Appearance
Network Isolation Validation (NET-ISOLATE)
Validate that the secure sandbox is isolated from the host loopback interface and internal networks.
Objectives
- Prevent access to host services running on localhost.
- Block internal reconnaissance and lateral movement.
Controls Under Test
- Network namespace isolation (loopback separation).
- Internal network blocklists.
Test Scenarios
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| NET-ISOLATE-01 | Localhost Isolation | Accessing host services from sandbox. Attempt connection to a service running on the host loopback ( 127.0.0.1). | Pass: Connection failed (curl: (7)).Audit: action: deny |
| NET-ISOLATE-02 | Inbound Isolation (Host→Sandbox) | Start a listener inside the sandbox (for example, python -m http.server 8080 --bind 0.0.0.0).From the host, attempt curl http://<sandbox-ip>:8080 or browse to the address. | Pass: Connection fails (timeout/refused). The host cannot reach services inside the sandbox. Audit: action: deny |
| NET-ISOLATE-03 | Internal Reconnaissance | Lateral movement via intranet scanning. Attempt to connect to local gateway or peer IPs (e.g., 192.168.1.1 on port 80/445). | Pass: Connection timeout/refused. Audit: action: deny, scope: internal |
| NET-ISOLATE-04 | Named Network Segments | Validate intra-segment connectivity and extra-segment isolation. 1) Configure two named network segments (for example, --network=test for sandboxed apps).2) Start a service inside one sandbox (for example, python -m http.server 8000).3) From another sandboxed app on the same named segment, connect to the service. 4) From host or a sandbox on a different segment, attempt to connect. | Pass: Same-segment connection succeeds per policy; cross-segment and host access are denied (no lateral reach). Audit: category: network, `action: allow |
Evidence Requirements
- Audit category:
network - Required fields:
action,scope
