Security Considerations for Torus Pro (1:1 NAT)
Understanding Torus Pro
Torus Pro provides a dedicated public IP address mapped directly to your device. This means your equipment is reachable from anywhere on the internet — exactly as if it were plugged directly into a public network.
How Pro Differs from Other Tiers
| Feature | Basic/Plus | Pro |
|---|---|---|
| External IP | None / Shared | Dedicated |
| All ports accessible | No | Yes |
| Inbound connections | No | Yes |
| Outbound connections | Yes (Plus) | Yes |
| Use case | Private mesh, outbound only | Hosting public services |
Security Considerations for Vintage Hardware
Retro and legacy systems are typically designed for trusted networks. These systems often:
- Predate modern network-based threats
- Fail to meet modern encryption standards
- Are unpatched for years if not decades
- Have little to no protection against brute-force attacks
- Transmit credentials in plaintext
Before You Enable Public Access
Ask yourself:
- Do I need this system reachable from the entire internet, or just from specific locations?
- What services am I exposing, and do they transmit credentials in plaintext?
- Would a compromise of this system affect other devices on my network?
- Am I prepared to monitor logs and respond to incidents?
If you simply want to access your retro equipment remotely yourself, full public exposure may not be necessary.
Protection Options
SSH Tunnelling
Run a small Linux box (Raspberry Pi, VM) on your network that accepts SSH connections. Access legacy services by tunnelling through it. The retro systems never need direct exposure.
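The following script is an added example of the tunnelling setup described above; it is not part of the Nekotopia documentation or product. The jump box `pi@jump.example.net`, the legacy host `retro-pc.lan`, and the port numbers are constructed placeholders. The jump box is the only machine on the public IP; the retro system stays on the private LAN behind it and is reached through a local port forward bound to 127.0.0.1, so the forwarded port is not itself exposed.

```bash
#!/bin/sh
# Added example, not Nekotopia documentation code. Hostnames "jump.example.net"
# and "retro-pc.lan", the user "pi" and the port numbers are constructed
# placeholders. The jump box is the only machine reachable on the public IP;
# the retro system stays on the private LAN behind it.
set -eu

JUMP_HOST="pi@jump.example.net"   # the small Linux box that accepts SSH

# Validate that a value is a TCP port in 1..65535 (digits only, no spaces).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh command that forwards a local port to a service on the legacy
# host, through the jump box.
#   -N                       no remote shell, port forwarding only
#   -L 127.0.0.1:...         bind the local end to loopback, not 0.0.0.0
#   ExitOnForwardFailure=yes fail loudly instead of silently running without
#                            the forward
#   ServerAliveInterval=30   keep idle telnet/BBS sessions from being dropped
tunnel_cmd() {
    local_port=$1; retro_host=$2; retro_port=$3
    valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
    valid_port "$retro_port" || { echo "bad remote port: $retro_port" >&2; return 1; }
    printf 'ssh -N -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$retro_host" "$retro_port" "$JUMP_HOST"
}

# Usage: ./tunnel.sh 2323 retro-pc.lan 23
#        then, in another terminal: telnet 127.0.0.1 2323
# The tunnel is only opened when three arguments are given, so sourcing this
# file for its helper functions has no side effects.
if [ $# -eq 3 ]; then
    cmd=$(tunnel_cmd "$1" "$2" "$3")
    echo "opening: $cmd"
    eval "$cmd"
fi
```

The same pattern works for any TCP service on the legacy host (telnet, FTP control, an old HTTP server): only the remote port changes. The plaintext protocol still runs unencrypted on the private LAN between the jump box and the retro machine, but nothing on the public side sees it, and the jump box is the only host that needs hardening and patching.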
IP Whitelisting
Apply restrictive access controls to limit who can reach your services. The Nekotopia dashboard allows you to configure basic firewall rules for your public IP.
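As an added example of host-level allowlisting to complement the dashboard rules (this is not the dashboard's rule format and not Nekotopia's code), the script below generates a complete nftables ruleset for the Linux box that sits on the public IP. The interface name `eth0`, the allowlisted addresses and the exposed ports are constructed placeholders; the default policy is drop, and only the listed TCP ports are reachable, and only from the allowlist.

```bash
#!/bin/sh
# Added example, not the Nekotopia dashboard's rule format. Host-level
# allowlisting with nftables on the Linux box that holds the public IP.
# Addresses, the interface name "eth0" and port numbers are constructed.
# IPv4 only; add a matching ipv6_addr set if the public IP has IPv6 too.
set -eu

PUBLIC_IF="eth0"
# Who may reach the exposed services: a home address and an office range.
ALLOW_LIST="203.0.113.10/32 198.51.100.0/24"
# TCP services exposed to the allowlist: SSH to the jump box, a telnet BBS.
ALLOWED_TCP_PORTS="22 23"

# Syntactic check for an IPv4 address with an optional /prefix.
valid_cidr4() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit a complete ruleset: default-drop on input, allow loopback and
# established traffic, allow rate-limited ICMP echo for diagnostics, allow the
# listed TCP ports only from the allowlist set, and log (rate-limited) then
# drop everything else arriving on the public interface.
ruleset() {
    for cidr in $ALLOW_LIST; do
        valid_cidr4 "$cidr" || { echo "invalid allowlist entry: $cidr" >&2; return 1; }
    done
    allow_elems=$(echo "$ALLOW_LIST" | tr ' ' ',')
    port_elems=$(echo "$ALLOWED_TCP_PORTS" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet public {
    set allow_v4 { type ipv4_addr; flags interval; elements = { $allow_elems } }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        iifname "$PUBLIC_IF" ip saddr @allow_v4 tcp dport { $port_elems } ct state new accept
        iifname "$PUBLIC_IF" limit rate 10/minute log prefix "public-drop: " drop
    }
}
EOF
}

# Usage: ./allowlist.sh print > /etc/nftables.conf && nft -f /etc/nftables.conf
# The ruleset is only written when invoked with "print", so sourcing this
# file for its functions has no side effects.
if [ "${1:-}" = "print" ]; then
    ruleset
fi
```

Load the generated file with `nft -f` from a console or out-of-band session first, since a mistake in the allowlist locks you out of the public IP. The logged drops (prefix `public-drop:`) are the first thing to review when deciding whether the exposure is being probed.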
Teleport ZTNA
Nekotopia offers Teleport for zero-trust access. Instead of exposing services directly, users authenticate through Teleport and access your services via a secure proxy. This provides:
- Authentication with 2FA
- Audit logging of all access
- No direct port exposure
- Fine-grained access control
Bastion Host with Fail2ban
If you have a Linux gateway in front of your legacy gear, deploy fail2ban on it to block source IPs after repeated failed authentication attempts.
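The script below is an added example (not part of the original page and not fail2ban's own code) with two pieces: a minimal `jail.local` for the gateway's sshd jail, and a small awk detector that applies the same maxretry/findtime logic to auth log lines so you can see which source addresses fail2ban would ban. The log lines, hostnames and addresses are constructed; the `ignoreip` entry assumes you have an allowlisted address of your own.

```bash
#!/bin/sh
# Added example, not part of the original page. Constructed log lines and
# addresses; the jail.local keys (bantime, findtime, maxretry, ignoreip,
# enabled, port) are real fail2ban settings.
set -eu

MAXRETRY=5          # failures before a ban
FINDTIME=600        # counted within this many seconds (fail2ban's "findtime")

# jail.local overrides fail2ban's defaults. ignoreip keeps your own
# allowlisted address (constructed here) from being banned by a typo.
jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = ${FINDTIME}
maxretry = ${MAXRETRY}
ignoreip = 127.0.0.1/8 203.0.113.10

[sshd]
enabled = true
port    = ssh
EOF
}

# Read sshd log lines on stdin and print each source IP the first time it
# reaches MAXRETRY failures within FINDTIME seconds (a sliding window, like
# fail2ban). Timestamps are syslog style "Mon DD HH:MM:SS"; the month*31
# arithmetic only needs to order events within a short window.
offenders() {
    awk -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i in m) mon[m[i]] = i
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        ts = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n[ip]++; when[ip, n[ip]] = ts
        c = 0
        for (i = 1; i <= n[ip]; i++) if (ts - when[ip, i] <= findtime) c++
        if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample: 198.51.100.77 fails five times in fifteen seconds
# (banned); 192.0.2.5 fails three times but spread fifteen minutes apart
# (never five within findtime, so not banned); one successful key login.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 gateway sshd[1201]: Failed password for invalid user admin from 198.51.100.77 port 51000 ssh2
Jan 10 12:00:04 gateway sshd[1203]: Failed password for invalid user pi from 198.51.100.77 port 51002 ssh2
Jan 10 12:00:07 gateway sshd[1205]: Failed password for root from 198.51.100.77 port 51004 ssh2
Jan 10 12:00:09 gateway sshd[1207]: Accepted publickey for pi from 203.0.113.10 port 40000 ssh2: ED25519 SHA256:constructed
Jan 10 12:00:11 gateway sshd[1209]: Failed password for root from 198.51.100.77 port 51006 ssh2
Jan 10 12:00:14 gateway sshd[1211]: Failed password for invalid user guest from 198.51.100.77 port 51008 ssh2
Jan 10 12:05:00 gateway sshd[1213]: Failed password for invalid user guest from 192.0.2.5 port 33000 ssh2
Jan 10 12:20:00 gateway sshd[1215]: Failed password for invalid user test from 192.0.2.5 port 33002 ssh2
Jan 10 12:35:00 gateway sshd[1217]: Failed password for root from 192.0.2.5 port 33004 ssh2
Jan 10 12:36:00 gateway sshd[1219]: Failed password for root from 198.51.100.77 port 51010 ssh2
EOF
}

# Usage: ./ban-check.sh run            (prints the would-be-banned addresses)
#        ./ban-check.sh jail > /etc/fail2ban/jail.local
case "${1:-}" in
    run)  sample_log | offenders ;;
    jail) jail_local ;;
esac
```

The awk detector is for understanding and for reviewing logs by hand (for example, `journalctl -u ssh | ./ban-check.sh`-style pipelines once you replace `sample_log` with real input); fail2ban itself performs the banning through its firewall actions. Note that fail2ban protects only the services the gateway terminates: a plaintext telnet service on the retro machine that is exposed directly gets no brute-force protection from it, which is one more reason to put the gateway in front.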
Recommendations
| Risk Level | Recommendation |
|---|---|
| Low | Internal services only (Basic tier) |
| Medium | Use Teleport ZTNA for remote access |
| High | Full public exposure with monitoring |
When in doubt, start with less exposure and expand only as needed.