Intercepting SAP SNC-protected traffic

Intercepting SAP SNC-protected traffic

Wednesday, March 22, 2017
Martin Gallo
Troopers

SNC (Secure Network Connections) is SAP’s standard security mechanism for protecting communications from clients to servers and between SAP servers. This security layer works with SAP protocols like RFC or DIAG, and strengthen the security of them by using additional security functions. While not enabled by default, its use rate has increased since SAP started shipping it in all kernel versions. Now it can be observed implemented on large and small organizations for preventing active attackers or eavesdroppers.

This talk will introduce the details about this security layer, dissecting the packets and messages and show how SNC is related to each one of the protocols that are protected using it. We’ll also review the main security characteristics and explore the attack surface exposed.

Getting crypto to work in the right way always presents some challenges, and doing it in complex environments like SAP systems might be even harder. We’ll demonstrate what could go wrong by using an interception attack implementation on some particular configuration scenarios, and end up with some recommendations on how to improve SNC configuration.