Node is used to build a reverse proxy to provide secure access to internal web resources and sites for mobile clients within a large enterprise. Performance testing shows the proxy can handle over 1000 requests per second with latency under 1 second. Code quality analysis tools like Plato and testing frameworks like Jest are useful for maintaining high quality code. Scalability is achieved through auto-scaling virtual machine instances with a load balancer and configuration management.
2. DUBLIN NODE COMMUNITY TALK
May 29 2014
Building a Reverse Proxy With Node
Enterprise IT
Scalability Testing
Lots of Clients
Tools
Happy Second Anniversary!
Chris Lawless | Kevin Yu Wei Xia | Fergal Carroll @phergalkarl | Ciarán Ó hUallacháin | Aman Kohli @akohli
4. WHY NODE?
✔︎ Node
• Everyone knows Javascript, right?
• Community
• Expediency
• It was Cool in 2012
5. “Walmart has had good success with HAPI and Node” - @adam_baldwin
“Node is good. I’ve heard good things about HAPI” - @eoinbrazil
6. HOMOLOGATED
It’s approved for internal usage
Less Yak Shaving than other solutions
• different at least
• good internal community
beware of dog, staff only
8. ENTERPRISES
• Plurality of systems, services
  • web resources
  • web sites
• Connectivity challenges
  • direct
  • mediated
• Security
  • AuthN
  • AuthZ
  • Data Encryption at rest
9. ENTERPRISES - DETAIL
Accessing internal web resources
Accessing internal web sites
Lots of hoops: connectivity, security
Connectivity options:
Direct via opening firewall
via gateway device
via mediated proxy
13. NOTES ON PREVIOUS SLIDE
Node Component
Security
Who: Identity (Authentication)
What: Permissions (Authorisation)
Prevent Data Leakage
Controls (cut and paste)
Secure Sandbox
Activation/Deactivation
Connectivity + AuthN/Z
Connectivity
Gateway Appliance (~50ms overhead)
Systems
Dev SIT UAT Prod
Not Production, Pre Production, and Mine
14. WHAT WE HAVE
• Dual CPU Xeon 2.6GHz RHEL 6.3
• HTTP 1.1 no Keep-Alive, request payload is json
• Client iOS ObjectiveC, Node + Hapi (with Some Good Monitoring)
• Great Details on Best practice: https://gist.github.com/hueniverse/7686452
20. NTLM AUTHENTICATION
Enterprise authentication protocol (Microsoft).
NTLM requires all phases to take place across a single HTTP connection.
NTLM messages are sent and received as HTTP headers.
The server’s response to the NTLM type 3 message is the requested content.
This authentication process must be completed for every requested resource, unless an open connection is maintained.
21. NTLM TYPE 1 MESSAGE
• Sent from the client to initiate the NTLM authentication process.
• Includes flags and OS information (indicating version, build and revision).
• May or may not include hostname and domain information.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x01000000)
12 Flags - long
(16) Supplied Domain (optional) - security buffer
(24) Supplied Workstation (optional) - security buffer
(32) OS Version Structure (optional) - 8 bytes
(32) (40) Start of data block (if required)
22. NTLM TYPE 2 MESSAGE
• Server responds to the client’s type 1 message.
• Includes the challenge, flags, target name and target information.
• Each of these is used to construct the type 3 message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x02000000)
12 Target Name - security buffer
20 Flags - long
24 Challenge - 8 bytes
(32) Context (optional) - 8 bytes (two consecutive longs)
(40) Target Information (optional) - security buffer
(48) OS Version Structure (optional) - 8 bytes
23. NTLM TYPE 3 MESSAGE
• Final step in authentication.
• Constructed using information from the type 2 server response message.
0 NTLMSSP Signature - null-terminated ASCII "NTLMSSP" (0x4e544c4d53535000)
8 NTLM Message Type - long (0x03000000)
12 LM/LMv2 Response - security buffer
20 NTLM/NTLMv2 Response - security buffer
28 Target Name - security buffer
36 User Name - security buffer
44 Workstation Name - security buffer
(52) Session Key (optional) - security buffer
(60) Flags (optional) - long
(64) OS Version Structure (optional) - 8 bytes
52 (64) (72) Start of data block
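Added here as an illustration (not code from the slides or from the proxy they describe): a Node.js decoder for the three layouts above, plus a minimal Type 2 builder that constructs sample input. It assumes the standard security-buffer encoding (length u16 LE, allocated u16 LE, offset u32 LE) and the NEGOTIATE_UNICODE flag bit 0x00000001 from the NTLM specification; the target name and challenge values are made up.

```javascript
// Added example (not from the original slides): a Node.js decoder for the NTLM
// Type 1/2/3 layouts on slides 21-23. Every "security buffer" (length u16 LE,
// allocated u16 LE, offset u32 LE) is bounds-checked before it is sliced.
const NTLMSSP = Buffer.from('NTLMSSP\0', 'ascii');
const NEGOTIATE_UNICODE = 0x00000001; // flag bit: strings are UTF-16LE when set, OEM/ASCII otherwise

function readSecurityBuffer(msg, pos) {
  const len = msg.readUInt16LE(pos);
  const off = msg.readUInt32LE(pos + 4);
  if (off + len > msg.length) throw new RangeError(`security buffer at ${pos} points past end of message`);
  return msg.subarray(off, off + len);
}

function decodeString(bytes, flags) {
  return bytes.toString(flags & NEGOTIATE_UNICODE ? 'utf16le' : 'latin1');
}
// negotiatedFlags: the Type 2 flags, used when a Type 3 message omits its own optional flags.
function parseNtlm(msg, negotiatedFlags = 0) {
  if (msg.length < 12 || !msg.subarray(0, 8).equals(NTLMSSP)) throw new Error('missing NTLMSSP signature');
  const type = msg.readUInt32LE(8);
  if (type === 1) {
    const out = { type, flags: msg.readUInt32LE(12) };
    if (msg.length >= 32) { // optional domain / workstation buffers, always OEM-encoded
      out.domain = decodeString(readSecurityBuffer(msg, 16), 0);
      out.workstation = decodeString(readSecurityBuffer(msg, 24), 0);
    }
    return out;
  }
  if (type === 2) {
    const flags = msg.readUInt32LE(20);
    const out = { type, flags, targetName: decodeString(readSecurityBuffer(msg, 12), flags),
      challenge: msg.subarray(24, 32).toString('hex') };
    if (msg.length >= 48) out.targetInfo = readSecurityBuffer(msg, 40); // raw AV pairs, left undecoded
    return out;
  }
  if (type === 3) {
    // The optional flags at offset 60 can only exist if no security buffer starts before offset 64.
    const dataStart = Math.min(...[12, 20, 28, 36, 44].map((p) => msg.readUInt32LE(p + 4)));
    const flags = dataStart >= 64 ? msg.readUInt32LE(60) : negotiatedFlags;
    return { type, flags,
      lmResponse: readSecurityBuffer(msg, 12).toString('hex'),
      ntlmResponse: readSecurityBuffer(msg, 20).toString('hex'),
      targetName: decodeString(readSecurityBuffer(msg, 28), flags),
      userName: decodeString(readSecurityBuffer(msg, 36), flags),
      workstation: decodeString(readSecurityBuffer(msg, 44), flags) };
  }
  throw new Error(`unknown NTLM message type ${type}`);
}
// Minimal Type 2 builder (context and target info omitted) used only to construct
// sample input; the challenge and target name passed in are made-up values.
function buildType2(targetName, challengeHex, flags) {
  const name = Buffer.from(targetName, flags & NEGOTIATE_UNICODE ? 'utf16le' : 'latin1');
  const msg = Buffer.alloc(32 + name.length);
  NTLMSSP.copy(msg, 0);
  msg.writeUInt32LE(2, 8);             // message type
  msg.writeUInt16LE(name.length, 12);  // target name security buffer: length, allocated, offset
  msg.writeUInt16LE(name.length, 14);
  msg.writeUInt32LE(32, 16);
  msg.writeUInt32LE(flags, 20);
  Buffer.from(challengeHex, 'hex').copy(msg, 24);
  name.copy(msg, 32);
  return msg;
}
console.log(parseNtlm(buildType2('EXAMPLE', '0011223344556677', NEGOTIATE_UNICODE)));
```

A security buffer whose offset plus length exceeds the message raises RangeError instead of slicing past the end, which is the check a relaying proxy should apply before logging or forwarding header contents.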
24. WORKING
Implementation Challenges
• Storage of password on mobile device is prohibited, but is required in the authentication process.
• Persistent connection not available.
• Latency issues – 3 requests for every web resource.
Solution
• Ported from Apache Java implementation to Node.js.
• Hashed username / password pair stored on device, transmitted to server for authentication rather than raw password.
• hmac_md5(username, md4(password))
• NTLM message calculation split between client app and proxy server.
• Defaults used and optional parameters omitted – simplified messages.
• Observed desktop browsers wait for a 401 before beginning the authentication process. Pre-emptively sending the username / password hash eliminates the initial 401 response.
Process is reduced from 3 direct requests to a single client request, mapped to 2 proxy requests.
27. MODIFYING FLOD
• modified server to pull our decorated response timing information
• modified reporting/logging to include this information
• hope to contribute back to mainline
29. SCENARIOS
• Closed network, direct connection, Mac to Mac
• Client server on a Redhat VM, loopback. Redhat VM
• Redhat client to Windows Server via network, Redhat to Windows
• via Mobile network/wifi could only support 100 transactions/s because of latency

Scenario        Req/s   Response (ms)
Mac to Mac      1000    2000
Redhat VM       1000    8500
RD to Windows   1000    30,000
External         100    17,000
33. PLATO
Plato can also be used to estimate how many errors a project may contain. We can also use Plato to look more closely for potential problems in individual pieces of code.
34. • Plato is good for spotting areas such as large nests of code which could be hard to read, maintain and may be error prone.
• It relies on heuristics that may not always be right, and it won’t spot every bug.
35. More Plato
Plato is very easy to install:
$ npm install -g plato
And almost as easy to run:
$ plato -r -d report src
36. JEST.JS
Jest allows us to call up JavaScript functions from other files so we can quickly pass them data and compare it to what should be returned.
Jest minimizes the amount of code we have to write for tests and is set up so we can neatly bundle and keep our tests separate from our project code.
37. SCALABILITY PACKETS
• Pile of VMs to auto-scale
• Need elastic environment with a smart load balancer and configuration management
Accessing internal web resources
Accessing internal web sites
Lots of hoops
connectivity, security
Connectivity Diagrams ….
A couple of slides on options
Direct Firewall opening
Via ext NOC