89 个仓库
Systems for defining and enforcing security policies to regulate traffic flow between network entities.
Distinguishing note: Focuses on network-level traffic filtering and access policy enforcement rather than generic user authentication or credential management.
Explore 89 awesome GitHub repositories matching security & cryptography · Network Access Control. Refine with filters or upvote what's useful.
Nanobot is an orchestration framework designed for building, deploying, and managing autonomous AI agents. It provides a secure runtime environment that supports persistent memory, multi-step workflow management, and tool integration, allowing agents to maintain context and state across long-running tasks. The platform distinguishes itself through a unified model gateway that normalizes requests across diverse local and remote language models, alongside a multi-channel integration layer that connects agents to various messaging platforms. It enforces security through containerized sandboxing
Enforces security through containerized sandboxing and network policies to ensure isolated agent execution.
Nanoclaw is an LLM agent orchestrator and multi-platform chat gateway designed to deploy and manage isolated AI agents. It provides a containerized runtime that executes agents within sandboxed Linux containers, ensuring filesystem and state isolation through dedicated workspaces and host bind-mounts. The project distinguishes itself through a unified routing pipeline that connects agents to diverse messaging platforms, including WhatsApp, Discord, Slack, Telegram, Signal, and iMessage. It integrates the Model Context Protocol to extend agent capabilities via managed external data and functio
Forces all agent traffic through a central gateway container to prevent unauthorized external internet communication.
NetBird is a zero-trust networking platform that builds secure, encrypted peer-to-peer overlay networks using the WireGuard protocol. It functions as a software-defined perimeter, connecting distributed infrastructure across cloud environments and physical locations while hiding network resources from the public internet. By integrating with external identity providers, the platform enforces granular access control and identity-based segmentation for every user and device. The platform distinguishes itself through extensive automation and programmatic management capabilities. It provides a ce
Enforces granular access control and identity-based segmentation to isolate network resources across distributed environments.
This project is a comprehensive API security audit checklist and vulnerability audit framework. It provides a structured guide of security countermeasures for designing, testing, and deploying secure APIs across various protocols. The framework includes specialized guides for securing OAuth 2.0 authorization flows, implementing zero trust networking for service-to-service communication, and protecting GraphQL endpoints from resource exhaustion and information leakage. It also provides standards for integrating static analysis, dynamic scanning, and secret detection into CI/CD delivery pipelin
Implements network access controls using TLS configurations, HSTS headers, and IP safelisting.
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes n
Manages WireGuard tunnel connectivity and ingress routing through integrated controller support.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Permits containers to bind to low-numbered ports or perform network diagnostics without requiring elevated system capabilities.
The Gemini Cookbook is a comprehensive collection of implementation patterns, code samples, and development guides designed for building applications with Google Gemini models. It serves as a central resource for developers to integrate multimodal generative artificial intelligence into their software, providing the necessary frameworks to manage model interactions, stateful workflows, and structured data extraction. The repository distinguishes itself by offering specialized toolkits for autonomous agent orchestration, enabling the construction of agents that can execute code, browse the web
Restricts outbound network access for agents using allowlists and credential injection.
Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers. The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facili
Defines inbound and outbound firewall rules to control traffic flow and enforce security policies at the host level.
Neko is a virtual desktop infrastructure platform that provides containerized browser isolation and remote desktop environments. It enables users to host secure, ephemeral browser instances that can be accessed and managed through a standard web browser, ensuring consistent execution across different host systems. The platform distinguishes itself through its collaborative capabilities, allowing multiple users to view and interact with a single shared browser session in real time. It synchronizes keyboard, mouse, and gamepad inputs from multiple participants while providing integrated tools f
Manages network settings to enable remote browser access across local and public network environments.
This project is a multi-protocol proxy server and network tunneling tool designed to manage traffic across heterogeneous infrastructure. It functions as a traffic management gateway, providing the core infrastructure to route, filter, and secure network connections through a unified interface. The software distinguishes itself through its support for cascading proxy chaining and dynamic upstream load balancing, which allow for the creation of complex, multi-hop network paths. It provides granular control over traffic flow by normalizing diverse protocols, enabling transparent port forwarding,
Enforces granular security policies and resource limits on network connections to prevent unauthorized access and manage usage.
Rust-analyzer is a language server implementation that provides real-time code intelligence, static analysis, and development productivity tools for the Rust programming language. It functions as a backend engine that communicates with text editors to deliver deep structural understanding of source code, enabling features like semantic analysis, symbol navigation, and automated refactoring. The project distinguishes itself through a core engine designed for high-performance responsiveness, utilizing incremental query-based compilation and lazy demand-driven evaluation to minimize resource con
Operates offline by default while managing external build tool interactions.
