Exposure Inventory, Remote Access, RMM, DNS/TLS, and Non-Claims

Network exposure and remote access

Latticra records network asset inventory, internet exposure, ingress and egress policy, firewall policy, segmentation, remote access, RMM, DNS/TLS lifecycle, logging, flow visibility, and exception requirements before hosted services, internet-facing services, remote administration, infrastructure automation, or production network claims can promote. It does not add network access, service listeners, network clients, DNS, TLS, firewall changes, routing changes, remote access, RMM tooling, segmentation, scanning, compliance, or runtime authority.

Current Rule

Network inventory is not network authority.

The baseline names the evidence a future network-capable lane would need: network assets, data-flow maps, exposed service inventory, inbound owners, outbound policy, firewall review, segmentation boundaries, remote-access tools, MFA and device posture, RMM allowlists, unauthorized RMM detection, DNS/TLS lifecycle, network log sources, flow visibility, incident handoff, and expiring exceptions.

01

Assets and exposure

Network assets, data flows, internet-exposed services, inbound ports, protocols, and accountable owners must be recorded.

02

Ingress, egress, and segmentation

Outbound policy, firewall policy review, boundary protection, and segmentation expectations are required before network claims expand.

03

Remote access and RMM

Remote-access tool inventory, approved paths, phishing-resistant MFA or exception records, device posture, and RMM allowlists are required.

04

DNS/TLS, flow, and exceptions

DNS resolver policy, TLS certificate lifecycle, network log sources, flow visibility, incident handoff, exception owner, and exception expiry must exist.

Current Snapshot

The baseline keeps network-service claims closed.

These fields describe required records and blocked behavior. They are not proof of service listeners, network clients, firewall policy, segmentation, DNS/TLS services, RMM, remote administration, or hosted network operations.

network_exposure_remote_access_baseline 1
network_asset_inventory_required 1
internet_exposure_inventory_required 1
remote_access_inventory_required 1
firewall_policy_required 1
network_listener_added 0
network_client_added 0
internet_facing_service_claim_allowed 0

Promotion Gate

No internet-facing wording can promote without exposure evidence.

Network language changes the risk profile of runtime, installer, hosted-service, update, and operator workflows. The current record allows source-tracked planning, while keeping listeners, clients, remote access, RMM, DNS/TLS, firewall, and segmentation behavior closed.

Present now

Baseline record, status record, guard script, high-assurance allocation, zero-trust runtime authority context, identity/access MFA context, logging and flow-visibility context, secure configuration context, supply-chain network-client restrictions, and metadata-only network posture.

Required before promotion

Network asset inventory, data-flow map, internet-exposed service inventory, inbound port/protocol owner, outbound egress policy, firewall policy review, segmentation boundary, remote-access tool inventory, approved remote-access path, phishing-resistant MFA or exception, device posture, RMM allowlist, unauthorized RMM detection plan, DNS resolver policy, TLS certificate lifecycle, network log source inventory, flow visibility plan, incident handoff, exception owner, exception expiration, and operator-visible non-claims.

Denied now

Network listeners, network clients, internet-facing service claims, remote administration claims, remote-access software claims, RMM claims, firewall-policy claims, network segmentation claims, egress-control claims, DNS/TLS service claims, compliance claims, routing changes, network scanning, and production network claims.

Latticra Boundary

Network-related records remain no-effect metadata.

Latticra can record network exposure requirements and denial posture. It does not grant runtime network authority, fetch installer payloads over the network, expose remote administration, open listeners, run network clients, add RMM, mutate firewalls, or operate DNS/TLS services.

Metadata

Exposure records

Network inventory, exposed-service lists, ingress/egress policy, and segmentation records are planning evidence only.

Denied

Runtime network authority

The current runtime boundary keeps network-open, service-listener, network-client, and hosted-service authority closed.

Denied

Installer network fetch

Installer records can name network-fetch blockers without adding download, update, staging, or remote payload authority.

Closed

Remote administration

No remote admin surface, RMM capability, firewall mutation, routing change, DNS/TLS runtime, scanner, or network authority is added.

Local Commands

Validate network requirements without opening the network.

These checks validate records and public alignment. They do not create listeners, contact networks, change firewall rules, configure DNS/TLS, run remote access, install RMM tools, or scan network targets.

Network baseline

sh scripts/test-network-exposure-remote-access-baseline.sh

Runtime and identity context

sh scripts/test-zero-trust-runtime-authority-baseline.sh
sh scripts/test-identity-credential-access-management-baseline.sh

Logging and configuration context

sh scripts/test-security-logging-monitoring-baseline.sh
sh scripts/test-secure-configuration-change-management-baseline.sh
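The guard scripts above check records, not the network. As an added illustration of what such a record-only check does, the POSIX sh below is example code written for this page, not scripts/test-network-exposure-remote-access-baseline.sh or any other Latticra script. It assumes two formats that are not stated on the page: a status record with one "key value" pair per line (as the Current Snapshot is printed) and an exception record with one "name owner expiry" line per exception. The required and denied key lists are taken from the snapshot; the sample records are constructed. It enforces the snapshot's semantics (required fields are 1, denied fields are 0, any key outside the two lists fails rather than being ignored) and the exception rule from the baseline (owner present, ISO expiry present, not already past). Everything is file reading and string comparison; nothing opens a socket.

```shell
#!/bin/sh
# Added example, not scripts/test-network-exposure-remote-access-baseline.sh.
# Assumed formats: status record = "key value" per line; exception record =
# "name owner expiry" per line, expiry as YYYY-MM-DD. No network is touched.

# Keys the snapshot requires at 1, and keys that must stay 0.
REQUIRED_KEYS="network_exposure_remote_access_baseline network_asset_inventory_required internet_exposure_inventory_required remote_access_inventory_required firewall_policy_required"
DENIED_KEYS="network_listener_added network_client_added internet_facing_service_claim_allowed"

# record_value FILE KEY: print the value of KEY; exit 1 if KEY is absent.
record_value() {
    awk -v k="$2" '$1 == k { print $2; found = 1 } END { if (!found) exit 1 }' "$1"
}

# check_status_record FILE: return 0 when every required key is 1, every
# denied key is 0, and no key outside those two lists is present. An unlisted
# key is an unreviewed claim, so it fails the gate instead of being ignored.
check_status_record() {
    rc=0
    for k in $REQUIRED_KEYS; do
        v=$(record_value "$1" "$k") || v=missing
        [ "$v" = 1 ] || { echo "FAIL required $k=$v"; rc=1; }
    done
    for k in $DENIED_KEYS; do
        v=$(record_value "$1" "$k") || v=missing
        [ "$v" = 0 ] || { echo "FAIL denied $k=$v"; rc=1; }
    done
    while read -r k _; do
        case "$k" in ""|"#"*) continue ;; esac
        case " $REQUIRED_KEYS $DENIED_KEYS " in
            *" $k "*) ;;
            *) echo "FAIL unknown key $k"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# check_exceptions FILE TODAY: return 0 when every exception names an owner and
# a YYYY-MM-DD expiry that is not earlier than TODAY. Fixed-width ISO dates
# order correctly as strings, so expr(1) compares them without calling date(1).
check_exceptions() {
    rc=0
    while read -r name owner expiry _; do
        case "$name" in ""|"#"*) continue ;; esac
        if [ -z "$owner" ] || [ -z "$expiry" ]; then
            echo "FAIL exception $name lacks owner or expiry"; rc=1; continue
        fi
        case "$expiry" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "FAIL exception $name has malformed expiry $expiry"; rc=1; continue ;;
        esac
        if [ "$(expr "$expiry" \< "$2")" = 1 ]; then
            echo "FAIL exception $name expired on $expiry"; rc=1
        fi
    done < "$1"
    return $rc
}

# Stand-alone run on constructed records (not real Latticra output). TODAY is
# passed explicitly so the result does not depend on the clock.
demo=$(mktemp -d)
cat > "$demo/status" <<'EOF'
network_exposure_remote_access_baseline 1
network_asset_inventory_required 1
internet_exposure_inventory_required 1
remote_access_inventory_required 1
firewall_policy_required 1
network_listener_added 0
network_client_added 0
internet_facing_service_claim_allowed 0
EOF
cat > "$demo/exceptions" <<'EOF'
# name owner expiry
rmm_vendor_agent netops 2026-12-31
legacy_rdp_path  itops  2025-01-31
EOF
check_status_record "$demo/status" && echo "status record: PASS"
check_exceptions "$demo/exceptions" 2025-06-01 || echo "exceptions: FAIL (one expired, gate stays closed)"
rm -rf "$demo"
```

Run it as `sh guard-example.sh`; the constructed exception record fails on purpose so the expiry path is visible. The unknown-key rule is the part worth keeping: a status record that silently gains a new `*_claim_allowed 1` field is exactly the kind of drift a promotion gate exists to catch.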

Source Records

Use exact records before repeating network wording.

Network exposure and remote access baseline: Network inventory, internet exposure, ingress/egress policy, remote access, RMM, DNS/TLS lifecycle, logging, flow visibility, and no network-service claims.
Network baseline status: Status fields and expected guard output for the network exposure and remote-access baseline.
High-assurance baseline: Source-tracked security posture and network exposure control allocation.
Zero-trust runtime authority baseline: Runtime network authority denial, per-request authority prerequisites, and no implicit trust.
Identity and access baseline: MFA, remote-access planning, service identity, privileged access, and hosted-access non-claims.
Security logging baseline: Network log source inventory, flow visibility, redaction, retention, and no monitoring-service claims.
Secure configuration baseline: Configuration records, change control, drift planning, exceptions, and no hardening claims.
Supply-chain baseline: Network-client restrictions, release blockers, update gates, and runtime authority context.
C/C++ security profile: Network-facing code expectations and secure coding guardrails.
Security overview: Safe testing, effect gates, runtime boundary, and security non-claims.
Runtime boundary: Default-deny runtime classification, policy matrix, and no-effect report surfaces.
Identity and access management: Remote access, privileged access, MFA planning, credential handling, and no hosted identity claims.
Security logging and monitoring: Network event-source inventory, flow visibility, audit events, redaction, retention, and no detection-service claims.
Secure configuration and change management: Secure baseline records, change control, drift planning, exception records, and hardening non-claims.
Data classification and protection: Data-flow mapping, PII review, minimization, redaction, retention, and no customer-data claims.
Supply-chain gates: Reader-facing release authority, updater, runtime-authority, and network-client blockers.
Evidence model: Promotion levels, public claim boundaries, and exact source records.
Status index: Detailed status records and current public status navigation.