
Design And Implementation Of Industry Network Protection System Based On Zero Trust

Posted on: 2023-10-31 | Degree: Master | Type: Thesis
Country: China | Candidate: Q H Zhang | Full Text: PDF
GTID: 2558306845490684 | Subject: Communication engineering
Abstract/Summary:
With the information-based transformation of enterprises (the widespread adoption of cloud computing, microservices and virtualization) and the surge in remote work caused by the COVID-19 pandemic, the physical boundary of the network is gradually blurring, and the traditional protection model of building a physical perimeter from firewalls and intrusion detection faces severe challenges. Zero trust was proposed to address these challenges. Zero trust defines a new "soft boundary" that pre-authenticates and pre-authorizes users in an "authenticate first, access later" manner, and continuously monitors and re-authorizes user identities to improve the effectiveness of network protection. However, because zero trust spans many technology categories, a completely in-house implementation costs a great deal of manpower and resources, while building on existing components involves complex technology selection and compatibility problems. In addition, most existing zero trust solutions are large systems; for banks, telecom operators and other enterprises with complex protection systems, the cost of redeploying their protection infrastructure is enormous, so designing and developing an easy-to-deploy zero trust system that fits the needs of the target enterprise is another open problem in zero trust adoption.

To this end, this thesis designs and implements a zero trust based protection system for industry networks. The existing protection technologies of banks, operators and other enterprises are investigated first, and a zero trust prototype system is then designed on the basis of a detailed technology selection. The system is built on the software defined boundary framework and combines it with existing technologies (such as firewalls) to improve protection capability. Functional and performance tests show that the system operates correctly and stably. The contributions of this thesis are summarized as follows:

(1) A zero trust based network protection system is designed on software defined boundary and identity and access management technologies. The system is divided into three modules, Trusted Identity, Trusted Network and Trusted Service, which are responsible respectively for continuous identity authentication and single sign-on; data encryption and traffic auditing; and user authorization and user behavior monitoring.

(2) The functional components required for the implementation are determined through a detailed technology selection. A variety of available technologies are compared and experimentally evaluated, and the technology for each function is chosen on the basis of extensive experiments. The selection principles are open source components, mature technology, good scalability and efficient performance, which ensures that the system has good stability and protection effect.

(3) Different business protection logics are adapted for user access to different services. To meet user requirements, two business access processes are designed, one for user access to Web applications and one for user access to server devices, and a large number of scenario tests are run on the invocation sequence and trigger conditions between the system functions to ensure the rigor and completeness of the system's business protection logic.
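The abstract describes the gateway's behaviour only in outline: authenticate before any access is granted, authorize each request against a per-service policy (Web applications and server devices follow different logic), audit all traffic, and keep re-evaluating the user's trust while the session lives. The following Python model is an added illustration of that control flow and is not the thesis's code nor any part of its prototype; the module names follow the abstract, while `TrustGateway`, `SERVICES`, `USER_DIRECTORY`, the HMAC session token, the fixed TTL and the "revoke after repeated denials" rule are all constructed assumptions chosen to make the flow concrete.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed demo values: in a real deployment the signing key would come from a
# KMS/HSM and the user directory from the identity provider (these are assumptions).
SIGNING_KEY = b"constructed-demo-key"
USER_DIRECTORY = {"alice": ("ops", True), "bob": ("staff", False)}  # name -> (role, mfa_enrolled)
TOKEN_TTL = 300.0      # seconds a session stays trusted before re-authentication is demanded
DENIAL_LIMIT = 3       # policy violations tolerated before behaviour monitoring revokes the session

# Trusted Service policy (assumed): which roles may reach which service, and the
# access logic each service class demands (Web app vs. server device).
SERVICES = {
    "crm-web":   {"kind": "web",    "roles": {"ops", "staff"}},
    "db-server": {"kind": "server", "roles": {"ops"}},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_done: bool
    issued: float
    denials: int = 0
    revoked: bool = False


@dataclass
class TrustGateway:
    sessions: dict = field(default_factory=dict)   # token -> Session
    audit: list = field(default_factory=list)      # (time, user, service, verdict, reason)

    # --- Trusted Identity: authentication happens before any access at all ---
    def authenticate(self, user, mfa_done=False, now=None):
        if user not in USER_DIRECTORY:
            return None
        role, mfa_enrolled = USER_DIRECTORY[user]
        now = time.time() if now is None else now
        body = f"{user}|{now:.0f}".encode()
        token = body.hex() + "." + hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        self.sessions[token] = Session(user, role, mfa_done and mfa_enrolled, now)
        return token

    def _session(self, token, now):
        # Verify the token's signature before consulting session state.
        try:
            body_hex, mac = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None, "malformed token"
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None, "bad signature"
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return None, "session revoked"
        if now - s.issued > TOKEN_TTL:
            return None, "session expired; re-authenticate"
        return s, None

    # --- Trusted Service: per-request authorization with service-specific logic ---
    def _authorize(self, s, service):
        spec = SERVICES.get(service)
        if spec is None:
            return "unknown service"
        if s.role not in spec["roles"]:
            return f"role {s.role} not allowed"
        if spec["kind"] == "server" and not s.mfa_done:
            return "server access requires MFA step-up"
        return None  # policy match

    # --- Trusted Network: audit every request and re-evaluate trust continuously ---
    def request(self, token, service, now=None):
        now = time.time() if now is None else now
        s, err = self._session(token, now)
        if s is None:
            self.audit.append((now, "?", service, "deny", err))
            return "deny", err
        reason = self._authorize(s, service)
        verdict = "deny" if reason else "allow"
        self.audit.append((now, s.user, service, verdict, reason or "policy match"))
        if reason:
            s.denials += 1
            if s.denials >= DENIAL_LIMIT:      # behaviour monitoring: repeated violations
                s.revoked = True
                reason += "; session revoked after repeated denials"
            return "deny", reason
        return "allow", "ok"


def demo():
    """Walk a few constructed users through the gateway and return the verdicts."""
    gw = TrustGateway()
    t0 = 1_700_000_000.0
    r = {}
    r["no_token"] = gw.request("garbage", "crm-web", now=t0)[0]
    bob = gw.authenticate("bob", now=t0)
    r["bob_web"] = gw.request(bob, "crm-web", now=t0 + 1)[0]
    r["bob_server"] = gw.request(bob, "db-server", now=t0 + 2)[0]
    alice = gw.authenticate("alice", now=t0)
    r["alice_server_no_mfa"] = gw.request(alice, "db-server", now=t0 + 3)[0]
    alice = gw.authenticate("alice", mfa_done=True, now=t0 + 4)
    r["alice_server_mfa"] = gw.request(alice, "db-server", now=t0 + 5)[0]
    r["alice_expired"] = gw.request(alice, "db-server", now=t0 + 4 + TOKEN_TTL + 1)[0]
    for _ in range(DENIAL_LIMIT):               # bob keeps probing a service he may not use
        gw.request(bob, "db-server", now=t0 + 10)
    r["bob_after_revocation"] = gw.request(bob, "crm-web", now=t0 + 11)[0]
    return r, gw.audit


if __name__ == "__main__":
    verdicts, audit = demo()
    print(verdicts)
    for line in audit:
        print(line)
```

The point the model makes is the one the abstract makes: an unauthenticated request never reaches a policy decision, the same identity gets different answers for a Web application and a server device, and trust is withdrawn mid-session (expiry, or repeated policy violations seen by the audit log) rather than being granted once at a perimeter.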
Keywords/Search Tags: Network Protection, Zero Trust, Software Defined Boundary, Identity and Access Management