OpenSim 103: Securing your grid

Enterprises rolling out new OpenSim grids are often concerned about security issues of running OpenSim, and justifiably so. OpenSim is alpha software and still poses some security challenges. However, the security level of a particular OpenSim deployment depends quite a bit on how it is configured.

Here are the most common options, ranked in order from most to least secure.

PRIVATE WORLD ON A PC

The most secure configuration of OpenSim is running the entire world on a single computer. If the computer is not connected to a network, then outsiders won’t be able to access the grid — unless they break in and steal the computer itself.

How to do it

• The Diva Distro is the easiest deployment, with a four-region border regions — a total of 64 virtual acres, with no border crossings. It’s a free download, and there’s an upgrade utility for when a new version of OpenSim comes out.
• For the more technically inclined, there’s the standard OpenSimulator.org distribution. Expect to edit configuration files, and upgrades need to be handled manually.
• For those looking for a plug-and-play solution, the ReactionGrid Harmony distribution starts at $875. Upgrades are included in the price, and ReactionGrid has a good reputation for customer service. You can see ReactionGrid’s customer list here. However, ReactionGrid tends to use older versions of OpenSim, stabilized, hardened, and adapted for enterprise use. While stable, these versions may lack the features and benefits of more recent releases, such as better hypergrid security, media-on-a-prim, and mesh support.

Why do it

• Virtual world designers, builders, machinimators and other creative professionals may appreciate having a personal, off-line sandbox for development work. Finished regions can later be saved as OAR files and uploaded to a live grid. In addition, individual objects can be saved and uploaded to other OpenSim-based grids or SecondLife.
• Architects are using private OpenSim worlds on their computers to demonstrate houses to the clients. The clients sit next to the architect during the walk-through, and can see how the house will look like from all angles, check out the views through the windows — even make on-the-spot changes to the house. OpenSim allows architects to instantly change wall colors, move walls, rearrange furniture, even rotate the entire house to catch the morning sun — all right in front of the client.
• In training or testing situations, the student can sit at an individual computer to go through a simulated scenario.

PRIVATE WORLD BEHIND A FIREWALL

A behind-the-firewall deployment is the next most secure option for OpenSim. Only people with access to the internal network are able to visit the grid. However, trusted employees might still be able to download regions files or individual objects and mail them out of the company — or carry themn out on USB drives. Standards network security measures will help protect corporate content, but no system is completely secure.

Companies should also be aware that they might need to set up separate grids for sensitive functions, like human resources or finance, in order to protect critical information. In addition, private areas can be set up within grids limited to particular individuals or groups of employees.

A secondary benefit of running a grid over internal networks is that network speeds are normally significantly higher than over the public Internet, making for a more responsible virtual world.

How to do it

• The Diva Distro, the standard OpenSimulator.org distribution, and the ReactionGrid Harmony distribution can all be run in behind-the-firewall mode.
• For a more robust deployment with integration with enterprise systems, corporate directories, IBM offers a hardened, stabilized version of OpenSim in its Virtual Collaboration for Lotus Sametime product. Pricing starts at $50,000 and includes several pre-configured regions for meeting and collaboration spaces.
• OpenSim hosting vendors are starting to offer centralized grid management services for self-hosted grids. PioneerX Estates is currently the leading vendor, with centralized grid management software that allows for easy region restarts, software upgrades, user management, and even in-world economies.

Why do it

• This is the right deployment for enterprises that need to restrict access to virtual worlds to just their employees.
• Educational institutions — especially elementary schools — should run behind-the-firewall grids to ensure that outsiders can not enter their virtual campus.

PRIVATE HOSTED WORLD

Enterprises and institutions without the internal resources to operate their own virtual worlds can have their worlds hosted by an OpenSim vendor.

With hypergrid turned off, access is limited to registered account holders. User accounts can be managed centrally, and registrations limited to current employees, or to a school’s students and faculty.

