April 24, 2013

There are many methods from which you can access an SAP Application Server, but one of the more widely used applications is the SAP GUI client. This client is typically installed directly onto an end user's PC, and then configured in order to provide connectivity to each of the SAP systems a company may have in place (i.e. Development, Quality Assurance, Production, etc.).

Despite its widespread use, SAP GUI is not the most secure client "out of the box."

By default, the data transfer between the SAP GUI client and the SAP Application Server is compressed using the standard Huffman encoding compression algorithm. If you were to perform a packet capture of the data being transferred, it would appear to be illegible to read; however, it is not secured. In order to better understand this, you will need to know the difference between compression and encryption.

Data compression is a method of modifying the data being transferred in order to reduce the overall size of it. It also reduces the network bandwidth used during the data transfer. Data that has been compressed, must be decompressed once it has reached its destination in order to be used. If the data were to be compromised, it could be decompressed by an attacker so long as they know the compression algorithm used.

Data encryption is a method of modifying data in order to keep its contents secret. Once encrypted data reaches its destination, it must be decrypted before use. Unlike with decompression, merely knowing the algorithm used will not allow you to be able to view the data. Decryption requires a special key, known only to both members of the communication.

In its default state, it would be trivial for an attacker to decompress the data being transferred between SAP GUI and the SAP Application Server. Once the data has been compromised, the attacker would be able to view the entirety of the data transfer including:
    - Any UserID/Password entered into the system
    - Any transaction executed by the user
    - Any corporate data entered into the system

The image above shows the data transfer created during a user’s logon to the SAP Application Server after the compression has been removed. As you can see, the userid “testuser” is authenticating with the password “thisismypassword.”

In order to secure connections between SAP system components, the SAP interface for Secure Network Communications (SNC) must be used.

SNC offers the following protection to the communication:
    - Authentication
     Both the client and the server are always authenticated to each other.
    - Data Integrity
     The data transferred between the client and the server is protected so that if there is any manipulation of the data it will be detected.
    - Data Privacy
     The data transfer will now be encrypted, providing privacy protection. An attacker will not be able to access the data contained within it.
Subscribe to RSS Feed Follow me on Twitter!