Copyright © 2003 Americas’ SAP Users’ Group
Session 4904
SAPConsole an End-to-End Security Implementation
Chris Kralovansky
NIBCO INC.
Technical Analyst - SAP Basis & Security
Monday, May 19, 2003
Objectives
Share project approach, key questions, and deliverables every customer should think about when undertaking an SAPConsole implementation
Discuss approaches to physical and logical security in an SAPConsole implementation
Develop an understanding of end-to-end security considerations for an SAPConsole implementation in a wireless environment
Agenda
NIBCO company background
NIBCO’s data collection technology evolution
SAPConsole implementation plan
SAPConsole physical and logical security considerations
Lessons learned
Background – NIBCO INC
Founded in Elkhart, IN in 1904
Fourth generation family-owned company
Twelve (12) manufacturing facilities throughout the U.S., Mexico, and Poland
Five (5) distribution centers: (4) U.S. and (1) Poland
Background – NIBCO INC
Employs 2900+ associates world-wide
Websites:
www.nibco.com
www.nibco.com.pl
www.tolco.com
www.nibcopartner.com
NIBCO’s SAP Implementation History
1996 - SAP selected as the sole provider of business systems for NIBCO
Oct. 1996 – Formation of NIBCO’s SAP implementation team (T.I.G.E.R.)
Dec. 1997 – Big-bang implementation
Release 3.0F
19 Locations (manufacturing and distribution)
Modules – FI/CO/CO-PA/PCA/SD/MM/PP/WM/SD
Norgistics (N/3) – Data Collection Middleware
NIBCO’s SAP Implementation History
Upgrades
March 1999 - Release 4.0B
March 2001 – Release 4.6C
Support Packages 2-3 times per year
NIBCO’s SAP Implementation History
Additional Locations
May 2000 - International Distribution Center
May 2002 – NIBCO Sp.z.o.o. – Poland Manufacturing, Distribution, Sales, Finance, Payroll
In-bond locations
(2) locations in Poland
(2) locations in Hungary
(2) locations in Ukraine
NIBCO’s SAP Implementation History
Additional Functionality
December 1999 – Introduced eNIBCO, a suite of customer-facing eCommerce offerings
April 2000 – HR-Payroll – U.S.
2000 – Replaced Norgistics (N/3) with CIM Concepts Data Integrator for R/3 – Data Collection Middleware
May 2002 – Localized Polish implementation
December 2002 – SAPConsole goes LIVE
May 2003 – SAP Business Warehouse (Unicode)
June 2003 – HR-Payroll – Reynosa, Mexico
June 2003 - Time & Attendance – Reynosa, Mexico
NIBCO’s SAP Implementation History
Tolco Support Systems Acquisition – June 2002
Corona, CA
Houston, TX
Sacramento, CA
SAP HRMS Live – June 2002
SAP Operational – November 2002
NIBCO’s Data Collection Technology Evolution
[Diagram: three generations of the data collection architecture]
1997 - 2000: Initial Data Collection Implementation
Components: SAP R/3, ALE connection, Norand N/3 - Norgistics (off-line application, off-line database), wireless controller, Ethernet, wireless access point, wireless data collection devices
One distribution site, WM functions
Security functions: combination of SAP security and off-line application security
2000 - 2002
Components: SAP R/3 (all data stored and maintained in SAP), CIM Concepts Data Integrator for R/3 (off-line application), SAPGUI automation screen scraping, ALE connection, wireless controller, Ethernet, wireless access point, wireless data collection devices
Three distribution & three MFG sites, WM, IM and PP functions
Security functions developed as an application component in SAP
Security initiation 2000
2002 - Current
Components: SAP R/3 (data and application stored & maintained in SAP), SAPConsole with Georgia SoftWorks, firewall, wireless controller, Ethernet, wireless access point, wireless data collection devices
Migrating from current
All data collection functions
Security functions: “Pure SAP delivered security”
Firewall 2002
NIBCO Data Collection Technology Evolution
...so why did NIBCO change data collection middleware solutions?
