Appearance
Network Validation
Validate that network egress cannot bypass enforced boundaries (deny-by-default, proxy, pinning, IPv6 parity, localhost separation).
Overview
- Enforce
egressDefaultAction: "deny"across IPv4 and IPv6. - Require proxy routing and certificate pinning.
- Fail closed on proxy/audit outages.
- Block UDP-based channels (QUIC, STUN/TURN) and shadow networks.
- Prevent protocol smuggling and domain fronting.
Controls Catalog
runtime.networking.egressDefaultAction- Proxy enforcement and pinning
- Protocol allowlists (TCP/HTTPS only)
- SNI/Host matching
- UDP disablement
Evidence Standards
- Audit category:
network - Required fields:
protocol,destination,action,outcome - Conditional fields:
rule.id,alpn,sni,proxyEnforced,reason,integrity.hash
In This Section
| Area | Description | Test IDs | Link |
|---|---|---|---|
| DNS | Resolution control, evasion prevention, and exfiltration blocking. | NET-DNS-* | DNS Validation |
| Egress | Default deny, proxy enforcement, and bypass prevention. | NET-EGRESS-* | Egress Validation |
| Protocols | Restrictions on UDP, IPv6, and protocol smuggling. | NET-PROTO-* | Protocol Validation |
| Isolation | Localhost separation and internal reconnaissance blocking. | NET-ISOLATE-* | Network Isolation |
| Encryption | Certificate pinning, SNI validation, and ECH control. | NET-ENCRYPT-* | Encryption Validation |
