Check your network encryption related settings periodically
In today's world of doing business, it is unavoidable to communicate with parties outside your company's walls. Think for example of outgoing or incoming interfaces, users logging on from remote locations (such as home), access granted to business partners, or hybrid scenarios where data flows between on-premises systems and the cloud.
As more and more data is exchanged over the public internet, it is critical to make sure these data flows are properly secured. This applies to SAP-specific protocols such as SAP GUI (DIAG) and RFC traffic as well as to standard HTTP-based traffic; this article focuses only on the latter. For HTTP-based traffic there are standards that prevent malicious parties from eavesdropping on your communications. While eavesdropping may sound far-fetched or technically hard, it is neither: anyone positioned on the network path (a compromised switch, a rogue Wi-Fi access point, an attacker on the same VPN) can 'listen' in on unencrypted traffic. For example, when a password is sent over an unencrypted channel it can be read straight from the captured packets, as shown below:
To prevent this, the traffic must be encrypted. For HTTP-based traffic this is done with SSL/TLS, i.e. HTTPS. This post is not a detailed treatment of cryptography, which is a large topic in itself; its aim is to convey why encryption matters and to urge customers to use a recent and supported TLS version.
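To make the eavesdropping point concrete, here is an added example (written for this edit, not the screenshot from the original post) that does what a passive sniffer does once it has the bytes of a plain-HTTP request: it pulls the credentials out of the Authorization header and out of a logon form body. The captured request, host name, path and credentials are all constructed for the example; the `sap-user`/`sap-password` field names mirror the ICF logon form but the values are made up.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: the TCP payload of one plain-HTTP request, exactly as a
# sniffer on the network path would see it. Host, path and credentials are
# made up for this example.
CAPTURED_REQUEST = (
    b"POST /sap/bc/gui/sap/its/webgui HTTP/1.1\r\n"
    b"Host: sapdev.example.internal:8000\r\n"
    b"Authorization: Basic REVWVVNFUjpTdW1tZXIyMDI0IQ==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"sap-user=DEVUSER&sap-password=Summer2024%21"
)


def credentials_in_request(payload: bytes) -> dict:
    """Extract credentials from a plaintext HTTP request.

    Returns a dict with up to two entries:
      "basic_auth"  -> (user, password) decoded from an HTTP Basic header
      "form_logon"  -> (user, password) taken from a URL-encoded logon form
    An empty dict means nothing credential-like was found.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    found = {}

    # Header section: HTTP Basic is just base64, not encryption.
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            decoded = base64.b64decode(value[6:]).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            found["basic_auth"] = (user, password)

    # Body section: a form POST carries the password URL-encoded, in clear.
    form = parse_qs(body.decode("latin-1"))
    if "sap-user" in form and "sap-password" in form:
        found["form_logon"] = (form["sap-user"][0], form["sap-password"][0])

    return found


if __name__ == "__main__":
    for source, (user, password) in credentials_in_request(CAPTURED_REQUEST).items():
        print(f"{source}: user={user!r} password={password!r}")
```

In a real capture the payload would come from `tcpdump`/Wireshark rather than a constant, but the parsing is the same: nothing in an HTTP request over port 8000 protects the credential, so the only remedy is TLS on the connection.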
Over time several versions of SSL and its successor TLS have been released; for an overview see the table below. Deprecation years refer to the IETF documents that formally prohibited the version.

| Version | Release year | Deprecation year |
|---|---|---|
| SSL 1.0 | Never publicly released | Never publicly released |
| SSL 2.0 | 1995 | 2011 (RFC 6176) |
| SSL 3.0 | 1996 | 2015 (RFC 7568) |
| TLS 1.0 | 1999 | 2021 (RFC 8996) |
| TLS 1.1 | 2006 | 2021 (RFC 8996) |
| TLS 1.2 | 2008 | Not deprecated |
| TLS 1.3 | 2018 | Not deprecated |

Figure 3 SSL / TLS versions
Important to note is that all SSL versions and TLS versions 1.0 and 1.1 are deprecated and no longer considered secure, because of practical or theoretical weaknesses in these versions. For SSL in particular, well-known attacks exist: DROWN exploits servers that still accept SSL 2.0 (and can break TLS sessions of any other server sharing the same RSA key), and POODLE exploits the CBC padding of SSL 3.0. Note that it is not enough for a server to prefer a newer version; as long as it still accepts an old one, it remains exposed to attacks on that version.
The versions currently considered secure and best practice are TLS 1.2 and the more recent TLS 1.3. Normally the advice would be to use the most recent version, but at the time of writing this is not yet possible for most SAP products, as TLS 1.3 is not yet supported by them. To provide some overview:
| SAP Product | TLS 1.2 | TLS 1.3 |
|---|---|---|

Figure 4 SAP Products and support for TLS 1.2 and 1.3
As TLS 1.3 is currently not supported by most common SAP products, a good practice is to use at least TLS 1.2 and to disable everything older. There are more specific recommendations to make on this topic, since a TLS implementation comes with many details beyond the protocol version (cipher suites, key lengths, certificate validation), but at a high level please make sure to enable only supported TLS versions that are considered secure, and to verify from the outside that the older versions are really switched off.
Checking all network encryption-related settings can involve a lot of manual work; that is why our Protect4S SAP Vulnerability Management solution checks your SAP landscape periodically in an automated way.
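The check a practitioner would want after the recommendation above is an external one: connect to the HTTPS port and see which protocol versions the server actually accepts, rather than trusting the configuration. The following is an added example (not part of the original post and not Protect4S code) using only Python's standard `ssl` module. It builds one client context per protocol version, pinned to exactly that version, attempts a handshake, and then evaluates the results against the policy "TLS 1.2 or 1.3 only". The host and port are assumed to be command-line arguments; SSL 2.0 cannot be expressed through the `ssl` module and is therefore outside what this probe can test.

```python
import socket
import ssl

# Protocol versions to probe, oldest first. SSL 2.0 is not representable with
# ssl.TLSVersion, so it is out of scope for this probe (use openssl s_client
# or a dedicated scanner for that one).
PROBE_VERSIONS = [
    ("SSL 3.0", ssl.TLSVersion.SSLv3),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]

# The only versions the page's recommendation allows a server to accept.
ACCEPTABLE = {"TLS 1.2", "TLS 1.3"}


def context_for(version):
    """Client context that can negotiate exactly one protocol version.

    Raises ValueError if the local OpenSSL cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test here, not the certificate chain;
    # a production client must keep verification enabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level. Without
    # lowering it, a server that still speaks them would wrongly look clean.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # e.g. LibreSSL without SECLEVEL support: probe with defaults
    return ctx


def supported_locally():
    """Labels of the versions this machine's TLS library can offer at all."""
    out = []
    for label, version in PROBE_VERSIONS:
        try:
            context_for(version)
            out.append(label)
        except ValueError:
            pass
    return out


def probe(host, port=443, timeout=5.0):
    """Return {label: "accepted" | "rejected" | "unreachable" | "unsupported locally"}."""
    results = {}
    for label, version in PROBE_VERSIONS:
        try:
            ctx = context_for(version)
        except ValueError:
            results[label] = "unsupported locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[label] = "accepted"  # handshake completed
        except ssl.SSLError:
            results[label] = "rejected"  # server refused this version
        except OSError:
            results[label] = "unreachable"  # refused connection, timeout, DNS
    return results


def findings(results):
    """Turn probe results into a list of policy violations (empty = compliant)."""
    out = []
    for label, state in results.items():
        if state == "accepted" and label not in ACCEPTABLE:
            out.append(f"{label} accepted: deprecated protocol version is enabled")
    if results.get("TLS 1.2") != "accepted" and results.get("TLS 1.3") != "accepted":
        out.append("neither TLS 1.2 nor TLS 1.3 accepted: no supported version available")
    return out


if __name__ == "__main__":
    import sys

    target_host = sys.argv[1]  # assumed: host as first argument
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe(target_host, target_port)
    for label, state in res.items():
        print(f"{label:8} {state}")
    for finding in findings(res):
        print("FINDING:", finding)
```

Run it against the HTTPS port of the ICM or the Web Dispatcher; a result of "unsupported locally" for SSL 3.0 only means the scanning machine cannot speak it, so such a version still needs a second check from a host with an older TLS library or a dedicated scanner. The policy evaluation is kept separate from the network code so it can be applied to results gathered by any other tool.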
There is a lot more information available on this topic, some starting points are:
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Try out Protect4S for 1 month for free or request a demo!