Facing the Internet and Often Vulnerable: SAP Web Dispatcher
Situated on the edge of company IT infrastructures, often located in the area called the demilitarized zone (DMZ), the SAP Web dispatcher handles the incoming HTTP(S) requests from the internet and distributes these to the SAP servers that are situated deeper inside the infrastructure.
The DMZ is a network segment located between the internal company network and the external network (the Internet). It is an unforgiving place, exposed to all kinds of attacks from outside: port scans, Denial of Service, Man-in-the-middle, cross-site scripting (XSS), phishing, SQL injection, command injection, malware, eavesdropping, etc.
Because the SAP Web Dispatcher is critical in the detection of hacking attempts, it is of the utmost importance that it:
- has a current version
- is up to date with (security) patches
- uses an appropriate SSL scenario
- is correctly configured with regards to SSL
- is hardened
- has logging (HTTP and TCP) activated and actively monitored
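What "actively monitored" can look like in practice, as an added example that is not part of the original post: a small analyser over constructed SAP Web Dispatcher HTTP access log lines in the CLF layout (host, ident, user, timestamp, request, status, bytes, as written with LOGFORMAT=CLF). It flags two things a defender wants to see immediately: requests to the administration handler that originate outside the internal network, and sources that produce a burst of client errors, the usual signature of URL probing against a reverse proxy. The internal address ranges, the administration prefix and the burst threshold are assumptions and must be adjusted to your own profile; the log lines are constructed for the example.

```python
"""Scan SAP Web Dispatcher HTTP access log lines (CLF layout) for
administration-handler requests from external sources and for bursts of
client errors. Added example; the log lines below are constructed."""
import ipaddress
import re
from collections import Counter

# CLF line: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumptions: internal ranges, admin handler prefix (icm/HTTP/admin_<n>
# in your profile) and how many 4xx answers from one source count as probing.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_PREFIX = "/sap/admin"
CLIENT_ERROR_THRESHOLD = 5

# Constructed sample log: one internal ping, one internal admin session,
# one external admin attempt, five probes from one external host, one
# malformed line that must not crash the analyser.
SAMPLE_LOG = """\
10.10.5.77 - - [12/Mar/2020:10:15:31 +0100] "GET /sap/public/ping HTTP/1.1" 200 42
10.10.5.77 - - [12/Mar/2020:10:15:40 +0100] "GET /sap/admin/public/default.html HTTP/1.1" 200 1834
203.0.113.9 - - [12/Mar/2020:10:15:32 +0100] "GET /sap/admin/public/default.html HTTP/1.1" 401 0
198.51.100.4 - - [12/Mar/2020:10:16:01 +0100] "GET /old/ HTTP/1.1" 404 0
198.51.100.4 - - [12/Mar/2020:10:16:01 +0100] "GET /test/ HTTP/1.1" 404 0
198.51.100.4 - - [12/Mar/2020:10:16:02 +0100] "GET /backup/ HTTP/1.1" 404 0
198.51.100.4 - - [12/Mar/2020:10:16:02 +0100] "GET /admin/ HTTP/1.1" 404 0
198.51.100.4 - - [12/Mar/2020:10:16:03 +0100] "GET /status HTTP/1.1" 404 0
this line is not in CLF format
"""


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_internal(host):
    """True if the logged host is an IP address inside an internal range.
    Hostnames (reverse lookup enabled) are treated as not internal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse(text, threshold=CLIENT_ERROR_THRESHOLD):
    """Walk the log once and collect findings."""
    admin_from_external = []     # (host, path, status) tuples
    client_errors = Counter()    # host -> number of 4xx answers
    unparsed = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["path"].startswith(ADMIN_PREFIX) and not is_internal(rec["host"]):
            admin_from_external.append((rec["host"], rec["path"], rec["status"]))
        if rec["status"].startswith("4"):
            client_errors[rec["host"]] += 1
    bursts = {h: n for h, n in client_errors.items() if n >= threshold}
    return {"admin_from_external": admin_from_external,
            "client_error_bursts": bursts,
            "unparsed_lines": unparsed}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real access log, `analyse(open(path).read())` gives the same three findings; the counter is per source over the whole file, so for continuous monitoring feed it a rolling window rather than the entire log.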
Availability vs. Vulnerability
Here there is usually a conflict. Even from inside a company, the DMZ is not an environment that can be easily accessed or patched. The components located in the DMZ usually must always be available and therefore have an extremely limited downtime window.
On the other hand, the components in the DMZ are internet facing and must be patched regularly to reduce the number of vulnerabilities that these might have.
SAP Web Dispatcher: with or without SAPControl registration
The SAP Web Dispatcher is a complex piece of SAP Infrastructure that can do many things. Although its primary role is reverse proxy, it also:
- distributes HTTP(S) requests to one or more SAP backend systems
- redirects incoming HTTP(S) requests to other HTTP servers based on rules
- changes the protocol of incoming requests based on rules
- filters URLs based on rules
- load balances incoming requests across multiple application servers
- executes SSL encryption and -decryption
To configure all these different features, the SAP Web Dispatcher has a large number of parameters and a complicated parameter syntax. Often, we see SAP Web Dispatchers that are wrongly configured due to errors in syntax, deprecated parameters, or simply wrong or unsafe scenarios that have been chosen.
There are 2 ways to install an SAP Web Dispatcher:
- using SWPM
This method will create an SAP instance with the typical directory structure (/usr/sap/<SID>/SYS, /usr/sap/<SID>/<instance>, etc.), create the usual SAP administrative users on OS level (sapadm, <SID>adm, etc.). It will also register the instance as a service which means that it can be accessed by SAPControl/SAPMMC.
- The “flatpack” method
By extraction of an executable package (sapwebdisp_xxxx-yyyyyyyy.sar) downloaded from SAPNet.
This last method is a lightweight installation without a SAPControl / SAP MMC connection. The first method of installation also exposes HTTP ports used for the SAP MMC:
When planning for a Web Dispatcher installation or upgrade there are a lot of security aspects to consider:
- SSL Scenario: HTTP/HTTP, HTTP/HTTPS, HTTPS/HTTP, HTTPS/HTTPS or HTTPS end-to-end
- logging: incoming/outgoing connections, URL-specific or not, HTTP(S) and/or TCP
- access: restricted access for incoming connections, Admin functionality
- ports: restricted access by means of ACLs
- encryption: version of the Crypto Library, which ciphers to enable, whether or not to disable TLSv1.0
- disclosure: disable information disclosure in log and trace files
Decide on the method of installation (SWPM or “flatpack”), download the latest version of the Web Dispatcher and make sure to read the security tips stated in the following 3 OSS Notes:
*SAP OSS userID needed to see these notes
We definitely advise you to restrict access to the ports 5XX13 / 5XX14 by using an ACL file as described in OSS Note 1439348.
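To make the ACL recommendation concrete, here is an added example (not from the original post, not SAP's code) that evaluates an access list in the permit/deny line style used for restricting the sapstartsrv HTTP ports: one rule per line, `permit <ip>/<prefix>` or `deny <ip>/<prefix>`, `#` comments, first match wins. Two things are assumptions: that an address matching no rule is denied (the `default_permit` parameter makes this explicit), and the sample ACL itself, which is constructed. Besides evaluating a source address, the `lint_acl` function flags the two mistakes most often seen in such files: a missing catch-all deny at the end, and a permit that covers any source address.

```python
"""Evaluate and lint a permit/deny IP access control list in the line format
used for the sapstartsrv HTTP port ACL file. Added example; the sample ACL
is constructed and the default-deny behaviour is an assumption."""
import ipaddress

# Constructed sample ACL: admin subnet and one monitoring host are allowed,
# everything else is refused.
SAMPLE_ACL = """
# Admin workstations
permit 10.10.5.0/24
# Monitoring host
permit 10.20.0.15/32
# Everything else
deny 0.0.0.0/0
"""


def parse_acl(text):
    """Return a list of (action, network) tuples in file order.
    Raises ValueError on a malformed rule so a typo never silently opens a port."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed ACL rule: {raw!r}")
        net = ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0].lower(), net))
    return rules


def is_permitted(rules, source_ip, default_permit=False):
    """First matching rule decides; default_permit applies when nothing matches."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action == "permit"
    return default_permit


def lint_acl(rules):
    """Return a list of findings for common ACL mistakes (empty list = clean)."""
    findings = []
    if not rules:
        return ["ACL is empty"]
    last_action, last_net = rules[-1]
    if not (last_action == "deny" and last_net.prefixlen == 0):
        findings.append("no final catch-all deny rule")
    for idx, (action, net) in enumerate(rules, 1):
        if action == "permit" and net.prefixlen == 0:
            findings.append(f"rule {idx} permits any source address")
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("10.10.5.77", "10.20.0.15", "10.20.0.16", "203.0.113.9"):
        print(ip, "permitted" if is_permitted(acl, ip) else "denied")
    print("lint:", lint_acl(acl) or "clean")
```

Running `lint_acl` over the ACL file from your profile before each restart is a cheap way to catch a forgotten final `deny`; the evaluator lets you confirm from a change ticket which sources will still reach the 5XX13/5XX14 ports after the change.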
In the current version of the SAP Web Dispatcher (7.77), a lot of configuration parameters have become deprecated. When upgrading the SAP Web Dispatcher to this release also make sure to read the Release Notes and OSS Note 2593926 – Incompatible ICM / SAP Web Dispatcher Parameter Changes in 773 – Deprecated, Obsolete and Changed Parameters and to adjust your configuration accordingly.
Protect4S and the SAP Web Dispatcher
Protect4S checks SAP Web Dispatchers that have a SAPControl interface. It currently runs 27 dedicated Web Dispatcher checks that cover most security-related aspects:
- Protect4S also explains the vulnerabilities detected and shows how to solve the vulnerabilities detected using trusted SAP sources of information.
- Protect4S automates many processes and guides additional actions via clear dashboards, task lists and reports.
Are you curious to find out how Protect4S can secure your SAP Landscape?