[unisog] Configuring a (legitimate) proxy for Second Life?
Glenn Forbes Fleming Larratt
gl89 at cornell.edu
Tue Jul 22 20:41:48 GMT 2008
Short version: is there a white paper or other documentation on
setting up a proxy for Second Life? Googling "proxy Second Life"
has so far turned up any number of anonymizing proxies, but that's
not what we're after at all.

Thanks for any replies - I will summarize to-list if there's interest.

-g

=========================================================
Long version:
So we received this ticket that begins...

    "We have several professors that want to use second life in
    their research/curriculum..."

They can't, currently, because our static filters (Cisco router
ACL's) are configured in accord with a default-deny strategy.

Unfortunately, per

https://support.secondlife.com/ics/support/default.asp?deptID=4417&task=knowledge&questionID=4355

- SL has a large proportion of UDP in its operation;
- on a relatively large number of UDP ports;

and, (reading between the lines) per

https://support.secondlife.com/ics/support/KBAnswer.asp?questionID=4356

- from an effectively dynamic set of servers (the page has a
  static list, but then advises you "subscribe" to keep your
  list "up-to-date").

So, if we try to patch our ACL's, we wind up with

    permit udp any range {foo} {bar} any

where {foo} and {bar} are the endpoints of the UDP ranges SL
uses. This would have the side effect that any smart or lucky
attacker who used something in the range as a source port would
have carte blanche ability to UDP scan/sploit/whatever the
networks involved.

Given the socialization and likely spread of the use of SL,
there's no scalability and really little use in ad-hoc per-edge-IP
filtering.

Is anyone aware of techniques for proxying SL, so we could deliver
this functionality to our users without overexposing them?

Thanks for any info,
-g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
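
Added example (not part of the original post): a Python model of the stateless rule quoted in the message, run over constructed flow records, showing that the rule tests only the UDP source port, so inbound packets with no matching outbound flow are admitted alongside genuine replies. The range 20000-20999 stands in for {foo}/{bar}, and the addresses and ports are constructed documentation values; all of these are assumptions.

```python
from collections import namedtuple

# One UDP packet as seen at the border router (constructed record format).
Pkt = namedtuple("Pkt", "direction src_ip src_port dst_ip dst_port")

# Constructed stand-ins for the {foo} and {bar} endpoints; not Second Life's real ports.
FOO, BAR = 20000, 20999


def acl_permits(pkt):
    """Inbound 'permit udp any range FOO BAR any', then the implicit deny.

    Source address, destination address and destination port are all 'any',
    so the source port is the only field the rule actually tests.
    """
    return pkt.direction == "in" and FOO <= pkt.src_port <= BAR


def audit(packets):
    """Split inbound packets into solicited replies, unsolicited-but-permitted, and denied."""
    seen_out = set()
    solicited, unsolicited, denied = [], [], []
    for p in packets:
        if p.direction == "out":
            # Remember the outbound flow so a later reply can be recognised.
            seen_out.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        elif not acl_permits(p):
            denied.append(p)
        elif (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in seen_out:
            solicited.append(p)
        else:
            # The static ACL cannot tell this apart from a genuine reply.
            unsolicited.append(p)
    return solicited, unsolicited, denied


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Pkt("out", "192.0.2.10", 50123, "198.51.100.5", 20010),  # client to SL server
    Pkt("in", "198.51.100.5", 20010, "192.0.2.10", 50123),   # server reply
    Pkt("in", "203.0.113.77", 20500, "192.0.2.20", 9000),    # no prior outbound flow
    Pkt("in", "203.0.113.77", 40000, "192.0.2.20", 9000),    # source port outside range
]

if __name__ == "__main__":
    for label, group in zip(("solicited", "unsolicited", "denied"), audit(SAMPLE)):
        print(label, [(p.src_ip, p.src_port, p.dst_ip, p.dst_port) for p in group])
```

Run over real border flow logs, the unsolicited list is the traffic the static rule would admit beyond what the Second Life clients actually asked for.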