DMZ - Demilitarized Zone
What is a DMZ?
A DMZ (Demilitarized Zone) is a physical or logical subnetwork that separates an internal local area network (LAN) from untrusted external networks (usually the internet). It acts as a buffer zone to add an extra layer of security.
Why is DMZ important?
Allows external users to access specific services (like web, email, or DNS) without exposing the internal network.
Limits damage in case of a breach.
Helps enforce strict access control and segmentation policies.
How DMZ works (in simple steps):
A firewall or router separates the DMZ from both the internal network and the internet.
Public-facing services (e.g., web servers) are placed in the DMZ.
External users access these services without touching the internal network.
Internal users can access the DMZ, but DMZ-to-internal access is restricted.
Where is DMZ used?
Hosting public web servers
Email gateways
DNS servers
Reverse proxies
VPN concentrators
Any publicly accessible services requiring isolation from internal networks
Which OSI Layer does this concept belong to?
DMZ is a network architecture concept that primarily operates at the Network Layer (Layer 3) because: * It controls routing and segmentation of IP-level traffic. * Implemented using routers, firewalls, and switches. * Defines trust boundaries between internal, external, and intermediary zones.
Topics in this section,
In this section, you are going to learn
Terminology
Version Info
DMZ version |
RFC/Reference / Source |
Year |
Core Idea / Contribution |
|---|---|---|---|
DMZ v1 Basic Perimeter |
|||
Industry Practice |
~1990s |
Introduced as a buffer zone between internal LAN and the internet using a single firewall |
|
DMZ v2 Three-Legged Firewall |
|||
Cisco/Juniper Network Designs |
~2000s |
Used a single firewall with three interfaces: |
|
|
|||
DMZ v3 Dual Firewall Model |
|||
NIST SP 800-41 Rev. 1 |
2009 |
Enhanced security using two firewalls to |
|
isolate DMZ from both internal and external |
|||
networks. |
|||
DMZ v4 Virtual DMZ (Cloud) |
|||
AWS, Azure, GCP Architecture Docs |
2010s |
Implemented DMZ principles in cloud environments using subnets, security groups, and NACLs. |
|
DMZ v5 Zero Trust DMZ |
|||
NIST SP 800-207 (Zero Trust) |
2020 |
Shifted from perimeter-based DMZ to micro- |
|
segmentation and identity-based access control. |
Setup
Setup
Inbound Request Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
1 |
Inbound Request Packet |
External client sends a request (e.g., HTTP, SMTP, DNS) to a public-facing server in the DMZ. |
641500 |
Source IP |
IP address of the external client |
4 |
|
Destination IP |
Public IP of the DMZ server |
4 |
|
Protocol |
TCP/UDP (e.g., port 80 for HTTP, 25 for SMTP) |
1 |
|
Payload |
Application data (e.g., HTTP GET request) |
Variable |
DMZ Server Response Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
2 |
DMZ Server Response Packet |
The DMZ server responds to the external client (e.g., web page, DNS reply) |
641500 |
Source IP |
IP of the DMZ server |
4 |
|
Destination IP |
IP of the external client |
4 |
|
Protocol |
TCP/UDP |
1 |
|
Payload |
Response data (e.g., HTML content, DNS answer) |
Variable |
Internal Request Packet (Controlled)
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
3 |
Internal Request Packet (Controlled) |
If allowed, DMZ server may initiate a request to internal |
641500 |
|
|||
Source IP |
DMZ server IP |
4 |
|
Destination IP |
Internal server IP |
4 |
|
Protocol |
TCP (e.g., port 3306 for MySQL) |
1 |
|
Payload |
Application-specific request |
Variable |
Firewall Control Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
4 |
Firewall Control Packet |
Firewalls inspect and enforce rules on traffic between |
N/A (not a data packet) |
|
|||
Rule Match |
Evaluates packet headers to match rules based on: |
||
? Source IP |
IP address of the sender (IPv4 or IPv6) |
4 (IPv4) / 16 (IPv6) |
|
? Destination IP |
IP address of the receiver |
4 (IPv4) / 16 (IPv6) |
|
? Protocol |
Protocol type (e.g., TCP = 6, UDP = 17) |
1 |
|
? Source Port |
Port number of the sender (if applicable) |
2 |
|
? Destination Port |
Port number of the receiver (if applicable) |
2 |
|
Action |
Decision taken by the firewall (e.g., Allow, Deny, Log, NAT) |
(logical operation) |
|
Logging Info (optional) |
Metadata for audit/logging (timestamp, rule ID, interface, |
Variable |
|
etc.) |
(typically 32128 bytes) |
S.no |
Use Case |
Description |
|---|---|---|
1 |
Public Web Hosting |
Hosts websites that need to be accessible from the |
internet while isolating them from the internal network. |
||
2 |
Email Gateway |
Places mail servers (SMTP, IMAP, POP3) in the DMZ to |
handle external email traffic securely. |
||
3 |
DNS Services |
Hosts authoritative or caching DNS servers that respond |
to external queries without exposing internal DNS |
||
infrastructure. |
||
4 |
VPN Termination |
Hosts VPN concentrators or gateways that authenticate |
and tunnel remote access traffic before it reaches the |
||
internal network. |
||
5 |
Reverse Proxy / Load Balancer |
Forwards client requests to internal servers while hiding internal IPs and providing load balancing. |
6 |
Intrusion Detection / Prevention |
Deploys IDS/IPS sensors in the DMZ to monitor and |
analyze incoming traffic before it reaches internal systems. |
||
7 |
Application Gateways |
Hosts services like FTP, VoIP, or APIs that require |
controlled access from external clients. |
||
8 |
Security Isolation |
Acts as a buffer zone to contain breaches and prevent |
lateral movement into the internal network. |
S.no |
Feature |
Description |
|---|---|---|
1 |
Network Segmentation |
Separates public-facing services from the internal network to reduce attack surface. |
2 |
Firewall Enforcement |
Uses one or more firewalls to control traffic between |
external, DMZ, and internal zones. |
||
3 |
Public Service Hosting |
Hosts services like web, email, DNS, and FTP that must be |
accessible from the internet. |
