A Micro-Segmentation Method Based on VLAN-VxLAN Mapping Technology
| Main Authors: | Di Li, Zhibang Yang, Siyang Yu, Mingxing Duan, Shenghong Yang |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2024-09-01 |
| Series: | Future Internet |
| Subjects: | zero-trust, micro-segmentation, VxLAN |
| Online Access: | https://www.mdpi.com/1999-5903/16/9/320 |
| author | Di Li, Zhibang Yang, Siyang Yu, Mingxing Duan, Shenghong Yang |
|---|---|
| collection | DOAJ |
| description | As information technology continues to evolve, cloud data centres have become increasingly prominent as the preferred infrastructure for data storage and processing. However, this shift has introduced a new array of security challenges, necessitating innovative approaches distinct from traditional network security architectures. In response, the Zero Trust Architecture (ZTA) has emerged as a promising solution, with micro-segmentation identified as a crucial component for enabling continuous auditing and stringent security controls. VxLAN technology is widely utilized in data centres for tenant isolation and virtual machine interconnection within tenant environments. Despite its prevalent use, limited research has focused on its application in micro-segmentation scenarios. To address this gap, we propose a method that leverages VLAN and VxLAN many-to-one mapping, requiring that all internal data centre traffic routes through the VxLAN gateway. This method can be implemented cost-effectively, without necessitating business modifications or causing service disruptions, thereby overcoming the challenges associated with micro-segmentation deployment. Importantly, this approach is based on standard public protocols, making it independent of specific product brands and enabling a network-centric framework that avoids software compatibility issues. To assess the effectiveness of our micro-segmentation approach, we provide a comprehensive evaluation that includes network aggregation and traffic visualization. Building on the implementation of micro-segmentation, we also introduce an enhanced asset behaviour algorithm. This algorithm constructs behavioural profiles based on the historical traffic of internal network assets, enabling the rapid identification of abnormal behaviours and facilitating timely defensive actions. Empirical results demonstrate that our algorithm is highly effective in detecting anomalous behaviour in intranet assets, making it a powerful tool for enhancing security in cloud data centres. In summary, the proposed approach offers a robust and efficient solution to the challenges of micro-segmentation in cloud data centres, contributing to the advancement of secure and reliable cloud infrastructure. |
| format | Article |
| id | doaj-art-0ea508fe06ee4d0f84c13b29e66dab95 |
| institution | OA Journals |
| issn | 1999-5903 |
| language | English |
| publishDate | 2024-09-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Future Internet |
| doi | 10.3390/fi16090320 |
| citation | Future Internet 16(9), 320, 2024-09-01 |
| affiliations | Di Li: College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China; Zhibang Yang: Hunan Province Key Laboratory of Industrial Internet Technology and Security, Changsha University, Changsha 410022, China; Siyang Yu: College of Information Technology and Management, Hunan University of Finance and Economics, Changsha 410205, China; Mingxing Duan: College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China; Shenghong Yang: College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China |
| record updated | 2025-08-20T01:55:27Z |
| title | A Micro-Segmentation Method Based on VLAN-VxLAN Mapping Technology |
| topic | zero-trust micro-segmentation VxLAN |
| url | https://www.mdpi.com/1999-5903/16/9/320 |