However, security depends on the skills and systems of the hosting provider. Companies putting highly sensitive information on a grid hosted by an outside service should perform the same security audit as for any software-as-a-service vendor or cloud provider.

How to do it

• Prices for OpenSim regions start at under $10 a month, and companies can choose from any of a number of OpenSim hosting providers. Expect to pay extra for high-traffic regions, custom configuration, grid infrastructure, voice support, currency, or other services. Regular backups and maintenance are normally part of the standard service.
• Additional security can be obtained by requiring users to use custom browsers to access the world.
• The newest option is to use cloud hosting from Kitely, where access to be restricted to members of a particular Facebook group.

Why do it

• Schools and enterprises running pilot virtual world projects can use hosted grids to experiment with the platforms without high initial investment.
• A hosted world allows enterprises to grand access to employees who are not connected to the company network, to outside contractors, to business partners, and to customers by simply creating new user accounts for them.
• Many public grids currently run in private hosted mode, but allow anyone to create a user account through a Web interface. Grid administrators may review the account requests, or shut down the accounts if grid rules are violated.

PUBLIC WORLD BEHIND THE FIREWALL

Schools and companies who want to create virtual worlds that can be accessed from the outside can still set up virtual worlds on their in-house servers. However, this requires opening non-standard ports in the enterprise firewall and may expose the network to additional risks. Existing security platforms and intrusion detection systems may not be prepared to handle the new holes in the firewall.

How to do it

• Network routers need to be configured to direct grid traffic to the appropriate server
• Firewalls need to be adjusted to allow these messages to pass through
• For hypergrid access, both the grid and individual regions need to be hypergrid enabled, though this is preconfigured in the Diva Distro.

Why do it

• If a particular network is isolated from the main enterprise or school network, using servers on that network to host virtual worlds can provide more control at a lower cost.
• A public world will allow access by company employees or school students and staff, but also allow visitors to log in or teleport in from other worlds.

PUBLIC HOSTED WORLDS

Public worlds serve much the same function as a public Website. Companies, non-profits and educational institutions can use them for marketing, promotion, or to educate the public. A public world can also serve as the virtual lobby of the enterprise, a place where people can come to ask questions, try out products or services, or participate in a community of users.

How to do it

• Most OpenSim hosting providers can set up custom public virtual worlds for clients, on the company’s own domain name.
• Visitors teleporting in need to know the hypergrid address of the destination region. Alternatively, visitors can teleport in via in-bound gates located on other worlds. This is similar to the way that Website visitors can either type the site’s URL into the address bar, or arrive by clicking on a link on another site.
• For additional security, grid operators can mark certain areas as private, accessible only to particular individuals or groups.
• Grids can restrict traffic from particular sources. For example, a school might decide to not allow in-bound traffic from grids oriented towards adult activities — and may prohibit outbound traffic to those grids as well.

Why do it

• A hypergrid-enabled world means that the grid operators have little or no control over visitors. But it also means that there are no obstacles — other than occasional technical hiccups or the usual marketing challenges — to people coming in. Museums, retailers, entertainment venues, social gathering places, and corporate marketing divisions can benefit from a public virtual presence, and this benefit will increase as the population of the virtual worlds grows.
• In addition, “security by obscurity” will apply during the first few years of virtual world development. This is similar to the way that when the Internet was first created, the only people who would visit a Website would be those who were personally invited by the site owners. Later, search engines would find sites even if the owners made no attempt to publicize them. Today, there are no usable search engines for OpenSim-based worlds. Grid operators who put up a world don’t need to worry about random strangers stumbling into their builds — for a little while, at least.

REGIONS ON PUBLIC GRIDS

Many public grids allow companies and schools to rent land anywhere in size from entire 16-acre regions down to one-acre parcels or smaller. Prices vary significantly, and depend on the grid, and on the parcel’s location on that grid. For example, a furnished store front in a popular virtual mall will probably be much more expensive than an empty plot of land of equivalent size in a remote region of the grid.

