECURITY
O/S SECURITY
DATABASE
SECURITY
Confidential
Copyright IBM Corporation 2004
Privacy
Obligation
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Objectives
Introduction to SAP
Netweaver What is ?
Netweaver Stack Introduction
Netweaver breakdown
SOA
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
continued
The 1980s: Rapid Growth
The SAP R/2 system attains the high level of stability
Keeping in mind its multinational customers, SAP designs SAP R/2 to handle different
languages and currencies.
With the founding of subsidiaries in Denmark, Sweden, Italy, and the United States,
SAP's international expansion takes a leap forward.
Confidential
Copyright IBM Corporation 2004
continued
The 1990s: A New Approach to Software and Solutions
SAP R/3 is unleashed on the market.
The client-server concept, uniform appearance of graphical interfaces, consistent use of
relational databases, and the ability to run on computers from different vendors meets
with overwhelming approval.
With SAP R/3, SAP ushers in a new generation of enterprise software -- from mainframe
computing to the three-tier architecture of database, application, and user interface.
Confidential
Copyright IBM Corporation 2004
continued
The 2000s: Innovation for the New Millennium
With the Internet, the user becomes the focus of software applications. SAP develops
mySAP Workplace and paves the way for the idea of an enterprise portal and rolespecific access to information.
By 2005,
12 million users work each day with SAP solutions
100,600 installations worldwide
more than 1,500 partners
over 25 industry-specific business solutions
more than 33,200 customers in 120 countries
SAP Netweaver developed based on Services-Oriented Architecture (SOA)
Companies can integrate people, information, and processes within the company and
beyond.
Confidential
Copyright IBM Corporation 2004
What is SOA ?
Confidential
Copyright IBM Corporation 2004
SOA
Software architecture that defines the use of loosely coupled software services to
support the requirements of business processes and software users
Resources on a network in an SOA environment are made available as independent
services that can be accessed without knowledge of their underlying platform
implementation
SOA-based systems can therefore be independent of development technologies and
platforms (such as Java, .NET etc)
Confidential
Copyright IBM Corporation 2004
Now let us take a look at some technical & operational challenges facing a
distributed system
Confidential
Copyright IBM Corporation 2004
SAP NetWeaver
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
SAP NetWeaver
SAP NetWeaver integrates various different technological concepts and previous
platforms in a single solution
It is an open technology platform which offers a comprehensive set of technologies that
are natively integrated
Confidential
Copyright IBM Corporation 2004
Multi-Channel Access
Portal
Collaboration
People Integration brings together the right functionality and the right
information to the right people
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Multi-Channel Access
Portal
Collaboration
Confidential
Copyright IBM Corporation 2004
Multi-Channel Access
Portal
Collaboration
With multi-channel access, you can connect to enterprise systems through voice, mobile,
or radio-frequency technology
Multi-channel access is delivered through Mobile Infrastructure
The key elements of SAP NetWeavers multi-channel access capabilities are
SAP NetWeaver Mobile,
SAP Auto-ID Infrastructure
SAP NetWeaver Voice, Message Interfaces (SMS, Fax, Email) and
Web-based GUI
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Multi-Channel Access
Portal
Collaboration
The collaboration capabilities delivered with SAP NetWeaver, are designed to enable
individuals, teams, and interest groups to work together closely towards a common goal.
The comprehensive set of collaboration tools and services allows users to share
relevant information, communicate online in real-time, plan with the help of a unified
calendar, and provide a single point of access to documents and resources.
Confidential
Copyright IBM Corporation 2004
Business Intelligence
Knowledge Management
Confidential
Copyright IBM Corporation 2004
Business Intelligence
Knowledge Management
Confidential
Copyright IBM Corporation 2004
Knowledge Management
Knowledge Management (KM) is the umbrella term for the management of unstructured information
that is, all kinds of documents
The Knowledge Management (KM) capabilities of SAP NetWeaver turn unstructured information into
organizational knowledge an essential function in this age of global e-business
The business challenge is to transform unstructured information into organizational knowledge by
structuring and classifying it in such a way that it becomes assessable and relevant to the
enterprise's knowledge workers
There is an urgent need to create a central point of access within the enterprise to manage
information and translate it into knowledge for success
Confidential
Copyright IBM Corporation 2004
Knowledge Management
Today, companies operating within heterogeneous IT landscapes are commonplace, and the demand for
streamlining communication within such an environment is great.
SAP Master Data Management (SAP MDM) - a key capability of SAP NetWeaver - enables information
integrity across the business network. It enables companies to store, augment, and consolidate master
data, while ensuring consistent distribution to all applications and systems within the IT landscape.
It leverages existing IT investments in business-critical data, delivering vastly reduced data maintenance
costs through effective data management.
