
Research On Automatic Generation And Dynamic Convergence Method Of Firewall Rules For Data Centers

Posted on: 2024-03-15
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Wei
Full Text: PDF
GTID: 2568307172486454
Subject: Software engineering
Abstract/Summary:
As the carriers of an enterprise's most critical data assets, data centers play a pivotal role in an organization's digital transformation. Firewalls, among the most common security devices in a data center, typically provide protection under the border (perimeter) security model: during the initial planning of a data center the network is partitioned into distinct security zones according to certain constraints, and firewalls are deployed at the boundaries between those zones. While border firewalls give data centers convenient and effective protection, they also bring three problems. First, because they sit at network boundaries, border firewalls provide defense in depth against inter-zone threats but fall short against attacks that originate inside a security zone. Second, border firewalls typically rely on static rules for access control, and neither the timeliness nor the sufficiency of those rules can be guaranteed. Third, border firewall rules lack the necessary validation, and overly permissive rules allow unexpected traffic to pass.

To address these problems, this thesis proposes an endpoint-based access control method that combines dynamic and static rules, achieving protection within zones; a traffic-based rule generation method, achieving automatic generation of rules for an endpoint firewall; and a dynamic rule convergence method based on service call chains, achieving the necessary verification of rules. Specifically, the thesis aims to:

(1) To overcome the border security model's inability to prevent internal attacks, this thesis proposes, on the basis of the endpoint security model, an access control method that combines dynamic and static rules. The protection capability of the border firewall is migrated to each endpoint system to form an endpoint firewall, which obtains information from a control platform, generates local static and dynamic rules, and enforces protection on its own endpoint. Endpoint-oriented access control removes the concepts of security zones and network boundaries; all traffic in the network is uniformly controlled, which effectively prevents the lateral spread of attacks within a zone.

(2) Static rules are typically configured manually by administrators, which makes it hard to ensure that they are implemented in time and are sufficient; manually configured rules may also diverge from actual security requirements. This thesis proposes a traffic-based rule generation method. Business traffic is triggered by dial-testing the services, and the endpoint firewall identifies the resulting sessions in the network. Sessions that fall within the scope of rule generation are converted into dynamic rules, which are associated with the services they serve to form a service call chain. Because dynamic rules are generated automatically from business traffic, they meet the business's timeliness requirements, and the results returned by the dial test ensure that the dynamic rules adequately satisfy the business's access requirements.

(3) Overly permissive rules grant unnecessary access privileges. To ensure that every rule is necessary, this thesis proposes a dynamic rule convergence method based on service call chains. Rules within a service call chain, that is, rules that some service depends on, are retained, while rules unrelated to any service are deleted. When a service goes offline, its associated rules are deleted; if a rule is no longer relied on by any service, it is removed from the endpoint firewall. Through dynamic convergence, the minimum access privileges are granted while business access requirements are still met.
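As an added example (not the thesis's own code or the author's implementation), the following Python models the rule lifecycle described in (2) and (3): sessions observed during a dial test are converted into dynamic rules associated with the services they serve (the service call chain), administrator-configured static rules sit beside them, and convergence removes any rule that no remaining service depends on. Every class, function and endpoint name, the scope set and the session records are constructed assumptions; the thesis does not specify them.

```python
"""Endpoint-firewall rule generation from dial-test traffic and service-call-chain
convergence. Added illustration; not the thesis's code. Names, endpoints and
session records are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    """One allow rule on an endpoint firewall (everything else is denied)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Session:
    """A session the endpoint firewall observed while a service was dial-tested."""
    src: str
    dst: str
    dport: int
    proto: str
    service: str   # service exercised by the dial test (assumed label)
    passed: bool   # result the dial test returned


class EndpointFirewall:
    def __init__(self, static_rules: Iterable[Rule], scope: Set[str]) -> None:
        self.static_rules: Set[Rule] = set(static_rules)  # administrator-configured
        self.scope = scope                                  # endpoints in rule-generation scope
        # dynamic rule -> services that depend on it (the service call chain)
        self.dynamic: Dict[Rule, Set[str]] = {}

    def ingest_session(self, s: Session) -> bool:
        """Turn a dial-test session into a dynamic rule. Returns True if the
        session created a dynamic rule or added a service dependency to one."""
        if not s.passed:                        # a failed dial test proves no access need
            return False
        if s.src not in self.scope or s.dst not in self.scope:
            return False                        # outside the generation scope
        rule = Rule(s.src, s.dst, s.dport, s.proto)
        if rule in self.static_rules:
            return False                        # already covered by a static rule
        self.dynamic.setdefault(rule, set()).add(s.service)
        return True

    def converge(self, active_services: Set[str]) -> List[Rule]:
        """Keep only dynamic rules that some active service still depends on;
        return the rules that were removed."""
        removed: List[Rule] = []
        for rule, deps in list(self.dynamic.items()):
            deps &= active_services             # drop dependencies on inactive services
            if not deps:
                del self.dynamic[rule]
                removed.append(rule)
        return removed

    def service_offline(self, service: str) -> List[Rule]:
        """Drop the service from every call chain, then converge."""
        still_active = {svc for deps in self.dynamic.values() for svc in deps}
        still_active.discard(service)
        return self.converge(still_active)

    def allows(self, src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
        rule = Rule(src, dst, dport, proto)
        return rule in self.static_rules or rule in self.dynamic


def run_scenario() -> dict:
    """Constructed walk-through: dial tests generate rules, then services go offline."""
    fw = EndpointFirewall(static_rules=[Rule("mon1", "app1", 9100)],
                          scope={"web1", "app1", "db1", "mon1"})
    sessions = [  # constructed sample sessions, not captured data
        Session("web1", "app1", 8080, "tcp", "checkout", True),
        Session("app1", "db1", 3306, "tcp", "checkout", True),
        Session("app1", "db1", 3306, "tcp", "report", True),      # shared with checkout
        Session("app1", "db1", 5432, "tcp", "report", True),
        Session("web1", "db1", 3306, "tcp", "legacy", False),     # dial test failed
        Session("ext", "web1", 443, "tcp", "checkout", True),     # "ext" is out of scope
        Session("mon1", "app1", 9100, "tcp", "monitoring", True), # static rule covers it
    ]
    generated = [fw.ingest_session(s) for s in sessions]
    return {
        "generated": generated,
        "rules_after_dial": len(fw.dynamic),
        "lateral_blocked": not fw.allows("web1", "db1", 3306),
        "removed_when_report_offline": fw.service_offline("report"),
        "shared_rule_kept": fw.allows("app1", "db1", 3306),
        "removed_when_checkout_offline": fw.service_offline("checkout"),
        "dynamic_left": len(fw.dynamic),
        "static_kept": fw.allows("mon1", "app1", 9100),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The case worth watching is the shared rule app1 -> db1:3306: taking one service offline removes only the rules that service alone depended on, and the shared rule survives until its last dependent service is gone, which is what keeps convergence from breaking a still-running service. Whether a failed dial test should also revoke an existing rule is a design choice the abstract does not settle; here a failed test simply generates nothing.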
Keywords/Search Tags:Firewall, Access Control, Endpoint Security, Automatic Generation of Rules, Dynamic Convergence of Rules