||
4 |
Access Control |
Implements strict rules to limit DMZ-to-internal and external to-DMZ communication. |
5 |
Intrusion Detection/Prevention |
Often includes IDS/IPS systems to monitor and block |
suspicious activity. |
||
6 |
Logging and Monitoring |
Tracks access and traffic patterns for auditing and threat |
detection. |
||
7 |
Reverse Proxy Support |
Uses reverse proxies to forward requests to internal servers while hiding internal IPs. |
8 |
VPN Termination Point |
Acts as a secure endpoint for VPN connections before |
allowing access to internal resources. |
||
9 |
Redundancy and High Availability |
Can be configured with redundant servers and firewalls to |
ensure service continuity. |
||
10 |
Cloud-Compatible Design |
Can be implemented virtually in cloud environments using |
subnets, security groups, and routing rules. |
Network Segmentation - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
DMZ Device Isolation |
Place device in DMZ |
Device cannot access internal network |
2 |
Internal to DMZ Access |
Access DMZ service from internal network |
Access successful |
3 |
DMZ to Internal Block |
Attempt access from DMZ to internal |
Access denied |
4 |
DMZ to Internet Access |
Access external site from DMZ |
Access successful |
5 |
Internet to DMZ Access |
Access DMZ service from internet |
Access successful (if allowed) |
6 |
Port Forwarding to DMZ |
Configure NAT to DMZ device |
Port forwards correctly |
7 |
Blocked Port to DMZ |
Access blocked port on DMZ device |
Connection refused |
8 |
ICMP from DMZ |
Ping external IP from DMZ |
Ping successful |
9 |
ICMP to DMZ |
Ping DMZ device from internet |
Ping successful (if allowed) |
10 |
ICMP to Internal from DMZ |
Ping internal IP from DMZ |
Ping blocked |
11 |
DMZ Device DHCP |
Assign IP via DHCP |
IP assigned from DMZ range |
12 |
Static IP in DMZ |
Assign static IP to DMZ device |
Device reachable |
13 |
DMZ DNS Resolution |
Resolve domain from DMZ |
DNS resolves correctly |
14 |
DMZ DNS Leak Test |
Check for DNS leaks from DMZ |
No internal DNS exposed |
15 |
DMZ Firewall Rule Allow |
Allow specific port to DMZ |
Traffic allowed |
16 |
DMZ Firewall Rule Deny |
Deny specific port to DMZ |
Traffic blocked |
17 |
DMZ Logging |
Enable logging for DMZ traffic |
Logs show DMZ activity |
18 |
DMZ Device Scan |
Scan DMZ from internal network |
No response (if blocked) |
19 |
DMZ Device Update |
Perform firmware update from DMZ |
Update successful |
20 |
DMZ Device Reboot |
Reboot DMZ device |
Device rejoins DMZ |
21 |
DMZ Device Spoofing |
Attempt IP spoofing from DMZ |
Spoofing detected or blocked |
22 |
DMZ VLAN Isolation |
Place DMZ on separate VLAN |
VLAN traffic isolated |
23 |
DMZ ARP Inspection |
Enable ARP inspection in DMZ |
Invalid ARP blocked |
24 |
DMZ MAC Filtering |
Allow only specific MACs in DMZ |
Unauthorized MAC blocked |
25 |
DMZ Rate Limiting |
Apply bandwidth limit to DMZ |
Traffic rate limited |
26 |
DMZ IDS/IPS Alert |
Trigger suspicious activity in DMZ |
Alert generated |
27 |
DMZ Device Time Sync |
Sync time via NTP from DMZ |
Time synchronized |
28 |
DMZ Device Authentication |
Require login to DMZ service |
Auth prompt shown |
29 |
DMZ Device Enumeration |
Attempt to list DMZ devices |
Devices not listed (if secure) |
30 |
DMZ Device Isolation Test |
Try lateral movement in DMZ |
Movement blocked |
31 |
DMZ Port Scan Detection |
Scan DMZ ports from internet |
Scan detected/logged |
32 |
DMZ Device Backup |
Backup DMZ device config |
Backup successful |
33 |
DMZ Device Restore |
Restore config to DMZ device |
Restore successful |
34 |
DMZ Device Monitoring |
Monitor DMZ device via SNMP |
SNMP data visible |
35 |
DMZ Device Syslog |
Send logs to syslog server |
Logs received |
36 |
DMZ Device SSH Access |
SSH into DMZ device |
Access granted (if allowed) |
37 |
DMZ Device Web UI |
Access web interface of DMZ device |
UI loads correctly |
38 |
DMZ Device Certificate |
Use HTTPS with valid cert |
Cert trusted |
39 |
DMZ Device Invalid Cert |
Use HTTPS with invalid cert |
Warning shown |
40 |
DMZ Device Expired Cert |
Use expired cert on DMZ device |
Warning shown |
41 |
DMZ Device TLS Version |
Enforce TLS 1.2+ only |
Older versions blocked |
42 |
DMZ Device Weak Cipher |
Use weak cipher suite |
Connection refused |
43 |
DMZ Device Strong Cipher |
Use strong cipher suite |
Connection accepted |
44 |
DMZ Device Logging Disabled |
Disable logging on DMZ device |
No logs generated |
45 |
DMZ Device Logging Enabled |
Enable logging on DMZ device |
Logs generated |
46 |
DMZ Device Reconnection |
Disconnect and reconnect device |
Device rejoins DMZ |
47 |
DMZ Device NAT Traversal |
Test NAT traversal from DMZ |
Traversal successful |
48 |
DMZ Device VPN |
Connect VPN from DMZ |
VPN connects |
49 |
DMZ Device Proxy Use |
Use proxy from DMZ |
Proxy routes traffic |
50 |
DMZ Device Load Test |
Simulate high traffic to DMZ |
Device handles load or fails gracefully |
Firewall Enforcement - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Allow HTTP Traffic |
Allow TCP port 80 |
HTTP traffic passes through |
2 |
Block HTTP Traffic |
Block TCP port 80 |
HTTP traffic blocked |
3 |
Allow HTTPS Traffic |
Allow TCP port 443 |
HTTPS traffic passes through |
4 |
Block HTTPS Traffic |
Block TCP port 443 |
HTTPS traffic blocked |
5 |
Allow ICMP Ping |
Allow ICMP echo requests |
Ping successful |
6 |
Block ICMP Ping |
Block ICMP echo requests |
Ping blocked |
7 |
Allow DNS Queries |
Allow UDP port 53 |
DNS queries resolve |
8 |
Block DNS Queries |
Block UDP port 53 |
DNS queries fail |
9 |
Allow FTP Traffic |
Allow TCP port 21 |
FTP connection successful |
10 |
Block FTP Traffic |
Block TCP port 21 |
FTP connection blocked |
11 |
Allow SSH Access |
Allow TCP port 22 |
SSH connection successful |
12 |
Block SSH Access |
Block TCP port 22 |
SSH connection blocked |
13 |
Allow Custom Port |
Allow TCP port 8080 |
Traffic on port 8080 allowed |
14 |
Block Custom Port |
Block TCP port 8080 |
