yeah, agree, 'on the network' is a bad phrase. long form:
completely 'eliminate' the network by closing all inbound firewall ports (not even allowing dynamic hole punching), and then opening ephemeral, session-specific L3 outbound connects (from both sides* of the session) only for authorized sessions (strong auth - not IP-address based auth).
* requires intermediate 'gateways' which can bridge both sides to enable bidirectional data flow, initiated from either side
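
The gateway bridging described in the comment above, as an added sketch that is not part of the original comment: two endpoints each dial out, present a session-bound credential, and the gateway joins the legs only when both authenticate for the same session. `KEY`, the hello line format and the role names are assumptions for illustration, and `socket.socketpair()` stands in for each side's outbound connection.

```python
import hashlib, hmac, socket, threading

KEY = b"constructed-demo-key"  # assumption: per-session secret issued out of band

def token(session_id, role):  # credential bound to session and role, not to a source IP
    return hmac.new(KEY, session_id + b" " + role, hashlib.sha256).hexdigest().encode()

def hello(session_id, role, tok=None):  # first line an endpoint sends on its outbound leg
    return b" ".join([session_id, role, tok or token(session_id, role)]) + b"\n"

def authenticate(leg):
    """Gateway side: read one hello line, return (session_id, role) or None."""
    line = b""
    while not line.endswith(b"\n") and len(line) < 256:
        byte = leg.recv(1)
        if not byte:
            return None
        line += byte
    parts = line.split()
    ok = len(parts) == 3 and hmac.compare_digest(parts[2], token(parts[0], parts[1]))
    return (parts[0], parts[1]) if ok else None

def pump(src, dst):  # relay one direction until the sender closes
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def bridge(leg_a, leg_b):
    """Join two outbound legs only if both authenticate for the same session."""
    a, b = authenticate(leg_a), authenticate(leg_b)
    if not a or not b or a[0] != b[0] or a[1] == b[1]:
        leg_a.close(); leg_b.close()
        return False
    for src, dst in ((leg_a, leg_b), (leg_b, leg_a)):
        threading.Thread(target=pump, args=(src, dst), daemon=True).start()
    return True

def demo(client_hello, server_hello):
    """Each endpoint holds one end of a socketpair; the gateway holds the other."""
    client, gw_c = socket.socketpair()
    server, gw_s = socket.socketpair()
    client.sendall(client_hello); server.sendall(server_hello)
    if not bridge(gw_c, gw_s):
        return None
    client.sendall(b"ping"); got = server.recv(4)
    server.sendall(b"pong")
    return got, client.recv(4)
```

Neither endpoint ever listens: the only accepting party is the gateway, and it relays nothing until both legs have authenticated for the same session.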