Your network infrastructure is extremely important in protecting your system, and must support the communication necessary for your business needs without allowing unauthorized access.
A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping.
If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the SAP system’s database or files.
Additionally, if users are not able to connect to the server local area network (LAN), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP Gateway components is based on the topology used by SAP NetWeaver. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP Gateway components.
SAP Gateway uses open protocols in its communication channels:
Remote Function Calls (RFC)
You must secure the communication channels. To make it difficult for unauthorized persons to obtain sensitive data passing through the channel between SAP Gateway and the consumer server, secure the communication channels using means such as:
Secure Sockets Layer (SSL) and Secure Network Communications (SNC)
Designated network segments for communication pathways
Security schemes that defend against denial-of-service attacks
SAP recommends keeping a system with business functions separate from a system providing input validation.
For a productive environment in Internet-facing scenarios, SAP recommends installing the SAP Gateway system separately from the application back-end system. This setup has the advantage that the protocols between the servers can be used for monitoring and for protecting the system against attacks.
For back-end systems based on SAP NetWeaver 7.02, it is possible to deploy the SAP Gateway add-on together with the back-end system to save time and effort. In this case, third-party products must be deployed on a separate box in front of the co-deployed system. The product should offer the relevant validation checks for the SAP systems.
For a nonproductive environment, such a co-deployed setup does not require the additional system responsible for input validation.
For more information, see Deployment Options.