29 repository-uri
Mechanisms to restrict traffic flow and prevent unauthorized lateral movement between network segments.
Distinguishing note: Focuses on machine-level traffic restriction rather than general firewalling.
Explore 29 awesome GitHub repositories matching security & cryptography · Network Isolation. Refine with filters or upvote what's useful.
Tailscale is a zero-trust networking overlay that connects distributed devices and services into a private, encrypted mesh network. By utilizing a high-performance, user-space implementation of the WireGuard protocol, it establishes secure peer-to-peer tunnels across diverse network topologies without requiring complex firewall configuration. The platform operates on a centralized control plane that manages global network state, authentication, and policy distribution, ensuring that connectivity is governed by identity rather than traditional IP-based rules. What distinguishes Tailscale is it
Restricts shared machines to incoming connections only to prevent unauthorized outbound traffic.
Sandboxie is an operating system-level virtualization tool designed to run Windows applications in isolated, secure environments. By intercepting system calls and redirecting file system and registry modifications to a separate, discardable storage area, it prevents untrusted software from making permanent changes to the host system. This containment ensures that browser history, temporary files, and potential malware remain trapped within the sandbox, protecting the integrity and privacy of the underlying host. The software distinguishes itself through granular control over the isolation env
Applies per-sandbox firewall rules, proxy routing, and DNS filtering to control and monitor the connectivity of isolated applications.
This project is a containerized orchestration layer for the Elastic Stack, providing a pre-configured set of Docker Compose files to deploy Elasticsearch, Logstash, and Kibana as a unified data analysis stack. It functions as a centralized log management system for ingesting, indexing, and searching log data using a cluster of interconnected services. The deployment pattern includes an Elasticsearch cluster manager that enables scaling data nodes through replica scaling and internal discovery. It provides a web-based administration interface for monitoring cluster health and status. The syst
Provides dedicated virtual networks to isolate analysis tools from the host system.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Implements an independent userspace network stack to isolate traffic and prevent direct application access to the host kernel networking subsystem.
AISystem is a comprehensive AI full-stack infrastructure project covering the entire pipeline from AI chip architecture to high-level training frameworks. It encompasses the development of AI compiler frameworks, inference engines, and distributed training orchestrators designed to coordinate workloads across a heterogeneous compute stack of CPUs, GPUs, and NPUs. The project focuses on the deep integration of software and hardware, employing software-hardware co-design to align tensor layouts with physical memory structures. It provides specialized capabilities for accelerating Transformer mo
Partitions interconnect ports into logical networks to isolate resources and enhance system security.
ZeroTierOne is a software-defined networking engine that creates virtual local area networks by emulating Ethernet switches across distributed devices. It functions as a peer-to-peer platform, establishing encrypted tunnels directly between endpoints to bypass the need for centralized gateways or hub-and-spoke architectures. The system distinguishes itself through a decentralized approach to network discovery and identity management. By utilizing a distributed hash table and public key infrastructure, it authenticates devices and maps virtual addresses to physical endpoints without relying on
Implements packet processing and protocol handling within the application layer for consistent network behavior across platforms.
ScyllaDB is a distributed NoSQL database engine designed for high-throughput data storage and low-latency performance at scale. It functions as a shard-aware platform that manages large-scale datasets across distributed clusters, providing a foundation for real-time applications that require consistent availability and operational stability. The system distinguishes itself through a shared-nothing architecture that distributes data across independent CPU cores to eliminate lock contention. It incorporates a user-space networking stack and an asynchronous event-driven engine to maximize hardwa
Bypasses the kernel network stack to process incoming packets directly in application memory for extreme performance and low latency.
go2rtc is a media streaming server that functions as a protocol-agnostic gateway for video and audio feeds. It ingests media from diverse sources and redistributes them across multiple streaming standards, enabling compatibility between proprietary camera hardware and web-based playback clients. The system utilizes a centralized configuration schema to manage stream routing and lifecycle orchestration based on client demand. The platform distinguishes itself through its focus on low-latency delivery, utilizing peer-to-peer connections to facilitate sub-second playback directly within web brow
Enforces strict boundaries between internal streams and external access points via socket-level network isolation.
Laradock is a collection of pre-configured Docker containers and orchestration definitions used to deploy multi-service development sandboxes. It functions as a PHP runtime manager and a Docker-based development environment, providing a set of modular service definitions for deploying web servers, databases, and caches through a single orchestration file. The project enables the creation of a local ecosystem featuring Nginx, MySQL, Redis, and Elasticsearch to mirror production infrastructure. It allows for switching between different versions of PHP and associated extensions, as well as manag
Creates private virtual networks allowing containers to communicate via service names instead of IP addresses.
This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes. The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers. The co
Guides the implementation of network isolation to restrict traffic flow and prevent unauthorized lateral movement between containers.
This project is a Kubernetes certification training course and cluster administration guide. It provides an educational program and instructional materials designed to prepare students for the Certified Kubernetes Administrator professional exam. The project functions as an exam simulator and troubleshooting lab, offering mock exams and lightning labs that mimic the practical challenges of the certification process. It includes hands-on practice environments for resolving configuration, storage, and networking issues. The training covers the management of cluster architecture, scheduling, an
Configures network isolation to safely test security policies and traffic rules.
