ERP system core requirements: How to protect your ERP system?

In the previous article we discussed the security of ERP systems at length. Now we want to talk about ways to protect them.

Protecting ERP systems is a challenge. A good comprehensive project may take years to complete, especially in large system landscapes. However, it is worth the investment. Here are some basic steps that will help you design your SAP implementation securely while you are still in the planning stage. You can also apply this methodology to protect existing systems from the most common attacks.

1. Protect from external attacks: disable insecure services

Any reasonably complex application ships with a large amount of functionality that is needed in general but unnecessary in any particular deployment. In a typical ERP system almost all of this functionality is enabled by default.

A typical SAP installation includes approximately 1500 different web services which, when enabled (and many are enabled by default), are available remotely to any registered user. About 40 of these services are accessible even to anonymous users, and research papers have singled out 13 of them as critical. And these are only the basic services shipped with the platform.

We recommend applying the recommendations from the guideline mentioned above as soon as possible: disable all services accessible to anonymous users, analyze which of the installed services are actually necessary, and additionally restrict access to those by implementing authorization checks. The architecture of an SAP system that is exposed to untrusted networks should include a reverse proxy (SAP Web Dispatcher) that blocks access from outside to all unnecessary services and allows only the necessary ones. SAP Web Dispatcher sits between the Internet and your SAP system. It is the entry point for HTTP(S) requests into the system, which consists of one or more SAP NetWeaver application servers, so it both contributes to security and balances load across those servers. Note that filtering at the Web Dispatcher protects only the path that goes through it; services that are not needed should still be deactivated in the system itself, because internal users and neighbouring systems reach the application servers directly.

Additional information about SAP Web Dispatcher can be found here.
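As an added example (not code from the original article), the following script generates a Web Dispatcher permission table from an allowlist of URL prefixes and simulates how the table is evaluated, so that a list of services that must never be reachable from outside can be checked against it before the file is deployed. It assumes the permission-file format used by wdisp/permission_table and by the PERMFILE= part of icm/HTTP/auth_<n> entries: one entry per line, "P" permit, "D" deny, "S" permit only over SSL, "*" as wildcard, first matching entry wins, no match means deny. The service paths are constructed sample input, not an inventory of a real system.

```python
"""Generate an SAP Web Dispatcher permission table from an allowlist and
simulate its evaluation.  Added example, not from the original article.

Assumptions (see lead-in): permission-file lines are "<P|D|S> <pattern>",
'*' is a wildcard, the first matching line wins and no match means deny.
All service paths below are constructed sample data."""
from fnmatch import fnmatchcase

# Constructed allowlist: only the services the business needs from outside.
ALLOWED_FROM_INTERNET = [
    "/sap/bc/ui5_ui5/*",      # Fiori / UI5 applications
    "/sap/opu/odata/*",       # OData services behind those applications
    "/sap/public/bc/ur/*",    # static resources required by the UI
]

ACTIONS = {"P": "permit", "S": "permit-ssl", "D": "deny"}

def build_permission_table(allowed, ssl_only=True):
    """Return the permission file text: allowed prefixes first, then an
    explicit deny-all so nothing is permitted by accident."""
    verb = "S" if ssl_only else "P"
    lines = [f"{verb} {pattern}" for pattern in allowed]
    lines.append("D *")
    return "\n".join(lines) + "\n"

def decide(table_text, url):
    """First-match evaluation of the table for one request URL."""
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        if action not in ACTIONS:
            raise ValueError(f"unknown verb in permission table: {line}")
        if fnmatchcase(url, pattern):
            return ACTIONS[action]
    return "deny"   # assumption: no matching entry means the request is denied

def check_unwanted_exposure(table_text, urls):
    """Return the URLs that the table would still let through."""
    return [u for u in urls if decide(table_text, u) != "deny"]

if __name__ == "__main__":
    table = build_permission_table(ALLOWED_FROM_INTERNET)
    print(table)
    # Constructed list of services that must not be reachable from outside.
    must_be_blocked = ["/sap/bc/soap/rfc", "/sap/public/info",
                       "/sap/bc/gui/sap/its/webgui"]
    print("still exposed:", check_unwanted_exposure(table, must_be_blocked))
```

The order matters: permit entries for the allowed prefixes come first and the trailing "D *" catches everything else, which is why the simulation in decide() is useful as a regression check whenever the allowlist changes.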

2. Apply SoD principles

SAP solutions expose their functionality through programs, transactions, and reports. Access to these objects should be strictly regulated by authorization values that define which users may perform which actions on which objects. Access to critical actions (for example, the right to modify transactions or to read arbitrary tables) enables users to attack the SAP system, escalate their privileges, or steal critical data.

Segregation of Duties (SoD) is a control that prevents conflicts of interest, i.e. it avoids granting one person two or more access rights which, held together, create a risk of fraud (for example, the right both to create and to approve a payment order).

The first step is to minimize the number of users with the SAP_ALL profile or with access to critical transactions such as SE16 (table browser), SM59 (RFC destinations), and SE38 (ABAP editor). The next step is to apply SoD controls, at least those mentioned in the ISACA guidelines.
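The following script is an added example (not code from the original article) of the kind of check those two steps call for: given a user/role/transaction export, it lists SAP_ALL holders, users who can reach the critical transactions named above, and users who hold both sides of an SoD rule. The users, roles and role-to-transaction assignments are constructed, and the single SoD rule uses the hypothetical transaction codes ZPAY_CREATE and ZPAY_APPROVE to stand for "create payment order" and "approve payment order"; a real ruleset such as the ISACA controls would name the actual transactions.

```python
"""Find SAP_ALL holders, critical-transaction access and SoD conflicts in a
user/role/transaction export.  Added example, not from the original article.
All users, roles and assignments are constructed; ZPAY_CREATE/ZPAY_APPROVE
are hypothetical transaction codes used only to illustrate the rule."""
from collections import defaultdict

CRITICAL_TCODES = {"SE16", "SM59", "SE38"}     # the transactions named in the text

# (rule name, tcodes on side A, tcodes on side B): being able to run at least
# one transaction from each side is a conflict.
SOD_RULES = [
    ("create and approve payment order", {"ZPAY_CREATE"}, {"ZPAY_APPROVE"}),
]

# Constructed export: role -> transactions, user -> profiles and roles.
ROLE_TCODES = {
    "Z_AP_CLERK":    {"ZPAY_CREATE", "FB03"},
    "Z_AP_MANAGER":  {"ZPAY_APPROVE", "FB03"},
    "Z_BASIS_ADMIN": {"SM59", "SE38", "SU01"},
    "Z_DISPLAY":     {"FB03"},
}
USERS = {
    "alice": {"profiles": set(),       "roles": {"Z_AP_CLERK", "Z_AP_MANAGER"}},
    "bob":   {"profiles": {"SAP_ALL"}, "roles": set()},
    "carol": {"profiles": set(),       "roles": {"Z_BASIS_ADMIN"}},
    "dave":  {"profiles": set(),       "roles": {"Z_DISPLAY"}},
}

def effective_tcodes(user, users=USERS, role_tcodes=ROLE_TCODES):
    """Transactions reachable through the user's roles.  SAP_ALL is treated as
    every transaction in the export plus the critical ones, assigned or not."""
    if "SAP_ALL" in users[user]["profiles"]:
        return set().union(*role_tcodes.values()) | CRITICAL_TCODES
    return set().union(*(role_tcodes[r] for r in users[user]["roles"]))

def audit(users=USERS, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    findings = defaultdict(list)
    for user in users:
        if "SAP_ALL" in users[user]["profiles"]:
            findings[user].append("holds SAP_ALL")
        tcodes = effective_tcodes(user, users, role_tcodes)
        critical = sorted(tcodes & CRITICAL_TCODES)
        if critical:
            findings[user].append("critical transactions: " + ", ".join(critical))
        for name, side_a, side_b in rules:
            if tcodes & side_a and tcodes & side_b:
                findings[user].append("SoD conflict: " + name)
    return dict(findings)

if __name__ == "__main__":
    for user, issues in sorted(audit().items()):
        print(user)
        for issue in issues:
            print("  -", issue)
```

Note that the conflict for alice arises from two roles that are individually harmless; SoD checks therefore have to be run over the effective transaction set of each user, not role by role.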

3. Separate development from test and check for vulnerabilities

To protect against malicious developers, first design the separation between the development, test, and production infrastructure, and then control all transport requests that move from development to production. This sounds easy; the difficulty is deciding what exactly has to be controlled. For the separation to hold, make sure that no lower-priority system (development, test) holds a connection with stored credentials, or a trust relationship, into a higher-priority system (production): an attacker who compromises the less protected system would otherwise inherit a ready-made logon to production. Connections between the tiers should store only the technical connectivity configuration and authenticate the user on every access.

As you may know, OWASP (the Open Web Application Security Project, which works to improve awareness of web application security) publishes its Top 10 list of the most dangerous vulnerability classes in web applications. For enterprise applications it is far less obvious which issues need to be checked. Fortunately, there is EAS-SEC (eas-sec.org), a nonprofit organization that aims to raise awareness in the enterprise application security space. EAS-SEC consists of separate projects, one of which covers code security: the Enterprise Application Systems Application Development guide, or EASAD. This guide describes 9 general categories of source code issues in business languages.

Categories:

  • Injections (code, SQL, OS)
  • Critical calls (to the DB, to the OS)
  • Missing or bad access control checks (missing authentication, mistakes)
  • Directory traversal (write, read, SMBRelay)
  • Modification of displayed content (XSS, CSRF)
  • Backdoors (hardcoded credentials)
  • Covert channels (open sockets, HTTP calls, SSRF)
  • Information disclosure (hardcoded users, passwords)
  • Obsolete statements (READ TABLE, kernel methods)

These categories are universal: they apply to most business applications, such as SAP, Oracle, Microsoft Dynamics, and Infor, and to their custom languages.

A secure development process should at minimum include checks for code vulnerabilities in these nine categories.
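To make the categories concrete, here is an added example (not code from the article or from EAS-SEC) of a small pattern-based scanner for ABAP source that flags a handful of the categories above: dynamic WHERE clauses and runtime code generation (injections), CALL 'SYSTEM' and native SQL (critical calls), file access from a variable path (directory traversal), branches on a hardcoded user name (backdoors), hardcoded passwords (information disclosure), outbound HTTP calls (covert channels), kernel calls (obsolete statements), and database access in a unit that contains no AUTHORITY-CHECK at all (missing access control). The regexes are hand-written heuristics, not a complete checker, and the vulnerable report and its hardened counterpart are constructed.

```python
"""Scan ABAP source for patterns from several EASAD categories.
Added example, not from the article or from EAS-SEC; the regexes are
heuristics and both ABAP snippets are constructed."""
import re

# (EASAD category, pattern, description): line-level heuristics
LINE_CHECKS = [
    ("Injections", r"\bWHERE\s*\(\s*\w+\s*\)", "dynamic WHERE clause built from a variable"),
    ("Injections", r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT)\b", "code generated at runtime"),
    ("Critical calls", r"\bCALL\s+'SYSTEM'", "OS command via CALL 'SYSTEM'"),
    ("Critical calls", r"\bEXEC SQL\b", "native SQL statement"),
    ("Directory traversal", r"\bOPEN DATASET\s+(?!')\w+", "file path taken from a variable"),
    ("Backdoors", r"\bsy-uname\s*(=|EQ)\s*'", "branch on a hardcoded user name"),
    ("Information disclosure", r"\b(password|passwd)\b\s*=\s*'[^']+'", "hardcoded password"),
    ("Covert channels", r"cl_http_client=>create_by_url", "outbound HTTP call"),
    ("Obsolete statements", r"\bSYSTEM-CALL\b", "direct kernel call"),
]
LINE_CHECKS = [(c, re.compile(p, re.I), d) for c, p, d in LINE_CHECKS]
DB_ACCESS = re.compile(r"\b(SELECT|UPDATE|DELETE|INSERT|MODIFY)\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)

def strip_comment(line):
    """Drop '*' full-line comments and '"' inline comments outside literals."""
    if line.startswith("*"):
        return ""
    out, in_literal = [], False
    for ch in line:
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            break
        out.append(ch)
    return "".join(out)

def scan(source):
    """Return [(line_no, category, description)]; line 0 marks a unit-level finding."""
    findings, touches_db, has_auth = [], False, False
    for no, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        touches_db = touches_db or bool(DB_ACCESS.search(line))
        has_auth = has_auth or bool(AUTH_CHECK.search(line))
        for category, rx, desc in LINE_CHECKS:
            if rx.search(line):
                findings.append((no, category, desc))
    if touches_db and not has_auth:   # heuristic: DB access, no AUTHORITY-CHECK anywhere
        findings.insert(0, (0, "Missing or bad access control checks",
                            "database access without any AUTHORITY-CHECK"))
    return findings

# Constructed vulnerable report
VULNERABLE_ABAP = """\
REPORT zflight_list.
PARAMETERS: p_where TYPE string,
            p_file  TYPE string.
DATA lt_flights TYPE TABLE OF sflight.
* hidden behaviour for one account
IF sy-uname = 'DEVUSER'.
  EXIT.
ENDIF.
SELECT * FROM sflight INTO TABLE lt_flights
  WHERE (p_where).                " caller controls the WHERE clause
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
CALL 'SYSTEM' ID 'COMMAND' FIELD 'ls -la'.
"""

# Constructed hardened version: authorization check, static WHERE clause with
# a host variable, no file or OS access
HARDENED_ABAP = """\
REPORT zflight_list_fixed.
PARAMETERS p_carr TYPE s_carr_id.
DATA lt_flights TYPE TABLE OF sflight.
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD p_carr
  ID 'ACTVT'  FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized'.
ENDIF.
SELECT * FROM sflight INTO TABLE @lt_flights
  WHERE carrid = @p_carr.
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_ABAP), ("hardened", HARDENED_ABAP)):
        print(name)
        for no, cat, desc in scan(src):
            print(f"  line {no:>2}: {cat}: {desc}")
```

A scanner like this is only a starting point; it reports where to look, and a real review still has to confirm whether the flagged statement is reachable with attacker-controlled input.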

4. Secure connections

Since every system is connected to others, it is essential to understand which system can be attacked, how SAP is connected to other enterprise applications, how an attacker could escalate privileges across those connections, and which asset you should protect first. Analyze which system is the most important and start fixing issues on that system.

First, assign a severity to each asset. Then analyze the connections between assets and whether they are secure, and finally prioritize the assets by their overall impact on the security of the whole landscape. For example, suppose you have a low-risk asset, say a test system without any critical data. This test system has a connection to the production system, and the production system in turn has a connection to the ICS infrastructure. Taking all the connections into account, the test system may have a high impact on the whole landscape, and its security deserves attention.
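The following added example (not code from the original article) puts both of the checks described on this page into one small model: the landscape is a directed graph of systems with an assigned severity and connections between them, and the script reports (a) the connections that let a lower-priority system log on to a higher-priority one with stored credentials or a trust relationship, which is the check called for in the section on separating development from production, and (b) each system's effective severity once everything reachable from it is taken into account, which is the prioritization described just above. The systems and connections are constructed. One assumption is built in: only a connection that carries a stored password or a trust relationship is treated as a path an attacker can ride; a connection that authenticates the user on every access is not.

```python
"""Model the landscape as a directed graph of systems and connections.
Added example, not from the original article; systems and connections are
constructed.  Assumption: only connections with stored credentials or trust
are traversable by an attacker without a fresh logon."""

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed systems: name -> assigned severity
SYSTEMS = {"DEV": "low", "QAS": "low", "PRD": "high", "ICS-GW": "critical"}

# Constructed connections: (source, target, stored_credentials, trusted)
CONNECTIONS = [
    ("DEV", "PRD", True, False),     # RFC destination on DEV with a saved PRD password
    ("PRD", "DEV", True, False),     # saved DEV password on PRD: untidy, but not a path upward
    ("QAS", "PRD", False, False),    # technical configuration only, user logs on each time
    ("PRD", "ICS-GW", False, True),  # trusted RFC from PRD into the ICS gateway
]

def traversable(connections):
    """Adjacency list of the connections an attacker can use without a fresh logon."""
    adj = {}
    for src, tgt, stored, trusted in connections:
        if stored or trusted:
            adj.setdefault(src, []).append(tgt)
    return adj

def stored_access_into_higher_systems(systems, connections):
    """Connections with stored credentials or trust whose target outranks the source."""
    return [c for c in connections
            if (c[2] or c[3]) and SEVERITY[systems[c[1]]] > SEVERITY[systems[c[0]]]]

def reachable(adj, start):
    """All systems reachable from start over traversable connections (start included)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adj.get(node, []))
    return seen

def effective_severity(systems, connections):
    """Each system inherits the worst severity of anything reachable from it."""
    adj = traversable(connections)
    return {s: max((systems[n] for n in reachable(adj, s)), key=SEVERITY.get)
            for s in systems}

def prioritized(systems, connections):
    """Systems ordered by effective severity, highest first, name as tie-breaker."""
    eff = effective_severity(systems, connections)
    return sorted(eff, key=lambda s: (-SEVERITY[eff[s]], s))

if __name__ == "__main__":
    for src, tgt, _, _ in stored_access_into_higher_systems(SYSTEMS, CONNECTIONS):
        print(f"remove stored access: {src} -> {tgt}")
    eff = effective_severity(SYSTEMS, CONNECTIONS)
    for s in prioritized(SYSTEMS, CONNECTIONS):
        print(f"{s:7} assigned={SYSTEMS[s]:9} effective={eff[s]}")
```

In the constructed landscape the development system, rated low on its own, ends up with the same effective severity as the ICS gateway, because its saved production password and the production system's trust relationship chain together; removing the stored access on DEV breaks that chain.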

Beyond the application server's own mechanisms, servers are often linked by other means. For example, SAP solutions may be installed on Windows servers that belong to a single domain and run under the privileges of a shared account. In that case, getting access to one server almost always means access to all the other servers, no matter how well they are protected at the application level. The same applies to links or trusted connections implemented in the DBMS: a DBMS often stores references to other databases together with pre-defined authentication data, which makes those databases reachable in turn. The scope also includes every other method of moving into a neighbouring system that auditors use in penetration tests: trying to log in to the neighbour with the same or similar passwords at the OS, DBMS, and application levels, and searching the file system for plain-text passwords in update, integration, and backup scripts and the like. All of these options should be checked so that a single weak link cannot give an attacker access to every system.

Another risk of insecure connections is data leakage. SAP systems should encrypt data in transit. It is clear that HTTP traffic should be protected with SSL/TLS, but a large part of the traffic is carried by SAP's proprietary protocols, which are unencrypted by default: RFC (the protocol connecting SAP systems to each other), DIAG (the protocol between the SAP GUI client and the SAP server), and the Message Server protocol. Unfortunately, there is no way to encrypt Message Server traffic, so the only option is to put this service behind a firewall and allow only the hosts that need it (the application servers) to reach it. For DIAG and RFC, encryption can be implemented via SNC (Secure Network Communications).

SNC without single sign-on is available to all SAP NetWeaver customers, for SAP GUI via SNC client encryption and for all RFC communication between SAP servers. Basic single sign-on is available in environments where both the SAP servers and the SAP GUI clients run on Microsoft Windows.
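Enabling SNC is not enough on its own: the instance profile also decides whether unprotected DIAG and RFC connections are still accepted alongside the protected ones, and what level of protection (authentication only, integrity, or privacy) is negotiated. The script below is an added example (not code from the original article) that parses an instance profile excerpt and reports every SNC parameter that deviates from a strict policy of "SNC on, privacy protection, no cleartext fallback". The parameter names are the standard SNC profile parameters (snc/enable, snc/data_protection/min, max and use, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/accept_insecure_cpic); the two profile excerpts are constructed. The policy is deliberately strict and treats an unset parameter as a finding, because kernel defaults differ between releases and an explicit value is easier to audit; a site in the middle of an SNC rollout may legitimately run with snc/accept_insecure_gui = U (per-user) for a while, which this checker would flag.

```python
"""Check an SAP instance profile excerpt for weak SNC settings.
Added example, not from the original article.  Parameter names are the
standard SNC profile parameters; the required values encode a strict
policy (SNC on, privacy protection, no insecure fallback) and both
profile excerpts are constructed."""

# parameter -> (required value, what a deviation means)
REQUIRED = {
    "snc/enable":               ("1", "SNC is not activated"),
    "snc/data_protection/min":  ("3", "minimum protection below privacy (3 = encryption)"),
    "snc/data_protection/max":  ("3", "maximum protection below privacy"),
    "snc/data_protection/use":  ("3", "default protection below privacy"),
    "snc/accept_insecure_gui":  ("0", "unencrypted DIAG (SAP GUI) logons still accepted"),
    "snc/accept_insecure_rfc":  ("0", "unencrypted RFC still accepted"),
    "snc/accept_insecure_cpic": ("0", "unencrypted CPIC still accepted"),
}

def parse_profile(text):
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params

def check_snc_profile(text):
    """Return [(parameter, value found or None, reason)] for every deviation."""
    params = parse_profile(text)
    findings = []
    for name, (wanted, reason) in REQUIRED.items():
        found = params.get(name)
        if found != wanted:
            findings.append((name, found, reason))
    return findings

# Constructed: SNC is switched on, but every fallback to cleartext is still allowed
WEAK_PROFILE = """\
# instance profile excerpt (constructed)
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/use = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""

# Constructed: the same excerpt after hardening
HARDENED_PROFILE = """\
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label + ":")
        for name, found, reason in check_snc_profile(text):
            print(f"  {name} = {found!r}: {reason}")
```

The weak profile is the typical "SNC works" state: clients that present SNC get encryption, but every client that does not is still let in unencrypted, so the data leakage risk described above remains until the accept_insecure parameters are set to 0.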

Summary

ERP security is a complex task. However, just taking these four high-level steps can significantly improve the security of your ERP system. Only once the architecture has been implemented securely does it make sense to take further steps such as vulnerability management and incident response.

Translated from: https://habr.com/en/company/dsec/blog/469041/
