The outer request contains other HTTP requests, each with its own headers and URL.

When a web application firewall (WAF) that does not understand batching processes an HTTP request whose body carries several batched requests, it treats the whole body as a single payload. It therefore applies only payload-related signatures to the batch, which can both produce false positives and let attacks go undetected.

In F5 Advanced WAF v16.1, F5 has added native parsing and support for HTTP batched requests. This allows Advanced WAF to distinguish between each HTTP request individually - and not collectively in a batch - and therefore run the proper signatures on the right parts of each request.

F5 Advanced WAF protects OData and any other traffic that uses HTTP batched requests without missing attacks hidden inside the batch or producing many false positives.
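To make the distinction concrete, here is an added example (my own code, not F5's implementation) of the minimal parsing a batch-aware WAF has to do: it splits an OData $batch body (multipart/mixed, with application/http parts and optional nested multipart/mixed changesets) into individual sub-requests, each with its own method, target URL, headers and body, and then runs a few per-request checks on each one. The sample batch, the service host "api.example", the allowed-method set and the URL length limit are all constructed for the example.

```python
# Added example: split an OData $batch body into sub-requests and inspect each one.
# Not F5's code; the batch below and the policy constants are constructed.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}  # assumed policy
MAX_TARGET_LEN = 2048                                        # assumed policy
BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?')


@dataclass
class SubRequest:
    method: str
    target: str
    headers: dict
    body: str
    content_id: Optional[str] = None


def split_multipart(body, boundary):
    """Return the raw parts between '--boundary' lines, stopping at '--boundary--'."""
    delim = "--" + boundary
    parts, current, inside = [], [], False
    for line in body.replace("\r\n", "\n").split("\n"):
        if line == delim or line == delim + "--":
            if inside:                      # close the part collected so far
                parts.append("\n".join(current))
            current, inside = [], True
            if line.endswith("--"):         # closing delimiter ends the container
                break
        elif inside:
            current.append(line)
    return parts


def split_headers(block):
    """Split 'Name: value' lines from the payload after the first blank line."""
    head, _, payload = block.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, payload


def parse_http_part(payload):
    """Parse one application/http part: request line, headers, blank line, body."""
    request_line, _, rest = payload.partition("\n")
    fields = request_line.split(" ", 2)
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    headers, body = split_headers(rest)
    return SubRequest(fields[0], fields[1], headers, body.strip())


def parse_batch(content_type, body):
    """Flatten a $batch body, including nested changesets, into SubRequest objects."""
    match = BOUNDARY_RE.search(content_type)
    if not content_type.lower().startswith("multipart/mixed") or not match:
        raise ValueError("not a multipart/mixed batch")
    requests = []
    for part in split_multipart(body, match.group(1)):
        part_headers, payload = split_headers(part)
        ctype = part_headers.get("content-type", "").lower()
        if ctype.startswith("multipart/mixed"):          # changeset: recurse
            requests.extend(parse_batch(ctype, payload))
        elif ctype.startswith("application/http"):
            req = parse_http_part(payload)
            req.content_id = part_headers.get("content-id")
            requests.append(req)
        else:
            raise ValueError(f"unexpected part content type: {ctype!r}")
    return requests


def check_subrequest(req, service_host):
    """Per-request checks that only become possible once the parts are separated."""
    findings = []
    if req.method not in ALLOWED_METHODS:
        findings.append(f"method {req.method} not allowed")
    url = urlsplit(req.target)
    if url.netloc and url.netloc.lower() != service_host.lower():
        findings.append(f"target host {url.netloc} outside service root {service_host}")
    if ".." in url.path.split("/"):
        findings.append("parent-directory segment in target path")
    if len(req.target) > MAX_TARGET_LEN:
        findings.append("target URL exceeds length limit")
    return findings


def inspect_batch(content_type, body, service_host):
    """Return (sub-request, findings) pairs for every request in the batch."""
    return [(r, check_subrequest(r, service_host)) for r in parse_batch(content_type, body)]


# Constructed sample: one GET, one POST inside a changeset, one GET to another host.
SAMPLE_CONTENT_TYPE = "multipart/mixed; boundary=batch_demo"
SAMPLE_BODY = "\r\n".join([
    "--batch_demo", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
    "GET Products(1) HTTP/1.1", "Accept: application/json", "", "",
    "--batch_demo", "Content-Type: multipart/mixed; boundary=changeset_demo", "",
    "--changeset_demo", "Content-Type: application/http", "Content-ID: 1", "",
    "POST Products HTTP/1.1", "Content-Type: application/json", "", '{"Name": "Widget"}',
    "--changeset_demo--",
    "--batch_demo", "Content-Type: application/http", "",
    "GET https://other.example/odata/Products HTTP/1.1", "", "",
    "--batch_demo--",
])

if __name__ == "__main__":
    for req, findings in inspect_batch(SAMPLE_CONTENT_TYPE, SAMPLE_BODY, "api.example"):
        print(req.method, req.target, findings or "ok")
```

A WAF without batch support sees only the opaque text of SAMPLE_BODY and can apply body signatures to it as a whole; after parsing, the third sub-request's URL can be evaluated on its own, and the nested changeset contributes its POST as a separate request with its own headers and JSON body.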

SAP leverages the OData protocol to communicate and interoperate with any application, software, or device that is not an SAP offering. As OData is based on HTTPS, any programming language - and for that matter, any developer - can produce and consume OData messages. This allows any non-SAP offering to connect with SAP over HTTPS, as the OData interface is based on XML or JSON.

SAP Fiori delivers tools that empower designers and developers to create and optimize native mobile and web apps with a consistent, innovative user experience across platforms. SAP Fiori provides a modern user experience on any device and for every user, giving users a simple, productive work-from-anywhere experience. OData enables non-SAP apps to be integrated and interoperable in an SAP Fiori-created environment.

While interoperability and easy communications are essential, so is security, especially for SAP Fiori deployments that are internet-facing and consume analytical applications or that use search over the Internet.

In a blog published by SAP, 'Considerations and Recommendations for Internet-facing Fiori apps,' SAP states that a WAF 'should be placed in front of the SAP Web Dispatcher, monitoring and controlling all incoming HTTP requests,' and that a WAF should be deployed 'between a trusted internal network and the untrusted Internet.' The blog goes on to point out that, among the security capabilities available in a WAF, it should stop Distributed Denial of Service (DDoS) attacks, particularly 'so they cannot reach your SAP S/4HANA system.'

Support of OData protocol by F5 Advanced WAF enables customers to protect SAP applications with higher efficacy and reduced false positives.

For more information on F5 solutions for SAP Fiori and S/4 HANA, please review the following:

  • Quick and Secure: SAP Migration to the Cloud (F5.com)
  • Mitigating Active Cyberattacks on Mission-Critical SAP Applications | DevCentral (f5.com)

For more information on SAP Fiori and the use of a WAF to secure SAP Fiori and reduce the false positives associated with its use of OData and HTTP batch requests, you can review the following:

  • Considerations and Recommendations for Internet-facing Fiori apps | SAP Blogs
  • Deployment in the Intranet or on the Internet | SAP Help Portal

Related Content

OData - Everything that you need to know: Part 1 | SAP Blogs

OData - Everything that you need to know: Part 2 | SAP Blogs

OData - Everything that you need to know: Part 3 | SAP Blogs

Disclaimer

F5 Networks Inc. published this content on 30 August 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 31 August 2021 18:41:06 UTC.