[Opensim-users] Securing OpenSim with Sandboxie

Tue Mar 31 22:15:44 UTC 2009

Skidz,

You will enjoy VBOX.  I have had some years of experience with this and that
virtualization due tu prior work.

I am not too technical any more, but was quite impressed.

The problem with sandbox of the type like sandboxie is, that they have no
baseline etc. So, what they do is a best guess what is right and what is
wrong.

You could add Appamor or something like that on top, to make it a little bit
more secure.

Don´t get that wrong - those systems do actually help.

How does virtualization do the job:  it is the acceptance of calculated
risc, spoken in ISMS/risc management terms.

I have an (virtualized) operating system

I do patch it and secure it as usual.

I do NOT have data inside that is not needed for the testing inside (e.g.
opensim)

I have a maybe unsecure application on top.

So, if this system is compromised, it´s no big deal.  It´s very easy to set
up backup and recovery.
Even a denial of service would maybe crash the virtual guest, but not the
host.

If it is crashed/taken over - it is easy to get an copy for further
inspection.

If it is crashed for technical reasons, as easy for a debug copy.

If you even use a separate network interface - it is very secure.

I know a few system, that got PCI approval due to high security in a
virtualized scenario.

But - besides that:  I am very happy to see you here at the open source
front   ;-)

Cheers,
Ralf

On Sun, Mar 29, 2009 at 4:54 PM, Skidz Tweak <skidz.tweak at gmail.com> wrote:

> Hey Ralf...
>
> Thanks for the information, I had never heard of virtualbox before and
will
> defentrly check it out.
>
> But how does virtualization provide security? Besides the fact that you
can
> roll back any changes made?
> I currently run my sims on a esxi 3.5 server, and really I don't believe
it
> helps with security at all.
>
> If a exploit was discoved in Opensim, and someone took advantage of it,
> with
> sandboxie it would stop them from accessing anything on the computer..
> but with virtualization, it would not do anything at all.
>
>
> -----Original Message-----
> From: opensim-users-bounces at lists.berlios.de
> [mailto:opensim-users-bounces at lists.berlios.de] On Behalf Of Ralf Haifisch
> Sent: Sunday, March 29, 2009 6:47 AM
> To: opensim-users at lists.berlios.de
> Subject: Re: [Opensim-users] Securing OpenSim with Sandboxie
>
> Hey Skidz,
>
> It?s a quite good idea to have isolated environment - at least if you
> want/need to run opensim or other software in an "unclear security state"
> on
> a non dedicated system.
>
> I had a look into sandboxie and would maybe suggest to use a "full
> virtualization".  Since Hypervisor are not suitable for many people (need
> to
> run the virtualization on top of a operating system) and may have own
> security riscs, regular emulation type virtualization works nice.
>
> A nice opensource project is vbox from sun.  http://www.virtualbox.org/ It
> comes with binaries for most linux boxes, as well as for windows.
>
> In benchmarks compared to vmware server (not 3i), it did perform amazing
> fast.  You can even swap premade system or virtual disks for diagnosis.
>
> In any virtualization, remember to use a dedicated network interface card,
> if you want to protect against denial of service etc.
>
> So:
> - great idea to make a save environment
> - if you want a fast way and are not to paranoid about security or multi
> platform sandboxie seems a choice
> - if you look into multiplatform, or swapable virtual machines - or are
> more
> paranoid about security I would advice vbox
>
>
> I really love to see, that more and more people think about security and
> production environments.
>
>