Traffic on port 8080 blocked |
15 |
Allow Specific IP |
Allow traffic from 192.168.1.10 |
Only that IP can connect |
16 |
Block Specific IP |
Block traffic from 192.168.1.10 |
That IP is denied access |
17 |
Allow IP Range |
Allow 192.168.1.0/24 |
All IPs in range allowed |
18 |
Block IP Range |
Block 192.168.1.0/24 |
All IPs in range blocked |
19 |
Allow MAC Address |
Allow traffic from specific MAC |
Only that MAC allowed |
20 |
Block MAC Address |
Block traffic from specific MAC |
That MAC is denied |
21 |
Stateful Inspection |
Enable stateful firewall |
Only valid sessions allowed |
22 |
Stateless Filtering |
Use stateless rules |
Packets filtered without session awareness |
23 |
Allow Outbound Traffic |
Allow all outbound traffic |
Outbound traffic flows freely |
24 |
Block Outbound Traffic |
Block all outbound traffic |
Outbound traffic blocked |
25 |
Allow Inbound Traffic |
Allow all inbound traffic |
Inbound traffic flows freely |
26 |
Block Inbound Traffic |
Block all inbound traffic |
Inbound traffic blocked |
27 |
Logging Enabled |
Enable firewall logging |
Logs show traffic activity |
28 |
Logging Disabled |
Disable firewall logging |
No logs generated |
29 |
Port Scan Detection |
Simulate port scan |
Scan detected and logged |
30 |
SYN Flood Protection |
Simulate SYN flood attack |
Attack mitigated |
31 |
Allow VPN Traffic |
Allow UDP port 1194 (OpenVPN) |
VPN connects successfully |
32 |
Block VPN Traffic |
Block UDP port 1194 |
VPN connection fails |
33 |
Allow VoIP Traffic |
Allow SIP/RTP ports |
VoIP calls succeed |
34 |
Block VoIP Traffic |
Block SIP/RTP ports |
VoIP calls fail |
35 |
Time-Based Rule |
Allow traffic only during business hours |
Traffic allowed only in time window |
36 |
Geo-IP Blocking |
Block traffic from specific countries |
Traffic from blocked countries denied |
37 |
Application Control |
Block social media apps |
Access to apps denied |
38 |
Deep Packet Inspection |
Enable DPI for HTTP |
Content-based filtering applied |
39 |
URL Filtering |
Block specific URLs |
Access to URLs denied |
40 |
Content Filtering |
Block adult content |
Inappropriate content blocked |
41 |
Allow Multicast Traffic |
Allow multicast IP range |
Multicast traffic flows |
42 |
Block Multicast Traffic |
Block multicast IP range |
Multicast traffic blocked |
43 |
Allow Broadcast Traffic |
Allow broadcast packets |
Broadcasts received |
44 |
Block Broadcast Traffic |
Block broadcast packets |
Broadcasts blocked |
45 |
Firewall Rule Priority |
Test rule order precedence |
Higher priority rule enforced |
46 |
Rule Conflict Resolution |
Create conflicting rules |
Most specific rule applied |
47 |
Rule Backup and Restore |
Export and import firewall rules |
Rules restored correctly |
48 |
Firewall Failover |
Simulate primary firewall failure |
Secondary takes over |
49 |
Firewall Throughput Test |
Measure traffic throughput |
Meets expected performance |
50 |
Firewall Latency Test |
Measure latency introduced by firewall |
Latency within acceptable limits |
Public Service Hosting - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
HTTP Service Availability |
Host public HTTP service |
Service accessible via browser |
2 |
HTTPS Service Availability |
Host public HTTPS service |
Secure connection established |
3 |
DNS Resolution |
Resolve public domain name |
Domain resolves to correct IP |
4 |
Port Forwarding Setup |
Forward public port to internal service |
External access successful |
5 |
NAT Traversal |
Access service behind NAT |
Service reachable externally |
6 |
Firewall Rule Allow |
Allow public access to service port |
Traffic allowed |
7 |
Firewall Rule Block |
Block public access to service port |
Traffic blocked |
8 |
TLS Certificate Validity |
Use valid TLS certificate |
No browser warnings |
9 |
TLS Certificate Expiry |
Use expired certificate |
Browser shows warning |
10 |
TLS Certificate Mismatch |
Use mismatched domain certificate |
Browser shows error |
11 |
Service Load Test |
Simulate high traffic |
Service remains responsive |
12 |
Service Latency Test |
Measure response time |
Latency within acceptable limits |
13 |
Service Downtime Detection |
Stop service manually |
Monitoring detects downtime |
14 |
Service Restart |
Restart public service |
Service resumes correctly |
15 |
Service Logging |
Enable access logs |
Logs show incoming requests |
16 |
Service Monitoring |
Monitor service health |
Alerts on failure |
17 |
Service Metrics Collection |
Collect performance metrics |
Metrics available |
18 |
Service Authentication |
Require login for access |
Auth prompt shown |
19 |
Anonymous Access |
Allow access without login |
Service accessible anonymously |
20 |
Rate Limiting |
Limit requests per IP |
Excess requests blocked |
21 |
IP Whitelisting |
Allow only specific IPs |
Other IPs denied |
22 |
IP Blacklisting |
Block specific IPs |
Blocked IPs denied |
23 |
Geo-IP Filtering |
Block access from specific countries |
Access denied from blocked regions |
24 |
Content Filtering |
Block specific content types |
Filtered content blocked |
25 |
Protocol Enforcement |
Enforce HTTPS only |
HTTP redirected or blocked |
26 |
Service Redirection |
Redirect HTTP to HTTPS |
Browser redirected |
27 |
Service Header Validation |
Check response headers |
Headers present and correct |
28 |
Service CORS Policy |
Test cross-origin requests |
CORS headers enforced |
29 |
Service Cache Control |
Set cache headers |
Browser caches as expected |
30 |
Service Compression |
Enable gzip compression |
Responses compressed |
31 |
Service Content-Type |
Serve correct MIME types |
Browser renders correctly |
32 |
Service Static Files |
Host static content |
Files accessible |
33 |
Service Dynamic Content |
Host dynamic web app |
App functions correctly |
34 |
Service API Hosting |
Host public REST API |
API responds to requests |
35 |
API Rate Limiting |
Limit API calls per user |
Excess calls blocked |
36 |
API Authentication |
Require API key |
Unauthorized access denied |
37 |
