Zero Trust — Dentite

5 min readMar 12, 2022

The story is as old as any other… an after hours patient makes an emergency call to their dentist…. yada yada yada… the dentist responds to the issue.

Only in a lot of cases with medical professionals, the “yada yada yada” is a giant nightmare of steps to get into their appropriate systems to respond to the patient.

Personally, I am a bit of an anti-dentite, although I love how a nice set of clean healthy teeth feel and with the exception of the two years I had a really pretty and fun to talk to dental hygienist, I am never too excited when it comes time for that appointment. That said, a very good friend of mine is a well known dentist (sadist with better magazines) in my area and being the “giant nerd friend” that I am, he came to me with an issue that plagued their office for the past few months.

From $10,000 to Free in a few open source steps.

The system, Dentrix, which is a modern application that they use to access all their patient records and appoints, etc, was extremely slow at times throughout the day. His normal IT firm told him, without really assessing things, that it would be nearly $10,000 for a new server.

I asked if we could take a look at his system from home to which he let me know he did not have any type of remote access setup.

So this may or may not be a photo of his practice.

After a moment of scoffing at that response I decided I would go meet him at the office and take a look at things.

His server was actually quite nice, it was better than my largest client that gets millions of unique hits a month. He never had more than say 15 employees on it at once, and his resources were never used more than 5% so I quickly determined it was not the hardware. To further determine what was going on I had to setup some logging and some utilities. I asked him about remote desktop setup for which he had none.

<sarcasm>So how was a buddy suppose to skeef downtime medical imaging processing power to mine my cyber coins?!</sarcasm>

This is where I was informed, if he had an after hours patient and had to look up records… his “yada” was to drive into the office and open the application.

Although he did mention at one point he had Cisco VPN, he further explained that the costs were not anywhere near sustainable to the usage they would use it. With various standards and practices and laws and complicated regulations I was not fully versed on; I was not about to touch the technology side of granting remote access to a medical system through flawed systems like VPN or opening a firewall port.

Enter his nerdy friend that is well-versed in setting up Open Ziti technology!

I am going to skip the initial, controller and router setup. From here on out, it is assumed that you have the basic Ziti network setup and have ZAC in place to add access to systems. Click Here for more info.

First things first, we will need remote desktop and remote file access and it needs to be secure so that no one has any chance of accessing it. I install Windows Desktop Edge on a host PC inside of the medical office and create a “server identity” for us to host services on.

Server Identity

(Please note, I am showing you the edit view, at this point you would just be giving it a name and a “role” which is conveniently labelled a “role” in Ziti Admin Console, “roleAttribute” in the Open Ziti API)

Now lets setup a couple of services to define what the server identity will host.

Rdp to the Dentrix Server

RDP Will be used to manage the Virtual Machine settings and watch event logs, network traffic, etc. Mostly for IT to help manage the system without something like TeamViewer.

File System Access to the Dentrix Server

File Share access is required by the Dentrix Application for it to serve its files to itself, for things like medical imaging and patient documents.

Dentrix Server Config (Host)

And the Dentrix Software itself. Which is a bit more complicated as it has database access needs, and file share access (which the above service was needed for) and various other ports and such that means we had to use the more complicated configuration style as seen below.

Dentrix Client Access Config (Intercept)

Although, your attribute policy can be used to set these policies, I am going to hard code the who and the what so you can see the overall setup for dial and bind. The Dentrix Server has the file system share and the application, I added the Rdp to another server that had access to rdp info the VM Host of the server for managing the VM itself.

Now my Dentist friend can access his patient information from anywhere, even apparently from his DeLorean in 1998!

And if he needs his buddy with a tech company to help him assess application issues, I can do it remotely, so yada yada yada…. I need another excuse to talk to pretty dental hygienists. :(

Hello There

Whats next?!

The next step would be for someone to contact these medical systems and get them to embed OpenZiti SDK right into their software so the offices can maintain this layer of physical security, and still remotely access their systems without the expensive, time consuming, giant mess that comes along with VPNs!