We are going to face an SAP installation in the coming months, and there
will be some need for vendor service capability.
An overview paper about something called "SAProuter" appeared on my desk
here. According to the overview from the vendor, it acts "like a
firewall system" giving complete control over who might access an SAP R/3
system. Additionally, this product is supposed to allow non-unique
addresses in the path between source and destination, allowing you to
"connect two points that have identical IP addresses". Details are real
sketchy on this...
There is also supposed to be access control allowing access to particular
servers from only certain points in the network and through a
user-defined routing process. This is accomplished through a
route permissions table which contains source/destination and the
password for the connection, apparently in clear text (!). If there is
no source/destination entry in this table, the default action is to allow
the connection (!!). That makes me wonder what the possibility is for
getting around the "secure" path through normal IP routing.
Given that this doesn't sound like a security enhancement but more like a
ready-made security hole, my first instinct is to respond "Not just no,
but @#$% NO!" to this product. However, if anyone has any practical
experience with SAProuter and would share it, I'd appreciate it. Private
e-mail responses will be summarized to this list.
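
The fail-open concern raised in the post, as an added example that is not part of the original message and is not SAProuter code: a first-match route permission table evaluated once with a default of allow and once with a default of deny, plus a small audit pass. The table layout, the Entry/decide/audit names and the sample addresses are hypothetical and model only the behaviour as the post describes it, not the product's actual file format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    action: str          # "permit" or "deny"
    source: str          # CIDR string, or "*" for any
    dest: str            # CIDR string, or "*" for any
    password: str = ""   # kept in clear text, as the post describes

def _match(pattern, addr):
    # "*" matches everything; otherwise test network membership
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def decide(table, src, dst, default):
    """First matching entry wins; with no match the default action applies."""
    for e in table:
        if _match(e.source, src) and _match(e.dest, dst):
            return e.action
    return default

def audit(table, default):
    """Flag the weaknesses the post points at in a table of this shape."""
    findings = []
    if default != "deny":
        findings.append("default action is allow: unlisted source/destination pairs get through")
    for i, e in enumerate(table):
        if e.password:
            findings.append(f"entry {i}: password stored in clear text")
        if e.action == "permit" and "*" in (e.source, e.dest):
            findings.append(f"entry {i}: wildcard permit")
    return findings

# Constructed sample table using RFC 5737 documentation addresses
TABLE = [
    Entry("permit", "192.0.2.10/32", "198.51.100.5/32", "s3cret"),
    Entry("deny", "192.0.2.0/24", "*"),
]

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.77", "203.0.113.9"):
        for default in ("permit", "deny"):
            print(f"{src:12} default={default:6} ->", decide(TABLE, src, "198.51.100.5", default))
    for finding in audit(TABLE, "permit"):
        print("finding:", finding)
```

The third source address matches no entry, so its result is decided entirely by the default action; an explicit final deny-all entry gives the same protection when the default cannot be changed.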