Skip to content

Network Isolation Validation (NET-ISOLATE)

Validate that the secure sandbox is isolated from the host loopback interface and internal networks.

Objectives

  • Prevent access to host services running on localhost.
  • Block internal reconnaissance and lateral movement.

Controls Under Test

  • Network namespace isolation (loopback separation).
  • Internal network blocklists.

Test Scenarios

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
NET-ISOLATE-01Localhost IsolationAccessing host services from sandbox.
Attempt connection to a service running on the host loopback (127.0.0.1).
Pass: Connection failed (curl: (7)).
Audit: action: deny
NET-ISOLATE-02Inbound Isolation (Host→Sandbox)Start a listener inside the sandbox (for example, python -m http.server 8080 --bind 0.0.0.0).
From the host, attempt curl http://<sandbox-ip>:8080 or browse to the address.
Pass: Connection fails (timeout/refused). The host cannot reach services inside the sandbox.
Audit: action: deny
NET-ISOLATE-03Internal ReconnaissanceLateral movement via intranet scanning.
Attempt to connect to local gateway or peer IPs (e.g., 192.168.1.1 on port 80/445).
Pass: Connection timeout/refused.
Audit: action: deny, scope: internal
NET-ISOLATE-04Named Network SegmentsValidate intra-segment connectivity and extra-segment isolation.
1) Configure two named network segments (for example, --network=test for sandboxed apps).
2) Start a service inside one sandbox (for example, python -m http.server 8000).
3) From another sandboxed app on the same named segment, connect to the service.
4) From host or a sandbox on a different segment, attempt to connect.
Pass: Same-segment connection succeeds per policy; cross-segment and host access are denied (no lateral reach).
Audit: category: network, `action: allow

Evidence Requirements

  • Audit category: network
  • Required fields: action, scope