
Using Firewall Systems for Access Control


The firewall is a system of hardware and software components that define which connections are allowed to pass back and forth between communication partners. By using a firewall system, for example, between your intranet and the Internet, you can allow a defined set of services to pass through the different network zones while keeping other services out. For example, you can allow users in your company's intranet to use internet services such as mail or http, but not other services such as telnet.

The following figure shows an example firewall scenario. Note that the machines in the so-called “demilitarized zone” are not directly accessible from either the internal or the external networks. The routers and packet filters are configured to allow only connections for specified network services.

Firewall Types

There are two primary firewall types:

  • Packet filters

    The functions used for packet filtering are typically available with routers. The router's primary function is to route network traffic based on the source or destination IP addresses, TCP ports, or protocols used. In this way, certain requests are routed to the server that can best handle the request. For example, mail requests are routed to the company's mail server; ftp (file transfer protocol) requests are routed to the company's ftp server.

    By using the router's packet filtering functions, you can also restrict traffic based on this information, for example to block requests that use an undesired protocol such as telnet completely.

    However, the packet filter is not able to filter information sent at the application level.

  • Application-level gateways

    Unlike packet filters, application-level gateways or proxies work at the application level. They can permit or reject requests based on the content of the network traffic.

    Example

    Examples of access control functions that the application-level gateway can process:

    • Access control based on content

      Does the request contain known exploits?

    • Access control based on user authentication

      Is the user permitted to access the resource requested?

    • Access control based on source network zone

      Is access to the resource from the source network allowed?

      For example, you can prohibit access to certain intranet resources from the Internet.

    • Access control based on source address

      Is the sender address allowed access to the resource?


In addition, application-level gateways often provide auditing and logging functions so that the network traffic can be monitored or analyzed at a later time.
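The following is an added example, not code from SAP or from this guide: a small Python model of the two firewall types described above, showing why a packet filter can only decide on addresses, ports and protocols, while an application-level gateway can additionally check request content, user authentication, source network zone and source address, and write an audit entry for every decision. All rule tables, zones, users, hosts and requests are constructed sample data; the content check is a deliberately crude pattern list, not a real exploit detector.

```python
"""Added example (not SAP's own code): model of a packet filter in front of an
application-level gateway. All rules, zones, users and addresses below are
constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

@dataclass
class Packet:
    src: str                    # source IP address
    dst: str                    # destination IP address
    proto: str                  # "tcp" or "udp"
    dport: int                  # destination port
    payload: str = ""           # application data; invisible to the packet filter
    user: Optional[str] = None  # authenticated user; known only to the gateway

# Packet-filter rule table, evaluated first-match (constructed sample rules).
# Each rule: (source network, protocol, destination port, action); port 0 = any.
PACKET_FILTER_RULES = [
    ("0.0.0.0/0", "tcp", 23, "deny"),    # block telnet completely
    ("0.0.0.0/0", "tcp", 25, "allow"),   # mail to the mail server
    ("0.0.0.0/0", "tcp", 80, "allow"),   # http to the web server
    ("10.0.0.0/8", "tcp", 21, "allow"),  # ftp only from the intranet
    ("0.0.0.0/0", "any", 0, "deny"),     # default deny
]

def packet_filter(pkt: Packet) -> str:
    """Return 'allow' or 'deny' using header fields only (no payload access)."""
    src = ipaddress.ip_address(pkt.src)
    for net, proto, port, action in PACKET_FILTER_RULES:
        if src not in ipaddress.ip_network(net):
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if port != 0 and port != pkt.dport:
            continue
        return action
    return "deny"

# Application-level gateway policy (constructed sample data).
INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")
INTRANET_ONLY = {"/hr/payroll"}                  # not reachable from the Internet zone
BLOCKED_SENDERS = {"198.51.100.7"}               # source addresses denied access
USER_ACL = {"/hr/payroll": {"alice"}, "/public": {"alice", "bob"}}
KNOWN_BAD_PATTERNS = ("../", "<script", "UNION SELECT")  # crude content check

def zone_of(ip: str) -> str:
    """Classify a source address into the 'intranet' or 'internet' zone."""
    return "intranet" if ipaddress.ip_address(ip) in INTRANET_NET else "internet"

def application_gateway(pkt: Packet, resource: str, audit: List[str]) -> str:
    """Apply the four access-control checks from the text and log the result."""
    reason = None
    if any(p in pkt.payload for p in KNOWN_BAD_PATTERNS):
        reason = "content"
    elif pkt.src in BLOCKED_SENDERS:
        reason = "source address"
    elif resource in INTRANET_ONLY and zone_of(pkt.src) != "intranet":
        reason = "source zone"
    elif pkt.user not in USER_ACL.get(resource, set()):
        reason = "user authentication"
    decision = "deny" if reason else "allow"
    suffix = f" ({reason})" if reason else ""
    audit.append(f"{pkt.src} user={pkt.user} {resource} -> {decision}{suffix}")
    return decision

def evaluate(pkt: Packet, resource: str, audit: List[str]) -> str:
    """Packet filter first; only packets it allows reach the gateway."""
    if packet_filter(pkt) == "deny":
        audit.append(f"{pkt.src}:{pkt.dport}/{pkt.proto} dropped by packet filter")
        return "deny"
    return application_gateway(pkt, resource, audit)

if __name__ == "__main__":
    log: List[str] = []
    evaluate(Packet("203.0.113.5", "10.1.1.1", "tcp", 23), "/public", log)
    evaluate(Packet("203.0.113.5", "10.1.1.1", "tcp", 80, "GET /../etc/passwd", "bob"), "/public", log)
    evaluate(Packet("203.0.113.5", "10.1.1.1", "tcp", 80, "GET /hr/payroll", "alice"), "/hr/payroll", log)
    print("\n".join(log))
```

The second request in the usage block is the point of the example: the packet filter allows it (port 80, tcp) because it cannot see the payload, and only the gateway rejects it on content. The audit list plays the role of the logging function mentioned in the text.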

SAP Application-Level Gateways

See Application-Level Gateways Provided by SAP.

Third-Party Application-Level Gateways

When using a third-party application-level gateway, the gateway must meet the following criteria:

  • Because SAP systems generate absolute URLs based on the host and port information found in the HTTP Host header, the Host header must not be changed by the application-level gateway.

  • SAP does not support the unification of multiple back-end systems under one external hostname configured on the application-level gateway.

  • If external systems are to be integrated in the SAP NetWeaver landscape using URLs (for example, with a portal), then the URLs must be accessible from internal and external systems under the same name.

  • If it is necessary to change the client protocol (for example, from HTTP to HTTPS), then you also have to set a corresponding header variable so that the SAP system can generate URLs correctly.

    • On SAP NetWeaver AS ABAP, the header variable is clientprotocol. This variable cannot be changed.

    • On SAP NetWeaver AS Java, the default header variable is ClientProtocol, which can be changed by modifying the ProtocolHeaderName in the HTTP Provider Service.
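The following is an added example, not code from SAP or from any gateway vendor: a Python model of the first and fourth criteria above. A stand-in for the SAP back end builds absolute URLs from the Host header and the client-protocol header (default name clientprotocol on AS ABAP, ClientProtocol on AS Java); a correct gateway function passes Host through unchanged and sets the protocol header when it terminates HTTPS and forwards over HTTP, while a deliberately wrong variant rewrites Host to the internal name and drops the protocol information, producing URLs the client cannot reach. The back-end function is an assumption about behaviour for illustration only, and all host names are constructed sample values.

```python
"""Added example (not SAP's code): model of Host and client-protocol header
handling at a third-party application-level gateway. Host names and paths are
constructed sample values; backend_absolute_url() is a stand-in, not the SAP
implementation."""
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class Request:
    scheme: str                                   # protocol used on this hop
    headers: Dict[str, str] = field(default_factory=dict)

def backend_absolute_url(req: Request, path: str,
                         protocol_header: str = "clientprotocol") -> str:
    """Stand-in for the SAP system: absolute URL from the Host header and, if
    present, the client-protocol header (ABAP default 'clientprotocol'; AS Java
    default 'ClientProtocol', configurable via ProtocolHeaderName in the HTTP
    Provider Service). HTTP header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in req.headers.items()}
    scheme = lower.get(protocol_header.lower(), req.scheme)
    return f"{scheme}://{lower['host']}{path}"

def gateway_forward(client_req: Request, backend_scheme: str,
                    protocol_header: str = "clientprotocol") -> Request:
    """Correct behaviour: Host is passed through unchanged, and if the gateway
    changes the client protocol (e.g. HTTPS in, HTTP out) it sets the protocol
    header to the scheme the client actually used."""
    fwd_headers = dict(client_req.headers)          # Host left untouched
    if backend_scheme != client_req.scheme:
        fwd_headers[protocol_header] = client_req.scheme
    return Request(scheme=backend_scheme, headers=fwd_headers)

def broken_gateway_forward(client_req: Request, backend_scheme: str,
                           internal_host: str) -> Request:
    """Wrong behaviour for comparison: rewrites Host to the internal server
    name and sends no protocol header, so the back end builds internal,
    wrong-scheme URLs."""
    fwd_headers = dict(client_req.headers)
    fwd_headers["Host"] = internal_host
    return Request(scheme=backend_scheme, headers=fwd_headers)

def client_url_is_correct(backend_req: Request, client_req: Request, path: str,
                          protocol_header: str = "clientprotocol") -> bool:
    """Check: does the URL the back end generates match what the client used?"""
    expected = f"{client_req.scheme}://{client_req.headers['Host']}{path}"
    return backend_absolute_url(backend_req, path, protocol_header) == expected

if __name__ == "__main__":
    client = Request("https", {"Host": "portal.example.com"})   # constructed
    good = gateway_forward(client, "http")
    bad = broken_gateway_forward(client, "http", "sapsrv01.internal:8000")
    print("correct gateway :", backend_absolute_url(good, "/sap/bc/app"))
    print("broken gateway  :", backend_absolute_url(bad, "/sap/bc/app"))
```

The AS Java case is the same code with protocol_header set to the configured name (the default ClientProtocol, or whatever ProtocolHeaderName was changed to); on AS ABAP the name clientprotocol is fixed.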

More Information