If you are not using something, then it is better to deactivate it or leave it inactive in front-end component application gateways.
The trick is to limit the attack surface at the network port level and then use the application logic of the available ports to restrict what can be done with them if they must be open.
Opening DB ports from the server LAN to the client LAN is not a good example of this. But you should harden your DBs anyway. The same goes for OS systems, as they might trust each other beyond SAP and use other ports for that.
DR is always a tricky thing (how to automate securely). There are some clever ways of doing this if you accept that it is pushed from SAP and monitored by the SAP system.
You should only mirror to data centers that you trust, and in the SAP world it is not realistic to encrypt the DB.
Cheers,
Julius