Using Firewall Systems for Access Control

A firewall is a system of hardware and software components that defines which connections may pass between communication partners. By placing a firewall system between, for example, your intranet and the Internet, you can allow a defined set of services to pass between the network zones while keeping all other services out. For example, you can allow users in your company's intranet to use Internet services such as mail or HTTP, but not services such as telnet.

The graphic below shows an example firewall scenario. Note that the machines in the so-called demilitarized zone (DMZ) are not directly accessible from either the internal or the external network: every connection to them passes through a router or packet filter, and these are configured to allow only connections for the specified network services.

[Figure: Firewall System]

Firewall Types

There are two primary firewall types:

●     Packet filters

Packet filtering functions are typically available on routers. A router's primary function is to forward network traffic based on the source and destination IP addresses, the transport protocol (for example, TCP or UDP), and the port numbers used. In this way, requests reach the server that handles them: mail (SMTP) traffic is forwarded to the company's mail server, and FTP (File Transfer Protocol) traffic to the company's FTP server.

Using the router's packet filtering functions, you can also restrict traffic based on the same information, for example, to completely block requests for undesired protocols such as telnet.

However, a packet filter only examines the packet headers. It cannot filter on information sent at the application level, such as the content of an HTTP request.

●     Application-level gateways

In contrast to packet filters, application-level gateways (proxies) work at the application level. They can permit or reject requests based on the content of the network traffic.

Examples of access control functions that an application-level gateway can perform:

●      Access control based on content: Does the request contain known attack patterns (exploits)?

●      Access control based on user authentication: Is the user permitted to access the requested resource?

●      Access control based on source network zone: Is access to the resource allowed from the source network?

For example, you can prohibit access to certain intranet resources from the Internet.

●      Access control based on source address: Is the sender address allowed to access the resource?

In addition, application-level gateways usually provide auditing and logging functions so that the network traffic can be monitored or analyzed later.
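The following Python program is an added example, not code from this guide or from SAP. It contrasts the two firewall types described above on the same constructed traffic: a stateless packet filter that decides on IP addresses and TCP ports only, followed by an application-level gateway that parses the HTTP request carried in the payload and applies the four access control functions listed (content, user authentication, source network zone, source address) and writes an audit log. All addresses, zones, rules, credentials and HTTP messages are constructed for illustration.

```python
"""Packet filter versus application-level gateway on the same traffic (added example, not SAP
code; the addresses, zones, rules, credentials and HTTP messages below are constructed)."""
import base64
import hmac
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")     # constructed internal zone
DMZ = ip_network("192.0.2.0/24")        # constructed demilitarized zone
ANY = ip_network("0.0.0.0/0")
WEB_GATEWAY = "192.0.2.10"              # constructed DMZ address of the HTTP gateway

Packet = namedtuple("Packet", "src dst dport payload", defaults=(b"",))  # payload: TCP data

# Packet filter: IP/TCP header fields only, first matching rule wins, default deny.
# Rule layout: (action, source network, destination network, TCP port or None for any).
FILTER_RULES = [
    ("allow", ANY, DMZ, 80),        # HTTP from anywhere to the DMZ gateway
    ("allow", INTRANET, ANY, 25),   # SMTP out of the intranet
    ("deny", ANY, ANY, 23),         # telnet blocked everywhere
    ("deny", ANY, ANY, None),       # default deny
]

def packet_filter(pkt):
    for action, src, dst, dport in FILTER_RULES:
        if ip_address(pkt.src) in src and ip_address(pkt.dst) in dst and dport in (None, pkt.dport):
            return action   # the payload is never consulted
    return "deny"

# Application-level gateway: parses the HTTP request carried in the payload.
ZONE_POLICY = {"/public/": {"internet", "dmz", "intranet"}, "/intranet/": {"intranet"}}
BLOCKED_ADDRESSES = {ip_address("198.51.100.7")}
USERS = {"alice": "s3cret"}                          # constructed credentials
PERMISSIONS = {"alice": {"/public/", "/intranet/"}}
ATTACK_MARKERS = ("../", "<script", "' or 1=1")      # known attack patterns (illustrative)
AUDIT_LOG = []   # (source, method, target, decision, reason)

def zone_of(addr):
    addr = ip_address(addr)
    return "intranet" if addr in INTRANET else "dmz" if addr in DMZ else "internet"

def parse_http(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("iso-8859-1")

def authenticate(headers):
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:   # bad base64 or non-UTF-8 credentials
        return None
    expected = USERS.get(user, "")
    return user if expected and hmac.compare_digest(pw.encode(), expected.encode()) else None

def application_gateway(pkt):
    try:
        method, target, headers, body = parse_http(pkt.payload)
    except ValueError:
        AUDIT_LOG.append((pkt.src, "-", "-", "deny", "malformed request"))
        return ("deny", "malformed request")
    prefix = next((p for p in ZONE_POLICY if target.startswith(p)), None)
    user = authenticate(headers)
    if ip_address(pkt.src) in BLOCKED_ADDRESSES:                           # source address
        decision = ("deny", "source address blocked")
    elif any(m in target.lower() or m in body.lower() for m in ATTACK_MARKERS):  # content
        decision = ("deny", "known attack pattern")
    elif prefix is None or zone_of(pkt.src) not in ZONE_POLICY[prefix]:    # source zone
        decision = ("deny", "resource not allowed from source zone")
    elif user is None:                                                     # authentication
        decision = ("deny", "authentication required")
    elif prefix not in PERMISSIONS.get(user, ()):                          # authorization
        decision = ("deny", "user not permitted")
    else:
        decision = ("allow", "user " + user)
    AUDIT_LOG.append((pkt.src, method, target) + decision)
    return decision

def inspect(pkt):
    """Packet filter first; HTTP packets it passes are then handed to the gateway."""
    if packet_filter(pkt) == "deny":
        return ("deny", "packet filter")
    return application_gateway(pkt) if pkt.dport == 80 else ("allow", "packet filter")

def http_request(target, user=None, pw=None):
    """Constructed HTTP/1.1 GET request, optionally with Basic authentication."""
    lines = ["GET %s HTTP/1.1" % target, "Host: www.example.com"]
    if user is not None:
        lines.append("Authorization: Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", WEB_GATEWAY, 23),
                Packet("203.0.113.9", WEB_GATEWAY, 80, http_request("/public/../../etc/passwd")),
                Packet("10.1.2.3", WEB_GATEWAY, 80, http_request("/intranet/payroll", "alice", "s3cret"))):
        print(pkt.src, pkt.dport, inspect(pkt))
```

The point to take from the run: the telnet packet never gets past the packet filter, but the path-traversal request is an ordinary TCP packet to port 80 from the packet filter's point of view and is allowed through; only the application-level gateway, which parses the request line, rejects it. Likewise, the same authenticated request for an intranet resource is allowed from the intranet and denied from the Internet purely on the source network zone, and every gateway decision lands in AUDIT_LOG for later analysis.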

SAP Application-Level Gateways

See Application-Level Gateways Provided by SAP.

Third-Party Application-Level Gateways

If you use a third-party application-level gateway, it must meet the following criteria:

●     Because SAP systems generate absolute URLs from the host and port information in the HTTP Host header, the application-level gateway must not change the Host header (for example, it must not rewrite it to the internal host name of the backend system).

●     SAP does not support unifying several backend systems under one external host name configured on the application-level gateway.

●     If external systems are integrated into the SAP NetWeaver landscape using URLs (for example, with a portal), the URLs must be reachable from internal and external systems under the same name.

●     If the gateway changes the client protocol (for example, it terminates HTTPS from the client and uses HTTP to the backend), it must also set a corresponding header field so that the SAP system generates URLs with the correct protocol:

○     On AS ABAP, the header field is clientprotocol. This name cannot be changed.

○     On AS Java, the default header field is ClientProtocol; the name can be changed with the ProtocolHeaderName property of the HTTP Provider Service.
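The following Python program is an added example, not code from this guide or from SAP. It models why the first and last criteria above matter: a backend that builds absolute URLs from the Host header and a protocol header, and a gateway that either preserves or rewrites Host and either does or does not pass the client's protocol on. The host names, port, path and the hypothetical alternative header name X-Forwarded-Proto are constructed; only the header names clientprotocol (AS ABAP) and ClientProtocol (AS Java default) come from the guide.

```python
"""Host header and protocol header at a reverse proxy in front of an SAP system (added example,
not SAP code). A toy model of a backend that derives absolute URLs from the Host header and a
protocol header, and of what the gateway has to forward for those URLs to work. Host names, the
port and the path are constructed; only clientprotocol / ClientProtocol come from the guide."""

BACKEND_HOST = "sapapp.internal:50000"   # constructed: name and port the gateway connects to
EXTERNAL_HOST = "sap.example.com"        # constructed: name the clients use
PATH = "/app/start"                      # constructed path used in the generated URL

def backend_absolute_url(headers, path, protocol_header="clientprotocol"):
    """Backend model: scheme from the protocol header, host:port from Host. Header names are
    compared case-insensitively (HTTP header names are case-insensitive), so clientprotocol on
    AS ABAP and ClientProtocol on AS Java are the same header here. Without Host the backend
    falls back to its own address, without the protocol header to http."""
    lowered = {name.lower(): value for name, value in headers.items()}
    scheme = lowered.get(protocol_header.lower(), "http")
    host = lowered.get("host", BACKEND_HOST)
    return "%s://%s%s" % (scheme, host, path)

def gateway_forward(client_headers, client_scheme, preserve_host=True, protocol_header=None):
    """Gateway model: it always talks plain HTTP to the backend. preserve_host=False rewrites
    Host to the backend name (the misconfiguration the guide rules out); protocol_header is
    the header in which the gateway passes on the scheme the client actually used."""
    headers = dict(client_headers)
    if not preserve_host:
        headers["Host"] = BACKEND_HOST
    if protocol_header:
        headers[protocol_header] = client_scheme
    return headers

def url_reaches_client(url, client_scheme, client_host):
    """Does a backend-generated URL point back through the gateway as the client sees it?"""
    return url.startswith("%s://%s/" % (client_scheme, client_host))

CLIENT_HEADERS = {"Host": EXTERNAL_HOST, "User-Agent": "example-browser"}   # constructed request

def scenario(preserve_host, gateway_header, backend_header="clientprotocol"):
    """Client connects over HTTPS; returns the URL the backend generates and whether it is usable.
    gateway_header is the name the gateway sets, backend_header the name the backend expects
    (fixed clientprotocol on AS ABAP, ProtocolHeaderName on AS Java)."""
    forwarded = gateway_forward(CLIENT_HEADERS, "https", preserve_host, gateway_header)
    url = backend_absolute_url(forwarded, PATH, backend_header)
    return url, url_reaches_client(url, "https", EXTERNAL_HOST)

if __name__ == "__main__":
    print("Host rewritten, no protocol header:     ", scenario(False, None))
    print("Host preserved, no protocol header:     ", scenario(True, None))
    print("Host preserved, ClientProtocol set:     ", scenario(True, "ClientProtocol"))
    print("Gateway and backend header names differ:", scenario(True, "X-Forwarded-Proto", "ClientProtocol"))
```

Only the third scenario yields a URL (https://sap.example.com/app/start) that a browser on the Internet can follow. Rewriting Host produces a URL with the internal name and port, which is exactly the unreachable redirect the first criterion warns about; preserving Host but omitting the protocol header produces a plain-http URL for a client that connected over HTTPS; and a gateway that sets a header name the backend is not configured for (here the hypothetical X-Forwarded-Proto against an AS Java expecting ClientProtocol) behaves as if no header were sent. With Apache httpd as the gateway, for instance, the working case corresponds to ProxyPreserveHost On together with RequestHeader set ClientProtocol https in the HTTPS virtual host. The third criterion adds that sap.example.com must also resolve for intranet clients, since the same generated URLs are served to both.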

See also:

●     Network and Communication Security in the Portal Security Guide

●     HTTP Provider Service in the AS Java Administration Guide

●     SAP Note 833960: Supported Application Gateway Configurations