API Versioning |
Host multiple API versions |
Clients access correct version |
38 |
API Documentation |
Provide public API docs |
Docs accessible |
39 |
Service Backup |
Backup hosted service |
Backup completes successfully |
40 |
Service Restore |
Restore from backup |
Service resumes correctly |
41 |
Service Deployment |
Deploy new version |
New version accessible |
42 |
Service Rollback |
Rollback to previous version |
Previous version restored |
43 |
Service CI/CD Integration |
Automate deployment pipeline |
Code deployed automatically |
44 |
Service Containerization |
Host service in container |
Container runs and serves requests |
45 |
Service Orchestration |
Use orchestration tool (e.g., Kubernetes) |
Service scales and recovers |
46 |
Service Scaling |
Scale service horizontally |
More instances handle load |
47 |
Service Isolation |
Isolate service from internal network |
No internal access allowed |
48 |
Service Vulnerability Scan |
Scan for security issues |
Vulnerabilities reported |
49 |
Service Patch Management |
Apply security patches |
Service updated securely |
50 |
Service SLA Monitoring |
Monitor uptime against SLA |
SLA compliance verified |
Access Control - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
User Login |
Attempt login with valid credentials |
Access granted |
2 |
Invalid Login |
Attempt login with invalid credentials |
Access denied |
3 |
Password Expiry |
Login with expired password |
Prompt to change password |
4 |
Password Complexity |
Set weak password |
Password rejected |
5 |
Role-Based Access |
Assign user a role |
Access limited to role permissions |
6 |
Permission Denied |
Access resource without permission |
Access denied |
7 |
Permission Granted |
Access resource with permission |
Access granted |
8 |
Multi-Factor Authentication |
Enable MFA and login |
Second factor required |
9 |
Session Timeout |
Stay idle beyond timeout limit |
Session expires |
10 |
Concurrent Session Limit |
Exceed allowed sessions |
New session denied |
11 |
Access Revocation |
Revoke user access |
User denied access |
12 |
Access Granting |
Grant access to new user |
User gains access |
13 |
Group-Based Access |
Assign user to group |
Inherits group permissions |
14 |
Time-Based Access |
Access outside allowed hours |
Access denied |
15 |
Location-Based Access |
Access from unauthorized location |
Access denied |
16 |
IP Whitelisting |
Access from whitelisted IP |
Access granted |
17 |
IP Blacklisting |
Access from blacklisted IP |
Access denied |
18 |
Device-Based Access |
Access from unauthorized device |
Access denied |
19 |
Access Logging |
Perform access operations |
Logs generated |
20 |
Access Audit Trail |
Review access history |
Complete audit trail available |
21 |
Temporary Access |
Grant temporary access |
Access expires after set time |
22 |
Access Request Workflow |
Submit access request |
Request routed for approval |
23 |
Access Approval |
Approve access request |
Access granted |
24 |
Access Rejection |
Reject access request |
Access denied |
25 |
Self-Service Access |
User requests access via portal |
Request submitted |
26 |
Access Notification |
Notify on access grant/revoke |
Notification received |
27 |
Access Policy Enforcement |
Apply access control policy |
Policy enforced |
28 |
Policy Violation Alert |
Attempt policy violation |
Alert triggered |
29 |
Access Control Backup |
Backup access control configuration |
Backup successful |
30 |
Access Control Restore |
Restore from backup |
Configuration restored |
31 |
Access Control Export |
Export access rules |
Export file generated |
32 |
Access Control Import |
Import access rules |
Rules applied |
33 |
Access Control API |
Use API to manage access |
API responds correctly |
34 |
Access Control UI |
Use UI to manage access |
UI updates reflected |
35 |
Access Control CLI |
Use CLI to manage access |
CLI commands executed |
36 |
Access Control Sync |
Sync access rules across systems |
Rules synchronized |
37 |
Access Control Conflict |
Create conflicting rules |
Conflict resolved per policy |
38 |
Access Control Testing |
Simulate access scenarios |
Results match expectations |
39 |
Access Control Reporting |
Generate access report |
Report generated |
40 |
Access Control Dashboard |
View access summary |
Dashboard displays data |
41 |
Access Control Alerting |
Enable alerts for access events |
Alerts triggered |
42 |
Access Control Threshold |
Exceed access threshold |
Alert or block triggered |
43 |
Access Control Tagging |
Tag users/resources for access |
Tags applied correctly |
44 |
Access Control Cleanup |
Remove unused access entries |
Entries removed |
45 |
Access Control Review |
Periodic review of access rights |
Review completed |
46 |
Access Control Certification |
Certify user access |
Certification recorded |
47 |
Access Control Delegation |
Delegate access management |
Delegate can manage access |
48 |
Access Control Escalation |
Escalate access request |
Escalation workflow triggered |
49 |
Access Control Exception |
Grant exception to policy |
Exception logged and applied |
50 |
Access Control Termination |
Terminate user access |
Access immediately revoked |
Intrusion Detection/Prevention - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Signature-Based Detection |
Trigger known attack signature |
Alert generated |
2 |
Anomaly-Based Detection |
Send abnormal traffic pattern |
Alert generated |
3 |
Port Scan Detection |
Perform port scan |
Scan detected and logged |
4 |
SYN Flood Attack |
Simulate SYN flood |
Attack detected and mitigated |
5 |
ICMP Flood Attack |
Send ICMP flood |
Alert generated |
6 |
UDP Flood Attack |
Send UDP flood |
Alert generated |
7 |
DNS Amplification Attack |
Simulate DNS amplification |
Attack detected |
8 |
HTTP GET Flood |
Send excessive GET requests |
Alert or block triggered |
9 |
SQL Injection Attempt |
Send SQL injection payload |
Alert generated |
10 |
XSS Injection Attempt |
Send XSS payload |
Alert generated |
