Network Security Architecture Validator

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

Best use case

Network Security Architecture Validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

Teams using Network Security Architecture Validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-network-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-network-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-network-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Network Security Architecture Validator Compares

Feature / AgentNetwork Security Architecture ValidatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- Network security architecture review before production deployment
- Network segmentation validation
- Firewall rule audit
- VPN security assessment
- Post-incident network security review

**Not for:**
- Real-time intrusion detection (use IDS/IPS tools)
- Network performance optimization (use network monitoring tools)
- Cloud network security (use security-cloud-analyzer)
- Application-level security (use security-appsec-validator)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `network_identifier` must be non-empty string
- `architecture_scope` must be one of: [perimeter, internal, vpn, all]
- `segmentation_model` must be one of: [dmz, zero-trust, hybrid] or omitted

**Source freshness:**
- NIST SP 800-53 Rev 5 (SC family - System and Communications Protection) (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- CIS Controls v8 (Network Security) (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/controls

---

## Procedure

### Step 1: Critical Network Security Controls Check

**Perimeter Security:**
1. Firewall rules documented and reviewed (NIST SP 800-53 SC-7, accessed 2025-10-26T01:33:55-04:00)
2. Default-deny firewall stance (explicit allow-list only)
3. No overly permissive rules (0.0.0.0/0 ingress on sensitive ports)
4. DMZ zone for internet-facing services

**Internal Segmentation:**
1. Network zones defined (production, staging, management, user)
2. Inter-zone traffic restrictions (east-west segmentation)
3. Micro-segmentation for critical assets
4. Broadcast domain isolation

**Encrypted Transit:**
1. VPN for remote access (IPsec or WireGuard)
2. TLS/SSL for sensitive data in transit
3. No cleartext protocols on sensitive networks (FTP, Telnet, HTTP)

**Monitoring and Detection:**
1. Network flow logging enabled
2. Intrusion Prevention System (IPS) deployed
3. DDoS protection mechanisms

### Step 2: Generate Remediation Rules

For each finding, provide:
- NIST SP 800-53 control reference (SC family)
- Firewall rule syntax (iptables, pf, cloud security groups)
- Network policy configuration (Kubernetes NetworkPolicy, Cisco ACL)

**Token budgets:**
- **T1:** ≤2k tokens (critical network security findings)
- **T2:** ≤6k tokens (full network architecture audit)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)

---

## Decision Rules

**Ambiguity thresholds:**
- If network diagram unavailable → request architecture documentation
- If firewall rules inaccessible → assess based on observed traffic patterns

**Abort conditions:**
- No network identifier specified → cannot proceed
- No firewall rules or network policies accessible → limited to high-level assessment

**Severity classification:**
- Critical: Default-allow firewall, no segmentation (CVSS 9.0-10.0)
- High: Overpermissive rules, missing VPN encryption (CVSS 7.0-8.9)
- Medium: Logging gaps, weak segmentation (CVSS 4.0-6.9)
- Low: Documentation gaps, rule optimization (CVSS 0.1-3.9)

---

## Output Contract

**Required fields:**
```json
{
  "network_identifier": "string",
  "architecture_scope": "perimeter|internal|vpn|all",
  "segmentation_model": "dmz|zero-trust|hybrid or null",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "category": "firewall|segmentation|vpn|monitoring",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "nist_control": "SC-7 or similar",
      "affected_zones": ["network zones or segments"],
      "remediation": "specific fix steps",
      "remediation_rule": "firewall rule or policy config"
    }
  ],
  "segmentation_analysis": {
    "zones_defined": ["list of network zones"],
    "isolation_score": "0-100 (100=perfect isolation)",
    "gaps": ["list of segmentation gaps"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}
```

---

## Examples

**Example: Firewall Rule Audit**

```yaml
# Input
network_identifier: "production-network"
architecture_scope: "perimeter"
segmentation_model: "dmz"

# Output (abbreviated)
{
  "network_identifier": "production-network",
  "findings": [
    {
      "id": "NET-001",
      "category": "firewall",
      "severity": "high",
      "cvss_score": 7.5,
      "title": "Overly permissive SSH ingress rule",
      "nist_control": "SC-7(5)",
      "remediation_rule": "iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT"
    }
  ],
  "summary": {"high_count": 1, "overall_risk": "high"}
}
```

---

## Quality Gates

**Token budgets:**
- T1 ≤2k tokens (critical network security findings)
- T2 ≤6k tokens (full network architecture audit)

**Safety:**
- No actual IP addresses in public examples
- No sensitive network topology details

**Auditability:**
- Findings cite NIST SP 800-53 SC controls
- Firewall rules follow security best practices

**Determinism:**
- Same network state + inputs = consistent findings

---

## Resources

**NIST Standards:**
- NIST SP 800-53 Rev 5 (SC family): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (accessed 2025-10-26T01:33:55-04:00)

**CIS Controls:**
- CIS Controls v8 (Network Security): https://www.cisecurity.org/controls (accessed 2025-10-26T01:33:55-04:00)

**Network Security Best Practices:**
- NIST SP 800-41 Rev 1 (Firewall and Network Security): https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-77 (VPN Security): https://csrc.nist.gov/publications/detail/sp/800-77/final (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Service Level Objective Validator

5
from williamzujkowski/cognitive-toolworks

Validate SLO definitions against actual metrics, generate alerting rules, and design error budget policies with burn rate calculations.

Zero Trust Architecture Designer

5
from williamzujkowski/cognitive-toolworks

Design zero-trust architectures with identity-centric security, micro-segmentation, continuous verification, and CISA ZTMM maturity assessment.

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

IAM Security Reviewer

5
from williamzujkowski/cognitive-toolworks

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Cryptographic Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Container Security Checker

5
from williamzujkowski/cognitive-toolworks

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Cloud Security Posture Analyzer

5
from williamzujkowski/cognitive-toolworks

Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.

Security Assessment Orchestrator

5
from williamzujkowski/cognitive-toolworks

Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.

Application Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

RabbitMQ Architecture Designer

5
from williamzujkowski/cognitive-toolworks

Design RabbitMQ architectures with exchanges, quorum queues, routing patterns, clustering, dead letter exchanges, and AMQP best practices.

UX Design System Validator

5
from williamzujkowski/cognitive-toolworks

Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.