By ensuring cross-system data consistency, SAP MDM accelerates the execution of business
processes, greatly improves decision-making and helps companies maintain their competitive
advantage.
Confidential
Copyright IBM Corporation 2004
Integration Broker
Confidential
Copyright IBM Corporation 2004
Integration Broker
Confidential
Copyright IBM Corporation 2004
Integration Broker
Confidential
Copyright IBM Corporation 2004
J2EE
ABAP
DB and OS Abstraction
The application platform of SAP NetWeaver is the SAP Web Application Server
It provides a complete infrastructure to develop, deploy and run platformindependent, robust and scalable Web Services and business applications.
To allow this flexibility, different technologies have been established
Java 2 Platform Enterprise Edition (J2EE)
ABAP
DB and OS Abstraction
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
ABAP is the SAP Web Application Server programming language for business
applications
It contains all characteristics of an object-oriented programming language and at the
same time provides the benefits of a 4GL language: Many functions that are located
in libraries in other languages are contained as language elements, which make it
easier to check statistics and is beneficial for program performance.
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Model-driven architecture
Confidential
Copyright IBM Corporation 2004
Questions ?
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Objectives
Why security & implications ?
What types of security ?
NetWeaver Security
Confidential
Copyright IBM Corporation 2004
Perfect Security ?
There is no perfect security
Needs to evolve with changing technologies & associated risks
Risk to a security attack can be minimized
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
What to protect ?
There are various aspects to consider while considering the answer to the above
In the SAP environment, we should be able to reduce the risk of a security attack in the
entire NetWeaver stack
Broadly, we are looking at reducing security risks to the following NetWeaver layers:
People Integration
Process Integration
Information Integration
Application Platform
Confidential
Copyright IBM Corporation 2004
Multi-Channel Access
Portal
Collaboration
People Integration brings together the right functionality and the right
information to the right people. This module of the NetWeaver stack aims at
providing seamless user experience, boundless collaboration functionality, and
pervasive access.
This functionality of this module of the NetWeaver stack is further broken down
into:
Portal Infrastructure
Collaboration
Multi-Channel Access
We will investigate the security aspects to be considered for the above subcomponents in forth coming slides.
Confidential
Copyright IBM Corporation 2004
The SAP NetWeaver Portal offers users a single point of access to all applications, information, and
services needed to accomplish their daily tasks. Links to back-end and legacy applications, selfservice applications, company intranet services, and Internet services are all readily available in the
users portal. Because the borders between company intranets and the Internet are blurring,
comprehensive security is vital to protect the companys business.
Below are the aspects to consider while aiming to secure enterprise portal:
Authorizations
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
User Management
The SAP NetWeaver Portal uses the User Management Engine (UME) for user
management.
The UME can be configured to work with user management data from multiple data
sources, for example, an LDAP directory, database of the SAP NetWeaver Application
Server (AS) Java, or ABAP system.
The UME is integrated as a service of the Java AS.
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
The User Management Engine (UME) provides a centralized user management for all Java
applications. It can be configured to work with user management data from multiple data sources. It
is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user
store and can be administrated using the administration tools of the AS Java.
In the figure, user data is stored in one or more data sources. Each type of data source has its own
persistence adapter. The persistence manager consults the persistence adapters when creating,
reading, writing, and searching user management data. The application programming interface (API)
is a layer on top of the persistence manager.
In the persistence manager, you configure which data is written to or read from which data source,
so that the applications using the API do not have to know any details about where user
management data is stored.
Confidential
Copyright IBM Corporation 2004
Client Certificates
Single Sign-on
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Both variants eliminate the need for repeated logons to individual applications after the
initial authentication at the portal. Whereas SSO with logon tickets is based on a secure
ticketing mechanism, SSO with user ID and password forwards the users logon data
(user ID and password) to the systems that a user wants to call.
Confidential
Copyright IBM Corporation 2004
The logon ticket itself is stored as a cookie on the client and is sent with each request of that client.
It can then be used by external applications such as SAP systems to authenticate the portal user to
those external applications without any further user logons being required.
Logon tickets contain information about the authenticated user. They do not contain any passwords.
Specifically, logon tickets contain the following items:
-
Authentication scheme
Validity period
When using logon tickets, one system must be the ticket-issuing system. This can either be the portal
or another system.
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Portal permissions define portal user access rights to portal objects in the PCD and are based on
access control list (ACL) methodology.
Security Zones Control which portal components and portal services users can launch and are
defined in the development phase.
UME Actions the User Management Engine (UME) equivalent of portal permissions. The UME
verifies that users have the appropriate UME actions assigned to them before granting them access
to UME iViews and functions.
AuthRequirement property This is a master iView property used in EP 5.0 that defines which users
are authorized to access a master iView or Java iViews derived from a master iView.