ZeroTierOne is a software-defined networking engine that creates virtual local area networks by emulating Ethernet switches across distributed devices. It functions as a peer-to-peer platform, establishing encrypted tunnels directly between endpoints to bypass the need for centralized gateways or hub-and-spoke architectures. The system distinguishes itself through a decentralized approach to network discovery and identity management. By utilizing a distributed hash table and public key infrastructure, it authenticates devices and maps virtual addresses to physical endpoints without relying on
Applies security rules and access controls directly at each device to remove the need for centralized network chokepoints.
shadowsocks-libev is an event-driven network daemon that provides an encrypted SOCKS5 proxy. It functions as a lightweight proxy server using a non-blocking event loop to route TCP and UDP traffic through encrypted tunnels to bypass network restrictions. The project implements a transparent proxy gateway capable of intercepting outbound packets at the network layer, allowing system traffic to be redirected through the encrypted tunnel without per-application configuration. It also includes a daemon process manager to control multiple proxy server instances as child processes via local communi
Defines and enforces security policies to regulate which client IPs can connect to the proxy.
This project provides a shell-based automation utility for deploying and managing OpenVPN servers on Linux hosts. It functions as an orchestration tool that handles the installation of networking software, the configuration of system-level routing rules, and the generation of cryptographic credentials required to establish secure, encrypted tunnels for remote network access. The tool distinguishes itself by automating the entire lifecycle of a private network gateway, including the management of peer identities and the distribution of standardized configuration profiles. It simplifies the set
Enforces peer access control by managing client connections and defining allowed IP ranges.
Brook is a cross-platform proxy server designed to secure network traffic and manage multi-user access. It functions as a proxy manager that facilitates connectivity across diverse hardware architectures, including desktop, mobile, and router environments. The system distinguishes itself through integrated identity and administrative controls, utilizing email-based token authentication to verify users and enforce granular, role-based access policies. It also provides a white-label build pipeline that allows for the customization of client application branding, enabling the replacement of defa
Regulates network traffic for multiple users through granular permission settings and subscription management.
Amass is an attack surface management tool designed to identify, map, and inventory an organization's internet-facing digital assets. It functions as a security asset discovery engine that systematically expands an organization's known infrastructure footprint through recursive domain name resolution and the collection of intelligence from diverse public data sources. The platform distinguishes itself by utilizing a graph-based modeling approach to organize discovered resources. By maintaining a persistent graph database, it tracks the relationships between infrastructure components and norma
Visualizes relationships between digital resources to map complex network topologies and service interactions.
Termix is a centralized web-based gateway for managing remote SSH connections and terminal sessions. It provides a browser-based interface that enables users to access, control, and monitor remote servers, containerized applications, and file systems from a single, unified dashboard. The platform distinguishes itself through robust security and session management capabilities. It integrates with external identity providers for single sign-on and enforces role-based access control to manage user permissions. To ensure reliable administration, it maintains stateful session persistence, allowing
The platform provides a graphical representation of connected hosts and their network relationships to help users understand infrastructure layout.
Coturn is a network server that facilitates peer-to-peer media traffic for real-time communication applications. It functions as a relay platform for voice, video, and data transmission, enabling direct connections between clients located behind restrictive firewalls and network address translators. The server implements standard network traversal protocols to manage media packet exchange and client authentication. It utilizes a multi-threaded architecture and event-driven polling to handle high-throughput traffic, while employing hash-based message authentication codes to verify client ident
Authenticates client requests and manages user credentials to ensure only authorized devices access relay services.
go2rtc is a media streaming server that functions as a protocol-agnostic gateway for video and audio feeds. It ingests media from diverse sources and redistributes them across multiple streaming standards, enabling compatibility between proprietary camera hardware and web-based playback clients. The system utilizes a centralized configuration schema to manage stream routing and lifecycle orchestration based on client demand. The platform distinguishes itself through its focus on low-latency delivery, utilizing peer-to-peer connections to facilitate sub-second playback directly within web brow
Controls network exposure by binding media services to specific interfaces and ports.
nock is a Node.js HTTP mocking library and request interceptor. It captures outgoing network traffic to specific hosts and paths, returning predefined responses to decouple applications from external servers during automated testing. The project functions as an API expectation framework to verify that specific calls were made with correct parameters. It includes a traffic recorder that captures real network interactions as fixtures for playback and a network simulation tool to introduce artificial latency or trigger network errors. Its capabilities cover request matching via hostnames, paths
Blocks all outgoing HTTP requests to non-mocked hosts or allows specific hostnames to bypass the interceptor.