Event Summary
During the course of product evaluations for a customer, the Technology Evaluation
Center has uncovered a potential security hole in SAP R/3's three-tier architecture.
SAP has revealed that it expects the database or third party products to handle
security between the application server and the database server. If the client
does not take these extra measures, the master password for the SAP database
instance travels over the network in the clear, and can be captured. PeopleSoft
has the same issue.
The original answer to TEC's questions to Dr. Peter Barth, Technology Marketing
Manager for SAP AG in Walldorf, Germany, was "With all the customers using SAP
R/3, I have never heard this question before. We will have to investigate it
further."
Further investigation by Walldorf revealed the following response: "SAP supports for
the connection between database and application server support by security standards
provided by the database as well as open interfaces to external security products.
Typically, database specific features - from e.g. Oracle, MS SQL, etc. - are
used to protect initial logon. In case the data transfer needs to be secure
also, either database specific or database independent security mechanisms can
be used. However, note that SAP advises to use a separate, internal subnet in
the networking environment. Thus, if it is physically impossible to sniff, the
security mechanisms are not mandatory. Note that application server and database
server are expected to be in a LAN environment and not connected via WAN or
open Internet connection to the outside world (only the presentation client
should be used over WAN and open Internet connection; here security can be achieved
by various means, e.g., PKI infrastructure)."
SAP states that their Secure Network Communications Interface (BC-SNC) has the following
certified interfaces: CyberSafe (TrustBroker Security Solution for R/3), Entrust/PKI,
Platinum Technology (Computer Associates) Single Sign On, Seclude Sicherheitstechnologie
Informationssysteme Seclude for R/3, and Security Dynamics Technology Keon Agent
for R/3. They state "SAP has decided not to include cryptographic modules in
its own software. Instead, external products can be integrated."

Market Impact
TEC feels that this approach to security is inadequate. Our customer was not informed
that this was an issue (note that SAP said they had never heard the question before).
Even though SAP explicitly recommends that R/3 users put the database and application
servers on a separate, internal subnet, our fear is that a customer will fail
to install a third-party security product, making it possible for a disgruntled
employee to "sniff" (examine packets travelling over the network) the ID and
password that "own" the SAP instance. In the case of PeopleSoft, the traffic
between the client and the application server is secured via encryption, but
the same lack of encryption exists between the application server
and the database server.
User Recommendations
Customers using either SAP or PeopleSoft in a three-tier configuration should
be very careful to employ a third-party encryption product that has been certified
by the ERP vendor. In the absence of this, or of a secure database client (e.g.,
Secure Oracle), a serious security breach could occur.
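The rule the article and SAP's response describe, applied as an audit over an inventory of application-server-to-database links. This is an added example, not code from the TEC article, SAP or PeopleSoft; all host names, addresses and the subnet are constructed sample data, and the pass/warn/fail levels are this example's own convention.

```python
# Added example (not from the TEC article): audit application server -> database
# server links against the rule discussed above. An encrypted session (certified
# SNC product or secure database client) passes; a cleartext logon confined to
# the dedicated internal subnet is only a warning (acceptable per SAP's guidance,
# but any insider on that LAN can still capture the master password); a cleartext
# logon that crosses outside that subnet fails. All sample data is constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class DbLink:
    name: str            # label for the link (constructed)
    app_server: str      # IP of the SAP/PeopleSoft application server
    db_server: str       # IP of the database server
    encrypted: bool      # SNC product or secure DB client protects the session


def confined_to_subnet(link: DbLink, internal: IPv4Network) -> bool:
    """True only when both endpoints sit inside the dedicated internal subnet."""
    return (ip_address(link.app_server) in internal
            and ip_address(link.db_server) in internal)


def assess_link(link: DbLink, internal: IPv4Network) -> tuple[str, str]:
    """Return (level, reason); level is 'pass', 'warn' or 'fail'."""
    if link.encrypted:
        return "pass", "database session is encrypted"
    if confined_to_subnet(link, internal):
        return "warn", ("cleartext logon confined to the internal subnet; "
                        "any host on that LAN can still capture it")
    return "fail", "cleartext database logon crosses outside the internal subnet"


def audit(links: list[DbLink], internal: IPv4Network) -> dict[str, str]:
    """Map each link name to its level, e.g. for a deployment checklist gate."""
    return {link.name: assess_link(link, internal)[0] for link in links}


# Constructed inventory: one dedicated server subnet and three links into it.
INTERNAL = ip_network("10.10.5.0/24")
SAMPLE_LINKS = [
    DbLink("prd-app1->prd-db", "10.10.5.10", "10.10.5.20", encrypted=False),
    DbLink("prd-app2->prd-db", "10.10.5.11", "10.10.5.20", encrypted=True),
    DbLink("remote-app->prd-db", "192.168.40.7", "10.10.5.20", encrypted=False),
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        level, reason = assess_link(link, INTERNAL)
        print(f"{level.upper():5} {link.name}: {reason}")
```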