Seastar is a C++ server application framework and asynchronous programming library designed for building high-performance, shared-nothing server applications. It functions as a high-performance I/O engine providing direct disk and network access through a shared-nothing framework that partitions data and execution across CPU cores. The framework distinguishes itself through a thread-per-core architecture that eliminates locking and resource contention by assigning one execution thread to each physical CPU core. It implements a userspace TCP/IP stack and kernel-bypass techniques, integrating w
Implements a userspace network stack to bypass the kernel and reduce packet processing latency.
Flare-VM este un mediu de analiză a malware-ului pentru Windows, constând în scripturi de instalare care automatizează provizionarea unei mașini virtuale. Oferă o suită cuprinzătoare de instrumente de reverse engineering, inclusiv decompile-ere și debuggere, alături de configurațiile de sistem necesare și variabilele de mediu pentru cercetarea în securitate. Proiectul funcționează ca un orchestrator de imagini de mașini virtuale, permițând crearea, gestionarea și exportul automatizat al unor appliance-uri de analiză specializate. Dispune de selecție de instrumente bazată pe configurație și capacitatea de a extinde logica de instalare prin modificări personalizate de registru și definiții de layout de sistem. Sistemul include capabilități pentru configurarea rețelei izolate pentru a preveni comunicarea externă prin modul host-only. De asemenea, gestionează întregul ciclu de viață al stărilor de analiză prin gestionarea stărilor bazată pe snapshot-uri, inclusiv capacitatea de a curăța sau exporta snapshot-uri ca fișiere appliance verificate.
Implements network isolation to prevent analyzed malware from communicating with external networks via host-only mode.
Firejail is a Linux application sandbox and kernel security wrapper that isolates untrusted applications from the host system. It uses kernel namespaces and seccomp filters to restrict filesystem access, drop kernel capabilities, and limit the system attack surface. The project is distinguished by its use of predefined security profiles to automatically apply filesystem restrictions and syscall limits based on the executable being launched. It provides specialized isolation for portable packages such as AppImages and implements X11 display isolation via proxy servers to prevent keyboard loggi
Provides a dedicated TCP/IP stack with a unique IP and MAC address to hide the host identity.
Microsandbox is a runtime for creating and managing lightweight, hardware-isolated virtual machines — called sandboxes — that boot directly from standard OCI container images. Each sandbox runs as its own host process with a separate kernel, filesystem, and network stack, providing process-per-sandbox isolation. The project includes a command-line tool and multi-language SDKs (Rust, TypeScript, Python, Go) for programmatic lifecycle control, and it communicates with sandbox agents over Unix sockets using a CBOR-encoded protocol. What distinguishes Microsandbox is its combination of host-manag
Blocks outbound traffic to private and link-local addresses, preventing sandbox workloads from reaching internal resources.
Tailwind CSS Typography is a plugin for the Tailwind CSS framework that provides hand-tuned typographic defaults for blocks of vanilla HTML content, such as content from Markdown or a CMS. It applies beautiful prose styles to HTML content using a single class, eliminating the need for custom CSS to style rich text. The plugin distinguishes itself by offering deep customization and control over typography. Users can adjust the overall font size of prose content across five predefined sizes, select from five built-in gray-scale palettes to match a project's color scheme, and seamlessly adapt ty
Styles elements based on the size of a specific named container among multiple nested containers.
ByeByeDPI is a network utility designed to circumvent regional blocking and censorship by evading deep packet inspection. It functions as a traffic tunnel and local SOCKS5 proxy server that modifies network packets to prevent filters from identifying and blocking specific content. The project employs a user-mode network stack to manipulate traffic at the application level. It achieves bypass capabilities through TCP packet fragmentation and the modification of HTTP request header formatting and case sensitivity. The system includes application-level tunneling control to determine which progr
Uses a user-mode network stack to manipulate packets without requiring kernel-level drivers.
Bubblewrap is a Linux sandbox runner that creates lightweight, isolated execution environments for running untrusted applications. It combines Linux user, mount, network, PID, and UTS namespaces with seccomp-BPF system call filtering to restrict filesystem, network, process, and inter-process communication access. The project provides comprehensive process isolation by giving each sandbox its own private tmpfs root with selective bind-mounts, a separate network stack containing only a loopback interface, an independent process ID space, and remapped user and group identifiers. It applies secc
Cuts off external network connectivity by giving the sandbox its own network namespace with only a loopback device.
This project provides a containerized network bridge that isolates corporate VPN software from the host operating system. It utilizes a Docker container to encapsulate the VPN client, preventing software conflicts and installation clutter on the host machine. The system includes a web-accessible graphical user interface for remote login and session management, allowing users to interact with VPN authentication prompts from any device. To enable application-level access, it implements a SOCKS5 and HTTP proxy gateway that routes host machine network traffic through the containerized connection.
Isolates VPN network traffic within the container to prevent interference with host system networking.
Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface. What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networkin
Blocks access to /proc/sched_debug and /sys/kernel/slab to hide container names from process listings on the host.