Pentesting Ziti apps

Is there even such a thing if there are no incoming/listening ports?

Does it end at nmap?

It's a matter of perspective. The world runs on IP/TCP/UDP. That's unlikely to change any time soon, and the OpenZiti controllers and routers will likely always need to have ports that can accept incoming connections. However, that's not the full story.

When I say or write this, I'm always very careful to write it within the scope of your applications and not the OpenZiti overlay itself. If all your firewalls are set to deny all inbound connections, those devices effectively have no open ports to the network. BUT, that doesn't mean that there are no listening ports on the machines themselves, listening on the local loopback for example.

This is when I'll take it the next step to processes that can only accept connections via the overlay network itself, not the IP-based underlay network. Those are "application embedded" zero trust. Those applications truly have no inbound ports listening.

So, I always state that if your application uses OpenZiti on both sides, there are truly no application ports to scan and truly no open ports for your solution. The overlay network itself still has ports open, we cannot avoid that, but those ports do not lead directly to your application without bypassing the mountain of OpenZiti's security... Hth

3 Likes
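The loopback point in the answer above is where an external nmap run stops being useful: a socket bound to 127.0.0.1 never shows up from outside, so the host itself has to be checked. The script below is an added example (not from the original post and not OpenZiti code) that parses `/proc/net/tcp`-style lines and splits LISTEN sockets into loopback-only and network-reachable; the sample table is constructed. An application that only accepts connections through the Ziti overlay would appear in neither list.

```python
"""Local listener audit: what an external port scan cannot see.

Parses /proc/net/tcp-style lines and classifies each LISTEN socket as
loopback-only or reachable from the network. Sample data is constructed.
"""
import socket
import struct

LISTEN_STATE = "0A"  # st column value for TCP LISTEN in /proc/net/tcp


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080).

    /proc/net/tcp stores the IPv4 address as a hex uint32 in host byte
    order (little-endian on x86), and the port as big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> list[dict]:
    """Return every LISTEN socket with its address, port and a loopback flag."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue  # established, time-wait, etc. are not listeners
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "loopback": ip.startswith("127.")})
    return found


def summarize(proc_net_tcp: str) -> dict:
    """Ports nmap could find from the network vs. ports only visible on-host."""
    socks = listening_sockets(proc_net_tcp)
    return {
        "external": sorted(s["port"] for s in socks if not s["loopback"]),
        "loopback_only": sorted(s["port"] for s in socks if s["loopback"]),
    }


# Constructed sample: sshd on all interfaces, a web server on 10.0.2.15,
# a local-only service on 127.0.0.1:8080, and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1
   3: 0F02000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10004 1
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_PROC_NET_TCP))
```

On a real host, read `/proc/net/tcp` (and `/proc/net/tcp6`) instead of the sample string; the loopback list is the part a remote scan would have reported as "nothing open".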