11 |
Command Injection Attempt |
Send OS command payload |
Alert generated |
12 |
Brute Force Login Attempt |
Attempt multiple logins |
Alert generated |
13 |
Malware File Transfer |
Transfer known malware file |
File blocked or alert triggered |
14 |
Suspicious User-Agent |
Use suspicious User-Agent string |
Alert generated |
15 |
Suspicious URL Access |
Access known malicious URL |
Alert generated |
16 |
Unauthorized Protocol Use |
Use unauthorized protocol (e.g., Telnet) |
Alert or block triggered |
17 |
Outbound Data Exfiltration |
Simulate data exfiltration |
Alert generated |
18 |
Internal Reconnaissance |
Scan internal network |
Activity detected |
19 |
Lateral Movement Detection |
Attempt lateral movement |
Alert generated |
20 |
Privilege Escalation Attempt |
Simulate privilege escalation |
Alert generated |
21 |
Zero-Day Exploit Simulation |
Use unknown exploit |
Anomaly alert generated |
22 |
IDS Logging Enabled |
Enable logging |
Logs show intrusion attempts |
23 |
IDS Logging Disabled |
Disable logging |
No logs generated |
24 |
IPS Blocking Enabled |
Enable prevention mode |
Malicious traffic blocked |
25 |
IPS Blocking Disabled |
Disable prevention mode |
Traffic only logged |
26 |
False Positive Test |
Send benign traffic |
No alert generated |
27 |
False Negative Test |
Send known malicious traffic |
Alert generated |
28 |
Alert Notification Test |
Trigger alert |
Notification sent |
29 |
Alert Severity Classification |
Trigger low/medium/high severity events |
Alerts classified correctly |
30 |
Rule Update Test |
Update IDS/IPS rules |
New rules applied |
31 |
Rule Backup and Restore |
Backup and restore rules |
Rules restored correctly |
32 |
Custom Rule Creation |
Create custom detection rule |
Rule triggers as expected |
33 |
Rule Conflict Resolution |
Create conflicting rules |
Conflict resolved per priority |
34 |
Encrypted Traffic Detection |
Send encrypted malicious traffic |
Alert generated (if supported) |
35 |
VPN Traffic Inspection |
Send traffic over VPN |
Traffic inspected or bypassed |
36 |
VLAN-Aware Detection |
Send attack from different VLAN |
Attack detected |
37 |
IDS/IPS Bypass Attempt |
Obfuscate payload |
Alert still triggered |
38 |
IDS/IPS Performance Test |
Send high traffic volume |
System remains stable |
39 |
IDS/IPS Latency Test |
Measure latency introduced |
Latency within acceptable limits |
40 |
IDS/IPS Failover Test |
Simulate primary failure |
Secondary takes over |
41 |
IDS/IPS High Availability |
Test HA configuration |
No packet loss or downtime |
42 |
IDS/IPS Integration with SIEM |
Forward alerts to SIEM |
Alerts visible in SIEM |
43 |
IDS/IPS Dashboard View |
View alerts on dashboard |
Alerts displayed correctly |
44 |
IDS/IPS Report Generation |
Generate intrusion report |
Report generated |
45 |
IDS/IPS Alert Correlation |
Correlate multiple alerts |
Correlation shown |
46 |
IDS/IPS Time Sync |
Sync time with NTP |
Timestamps accurate |
47 |
IDS/IPS Log Rotation |
Rotate logs |
Old logs archived |
48 |
IDS/IPS Rule Tuning |
Adjust rule sensitivity |
Fewer false positives |
49 |
IDS/IPS Maintenance Mode |
Enable maintenance mode |
Alerts suppressed temporarily |
50 |
IDS/IPS System Update |
Apply software update |
System updated without issues |
Logging and Monitoring - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Log File Creation |
Generate system event |
Log file created |
2 |
Log Entry Format |
Check log entry structure |
Entry follows defined format |
3 |
Timestamp Accuracy |
Verify log timestamps |
Timestamps are accurate |
4 |
Log Rotation |
Generate large logs |
Old logs archived, new file created |
5 |
Log Retention Policy |
Check log retention duration |
Logs retained as per policy |
6 |
Log Level Filtering |
Generate logs at various levels |
Only configured levels logged |
7 |
Debug Logging |
Enable debug mode |
Debug logs appear |
8 |
Info Logging |
Generate informational events |
Info logs recorded |
9 |
Warning Logging |
Trigger warning condition |
Warning log generated |
10 |
Error Logging |
Trigger error condition |
Error log generated |
11 |
Critical Logging |
Trigger critical failure |
Critical log generated |
12 |
Log File Permissions |
Check access rights to log files |
Only authorized users can access |
13 |
Log File Integrity |
Modify log file manually |
Tampering detected |
14 |
Log Encryption |
Enable log encryption |
Logs stored securely |
15 |
Log Compression |
Enable log compression |
Logs compressed |
16 |
Real-Time Log Streaming |
Stream logs to console or dashboard |
Logs appear in real-time |
17 |
Remote Log Forwarding |
Forward logs to remote server |
Logs received remotely |
18 |
Syslog Integration |
Send logs via syslog |
Syslog server receives logs |
19 |
SIEM Integration |
Forward logs to SIEM |
Events visible in SIEM |
20 |
Log Parsing |
Parse logs with tool |
Fields extracted correctly |
21 |
Log Search |
Search for specific event |
Event found |
22 |
Log Correlation |
Correlate related events |
Events linked correctly |
23 |
Log Alerting |
Trigger alert on specific log entry |
Alert generated |
24 |
Log Dashboard |
View logs on dashboard |
Logs displayed correctly |
25 |
Log Archiving |
Archive old logs |
Logs moved to archive |
26 |
Log Backup |
Backup log files |
Backup completed |
27 |
Log Restore |
Restore logs from backup |
Logs restored |
28 |
Log Anomaly Detection |
Detect unusual log patterns |
Anomaly alert generated |
29 |
Log Volume Monitoring |
Monitor log size |
Alert on threshold breach |
30 |
Log Source Identification |
Identify source of log entry |
Source correctly identified |
31 |
Application Log Capture |
Generate app-specific logs |
Logs captured |
32 |
System Log Capture |
Generate system-level logs |
Logs captured |
33 |
Network Log Capture |
Generate network events |
Logs captured |
34 |
User Activity Logging |
Perform user actions |
Actions logged |
35 |
Authentication Logging |
Login/logout attempts |
Events logged |
36 |
Authorization Logging |
