Connection map

The connection map report can be started from the Protect4S VM Reports menu.

The Connection map report shows the connections between the SAP systems registered in the Protect4S system for the system types ABAP, dual-stack and Web Dispatcher.

The connection types shown are:

  • Type 3 RFC destination: connections using the RFC protocol with authentication consisting of a named user and password, for instance the TMS transport connections.

  • Type T RFC destination: TCP/IP connections using the RFC protocol between the SAP system and a (registered) server program, for instance the executable sapxpg.

  • Type G & H destinations: connections to external systems using the HTTP(S) protocol, for instance to the HTTP port of an SAP Java-based system.

  • SOAP web services: connections using the HTTP(S) protocol and logical ports to external systems, for instance connections between an SAP system and SAP Control agents.

  • ADBC connections: connections between SAP databases using the ADBC protocol.

  • SAP Web Dispatcher: connections between an SAP Web Dispatcher and backend systems.

The report is meant to make security staff aware of the different system connections that may exist between SAP systems and to show the risk that these connections may pose.

The risk of these connections is that malicious third parties may use them to jump from one compromised SAP system to a new SAP system target. Since the Solution Manager contains connections to other SAP systems, it is an attractive target that enables the compromise of other systems in the SAP landscape.

Creating a new Connection Map

The report must first run to create a new Connection Map. To do this, press the button “New” in the Connection map application. When you subsequently press the “Refresh” button, you will see that a new Connection map ID has been scheduled and is in progress.

The time to create a new Connection Map depends on the number of connections, the number of SAP systems registered and whether these systems are up and running.

After a while, the Connection Map ID status changes from “In progress” to “Completed” after which this map may be accessed by clicking on the “Display” icon from the row in the list.

The display shows the map that has been created. The display can be altered in various ways using the display settings.

The map consists of SAP System nodes connected by edges. The colors of the nodes and edges may be changed to indicate Risk, System Role, Connection type or System type. The nodes can be dragged with the mouse to another location in the map.

System overview

The System overview menu shows a list of systems. When a system is selected in the upper list, the various connections that it contains are shown in the lower list.

The connections are sorted on Risk and, for each connection, the target hostname, instance number and associated user are shown. When the display button on the left is selected for one of these connections, a new screen shows the source and target system properties.

When possible, the user authorizations and roles are shown after selecting the User Information menu.

Connection overview

The connection overview shows the list of all connections associated with all SAP systems registered in the Protect4S system. In this overview, the Risk associated with the connection and the source and target systems are shown.

When the display button on the left is selected for one of these connections, a new screen shows the source and target system properties (same as in System overview).

Risk value

The risk value of these connections depends on various factors:

  • whether the connection contains a user ID and password.

  • whether the connection is from a non-Production system to a Production System.

  • whether the target system is a Production System.

  • whether the authorizations of the user contain SAP_ALL or admin roles.

  • for SOAP connections: whether the logical port facilitates Operating System access.

  • for type T RFC: whether the external server program name is "sapxpg" or "rfcexec".

Risk reasons

See the overview below for an explanation of the Risk reasons.

Risk reason | Explanation
--- | ---
The connection contains a username with user profile: SAP_ALL | The composite profile SAP_ALL contains all SAP authorizations, allowing all tasks to be performed in the SAP system.
The connection connects a non-productive system to a productive system | This potentially allows lateral movement across production tiers in an SAP landscape.
The default risk of this kind of connection | No specific additional risks are found, other than that this connection should be deleted if it is not needed anymore.
The connection contains no username | This allows a user to be defined dynamically rather than making sure the user is fixed for the expected purpose.
The connection contains a username without any user profile | A user without any profile does not mean it is safe; it can, for example, be a user that makes use of reference users.
The connection contains a password or is a trusted connection | This means that authentication to the system can be used automatically.
The connection starts program SAPXPG or RFCEXEC on an explicit host | This may allow starting of external programs or a check for successful gateway registration of a program on the host.
The connection starts program SAPXPG or RFCEXEC on a frontend workstation | This may allow starting of external programs or a check for successful gateway registration of a program on the used frontend workstation.
The connection is to the local system itself | A connection to the local system itself can be used to impersonate another user if a user is defined there. A connection to itself can also be used to retrieve information from another client within its own system.
The connection uses the logical port proxy class: CO_SSISAPCONTROL_PORT_TYPE | This indicates usage of the SAPControl functionality for non-standard SAP functionality on the SAP system.
The connection uses the logical port proxy class: CO_WSSAPCONTROL_PORT_TYPE | This indicates usage of the SAPControl functionality for non-standard SAP functionality on the SAP system.
The connection uses the logical port proxy class: CO_WSSAPOSCOL | This indicates usage of the SAPOSCOL functionality for non-standard SAP functionality on the SAP system.
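The risk factors and risk reasons above describe how the report rates a connection, but not how the rating is derived. The following is an added example, not Protect4S code, that applies the same factors to a few constructed connection records and sorts them on risk the way the System overview does. The `Connection` record shape, the point weights, the HIGH/MEDIUM/LOW thresholds and the "admin role" name heuristic are assumptions made for this example; the reason texts and the program and proxy-class names are the ones listed in the table.

```python
"""Toy risk rating for SAP system connections, mirroring the factors and
reason texts of the Protect4S Connection map. Weights, thresholds, the record
shape and the admin-role heuristic are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed point weights per risk factor (not values from the report).
WEIGHTS = {
    "sap_all": 4, "admin_role": 3, "os_program": 3, "nonprod_to_prod": 3,
    "credentials": 2, "sapcontrol": 2, "no_user": 1, "no_profile": 1,
    "target_prod": 1, "local": 1,
}
# Proxy classes and server programs named in the Risk reasons table.
SAPCONTROL_PROXIES = {"CO_SSISAPCONTROL_PORT_TYPE",
                      "CO_WSSAPCONTROL_PORT_TYPE", "CO_WSSAPOSCOL"}
OS_PROGRAMS = {"SAPXPG", "RFCEXEC"}


@dataclass(frozen=True)
class Connection:
    """Assumed record shape; fields mirror what the report displays."""
    name: str
    kind: str                          # "RFC3", "RFCT", "HTTP", "SOAP", "ADBC", "WEBDISP"
    source_sid: str
    source_prod: bool
    target_sid: str
    target_prod: bool
    user: Optional[str] = None
    profiles: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    has_password: bool = False
    trusted: bool = False
    program: Optional[str] = None      # type T RFC: registered server program
    proxy_class: Optional[str] = None  # SOAP: logical port proxy class


def risk_findings(c: Connection) -> List[Tuple[str, str]]:
    """Return (factor, reason) pairs; an empty list means default risk only."""
    found: List[Tuple[str, str]] = []
    if c.user is None:
        found.append(("no_user", "The connection contains no username"))
    elif "SAP_ALL" in c.profiles:
        found.append(("sap_all", "The connection contains a username with user profile: SAP_ALL"))
    elif any("ADMIN" in r.upper() for r in c.roles):   # admin-role heuristic (assumption)
        found.append(("admin_role", "The connection contains a username with an admin role"))
    elif not c.profiles and not c.roles:
        found.append(("no_profile", "The connection contains a username without any user profile"))
    if c.has_password or c.trusted:
        found.append(("credentials", "The connection contains a password or is a trusted connection"))
    if not c.source_prod and c.target_prod:
        found.append(("nonprod_to_prod", "The connection connects a non-productive system to a productive system"))
    if c.target_prod:
        found.append(("target_prod", "The target system is a productive system"))
    if c.source_sid == c.target_sid:
        found.append(("local", "The connection is to the local system itself"))
    if c.kind == "RFCT" and (c.program or "").upper() in OS_PROGRAMS:
        found.append(("os_program", f"The connection starts program {c.program.upper()} on an explicit host"))
    if c.kind == "SOAP" and c.proxy_class in SAPCONTROL_PROXIES:
        found.append(("sapcontrol", f"The connection uses the logical port proxy class: {c.proxy_class}"))
    return found


def risk_level(c: Connection) -> Tuple[str, int]:
    """Sum the assumed weights and map the score to HIGH / MEDIUM / LOW (assumed thresholds)."""
    score = sum(WEIGHTS[factor] for factor, _ in risk_findings(c))
    return ("HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"), score


def connection_overview(conns: List[Connection]) -> List[Dict[str, object]]:
    """Rows sorted on risk, highest first, as in the System and Connection overviews."""
    rows = []
    for c in conns:
        level, score = risk_level(c)
        reasons = [r for _, r in risk_findings(c)] or ["The default risk of this kind of connection"]
        rows.append({"name": c.name, "risk": level, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample connections (not real landscape data).
SAMPLE_CONNECTIONS = [
    Connection("DEV->PRD TMS", "RFC3", "DEV", False, "PRD", True, user="TMSADM",
               profiles=frozenset({"SAP_ALL"}), has_password=True),
    Connection("PRD sapxpg", "RFCT", "PRD", True, "PRD", True, program="sapxpg"),
    Connection("QAS sapcontrol", "SOAP", "QAS", False, "QA2", False, user="SAPCTRL",
               has_password=True, proxy_class="CO_WSSAPCONTROL_PORT_TYPE"),
    Connection("DEV http", "HTTP", "DEV", False, "DE2", False, user="HTTPUSER",
               roles=frozenset({"Z_READONLY"})),
]

if __name__ == "__main__":
    for row in connection_overview(SAMPLE_CONNECTIONS):
        print(f"{row['risk']:6} {row['score']:2}  {row['name']}")
        for reason in row["reasons"]:
            print(f"         - {reason}")
```

The TMS-style type 3 destination with SAP_ALL and a stored password from a non-productive to a productive system accumulates the most factors and sorts to the top; a type T destination that starts sapxpg on the local productive system follows because the program, the missing user and the self-connection each count; the HTTP destination with a fixed, non-administrative user and no stored password has no findings and gets only the default reason.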

How to secure connections between different SAP systems

Our blog on this topic describes various ways to secure the connections between SAP systems:

https://protect4s.com/2020/06/16/introducing-the-new-protect4s-connection-map-how-to-secure-connections-between-sap-systems/
