Patent classifications
H04L61/255
DETECTING SHARED ACCESS
A method and a device for detecting shared access are provided in the present disclosure. The method comprises: receiving an application layer packet from a user terminal; extracting a public network IP accessed by the user terminal and a data stream feature from the received application layer packet, where the data stream feature may uniquely identify the user terminal; determining a number of user terminals which access the public network IP according to the data stream feature; and determining that there is shared access for the public network IP if the number of user terminals accessing the public network IP is greater than a first threshold.
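The counting logic described in this abstract, as an added example that is not part of the patent or its filing. It assumes the "data stream feature" is a per-terminal fingerprint string extracted from each application-layer packet together with the public source IP; the record format and the sample records are constructed for the example.

```python
# Added example (not from the patent): flag a public IP that fronts more distinct
# terminals than a threshold allows. The per-terminal fingerprint and the record
# layout are assumptions made for this example.
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records, one per application-layer packet: "src" is the public
# IP the gateway saw, "feature" the fingerprint extracted from the packet.
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z src=203.0.113.10 feature=ua:Firefox/125;os:win10;tz:+8",
    "2024-05-01T10:00:02Z src=203.0.113.10 feature=ua:Firefox/125;os:win10;tz:+8",
    "2024-05-01T10:00:03Z src=203.0.113.10 feature=ua:Safari/17;os:ios17;tz:+8",
    "2024-05-01T10:00:04Z src=203.0.113.10 feature=ua:Chrome/124;os:android14;tz:+8",
    "2024-05-01T10:00:05Z src=203.0.113.10 feature=ua:curl/8.5;os:linux;tz:+8",
    "2024-05-01T10:00:06Z src=198.51.100.7 feature=ua:Chrome/124;os:win11;tz:+1",
    "2024-05-01T10:00:07Z src=198.51.100.7 feature=ua:Chrome/124;os:win11;tz:+1",
    "2024-05-01T10:00:08Z this line carries no extractable fields",
]

LINE_RE = re.compile(r"\bsrc=(?P<ip>[0-9.]+)\s+feature=(?P<feature>\S+)")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (public_ip, data_stream_feature); None if the line lacks either field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("feature")


def count_terminals(lines: List[str]) -> Dict[str, int]:
    """Number of distinct terminals (distinct features) seen behind each public IP."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed record: skip it rather than miscount
        ip, feature = parsed
        seen.setdefault(ip, set()).add(feature)
    return {ip: len(features) for ip, features in seen.items()}


def detect_shared_access(lines: List[str], threshold: int) -> Dict[str, int]:
    """Public IPs whose terminal count exceeds the threshold (strictly greater, as the
    abstract states), mapped to that count."""
    return {ip: n for ip, n in count_terminals(lines).items() if n > threshold}


if __name__ == "__main__":
    print(detect_shared_access(SAMPLE_LINES, threshold=3))  # {'203.0.113.10': 4}
```

The result is only as good as the feature: terminals built from the same image collapse into one, and a client-controlled field such as a User-Agent can be spoofed, so a threshold tuned on such features should be expected to miss some shared access rather than to over-report it.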
System and method for dynamically configuring a DHCP server in a virtual network environment
Techniques for dynamically configuring a dynamic host configuration protocol (DHCP) server in a virtual network environment are described. In one example embodiment, DHCP bindings are configured using virtual machine (VM) inventory objects. Further, the configured DHCP bindings are transformed by replacing the VM inventory objects in the configured DHCP bindings with associated media access control (MAC) addresses using a VM object attribute table. Furthermore, the transformed DHCP bindings are sent to the DHCP server for assigning Internet protocol (IP) addresses to multiple VMs running on a plurality of host computing systems in a computing network.
IMPLEMENTING A MULTI-REGIONAL CLOUD BASED NETWORK USING NETWORK ADDRESS TRANSLATION
Provided herein are systems, devices and methods for applying address translation to network traffic originating from client devices having dynamic Internet Protocol (IP) addresses, so as to support IP based security measures, using a gateway configured to connect a plurality of client devices used by a plurality of users to a plurality of cloud based networks. The gateway may receive, from a client device assigned a dynamic IP address, credentials of the user using that client device; access a translation record mapping the user, identified by those credentials, to a respective unique static IP address; adjust the source address of each packet received from the client device to the static IP address; and forward each adjusted packet to a security engine configured to apply one or more security policies to each adjusted packet before transmitting it to the cloud based network(s). The security policies are applied according to the static IP address.
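The gateway flow described above, as an added example that is not the patent's own code: a user authenticates from a dynamic address, the gateway binds that address to the user's unique static IP, rewrites each packet's source, and the security engine decides on the static IP alone. The credential check, the translation records, the policy table and all addresses are constructed for this example.

```python
# Added example (not from the patent): identity-bound source NAT in front of an
# IP based security engine. Credentials, translation records, the policy table
# and the addresses are constructed for this example.
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # source IP as seen by the gateway (the client's dynamic address)
    dst: str
    dst_port: int
    payload: bytes = b""


# Translation records: user -> unique static IP
TRANSLATION_RECORDS = {"alice@example.com": "10.100.0.11", "bob@example.com": "10.100.0.12"}
# IP based policy: static IP -> destination ports the user may reach
POLICY: Dict[str, Set[int]] = {"10.100.0.11": {443}, "10.100.0.12": {443, 22}}
# Stand-in for the gateway's credential store: user -> shared secret
CREDENTIALS = {"alice@example.com": "tok-alice", "bob@example.com": "tok-bob"}


def unique_static_ips(records: Dict[str, str]) -> bool:
    """Policy is keyed by static IP, so two users sharing one IP would inherit each
    other's rules; a record set like that must be rejected before use."""
    return len(set(records.values())) == len(records)


class Gateway:
    def __init__(self, records: Dict[str, str], policy: Dict[str, Set[int]],
                 credentials: Dict[str, str]) -> None:
        if not unique_static_ips(records):
            raise ValueError("translation records must map each user to a unique static IP")
        self.records, self.policy, self.credentials = records, policy, credentials
        self.sessions: Dict[str, str] = {}   # dynamic client IP -> authenticated user

    def authenticate(self, client_ip: str, user: str, secret: str) -> bool:
        """Bind client_ip to user only after the credentials check out."""
        expected = self.credentials.get(user, "")
        if not hmac.compare_digest(expected, secret) or user not in self.records:
            return False
        self.sessions[client_ip] = user
        return True

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source to the user's static IP. A client IP with no session
        (never authenticated, or re-addressed by DHCP since) gets None."""
        user = self.sessions.get(pkt.src)
        if user is None:
            return None
        return replace(pkt, src=self.records[user])

    def security_engine(self, pkt: Packet) -> bool:
        """Apply policy on the static source IP only."""
        return pkt.dst_port in self.policy.get(pkt.src, set())

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Decision plus the packet that would leave towards the cloud network."""
        adjusted = self.translate(pkt)
        if adjusted is None:
            return "drop:unauthenticated", None
        if not self.security_engine(adjusted):
            return "drop:policy", None
        return "forward", adjusted
```

Because the session is keyed by the dynamic address, a lease change silently turns the client back into an unauthenticated sender, which is the safe default: the mapping is re-established only when the user presents credentials again.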
Cloud device and method for network device discovering
A network device discovery method receives registration information from the network devices which are registered to the cloud device, and generates a management list recording the registration information and the management status of each registered network device. When a request from a specified client device to search for the specified network devices of a specified network manager is received, the discovery method retrieves from the management list the specified network devices managed by that network manager. The discovery method further searches for target network devices which have the same public Internet Protocol (IP) addresses as the specified network devices, and presents to the specified client device, for the specified network manager, those target network devices which are not yet managed by any network manager.
Network address translation
A NAT method, apparatus and device are provided. According to the method, a target IP address and its reference port are obtained from a NAT resource pool, the reference port being a port in a corresponding consecutive port range. A first five-tuple is generated based on the target IP address, the reference port and an original five-tuple of the packet, and a second five-tuple is obtained by masking first-class bits of the reference port of the first five-tuple. Based on a hash result of the second five-tuple, a target bit indicating a non-conflicting state is determined from a pre-constructed bitmap. The state indicated by the target bit is set to be a conflicting state, and a target five-tuple is generated based on the target bit. The target five-tuple and the original five-tuple are recorded in a session table, and the packet is NAT-processed based on the target five-tuple.
Certificate management in segregated computer networks
Techniques for managing certificates in segregated networks are disclosed. One example technique includes, upon receiving executable instructions of a software application and a reference table containing entries of reference objects in the software application, identifying for each of the reference objects a digital certificate independently obtained by the segregated network. The method also includes generating a mapping table having entries individually identifying the reference objects and data representing the digital certificates. The method further includes deploying the software application, along with the generated mapping table, for execution to one or more of the servers in the segregated network. During execution, the software application can dereference one of the reference objects to locate, in the generated mapping table, the digital certificate corresponding to that reference object.
NETWORK ADDRESS TRANSLATION BETWEEN NETWORKS
Techniques for performing NAT operations to send packets between networks are described. In an example, a network device receives a packet that comprises a header. The header indicates a source address of a first computing resource in a first network and a destination address of a second computing resource in a second network. The network device determines a pool of identifiers allocated for the first network and the second computing resource and identifies a packet flow based on the header. The network device also determines that no identifier from the pool of identifiers has been allocated for the packet flow and determines an identifier available to allocate for the packet flow from the pool of identifiers. The network device performs a NAT operation on the packet based on the identifier.
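The bitmap port allocation of "Network address translation" above and the per-flow identifier pool of this abstract, as one added example that is not code from either patent. It takes the masked "first-class bits" of the reference port to be the low-order bits that index a port within its consecutive range; because the hashed five-tuple includes the destination, the bitmap is effectively an identifier pool per (public address, destination) pair, which is the shape this abstract describes. The range size, bitmap size, CRC32 as the hash and all addresses are choices made for the example.

```python
# Added example (not from either patent): NAT port allocation with a bitmap indexed
# by a hash of the five-tuple whose reference-port low bits are masked. RANGE_SIZE,
# NUM_BUCKETS, CRC32 as the hash and the addresses are assumptions for this example.
import zlib
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, int]   # (src_ip, src_port, dst_ip, dst_port, proto)

RANGE_SIZE = 64                  # ports per consecutive range
RANGE_MASK = RANGE_SIZE - 1      # the masked (low-order) bits of the reference port
NUM_BUCKETS = 4096               # entries in the pre-constructed bitmap


class NatAllocator:
    def __init__(self, pool: List[Tuple[str, int]]) -> None:
        # Pool entries are (public_ip, reference_port); each reference port must be the
        # aligned start of its range, so the range is [port, port + RANGE_SIZE).
        for _, port in pool:
            if port & RANGE_MASK:
                raise ValueError(f"reference port {port} is not aligned to {RANGE_SIZE}")
        self.pool = pool
        self.bitmap = [0] * NUM_BUCKETS          # bit i set => port base+i is taken in that bucket
        self.sessions: Dict[FiveTuple, FiveTuple] = {}   # original -> target
        self.reverse: Dict[FiveTuple, FiveTuple] = {}    # target -> original

    @staticmethod
    def _bucket(second: FiveTuple) -> int:
        # Deterministic hash; Python's own str hash is salted per process.
        return zlib.crc32("|".join(map(str, second)).encode()) % NUM_BUCKETS

    @staticmethod
    def _masked(five: FiveTuple) -> FiveTuple:
        """The second five-tuple: the port's in-range bits masked off."""
        return (five[0], five[1] & ~RANGE_MASK) + five[2:]

    def allocate(self, original: FiveTuple) -> Optional[FiveTuple]:
        """Target five-tuple for the flow, allocating one on first sight. None means the
        pool has no free port towards this destination and the packet should be dropped."""
        if original in self.sessions:
            return self.sessions[original]
        _, _, dst_ip, dst_port, proto = original
        for target_ip, ref_port in self.pool:
            first = (target_ip, ref_port, dst_ip, dst_port, proto)
            second = self._masked(first)
            b = self._bucket(second)
            bits = self.bitmap[b]
            for i in range(RANGE_SIZE):
                if not bits & (1 << i):                 # a bit in the non-conflicting state
                    self.bitmap[b] = bits | (1 << i)    # now marked conflicting
                    target = (target_ip, second[1] + i, dst_ip, dst_port, proto)
                    self.sessions[original] = target    # session table, both directions
                    self.reverse[target] = original
                    return target
        return None

    def inbound(self, target: FiveTuple) -> Optional[FiveTuple]:
        """Reverse translation for a returning packet; None if no session matches."""
        return self.reverse.get(target)

    def release(self, original: FiveTuple) -> None:
        """Tear down a session and return its bit to the non-conflicting state."""
        target = self.sessions.pop(original)
        del self.reverse[target]
        self.bitmap[self._bucket(self._masked(target))] &= ~(1 << (target[1] & RANGE_MASK))
```

Since the bucket depends on the destination, the same (public IP, port) can be handed to flows towards different destinations and the full target five-tuple keeps return traffic unambiguous; two destinations whose masked tuples collide in the hash merely share a bitmap and allocate conservatively, never incorrectly.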
COMMUNICATION METHOD AND APPARATUS
This application relates to the field of communication technologies, and discloses a communication method and apparatus, to improve a ratio of translation between an external network IP address and an internal network IP address, and improve utilization of the external network IP address. The method includes: receiving an outbound packet sent by an internal network device to an external network, where the outbound packet carries an internal network Transaction-ID, and the Transaction-ID marks a group including a domain name system DNS outbound packet and a corresponding inbound packet; assigning an external network IP, an external network port number, and an external network Transaction-ID to the outbound packet; and replacing a source IP, a source port number, and the internal network Transaction-ID of the outbound packet with the external network IP, the external network port number, and the external network Transaction-ID, and then sending the outbound packet.
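The DNS translation described above, as an added example that is not the patent's code: every internal client shares one external IP and port, and the rewritten Transaction-ID is what routes each reply back to the right client. The query builder, the addresses and the single shared external port are constructed for the example; entries are removed when the reply arrives, and a real gateway would also age out replies that never come.

```python
# Added example (not from the patent): DNS-aware NAT that multiplexes all internal
# clients onto one external (IP, port) and demultiplexes replies on a translated
# Transaction-ID. Addresses, ports and the query builder are constructed here.
import secrets
import struct
from typing import Dict, Optional, Tuple

Key = Tuple[str, int, int]       # (external_ip, external_port, external_txid)
Inner = Tuple[str, int, int]     # (internal_ip, internal_port, internal_txid)


def build_query(txid: int, name: str) -> bytes:
    """Minimal RFC 1035 query for an A record (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN


def txid_and_qr(msg: bytes) -> Tuple[int, bool]:
    """Transaction-ID and the QR bit (True for a response) from the DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000)


def with_txid(msg: bytes, txid: int) -> bytes:
    return struct.pack("!H", txid) + msg[2:]


def as_response(query: bytes) -> bytes:
    """Turn a query into a bare response by setting QR (constructed test input)."""
    flags = struct.unpack("!H", query[2:4])[0] | 0x8000
    return query[:2] + struct.pack("!H", flags) + query[4:]


class DnsNat:
    def __init__(self, external_ip: str, external_port: int) -> None:
        self.ext_ip, self.ext_port = external_ip, external_port   # shared by every client
        self.pending: Dict[Key, Inner] = {}   # outstanding queries keyed by external id

    def outbound(self, src_ip: str, src_port: int, msg: bytes) -> Tuple[str, int, bytes]:
        """Assign an external IP, port and Transaction-ID and rewrite the query."""
        int_txid, qr = txid_and_qr(msg)
        if qr:
            raise ValueError("outbound DNS message is not a query")
        # Fresh external id, unique among outstanding queries on this (ip, port).
        # Drawing it at random rather than counting keeps it unguessable to an
        # off-path spoofer (RFC 5452).
        for _ in range(256):
            ext_txid = secrets.randbelow(1 << 16)
            key = (self.ext_ip, self.ext_port, ext_txid)
            if key not in self.pending:
                break
        else:
            raise RuntimeError("too many outstanding queries on this external port")
        self.pending[key] = (src_ip, src_port, int_txid)
        return self.ext_ip, self.ext_port, with_txid(msg, ext_txid)

    def inbound(self, dst_ip: str, dst_port: int, msg: bytes) -> Optional[Tuple[str, int, bytes]]:
        """Map a reply back to its client; None drops unsolicited or duplicate replies."""
        ext_txid, qr = txid_and_qr(msg)
        if not qr:
            return None
        inner = self.pending.pop((dst_ip, dst_port, ext_txid), None)
        if inner is None:
            return None
        int_ip, int_port, int_txid = inner
        return int_ip, int_port, with_txid(msg, int_txid)
```

The point of the scheme is visible in the test: two clients with the same source port and the same Transaction-ID leave through one external port and still get their own replies back, so a port is no longer consumed per client, only a 16-bit id per outstanding query.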
Hybrid and efficient method to sync NAT sessions
The method synchronizes network address translation (NAT) records between an active gateway and a standby gateway. The method of some embodiments synchronizes NAT records of long-term data flows more frequently than those of short-term flows. Multiple data flows pass between a device at an internal source address and a device at an external destination address through the active NAT gateway. For each flow, the method generates a NAT record. The method then determines whether the data flow is a short-term flow or a long-term flow and synchronizes the NAT records of the long-term flows, but not the NAT records of the short-term flows, with the standby gateway. The method of some embodiments synchronizes NAT records more frequently when NAT records are being generated quickly relative to prior generation rates and less frequently when they are being generated slowly relative to the prior generation rates.
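The two behaviours in this abstract, as an added example that is not the patent's code: the active gateway pushes only the records of long-term flows to the standby, and it shortens or lengthens its sync interval according to whether records are being created faster or slower than in the previous period. The rule for what counts as long-term (well-known long-lived service ports, or any flow older than a fixed age), the interval bounds and the timestamps are assumptions made for the example.

```python
# Added example (not from the patent): active/standby NAT record sync that ships
# only long-term flows and adapts its interval to the record creation rate. The
# long-term rule, the interval bounds and all addresses are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
LONG_TERM_PORTS = {22, 443, 5060}    # services whose flows are expected to be long-lived
LONG_TERM_AGE = 30.0                 # seconds; any flow older than this is long-term too
BASE_INTERVAL, MIN_INTERVAL, MAX_INTERVAL = 10.0, 1.0, 60.0


@dataclass
class NatRecord:
    src: Endpoint        # internal source address and port
    dst: Endpoint        # external destination address and port
    ext: Endpoint        # translated source on the gateway
    created: float
    synced: bool = False

    @property
    def key(self) -> Tuple[Endpoint, Endpoint]:
        return self.src, self.dst


class StandbyGateway:
    def __init__(self) -> None:
        self.records: Dict[Tuple[Endpoint, Endpoint], NatRecord] = {}

    def receive(self, batch: List[NatRecord]) -> None:
        for rec in batch:   # store copies so the two gateways never share objects
            self.records[rec.key] = NatRecord(rec.src, rec.dst, rec.ext, rec.created, synced=True)


class ActiveGateway:
    def __init__(self, ext_ip: str) -> None:
        self.ext_ip, self.next_port = ext_ip, 40000
        self.records: Dict[Tuple[Endpoint, Endpoint], NatRecord] = {}
        self.created_since_sync = 0
        self.prev_rate = 0.0
        self.interval = BASE_INTERVAL

    def new_flow(self, src: Endpoint, dst: Endpoint, now: float) -> NatRecord:
        """Generate the NAT record for a flow first seen at time `now`."""
        rec = NatRecord(src, dst, (self.ext_ip, self.next_port), now)
        self.next_port += 1
        self.records[rec.key] = rec
        self.created_since_sync += 1
        return rec

    @staticmethod
    def is_long_term(rec: NatRecord, now: float) -> bool:
        return rec.dst[1] in LONG_TERM_PORTS or now - rec.created >= LONG_TERM_AGE

    def sync(self, standby: StandbyGateway, now: float) -> int:
        """Push unsynced long-term records to the standby; short-term ones stay local.
        A short-term flow that lives long enough is picked up by a later sync."""
        batch = [r for r in self.records.values() if self.is_long_term(r, now) and not r.synced]
        standby.receive(batch)
        for r in batch:
            r.synced = True
        return len(batch)

    def adjust_interval(self, elapsed: float) -> float:
        """Halve the interval when records arrive faster than in the previous period,
        double it when slower, within [MIN_INTERVAL, MAX_INTERVAL]."""
        rate = self.created_since_sync / elapsed
        if rate > self.prev_rate:
            self.interval = max(MIN_INTERVAL, self.interval / 2)
        elif rate < self.prev_rate:
            self.interval = min(MAX_INTERVAL, self.interval * 2)
        self.prev_rate, self.created_since_sync = rate, 0
        return self.interval
```

On failover the standby therefore carries the SSH, TLS and SIP sessions and any flow that has already proven long-lived, while a DNS lookup or a short HTTP fetch that was in flight is lost and simply retried by the client; that is the trade the abstract makes in exchange for less sync traffic.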