A Micro-Segmentation Method Based on VLAN-VxLAN Mapping Technology

Authors:

Li Di 1,2, Yang Zhibang 3, Yu Siyang 4, Duan Mingxing 1,5, Yang Shenghong 1

Affiliations:

1. College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China

2. Information & Network Center, Hunan Agricultural University, Changsha 410128, China

3. Hunan Province Key Laboratory of Industrial Internet Technology and Security, Changsha University, Changsha 410022, China

4. College of Information Technology and Management, Hunan University of Finance and Economics, Changsha 410205, China

5. Shenzhen Institute, Hunan University, Shenzhen 518063, China

Abstract

As information technology continues to evolve, cloud data centres have become increasingly prominent as the preferred infrastructure for data storage and processing. However, this shift has introduced a new array of security challenges, necessitating innovative approaches distinct from traditional network security architectures. In response, the Zero Trust Architecture (ZTA) has emerged as a promising solution, with micro-segmentation identified as a crucial component for enabling continuous auditing and stringent security controls. VxLAN technology is widely utilized in data centres for tenant isolation and virtual machine interconnection within tenant environments. Despite its prevalent use, limited research has focused on its application in micro-segmentation scenarios. To address this gap, we propose a method that leverages VLAN and VxLAN many-to-one mapping, requiring that all internal data centre traffic routes through the VxLAN gateway. This method can be implemented cost-effectively, without necessitating business modifications or causing service disruptions, thereby overcoming the challenges associated with micro-segmentation deployment. Importantly, this approach is based on standard public protocols, making it independent of specific product brands and enabling a network-centric framework that avoids software compatibility issues. To assess the effectiveness of our micro-segmentation approach, we provide a comprehensive evaluation that includes network aggregation and traffic visualization. Building on the implementation of micro-segmentation, we also introduce an enhanced asset behaviour algorithm. This algorithm constructs behavioural profiles based on the historical traffic of internal network assets, enabling the rapid identification of abnormal behaviours and facilitating timely defensive actions. Empirical results demonstrate that our algorithm is highly effective in detecting anomalous behaviour in intranet assets, making it a powerful tool for enhancing security in cloud data centres. In summary, the proposed approach offers a robust and efficient solution to the challenges of micro-segmentation in cloud data centres, contributing to the advancement of secure and reliable cloud infrastructure.

Funder

China University Industry-University-Research Innovation Fund-Cloud University Project

Shenzhen Science and Technology Program

Scientific Research Fund of Hunan Provincial Education Department

Provincial Natural Science Foundation of Hunan

Program of National Natural Science Foundation of China

Publisher

MDPI AG