Access control events |
Access attempts logged |
37 |
File Access Logging |
Access sensitive file |
Access logged |
38 |
Configuration Change Logging |
Modify system config |
Change logged |
39 |
Service Start/Stop Logging |
Start/stop service |
Event logged |
40 |
Crash Logging |
Simulate application crash |
Crash details logged |
41 |
Monitoring Agent Installation |
Install monitoring agent |
Agent reports data |
42 |
Resource Usage Monitoring |
Monitor CPU/memory/disk |
Metrics collected |
43 |
Network Traffic Monitoring |
Monitor bandwidth usage |
Traffic metrics visible |
44 |
Process Monitoring |
Monitor running processes |
Process list updated |
45 |
Service Health Monitoring |
Monitor service status |
Health status reported |
46 |
Threshold Alerting |
Exceed resource threshold |
Alert triggered |
47 |
Uptime Monitoring |
Track system uptime |
Uptime metrics visible |
48 |
SLA Monitoring |
Monitor against SLA targets |
SLA compliance reported |
49 |
Monitoring Dashboard |
View metrics on dashboard |
Data displayed correctly |
50 |
Monitoring Report Generation |
Generate periodic report |
Report generated and exported |
Reverse Proxy Support - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Basic Proxy Routing |
Route request to backend server |
Response received from correct backend |
2 |
Host-Based Routing |
Route based on hostname |
Request routed to correct virtual host |
3 |
Path-Based Routing |
Route based on URL path |
Request routed to correct backend |
4 |
HTTPS Termination |
Terminate SSL at proxy |
Backend receives HTTP |
5 |
SSL Passthrough |
Forward SSL to backend |
Backend handles SSL |
6 |
HTTP to HTTPS Redirect |
Redirect HTTP to HTTPS |
Client redirected to HTTPS |
7 |
Load Balancing |
Distribute requests across servers |
Requests balanced evenly |
8 |
Sticky Sessions |
Maintain session affinity |
Same client hits same backend |
9 |
Health Checks |
Monitor backend health |
Unhealthy backends removed from pool |
10 |
Backend Failover |
Failover to secondary backend |
Traffic rerouted on failure |
11 |
Caching Enabled |
Enable caching at proxy |
Cached responses served |
12 |
Caching Disabled |
Disable caching |
All requests forwarded to backend |
13 |
Header Forwarding |
Forward headers to backend |
Headers received correctly |
14 |
Header Rewriting |
Modify headers before forwarding |
Headers rewritten as configured |
15 |
URL Rewriting |
Rewrite URL before forwarding |
Backend receives modified URL |
16 |
IP Whitelisting |
Allow only specific IPs |
Other IPs blocked |
17 |
IP Blacklisting |
Block specific IPs |
Blocked IPs denied |
18 |
Rate Limiting |
Limit requests per client |
Excess requests blocked |
19 |
Geo-IP Blocking |
Block traffic from specific regions |
Access denied |
20 |
Authentication Required |
Require auth before proxying |
Auth prompt shown |
21 |
Basic Auth Support |
Use HTTP Basic Auth |
Authenticated successfully |
22 |
JWT Token Forwarding |
Forward JWT to backend |
Token received and validated |
23 |
WebSocket Proxying |
Proxy WebSocket connection |
Connection established |
24 |
gRPC Proxying |
Proxy gRPC traffic |
gRPC calls succeed |
25 |
Static File Serving |
Serve static files from proxy |
Files served directly |
26 |
Custom Error Pages |
Show custom error pages |
Custom page displayed |
27 |
Timeout Handling |
Backend timeout |
Proxy returns timeout error |
28 |
Retry on Failure |
Retry failed requests |
Request retried automatically |
29 |
Logging Enabled |
Enable access logs |
Logs generated |
30 |
Logging Disabled |
Disable logging |
No logs generated |
31 |
Access Log Format |
Customize log format |
Logs follow new format |
32 |
TLS Version Enforcement |
Enforce minimum TLS version |
Older versions blocked |
33 |
Cipher Suite Restriction |
Restrict to strong ciphers |
Weak ciphers rejected |
34 |
HSTS Header Injection |
Add HSTS header |
Header present in response |
35 |
CORS Header Injection |
Add CORS headers |
CORS headers visible |
36 |
Compression Support |
Enable gzip/brotli compression |
Compressed responses sent |
37 |
Proxy Protocol Support |
Forward client IP using proxy protocol |
Backend sees real client IP |
38 |
IPv6 Support |
Handle IPv6 requests |
IPv6 traffic proxied correctly |
39 |
DNS Resolution |
Resolve backend hostname |
Correct IP used |
40 |
Dynamic Backend Discovery |
Discover backends dynamically |
New backends added automatically |
41 |
TLS Certificate Validation |
Validate backend cert |
Invalid certs rejected |
42 |
Self-Signed Cert Handling |
Allow self-signed certs |
Connection succeeds (if allowed) |
43 |
Proxy Chain Support |
Use proxy behind another proxy |
Requests routed through chain |
44 |
Request Body Size Limit |
Enforce max request size |
Large requests rejected |
45 |
Response Size Limit |
Enforce max response size |
Large responses truncated or blocked |
46 |
Proxy Restart |
Restart proxy service |
Service resumes without error |
47 |
Config Reload |
Reload config without downtime |
New config applied |
48 |
High Availability |
Failover between proxy nodes |
No downtime observed |
49 |
Performance Benchmark |
Measure proxy throughput |
Meets expected performance |
50 |
Security Audit Logging |
Log security-related events |
Security logs generated |
VPN Termination Point - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
VPN Tunnel Establishment |
Initiate VPN connection |
Tunnel established successfully |
2 |
VPN Authentication Success |
Authenticate with valid credentials |
Access granted |
3 |
VPN Authentication Failure |
Authenticate with invalid credentials |
Access denied |
4 |
VPN Protocol Support |
Use supported protocol (e.g., IPsec, OpenVPN) |
Connection successful |
5 |
Unsupported Protocol |
Use unsupported VPN protocol |
Connection rejected |
6 |
VPN Encryption Validation |
Verify encryption in tunnel |
Data encrypted |
7 |
VPN Tunnel Timeout |
Leave tunnel idle |
Tunnel times out |
8 |
VPN Reconnection |
Disconnect and reconnect |
