Using Firewall Systems for Access Control
The firewall is a system of hardware and software components that define which connections are allowed to pass back and forth between communication partners. By using a firewall system, for example, between your intranet and the Internet, you can allow a defined set of services to pass through the different network zones while keeping other services out. For example, you can allow users in your company's intranet to use internet services such as mail or http, but not other services such as telnet.
The following figure shows an example firewall scenario. Note that the machines in the so-called “demilitarized zone” are not directly accessible from either the internal or the external networks. The routers and packet filters are configured to allow only connections for specified network services.
Firewall Types
There are two primary firewall types:
- Packet filters
  The functions used for packet filtering are typically available with routers. The router's primary function is to route network traffic based on the source or destination IP addresses, TCP ports, or protocols used. In this way, certain requests are routed to the server that can best handle the request. For example, mail requests are routed to the company's mail server, and ftp (file transfer protocol) requests are routed to the company's ftp server.
  By using the router's packet filtering functions, you can also restrict traffic based on this same information, for example to block all requests that use an undesired protocol such as telnet.
  However, a packet filter cannot filter information sent at the application level.
- Application-level gateways
  Contrary to packet filters, application-level gateways (proxies) work at the application level. They can permit or reject requests based on the content of the network traffic.
  In addition, application-level gateways often provide auditing and logging functions so that the network traffic can be monitored or analyzed at a later time.
Third-Party Application-Level Gateways
When using a third-party application-level gateway, the gateway must meet the following criteria:
- Because SAP systems generate absolute URLs based on the host and port information found in the host header, the host header must not be changed by the application gateway.
- SAP does not support the unification of multiple back-end systems under one external hostname configured on the application-level gateway.
- If external systems are to be integrated in the SAP NetWeaver landscape using URLs (for example, with a portal), then the URLs must be accessible from internal and external systems under the same name.
- If it is necessary to change the client protocol (for example, from HTTP to HTTPS), then you also have to set a corresponding header variable so that the SAP system can generate URLs correctly.
  - On SAP NetWeaver AS for ABAP, the header variable is clientprotocol. This variable cannot be changed.
  - On SAP NetWeaver AS for Java, the default header variable is ClientProtocol, which can be changed by modifying the ProtocolHeaderName in the HTTP Provider Service.
- SAP Note 833960: Supported Application Gateway Configurations
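The following is an added example (not SAP code) that models the first and fourth criteria above: a gateway that terminates HTTPS and forwards plain HTTP to the back end must leave the Host header untouched and set the client-protocol header, or the back end will generate wrong absolute URLs. The header names clientprotocol and ClientProtocol are the ones named on the page; the request model, host names and check function are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    scheme: str                  # scheme the receiving side sees on the wire
    headers: dict = field(default_factory=dict)
    path: str = "/"

def backend_absolute_url(req: Request, protocol_header: str = "clientprotocol") -> str:
    """Absolute URL the back end would embed in its response, built from the
    Host header and the client-protocol header (falling back to the wire scheme)."""
    hdrs = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
    scheme = hdrs.get(protocol_header.lower(), req.scheme)
    return f"{scheme}://{hdrs['host']}{req.path}"

def gateway_forward(client_req: Request, rewrite_host: Optional[str] = None,
                    set_protocol_header: bool = True,
                    protocol_header: str = "clientprotocol") -> Request:
    """Gateway that terminates HTTPS and forwards plain HTTP to the back end.
    rewrite_host and set_protocol_header=False model the two misconfigurations."""
    headers = dict(client_req.headers)
    if rewrite_host:
        headers["Host"] = rewrite_host          # violates the first criterion on the page
    if set_protocol_header:
        headers[protocol_header] = client_req.scheme
    return Request(scheme="http", headers=headers, path=client_req.path)

def check_gateway(client_req: Request, forwarded: Request,
                  protocol_header: str = "clientprotocol") -> list:
    """Findings a reviewer of the gateway configuration would raise."""
    findings = []
    if client_req.headers.get("Host") != forwarded.headers.get("Host"):
        findings.append("host header rewritten by gateway")
    if client_req.scheme != forwarded.scheme and protocol_header not in forwarded.headers:
        findings.append(f"protocol changed but {protocol_header} header not set")
    return findings

# Constructed sample: an external user reaches the gateway over HTTPS.
CLIENT = Request(scheme="https", headers={"Host": "portal.example.com"}, path="/sap/bc/ping")

if __name__ == "__main__":
    good = gateway_forward(CLIENT)
    bad = gateway_forward(CLIENT, rewrite_host="backend.internal:8000", set_protocol_header=False)
    print(backend_absolute_url(good), check_gateway(CLIENT, good))
    print(backend_absolute_url(bad), check_gateway(CLIENT, bad))
```

With the misconfigured gateway the back end emits an http:// URL pointing at the internal host name, which external clients cannot reach and which drops the user out of HTTPS.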