Business strategy –
Utilize SAP products to solve business problems
Leverage SAP investment and relationship
Architectural & technical strategy
Complete the transition from an off-line, interfaced solution to an on-line, integrated solution
Utilize SAP as the core data repository
Leverage SAP programming language and security skills
Manage Total Cost of Ownership
SAPConsole Implementation Scope
Initial implementation was a wireless, manufacturing shop floor application pilot at one NIBCO facility
Develop an understanding of SAPConsole technology deployment
Develop support processes required to manage SAPConsole in a 7x24 environment
Develop a robust, secure infrastructure to support SAPConsole in a wireless environment
Develop security management processes which meet the “real” business requirements of the operation
Develop a training approach for SAPConsole transaction deployment
SAPConsole Project Considerations
What were the challenges? OK, what did we argue over??
How do we adequately secure our wireless infrastructure?
How will we allow terminals to bypass NT authentication?
How will we maintain SAP userids?
How will we support SAP password changes?
What SAP user type will be assigned?
What standards do we use for userids and passwords?
Do we delegate SAP security administration to our remote locations?
How will we add / revoke SAPConsole-specific security at a moment’s notice?
How will we support the administration of userids needing LM01 access?
How will we manage various data collection device screen sizes?
SAPConsole Physical Security
Wireless security infrastructure
Intermec - DCS300 Controllers, 2100AP, 6400 and 2455 terminals
Changed network name and eliminated broadcasts
Rationalized the use of WEP: 64 bit vs. 128 bit - Understand your devices’ capabilities
Work with your partners – Worked with Peak Technologies and Intermec to develop an approach (Wireless security whitepaper)
If you fail to plan for wireless security your network will be hacked!!
Cisco firewall technology
Authorized the data collection devices through the firewall by IP address
Utilized VPN for wireless PCs
Treat the 802.11b wireless infrastructure like the internet, utilizing WEP encryption and firewall technology to “isolate” the network
SAPConsole Physical Security
[Diagram: network layout in which a firewall separates the untrusted network from the trusted network. Components shown: frame relay from WHQ, router, core switch, switch, Ethernet, firewall, DCS300, three access points, file server, print server, RF base PC or laptop with a wireless VPN connection]
VPN and DCS300 traffic will be the only traffic allowed to pass from the untrusted to the trusted side of the firewall.
SAPConsole Infrastructure Struggles
Implemented SAPConsole Version 620 which fixed many challenges:
Password changes at logon vs. an every 90 day parade
Logoff confirmation
Application messages are complete
User can select a memorable, personal password
Allows user to logon to multiple devices – this can also be prevented
Utilize Georgia SoftWorks for device telnet to SAPConsole application – Manages NT authentication process
SAPConsole Logical Security
Wasted time trying to develop special rules for SAPConsole users because of “special needs”
“We need to use a different userid and password standard for the floor people!”
“We need to develop our own authentication and application security tools for SAPConsole!”
“We can’t make them change their passwords every 90 days!”
“We need userids and activity groups at a moment’s notice!”
“People come off the street, pick, pack and ship products!”
Do not abandon your current security administration processes; if they work today then use them!!!
SAPConsole Logical Security
What did we do?
Utilized existing userid & password standards
Built SAP security roles by location and task
Utilized existing processes for establishing and maintaining userids and activity groups
Leveraged PIDs to drive higher transactional efficiencies for the SAPConsole user
Added processes to maintain the table for LM01 security in production client (SM30)
Building a transaction for de-centralized table maintenance of LRF_WKQU
Key SAPConsole Information Sources
OSS Note Components
LE-MOB Mobile Devices
BC-FES-CON SAP Console
OSS Note #380399 Multiple logons in RF transactions
OSS Note #507542 SAPConsole: Logoff & change password screens
OSS Note #524881 SAPConsole security problem on WIN NT/2000 server
OSS Note #515874 Table LRF_WKQU Customizing or Master Data?
SAPConsole - Lessons Learned
SAPConsole implementation is about more than deploying a transaction to a wireless device
Understand and plan a secure, wireless infrastructure before you start
Understand your “real” security requirements for SAP user administration – if you have solid processes use them
Get and stay current on SAPConsole – SAP continues to enhance the functionality
Track your implementation and validate that your security approach meets your company needs