You know, this SDP only opens a controller UDP port; the gateway port is only opened for a moment for the SPA client. The Ziti edge router opens port 8442 for client HTTPS connections, and this may cause the edge router to be attacked.
Hi @kittysammy123, welcome to the OpenZiti community! Glad to have you.
Yes - the edge router port (8442 from the quickstart) as well as the controller’s API client port (port 8441 from the quickstart) are available on the open internet for attack. That is correct. Both require a certificate to be presented (a strong, cryptographically verifiable identity) in order to be authorized to connect to the service (mTLS).
Thanks for the post! Hopefully we’ll see you around the community in the coming months as well. Cheers.
I would note @kittysammy123 that while @TheLumberjack is correct about the edge router and controller ports being open (but not responding to unauthenticated requests), these components act as the 'fabric', the data and control planes respectively (following an SDN architecture). OpenZiti also has the 'edge' (tunnelers, SDKs, Edge Routers without their 'link listener' turned on), which is deployed at source and destination. The edge makes outbound-only connections into the fabric and thus has no open inbound ports, even when establishing connectivity: the edge connects outbound into the fabric on both sides, so that either source or destination can establish bi-directional connectivity with e2e encryption. Thus external network attacks cannot be made against the source and destination.
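The posture described in this thread, a port that is reachable from anywhere but serves nothing until the peer presents a certificate chaining to the trusted CA, can be reproduced locally. The following is an added example written for this page, not code from the thread, from OpenZiti or from its PKI: it mints a throwaway root CA, an "edge-router" server certificate and client certificates in-process with Go's standard library, listens on an ephemeral loopback port instead of 8442, and probes it three ways: with no certificate (an internet scanner), with a certificate from a CA the gateway does not trust, and with an "enrolled" certificate from the trusted CA. All names, serial numbers and the 5-second deadline are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity mints an in-process stand-in for a Ziti identity: a self-signed
// root when ca is nil, otherwise a leaf signed by ca. No OpenZiti PKI is used.
func newIdentity(cn string, serial int64, ca *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client verifies the server against
	}
	parent, signKey := tmpl, any(key) // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, signKey = ca.Leaf, ca.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startGateway listens on an ephemeral loopback port that anyone can reach; only
// peers whose certificate chains to the trusted pool ever get application data.
func startGateway(server *tls.Certificate, trusted *x509.CertPool) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS gate
		ClientCAs:    trusted,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails on a missing or untrusted client cert
				fmt.Fprintf(tc, "authorized %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln, nil
}

// probe dials the gateway (a nil client models a scanner with no identity) and
// reports whether any application data was served.
func probe(addr string, client *tls.Certificate, trusted *x509.CertPool) bool {
	cfg := &tls.Config{RootCAs: trusted}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false // with TLS 1.2 the rejection surfaces in Dial
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 64))
	return err == nil // with TLS 1.3 the "certificate required" alert arrives on the first Read
}

// scenario probes one gateway with no identity, an untrusted-CA identity and an enrolled one.
func scenario() (anon, rogue, enrolled bool, err error) {
	ca, rogueCA := newIdentity("ziti-ca", 1, nil), newIdentity("rogue-ca", 2, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	ln, err := startGateway(newIdentity("edge-router", 3, ca), trusted)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()
	anon = probe(addr, nil, trusted)
	rogue = probe(addr, newIdentity("rogue-client", 4, rogueCA), trusted)
	enrolled = probe(addr, newIdentity("enrolled-client", 5, ca), trusted)
	return
}

func main() {
	fmt.Println(scenario()) // false false true <nil>
}
```

The point to take from the three probes: the scanner and the holder of a random certificate both complete a TCP connection and even begin a TLS handshake, so the port shows up as open, but neither ever receives a byte of application data; only the certificate issued by the trusted CA does. The same mTLS gating applies to the real 8441/8442 listeners, which additionally layer OpenZiti's own identity and policy checks that this example does not model.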