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Collaboration Security
SAP Collaboration allows access to company-internal personal data, information, and
documents that may not be equally accessible to all portal users. Settings for data
security prevent unauthorized access and data manipulation.
Collaboration uses the user management and user authentication mechanisms in the
SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java).
Therefore, the security recommendations and guidelines for user management and
authentication apply as described in the SAP Web Application Server security guide.
Collaboration uses the permissions concept provided by the SAP Web Application
Server (Java). Therefore, the security recommendations and guidelines for permissions
apply as described in the SAP Web Application Server (Java) security guide.
This permissions concept is based on roles that are valid throughout the portal, which
are assigned to the users.
Confidential
Copyright IBM Corporation 2004
Theft
Authentication & Authorization procedures are discussed in the next few slides
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
From the SAP MI Client Component to the SAP NetWeaver AS ABAP and vice versa
Protocols include HTTP,SSL or HTTPS
Data transferred includes application data, control data for SAP Mobile Infrastructure,
synchronization password
Data requiring particular protection includes synchronization password, as it is copied from
the mobile device to the SAP NetWeaver AS ABAP with each HTTP request. Use of SSL or
HTTPS is recommended
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
Attacks from the Internet or Intranet when using BEx Web functionality and Web
Services
Confidential
Copyright IBM Corporation 2004
BI Security - Authentication
The authentication process enables the identity of a user to be checked before this user gains
access to BI or BI data. SAP NetWeaver supports various authentication mechanisms.
Some of the authentication mechanisms include:
-
Single sign-on implies that once a user is authenticated with a username & password, the user then
has access to other SAP systems that are in the landscape
As an alternative to user authentication using a user ID and passwords, users using Internet
applications via the Internet Transaction Server (ITS) can also provide X.509 client certificates. In
this case, user authentication is performed on the Web Server using the Secure Sockets Layer
Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in
accordance with the authorization concept in the SAP system.
BI supports SAP logon tickets. To make Single Sign-On available for several systems, users can
issue an SAP logon ticket after they have logged on to the SAP system. The ticket can then be
submitted to other systems (SAP or external systems) as an authentication token. The user does not
need to enter a user ID or password for authentication but can access the system directly after the
system has checked the logon ticket.
Confidential
Copyright IBM Corporation 2004
BI Security - Authorization
An authorization allows a user to perform a certain activity on a certain object
in the BI System. There are two different concepts for this depending on the
role and tasks of the user:
Standard Authorizations
-
These authorizations are required by all users that are working in the Data
Warehousing Workbench to model or load data, and also by users that work in the
planning workbench or the Analysis Process Designer and those that work with the
Reporting Agent or the BEx Broadcaster or define queries.
Analysis Authorizations.
-
Confidential
Copyright IBM Corporation 2004
Roles
ACLs
Security Zones
Confidential
Copyright IBM Corporation 2004
Change the ACLs for subordinate folders if different permissions apply for these folders.
Security zones
-
Confidential
Copyright IBM Corporation 2004
HTTP/HTTPS
WebDAV
ICE
JDBC on OpenSQL
Operation-system-dependent and database-specific technologies
Confidential
Copyright IBM Corporation 2004
Confidential
Copyright IBM Corporation 2004
PI Security - Communication
The components of a process integration (PI) landscape communicate with each other
for different purposes like configuration, administration, monitoring, or the actual
messaging.
The primary purpose of a PI landscape is to enable business partners and applications
to exchange XML messages (business documents). This includes business
communication between business systems, Integration Servers or Adapter Engines.
In addition to proper messaging, technical communication between various PI tools and
runtime components is required.
Two different technical protocols are used for these communications: HTTP and RFC.
Confidential
Copyright IBM Corporation 2004
PI Security - Authentication
Session-based single sign-on is supported for the dialog users of the PI tools.
A dialog user has to log on only once for all PI tools, provided that the same browser
session is used for each tool access, and that the tools are started from the same SAP
NetWeaver Application Server Java.
Single sign-on is also supported by the Runtime Workbench where access to other PI
components is required (for example, for component monitoring).
Confidential
Copyright IBM Corporation 2004
Message-level security processing is generally done in SAP NetWeaver Application Server Java
(AS-Java). If the Integration Server executes security processing, a Web service is called in the
J2EE Engine. Therefore, the certificates as well as the certification authority (CA) certificates to
be used must be entered into the keystore of the J2EE Engine that executes the security
handling at runtime.
For non-repudiation purposes, signed messages are stored in a dedicated archive, the nonrepudiation archive. It contains data to prove the validity of the signature. The following data is
stored:
The raw message
The security policy as configured in the Integration Directory
The sender certificate
Confidential
Copyright IBM Corporation 2004
Questions ?
Confidential
Copyright IBM Corporation 2004