Printed from https://ideas.repec.org/a/gam/jftint/v16y2024i9p320-d1471267.html

A Micro-Segmentation Method Based on VLAN-VxLAN Mapping Technology

Authors listed:
  • Di Li

    (College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
    Information & Network Center, Hunan Agricultural University, Changsha 410128, China)

  • Zhibang Yang

    (Hunan Province Key Laboratory of Industrial Internet Technology and Security, Changsha University, Changsha 410022, China)

  • Siyang Yu

    (College of Information Technology and Management, Hunan University of Finance and Economics, Changsha 410205, China)

  • Mingxing Duan

    (College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
    Shenzhen Institute, Hunan University, Shenzhen 518063, China)

  • Shenghong Yang

    (College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China)

Abstract

As information technology continues to evolve, cloud data centres have become increasingly prominent as the preferred infrastructure for data storage and processing. However, this shift has introduced a new array of security challenges, necessitating innovative approaches distinct from traditional network security architectures. In response, the Zero Trust Architecture (ZTA) has emerged as a promising solution, with micro-segmentation identified as a crucial component for enabling continuous auditing and stringent security controls. VxLAN technology is widely utilized in data centres for tenant isolation and virtual machine interconnection within tenant environments. Despite its prevalent use, limited research has focused on its application in micro-segmentation scenarios. To address this gap, we propose a method that leverages VLAN and VxLAN many-to-one mapping, requiring that all internal data centre traffic routes through the VxLAN gateway. This method can be implemented cost-effectively, without necessitating business modifications or causing service disruptions, thereby overcoming the challenges associated with micro-segmentation deployment. Importantly, this approach is based on standard public protocols, making it independent of specific product brands and enabling a network-centric framework that avoids software compatibility issues. To assess the effectiveness of our micro-segmentation approach, we provide a comprehensive evaluation that includes network aggregation and traffic visualization. Building on the implementation of micro-segmentation, we also introduce an enhanced asset behaviour algorithm. This algorithm constructs behavioural profiles based on the historical traffic of internal network assets, enabling the rapid identification of abnormal behaviours and facilitating timely defensive actions. Empirical results demonstrate that our algorithm is highly effective in detecting anomalous behaviour in intranet assets, making it a powerful tool for enhancing security in cloud data centres. In summary, the proposed approach offers a robust and efficient solution to the challenges of micro-segmentation in cloud data centres, contributing to the advancement of secure and reliable cloud infrastructure.

Suggested Citation

  • Di Li & Zhibang Yang & Siyang Yu & Mingxing Duan & Shenghong Yang, 2024. "A Micro-Segmentation Method Based on VLAN-VxLAN Mapping Technology," Future Internet, MDPI, vol. 16(9), pages 1-24, September.
  • Handle: RePEc:gam:jftint:v:16:y:2024:i:9:p:320-:d:1471267

    Download full text from publisher

    File URL: https://www.mdpi.com/1999-5903/16/9/320/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/1999-5903/16/9/320/
    Download Restriction: no

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.