Tunnel re-established |
9 |
VPN Split Tunneling |
Enable split tunneling |
Only specific traffic routed through VPN |
10 |
Full Tunnel Mode |
Route all traffic through VPN |
All traffic encrypted |
11 |
VPN IP Assignment |
Check assigned IP address |
IP from VPN pool assigned |
12 |
DNS Leak Test |
Perform DNS queries |
No DNS leak detected |
13 |
VPN Kill Switch |
Enable kill switch and disconnect VPN |
Internet access blocked |
14 |
VPN Logging Enabled |
Enable logging |
Connection logs generated |
15 |
VPN Logging Disabled |
Disable logging |
No logs generated |
16 |
VPN Certificate Validation |
Use valid certificate |
Connection succeeds |
17 |
VPN Certificate Expired |
Use expired certificate |
Connection fails |
18 |
VPN Certificate Revoked |
Use revoked certificate |
Connection denied |
19 |
VPN Multi-Factor Authentication |
Enable MFA |
Second factor required |
20 |
VPN User Group Policy |
Apply group-based access rules |
Access controlled by group |
21 |
VPN Bandwidth Limiting |
Apply bandwidth cap |
Traffic limited |
22 |
VPN QoS Enforcement |
Prioritize VPN traffic |
QoS rules applied |
23 |
VPN NAT Traversal |
Connect behind NAT |
Tunnel established |
24 |
VPN Port Forwarding |
Enable port forwarding |
Ports accessible through VPN |
25 |
VPN Firewall Integration |
Block unauthorized traffic |
Firewall rules enforced |
26 |
VPN Access Control List |
Apply ACLs to VPN traffic |
Access restricted as per ACL |
27 |
VPN Device Fingerprinting |
Identify connecting device |
Device recognized |
28 |
VPN Client OS Compatibility |
Connect from various OS (Windows, Linux, macOS) |
All clients connect successfully |
29 |
VPN Mobile Client Support |
Connect from mobile device |
Tunnel established |
30 |
VPN Load Balancing |
Distribute connections across gateways |
Load balanced |
31 |
VPN High Availability |
Failover to backup gateway |
No session drop |
32 |
VPN Session Logging |
Log session start/end |
Session logs recorded |
33 |
VPN Session Timeout |
Set session timeout |
Session ends after timeout |
34 |
VPN Concurrent Session Limit |
Exceed allowed sessions |
New session denied |
35 |
VPN Geo-Blocking |
Block connections from specific countries |
Access denied |
36 |
VPN IP Blacklisting |
Block specific IPs |
Blocked IPs denied |
37 |
VPN IP Whitelisting |
Allow only specific IPs |
Others denied |
38 |
VPN Traffic Inspection |
Inspect VPN traffic |
Traffic analyzed |
39 |
VPN Compression Support |
Enable compression |
Traffic compressed |
40 |
VPN MTU Size Test |
Adjust MTU size |
Optimal size determined |
41 |
VPN Packet Fragmentation |
Send large packets |
Packets fragmented and reassembled |
42 |
VPN IPv6 Support |
Connect using IPv6 |
Tunnel established |
43 |
VPN IPv4 Support |
Connect using IPv4 |
Tunnel established |
44 |
VPN Client Certificate Auth |
Authenticate using client cert |
Authenticated successfully |
45 |
VPN Server Certificate Auth |
Validate server certificate |
Server trusted |
46 |
VPN Policy Enforcement |
Apply security policies |
Policies enforced |
47 |
VPN Monitoring Dashboard |
View active sessions |
Dashboard displays real-time data |
48 |
VPN Alerting |
Trigger alert on suspicious activity |
Alert generated |
49 |
VPN Usage Reporting |
Generate usage report |
Report generated |
50 |
VPN Configuration Backup/Restore |
Backup and restore VPN settings |
Configuration restored successfully |
Redundancy and High Availability - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Primary Node Failure |
Simulate failure of primary node |
Secondary takes over without service interruption |
2 |
Secondary Node Activation |
Bring secondary node online |
Node joins cluster and syncs |
3 |
Heartbeat Monitoring |
Monitor heartbeat between nodes |
Heartbeat detected and logged |
4 |
Failover Time Measurement |
Measure time to failover |
Failover within defined SLA |
5 |
Load Balancer Redundancy |
Fail primary load balancer |
Backup load balancer takes over |
6 |
Database Replication |
Check data sync between primary and replica |
Data consistent across nodes |
7 |
Split-Brain Scenario |
Simulate network partition |
One node isolated, no data corruption |
8 |
Cluster Node Join |
Add new node to cluster |
Node joins and syncs correctly |
9 |
Cluster Node Leave |
Remove node from cluster |
Cluster rebalances |
10 |
Service Continuity Test |
Restart services on primary |
No downtime observed |
11 |
Active-Passive Mode |
Test failover in active-passive setup |
Passive becomes active on failure |
12 |
Active-Active Mode |
Test load distribution in active-active setup |
Load shared across nodes |
13 |
Manual Failover |
Trigger manual failover |
Secondary becomes primary |
14 |
Automatic Failover |
Simulate failure |
Failover occurs automatically |
15 |
Data Consistency Check |
Compare data across nodes |
Data matches |
16 |
Configuration Sync |
Change config on primary |
Config replicated to secondary |
17 |
Network Latency Impact |
Introduce latency between nodes |
Failover still functional |
18 |
Packet Loss Impact |
Simulate packet loss |
HA mechanism remains stable |
19 |
Node Resource Monitoring |
Monitor CPU/memory of nodes |
Metrics collected |
20 |
Alert on Node Failure |
Simulate node crash |
Alert triggered |
21 |
Alert on Failover Event |
Trigger failover |
Alert generated |
22 |
Log Failover Event |
Check logs after failover |
Event logged |
23 |
Log Node Join/Leave |
Add/remove node |
Events logged |
24 |
Backup Node Sync |
Sync backup node with primary |
Sync successful |
25 |
Redundant Power Supply Test |
Disconnect one power source |
System remains online |
26 |
Redundant Network Interface |
Disconnect one NIC |
Traffic rerouted through backup NIC |
27 |
Redundant Storage Path |
Disconnect one storage path |
I/O continues via alternate path |
28 |
Redundant Internet Connection |
Disconnect primary WAN |
Traffic switches to backup WAN |
29 |
Load Distribution Test |
Send traffic to HA setup |
Load balanced across nodes |
30 |
Session Persistence Test |
