Network Security Architecture Validator
Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.
Best use case
Network Security Architecture Validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.
Teams using Network Security Architecture Validator should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-network-validator/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Network Security Architecture Validator Compares
| Feature / Agent | Network Security Architecture Validator | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
## Purpose & When-To-Use
**Trigger conditions:**
- Network security architecture review before production deployment
- Network segmentation validation
- Firewall rule audit
- VPN security assessment
- Post-incident network security review
**Not for:**
- Real-time intrusion detection (use IDS/IPS tools)
- Network performance optimization (use network monitoring tools)
- Cloud network security (use security-cloud-analyzer)
- Application-level security (use security-appsec-validator)
---
## Pre-Checks
**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates
**Input validation:**
- `network_identifier` must be non-empty string
- `architecture_scope` must be one of: [perimeter, internal, vpn, all]
- `segmentation_model` must be one of: [dmz, zero-trust, hybrid] or omitted
**Source freshness:**
- NIST SP 800-53 Rev 5 (SC family - System and Communications Protection) (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- CIS Controls v8 (Network Security) (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/controls
---
## Procedure
### Step 1: Critical Network Security Controls Check
**Perimeter Security:**
1. Firewall rules documented and reviewed (NIST SP 800-53 SC-7, accessed 2025-10-26T01:33:55-04:00)
2. Default-deny firewall stance (explicit allow-list only)
3. No overly permissive rules (0.0.0.0/0 ingress on sensitive ports)
4. DMZ zone for internet-facing services
**Internal Segmentation:**
1. Network zones defined (production, staging, management, user)
2. Inter-zone traffic restrictions (east-west segmentation)
3. Micro-segmentation for critical assets
4. Broadcast domain isolation
**Encrypted Transit:**
1. VPN for remote access (IPsec or WireGuard)
2. TLS/SSL for sensitive data in transit
3. No cleartext protocols on sensitive networks (FTP, Telnet, HTTP)
**Monitoring and Detection:**
1. Network flow logging enabled
2. Intrusion Prevention System (IPS) deployed
3. DDoS protection mechanisms
### Step 2: Generate Remediation Rules
For each finding, provide:
- NIST SP 800-53 control reference (SC family)
- Firewall rule syntax (iptables, pf, cloud security groups)
- Network policy configuration (Kubernetes NetworkPolicy, Cisco ACL)
**Token budgets:**
- **T1:** ≤2k tokens (critical network security findings)
- **T2:** ≤6k tokens (full network architecture audit)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)
---
## Decision Rules
**Ambiguity thresholds:**
- If network diagram unavailable → request architecture documentation
- If firewall rules inaccessible → assess based on observed traffic patterns
**Abort conditions:**
- No network identifier specified → cannot proceed
- No firewall rules or network policies accessible → limited to high-level assessment
**Severity classification:**
- Critical: Default-allow firewall, no segmentation (CVSS 9.0-10.0)
- High: Overpermissive rules, missing VPN encryption (CVSS 7.0-8.9)
- Medium: Logging gaps, weak segmentation (CVSS 4.0-6.9)
- Low: Documentation gaps, rule optimization (CVSS 0.1-3.9)
---
## Output Contract
**Required fields:**
```json
{
"network_identifier": "string",
"architecture_scope": "perimeter|internal|vpn|all",
"segmentation_model": "dmz|zero-trust|hybrid or null",
"timestamp": "ISO-8601 with timezone",
"findings": [
{
"id": "unique identifier",
"category": "firewall|segmentation|vpn|monitoring",
"severity": "critical|high|medium|low",
"cvss_score": 0.0,
"title": "brief description",
"description": "detailed finding",
"nist_control": "SC-7 or similar",
"affected_zones": ["network zones or segments"],
"remediation": "specific fix steps",
"remediation_rule": "firewall rule or policy config"
}
],
"segmentation_analysis": {
"zones_defined": ["list of network zones"],
"isolation_score": "0-100 (100=perfect isolation)",
"gaps": ["list of segmentation gaps"]
},
"summary": {
"total_findings": 0,
"critical_count": 0,
"high_count": 0,
"overall_risk": "critical|high|medium|low"
}
}
```
---
## Examples
**Example: Firewall Rule Audit**
```yaml
# Input
network_identifier: "production-network"
architecture_scope: "perimeter"
segmentation_model: "dmz"
# Output (abbreviated)
{
"network_identifier": "production-network",
"findings": [
{
"id": "NET-001",
"category": "firewall",
"severity": "high",
"cvss_score": 7.5,
"title": "Overly permissive SSH ingress rule",
"nist_control": "SC-7(5)",
"remediation_rule": "iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT"
}
],
"summary": {"high_count": 1, "overall_risk": "high"}
}
```
---
## Quality Gates
**Token budgets:**
- T1 ≤2k tokens (critical network security findings)
- T2 ≤6k tokens (full network architecture audit)
**Safety:**
- No actual IP addresses in public examples
- No sensitive network topology details
**Auditability:**
- Findings cite NIST SP 800-53 SC controls
- Firewall rules follow security best practices
**Determinism:**
- Same network state + inputs = consistent findings
---
## Resources
**NIST Standards:**
- NIST SP 800-53 Rev 5 (SC family): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (accessed 2025-10-26T01:33:55-04:00)
**CIS Controls:**
- CIS Controls v8 (Network Security): https://www.cisecurity.org/controls (accessed 2025-10-26T01:33:55-04:00)
**Network Security Best Practices:**
- NIST SP 800-41 Rev 1 (Firewall and Network Security): https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-77 (VPN Security): https://csrc.nist.gov/publications/detail/sp/800-77/final (accessed 2025-10-26T01:33:55-04:00)Related Skills
Service Level Objective Validator
Validate SLO definitions against actual metrics, generate alerting rules, and design error budget policies with burn rate calculations.
Zero Trust Architecture Designer
Design zero-trust architectures with identity-centric security, micro-segmentation, continuous verification, and CISA ZTMM maturity assessment.
Software Supply Chain Security Validator
Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.
Operating System Security Hardening Checker
Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.
IAM Security Reviewer
Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.
Cryptographic Security Validator
Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.
Container Security Checker
Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.
Cloud Security Posture Analyzer
Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.
Security Assessment Orchestrator
Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.
Application Security Validator
Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.
RabbitMQ Architecture Designer
Design RabbitMQ architectures with exchanges, quorum queues, routing patterns, clustering, dead letter exchanges, and AMQP best practices.
UX Design System Validator
Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.