Fortinet for SAP Knowledge Base
MattCzwi
Staff
Article Id 263371
High-Level Summary of This Section

 

The modern SAP system, and its migration to the cloud, enable ever more interfaces and connections to other SAP and non-SAP systems that are internal and external to an organization. Defending a business’s most vital application is as complex as it is critical. An SAP deployment may involve multiple landscapes spread across hybrid premises and cloud footprint running on a variety of software-defined networks (SDNs). Frontends, application servers, and databases must be segmented against lateral infection and unauthorized access. With user connections and data largely encrypted by SSL, high-performing, inline deep packet inspection is a necessity. At the same time, security must have no perceptible impact on the user experience and system performance. With so many vectors to protect against, visibility can be a challenge across such a broad and diverse infrastructure as SAP.

 

Fortinet’s Security Fabric platform specifically addresses SAP’s most common and emerging threats by providing a unified security context that is simultaneously integrated with and independent of the underlying infrastructure. Fortinet uniquely provides the high-performing network and content protection that an SAP deployment demands.

 

The role of the SAP Web Dispatcher

 

The SAP Web Dispatcher is an SAP software component located between the Web client (browser) and the SAP system running the Web application. The SAP Web Dispatcher connects SAP users to SAP Application Servers and balances load between SAP AppServers. It provides basic capabilities but is not intended to provide security functionality like a web application firewall (WAF).

 

Limited security functionality leads to risk for cybersecurity attacks

 

Cybercrime is on the rise, and cybercriminals are becoming smarter and more dangerous, using scripted attacks that improve their speed and scale. Many organizations use Fortinet’s FortiADC and configure the SAP Connector to provide their business-critical applications with advanced protection, 24x7 availability, and optimization.

 

[Figure: Security functionality]

How FortiADC provides advanced services for SAP

 

FortiADC is an advanced application delivery controller that enhances SAP applications' security, scalability, and performance. FortiADC provides WAF, intrusion prevention system (IPS), SSLi, link load balancing, and user authentication in one solution, whether SAP applications are hosted on-premises or in the cloud. Deploy FortiADC as either a physical or virtual machine (VM) or a cloud solution.

 

Dynamic SAP integration

 

FortiADC secures SAP both with SAP connector and by integrating application delivery into the Fortinet Security Fabric. The SAP connector gets changes from the SAP Message Server. All SAP web traffic to the SAP Application Servers is protected with end-to-end encryption using the FortiADC.

 

Full-featured WAF and more

  • Detect zero-day attacks
  • Protect against the OWASP Top 10 and many other threats
  • Enterprise-class layer 4-7 ADC
  • Disaster recovery and multi-site availability using FortiGSLB Cloud
  • Application-layer DDoS protection and web filtering
  • IPS, Geo-IP, and IP reputation
  • Support for multiple deployment modes

 

Simplify setup and management

 

An intuitive user interface streamlines configuration alongside the CLI and APIs. Automated configuration gathers information from the SAP ICM configuration (HTTP/HTTPS ports, virtual hosts, etc.) and discovers additional application server instances. The SAP connector provides a topology view of the SAP landscape within the network for easier management and unified visibility across multi-cloud and on-premises deployments.

 

Use real-time threat intelligence

 

Each day Fortinet FortiGuard Labs uses one of the most effective and proven artificial intelligence (AI) and machine learning (ML) systems in the industry to process and analyze more than 10 billion events, sending actionable real-time threat intelligence to customers. The FortiADC Fabric Connector enables the SAP connector to use FortiGuard Labs threat intelligence. Through deep integration with the Fortinet Security Fabric, FortiADC also integrates with additional Fortinet products such as FortiSandbox, which decrypts, scans, and re-encrypts files before they reach the end user, detecting both known and unknown threats.

 

Optimize maintenance

 

The SAP connector automatically adds or removes SAP Application Servers. For example, if an SAP Application Server goes offline, FortiADC removes it from the pool, and likewise, if a new server is deployed, it is automatically added.

 

Enterprise protection for SAP

 

Fortinet protects all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, 3rd party systems in multi-cloud environments and on-premises. By replacing the SAP Web Dispatcher with FortiADC, organizations not only improve security visibility and traffic but gain advanced functionality for their SAP systems.

 

Secure your SAP system with Fortinet

 

As the world evolves, businesses turn to SAP to remain resilient, agile, and innovative. SAP is a business's most critical application, and protecting its sensitive data is vital. Fortinet's holistic coverage ensures SAP systems are protected and that security policy and visibility remain unified across hybrid and multi-cloud footprints. While SAP's Web Dispatcher provides basic security, many organizations use FortiADC to reduce their security risk and leverage additional functionality.

 

Web Application Firewall

Multiple levels of protection to defend against attacks that target your SAP applications with native WAF integration.

 

API protection

Protection for SAP APIs (JSON, SOAP & XML) against security threats and attacks.

 

Antivirus and IPS

FortiADC has built-in IPS capabilities to provide an additional layer of security.

FortiADC is part of Fortinet's Security Fabric, which provides a broad, integrated, and automated cybersecurity framework. It weaves together all operational and technical security facets, creating a consistent structure for the SAP security landscape's needs.

[Figure: FortiADC SAP Connector]

SAP Well-Architected Security

 

SAP's well-architected security starts with considering how SAP traffic will transit the infrastructure and where boundaries of trust reside. Segmenting SAP from other workloads establishes a minimum boundary of trust and inspection. Critically, this includes the internal segmentation of application servers, front ends, and databases to prevent lateral attacks through impersonation or privilege escalation. This segmentation best practice enables the FortiGate to deliver high-performance, low-latency SAP security through deep packet and content inspection specific to SAP services. Security effectiveness alone is not enough; the real key to success is delivering that inspection without impacting transaction times for users or impeding database processes. The Fortinet FortiOS operating system brings various forms of hardware and software acceleration to bear, removing the compromise between security and performance.

[Figure: SAP east-west segmentation]

 

High-Performance Intrusion Prevention and Content Inspection

 

Addressing targeted SAP threats requires the security apparatus to be application-aware of the SAP systems running within the security boundary. The Fortinet FortiGate NGFW provides many features tailored to SAP. The FortiGate, combined with FortiGuard Threat Intelligence, delivers validated, industry-leading IPS technology. FortiGuard Labs delivers SAP threat intelligence to the FortiGate's IPS engine to protect against well-known and emerging threats. Common exploits such as relay attacks, command execution, and SQL injection in SAP NetWeaver ABAP and Java and other services are mitigated with microsecond latency. Configuration errors are minimized because SAP heuristics and signatures are enabled in the default IPS policy. Figure 13 shows a sampling of these.

 

[Figure 13: Sample of IPS signatures for SAP]

 

Year after year, Fortinet has been reported as a standout leader in next-generation IPS through independent studies such as those by NSS Labs and Virus Bulletin. Fortinet's catch rate for exploit and exploit evasion attempts is among the highest in the industry.

[Figure: Fortinet NSS-tested catch rates]

 

As malicious actors evolve their attack and evasion techniques against SAP, static signatures and even heuristics may miss novel attacks. Traditional signature detection is reactive, as the signatures are merely fingerprints of threats that have already been seen. Fortinet's patented compact pattern recognition language (CPRL) is a deep-inspection, proactive signature-detection technology developed through years of research by FortiGuard Labs. A single CPRL signature can catch 50,000 or more variants of a family of malware. It includes decryption, unpacking, and emulation of code for robust static analysis, which reduces the volume of code that needs full sandboxing. CPRL proactive signature detection helps cast a wider net over the attacks and methods of modern advanced persistent threats (APTs) and advanced evasion techniques (AETs), preserving full sandbox analysis for the most sophisticated threats.

 

APTs pursue SAP systems with multistage attacks aimed at an organization's most valuable data. Further, threat actors may attempt reconnaissance and social engineering to aid infiltration. APTs against SAP require the advanced countermeasures that FortiSandbox enables. FortiSandbox is a rigorous inspection tool that can fully execute and analyze content and executable code to uncover APTs, exploring all code execution paths. Combining sandboxing with proactive signature detection minimizes the opportunity for APTs. With Fortinet Security Fabric integration, threat intelligence is distributed across the network footprint in real time to continually elevate the security posture.

 

SSL Inspection

 

It's no secret that the majority of HTTP traffic is SSL encrypted, for obvious reasons. As SAP has embraced HTTP as the protocol for modern S/4 deployments and customers move away from the SAP GUI thick client, the guidance has been to "maintain end-to-end encryption." In general, this is very sound advice. However, because encryption is merely a tool, it can shield any traffic from detection, including malware. Today more than 60% of malware is encrypted. Faced with this seemingly conflicting guidance, localized SSL inspection (decrypt, inspect, re-encrypt) provides both visibility into malicious traffic flows and preserves the best practice of "end-to-end encryption." While this is a sound security approach when done correctly, performance impacts can cause user experience and database lock times to suffer. For instance, NSS Labs has found that, on average, deep packet inspection reduces throughput by 60%, decreases connection rates by 92%, and increases response times by a whopping 672%. Fortinet removes this compromise between security and performance in a variety of ways.

 

Physical FortiGate NGFWs are equipped with proprietary hardware acceleration that offloads encryption functions to a security processing unit. This Fortinet-only capability boasts performance advantages of up to 20x that of competitors in the latest-generation devices. To deliver differentiated performance in virtual form factors, FortiGate implements the virtual security processing unit (vSPU) as a virtualized application-specific integrated circuit (ASIC) in conjunction with a unique decryption load-balancing service. The FortiGate running as a VM in a public or private cloud delivers 5-7x the performance of competitive NGFWs.

 

With Fortinet, SAP decision-makers can be assured that Fortinet provides the highest security catch rates with the most significant performance levels possible.

 

Hybrid Cloud Security Context

 

SAP S/4HANA is the core of SAP's modern Intelligent Enterprise solution that extends line-of-business applications from the data center to the cloud. By adopting the cloud, SAP allows the enterprise to focus on activities that create brand value. A hybrid cloud deployment permits flexibility between customization and speed to market. This opportunity is not without cyber risks. The hybrid footprint makes protecting dynamic edges a challenge where SAP systems may federate across these platforms. For every bit of brand value SAP creates, poor administration and poor security practices can destroy that value. Security implemented for SAP systems must unify these various platforms and edges in a single security context. The Fortinet Security Fabric does this by generating real-time threat intelligence shared across the entire SAP security boundary.

 

Hybrid cloud-data center deployments present multiple, continually evolving edges that require a single security context. A high-level view of a two-tiered, hybrid deployment is depicted in Figure 15. The data center shows the typical enterprise resource planning (ERP) system on a software-defined stack. Network segmentation is implemented as microsegmentation with FortiGate NGFW policies attached at each virtual network interface card (VNIC). Similarly, the cloud is deployed on the cloud provider's SDN with subnet-level segmentation with east-west and north-south inspection between application tiers. This model aligns with version 2.0 of the SAP Security Baseline Template for segmenting SAP application zones. Identity services are synchronized from the data center into cloud single sign-on (SSO).

 

[Figure 15: Hybrid infrastructure security]

 

A single point of truth and management for policies is deployed in the cloud (though it can be deployed anywhere) and manages security across the entire domain. Threat intelligence should be coordinated to ensure a single view of the active threat landscape. In this way, policy can be activated in real time, relative to correlated indicators of compromise across the hybrid footprint. Fortinet FortiManager and FortiAnalyzer coordinate management and threat intelligence everywhere Fortinet network security is deployed. FortiManager and FortiAnalyzer can be deployed on-premises or in the cloud. In Figure 15, management is deployed into the cloud to coordinate the entire security deployment across the hybrid environment.

 

Next-generation software-defined data centers (SDDCs) and clouds run on SDNs that are API-driven. The rich metadata of the SDN benefits security by providing information on the objects and networks in the SDN. FortiGate NGFWs harvest this metadata through Fabric Connectors to implement dynamic policies. As SAP workloads are pushed into production, metadata filters inform the FortiGate on how to apply policy, so a new server tagged as part of a given SAP tier is covered by the tier's policy without a manual address change. This automation drives business intent and non-blocking production security for new service deployments.
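As an added illustration of the dynamic-policy pattern described above (an example configuration written for this article, not taken from the original page or from Fortinet's documentation), the following FortiOS CLI fragment defines two dynamic address objects resolved from SDN tags through a Fabric Connector and a single east-west policy that lets only the web tier reach the SAP application tier on the ICM HTTPS port, with deep inspection and IPS applied. The connector name "sdn-sap", the tag key and values, the interface names, and the port 44300 are assumptions.

```fortios
# Dynamic address objects: membership is resolved from SDN metadata
# pulled by the Fabric Connector, so a new SAP app server tagged
# Role=sap-app is covered the moment it is deployed (assumed tags).
config firewall address
    edit "sap-web-tier"
        set type dynamic
        set sdn "sdn-sap"
        set filter "Tag.Role=sap-web"
    next
    edit "sap-app-tier"
        set type dynamic
        set sdn "sdn-sap"
        set filter "Tag.Role=sap-app"
    next
end

# Service object for the SAP ICM HTTPS port. 44300 is an assumed
# instance port; take the real value from the ICM configuration.
config firewall service custom
    edit "SAP-ICM-HTTPS"
        set tcp-portrange 44300
    next
end

# East-west policy: only the web tier may reach the app tier, and only
# on the ICM port. Deep inspection decrypts locally for IPS and then
# re-encrypts; any other flow between the tiers hits the implicit deny.
# port1/port2 are assumed web-tier and app-tier interfaces.
config firewall policy
    edit 0
        set name "sap-web-to-app"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "sap-web-tier"
        set dstaddr "sap-app-tier"
        set action accept
        set schedule "always"
        set service "SAP-ICM-HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Because the address objects are dynamic, verifying the resolved members after a deployment (rather than the filter string alone) is the check that confirms a new server actually landed in the intended tier.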

 

[Figure: Fabric Connector dynamic filter]

The SAP Web Dispatcher Case

 

SAP S/4 shifts much of SAP's user interaction from SAP GUI to a user's browser and HTTP/s protocol. As this encrypted web traffic grows, the opportunity to exploit common web vulnerabilities expands, creating a larger attack surface. Web Dispatchers are deployed for load balancing to SAP Fiori systems. Still, they lack any ability to protect back-end resources from cross-site scripting, SQL injection, JavaScript exploits, and other common Open Web Application Security Project (OWASP) attacks. SAP recommends maintaining end-to-end encryption along with appropriate patching. While this is a best practice, most malware is encrypted as well, which still leaves a gap in protection.

 

FortiWeb web application firewall (WAF) is a dedicated HTTP/s protection platform that goes beyond protecting known OWASP Top 10 threats to implementing auto tuning and machine learning. FortiWeb does this while maintaining full-length encryption and only decrypting locally to support inspection. FortiWeb lifts the burden of cumbersome manual tuning and distracting false positives. FortiWeb looks for the user's habits and patterns to build security tailored to the sessions that should be permitted. FortiWeb goes beyond firewalling to providing virtual patching. FortiWeb can be deployed as a physical or virtual instance or as Software-as-a-Service (SaaS) as the most effective way to protect your web services in SAP.

 

[Figure: FortiWeb Web Application Firewall protects SAP Web Dispatcher traffic using AI and ML]

 

FortiCASB is a Fortinet-developed cloud-native Cloud Access Security Broker (CASB) solution designed to provide visibility, compliance, data security, and threat protection for cloud-based services employed by an organization. FortiCASB provides policy-based insights into users, behaviors, and data stored in major SaaS applications. For organizations that must comply with regulatory requirements and industry mandates, FortiCASB has predefined policies for common regulatory standards to detect violations, with actionable recommendations to remediate, along with reports for auditing and tracking. FortiCASB monitors malicious traffic, malware and sensitive data, suspicious user activity, and compliance violations with predefined, out-of-the-box security policies.

 

  • Uses RESTful APIs to integrate directly with SAP Identity Authentication Service (IAS) to monitor and track SAP IAS user activities such as logins, user assignments, updates, etc.
  • Integrates with SAP SuccessFactors using an API-based approach, pulling data directly from SAP SuccessFactors via RESTful API. Uploaded documents are scanned to determine whether they are malicious, and log files are reviewed to verify that the traffic is valid.

 

FortiCNP uses User Entity Behavior Analytics (UEBA) to look for suspicious or irregular user behavior and sends alerts for malicious behavior. A centralized dashboard displays security events and user activity in real-time to shorten the time to insight.

 

FortiWeb Cloud WAFaaS natively integrates into public clouds to protect hosted web applications without deploying and managing infrastructure.

 

SAP Compliance

 

With the increase in hybrid architectures and cloud usage, the user base and resources have become perimeterless, in the sense that they are now distributed across landscapes and infrastructure, especially in the cloud as organizations adopt multi-cloud environments to reduce concentration risk. Fortinet brings tools to security teams such as FortiCNP cloud native protection (CNP). Using FortiCNP, security teams can evaluate their cloud configuration security posture, detect potential threats originating from misconfiguration of cloud resources, analyze traffic across cloud resources (in and out of the cloud), and evaluate cloud configuration against best practices. It enables risk management throughout multi-cloud infrastructures, provides regulatory compliance reporting, and integrates remediation into the cloud infrastructure life-cycle automation framework. Fortinet enables automatic, continuous tracking of risk and compliance. Reports are generated in a single centralized dashboard across your public cloud providers for holistic monitoring. Fortinet enables a holistic understanding of the risk posture and compliance levels of SAP resources deployed in the cloud, considering the overall ecosystem and not only the SAP landscape.

 

This level of granularity gives CISO teams a single pane of glass to track risk and generate National Institute of Standards and Technology (NIST), Security Operations Center (SOC), and General Data Protection Regulation (GDPR) reports. CISO teams can provide a security health snapshot of the SAP landscape within the organizational context.


 

[Figure: FortiCWP GDPR example compliance report]