Maintain session during failover |
Session remains active |
31 |
Application State Retention |
Failover during active session |
Application state preserved |
32 |
HA Configuration Backup |
Backup HA settings |
Backup file created |
33 |
HA Configuration Restore |
Restore from backup |
Settings restored |
34 |
HA Dashboard Monitoring |
View HA status on dashboard |
Status displayed correctly |
35 |
HA Metrics Export |
Export HA metrics |
File generated |
36 |
HA SLA Compliance |
Measure uptime |
SLA met |
37 |
HA Policy Enforcement |
Apply HA policy |
Policy enforced |
38 |
HA Rule Conflict Resolution |
Create conflicting HA rules |
Conflict resolved |
39 |
HA Testing in Maintenance Mode |
Enable maintenance mode |
Failover disabled temporarily |
40 |
HA Testing in Production Mode |
Test failover in live environment |
No service disruption |
41 |
HA Testing with Load |
Simulate high traffic |
Failover still functional |
42 |
HA Testing with Updates |
Apply updates to primary |
Secondary takes over during update |
43 |
HA Testing with Patching |
Patch one node |
No downtime |
44 |
HA Testing with Reboot |
Reboot primary node |
Secondary handles traffic |
45 |
HA Testing with Storage Failure |
Simulate disk failure |
Redundant storage used |
46 |
HA Testing with DB Failover |
Fail primary DB node |
Secondary DB takes over |
47 |
HA Testing with App Failover |
Fail application process |
App restarted on backup node |
48 |
HA Testing with Network Outage |
Disconnect primary network |
Backup network used |
49 |
HA Testing with Power Outage |
Simulate power loss |
UPS or backup node active |
50 |
HA Testing with Disaster Recovery |
Simulate full site failure |
DR site takes over |
Cloud-Compatible Design - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Stateless Service Design |
Deploy stateless service |
Scales horizontally without issues |
2 |
State Management Externalized |
Store state in external DB/cache |
State persists across instances |
3 |
Containerized Deployment |
Deploy app in container |
Container runs successfully |
4 |
Orchestration Compatibility |
Deploy on Kubernetes |
App runs and scales |
5 |
Environment Variable Config |
Use env vars for config |
App reads config correctly |
6 |
Secrets Management Integration |
Use cloud secrets manager |
Secrets retrieved securely |
7 |
Cloud Storage Integration |
Store files in cloud storage |
Files uploaded and retrieved |
8 |
Cloud Database Connectivity |
Connect to cloud DB |
Connection successful |
9 |
Auto-Scaling Enabled |
Simulate load |
Instances scale up/down |
10 |
Load Balancer Integration |
Route traffic via cloud LB |
Requests distributed evenly |
11 |
Health Check Endpoint |
Configure health check |
Endpoint responds with 200 OK |
12 |
Readiness Probe |
Configure readiness probe |
App marked ready when initialized |
13 |
Liveness Probe |
Configure liveness probe |
App restarted on failure |
14 |
Logging to Cloud Service |
Send logs to cloud logging |
Logs visible in dashboard |
15 |
Monitoring Integration |
Send metrics to cloud monitor |
Metrics displayed |
16 |
Alerting Setup |
Configure alert rules |
Alerts triggered on threshold breach |
17 |
CI/CD Pipeline Integration |
Deploy via CI/CD |
App deployed automatically |
18 |
Infrastructure as Code |
Use Terraform/CloudFormation |
Resources provisioned |
19 |
Multi-Region Deployment |
Deploy in multiple regions |
App accessible globally |
20 |
High Availability Test |
Simulate zone failure |
App remains available |
21 |
Disaster Recovery Test |
Simulate region failure |
App recovers in backup region |
22 |
Backup and Restore |
Backup and restore data |
Data restored successfully |
23 |
Horizontal Scaling Test |
Add more instances |
Load distributed |
24 |
Vertical Scaling Test |
Increase instance size |
App performance improves |
25 |
Cost Monitoring |
Track resource usage |
Costs visible in billing |
26 |
Budget Alerting |
Set budget threshold |
Alert triggered on breach |
27 |
IAM Role Assignment |
Assign roles to services |
Access controlled |
28 |
Least Privilege Enforcement |
Restrict permissions |
Unauthorized access denied |
29 |
API Gateway Integration |
Expose service via API Gateway |
API accessible publicly |
30 |
Rate Limiting |
Apply rate limits via gateway |
Excess requests throttled |
31 |
Caching Layer Integration |
Use cloud cache (e.g., Redis) |
Response time reduced |
32 |
CDN Integration |
Serve static content via CDN |
Faster global access |
33 |
DNS Configuration |
Map domain to cloud service |
Domain resolves correctly |
34 |
TLS Certificate Management |
Use managed TLS certs |
HTTPS enabled |
35 |
Blue-Green Deployment |
Deploy new version in parallel |
Traffic switched with no downtime |
36 |
Canary Deployment |
Gradually shift traffic |
Errors detected early |
37 |
Rollback Capability |
Rollback to previous version |
App restored to stable state |
38 |
Version Tagging |
Tag deployments with version |
Versions traceable |
39 |
Audit Logging |
Enable audit logs |
User actions logged |
40 |
Compliance Check |
Run compliance scan |
No violations found |
41 |
Penetration Testing |
Perform security test |
No critical vulnerabilities |
42 |
Data Encryption at Rest |
Store data encrypted |
Data unreadable without key |
43 |
Data Encryption in Transit |
Use HTTPS/TLS |
Data encrypted during transfer |
44 |
Cloud Firewall Rules |
Apply security groups |
Only allowed traffic passes |
45 |
VPC/Subnet Isolation |
Deploy in private subnet |
No public access unless allowed |
46 |
Service Mesh Compatibility |
Integrate with Istio/Linkerd |
Traffic managed and secured |
47 |
Observability Dashboard |
View logs, metrics, traces |
Full visibility achieved |
48 |
Cloud CLI/SDK Access |
Manage via CLI or SDK |
Commands execute successfully |
49 |
Cloud Marketplace Deployment |
Publish app to marketplace |
App listed and installable |
50 |
Cloud-Native Design Review |
Evaluate architecture |
Meets cloud-native principles |
Reference links