Skip to content

Network Validation

Validate that network egress cannot bypass enforced boundaries (deny-by-default, proxy, pinning, IPv6 parity, localhost separation).

Overview

  • Enforce egressDefaultAction: "deny" across IPv4 and IPv6.
  • Require proxy routing and certificate pinning.
  • Fail closed on proxy/audit outages.
  • Block UDP-based channels (QUIC, STUN/TURN) and shadow networks.
  • Prevent protocol smuggling and domain fronting.

Controls Catalog

  • runtime.networking.egressDefaultAction
  • Proxy enforcement and pinning
  • Protocol allowlists (TCP/HTTPS only)
  • SNI/Host matching
  • UDP disablement

Evidence Standards

  • Audit category: network
  • Required fields: protocol, destination, action, outcome
  • Conditional fields: rule.id, alpn, sni, proxyEnforced, reason, integrity.hash

In This Section

AreaDescriptionTest IDsLink
DNSResolution control, evasion prevention, and exfiltration blocking.NET-DNS-*DNS Validation
EgressDefault deny, proxy enforcement, and bypass prevention.NET-EGRESS-*Egress Validation
ProtocolsRestrictions on UDP, IPv6, and protocol smuggling.NET-PROTO-*Protocol Validation
IsolationLocalhost separation and internal reconnaissance blocking.NET-ISOLATE-*Network Isolation
EncryptionCertificate pinning, SNI validation, and ECH control.NET-ENCRYPT-*Encryption Validation