
Safe Tuesday with SNOK: Hardening SAP HANA on SLES – Effective Firewall Configuration


In today’s world, cybersecurity is a critical element of every organisation’s operations. This is especially true in environments running critical business applications such as SAP HANA on the SUSE Linux Enterprise Server (SLES) for SAP Applications platform. In this instalment of Safe Tuesday with SNOK, we look at how to effectively harden SAP HANA, with particular focus on firewall configuration.

Introduction

SAP HANA is an advanced database platform that processes vast amounts of data in real time. Its security is critical to the integrity and confidentiality of enterprise data. SLES for SAP Applications offers a range of tools and features that allow the SAP HANA environment to be secured. One of the most important elements is correct firewall configuration.

Why is hardening important?

Hardening is the process of strengthening a system by reducing its vulnerability to attacks. In the context of SAP HANA and SLES, this includes, among other things:

- Minimising the attack surface by disabling unnecessary services.
- Applying strong password and authorisation policies.
- Configuring the firewall to control network traffic.

Firewall configuration on SLES for SAP for SAP HANA

The firewall serves as the first line of defence against unauthorised access. For SAP HANA, it is necessary to open only the ports required for it to function correctly. Below are the steps that will help you configure the firewall for SAP HANA effectively.

Identifying the required ports for SAP HANA

SAP HANA uses a number of ports for communication. The most important ones are:

- Port 30015: the standard SQL port for HANA instance number 00.
- Ports 30013 to 30017: used by various SAP HANA services.

To obtain a list of all ports used by your SAP HANA installation, you can use the command:

sapcontrol -nr 00 -function GetSystemInstanceList

Checking the firewall status

Make sure firewalld is installed and running:

sudo systemctl status firewalld

If it is not active, start and enable it:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Creating a new zone for SAP HANA

To better manage rules, it is worth creating a dedicated zone for SAP HANA:

sudo firewall-cmd --permanent --new-zone=sap-hana

Assigning the network interface to the new zone

Assign the network interface used by SAP HANA to the sap-hana zone:

sudo firewall-cmd --zone=sap-hana --change-interface=eth0 --permanent

(Make sure eth0 is the correct network interface.)

Adding the required ports to the SAP HANA zone

Open only the ports that are required for SAP HANA:

sudo firewall-cmd --zone=sap-hana --add-port=30015/tcp --permanent
sudo firewall-cmd --zone=sap-hana --add-port=30013-30017/tcp --permanent

If your SAP HANA instance uses other ports, add them as needed.

Restricting access to trusted networks

To increase security, restrict access to the sap-hana zone to trusted IP addresses or networks only:

sudo firewall-cmd --zone=sap-hana --add-source=192.168.1.0/24 --permanent

Removing unnecessary services and ports

Make sure there are no unnecessary open ports or services in the sap-hana zone:

sudo firewall-cmd --zone=sap-hana --remove-service=ssh --permanent

Applying the changes

After making all the changes, reload the firewall so that the permanent configuration becomes the runtime configuration:

sudo firewall-cmd --reload

Verifying the configuration

Check the current configuration of the sap-hana zone:

sudo firewall-cmd --zone=sap-hana --list-all

Monitoring traffic

Regularly monitor firewall logs in the context of the sap-hana zone to detect suspicious activity:

sudo journalctl -f -u firewalld
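The verification step above is easier to repeat if the zone listing is checked against an explicit allowlist rather than read by eye. The following added script (not part of the original article) derives the expected SAP HANA ports from a two-digit instance number, generalising the instance 00 case to 3NN13-3NN17, and flags any port or service in the output of `firewall-cmd --zone=sap-hana --list-all` that is not on the allowlist. The zone listing embedded below is constructed sample output; on a real host, pipe the command's output into `zone_extras` instead.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the text layout
# of `firewall-cmd --zone=<zone> --list-all` (one "ports:" and one
# "services:" line, items separated by spaces).

# Expected SAP HANA ports for a two-digit instance number NR:
# SQL port 3NN15 and the 3NN13-3NN17 service range (instance 00 gives
# 30015/tcp and 30013-30017/tcp, as in the article).
hana_ports() {
    nr="$1"
    printf '3%s15/tcp 3%s13-3%s17/tcp\n' "$nr" "$nr" "$nr"
}

# Print every port or service in the zone listing that is not in the
# allowlists. Returns 0 when the zone is clean, 1 when something extra
# is open.
#   zone_extras "<listing text>" "<allowed ports>" "<allowed services>"
zone_extras() {
    listing="$1"; allowed_ports="$2"; allowed_services="$3"
    rc=0
    for item in $(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p'); do
        case " $allowed_ports " in
            *" $item "*) ;;
            *) echo "extra port: $item"; rc=1 ;;
        esac
    done
    for item in $(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p'); do
        case " $allowed_services " in
            *" $item "*) ;;
            *) echo "extra service: $item"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listing: a sap-hana zone where ssh and 22/tcp were
# left open alongside the HANA ports.
SAMPLE_LISTING='sap-hana (active)
  target: default
  interfaces: eth0
  sources: 192.168.1.0/24
  services: ssh
  ports: 30015/tcp 30013-30017/tcp 22/tcp
  protocols:
  rich rules: '

# Audit the sample for instance 00 with no services allowed at all.
if zone_extras "$SAMPLE_LISTING" "$(hana_ports 00)" ""; then
    echo "sap-hana zone: only the expected ports are open"
else
    echo "sap-hana zone: review the extra entries above"
fi
```

On a live system the same check is `sudo firewall-cmd --zone=sap-hana --list-all | { zone_extras "$(cat)" "$(hana_ports 00)" ""; }`, which exits non-zero whenever the zone drifts from the allowlist.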

Additional security measures

System updates

Regularly update the system and packages:

sudo zypper update

Secure SSH configuration

- Disable root login via SSH.
- Use public key authentication.

SELinux and AppArmor

SLES uses AppArmor for application-level access control. Make sure it is enabled and properly configured.

Authentication and authorisation in SAP HANA

- Enforce strong passwords and regular password changes.
- Use SSO (Single Sign-On) mechanisms wherever possible.

Practical tips

Configuration backup

Before making significant changes, always back up your configuration:

sudo cp /etc/firewalld/zones/public.xml /etc/firewalld/zones/public.xml.bak

Testing changes

After making changes, run tests to ensure applications are working correctly and that unauthorised access is blocked.

Documentation

Document all configuration changes. This will make it easier to manage and troubleshoot potential problems in the future.

Applying best practices

The principle of least privilege

User accounts and processes should have only the privileges necessary to perform their tasks.

Regular security audits

Conduct regular system audits to detect and remediate potential weaknesses.

User education

Train employees on best security practices to minimise the risk associated with the human factor.

Extending security with SecurityBridge

In addition to Linux system hardening itself, it is worth considering implementing the SecurityBridge platform as a solution that raises SAP security. SecurityBridge is an advanced security platform designed specifically for SAP environments. It offers continuous monitoring, real-time threat detection, and automation of security-related processes. Through its integration with the SAP system, SecurityBridge enables proactive risk management, providing an additional layer of protection beyond standard security measures.

How SNOK takes care of SAP HANA security

At SNOK, we fully understand how critical it is to ensure the highest level of security in SAP environments. Our approach is based on comprehensively addressing every aspect of security, with particular emphasis on SAP HANA.

A holistic approach to security

- Network infrastructure: we design and implement network-level security, using advanced firewall technologies and intrusion detection systems.
- Operating system security: we implement best practices for hardening SLES for SAP, minimising the attack surface.
- Application security: we develop and implement security policies for SAP applications, taking into account user roles and access control.

Specialisation in SAP HANA

- Configuration optimisation: we provide specialised SAP HANA configuration services while ensuring both high performance and security.
- Security monitoring: we use tools for continuous monitoring of the SAP HANA environment, enabling rapid identification of and response to potential threats.
- Updates and patches: we manage the update process, ensuring systems are protected against the latest threats.

Education and support

- Training for clients: we organise training sessions and workshops to increase security awareness among end users.
- Technical support: our team of experts is available 24/7, offering support with security matters and troubleshooting.

Regulatory compliance

- Audit and certification: we help prepare for security audits and certifications, such as ISO 27001 or GDPR compliance.
- Policies and procedures: we support the creation and implementation of security policies in line with industry best practices.

Innovation and research

- New technologies: we invest in research into new security technologies, such as artificial intelligence in threat detection.
- Collaboration with partners: we work with industry leaders such as SUSE and SAP to deliver the most cutting-edge security solutions.

Summary

Securing SAP HANA on the SLES for SAP Applications platform is critical to protecting data and ensuring business continuity. Correct firewall configuration forms the foundation of this security. By implementing the steps and best practices described above, you can significantly increase the level of protection for your environment.

At SNOK, we are committed to delivering the highest-quality security services for SAP systems. Our experience and expertise enable us to effectively secure SAP HANA environments, taking care of every aspect of security.

Remember that security is an ongoing process. It requires regular updates, monitoring and adaptation to new threats. As part of Safe Tuesday with SNOK, we encourage you to continue deepening your knowledge and applying the latest solutions in the field of cybersecurity.