If you’re on a public grid, however, you should expect the public to wander through. This may include unsavory individuals who harass your legitimate visitors, or even deface your virtual property. Standard precautions include setting private areas as off-limits to unapproved guests, and prohibiting unapproved visitors from changing anything on your land or putting down new objects.

Harassment can be curtailed by banning offenders from a particular region, but the offenders can simply create a new account and come back under another name.

How to do it

• The most popular grid on which to rent land for marketing, promotion, outreach or retail is Second Life. It has the highest traffic of any existing grid, and the single biggest in-world economy. Land can be rented directly from Linden Lab or from virtual real estate developers who buy large areas, and subdivide them. The price for an entire regions is $295 per month, with a $1,000 initial setup fee. There is a discount for educational and non-profit institutions –  $147.50 per month, with a $700 setup fee.
• Creators looking for alternatives first go to InWorldz and Avination grids, which have security policies in place similar to that of Second Life. Users aren’t allowed God powers, can’t hypergrid in and out to other grids, and can’t export content in the form of OAR or IAR files.
• Enterprises and schools looking for lower-cost land in a community that’s more oriented towards business and education have been migrating to JokaydiaGrid, where entire regions start at just $25 a month with a $50 initial setup fee.
• More grid choices are here: An OpenSim grid primer and OpenSim Grid Info.

Why do it

• Retailers of virtual goods need to go to where their customers are and, today, that means a large public grid.
• Companies looking for training or collaboration space that rent it on a large public grid can enjoy the technical support that comes from being a customer of the grid, as well as the ability to participate in a larger community of users.

INTELLECTUAL PROPERTY

OpenSim and Second Life actually offer more security when it comes to protecting intellectual property than the Web itself. For example, if you go to a Website, you can easily copy-and-paste any text or photo that you see on a typical page. If you’re curious about how a page was designed, the option to see the source HTML code is built into the browser (under View-Page Source in Firefox). The only defensible intellectual property is that which never shows up on page itself, like Google’s search algorithms or Amazon’s ranking system. These are software and databases that run on back end servers, separate from the site itself.

Second Life and OpenSim, by comparison, allow content creators to set permissions on objects that prevent users from modifying, copying or transferring them to other people. Determined hackers can bypass these permissions, but their tools are not easily available to the average user.

For many enterprises, this is a non-issue. If someone visits a corporate facility and steals copies of buildings or furniture, it will not materially affect the company’s operations.

In fact, the company may even choose to allow branded goods to be copied, as a way of promoting the company’s image.

If the copying is blatant — say, a competitor rips off a company’s entire virtual world — then the company has the same legal recourse as it would if the competitor copied its Website. This includes DMCA filings with the hosting service, or copyright or trademark lawsuits.

For enterprises that produce or distribute virtual content, copying can, and often does, materially impact the business.

Virtual content companies can take the following steps to deter theft:

• Make the content easier to buy legally than to steal. The Apple iTunes store has shown that people are willing to pay for content if it the platform is convenient and attractive enough.
• Add server-side software to the content. Anyone can copy a page of Google search results, but it doesn’t mean that they can go into business as a new search engine — most of the value of Google is in the code that runs behind the scenes. Similarly, objects in Second Life and OpenSim can be designed so that they depend on server-side software for their functionality. Stealing the object and passing it to an unregistered user would break this functionality, rendering the object worthless.
• Prohibit outside access to virtual content by keeping it locked up in a private grid, and allow customers to log in and experience the content but not take it home with them.
• Offer value-added services like after-sale support, customization, training and upgrades.
• Force customers to use custom viewers incompatible with other worlds and use proprietary encoding for the content itself, so that customers can not copy it, use it elsewhere, or distribute it to anyone else.

As with all copyright protection mechanisms, however, there is an optimum balance between protection and customer convenience. Too little security, and the content walks out the door. Too much, and nobody can use the product.

(This is an updated version of a post that first appeared a year ago: OpenSim security 101.)