A data packet verification method, system, device, equipment and medium
By obtaining the EIP address from the NAT gateway's data packets, identifying the target tenant, and replacing it with the internal network IP address, the problem of security devices being unable to locate internal network hosts is solved, thus ensuring the accuracy of data packet verification and network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM NETWORK SECURITY TECH CO LTD
- Filing Date
- 2023-01-18
- Publication Date
- 2026-06-26
AI Technical Summary
In a cloud computing environment, when a NAT gateway performs network address translation on data packets, the use of dynamically configured EIP addresses causes security devices to be unable to accurately locate hosts within the VPC and thus cannot perform effective data packet verification.
By receiving data packets sent by the NAT gateway, the target EIP address is obtained, the target tenant is determined based on the saved tenant information, and the internal network IP address saved by the NAT gateway is obtained. The internal network IP address is used to replace the EIP address, and the data packet is sent to the target virtual security device for verification based on the relationship between the tenant and the virtual security device.
This enables security devices to accurately locate hosts on the internal network, enhances network access security, and ensures the accuracy of data packet verification.
Figure CN116192485B_ABST (abstract drawing; image not reproduced here)
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, and in particular to a data packet verification method, system, device, equipment, and medium.
Background Technology
[0002] In cloud computing environments, using Virtual Private Clouds (VPCs) to segment user networks is a common approach. Due to the limited availability of public Internet Protocol (IP) addresses, Elastic Compute Service (ECS) systems within a VPC typically use Network Address Translation (NAT) to enable internal network access to the public internet. In this network service model, all hosts within the VPC communicate with the external network through the same NAT gateway. The NAT gateway dynamically allocates available public IP addresses to hosts within the VPC by binding one or more Elastic IP (EIP) addresses. In other words, data packets for both internal and public internet access must pass through the NAT gateway. Failure to validate these packets could compromise the network security of hosts within the VPC. Therefore, to ensure network security, it is necessary to validate data packets passing through the NAT gateway. However, when the NAT gateway translates network addresses, it uses EIP addresses to hide the internal IP addresses of the hosts in the VPC. Since EIPs are dynamically configured, the security devices that verify data packets cannot determine the internal IP address corresponding to the data packets, thus making it impossible to locate the corresponding hosts within the VPC.
[0003] Therefore, how to ensure that security devices accurately locate internal network hosts when verifying data packets has become an urgent problem to be solved.
Summary of the Invention
[0004] This application provides a data packet verification method, system, apparatus, device, and medium to solve the problem in the prior art that security devices cannot locate internal network hosts based on data packets flowing through a NAT gateway.
[0005] This application provides a data packet verification method, the method comprising:
[0006] Receive data packets sent by the Network Address Translation (NAT) gateway and obtain the target Elastic Internet Protocol (EIP) address from the data packets;
[0007] Based on the saved EIP address corresponding to each tenant, determine the target tenant corresponding to the target EIP address;
[0008] Obtain the internal network IP address stored by the NAT gateway for the target tenant, and replace the target EIP address with the internal network IP address;
[0009] Based on the stored relationship between each tenant and the virtual security device, the target virtual security device corresponding to the target tenant is determined, and the replaced data packet is sent to the target virtual security device so that the target virtual security device can verify the received data packet.
[0010] Furthermore, obtaining the internal network IP address stored by the NAT gateway for the target tenant includes:
[0011] Based on the stored relationship between each tenant and the gateway instance identifier, the target gateway instance identifier corresponding to the target tenant is determined;
[0012] Obtain the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
[0013] Furthermore, before replacing the target EIP address with the internal network IP address, the method further includes:
[0014] Obtain the target port number from the data packet;
[0015] The step of replacing the target EIP address with the internal network IP address includes:
[0016] Obtain the internal network port number stored by the NAT gateway for the target tenant;
[0017] Replace the target EIP address with the internal network IP address, and replace the target port number with the internal network port number.
[0018] Furthermore, the method also includes:
[0019] If a target response data packet is received from the target virtual security device, the internal network IP address in the target response data packet is replaced with the target EIP address;
[0020] The replaced target response packet is sent to the NAT gateway.
[0021] Furthermore, the received target response data packet from the target virtual security device includes:
[0022] Receive response data packets returned by any virtual security device;
[0023] Obtain the Virtual Extensible Local Area Network (VXLAN) identifier from the response data packet;
[0024] If the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, then the response data packet is determined to be the target response data packet returned by the target virtual security device.
[0025] Furthermore, after replacing the internal network IP address in the target response packet with the target EIP address, and before sending the replaced target response packet to the NAT gateway, the method further includes:
[0026] Replace the internal network port number in the target response data packet with the target port number.
[0027] This application also provides a data packet verification system, the system comprising: a NAT gateway, a virtual machine, and at least one virtual security device;
[0028] The NAT gateway is used to send data packets to the virtual machine;
[0029] The virtual machine is configured to receive data packets sent by the NAT gateway and obtain the target EIP address in the data packets; determine the target tenant corresponding to the target EIP address based on the saved EIP address corresponding to each tenant; obtain the internal network IP address saved by the NAT gateway for the target tenant and replace the target EIP address with the internal network IP address; determine the target virtual security device corresponding to the target tenant based on the saved relationship between each tenant and the virtual security device, and send the replaced data packet to the target virtual security device.
[0030] The virtual security device is used to verify the received data packets.
[0031] Furthermore, the virtual security device is also configured to, if it determines that the verification result of the received data packet is valid, send the data packet as a response data packet to the virtual machine; otherwise, intercept the data packet.
[0032] The virtual machine is further configured to receive a response data packet returned by the virtual security device; obtain the Virtual Extensible Local Area Network (VXLAN) identifier in the response data packet; and if the VXLAN identifier is consistent with the target VXLAN identifier corresponding to the target virtual security device, then the response data packet is determined to be the target response data packet returned by the target virtual security device.
[0033] Furthermore, the virtual machine is also configured to, upon receiving a target response data packet returned by the target virtual security device, replace the internal network IP address in the target response data packet with the target EIP address; and send the replaced target response data packet to the NAT gateway;
[0034] The NAT gateway is also used to receive target response data packets and perform network communication based on the target response data packets.
[0035] This application embodiment also provides a data packet verification device, the device comprising:
[0036] The receiving module is used to receive data packets sent by the Network Address Translation (NAT) gateway;
[0037] The acquisition module is used to acquire the target Elastic Internet Protocol (EIP) address in the data packet;
[0038] The determination module is used to determine the target tenant corresponding to the target EIP address based on the stored EIP address corresponding to each tenant.
[0039] The acquisition module is also used to acquire the internal network IP address stored by the NAT gateway for the target tenant;
[0040] The replacement module is used to replace the target EIP address with the internal network IP address;
[0041] The determining module is further configured to determine the target virtual security device corresponding to the target tenant based on the stored relationship between each tenant and the virtual security device;
[0042] The sending module is used to send the replaced data packet to the target virtual security device so that the target virtual security device can verify the received data packet.
[0043] This application also provides an electronic device, which includes at least a processor and a memory, wherein the processor is used to execute a computer program stored in the memory to implement the steps of the data packet verification method described in any of the preceding claims.
[0044] This application also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the data packet verification method described in any of the preceding claims.
[0045] In this embodiment, after receiving the data packet sent by the NAT gateway, the target EIP address in the data packet is obtained. Based on the saved EIP address corresponding to each tenant, the target tenant corresponding to the target EIP address is determined. The internal network IP address saved by the NAT gateway for the target tenant is obtained, and the target EIP address is replaced with the internal network IP address. Based on the saved relationship between each tenant and the virtual security device, the replaced data packet is sent to the target virtual security device corresponding to the target tenant. This allows the target virtual security device to verify the received data packet, enabling it to clearly identify the internal network IP address of the internal host corresponding to the data packet being verified. This allows for accurate location of the corresponding internal host, enhancing the security of network access.
Attached Figure Description
[0046] To more clearly illustrate the technical solutions of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0047] Figure 1 is a schematic diagram of the data packet verification process provided in an embodiment of this application;
[0048] Figure 2 is a schematic diagram of the data packet verification process provided in an embodiment of this application;
[0049] Figure 3 is a schematic diagram of the data packet verification process provided in an embodiment of this application;
[0050] Figure 4 is a schematic diagram of the structure of a data packet verification system provided in an embodiment of this application;
[0051] Figure 5 is a schematic diagram of the data packet verification device provided in the embodiments of this application;
[0052] Figure 6 is another schematic diagram of the data packet verification device provided in the embodiments of this application;
[0053] Figure 7 is a schematic diagram of an electronic device structure provided in an embodiment of this application.
Detailed Implementation
[0054] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art are within the scope of protection of this application.
[0055] This application provides a data packet verification method, system, apparatus, device, and medium. The method receives a data packet sent by a Network Address Translation (NAT) gateway and obtains the target Elastic Internet Protocol (EIP) address from the data packet. Based on the stored EIP addresses corresponding to each tenant, the target tenant corresponding to the target EIP address is determined. The internal network IP address stored by the NAT gateway for the target tenant is obtained, and the target EIP address is replaced using this internal network IP address. Based on the stored relationship between each tenant and a virtual security device, the target virtual security device corresponding to the target tenant is determined. The replaced data packet is sent to the target virtual security device so that the target virtual security device can verify the received data packet.
[0056] Example 1:
[0057] Figure 1 is a schematic diagram of the data packet verification process provided in an embodiment of this application. The process specifically includes the following steps:
[0058] S101: Receive the data packet sent by the Network Address Translation (NAT) gateway and obtain the target Elastic Internet Protocol (EIP) address in the data packet.
[0059] The data packet verification process provided in this application is applicable to electronic devices, such as servers and PCs.
[0060] Because the NAT gateway replaces the internal IP address in the data packets with the EIP address during address translation, and the EIP address is dynamically allocated, the virtual security device cannot determine the corresponding host's internal IP address based on the data packet during data packet verification, thus failing to accurately locate the host. Therefore, to enable the security device responsible for data packet verification to accurately determine the host's internal IP address, in this embodiment, the electronic device can receive data packets sent by the NAT gateway. These data packets include at least a 5-tuple, which includes the external IP address, external port number, target EIP address, the target port number corresponding to the target EIP address, and the transport layer protocol. In this embodiment, the security device responsible for data packet verification can be a server or a virtual security device configured on a server. This embodiment uses a virtual security device as an example for illustration.
[0061] After receiving the data packet, the target EIP address in the data packet is obtained so that the internal network IP address corresponding to the target EIP address can be used to replace the target EIP address in the data packet later.
[0062] S102: Determine the target tenant corresponding to the target EIP address based on the saved EIP address of each tenant.
[0063] After obtaining the target EIP address from the data packet, the target tenant corresponding to the target EIP address is determined based on the saved EIP addresses corresponding to each tenant. The saved EIP addresses corresponding to each tenant can be pre-saved by the user of the electronic device or obtained and saved from the cloud security management platform. In this embodiment, the electronic device can obtain and save the EIP addresses configured for each tenant from the cloud security management platform at startup, or it can obtain the EIP addresses configured for each tenant from the cloud security management platform at preset time intervals and update the saved EIP addresses corresponding to each tenant. In this embodiment, each tenant can correspond to one EIP address or multiple EIP addresses. Generally, EIP addresses between different tenants are not duplicated; that is, the same EIP address cannot be shared by multiple tenants.
[0064] S103: Obtain the internal network IP address stored by the NAT gateway for the target tenant, and replace the target EIP address with the internal network IP address.
[0065] After identifying the target tenant, in order to determine the internal network IP address corresponding to the target tenant, in this embodiment of the application, the internal network IP address stored by the NAT gateway for the target tenant can be obtained. When obtaining the internal network IP address, an instruction to obtain the internal network IP address can be sent to the NAT gateway, and this instruction carries the identifier of the target tenant.
[0066] In order for the virtual security device to accurately determine the internal IP address of the host corresponding to the data packet, the target EIP address in the data packet is replaced with the internal IP address corresponding to the target tenant.
[0067] S104: Based on the stored relationship between each tenant and the virtual security device, determine the target virtual security device corresponding to the target tenant, and send the replaced data packet to the target virtual security device so that the target virtual security device can verify the received data packet.
[0068] After replacing the target EIP address in the data packet with the obtained intranet IP address, the target virtual security device corresponding to the target tenant is determined based on the saved relationship between each tenant and the virtual security device. The saved relationship between each tenant and the virtual security device can be pre-saved by the user of the electronic device or obtained and saved from the cloud security management platform.
[0069] In this embodiment, each tenant can have one or more virtual security devices. Specifically, each tenant can correspond to a Virtual Extensible Local Area Network (VXLAN), which includes at least one virtual security device, such as a Virtual Web Application Firewall (vWAF), a Virtual Firewall (vFW), etc. If the VXLAN includes only one virtual security device, then the target virtual security device for the tenant corresponding to the VXLAN is that virtual security device. If the VXLAN includes multiple virtual security devices, these multiple virtual security devices are connected in pairs to form a security service chain for the tenant corresponding to the VXLAN. The connection order of each virtual security device is pre-configured, and the target virtual security device for the tenant corresponding to the VXLAN is the first virtual security device in the security service chain. In this embodiment, when storing the relationship between each tenant and the virtual security device, the security service chain mapping table shown in Table 1 below can be used for storage:
[0070]
[0071] Table 1
[0072] Once the target virtual security device is identified, the replaced data packet is sent to it for verification. Upon receiving the data packet, the target virtual security device verifies it. The specific methods for data packet verification are existing technologies and will not be elaborated upon here.
[0073] In this embodiment, after receiving the data packet sent by the NAT gateway, the target EIP address in the data packet is obtained. Based on the saved EIP address corresponding to each tenant, the target tenant corresponding to the target EIP address is determined. The internal network IP address saved by the NAT gateway for the target tenant is obtained, and the target EIP address is replaced with the internal network IP address. Based on the saved relationship between each tenant and the virtual security device, the replaced data packet is sent to the target virtual security device corresponding to the target tenant. This allows the target virtual security device to verify the received data packet, enabling it to clearly identify the internal network IP address of the internal host corresponding to the data packet being verified. This allows for accurate location of the corresponding internal host, enhancing the security of network access.
[0074] Example 2:
[0075] To accurately determine the host corresponding to the data packet, based on the above embodiments, in this embodiment, obtaining the internal network IP address stored by the NAT gateway for the target tenant includes:
[0076] Based on the stored relationship between each tenant and the gateway instance identifier, the target gateway instance identifier corresponding to the target tenant is determined;
[0077] Obtain the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
[0078] To accurately identify the host corresponding to the data packet, after identifying the target tenant, when obtaining the internal network IP address stored by the NAT gateway for the target tenant, in this embodiment of the application, the target gateway instance identifier corresponding to the target tenant can be determined based on the stored relationship between each tenant and the gateway instance identifier. The stored relationship between each tenant and the gateway instance identifier can be pre-stored by the user of the electronic device in the electronic device, or it can be obtained and stored from a cloud security management platform. After determining the target gateway instance identifier, the application programming interface (API) corresponding to the NAT gateway can be called based on the target gateway instance identifier of the target tenant to obtain the internal network IP address stored by the NAT gateway for that target gateway instance identifier.
[0079] Specifically, after obtaining the EIP address and gateway instance identifier for each tenant from the cloud security management platform, an EIP address mapping table can be created for each tenant. This table includes the tenant identifier, EIP address, and gateway instance identifier. For ease of understanding, the EIP address mapping table is shown in Table 2 below. `tenant_id` represents the tenant identifier; `EIP` represents the pre-configured EIP address for the tenant `tenant_id`. One tenant identifier can correspond to one EIP address or multiple EIP addresses; `nat_gateway_id` represents the NAT gateway instance identifier corresponding to the tenant `tenant_id`.
[0080]
[0081] Table 2
[0082] After obtaining the target EIP address in the data packet, the target tenant corresponding to the target EIP address is searched in the saved EIP address mapping table of each tenant, and the gateway instance identifier in the EIP address mapping table of the target tenant is obtained. The gateway instance identifier is then identified as the target gateway instance identifier corresponding to the target tenant.
[0083] Example 3:
[0084] To further improve the accuracy of data packet verification, based on the above embodiments, in this embodiment of the application, before replacing the target EIP address with the internal network IP address, the method further includes:
[0085] Obtain the target port number from the data packet;
[0086] The step of replacing the target EIP address with the internal network IP address includes:
[0087] Obtain the internal network port number stored by the NAT gateway for the target tenant;
[0088] Replace the target EIP address with the internal network IP address, and replace the target port number with the internal network port number.
[0089] To further improve the accuracy of packet verification, not only can the target EIP address be replaced with the internal network IP address, but the target port number in the packet can also be replaced. In this embodiment, before replacing the target EIP address with the internal network IP address, the target port number in the packet can be obtained, and the internal network port number stored by the NAT gateway for the target tenant can be obtained. After determining the internal network port number, the target EIP address is replaced with the internal network IP address, and the target port number is replaced with the internal network port number.
[0090] Specifically, after determining the target tenant corresponding to the target EIP address in the data packet, the API corresponding to the NAT gateway is called based on the tenant identifier of the target tenant or the target gateway instance identifier of the target tenant to obtain the NAT mapping rules returned by the NAT gateway. The NAT mapping rules include the EIP address, the port number corresponding to the EIP address, the tenant's internal IP address, and the tenant's internal port number. For ease of understanding, in this embodiment, the obtained NAT mapping rules can be represented using the following Table 3:
[0091]
[0092] Table 3
[0093] Since the same tenant may correspond to multiple EIP addresses, after obtaining the NAT mapping table of the target tenant, it is determined whether the EIP address in the NAT mapping table is consistent with the target EIP address in the data packet. If they are consistent, it is further determined whether the port number corresponding to the EIP address in the NAT mapping table is consistent with the target port number in the data packet. If they are consistent, the internal network IP address in the NAT mapping table is used to replace the target EIP address in the data packet, and the internal network port number in the NAT mapping table is used to replace the target port number in the data packet.
[0094] Example 4:
[0095] In order to enable the NAT gateway to continue subsequent network communication, based on the above embodiments, the method in this application embodiment further includes:
[0096] If a target response data packet is received from the target virtual security device, the internal network IP address in the target response data packet is replaced with the target EIP address;
[0097] The replaced target response packet is sent to the NAT gateway.
[0098] In order for the NAT gateway to continue to complete subsequent network communication, in this embodiment of the application, after receiving the target response data packet returned by the target virtual security device, the internal network IP address in the target response data packet can be replaced by the target EIP address.
[0099] Since an electronic device may simultaneously receive response data packets returned by multiple virtual security devices, in order to determine which response data packet is the target response data packet returned by the target virtual security device, based on the above embodiments, in this embodiment, receiving the target response data packet returned by the target virtual security device includes:
[0100] Receive response data packets returned by any virtual security device;
[0101] Obtain the Virtual Extensible Local Area Network (VXLAN) identifier from the response data packet;
[0102] If the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, then the response data packet is determined to be the target response data packet returned by the target virtual security device.
[0103] After receiving a response data packet from any virtual security device, in order to determine whether the response data packet is a target response data packet returned by the target virtual security device, in this embodiment of the application, the electronic device can obtain the VXLAN identifier in the response data packet. This VXLAN identifier is the VXLAN identifier of the target virtual security device, which the electronic device adds to the data packet when it sends the data packet to the target virtual security device after identifying that device. In this embodiment of the application, the VXLAN identifier corresponding to the target virtual security device can be pre-stored or obtained from the cloud security management platform.
[0104] After obtaining the VXLAN identifier in the response data packet, it can be determined whether the VXLAN identifier is consistent with the target VXLAN identifier corresponding to the target virtual security device. If they are consistent, the received response data packet can be considered to be the target response data packet returned by the target virtual security device.
[0105] Specifically, in this embodiment, the security service chain information for each tenant can be obtained from the cloud security management platform. This information includes the tenant identifier, the tenant's corresponding VXLAN identifier, and the IP address of the target security device in the security service chain corresponding to that VXLAN identifier. Upon receiving a response data packet from any virtual security device, the VXLAN identifier in the response data packet is obtained, and the target VXLAN identifier corresponding to the target virtual security device is obtained from the security service chain information corresponding to the target tenant. If the VXLAN identifier in the response data packet matches the target VXLAN identifier, the response data packet can be identified as the target response data packet returned by the target virtual security device.
[0106] In order for the NAT gateway to continue to complete subsequent network communication, the replaced target response packet is sent to the NAT gateway.
[0107] Since the electronic device replaces the target port number in the data packet before sending the replaced data packet to the target virtual security device, in order to enable the NAT gateway to perform network communication correctly, based on the above embodiments, in this embodiment of the application, after replacing the internal network IP address in the target response data packet with the target EIP address and before sending the replaced target response data packet to the NAT gateway, the method further includes:
[0108] Replace the internal network port number in the target response data packet with the target port number.
[0109] Before sending the replaced target response packet to the NAT gateway, the internal network port number in the target response packet can also be replaced with the target port number.
[0110] Specifically, after receiving the returned response data packet, the VXLAN identifier included in the data packet is obtained. Then, the tenant identifier corresponding to the VXLAN identifier is searched in each saved security service chain mapping table, and the target gateway instance identifier corresponding to the tenant identifier is searched in the EIP mapping table. Based on the target gateway instance identifier, the corresponding NAT mapping table is found. The target EIP address and target port number corresponding to the internal IP address and internal port number in the target response data packet are obtained from the NAT mapping table. The internal IP address in the target response data packet is replaced with the target EIP address, and the internal port number in the target response data packet is replaced with the target port number.
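The forward translation of steps S101 to S104 (with the port matching of Example 3) and the reverse translation of the response packet by VXLAN identifier (Example 4), as an added Python illustration that is not code from the patent. All tenant identifiers, EIP and internal addresses, port numbers, gateway instance identifiers, VXLAN identifiers and table contents are constructed sample values, and the NAT gateway API call is replaced by an in-memory table.

```python
"""Added illustration of the electronic device's translation logic; not the
patent's own code. Every table entry, address, port, tenant id, gateway
instance id and VXLAN id below is a constructed sample value."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str                      # external IP address
    src_port: int                    # external port number
    dst_ip: str                      # target EIP address (internal IP after de-NAT)
    dst_port: int                    # target port number (internal port after de-NAT)
    proto: str                       # transport layer protocol
    vxlan_id: Optional[int] = None   # VXLAN identifier used towards/from the security device

# Table 2 style EIP address mapping table (constructed): tenant -> EIPs, nat_gateway_id
EIP_MAPPING = {
    "tenant-1": {"EIP": {"203.0.113.10", "203.0.113.11"}, "nat_gateway_id": "ngw-a"},
    "tenant-2": {"EIP": {"203.0.113.20"}, "nat_gateway_id": "ngw-b"},
}

# Table 3 style NAT mapping rules per gateway instance (constructed), standing in
# for what the NAT gateway API returns: (EIP, EIP port) -> (internal IP, internal port)
NAT_RULES = {
    "ngw-a": {("203.0.113.10", 8080): ("10.0.1.5", 80),
              ("203.0.113.11", 8443): ("10.0.1.6", 443)},
    "ngw-b": {("203.0.113.20", 8080): ("10.0.2.7", 80)},
}

# Table 1 style security service chain mapping table (constructed): tenant ->
# the tenant's VXLAN identifier and the first device in its service chain
SERVICE_CHAIN = {
    "tenant-1": {"vxlan_id": 1001, "target_device": "vFW1"},
    "tenant-2": {"vxlan_id": 1002, "target_device": "vFW2"},
}

def tenant_for_eip(eip: str) -> Optional[str]:
    """S102: the target tenant is the one whose configured EIPs contain the target EIP."""
    for tenant_id, entry in EIP_MAPPING.items():
        if eip in entry["EIP"]:
            return tenant_id
    return None

def tenant_for_vxlan(vxlan_id: Optional[int]) -> Optional[str]:
    """Example 4: map the VXLAN identifier of a response packet back to its tenant."""
    for tenant_id, chain in SERVICE_CHAIN.items():
        if chain["vxlan_id"] == vxlan_id:
            return tenant_id
    return None

def nat_rules_for_tenant(tenant_id: str) -> dict:
    """Example 2: tenant -> target gateway instance identifier -> that gateway's NAT rules."""
    gateway_id = EIP_MAPPING[tenant_id]["nat_gateway_id"]
    return NAT_RULES.get(gateway_id, {})

def to_security_device(pkt: Packet):
    """S101 to S104 plus the port matching of Example 3.
    Returns (target virtual security device, rewritten packet), or None when the
    EIP belongs to no tenant or no NAT rule matches EIP and port (no host is guessed)."""
    tenant_id = tenant_for_eip(pkt.dst_ip)
    if tenant_id is None:
        return None
    rule = nat_rules_for_tenant(tenant_id).get((pkt.dst_ip, pkt.dst_port))
    if rule is None:
        return None
    internal_ip, internal_port = rule
    chain = SERVICE_CHAIN[tenant_id]
    rewritten = replace(pkt, dst_ip=internal_ip, dst_port=internal_port,
                        vxlan_id=chain["vxlan_id"])
    return chain["target_device"], rewritten

def from_security_device(resp: Packet) -> Optional[Packet]:
    """Example 4: identify the tenant from the response's VXLAN identifier, then put
    the EIP and EIP port back so the NAT gateway can continue the communication."""
    tenant_id = tenant_for_vxlan(resp.vxlan_id)
    if tenant_id is None:
        return None          # not a response from any known target security device
    for (eip, eip_port), internal in nat_rules_for_tenant(tenant_id).items():
        if internal == (resp.dst_ip, resp.dst_port):
            return replace(resp, dst_ip=eip, dst_port=eip_port, vxlan_id=None)
    return None              # internal address/port not in this tenant's NAT rules

if __name__ == "__main__":
    inbound = Packet("198.51.100.9", 40000, "203.0.113.10", 8080, "tcp")
    device, de_natted = to_security_device(inbound)
    print(device, de_natted)                 # vFW1, dst 10.0.1.5:80, vxlan 1001
    print(from_security_device(de_natted))   # dst 203.0.113.10:8080 restored
```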
[0111] The data verification process is illustrated below with a specific example. Figure 2 is a schematic diagram of the data packet verification process provided in an embodiment of this application. As shown in Figure 2, the network configuration is as follows: Virtual security devices vFW1 and vWAF2 are connected to vtep1 and deployed on server 1; virtual security devices vFW2 and vWAF1 are connected to vtep2 and deployed on server 2; host1 and host2 are in tenant 1's VPC, and host3 and host4 are in tenant 2's VPC; virtual security devices vFW1 and vWAF1 are the virtual security devices corresponding to tenant 1, where vFW1 is the first virtual security device in the security service chain corresponding to tenant 1, i.e., the target virtual security device of tenant 1; virtual security devices vFW2 and vWAF2 are the virtual security devices corresponding to tenant 2, where vFW2 is the first virtual security device in the security service chain corresponding to tenant 2, i.e., the target virtual security device of tenant 2.
[0112] The electronic device obtains tenant information from the cloud security management platform, including each tenant's tenant_id, the EIP address assigned to the tenant, the NAT gateway instance identifier nat_gateway_id configured in the tenant's VPC, and the tenant's security service chain information. The tenant's security service chain information includes the connection order of the virtual security devices on the service chain and the network configuration of each virtual security device.
[0113] After obtaining tenant information from the cloud security management platform, an EIP mapping table and a tenant security service chain mapping table are generated. If there are tenant 1 and tenant 2, the EIP mapping table and the tenant security service chain mapping table are represented as follows:
[0114]
[0115] Table 4
[0116] Where tenant_id represents the tenant identifier, EIP represents the EIP address corresponding to the tenant, and nat_gateway_id represents the gateway instance identifier corresponding to the tenant.
[0117]
[0118] Table 5
[0119] Where tenant_id represents the tenant identifier, VNI represents the VXLAN identifier corresponding to the tenant, vtep0_ip represents the IP address of the electronic device in the VXLAN, and vtep1_ip represents the IP address of the target virtual security device corresponding to the tenant.
[0120] Based on the obtained gateway instance identifier for each tenant, the NAT gateway's API is invoked to retrieve the NAT mapping rules for each tenant and generate a NAT mapping table:
[0121]
[0122] Table 6
[0123] Where tenant_id represents the tenant identifier, EIP represents the EIP address corresponding to the tenant, transit_service_port represents the port number corresponding to the EIP address, private_ip represents the internal network IP address, and private_service_port represents the internal network port number.
[0124] After the electronic device receives the data packet sent by the NAT gateway, the five-tuple in the data packet consists of the external IP, the external port, EIP1, 80, and the TCP protocol. The target EIP address EIP1 is obtained from the data packet, and the tenant identifier tenant_id1 is obtained from the EIP mapping table using EIP1.
[0125] Using tenant_id1, EIP1, and the destination port number 80 in the packet, we can find the corresponding private_ip and private_service_port in the NAT mapping table: 192.168.0.2 and 8080. Then, using tenant_id1, we can find the corresponding VNI, vtep0_ip, and vtep1_ip in the security service chain mapping table: VNI1, vtep0_ip1, and vtep1_ip1.
[0126] Replace the destination EIP address EIP1 in the data packet with 192.168.0.2 and the destination port number 80 with 8080. Then use vtep0_ip1 and vtep1_ip1 as the source IP address and destination IP address of the VXLAN data packet, respectively. Add VNI1 to the data packet, encapsulate the VXLAN data packet, and send the data packet to vtep1.
[0127] Since the virtual security device vFW1 connected to vtep1 is the target virtual security device for tenant 1, after the data packet is received by vtep1, vtep1 sends the data packet to vFW1. vFW1 will determine whether the access to port 8080 of 192.168.0.2 is allowed. If the data packet is allowed, it will be sent out from vFW1, and its destination IP will be set to vtep2 where the next hop vWAF1 in the security service chain is located. After being verified by vWAF1 in the same way, the VXLAN destination IP of the data packet will be set to vtep0_ip1, and a response data packet will be obtained. The response data packet will be sent to the electronic device.
[0128] After receiving the response data packet, the electronic device removes the VXLAN encapsulation from the data packet and extracts VNI1. It then uses VNI1 to find the corresponding tenant ID: tenant_id1 in the security service chain mapping table. Next, it extracts the internal network IP address and port number, namely 192.168.0.2 and 8080, from the data packet after removing the VXLAN encapsulation. It then uses VNI1, 192.168.0.2, and 8080 to find the corresponding EIP and transit_service_port: EIP1 and 80 in the NAT mapping table, and replaces 192.168.0.2 and 8080 with EIP1 and 80 respectively.
[0129] Send the replaced response packet to the NAT gateway.
[0130] The data packet verification process will now be described using another specific embodiment. Figure 3 is a schematic diagram of the data packet verification process provided in an embodiment of this application. As shown in Figure 3, the process includes the following steps:
[0131] S301: Obtain tenant information from the cloud security management platform, generate and save EIP mapping table and security service chain mapping table based on the tenant information.
[0132] S302: Obtain the NAT mapping rules stored for each tenant from the NAT gateway, generate a NAT mapping table, and save it.
[0133] S303: Receive data packets sent by the NAT gateway, obtain the target EIP address in the data packets, and use the target EIP address to obtain the corresponding tenant identifier from the EIP mapping table.
[0134] S304: Based on the tenant identifier, the target EIP address, and the target port number in the data packet, obtain the corresponding internal network IP address and internal network port number from the NAT mapping table.
[0135] S305: Based on the tenant identifier, obtain the VXLAN identifier corresponding to the target tenant, the IP address vtep0_ip of the electronic device in the VXLAN, and the IP address vtep1_ip of the target virtual security device from the security service chain mapping table.
[0136] S306: Replace the target EIP address and its corresponding target port number in the data packet with the internal network IP address and internal network port number, encapsulate the data packet with vtep0_ip as the outer source IP address of the VXLAN protocol and vtep1_ip as the outer destination IP address of the VXLAN protocol, and send the encapsulated data packet to the target virtual security device.
[0137] S307: After receiving the returned target response data packet, remove the VXLAN encapsulation of the response data packet, replace the internal network IP address in the response data packet with the target EIP address, replace the internal network source port number with the target port number, and send the replaced response data packet to the NAT gateway.
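The lookups and rewrites walked through in [0124]-[0129] and summarised as steps S301-S307, as an added example; this is not code from the patent or its assignee. The three tables mirror Tables 4-6 with constructed sample values, the inner packet is a toy 12-byte (source IP, source port, destination IP, destination port) header rather than a real IP/TCP header, and every IP address, VNI, port and tenant identifier below is an assumption. The VXLAN header layout is the RFC 7348 one (flags byte with the I bit, 24-bit VNI).

```python
"""Constructed model of steps S301-S307 (added example, not the patent's code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Table 4 analogue (constructed values): EIP -> (tenant_id, nat_gateway_id)
EIP_TABLE = {
    "203.0.113.10": ("tenant_id1", "nat_gateway_id1"),
    "203.0.113.20": ("tenant_id2", "nat_gateway_id2"),
}
# Table 5 analogue (constructed values): tenant_id -> (VNI, vtep0_ip, vtep1_ip)
# vtep0_ip is this device's own VTEP; vtep1_ip is the VTEP in front of the
# first virtual security device of the tenant's security service chain.
CHAIN_TABLE = {
    "tenant_id1": (1001, "10.0.0.1", "10.0.0.11"),
    "tenant_id2": (1002, "10.0.0.1", "10.0.0.12"),
}
# Table 6 analogue (constructed values), one rule set per NAT gateway instance:
# nat_gateway_id -> {(EIP, transit_service_port): (private_ip, private_service_port)}
NAT_TABLE = {
    "nat_gateway_id1": {("203.0.113.10", 80): ("192.168.0.2", 8080)},
    "nat_gateway_id2": {("203.0.113.20", 443): ("192.168.1.5", 8443)},
}
TENANT_TO_GATEWAY = {tenant: gw for tenant, gw in EIP_TABLE.values()}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class VxlanFrame:
    outer_src: str  # vtep0_ip
    outer_dst: str  # vtep1_ip
    data: bytes     # 8-byte VXLAN header followed by the inner packet


INNER_FMT = "!4sH4sH"  # toy inner header: src ip, src port, dst ip, dst port
VXLAN_I_FLAG = 0x08    # "VNI valid" bit in the VXLAN flags byte


def pack_inner(p: Packet) -> bytes:
    return struct.pack(INNER_FMT, socket.inet_aton(p.src_ip), p.src_port,
                       socket.inet_aton(p.dst_ip), p.dst_port)


def unpack_inner(data: bytes) -> Packet:
    s, sp, d, dp = struct.unpack(INNER_FMT, data[:struct.calcsize(INNER_FMT)])
    return Packet(socket.inet_ntoa(s), sp, socket.inet_ntoa(d), dp)


def vxlan_encap(vni: int, payload: bytes) -> bytes:
    # flags(8) | reserved(24) | VNI(24) | reserved(8), network byte order
    return struct.pack("!II", VXLAN_I_FLAG << 24, (vni & 0xFFFFFF) << 8) + payload


def vxlan_decap(frame: bytes) -> Tuple[int, bytes]:
    flags_word, vni_word = struct.unpack("!II", frame[:8])
    if not (flags_word >> 24) & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    return (vni_word >> 8) & 0xFFFFFF, frame[8:]


def inbound(pkt: Packet) -> Optional[Tuple[str, VxlanFrame]]:
    """S303-S306: returns (target tenant, frame addressed to vtep1_ip), or None
    when the destination EIP belongs to no tenant or has no NAT rule. Such a
    packet cannot be attributed to a VPC host, so it is dropped, not forwarded."""
    entry = EIP_TABLE.get(pkt.dst_ip)
    if entry is None:
        return None
    tenant, gateway = entry
    rule = NAT_TABLE[gateway].get((pkt.dst_ip, pkt.dst_port))
    if rule is None:
        return None
    private_ip, private_port = rule
    vni, vtep0, vtep1 = CHAIN_TABLE[tenant]
    inner = Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)
    return tenant, VxlanFrame(vtep0, vtep1, vxlan_encap(vni, pack_inner(inner)))


def response_to_nat(frame: VxlanFrame, target_tenant: str) -> Optional[Packet]:
    """S307 and [0105]-[0110]: accept the response only if its VNI is the target
    tenant's VNI, then map the private address/port back to the EIP and transit
    port for the NAT gateway. None means this is not the target response."""
    vni, payload = vxlan_decap(frame.data)
    if vni != CHAIN_TABLE[target_tenant][0]:
        return None
    inner = unpack_inner(payload)
    reverse = {priv: pub for pub, priv in NAT_TABLE[TENANT_TO_GATEWAY[target_tenant]].items()}
    public = reverse.get((inner.dst_ip, inner.dst_port))
    if public is None:
        return None
    eip, transit_port = public
    return Packet(inner.src_ip, inner.src_port, eip, transit_port)


if __name__ == "__main__":
    # Constructed external client reaching tenant 1's EIP on port 80.
    result = inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 80))
    tenant, frame = result
    # The service chain is modelled as handing the verified frame back unchanged.
    print(tenant, frame.outer_dst, response_to_nat(frame, tenant))
```

Two points the prose does not spell out are made explicit here: a packet whose destination EIP or port has no entry in the EIP or NAT tables is dropped rather than forwarded, because it cannot be attributed to a VPC host; and the return-path VNI check is done against the VNI recorded for the tenant that was determined on the inbound path, so a frame carrying another tenant's VNI is never translated back to this tenant's EIP.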
[0138] Example 5:
[0139] To ensure network security, based on the above embodiments, this application provides a data packet verification system. Figure 4 is a schematic diagram of the structure of a data packet verification system provided in an embodiment of this application. As shown in Figure 4, the system includes: a NAT gateway 401, a virtual machine 402, and at least one virtual security device 403;
[0140] The NAT gateway 401 is used to send data packets to the virtual machine 402;
[0141] The virtual machine 402 is configured to receive data packets sent by the NAT gateway 401 and obtain the target EIP address in the data packets; determine the target tenant corresponding to the target EIP address based on the stored EIP address corresponding to each tenant; obtain the internal network IP address stored by the NAT gateway for the target EIP address and replace the target EIP address with the internal network IP address; determine the target virtual security device corresponding to the target tenant based on the stored relationship between each tenant and the virtual security device, and send the replaced data packets to the target virtual security device 403.
[0142] The virtual security device 403 is used to verify the received data packets.
[0143] In order to verify the data packets flowing through the NAT gateway 401 and ensure network security, the NAT gateway, which replaces the IP address and port in the data packets during network communication, can then send the data packets to the virtual machine 402.
[0144] After receiving the data packet sent by the NAT gateway 401, the virtual machine 402 obtains the target EIP address in the data packet. Based on the stored EIP addresses corresponding to each tenant, it determines the target tenant corresponding to the target EIP address. It then obtains the internal network IP address stored by the NAT gateway for the target tenant and replaces the target EIP address with the internal network IP address. Based on the stored relationship between each tenant and the virtual security device, it determines the target virtual security device 403 corresponding to the target tenant and sends the replaced data packet to the target virtual security device 403. Specifically, how the virtual machine 402 replaces the EIP address in the data packet has been described in detail in the above embodiments and will not be repeated here.
[0145] After receiving a data packet, the virtual security appliance 403 verifies the data packet according to pre-configured rules.
[0146] To further ensure network security, based on the above embodiments, in this embodiment of the application, the virtual security device 403 is further configured to send the data packet as a response data packet to the virtual machine 402 if the verification result of the received data packet is determined to be valid; otherwise, the data packet is intercepted.
[0147] The virtual machine 402 is further configured to receive a response data packet returned by the virtual security device; obtain the Virtual Extensible Local Area Network (VXLAN) identifier in the response data packet; and, if the VXLAN identifier is consistent with the target VXLAN identifier corresponding to the target virtual security device, determine the response data packet to be the target response data packet returned by the target virtual security device.
[0148] The replaced data packet can be transmitted based on the VXLAN protocol. The virtual machine uses VXLAN to send the replaced data packet to the virtual security device corresponding to the first node in the security service chain of the target tenant, that is, to the target virtual security device. The virtual security device then forwards the data packet in cascade through the pre-configured security service chain to the virtual security devices corresponding to the subsequent nodes. After the data packet has passed through the virtual security device corresponding to the last node in the security service chain, that virtual security device returns a response data packet to the electronic device. How the virtual device 303 verifies the data packet and how it processes the data packet based on the pre-configured security service chain are existing technologies and will not be elaborated here.
[0149] After verifying the data packet based on pre-configured rules, the virtual security appliance 403 determines that the verification result of the data packet is valid if it finds that the received data packet is not abnormal. It can then send the data packet as a response data packet to the virtual machine 402. If it finds that the data packet is abnormal, it can either intercept the data packet or send a message to the virtual machine indicating that the data packet is abnormal.
[0150] After receiving the response data packet returned by the virtual security device, the virtual machine 402 obtains the Virtual Extensible Local Area Network (VXLAN) identifier from the response data packet. If the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, the response data packet is determined to be the target response data packet returned by the target virtual security device. The specific method for determining whether a response data packet is a target response data packet has been explained in detail in the above embodiments and will not be repeated here.
[0151] In order to ensure the smooth operation of network communication, based on the above embodiments, in this embodiment of the application, the virtual machine 402 is further configured to, if it receives a target response data packet returned by the target virtual security device 403, replace the internal network IP address in the target response data packet with the target EIP address; and send the replaced target response data packet to the NAT gateway 401;
[0152] The NAT gateway 401 is also used to receive target response data packets and perform network communication based on the target response data packets.
[0153] After confirming that it has received the target response data returned by the target virtual security device 403, virtual machine 402 replaces the internal network IP address in the target response data packet with the target EIP address, and sends the replaced target response data packet to NAT gateway 401.
[0154] After receiving the target response data packet, the NAT gateway 401 performs network communication based on the target response data packet. The NAT gateway 401's network communication based on data packets is existing technology and will not be described in detail here.
[0155] Example 6:
[0156] Figure 5 is a schematic diagram of the data packet verification device provided in the embodiments of this application. As shown in Figure 5, the device includes:
[0157] The receiving module 501 is used to receive data packets sent by the Network Address Translation (NAT) gateway;
[0158] The acquisition module 502 is used to acquire the target Elastic Internet Protocol (EIP) address in the data packet;
[0159] The determining module 503 is used to determine the target tenant corresponding to the target EIP address based on the stored EIP address corresponding to each tenant.
[0160] The acquisition module 502 is also used to acquire the internal network IP address stored by the NAT gateway for the target tenant;
[0161] Replacement module 504 is used to replace the target EIP address with the internal network IP address;
[0162] The determining module 503 is further configured to determine the target virtual security device corresponding to the target tenant based on the stored relationship between each tenant and the virtual security device;
[0163] The sending module 505 is used to send the replaced data packet to the target virtual security device so that the target virtual security device can verify the received data packet.
[0164] In one possible implementation, the determining module 503 is specifically used to determine the target gateway instance identifier corresponding to the target tenant based on the stored relationship between each tenant and the gateway instance identifier;
[0165] The acquisition module 502 is specifically used to acquire the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
[0166] In one possible implementation, the acquisition module 502 is further configured to acquire the target port number in the data packet; acquire the internal network port number stored by the NAT gateway for the target tenant; replace the target EIP address with the internal network IP address; and replace the target port number with the internal network port number.
[0167] In one possible implementation, the replacement module 504 is further configured to replace the internal network IP address in the target response data packet with the target EIP address if a target response data packet returned by the target virtual security device is received;
[0168] The sending module 505 is also used to send the replaced target response data packet to the NAT gateway.
[0169] In one possible implementation, the receiving module 501 is specifically configured to receive a response data packet returned by any virtual security device;
[0170] The acquisition module 502 is further configured to acquire the Virtual Extensible Local Area Network (VXLAN) identifier in the response data packet;
[0171] The determining module is specifically used to determine the response data packet as the target response data packet returned by the target virtual security device if the VXLAN identifier is consistent with the target VXLAN identifier corresponding to the target virtual security device.
[0172] In one possible implementation, the replacement module 504 is further configured to replace the internal network port number in the target response data packet with the target port number.
[0173] Figure 6 is another structural schematic diagram of the data packet verification device provided in the embodiments of this application. As shown in Figure 6:
[0174] The device includes a NAT gateway information synchronization module 601, a tenant information synchronization module 602, an EIP mapping management module 603, a NAT mapping management module 604, a packet conversion module 605, and a packet sending and receiving module 606.
[0175] Among them, the NAT gateway information synchronization module 601 is used to obtain the mapping rules saved by the NAT gateway for the tenant.
[0176] The tenant information synchronization module 602 is used to synchronize tenant information with the cloud security management platform, including obtaining the tenant's EIP address configuration information, the tenant's NAT gateway instance identifier, and the tenant's security service chain information.
[0177] The EIP mapping management module 603 is used to maintain the correspondence between the EIP addresses of each tenant and the security service chain mapping table of each tenant. It can query the tenant based on the target EIP address, determine the gateway instance identifier corresponding to the tenant, and determine the target virtual security device corresponding to the tenant.
[0178] The NAT mapping management module 604 is used to maintain and manage the mapping rules stored by the NAT gateway for each tenant. It determines the corresponding internal network IP address and internal network port number based on the target EIP address and target port number in the data packet, and determines the corresponding target EIP address and target port number based on the internal network IP address and internal network port number in the response data packet.
[0179] The packet translation module 605 executes the IP address translation strategy: for packets received from the NAT gateway, it replaces the destination EIP address and destination port number with the VPC internal IP address and internal service port number, sets the outer destination IP address of the VXLAN encapsulation according to the IP address of the first virtual security device in the security service chain of the tenant corresponding to that EIP, and encapsulates the packet; for response packets, it replaces the VPC internal IP address and internal service port number back with the corresponding destination EIP address and destination port number.
[0180] The data packet transceiver module 606 is used to receive and send data packets.
[0181] Example 7:
[0182] Figure 7 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Based on the above embodiments, this application also provides an electronic device. As shown in Figure 7, it includes: a processor 701, a communication interface 702, a memory 703 and a communication bus 704, wherein the processor 701, the communication interface 702 and the memory 703 communicate with each other through the communication bus 704.
[0183] The memory 703 stores a computer program, which, when executed by the processor 701, causes the processor 701 to perform the following steps:
[0184] Receive data packets sent by the Network Address Translation (NAT) gateway and obtain the target Elastic Internet Protocol (EIP) address from the data packets;
[0185] Based on the saved EIP address corresponding to each tenant, determine the target tenant corresponding to the target EIP address;
[0186] Obtain the internal network IP address stored by the NAT gateway for the target tenant, and replace the target EIP address with the internal network IP address;
[0187] Based on the stored relationship between each tenant and the virtual security device, the target virtual security device corresponding to the target tenant is determined, and the replaced data packet is sent to the target virtual security device so that the target virtual security device can verify the received data packet.
[0188] In one possible implementation, the processor 701 is further configured to determine the target gateway instance identifier corresponding to the target tenant based on the stored relationship between each tenant and the gateway instance identifier;
[0189] Obtain the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
[0190] In one possible implementation, the processor 701 is further configured to obtain the target port number in the data packet;
[0191] The step of replacing the target EIP address with the internal network IP address includes:
[0192] Obtain the internal network port number stored by the NAT gateway for the target tenant;
[0193] Replace the target EIP address with the internal network IP address, and replace the target port number with the internal network port number.
[0194] In one possible implementation, the processor 701 is further configured to, if a target response data packet returned by the target virtual security device is received, replace the internal network IP address in the target response data packet with the target EIP address;
[0195] The replaced target response packet is sent to the NAT gateway.
[0196] In one possible implementation, the processor 701 is further configured to receive a response data packet returned by any virtual security device;
[0197] Obtain the Virtual Extensible Local Area Network (VXLAN) identifier from the response data packet;
[0198] If the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, then the response data packet is determined to be the target response data packet returned by the target virtual security device.
[0199] In one possible implementation, the processor 701 is further configured to replace the internal network port number in the target response data packet with the target port number.
[0200] The communication bus mentioned in the above-mentioned electronic device can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in the figure, but this does not indicate that there is only one bus or one type of bus. The communication interface 702 is used for communication between the above-mentioned electronic device and other devices. The memory can include random access memory (RAM), or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory can also be at least one storage device located remotely from the aforementioned processor. The aforementioned processor can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processing unit (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
[0201] Example 8:
[0202] Based on the above embodiments, this application also provides a computer-readable storage medium storing a computer program executable by a processor. When the program is run on the processor, the processor executes the following steps:
[0203] Receive data packets sent by the Network Address Translation (NAT) gateway and obtain the target Elastic Internet Protocol (EIP) address from the data packets;
[0204] Based on the saved EIP address corresponding to each tenant, determine the target tenant corresponding to the target EIP address;
[0205] Obtain the internal network IP address stored by the NAT gateway for the target tenant, and replace the target EIP address with the internal network IP address;
[0206] Based on the stored relationship between each tenant and the virtual security device, the target virtual security device corresponding to the target tenant is determined, and the replaced data packet is sent to the target virtual security device so that the target virtual security device can verify the received data packet.
[0207] In one possible implementation, obtaining the internal network IP address stored by the NAT gateway for the target tenant includes:
[0208] Based on the stored relationship between each tenant and the gateway instance identifier, the target gateway instance identifier corresponding to the target tenant is determined;
[0209] Obtain the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
[0210] In one possible implementation, before replacing the target EIP address with the internal network IP address, the method further includes:
[0211] Obtain the target port number from the data packet;
[0212] The step of replacing the target EIP address with the internal network IP address includes:
[0213] Obtain the internal network port number stored by the NAT gateway for the target tenant;
[0214] Replace the target EIP address with the internal network IP address, and replace the target port number with the internal network port number.
[0215] In one possible implementation, the method further includes:
[0216] If a target response data packet is received from the target virtual security device, the internal network IP address in the target response data packet is replaced with the target EIP address;
[0217] The replaced target response packet is sent to the NAT gateway.
[0218] In one possible implementation, receiving the target response data packet returned by the target virtual security device includes:
[0219] Receive response data packets returned by any virtual security device;
[0220] Obtain the Virtual Extensible Local Area Network (VXLAN) identifier from the response data packet;
[0221] If the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, then the response data packet is determined to be the target response data packet returned by the target virtual security device.
[0222] In one possible implementation, after replacing the internal network IP address in the target response packet with the target EIP address and before sending the replaced target response packet to the NAT gateway, the method further includes:
[0223] Replace the internal network port number in the target response data packet with the target port number.
[0224] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0225] For system / device embodiments, since they are basically similar to method embodiments, the description is relatively simple, and relevant parts can be referred to in the description of the method embodiments.
[0226] This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0227] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0228] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0229] Although preferred embodiments of this application have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments.
[0230] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. A data packet verification method, characterized in that the method includes: receiving data packets sent by the Network Address Translation (NAT) gateway and obtaining the target Elastic Internet Protocol (EIP) address from the data packets; based on the saved EIP address corresponding to each tenant, determining the target tenant corresponding to the target EIP address; obtaining the internal network IP address stored by the NAT gateway for the target tenant, and replacing the target EIP address with the internal network IP address; based on the stored relationship between each tenant and the virtual security device, determining the target virtual security device corresponding to the target tenant, and sending the replaced data packet to the target virtual security device so that the target virtual security device can verify the received data packet; wherein the step of determining the target virtual security device corresponding to the target tenant based on the stored relationship between each tenant and the virtual security device includes: based on the virtual extended LAN corresponding to each tenant, determining the target virtual extended LAN corresponding to the target tenant, wherein the virtual extended LAN includes at least one virtual security device; if the target virtual extended LAN includes one virtual security device, using that virtual security device as the target virtual security device corresponding to the target tenant; if the target virtual extended LAN includes multiple virtual security devices, and the multiple virtual security devices are connected in pairs to form a security service chain, taking the first virtual security device in the security service chain as the target virtual security device corresponding to the target tenant.
2. The method according to claim 1, characterized in that the step of obtaining the internal network IP address stored by the NAT gateway for the target tenant includes: based on the stored relationship between each tenant and the gateway instance identifier, determining the target gateway instance identifier corresponding to the target tenant; obtaining the internal network IP address stored by the NAT gateway for the target gateway instance identifier.
3. The method according to claim 1, characterized in that, before replacing the target EIP address with the internal network IP address, the method further includes: obtaining the target port number from the data packet; and the step of replacing the target EIP address with the internal network IP address includes: obtaining the internal network port number stored by the NAT gateway for the target tenant; replacing the target EIP address with the internal network IP address, and replacing the target port number with the internal network port number.
4. The method according to claim 3, characterized in that the method further includes: if a target response data packet is received from the target virtual security device, replacing the internal network IP address in the target response data packet with the target EIP address; and sending the replaced target response data packet to the NAT gateway.
5. The method according to claim 4, characterized in that receiving the target response data packet from the target virtual security device includes: receiving a response data packet returned by any virtual security device; obtaining the Virtual Extended Local Area Network (VXLAN) identifier from the response data packet; if the VXLAN identifier matches the target VXLAN identifier corresponding to the target virtual security device, determining that the response data packet is the target response data packet returned by the target virtual security device.
6. The method according to claim 4, characterized in that, after replacing the internal network IP address in the target response data packet with the target EIP address and before sending the replaced target response data packet to the NAT gateway, the method further includes: replacing the internal network port number in the target response data packet with the target port number.
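The forward and response paths claimed in claims 1 to 6 can be modelled as a small table-driven rewriter. The Python below is an added illustration, not code from the patent or its assignee. It assumes that the packets arriving from the NAT gateway carry the EIP in the source address and port (the outbound, post-SNAT direction; the claims do not fix the direction), that the NAT gateway's binding table is keyed per gateway instance by (EIP, EIP port), and that each VXLAN carries an ordered list of security device names of which the first is the service-chain entry. All addresses, tenant names, gateway instance identifiers, VXLAN identifiers and device names are constructed placeholders.

```python
from dataclasses import dataclass, field, replace as dc_replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal model of a data packet: the 4-tuple plus the VXLAN identifier of the tunnel it arrived on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vni: Optional[int] = None


@dataclass
class Tables:
    # Saved EIP address per tenant (claim 1), indexed by EIP for lookup.
    eip_to_tenant: Dict[str, str]
    # Saved relationship between tenant and NAT gateway instance identifier (claim 2).
    tenant_to_gateway: Dict[str, str]
    # Assumed NAT gateway state per gateway instance: (EIP, EIP port) -> (internal IP, internal port) (claims 2, 3).
    nat_bindings: Dict[str, Dict[Tuple[str, int], Tuple[str, int]]]
    # Saved VXLAN per tenant and the ordered security service chain inside each VXLAN (claim 1).
    tenant_to_vni: Dict[str, int]
    vni_chain: Dict[int, List[str]]


def build_demo_tables() -> Tables:
    """Constructed sample state; every value is an illustrative placeholder."""
    return Tables(
        eip_to_tenant={"203.0.113.10": "tenant-a", "203.0.113.20": "tenant-b"},
        tenant_to_gateway={"tenant-a": "natgw-01", "tenant-b": "natgw-02"},
        nat_bindings={
            "natgw-01": {("203.0.113.10", 40001): ("10.0.1.25", 52000)},
            "natgw-02": {("203.0.113.20", 40002): ("10.0.2.8", 53000)},
        },
        tenant_to_vni={"tenant-a": 5001, "tenant-b": 5002},
        # tenant-a has a two-device chain, tenant-b a single device.
        vni_chain={5001: ["fw-1", "ids-1"], 5002: ["waf-1"]},
    )


@dataclass
class Verifier:
    """The virtual machine of the claims: rewrites addresses and dispatches to the tenant's security device."""
    tables: Tables
    # Log of (destination, packet) pairs handed off, so the example can be inspected.
    sent: List[Tuple[str, Packet]] = field(default_factory=list)
    # Reverse mapping for the response path: (VNI, internal IP, internal port) -> (EIP, EIP port).
    pending: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def handle_from_nat(self, pkt: Packet) -> Optional[str]:
        """Forward path (claims 1-3). Returns the target device name, or None when the packet is dropped."""
        eip, eip_port = pkt.src_ip, pkt.src_port
        tenant = self.tables.eip_to_tenant.get(eip)
        if tenant is None:
            return None  # EIP not saved for any tenant: cannot locate a host
        gateway = self.tables.tenant_to_gateway.get(tenant)
        binding = self.tables.nat_bindings.get(gateway, {}).get((eip, eip_port))
        if binding is None:
            return None  # NAT gateway holds no internal address for this EIP/port
        internal_ip, internal_port = binding
        vni = self.tables.tenant_to_vni[tenant]
        chain = self.tables.vni_chain.get(vni, [])
        if not chain:
            return None  # tenant VXLAN has no security device
        target = chain[0]  # single device, or first device of the service chain
        rewritten = dc_replace(pkt, src_ip=internal_ip, src_port=internal_port, vni=vni)
        self.pending[(vni, internal_ip, internal_port)] = (eip, eip_port)
        self.sent.append((target, rewritten))
        return target

    def handle_from_security_device(self, pkt: Packet) -> Optional[Packet]:
        """Response path (claims 4-6): accept only packets whose VNI matches the target device's VXLAN."""
        binding = self.pending.get((pkt.vni, pkt.src_ip, pkt.src_port))
        if binding is None:
            return None  # VNI does not identify the target device's VXLAN: not the target response
        eip, eip_port = binding
        restored = dc_replace(pkt, src_ip=eip, src_port=eip_port, vni=None)
        self.sent.append(("nat-gateway", restored))
        return restored
```

The two lookups that can fail (unknown EIP, missing NAT binding) both end in a drop rather than forwarding an unrewritten packet, and the response path consults the VNI before any address is restored, which is the check claim 5 relies on to keep one tenant's security device from answering for another.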
7. A data packet verification system, characterized in that the system includes: a NAT gateway, a virtual machine, and at least one virtual security device; the NAT gateway is used to send data packets to the virtual machine; the virtual machine is configured to receive data packets sent by the NAT gateway and obtain the target EIP address in the data packets; determine the target tenant corresponding to the target EIP address based on the saved EIP address corresponding to each tenant; obtain the internal network IP address saved by the NAT gateway for the target tenant and replace the target EIP address with the internal network IP address; determine the target virtual security device corresponding to the target tenant based on the saved relationship between each tenant and the virtual security device, and send the replaced data packet to the target virtual security device; the virtual security device is used to verify the received data packets; the virtual machine is specifically used to determine the target virtual extended LAN corresponding to the target tenant based on the virtual extended LAN corresponding to each tenant, wherein the virtual extended LAN includes at least one virtual security device; if the target virtual extended LAN includes one virtual security device, that virtual security device is used as the target virtual security device corresponding to the target tenant; if the target virtual extended LAN includes multiple virtual security devices, and the multiple virtual security devices are connected in pairs to form a security service chain, the first virtual security device in the security service chain is used as the target virtual security device corresponding to the target tenant.
8. The system according to claim 7, characterized in that the virtual security device is further configured to, if it determines that the verification result of the received data packet is valid, send the data packet as a response data packet to the virtual machine, and otherwise intercept the data packet; the virtual machine is further configured to receive a response data packet returned by the virtual security device; obtain the Virtual Extended Local Area Network (VXLAN) identifier in the response data packet; and if the VXLAN identifier is consistent with the target VXLAN identifier corresponding to the target virtual security device, determine that the response data packet is the target response data packet returned by the target virtual security device.
9. The system according to claim 8, characterized in that the virtual machine is further configured to, upon receiving a target response data packet returned by the target virtual security device, replace the internal network IP address in the target response data packet with the target EIP address, and send the replaced target response data packet to the NAT gateway; the NAT gateway is further used to receive the target response data packet and perform network communication based on the target response data packet.
10. A data packet verification device, characterized in that the device includes: a receiving module, used to receive data packets sent by the Network Address Translation (NAT) gateway; an acquisition module, used to acquire the target Elastic Internet Protocol (EIP) address in the data packet; a determination module, used to determine the target tenant corresponding to the target EIP address based on the stored EIP address corresponding to each tenant; the acquisition module is further used to acquire the internal network IP address stored by the NAT gateway for the target tenant; a replacement module, used to replace the target EIP address with the internal network IP address; the determination module is further configured to determine the target virtual security device corresponding to the target tenant based on the stored relationship between each tenant and the virtual security device; a sending module, used to send the replaced data packet to the target virtual security device so that the target virtual security device can verify the received data packet; the determination module is specifically used to determine the target virtual extended LAN corresponding to the target tenant based on the virtual extended LAN corresponding to each tenant, wherein the virtual extended LAN includes at least one virtual security device; if the target virtual extended LAN includes one virtual security device, that virtual security device is used as the target virtual security device corresponding to the target tenant; if the target virtual extended LAN includes multiple virtual security devices, and the multiple virtual security devices are connected in pairs to form a security service chain, the first virtual security device in the security service chain is used as the target virtual security device corresponding to the target tenant.
11. An electronic device, characterized in that the electronic device includes at least a processor and a memory, wherein the processor is configured to execute a computer program stored in the memory to implement the steps of the data packet verification method according to any one of claims 1-6.
12. A computer-readable storage medium, characterized in that it stores a computer program that, when executed by a processor, implements the steps of the data packet verification method according to any one of claims 1-6.