Do posture checks only ever apply to Dial (Service) policies or do they also apply to Bind (Service) policies?
Both. Posture checks don't know whether the identity is dialing or binding a service, only whether the policy is applicable for the identity. The policy then layers on the dial or bind capability. You can also apply posture checks to authentication, such as requiring 2FA before allowing an identity to connect. On my Windows-based tunneler, for example, that would look like this. Notice the mattermost identity hasn't entered the TOTP and is not allowed to dial nor bind ANY service at this time.
Interesting! I was under the impression that since the Bind side of a service is usually (always?) under full control of a "service provider", posture checks would have limited utility, if any, to be applied to host devices.
If you could give an example or two of how/when a posture check would be useful to be applied to a host device, that would be very helpful.
Thank you!
I suppose it's really up to you to determine 'usefulness'. One posture check verifies a process is running. Maybe you want to ensure your virus scanner or firewall or 'whatever' is running. That's one time a posture check might be useful.
Another posture check type verifies the OS is at a certain level. If you don't want to allow OSes that are known to have security problems to bind a service, that might be another time it's useful.
I think one important point to keep in mind (that's not related to posture checks) is that with OpenZiti any identity "could" be a client (dial) or server (accepting connections -- "bind"). So there might be no "service provider". As long as the dialing identity is authorized to dial a given service, it doesn't matter where that service actually is. So my tunneler might 'bind' an RDP service (I am running Windows) and you might be able to RDP to my computer... (this is how I support my mother who lives 8 hours away).
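As an added illustration of the evaluation described in this thread (constructed example, not OpenZiti's own code), the model below attaches posture checks to service policies and shows that a failing MFA, process or OS check removes Dial and Bind alike. The role-selector syntax (`#attr`, `@name`, `#all`, AnyOf matching) and the policy fields are simplified assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    attrs: set = field(default_factory=set)
    running: set = field(default_factory=set)  # process names currently running
    os_version: tuple = (0, 0)
    totp_done: bool = False                    # MFA (TOTP) completed this session?

@dataclass
class PostureCheck:
    name: str
    attrs: set
    passes: object                             # callable(Identity) -> bool

@dataclass
class ServicePolicy:
    ptype: str                                 # "Dial" or "Bind"
    identity_roles: set
    service_roles: set
    posture_check_roles: set = field(default_factory=set)

def matches(selectors, name, attrs):
    # '@name' selects one entity, '#attr' any entity with that attribute, '#all' everything
    return any(s == "#all" or s == "@" + name or (s.startswith("#") and s[1:] in attrs)
               for s in selectors)

def capabilities(ident, service, svc_attrs, policies, checks):
    """Return the subset of {"Dial", "Bind"} the identity currently holds for service."""
    granted = set()
    for p in policies:
        if not (matches(p.identity_roles, ident.name, ident.attrs)
                and matches(p.service_roles, service, svc_attrs)):
            continue
        # Checks hang off the policy, not off Dial or Bind: a failing check blocks either.
        gated = [c for c in checks if matches(p.posture_check_roles, c.name, c.attrs)]
        if all(c.passes(ident) for c in gated):
            granted.add(p.ptype)
    return granted

def demo(totp_done, running=("av.exe",), os_version=(10, 0)):
    # Constructed scenario: Dial and Bind policies, both gated by MFA, process and OS checks.
    ident = Identity("mattermost", {"staff"}, set(running), os_version, totp_done)
    checks = [PostureCheck("need-totp", {"base"}, lambda i: i.totp_done),
              PostureCheck("av-running", {"base"}, lambda i: "av.exe" in i.running),
              PostureCheck("min-os", {"base"}, lambda i: i.os_version >= (10, 0))]
    policies = [ServicePolicy("Dial", {"#staff"}, {"#all"}, {"#base"}),
                ServicePolicy("Bind", {"@mattermost"}, {"#rdp"}, {"#base"})]
    return capabilities(ident, "rdp-home", {"rdp"}, policies, checks)
```

`demo(False)` returns an empty set (no TOTP yet, so neither Dial nor Bind), while `demo(True)` returns both capabilities.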
I see, yeah, that makes sense. Thank you!