Programming Question

Option 1 (Research Writing & Presentation):


We may choose a topic related to Data Centers, Data Center Security, or any subject connected to topics covered in class. Our goal is to learn and summarize research ideas and proposed systems/models/algorithms/architectures as well as the results from the state-of-the-art.

Include simulation/app deployment, prototype, results and analysis (even if not completed). Include descriptions of the overall design, use flowcharts for sections of the design as needed, high-level pseudocode, and architecture (if appropriate).

2022 2nd Asia-Pacific Conference on Communications Technology and Computer Science (ACCTCS) | 978-1-6654-0034-3/22/$31.00 ©2022 IEEE | DOI: 10.1109/ACCTCS53867.2022.00030
Construction of Data Center Security System Based on Micro Isolation under Zero Trust Architecture

Lin Ni (nilin1008@sina.com), Huanqing Cui (huanqing_c@163.com), Mingqian Wang (245717004@qq.com), Depeng Zhi (1124326101@qq.com), Kun Han (hankundsp@163.com), Wangli Kou (1791756227@qq.com)
College of Information and Communication, National University of Defense Technology, Xi’an, China
Abstract—With the development of Internet technology, the rapid growth of data volume strongly promotes the construction of data centers, which also makes the security threats to data centers more and more serious. The architecture of the internal network of the data center has changed from the traditional IT architecture to virtualization, hybrid cloud and containerization, and security isolation inside the data center has become more and more difficult. Aiming at the isolation of the internal network of the data center, the paper builds a more reliable system with the help of zero-trust thinking. On the basis of analyzing the key technologies of micro-isolation and constructing a micro-isolation system, we design a zero-trust security architecture based on micro-isolation, propose a zero-trust security system for the data center based on micro-isolation, and provide a security isolation scheme for the internal network of the data center.

Keywords—Data center, Micro-isolation, Zero trust, Security system

I. INTRODUCTION

With the rapid development of new-generation information technologies such as the Internet of Things, cloud computing, big data, and artificial intelligence, the volume of data has exploded. As a global collaborative network of specific devices, data centers are used to transmit, accelerate, display, compute, and store data information on the Internet infrastructure. Since data centers are the infrastructure for storage and computing, all countries are vigorously promoting the construction of big data centers, and the trend toward large-scale data centers continues to rise. Data centers are open to the Internet and have high attack value, which places higher security requirements on the data center construction process. From the perspective of data center traffic analysis, more than 75% of the flow in the data center is server-server flow. With the application of cloud computing, server-server access has further increased sharply, while traditional security measures are concentrated on the network boundary. Once the security of the data center is threatened, it will bring huge economic losses [1-2].

At present, with the development and application of cloud computing, the data center infrastructure has gradually undergone tremendous changes, and the internal network architecture of newly constructed data centers has developed from traditional IT architecture to virtualization, hybrid cloud and containerization [3]. At the same time, attack methods are constantly evolving. Existing static protection methods can hardly play an effective role in the face of sudden increases of network traffic and of workload drift, cloning, expansion and shutdown; traditional methods cannot solve the internal security protection problems of data center networks brought about by cloud computing and virtualization [4]. In order to meet the requirements of offensive and defensive confrontation and of the new IT architecture, the establishment of a data center zero-trust security system based on micro-isolation is particularly important for data center network protection, especially the study of business-oriented network protection methods under the zero-trust architecture, decoupling security control from infrastructure, and designing a micro-isolation-based architecture at the logical network level.

II. MICRO-ISOLATION KEY TECHNOLOGY

A. Micro Isolation Overview

In order to meet the network isolation requirements in the cloud computing environment and solve the isolation problem of server-server flow, micro-segmentation technology (Micro-Segmentation) was proposed by VMware as a virtualization isolation technology. By definition, micro-isolation refers to a network isolation technology with a smaller granularity, which can meet the requirements for east-west traffic isolation in traditional environments, virtualized environments, hybrid cloud environments, and container environments. It differs from the boundary isolation function of traditional firewalls: micro-isolation technology is mainly used to prevent attackers from lateral movement after entering the data center network [5-6].
At present, research on micro-isolation technology is widely carried out, mainly focusing on three types of micro-isolation: based on a virtual-machine monitoring program (hypervisor), based on network isolation, and based on a host agent.

(1) Virtual machine-based monitoring program
In the hypervisor-based approach, at its core, all traffic flows through the hypervisor. But for the management of the data center’s internal network, this approach to hypervisor segmentation is generally not suitable for cloud environments, containers, or bare metal.

(2) Network isolation
The network isolation-based approach is an extension of the existing security architecture. The implementation is subdivided by access control lists (ACLs) and other time-tested methods. It is a common method for network administrators, but it is not suitable for large networks and data center networks.

(3) Host-based agent
This method relies on agent software installed on the terminal computer. The data flow is transparent to the agent. The agent aggregates all data to the central manager for analysis and policy decision. This method is more adaptable to the discovery of challenging protocols or encrypted traffic. A good host policy decision can prevent problems from entering the network and spreading laterally, which makes this an efficient micro-isolation method.

Most data center construction processes consider support for virtualized environments, hybrid cloud environments, and cross-cloud business interaction, so the host-agent-based scheme is widely used. In addition, the scheme can also be combined with host vulnerability risk discovery and host intrusion detection capabilities to form a more comprehensive security solution.

From the analysis results in Table I, the three isolation methods differ in policy execution unit, policy management unit and protocol. The network isolation method is relatively coarse. The host agent method needs a self-developed policy management platform, which gives it strong adaptability and pertinence. In terms of network transformation, the method based on a virtualization monitoring program needs SDN transformation of the network, and the cost is high; the other two methods do not need network transformation. In terms of support for container and hybrid cloud scenarios, the methods based on virtualization devices and network isolation are difficult to support, but the method based on a host agent is not limited to a specific environment and has good support for container and hybrid cloud scenarios.

B. Composition of micro-isolation system

In traditional border isolation devices (such as firewalls), the control platform and the isolation policy execution unit are integrated in one device. In the micro-isolation system, the control platform and the policy execution unit are separated. One part of the prototype micro-isolation system is the control software, a security management terminal installed on the host. The other part is the centralized policy calculation engine. The security management terminal continuously monitors the host’s connection information and some runtime statistics and continuously transmits this information to the policy calculation engine. The policy calculation engine continuously performs policy calculation according to the connection information from the security management terminal. The generated policy is delivered to the security management terminal, which completes the policy update on the host. In general, the micro-isolation system consists of a central manager and a policy execution unit, with distributed and adaptive characteristics. The schematic diagram of the system architecture is shown in Figure 1.
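As an added illustration (not code from the paper or its prototype), the following Python sketch simulates the control loop just described: a constructed workload ledger with role and business labels, a label-level allow policy that the central manager expands into IP-level and port-level rules for each host's firewall, a recomputation when an agent reports that its host's IP address changed, and a default-deny check that flags observed server-server flows not covered by any rule. All host names, addresses, labels and flows are constructed.

```python
from dataclasses import dataclass

@dataclass
class Workload:  # one host in the ledger; labels (role, app) drive grouping
    name: str
    ip: str
    labels: dict

@dataclass(frozen=True)
class Rule:  # one IP/port-granular allow rule delivered to a host firewall
    src_ip: str
    dst_ip: str
    dst_port: int

def matches(wl, selector):
    """True if the workload carries every label in the selector."""
    return all(wl.labels.get(k) == v for k, v in selector.items())

class PolicyEngine:
    """Central manager: ledger + label-level policy, recomputed per report."""
    def __init__(self):
        self.ledger = {}  # host name -> Workload
        self.policy = []  # (src label selector, dst label selector, port)
        self.rules = {}   # host name -> set of Rule pushed to that host

    def register(self, wl):  # an agent comes online and reports its host
        self.ledger[wl.name] = wl
        return self.recompute()

    def allow(self, src_sel, dst_sel, port):  # intent by labels, not IPs
        self.policy.append((src_sel, dst_sel, port))
        return self.recompute()

    def recompute(self):
        """Expand label-level intent into concrete IP/port rules per host."""
        self.rules = {name: set() for name in self.ledger}
        for src_sel, dst_sel, port in self.policy:
            for s in self.ledger.values():
                for d in self.ledger.values():
                    if d is not s and matches(s, src_sel) and matches(d, dst_sel):
                        self.rules[d.name].add(Rule(s.ip, d.ip, port))
        return self.rules

    def agent_report_ip_change(self, name, new_ip):
        """Agent saw workload drift; recompute, then push refreshed rules."""
        self.ledger[name].ip = new_ip
        return self.recompute()

    def check_flow(self, src_ip, dst_ip, dst_port):
        """Execution-unit view: default deny unless the destination host
        holds a rule that explicitly permits this source and port."""
        dst = next((w for w in self.ledger.values() if w.ip == dst_ip), None)
        return dst is not None and any(
            r.src_ip == src_ip and r.dst_port == dst_port
            for r in self.rules[dst.name])

def detect_anomalies(engine, flows):
    """Monitoring: observed server-server flows not covered by any rule."""
    return [f for f in flows if not engine.check_flow(*f)]

def demo():
    """Constructed scenario: billing web tier may reach billing DB on 5432."""
    eng = PolicyEngine()
    eng.register(Workload("web1", "10.0.1.10", {"role": "web", "app": "billing"}))
    eng.register(Workload("db1", "10.0.2.20", {"role": "db", "app": "billing"}))
    eng.register(Workload("hr1", "10.0.3.30", {"role": "web", "app": "hr"}))
    eng.allow({"role": "web", "app": "billing"}, {"role": "db", "app": "billing"}, 5432)
    before = eng.check_flow("10.0.1.10", "10.0.2.20", 5432)
    eng.agent_report_ip_change("web1", "10.0.1.99")  # old IP must stop working
    after_old = eng.check_flow("10.0.1.10", "10.0.2.20", 5432)
    after_new = eng.check_flow("10.0.1.99", "10.0.2.20", 5432)
    flows = [("10.0.1.99", "10.0.2.20", 5432),  # legitimate business flow
             ("10.0.3.30", "10.0.2.20", 5432),  # hr web -> billing db: lateral move
             ("10.0.1.99", "10.0.2.20", 22)]    # right hosts, wrong port
    return before, after_old, after_new, detect_anomalies(eng, flows)
```

Running demo() shows the old address losing access the moment the agent reports the change, while the cross-application flow and the wrong-port flow surface as anomalies for the monitoring part.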
Table I compares the three isolation methods in detail, mainly from six aspects: the policy execution unit, the policy management unit, the protocol, whether the network needs to be transformed, whether the container scenario is supported, and whether the hybrid cloud scenario is supported.

TABLE I. COMPARISON OF THREE ISOLATION METHODS

Attribute | Virtualized appliance | Network isolation | Host agent
Policy execution unit | Virtualization device’s own firewall | ACL | Deployed using the host firewall
Policy management unit | SDN policy dashboard | Safety controller | Self-developed policy management platform
Adopted protocol (implementation type) | VXLAN-related protocols | TCP/IP protocol suite | The IP protocol stack that comes with the system
Network transformation | SDN equipment | No need for correction | No need for correction
Container scenario support | Difficult to support | Difficult to support | Supported
Hybrid cloud scenario support | Difficult to support | Difficult to support | Easy to support, not limited by the environment

Figure 1. Composition diagram of micro isolation system
(1) Central manager
The policy management center is the central brain of the
micro-isolation system. It mainly has the following functions:
visualize the access relationship between internal systems
and business applications, and quickly clarify the internal access relationships; quickly group workloads that need to be isolated according to multi-dimensional labels such as roles and business functions; flexibly configure isolation policies between workloads and business applications; and adaptively configure and migrate policies based on workgroups and workloads.

In the agent-based micro-isolation system, the central manager is generally an independently developed platform and a policy computing center. It needs to know the current state of the secure terminals in real time, complete the policy calculation according to the policy management model, and complete the host policy update through the terminal agent; it is the core of the implementation of the whole micro-isolation system.

(2) Policy execution unit
The security management terminal is installed on each host under the control of the data center network. It is the work unit that implements traffic monitoring and isolation policies. For example, when the IP address of the host changes, the security management terminal will detect the change and promptly report it. The change is passed to the policy calculation engine, and the policy configuration is updated according to the calculation result of the policy calculation engine.

In the implementation of the micro-isolation system, whether on a physical machine or a virtual machine, the policy execution unit needs to be installed on each managed terminal. On the basis of monitoring the host state, the isolation operation is completed with the help of the host firewall.

III. DESIGN OF ZERO-TRUST SECURITY ARCHITECTURE BASED ON MICRO-ISOLATION

In the process of system implementation, the zero-trust security architecture based on micro-isolation proposed in this paper fully considers the idea that “everything is untrusted”: authentication is required for users, equipment and the communication process. Facing the complexity and dynamics of the data center’s network structure, we do not consider the specific architecture of the network, but conduct fine-grained network management and control for the business. This zero-trust security architecture based on micro-isolation is an effective network security control measure for the data center. It can minimize the authority allocated to each terminal through policy orchestration, provide optimal policy updates for business roles, complete fine-grained IP-level and port-level control at the terminal in combination with the agent, and also reinforce the system against weaknesses and errors in the network, minimizing the attack surface that the data center exposes to attackers.

With the continuous development of cloud computing technology, the architecture of the data center has also changed to meet emerging needs. The three-tier architecture of the traditional data center cannot meet the configuration of massive numbers of virtual machines and the expanding business needs. More and more enterprises adopt virtualization technology in the design of the data center. Traditional security protection focuses on the establishment of a secure border fortress. The concept of zero trust breaks with the thinking of traditional border protection. It is a brand-new security mechanism and concept, trying to build a logical management network on top of the original physical network. The data center carries the core business and stores the key data in the network, which is very important to the construction of the data center security system [7-8].

For data centers, no matter how the adopted network architecture and infrastructure change, the business logic itself is fixed. The internal network security protection of the data center needs to make corresponding changes in the security policy according to its own business logic, and realize self-adaptive policy adjustment. As a typical security structure, micro-isolation calculates policies through a unified management platform, and completes adaptive policy recalculation in real time according to changes in the virtualized environment of the data center. In addition, the data center relies on business management, and zero trust is business-oriented rather than network-oriented management and control, which is a typical scenario of zero-trust applications. The paper designs a zero-trust security architecture based on micro-isolation as shown in Figure 2, which provides a reference for improving the security design of data centers.

Figure 2. Zero trust security architecture based on micro isolation

The micro-isolation-based zero-trust security architecture focuses on the security challenge of unauthorized lateral movement while still considering perimeter protection. Using micro-isolation technology to isolate assets, every asset must be authenticated and authorized before a business connection to another asset can be initiated [8]. That is, the business system first passes identity authentication through the agent, and after authentication is passed, the gateway releases the business system to obtain data resources, which safely isolates the workload and realizes fine-grained network protection.

IV. CONSTRUCTION OF DATA CENTER ZERO TRUST SECURITY SYSTEM BASED ON MICRO-ISOLATION

The construction of a zero-trust security system for data centers based on micro-isolation is based on the concept of zero trust, which changes “trusted after authentication” into “authenticated but never trusted”. Any data access must be authenticated and given minimum authorization. The most granular controls block the spread of threats. This paper constructs a data center zero-trust security system based on micro-isolation in terms of the presentation of business logic relationships within the
data center network, abnormal traffic identification, fine-grained access control, adaptive dynamic adjustment, and quantitative analysis and reinforcement of system vulnerabilities. As shown in Figure 3, the system construction is embodied in one architecture and five aspects of the specific implementation, which are mainly divided into analysis, monitoring, operation and maintenance, isolation and reinforcement.

Figure 3. Zero trust security system of data center based on micro isolation

The analysis part mainly realizes the visualization of business logic. Through the collection of the server-server flow connection relationships and host data in the data center network, on the basis of data classification and extraction, and through application identification and port identification, the business logic topology is constructed. At the same time, by introducing visualization ideas, the internal business logic of the data center network is constructed, and the visualization of the internal business logic relationships of the data center network is realized by combining an adaptive visualization layout algorithm with related development technologies. A network-wide workload ledger is generated to provide a basis for deploying micro-isolation access control policies.

The monitoring part mainly realizes the monitoring of abnormal traffic. On the basis of analyzing and filtering traffic, it focuses on monitoring abnormal behavior and raises alarms for suspicious behavior. At the same time, combined with the access keys of the internal business logic of the data center, it also provides an analysis method for abnormal behavior connections.

The operation and maintenance part mainly realizes fine-grained access control policy management, builds a role-based access control model for the business, achieves the purpose of decoupling policy from infrastructure, and realizes the adaptive adjustment of access control policy following the state of the host.

The isolation part achieves self-adaptive micro-isolation: through continuous monitoring by the agent, the identification system of the workload business role is combined with the policy adaptive calculation engine to isolate abnormal nodes, and the policy adaptive calculation ensures real-time and accurate policy.

The protection part mainly realizes vulnerability discovery and reinforcement. The number of nodes in the data center network is large, and the business connection relationships are complex. On the basis of visual presentation and isolation of business relationships, the weaknesses of data center protection can be found, and the probability of workloads within the data center network being attacked can be assessed, thereby further strengthening the system and improving data center security.

V. CONCLUSION

Today’s network attacks mainly exploit weaknesses of network design. Once an attack breaks through the boundary protection, there are basically no internal protection means. In the data center attack chain, attackers rely heavily on internal lateral movement to expand the attack scope, and in the early stage of data center construction, the internal network security protection measures of the data center are relatively lacking. For the core assets of the data center, a protective boundary needs to be established between key applications and data; the zero trust model is designed with the idea of “from the inside out”. This paper builds a security system based on micro-isolation under a zero-trust architecture, takes advantage of software-defined data centers and virtualized network function technologies, monitors malicious traffic on the basis of visualization of data center business logic to achieve fine-grained access control and policy adjustment, reinforces risk weaknesses and reduces the data center attack surface.

REFERENCES

[1] Wang Fang, Geng Xueyu, Wang Suyang. Construction of security protection system for Nangang Data Center [J]. Modern Industrial Economy and Informatization, 2021, 11(10): 126-127.
[2] Li Fuyu. Research on Cloud Computing Security Based on Distributed Micro-Isolation [J]. Journal of Liaoning University (Natural Science Edition), 2018, 45(01): 19-22.
[3] Zhong Guoxin, Liu Luhao, Wang Huipeng, Feng Jie, He Han, Zhu Zhenyan. Research on automatic generation method of self-adaptive host micro-isolation security policy [J]. Automation Technology and Application, 2021, 40(12): 54-57.
[4] You Yifeng. Research on Micro-Isolation Technology for Virtualization Environment [D]. University of Electronic Science and Technology of China, 2019.
[5] Zhang Zheng. Security isolation and protection of virtual machines based on cloud platform [J]. Information and Computer (Theoretical Edition), 2018(23): 174-177.
[6] He Jing. Micro-isolation can reduce network attack surface [J]. Computer and Network, 2018, 44(22): 56.
[7] Guan Jiwei, Zhu Lingjun, Zhang Wenyong. Research on public cloud micro-isolation security based on zero trust [J]. Telecommunications Engineering Technology and Standardization, 2021, 34(12): 46-50+56.
[8] Wang Yijun, Huang Changhui, Zhang Zihan, Li Tianchi. Research on a comprehensive protection scheme for government website groups based on micro-isolation technology [J]. Police Technology, 2017(02): 8-11.
