BEING HAPI!
REVERSE PROXYING ON
PURPOSE
DUBLIN NODE COMMUNITY TALK
May 29 2014
Building a Reverse Proxy With Node
Enterprise IT
Scalability Testing
Lots of Clients
Tools
Happy Second Anniversary!
Chris Lawless | Kevin Yu Wei Xia |Fergal Carroll @phergalkarl| Ciarán Ó hUallacháin Aman Kohli @akohli
NODE IS MAINSTREAM
WHY NODE?
✔︎ Node
• Everyone knows
Javascript, right?
• Community
• Expediency
• It was Cool in 2012
- @adam_baldwin
“Walmart has had good success with HAPI and
Node”
- @eoinbrazil
“Node is good. I’ve heard good things about
HAPI”
HOMOLOGATED
It’s approved for internal
usage
Less Yak Shaving than
other solutions
• different at least
• good internal
community beware of dog, staff only
IT AIN’T EASY
but we gotta try
ENTERPRISES
• Plurality of systems, services
• web resources
• web sites
• Connectivity challenges
• direct
• mediated
• Security
• AuthN
• AuthZ
• Data Encryption at rest
ENTERPRISES - DETAIL
Accessing internal web resources
Accessing internal web sites
Lots of hoops
connectivity, security
Connectivity options
Direct via opening firewall
via gateway device
via mediated proxy
HOW WE DID IT
PROXYING IS EASY
WHAT IS INVOLVED
NOTES ON PREVIOUS
SLIDE
Node Component
Security
Who Identity (Authentication)
What Permissions (Authorisation)
Prevent Data Leakage
Controls (cut and paste)
Secure Sandbox
Activation/Deactivation
Connectivity + AuthN/Z
Connectivity
Gateway Appliance (~50ms overhead)
Systems
Dev SIT UAT Prod
Not Production, Pre Production, and Mine
WHAT WE HAVE
• Dual CPU Xeon 2.6GHz RHEL 6.3
• HTTP 1.1 no Keep-Alive, request payload is json
• Client iOS ObjectiveC, Node + Hapi (with Some
Good Monitoring)
• Great Details on Best practice
• https://gist.github.com/hueniverse/7686452
DETAILS
THE FLOW
• The Protocol
• Security - Gateway Access
• Federated Identity, my foot
• NTLM I hardly knew ye
PROTOCOL
Request
json body
target
headers
body/post-data
loginfo
request = {
  URL = "http://www.citigroup.net/",
  method = "GET",
  timeout = 19500,
  clientInfo = {
    identifier = "…E",
    model = "iPad Simulator",
    systemName = "iPhone OS",
    systemVersion = "7.1",
  },
  headers = {
    Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..",
    "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167"
  },
  logEntries = [
    {
      URL = "https://cinternal.site/target/fooa",
      downstreamDuration = 656,
      httpMethod = "GET",
      roundtripDuration = 3461,
      statusCode = 200
    }]
}
RESPONSE
response = {
  body = "<base64>",
  code = 200,
  duration = 31,
  headers = {
    "Accept-Ranges" = [
      "bytes"
    ],
    "Content-Length" = [
      225
    ],
    "Content-Type" = [
      "text/html"
    ],
    Date = [
      "Thu, 29 May 2014 15:28:29 GMT"
    ],
    Etag = [
      ""e1-4e50c74f""
    ],
    "Last-Modified" = [
      "Sun, 21 Aug 2011 08:52:31 GMT"
    ]
  },
  message = "OK"
}
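As an added example (not code from the talk or from hapi), here is how the request envelope on the PROTOCOL slide can be validated before the proxy forwards it, and how a downstream reply is wrapped into the RESPONSE shape. The host allowlist, method list, timeout cap and header policy are assumptions made for this example; the field names follow the slides.

```javascript
// Added example, not the talk's code. Validates the JSON request envelope the
// client sends to the proxy and turns it into a downstream request plan, then
// wraps a downstream reply in the RESPONSE envelope shape from the slides.

// Assumed policy: the proxy may only reach these internal hosts. Without such a
// check a client could name any intranet URL and have the proxy fetch it.
const ALLOWED_HOSTS = new Set(['www.citigroup.net', 'cinternal.site']);
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE']);
const MAX_TIMEOUT_MS = 30000; // assumed cap; the slide's sample asks for 19500

// Hop-by-hop headers belong to a single connection and are not forwarded by a
// proxy; Host is derived from the target URL instead of trusting the client.
const DROP_HEADERS = new Set(['connection', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'host']);

function planDownstreamRequest(envelope) {
  if (!envelope || typeof envelope !== 'object') throw new Error('envelope must be an object');
  const method = String(envelope.method || 'GET').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) throw new Error(`method not allowed: ${method}`);

  let target;
  try { target = new URL(String(envelope.URL)); } catch { throw new Error('URL must be absolute'); }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${target.protocol}`);
  }
  if (!ALLOWED_HOSTS.has(target.hostname)) throw new Error(`host not allowlisted: ${target.hostname}`);

  const requested = Number(envelope.timeout);
  const timeout = Number.isFinite(requested) && requested > 0
    ? Math.min(requested, MAX_TIMEOUT_MS) : MAX_TIMEOUT_MS;

  if (envelope.headers && typeof envelope.headers !== 'object') throw new Error('headers must be an object');
  const headers = {};
  for (const [name, value] of Object.entries(envelope.headers || {})) {
    const key = name.toLowerCase();
    if (DROP_HEADERS.has(key)) continue;
    // A CR or LF inside a value would let the client append header lines downstream.
    if (typeof value !== 'string' || /[\r\n]/.test(value)) throw new Error(`invalid header value for ${name}`);
    headers[key] = value;
  }
  headers.host = target.host;

  return { method, url: target.href, headers, timeout, body: envelope.body ?? null };
}

// RESPONSE shape from the slide: base64 body, numeric code, every header value as an array.
function buildResponseEnvelope(statusCode, statusMessage, headers, body, durationMs) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? value : [value];
  }
  return {
    body: Buffer.from(body).toString('base64'),
    code: statusCode,
    duration: durationMs,
    headers: out,
    message: statusMessage,
  };
}

module.exports = { planDownstreamRequest, buildResponseEnvelope };
```

The plan object is what a hapi route handler would hand to its outbound HTTP client; the allowlist and header filtering sit in front of that call so the proxy never fetches a URL or forwards a header line that the client alone chose.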
NTLM
Ouch
NTLM AUTHENTICATION
Enterprise authentication protocol
(Microsoft).
NTLM requires all phases to take place
across a single HTTP connection.
NTLM messages are sent and received as
request headers.
The server’s response from the NTLM type
3 message is the requested content.
This authentication process must be
completed for every requested resource,
unless an open connection is maintained.
NTLM TYPE 1 MESSAGE
• Sent from the client to initiate the NTLM authentication process.
• Includes flags and OS information (indicating version, build and revision).
• May or may not include hostname and domain information.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x01000000)
12 Flags - long
(16) Supplied Domain (optional) - security buffer
(24) Supplied Workstation (optional) - security buffer
(32) OS Version Structure (optional) - 8 bytes
(32) (40) Start of data block (if required)
NTLM TYPE 2 MESSAGE
• Server responds to the client’s type 1 message.
• Includes the challenge, flags, target name and target information.
• Each of these is used to construct the type 3 message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x02000000)
12 Target Name - security buffer
20 Flags - long
24 Challenge - 8 bytes
(32) Context (optional) - 8 bytes (two consecutive longs)
(40) Target Information (optional) - security buffer
(48) OS Version Structure (optional) - 8 bytes
NTLM TYPE 3 MESSAGE
• Final step in authentication.
• Constructed using information from the type 2 server response message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x03000000)
12 LM/LMv2 Response - security buffer
20 NTLM/NTLMv2 Response - security buffer
28 Target Name - security buffer
36 User Name - security buffer
44 Workstation Name - security buffer
(52) Session Key (optional) - security buffer
(60) Flags (optional) - long
(64) OS Version Structure (optional) - 8 bytes
52 (64) (72) Start of data block
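As an added example, not from the talk or its NTLM port, the following encodes a minimal Type 1 message and parses a Type 2 message using the offset tables above. The flag values are the MS-NLMP constants; the sample Type 2 message and its target name are constructed here. The parser checks every security buffer against the message length before reading it, which is the check a proxy wants when it parses headers from an upstream it does not control.

```javascript
// Added example, not the talk's code. NTLM Type 1 encoding and Type 2 parsing
// following the offset tables on the slides. Flag constants are from MS-NLMP;
// the sample Type 2 message built by buildSampleType2 is constructed for this example.

const NTLMSSP_SIGNATURE = Buffer.from('NTLMSSP\0', 'latin1'); // 8 bytes at offset 0
const FLAGS = {
  NEGOTIATE_UNICODE: 0x00000001,
  REQUEST_TARGET: 0x00000004,
  NEGOTIATE_NTLM: 0x00000200,
  NEGOTIATE_ALWAYS_SIGN: 0x00008000,
  TARGET_TYPE_DOMAIN: 0x00010000,
  NEGOTIATE_TARGET_INFO: 0x00800000,
};

// A "security buffer" is 8 bytes: uint16 length, uint16 allocated length, uint32 offset.
function writeSecBuffer(buf, at, length, offset) {
  buf.writeUInt16LE(length, at);
  buf.writeUInt16LE(length, at + 2);
  buf.writeUInt32LE(offset, at + 4);
}

// Return the bytes a security buffer points to, refusing offsets or lengths that
// fall outside the message so a malformed upstream reply cannot make us read past it.
function readSecBuffer(buf, at) {
  const length = buf.readUInt16LE(at);
  const offset = buf.readUInt32LE(at + 4);
  if (offset + length > buf.length) throw new Error(`security buffer at ${at} points outside message`);
  return buf.subarray(offset, offset + length);
}

// Simplest Type 1 (the "defaults used, optional parameters omitted" form):
// a 32-byte header whose domain and workstation buffers are empty.
function buildType1(flags = FLAGS.NEGOTIATE_UNICODE | FLAGS.REQUEST_TARGET |
                            FLAGS.NEGOTIATE_NTLM | FLAGS.NEGOTIATE_ALWAYS_SIGN) {
  const msg = Buffer.alloc(32);
  NTLMSSP_SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(1, 8);              // message type 1
  msg.writeUInt32LE(flags >>> 0, 12);   // flags
  writeSecBuffer(msg, 16, 0, 32);       // supplied domain (omitted)
  writeSecBuffer(msg, 24, 0, 32);       // supplied workstation (omitted)
  return msg;
}

// Constructed Type 2 for the example: 48-byte header, then the target name in
// UTF-16LE and a target-info block with one AV_PAIR (id 2 = NetBIOS domain) + EOL.
function buildSampleType2(challenge, targetName) {
  const name = Buffer.from(targetName, 'utf16le');
  const info = Buffer.concat([
    Buffer.from([2, 0, name.length & 0xff, name.length >> 8]), name,
    Buffer.from([0, 0, 0, 0]),           // MsvAvEOL
  ]);
  const msg = Buffer.alloc(48 + name.length + info.length);
  NTLMSSP_SIGNATURE.copy(msg, 0);
  msg.writeUInt32LE(2, 8);                                     // message type 2
  writeSecBuffer(msg, 12, name.length, 48);                    // target name
  msg.writeUInt32LE((FLAGS.NEGOTIATE_UNICODE | FLAGS.REQUEST_TARGET | FLAGS.NEGOTIATE_NTLM |
                     FLAGS.TARGET_TYPE_DOMAIN | FLAGS.NEGOTIATE_TARGET_INFO) >>> 0, 20);
  challenge.copy(msg, 24);                                     // 8-byte server challenge
  writeSecBuffer(msg, 40, info.length, 48 + name.length);      // target information
  name.copy(msg, 48);
  info.copy(msg, 48 + name.length);
  return msg;
}

function parseType2(buf) {
  if (buf.length < 32 || !buf.subarray(0, 8).equals(NTLMSSP_SIGNATURE)) throw new Error('not an NTLMSSP message');
  const type = buf.readUInt32LE(8);
  if (type !== 2) throw new Error(`expected type 2, got ${type}`);
  const flags = buf.readUInt32LE(20);
  const encoding = (flags & FLAGS.NEGOTIATE_UNICODE) ? 'utf16le' : 'latin1';
  const result = {
    flags,
    targetName: readSecBuffer(buf, 12).toString(encoding),
    challenge: buf.subarray(24, 32),
    targetInfo: {},   // AV_PAIR id -> decoded value
  };
  if (buf.length >= 48 && (flags & FLAGS.NEGOTIATE_TARGET_INFO)) {
    const info = readSecBuffer(buf, 40);
    for (let p = 0; p + 4 <= info.length;) {
      const id = info.readUInt16LE(p), len = info.readUInt16LE(p + 2);
      if (id === 0) break;   // MsvAvEOL
      if (p + 4 + len > info.length) throw new Error('AV_PAIR runs past target info');
      result.targetInfo[id] = info.subarray(p + 4, p + 4 + len).toString(encoding);
      p += 4 + len;
    }
  }
  return result;
}

module.exports = { FLAGS, buildType1, buildSampleType2, parseType2 };
```

On the wire each message travels base64-encoded in an `Authorization: NTLM` request header (Type 1 and 3) or a `WWW-Authenticate: NTLM` response header (Type 2), which is why the proxy has to decode and bounds-check it before it touches any offset.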
WORKING
Implementation Challenges
• Storage of password on mobile device is
prohibited, but is required in the authentication
process.
• Persistent connection not available.
• Latency issues – 3 requests for every web
resource.
Solution
• Ported from Apache Java implementation to
Node.js.
• Hashed username / password pair stored on
device, transmitted to server for authentication
rather than raw password.
• hmac_md5(username, md4(password))
• NTLM message calculation split between client
app and proxy server.
• Defaults used and optional parameters omitted –
simplified messages.
• Observed desktop browsers wait for a 401 before
beginning the authentication process. Pre-emptively
sending the username / password hash eliminates
the initial 401 response.
Process is reduced from 3 direct requests to a
single client request, mapped to 2 proxy requests.
GITHUB.COM/SPUMKO/FLOD
flod -n 2000 -t 1500 -c 100..1000 -v http://target-place
FLOD OUTPUT
## 6k page results
ec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.html
This is Flod, version 0.2.2
Copyright 2013 Walmart, http://github.com/spumko/flod
Benchmarking (hold on)...
Server Requests/sec Latency (ms)
--------------------------------------- ------------ ---------------
http://localhost/loremipsum-6k-ish.html 100 96.48 ± 18.54
http://localhost/loremipsum-6k-ish.html 200 164.24 ± 17.03
http://localhost/loremipsum-6k-ish.html 300 263.80 ± 62.44
http://localhost/loremipsum-6k-ish.html 400 359.61 ± 49.20
http://localhost/loremipsum-6k-ish.html 500 437.66 ± 58.69
http://localhost/loremipsum-6k-ish.html 600 481.29 ± 120.04
http://localhost/loremipsum-6k-ish.html 700 606.74 ± 114.45
http://localhost/loremipsum-6k-ish.html 800 555.08 ± 133.74
http://localhost/loremipsum-6k-ish.html 900 674.08 ± 190.91
http://localhost/loremipsum-6k-ish.html 1000 763.27 ± 69.25
## running with high timeout - doubling response times vs nginx direct
[ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000
This is Flod, version 0.2.2
Copyright 2013 Walmart, http://github.com/spumko/flod
Benchmarking (hold on)...
Server Requests/sec Latency (ms)
--------------------- ------------ ----------------
http://localhost:8000 100 200.55 ± 39.40
http://localhost:8000 200 389.54 ± 67.39
http://localhost:8000 300 558.14 ± 112.57
http://localhost:8000 400 777.09 ± 160.01
http://localhost:8000 500 970.61 ± 305.76
http://localhost:8000 600 1032.37 ± 274.44
http://localhost:8000 700 1216.49 ± 249.94
http://localhost:8000 800 1483.31 ± 690.64
http://localhost:8000 900 1559.54 ± 805.31
http://localhost:8000 1000 1909.23 ± 845.81
MODIFYING FLOD
• modified server to pull our decorated
response timing information
• modified reporting/logging to include this
information
• hope to contribute back to mainline
TESTING
• Test Environment
• Understanding the Results
• Graphing the Results
SCENARIOS
• Closed network, direct
connection, Mac to Mac
• Client server on a redhat VM,
loopback. Redhat VM
• Redhat client to Windows Server
via network, Redhat to Windows
• via Mobile network/wifi could only
support 100 transactions/s
because of latency
Scenario         Req/s   Response (ms)
---------------  ------  -------------
Mac to Mac         1000          2,000
Redhat VM          1000          8,500
RD to Windows      1000         30,000
External            100         17,000
RESULTS
EXCELLENT
GITHUB.COM/ES-ANALYSIS/PLATO
Javascript visualization and analysis tool.
Plato can be used to estimate how maintainable the code in a project is.
From the data it collects it generates easy to understand, minimalist, interactive web pages.
PLATO
Plato can also be used
to estimate how many
errors a project may
contain. We can also use
Plato to look more
closely for potential
problems in
individual pieces of
code.
• Plato is good for spotting areas such as large nests of code which could be hard to read and maintain, and may be error prone.
• It relies on heuristics that may not always be right, and it won't spot every bug.
More Plato
Plato is very easy to install:
$ npm install -g plato
And almost as easy to run:
$ plato -r -d report src
JEST.JS
Jest allows us to call up Javascript functions from other files so we can quickly
pass them data and compare it to what should be returned.
Jest minimizes the amount of code we have to write for tests and is set up so we
can neatly bundle and keep our tests separate from our project code.
SCALABILITY PACKETS
• Pile of VMs to auto-scale
• Need elastic environment with a smart load
balancer and configuration management
QUESTIONS? COMMENTS?
THANKS!

More Related Content

What's hot

Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5usnyff
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Strongersnyff
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Writing robust Node.js applications
Writing robust Node.js applicationsWriting robust Node.js applications
Writing robust Node.js applicationsTom Croucher
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Top 30 Node.js interview questions
Top 30 Node.js interview questionsTop 30 Node.js interview questions
Top 30 Node.js interview questionstechievarsity
 
node.js: Javascript's in your backend
node.js: Javascript's in your backendnode.js: Javascript's in your backend
node.js: Javascript's in your backendDavid Padbury
 
Node js presentation
Node js presentationNode js presentation
Node js presentationmartincabrera
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.jsConFoo
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒Toki Kanno
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 

What's hot (20)

Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
JWT: jku x5u
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Harder Faster Stronger
Harder Faster StrongerHarder Faster Stronger
Harder Faster Stronger
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Writing robust Node.js applications
Writing robust Node.js applicationsWriting robust Node.js applications
Writing robust Node.js applications
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Top 30 Node.js interview questions
Top 30 Node.js interview questionsTop 30 Node.js interview questions
Top 30 Node.js interview questions
 
node.js: Javascript's in your backend
node.js: Javascript's in your backendnode.js: Javascript's in your backend
node.js: Javascript's in your backend
 
Node js presentation
Node js presentationNode js presentation
Node js presentation
 
Building servers with Node.js
Building servers with Node.jsBuilding servers with Node.js
Building servers with Node.js
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 

Similar to Being HAPI! Reverse Proxying on Purpose

The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging  the Enterprise Into It (nodejs)The Real World - Plugging  the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)Aman Kohli
 
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...Aman Kohli
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDaniel-Constantin Mierla
 
Expanding your impact with programmability in the data center
Expanding your impact with programmability in the data centerExpanding your impact with programmability in the data center
Expanding your impact with programmability in the data centerCisco Canada
 
Network Automation with Salt and NAPALM: Introuction
Network Automation with Salt and NAPALM: IntrouctionNetwork Automation with Salt and NAPALM: Introuction
Network Automation with Salt and NAPALM: IntrouctionCloudflare
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red HatShawn Wells
 
Splunk Conf 2014 - Getting the message
Splunk Conf 2014 - Getting the messageSplunk Conf 2014 - Getting the message
Splunk Conf 2014 - Getting the messageDamien Dallimore
 
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek PROIDEA
 
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackDocker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackJakub Hajek
 
KazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka StyleKazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka Style2600Hz
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop AutomationRui Lapa
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStormShu Sugimoto
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingNCCOMMS
 
6 tips for improving ruby performance
6 tips for improving ruby performance6 tips for improving ruby performance
6 tips for improving ruby performanceEngine Yard
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 

Similar to Being HAPI! Reverse Proxying on Purpose (20)

The Real World - Plugging the Enterprise Into It (nodejs)
The Real World - Plugging  the Enterprise Into It (nodejs)The Real World - Plugging  the Enterprise Into It (nodejs)
The Real World - Plugging the Enterprise Into It (nodejs)
 
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
DSLing your System For Scalability Testing Using Gatling - Dublin Scala User ...
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
 
Into The Box 2018 Ortus Keynote
Into The Box 2018 Ortus KeynoteInto The Box 2018 Ortus Keynote
Into The Box 2018 Ortus Keynote
 
Expanding your impact with programmability in the data center
Expanding your impact with programmability in the data centerExpanding your impact with programmability in the data center
Expanding your impact with programmability in the data center
 
Network Automation with Salt and NAPALM: Introuction
Network Automation with Salt and NAPALM: IntrouctionNetwork Automation with Salt and NAPALM: Introuction
Network Automation with Salt and NAPALM: Introuction
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Splunk Conf 2014 - Getting the message
Splunk Conf 2014 - Getting the messageSplunk Conf 2014 - Getting the message
Splunk Conf 2014 - Getting the message
 
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
 
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic StackDocker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
 
KazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka StyleKazooCon 2014 - Playing Kazoo Dudka Style
KazooCon 2014 - Playing Kazoo Dudka Style
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop Automation
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
 
6 tips for improving ruby performance
6 tips for improving ruby performance6 tips for improving ruby performance
6 tips for improving ruby performance
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Linked Process
Linked ProcessLinked Process
Linked Process
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 

More from Aman Kohli

New Payments Architectures and Infrastructures
New Payments Architectures and Infrastructures New Payments Architectures and Infrastructures
New Payments Architectures and Infrastructures Aman Kohli
 
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALE
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALEDecentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALE
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALEAman Kohli
 
Mobile trends 2013
Mobile trends 2013Mobile trends 2013
Mobile trends 2013Aman Kohli
 
What's Next: Talk to ITT Tallaght Final Year Computing Graduates
What's Next: Talk to ITT Tallaght Final Year Computing GraduatesWhat's Next: Talk to ITT Tallaght Final Year Computing Graduates
What's Next: Talk to ITT Tallaght Final Year Computing GraduatesAman Kohli
 
Greasing The Wheels
Greasing The WheelsGreasing The Wheels
Greasing The WheelsAman Kohli
 
Frayed Edges - Architecture In Practice
Frayed Edges - Architecture In PracticeFrayed Edges - Architecture In Practice
Frayed Edges - Architecture In PracticeAman Kohli
 

More from Aman Kohli (6)

New Payments Architectures and Infrastructures
New Payments Architectures and Infrastructures New Payments Architectures and Infrastructures
New Payments Architectures and Infrastructures
 
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALE
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALEDecentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALE
Decentralisation - DISTRIBUTED COMPUTING ON A MASSIVE SCALE
 
Mobile trends 2013
Mobile trends 2013Mobile trends 2013
Mobile trends 2013
 
What's Next: Talk to ITT Tallaght Final Year Computing Graduates
What's Next: Talk to ITT Tallaght Final Year Computing GraduatesWhat's Next: Talk to ITT Tallaght Final Year Computing Graduates
What's Next: Talk to ITT Tallaght Final Year Computing Graduates
 
Greasing The Wheels
Greasing The WheelsGreasing The Wheels
Greasing The Wheels
 
Frayed Edges - Architecture In Practice
Frayed Edges - Architecture In PracticeFrayed Edges - Architecture In Practice
Frayed Edges - Architecture In Practice
 

Recently uploaded

Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 

Recently uploaded (7)

Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 

Being HAPI! Reverse Proxying on Purpose

  • 2. DUBLIN NODE COMMUNITY TALK May 29 2014 Building a Reverse Proxy With Node Enterprise IT Scalability Testing Lots of Clients Tools Happy Second Anniversary! Chris Lawless | Kevin Yu Wei Xia |Fergal Carroll @phergalkarl| Ciarán Ó hUallacháin Aman Kohli @akohli
  • 4. WHY NODE? ✔︎ Node • Everyone knows Javascript, right? • Community • Expediency • It was Cool in 2012
  • 5. - @adam_baldwin “Walmart has had good success with HAPI and Node” - @ eoinbrazil “Node is good. I’ve heard good things about HAPI”
  • 6. HOMOLOGATED It’s approved for internal usage Less Yak Shaving than other solutions • different at least • good internal community beware of dog, staff only
  • 7. IT AIN’T EASY but we gotta try
  • 8. ENTERPRISES • Plurality of systems, services • web resources • web sites • Connectivity challenges • direct • mediated • Security • AuthN • AuthZ • Data Encryption at rest
  • 9. ENTERPRISES - DETAIL Accessing internal web resources Accessing internal web sites Lots of hoops connectivity, security Connectivity options Direct via opening firewall via gateway devie via meidated proxy
  • 13. NOTES ON PREVIOUS SLIDE Node Component Security Who Identity (Authentication) What Permissions ing (Authorisation) Prevent Data Leakage Controls (cut and paste) Secure Sandbox Activation/Deactivation Connectivity + AuthN/Z Connectivity Gateway Appliance (~50ms overhead) Systems Dev SIT UAT Prod Not Production, Pre Production, and Mine
  • 14. WHAT WE HAVE • Dual CPU Xeon 2.6GHz RHEL 6.3 • HTTP 1.1 no Keep-Alive, request payload is json • Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring) • Great Details on Best practice • https://gist.github.com/hueniverse/7686452
  • 16. THE FLOW • The Protocol • Security - Gateway Access • Federated Identity, my foot • NTLM I hardly knew ye
  • 17. PROTOCOL Request json body target headers body/post-data loginfo request = { URL = "http://www.citigroup.net/", method = "GET", timeout = 19500, clientInfo = { identifier = “…E”, model = "iPad Simulator", systemName = "iPhone OS", systemVersion = "7.1", }, headers = { Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", Cookie = "CGPLNG=ENG; JSESSIONID_CGNR3=..”, "User-Agent" = "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D167" }, logEntries = [ { URL = “https://cinternal.site/target/fooa”, downstreamDuration = 656, httpMethod = "GET", roundtripDuration = 3461, statusCode = 200 }] }
  • 18. RESPONSE body = “<base64>", code = 200, duration = 31, headers = { "Accept-Ranges" = [ "bytes" ], "Content-Length" = [ 225 ], "Content-Type" = [ "text/html" ], Date = [ "Thu, 29 May 2014 15:28:29 GMT" ], Etag = [ ""e1-4e50c74f"" ], "Last-Modified" = [ "Sun, 21 Aug 2011 08:52:31 GMT" ] }, message = "OK" }
  • 20. NTLM AUTHENTICATION
  Enterprise authentication protocol (Microsoft). NTLM authenticates the connection, not the request: all phases must take place across a single HTTP connection. NTLM messages travel base64-encoded in HTTP headers (Authorization on the way in, WWW-Authenticate on the way back). The server's response to the type 3 message is the requested content. Unless an open connection is maintained, this handshake must be completed for every requested resource.
  • 21. NTLM TYPE 1 MESSAGE
  • Sent from the client to initiate the NTLM authentication process.
  • Includes flags and OS information (version, build and revision).
  • May or may not include hostname and domain information.
  Offset    Field
  0         NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
  8         NTLM Message Type - long (0x01000000)
  12        Flags - long
  (16)      Supplied Domain (optional) - security buffer
  (24)      Supplied Workstation (optional) - security buffer
  (32)      OS Version Structure (optional) - 8 bytes
  (32)/(40) Start of data block (if required; position depends on which optional fields are present)
  • 22. NTLM TYPE 2 MESSAGE
  • Server responds to the client's type 1 message.
  • Includes the challenge, flags, target name and target information.
  • Each of these is used to construct the type 3 message.
  Offset    Field
  0         NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
  8         NTLM Message Type - long (0x02000000)
  12        Target Name - security buffer
  20        Flags - long
  24        Challenge - 8 bytes
  (32)      Context (optional) - 8 bytes (two consecutive longs)
  (40)      Target Information (optional) - security buffer
  (48)      OS Version Structure (optional) - 8 bytes
  • 23. NTLM TYPE 3 MESSAGE
  • Final step in authentication.
  • Constructed using information from the type 2 server response message.
  Offset         Field
  0              NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
  8              NTLM Message Type - long (0x03000000)
  12             LM/LMv2 Response - security buffer
  20             NTLM/NTLMv2 Response - security buffer
  28             Target Name - security buffer
  36             User Name - security buffer
  44             Workstation Name - security buffer
  (52)           Session Key (optional) - security buffer
  (60)           Flags (optional) - long
  (64)           OS Version Structure (optional) - 8 bytes
  52/(64)/(72)   Start of data block (position depends on which optional fields are present)
  A security buffer is 8 bytes: 16-bit length, 16-bit allocated space, 32-bit offset of the data from the start of the message.
  • 24. WORKING
  Implementation challenges
  • Storage of the password on the mobile device is prohibited, but the password is required in the authentication process.
  • Persistent connections are not available, so the handshake cannot be reused.
  • Latency: three requests for every web resource.
  Solution
  • Ported from the Apache Java implementation to Node.js.
  • A hashed username / password pair is stored on the device and transmitted to the server for authentication rather than the raw password: hmac_md5(username, md4(password)), i.e. the NTLMv2 hash (NTOWFv2). Caveat: for NTLM this value is password-equivalent (anyone holding it can authenticate as the user without ever learning the password), so the device must protect it as a credential, not as an opaque token.
  • NTLM message calculation is split between the client app and the proxy server.
  • Defaults are used and optional parameters omitted, which simplifies the messages.
  • Desktop browsers were observed to wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response: the process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.
  • 25. GITHUB.COM/SPUMKO/FLOD
  flod -n 2000 -t 1500 -c 100..1000 -v http://target-place
  • 26. FLOD OUTPUT
  ## 6k page results
  [ec2-user@ip-10-199-51-233 node-hapi]$ flod -n 2000 -t 1500 -c 100..1000 -v http://localhost/loremipsum-6k-ish.html
  This is Flod, version 0.2.2
  Copyright 2013 Walmart, http://github.com/spumko/flod
  Benchmarking (hold on)...
  Server                                   Requests/sec   Latency (ms)
  ---------------------------------------  ------------   ---------------
  http://localhost/loremipsum-6k-ish.html  100            96.48 ± 18.54
  http://localhost/loremipsum-6k-ish.html  200            164.24 ± 17.03
  http://localhost/loremipsum-6k-ish.html  300            263.80 ± 62.44
  http://localhost/loremipsum-6k-ish.html  400            359.61 ± 49.20
  http://localhost/loremipsum-6k-ish.html  500            437.66 ± 58.69
  http://localhost/loremipsum-6k-ish.html  600            481.29 ± 120.04
  http://localhost/loremipsum-6k-ish.html  700            606.74 ± 114.45
  http://localhost/loremipsum-6k-ish.html  800            555.08 ± 133.74
  http://localhost/loremipsum-6k-ish.html  900            674.08 ± 190.91
  http://localhost/loremipsum-6k-ish.html  1000           763.27 ± 69.25
  ## running with high timeout - roughly doubling response times vs nginx direct
  [ec2-user@ip-10-199-51-233 node-hapi]$ ../node_modules/flod/bin/flod -n 2000 -t 4500 -c 100..1000 -v http://localhost:8000
  This is Flod, version 0.2.2
  Copyright 2013 Walmart, http://github.com/spumko/flod
  Benchmarking (hold on)...
  Server                 Requests/sec   Latency (ms)
  ---------------------  ------------   ----------------
  http://localhost:8000  100            200.55 ± 39.40
  http://localhost:8000  200            389.54 ± 67.39
  http://localhost:8000  300            558.14 ± 112.57
  http://localhost:8000  400            777.09 ± 160.01
  http://localhost:8000  500            970.61 ± 305.76
  http://localhost:8000  600            1032.37 ± 274.44
  http://localhost:8000  700            1216.49 ± 249.94
  http://localhost:8000  800            1483.31 ± 690.64
  http://localhost:8000  900            1559.54 ± 805.31
  http://localhost:8000  1000           1909.23 ± 845.81
  • 27. MODIFYING FLOD • modified server to pull our decorated response timing information • modified reporting/logging to include this information • hope to contribute back to mainline
  • 28. TESTING • Test Environment • Understanding the Results • Graphing the Results
  • 29. SCENARIOS
  • Closed network, direct connection, Mac to Mac
  • Client and server on a Redhat VM, loopback (Redhat VM)
  • Redhat client to Windows Server via network (Redhat to Windows)
  • Via mobile network/wifi (External): could only support 100 transactions/s because of latency
  Scenario            Req/s   Response (ms)
  Mac to Mac          1000    2,000
  Redhat VM           1000    8,500
  Redhat to Windows   1000    30,000
  External            100     17,000
  • 32. GITHUB.COM/ES-ANALYSIS/PLATO
  A JavaScript source visualization and analysis tool. Plato can be used to estimate how maintainable the code in a project is. From the data it collects it generates easy to understand, minimalist, interactive web pages.
  • 33. PLATO
  Plato can also be used to estimate how many errors a project may contain (the Halstead "estimated bugs" metric). We can also use Plato to look more closely for potential problems in individual pieces of code.
  • 34.
  • Plato is good for spotting areas such as large nests of code which could be hard to read and maintain and may be error prone.
  • It relies on heuristics that may not always be right, and it won't spot every bug.
  • 35. More Plato
  Plato is very easy to install:
      $ npm install -g plato
  And almost as easy to run:
      $ plato -r -d report src
  • 36. JEST.JS
  Jest allows us to call up JavaScript functions from other files so we can quickly pass them data and compare the result to what should be returned. Jest minimizes the amount of code we have to write for tests and is set up so we can neatly bundle our tests and keep them separate from our project code.
  • 37. SCALABILITY PACKETS • Pile of VMs to auto-scale • Need elastic environment with a smart load balancer and configuration management

Editor's Notes

  1. Accessing internal web resources; accessing internal web sites. Lots of hoops: connectivity, security. Connectivity diagrams …. A couple of slides on options: direct firewall opening; via ext NOC.
  2. Node component. Security: who (identity, authentication); what (permissioning, authorisation); prevent data leakage; controls (cut and paste); secure sandbox; activation/deactivation. Connectivity + AuthN/Z. Connectivity: gateway appliance (~50ms overhead). Systems: Dev, SIT, UAT, Prod. Not Production, Pre Production, and Mine.