Monday, April 9, 2007

The Answer to the RFC (In)Security Hype: use SNC

Several people are analyzing SAP security. In particular, Remote Function Calls (RFC) have been examined more extensively. In March 2007, a security analysis of the RFC implementation was presented at the Black Hat conference under the title Attacking the Giants: Exploiting SAP Internals.

You could take this as another indication that SAP is getting more and more attention from security researchers and hackers. The analysis is extensive and shows several ways in which RFC can be exploited (all security issues had been fixed by SAP before the paper was published).

So what? It has been known for years that RFC is not a security protocol. Actually, the authors also acknowledge that in the accompanying paper; the most important sentence is that SAP customers should use Secure Network Communication (SNC), SAP's answer for securing RFC connections. This is analogous to HTTP, which is usually protected by SSL.

There are many ways to get information about SAP security, and we strongly recommend following SAP's security recommendations. Learn more about SNC in the SAP NetWeaver Security Guide. General information about SAP security can also be found in the SAP Developer Network or in SAP's Security Forum.
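To make "use SNC" concrete, here is an added example of what enforcing SNC looks like in an SAP instance profile. This fragment is not from the original post or from SAP's documentation; it is an illustration assembled from the standard snc/* profile parameters, and the library path and SNC name are placeholders that must be replaced with the values of your own installation. The first block shows the weak state that the RFC findings rely on (no SNC, or SNC enabled but plaintext RFC still accepted), the second the corrected state.

```ini
# --- Weak: RFC is unprotected (added example; values are illustrative) ---
# SNC is off, so every RFC connection runs in cleartext and is unauthenticated
# at the transport level. This is the state the Black Hat paper attacks.
snc/enable = 0

# --- Also weak: SNC enabled, but insecure RFC still accepted ---
# Enabling SNC alone is not enough; with accept_insecure_rfc = 1 the server
# still accepts RFC connections that do not use SNC, so an attacker simply
# talks plain RFC as before.
snc/enable = 1
snc/accept_insecure_rfc = 1

# --- Corrected: SNC enabled and enforced (added example) ---
snc/enable = 1
# Path to the GSS-API v2 library of the chosen SNC product (PLACEHOLDER path)
snc/gssapi_lib = /usr/sap/<SID>/SYS/exe/run/libsncproduct.so
# SNC name of this application server (PLACEHOLDER, format depends on the product)
snc/identity/as = p:CN=<SID>, OU=<org>, O=<company>, C=<cc>

# Reject any RFC, GUI or CPIC connection that does not come in via SNC.
# Until all clients have SNC configured, RFC and CPIC may be set to "U"
# (insecure allowed only for users explicitly flagged in SNCSYSACL), but the
# goal state is 0 everywhere.
snc/accept_insecure_rfc  = 0
snc/accept_insecure_gui  = 0
snc/accept_insecure_cpic = 0

# Protection level: 1 = authentication only, 2 = integrity, 3 = privacy.
# Require at least integrity and default to privacy, so RFC payloads are
# encrypted on the wire, comparable to HTTP behind SSL.
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/data_protection/max = 3
```

After activating the profile, the check a practitioner wants is simple: an RFC client without SNC configured must be refused by the application server, and an RFC client with SNC must show protection level 3 in its connection attributes. If the unprotected client still connects, one of the accept_insecure_* parameters is not yet at 0.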

Conclusion: the short answer to the RFC (In)Security hype is: use SNC!