[Opensim-users] Grid Security
core
core at odosys.net
Sun Oct 7 17:15:34 UTC 2012
unless there have been profound recent changes in the OS services
connectors structure that i've failed to notice (which is QUITE
possible), all end-user accessibility is handled by port 8002 and the
rest (connection services) is governed by port 8003 (in a standard
ROBUST based grid setup). therefore, placing :8003 behind your firewall
(thus preventing 'unauthorized' outside users from attaching to your
grid services) should not interfere with public/open access via viewers
on :8002 which would remain outside the firewall. afaik, this is the
only reliable and in my experience completely effective solution to the
problem.
i also believe the security key function was removed by consensus as it
didn't provide any hardcore security.
hope this helps and is remotely correct in its technical assumptions -
or at least follows the path your concerns and argument were headed...
- core
On 10/7/2012 11:50 AM, Tom Haines wrote:
> I disagree that this should not be considered a concern. Under this
> security model, anyone with the information to connect to the grid as
> a user has enough information to connect a region to the grid.
>
> I am concerned with this as an operator of an educational grid. We
> offer our services to students and educators with the understanding
> that we can limit the objectionable content they would be exposed to
> in SL or other public OpenSim grids. Obviously if anyone can connect
> their own regions without authorization from the grid operators, our
> ability to offer this service is compromised.
>
> I know there were pass keys used in the past to authenticate regions,
> but I believe this functionality has been removed. I haven't seen
> anything on the website regarding this. I've read before that
> firewalls are the best defense, but this is untenable, since our usage
> requirements demand controlled access by region operators, but open
> access to end users from heterogeneous network environments.
>
> Could someone weigh in with the official line on this?
>
> On Sunday, October 7, 2012, Fleep Tuque wrote:
>
> Hi Josh,
>
> As far as I know, in order to connect a region to your grid,
> someone would need to know all the connection details and unless
> you provide that information, I'm not sure how anyone would know
> how to or be able to connect to your grid. FleepGrid has been
> running for nearly 2 years and I've never seen any attempts to
> connect a rogue region as far as I know, so I'm not sure it's much
> of a concern.
>
> I'll let someone with more knowledge of the possible configuration
> options address any .ini settings that you might be able to use to
> disable region connections, but if this is a security issue or
> problem, it's the first I've heard of it.
>
> Sincerely,
>
> - Chris/Fleep
>
> Chris M. Collins (SL/OS: Fleep Tuque)
> Center for Simulations & Virtual Environments Research (UCSIM)
> UCIT Instructional & Research Computing
> University of Cincinnati
> 406A Zimmer Hall
> 315 College Drive
> PO BOX 210088
> Cincinnati, OH 45221-0088
> chris.collins at uc.edu
> (513) 556-3018
>
> http://ucsim.uc.edu
>
> On Sun, Oct 7, 2012 at 9:52 AM, Joshua Rubeck
> <jrubeck1989 at gmail.com> wrote:
>
> Okay so here is a question for everyone. Myself and a few
> others are setting up a grid for public use, but we do not
> want other people to be able to connect their regions on a
> home based computer to our grid. One of my friends remembers
> that there used to be a setting that would prevent an
> opensimulator instance from connecting to robust without
> authentication but I cannot find that in the configuration
> files. Is there a configuration that allows us to run a public
> grid without other people being able to connect their regions
> to our grid?
> _______________________________________________
> Opensim-users mailing list
> Opensim-users at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-users
>
>
>
>
> _______________________________________________
> Opensim-users mailing list
> Opensim-users at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-users
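The port split described in the message above (8002 left open to viewers, 8003 restricted), written as a firewall rule generator. This is an added example, not configuration from the thread or from the OpenSimulator project. It assumes a Linux ROBUST host using iptables; the chain name `ROBUST`, the loopback rule and the region simulator addresses (192.0.2.x documentation range) are constructed for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a ROBUST host, following the split
# described in the thread: 8002 stays open to viewers, 8003 is reachable only
# from approved region simulators. Nothing is applied; rules go to stdout.

PUBLIC_PORT=8002    # end-user / viewer-facing services (from the thread)
PRIVATE_PORT=8003   # grid connection services (from the thread)

# Accept only dotted-quad IPv4 with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Arguments: the IPv4 addresses of region simulators allowed to attach.
gen_robust_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejecting invalid address: $ip" >&2; return 1; }
    done
    echo "*filter"
    echo ":ROBUST - [0:0]"   # hypothetical chain name
    echo "-A INPUT -p tcp -m multiport --dports $PUBLIC_PORT,$PRIVATE_PORT -j ROBUST"
    echo "-A ROBUST -p tcp --dport $PUBLIC_PORT -j ACCEPT"
    # Assumption: services on the ROBUST host itself reach 8003 over loopback.
    echo "-A ROBUST -i lo -p tcp --dport $PRIVATE_PORT -j ACCEPT"
    for ip in "$@"; do
        echo "-A ROBUST -s $ip/32 -p tcp --dport $PRIVATE_PORT -j ACCEPT"
    done
    echo "-A ROBUST -p tcp --dport $PRIVATE_PORT -j DROP"   # everyone else
    echo "COMMIT"
}

# Constructed sample: two approved region hosts.
gen_robust_rules 192.0.2.10 192.0.2.11
```

Review the output before loading it, for example with `iptables-restore --noflush`. A region host that is not on the list can still reach 8002 like any viewer, but its attempts to attach on 8003 are dropped.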