SAP-Security : Monitoring and Securing SAPRouter with SAGESSE TECH Solutions and IBM QRadar / SPLUNK


SAPRouter is a reverse proxy between external networks and SAP Landscapes. If configured correctly, SAPRouter enables companies to apply more granular and secure connections to SAP Systems. On the flip side, an improperly configured SAPRouter can expose organizations to dangerous exploits that could lead to the compromise of SAP Systems.

Because the SAProuter is an internet-facing proxy that provides a direct path to SAP systems, it is a high-value target for attackers. Attackers can send information requests to detected SAPRouters to enumerate the scheme for internal IP addresses based on the details of connected hosts disclosed in the response. Once the internal IP address scheme is determined, attackers can then scan the internal network by sending connection requests from the SAProuter to connected hosts. The responses can enable attackers to discover open ports not only for SAP services but also for services such as HTTP, SMTP, FTP, and SSH if the SAPRouter supports native connections.

The secure configuration of the SAProuter can prevent or mitigate such attacks. The route permission table defined in the saprouttab file should specify the source hosts permitted to connect to specific services and target hosts. The use of wildcards in route strings should be avoided.
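A minimal audit of the route permission table along these lines, as an added example that is not part of the original article or of any SAGESSE TECH product. It assumes the entry layout `<P|S|D> <source-host> <dest-host> <dest-service> [password]` (optionally K-prefixed for SNC entries) and that lines starting with `#` are comments; the sample table and the function name `audit_saprouttab` are constructed for illustration.

```python
# Added example: flag permit entries in a saprouttab that use the '*' wildcard.
# Assumed entry layout: <P|S|D> <source-host> <dest-host> <dest-service> [password]
# SNC variants (KP/KS/KD) are assumed to keep the same field order.

SAMPLE_SAPROUTTAB = """\
# constructed sample table, not taken from a real system
P * * *
P 203.0.113.10 10.1.1.20 3200
S 203.0.113.* 10.1.1.20 3299
P 198.51.100.7 10.1.1.21 *
D * * *
"""

FIELD_NAMES = ("source", "destination", "service")


def audit_saprouttab(text):
    """Return (line_no, entry, wildcard_fields) for each permit entry using '*'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        # Reduce KP/KS/KD to P/S/D; anything else (e.g. KT) is skipped below.
        kind = fields[0].upper().lstrip("K")[:1]
        if kind not in ("P", "S") or len(fields) < 4:
            continue  # deny entries and unknown/short lines are not findings
        wild = [name for name, value in zip(FIELD_NAMES, fields[1:4])
                if "*" in value]
        if wild:
            findings.append((line_no, line, wild))
    return findings


if __name__ == "__main__":
    for line_no, entry, wild in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {line_no}: '{entry}' uses wildcard in {', '.join(wild)}")
```

Each finding names the fields that need to be replaced with a specific source host, target host or service before the entry matches the guidance above.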

Logging for the SAProuter should also be enabled.

We have developed dashboards, reports and alerts related to SAPRouter Configuration and Connection Requests as part of our SAP Threat Detection and Security Monitoring Solution. We can detect suspicious connections to SAPRouter immediately and create necessary alerts for SOC and SAP Security Teams in integration with SIEM Solutions like SPLUNK, IBM QRadar and Wazuh.


Figure 1 : Dashboard in SPLUNK for Geolocation of Client IP Connections to SAPRouter


Figure 2 : Denied and Allowed Connections Dashboard to SAPRouter


SAGESSE TECH, a global SAP Security / Oracle Security / ERP Security Tech Company, provides an Automated Audit Tool for SAP, SAP Threat Detection and Monitoring Products, an SAP PenTest Framework and an SAP Audit Service that check these kinds of configurations, vulnerabilities and much more in your SAP Systems. Their products and services can help you to integrate your SAP System into your central threat detection solutions and foster your NIS2 Compliance.

SAGESSE TECH is now providing companies who do not use a SIEM Solution or would like to have a separate SIEM for SAP Threat Detection with a Wazuh SIEM App.

You can contact SAGESSE TECH (e-mail: [email protected], [email protected] or [email protected]) if you would like more information about our products, would like a Vulnerability Scan, SAP Audit or SAP PenTest on your SAP Systems, or want to implement an SAP Threat Detection and Monitoring Solution integrated with leading SIEM Vendors like SPLUNK, IBM QRadar and Wazuh.
