Encrypting SAP Network Connections 

The protection of network connections includes three levels of security:

  1. Authentication
    The communication partners prove their identity to each other.
  2. Integrity
    Any modification of the data in transit is detected.
  3. Confidentiality
    The data is encrypted so that it cannot be read in transit.

Cryptographic methods are used at all three levels. Authentication is the lowest level of security, confidentiality the highest, and each higher level includes those below it: integrity protection requires authentication, and confidentiality requires both.

Note that the use of cryptographic methods can be subject to national restrictions.

You can use cryptographic methods at different layers in the network protocol stack:

  1. Physical Layer
    The physical layer is a passive component that offers no encryption of data. Physical security of the transmission medium itself is not discussed in this documentation.
  2. Data Link Layer
    The network packets in the data link layer (Ethernet frames, for example) can be encrypted directly by the network card. Because this requires special hardware, it is rarely used on general-purpose computers.
  3. Network Layer
    There are several standards for securing data at the network layer (the IP layer, for example); the best known is IPsec, which is also specified as part of IPv6.
  4. Transport Layer
    There are also a number of standards at the transport layer (the TCP layer, for example). The Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), are used particularly often on the Internet.
  5. Application Layer
    Most applications at this layer define their own security protocols. SAP does not implement a security protocol of its own; instead it uses Secure Network Communication (SNC) as an interface to the security products of other vendors. See below for more information.

Securing Data Below the Application Layer

You can secure the transmission of data in any layer below the application layer. The mechanism you use must be completely transparent to the SAP System, since SAP does not support these methods directly.

There is a range of products that add security functions to the TCP/IP protocol stack of the operating system while remaining transparent to the application. For example, an external program on a firewall system can authenticate each TCP connection without the communication partner being aware of it. Some vendors add security functions by modifying the TCP/IP protocol stack directly. You can use these products together with the SAP System, but you must check carefully that they are compatible with the system, the SAPgui and any other SAP components you use. SAP does not test these security functions itself.

If you want to connect separate local networks through a non-secure open network such as the Internet, you could use Virtual Private Networks (VPNs). VPNs use suitable network devices (such as routers) to encrypt all network connections between two local networks. This process is completely transparent to the applications, which means that you can run your SAP connections through a VPN.

Procedures that work below the application layer can only authenticate network components to each other; they cannot authenticate the user to the SAP System. The user must still log on to the SAP System with a user name and password. An exception is web access through the Internet Transaction Server secured with Secure Sockets Layer (SSL): here the X.509 client certificate used for the SSL connection can also be used to authenticate the user in the SAP System. For more information, see ITS Security.

Securing Data in the Application Layer with SNC

SNC (Secure Network Communication) is an interface in the SAP architecture that lets you use external security products to secure SAP communication. SAP does not implement any encryption methods in its own software; instead it lets you choose the encryption procedure and the supporting infrastructure, such as key distribution. Because no cryptography ships with it, SAP software is not subject to country-specific restrictions on encryption software, and the cryptographic functions can be kept up to date by the product vendor independently of SAP releases. The security product can also provide security functions that SAP does not offer directly, such as smart cards or biometrics. A variety of products has already been certified for use with SAP. Whether SNC offers all three levels of security depends on the product you use.

This piece of documentation only describes those areas where SNC differs from other methods of securing the transmission of data. For a detailed description of SNC, see the SAP Online Documentation.

SNC secures data in the application layer. This guarantees a secure connection between SAP communication nodes (for example, between the SAPgui and the SAP application server), independently of the communication connection or transport medium used. This data security applies to SAP data traffic only.

You can use SNC for all types of external SAP communication, for example the connection between the SAPgui and the application server, the connection between two SAProuters, and access through the Internet Transaction Server.

A user who logs on through the SAPgui over an SNC connection is authenticated in the SAP System by the security product: the SNC name that the product reports for the user is mapped to the SAP user ID stored in the user master record. The user does not need to enter any other logon information such as a user name or password.
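Which protection level the application server enforces, and whether it still accepts SAPgui or RFC logons that bypass SNC, is set in the instance profile. The following script is an added example (not SAP code) that parses a profile and reports settings that fall short of SNC at the confidentiality level. The snc/* parameter names are SAP's own profile parameters; the two sample profiles, the library path libsncprod.so and the severity ratings are constructed for the example.

```python
"""Audit the SNC parameters of an SAP instance profile.

Added example, not SAP code. Profiles are ``name = value`` lines with
``#`` comment lines. The snc/* parameter names are SAP's own; the sample
profiles and the library path below are constructed for this example.
"""
import re

# Quality-of-protection levels used by snc/data_protection/{min,max,use}:
# 1 = authentication only, 2 = integrity, 3 = privacy (confidentiality).
# The value 9 means "highest level the security product offers".
QOP_NAMES = {1: "authentication", 2: "integrity", 3: "privacy"}

# Each of these, when set to 1, lets the named connection type bypass SNC.
INSECURE_SWITCHES = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
    "snc/permit_insecure_start",
)

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; a later line for the same name overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params


def qop_level(params, name):
    """QoP level for one snc/data_protection/* parameter, or None if unset."""
    raw = params.get(name)
    if raw is None:
        return None
    level = int(raw)
    return 3 if level == 9 else level


def audit_snc(params):
    """Return (severity, message) findings; an empty list means SNC is
    switched on, every connection type must use it, and privacy is required."""
    findings = []
    if params.get("snc/enable", "0") != "1":
        findings.append(("HIGH", "snc/enable is not 1: SNC is off, SAP traffic is unprotected"))
        return findings  # nothing else matters while SNC is off
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(name):
            findings.append(("HIGH", f"{name} is not set: security product cannot be loaded or identified"))
    for switch in INSECURE_SWITCHES:
        if params.get(switch, "0") == "1":
            findings.append(("HIGH", f"{switch} = 1: connections without SNC are still accepted"))
    for name in ("snc/data_protection/min", "snc/data_protection/max", "snc/data_protection/use"):
        level = qop_level(params, name)
        if level is None:
            findings.append(("LOW", f"{name} is not set explicitly; the kernel default applies"))
        elif level < 3:
            findings.append(("MEDIUM", f"{name} = {level} ({QOP_NAMES[level]}): below privacy, "
                                       "data may cross the network unencrypted"))
    return findings


# Constructed sample profiles (not taken from a real system).
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
snc/enable = 1
# hypothetical library of the external security product
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsncprod.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example, C=DE
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsncprod.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example, C=DE
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_snc(parse_profile(text)) or "no findings")
```

The weak profile is the typical migration state: SNC is on and the application server has an identity, but because snc/accept_insecure_gui and snc/accept_insecure_rfc are still 1, a SAPgui or RFC client can simply connect without SNC and fall back to password logon, and a minimum level of 1 lets a partner negotiate authentication-only sessions whose payload is sent in clear. Note that parameters in the instance profile override those in DEFAULT.PFL, so audit the merged view of both files.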

You cannot use SNC to secure the connection between the SAP application servers and the database. For this reason, SAP recommends that you operate the application and database servers in a secure network that you can protect with appropriate network tools (see Controlling Access).

You can also use SNC between two SAProuters to set up a secure tunnel between networks, as in a Virtual Private Network (see the following graphic). This infrastructure secures your connections even if some of your components have an older SAP Release. SNC is supported for all external connections of the SAP System as of Release 4.0A (full Internet Transaction Server functions are supported as of Release 4.5A). You require the most up-to-date SAProuter version.
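Whether a SAProuter forwards a connection at all, and whether it insists on the SNC-protected tunnel from the partner SAProuter for it, is decided by its route permission table (saprouttab). The following script is an added example (not SAP's saprouter code) that evaluates connection requests against such a table. It handles the entry types P (permit), S (permit SAP protocol only), D (deny) and KP/KS/KD (the same, but for a partner authenticated by SNC under the quoted SNC name), and assumes saprouter's evaluation rule: entries are tried top to bottom, the first match decides, and a request that matches nothing is denied. Matching a K entry on the partner's proven SNC name rather than its source address is this example's reading of the format; the table, hosts and SNC names are constructed.

```python
"""Evaluate connection requests against a SAProuter route permission table.

Added example, not SAP's saprouter code. It reads the saprouttab entry
types P (permit), S (permit SAP protocol only), D (deny) and KP/KS/KD
(the same, but for a partner authenticated by SNC under the given SNC
name) and assumes saprouter's rule: entries are tried top to bottom,
the first match decides, and a request that matches nothing is denied.
Treating a K entry as matching on the partner's SNC name instead of its
source address is this example's reading of the format; the table,
hosts and SNC names below are constructed.
"""
import shlex
from fnmatch import fnmatchcase

DECISIONS = {"P": "permit", "S": "permit_sap_only", "D": "deny"}


def parse_saprouttab(text):
    """Return a list of (kind, snc_name, src_pattern, dst_pattern, port_pattern)."""
    rules = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)   # quoted SNC names stay one token
        if not fields:
            continue
        kind = fields[0].upper()
        if kind in DECISIONS:                        # P/S/D: src dst port [password]
            src, dst, port = fields[1:4]
            rules.append((kind, None, src, dst, port))
        elif kind in ("KP", "KS", "KD"):             # K?: "snc-name" dst port
            snc_name, dst, port = fields[1:4]
            rules.append((kind[1], snc_name, "*", dst, port))
        else:
            raise ValueError(f"unsupported saprouttab entry: {line!r}")
    return rules


def _matches(pattern, value):
    """'*' matches anything; otherwise shell-style wildcards, e.g. 10.1.2.* or 32*."""
    return pattern == "*" or fnmatchcase(value, pattern)


def route_decision(rules, src, dst, port, snc_partner=None):
    """Decide one request. snc_partner is the SNC name the client proved
    through SNC, or None for a plain TCP connection. Returns (decision, rule);
    rule is None when nothing matched and the default deny applied."""
    for rule in rules:
        kind, snc_name, src_pat, dst_pat, port_pat = rule
        if snc_name is not None:
            if snc_partner != snc_name:              # K entries need the SNC identity
                continue
        elif not _matches(src_pat, src):
            continue
        if _matches(dst_pat, dst) and _matches(port_pat, str(port)):
            return DECISIONS[kind], rule
    return "deny", None


# Constructed table for a SAProuter at the edge of the corporate network.
BRANCH_ROUTER = "p:CN=saprouter-branch, O=Example, C=DE"
SAPROUTTAB = f"""\
# the branch office SAProuter may reach the application servers through its SNC tunnel
KP "{BRANCH_ROUTER}" 10.1.2.* 32*
# internal subnet: plain routing to the application server
P 10.1.5.* 10.1.2.10 3200
# partner subnet: SAP protocol only, no native TCP (telnet etc.)
S 192.168.0.* 10.1.2.10 3200
# everything else
D * * *
"""

if __name__ == "__main__":
    rules = parse_saprouttab(SAPROUTTAB)
    for req in (("10.1.5.7", "10.1.2.10", 3200, None),
                ("203.0.113.9", "10.1.2.10", 3200, None),
                ("203.0.113.9", "10.1.2.10", 3299, BRANCH_ROUTER)):
        print(req, "->", route_decision(rules, *req)[0])
```

The point of the K entry is that the request from 203.0.113.9 is refused as an anonymous Internet host but accepted once the same host has proven the branch SAProuter's SNC name, so the tunnel between the two SAProuters carries an identity the route table can act on rather than just an address. Keep the explicit D entry last: it documents the default, and anything placed after it is never reached.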

Comparison of Data Security Methods

The following table summarizes the main differences between securing data in the network layer and in the application layer (SNC):

Network Layer                              Application Layer (SNC)
-----------------------------------------  -----------------------------------------
External product                           External security product required
Transparent for SAP                        Certification by SAP
Authentication in the network layer        Authentication in the SAP System
Secures all network data traffic           Secures SAP network data traffic only

Example of Usage: SAPgui over the Internet

The Internet is being used increasingly for conducting business transactions. These business applications are based mostly on Web technology and therefore use a Web browser as a frontend. With the Internet Transaction Server (ITS), SAP gives you the option of operating an SAP System through a Web browser. For more information on security issues in this area, see Internet Transaction Server: Technology. You can also log on to the SAP System directly through the Internet and the SAPgui. This does not present any technical problems, since the Internet works with the same network protocol as the SAPgui, namely TCP/IP. However, because the Internet is largely an open network, neither availability nor security is guaranteed.

As well as security for the transmission of data, you also need a firewall that rejects unauthorized access and so guarantees the security of your internal network and the SAP System. For more information, see the section Controlling Access.

Securing Data in the Application Layer

The following graphic shows you how you can use SNC to secure a SAPgui connection over the Internet. Communication is secured between the end nodes SAPgui and SAP System.

The security software takes care of authentication in the SAP System. You also need authentication at the firewall to restrict access to the corporate network. Only SAP data is encrypted; access to files or the exchange of e-mail with the corporate network is not secured by SNC.

Securing Data in the Network Layer

The following graphic shows you how you can secure the transmission of data in the network layer. The data is secured between the access points to the open network, but not in the internal network.

A Virtual Private Network (VPN) is used to connect to a network in a remote subsidiary. The network components set up a secure connection to the end nodes of the Internet Service Provider that gives you access to the Internet. The network packets between the local networks are then tunneled through this connection. The connection uses a secure protocol such as IPsec. You can make use of these security functions either from devices in your network, or from an Internet Service Provider.

Dial-up connections from an individual computer can use a Virtual Private Dial-Up Network. In this case, either the network software on the frontend host or the Internet Service Provider must take responsibility for securing the data. The graphic shows in which part of the network stack the security function takes effect.

The type of data security you choose depends on your requirements. If you want to secure end-to-end data transmission, and use cryptographic methods for authentication in the SAP System, then you need to use SNC. It is particularly worthwhile to set up a corresponding infrastructure with a security product certified by SAP if you want to use SNC throughout the whole company. However, if you only want to secure the transmission of the data, a VPN is probably the simplest solution. You can then use generally available network components with security functions that secure all data traffic between the subsidiaries.