How to Begin Implementing a Network Demilitarized Zone in NS3
To implement a Demilitarized Zone (DMZ) in NS3, we replicate the network architecture in which a DMZ segment sits between the internal network and the external internet. A DMZ exposes specific services (web servers, mail servers) to outside clients while shielding the internal network: a host that is compromised in the DMZ must not gain direct access to internal resources.
Below is a step-by-step approach to implementing a DMZ in NS3:
Steps to Begin Implementing a Network Demilitarized Zone in NS3
- Understand the DMZ Concept
- DMZ Topology: a separate subnet, between the internal network and the internet, in which the publicly accessible services (web servers, mail servers) are placed.
- Purpose:
- Separate public-facing services from internal network resources, so that compromising a DMZ host does not directly expose the internal network.
- Improve security by controlling which traffic is allowed between the internal network, the DMZ, and the external network.
- Key Components:
- Firewall Rules: isolate the internal and DMZ networks and admit only the published services from outside.
- Routing Rules: direct traffic through the routers that enforce those rules.
- Set Up ns3
- Install and build the ns3 simulator, if not already done (waf-based build; the options take a double dash):
./waf configure --build-profile=debug --enable-examples --enable-tests
./waf build
- Confirm the installation by running:
./waf --run hello-simulator
- Design DMZ Topology
- Nodes: create a topology that contains internal nodes, the DMZ server, and external nodes (internet clients).
- Routers: Router1 separates the internal network from the DMZ; Router2 separates the DMZ from the external network.
Example:
[Internal Nodes] — [Router1] — [DMZ Server] — [Router2] — [External Nodes]
Caveat: in this linear chain the DMZ server is itself a hop between the two routers, and ns3 nodes forward IPv4 by default, so internal-to-external traffic transits the DMZ host. A production DMZ hangs off a dedicated firewall interface instead, so that no DMZ host sits in the path of internal traffic.
- Implement DMZ Topology in ns3
Basic Topology Code:
#include "ns3/core-module.h"
#include "ns3/network-module.h"
#include "ns3/internet-module.h"
#include "ns3/point-to-point-module.h"
#include "ns3/applications-module.h"

using namespace ns3;

int main(int argc, char *argv[])
{
    Time::SetResolution(Time::NS);
    // Print what the echo applications send and receive, so the traffic flow is visible
    LogComponentEnable("UdpEchoClientApplication", LOG_LEVEL_INFO);
    LogComponentEnable("UdpEchoServerApplication", LOG_LEVEL_INFO);

    // Create nodes: one host per segment plus the two routers that bound the DMZ
    NodeContainer internalNodes, router1, dmzServer, router2, externalNodes;
    internalNodes.Create(1); // Internal network
    router1.Create(1);
    dmzServer.Create(1);
    router2.Create(1);
    externalNodes.Create(1); // External network (internet client)

    // Configure point-to-point links
    PointToPointHelper p2p;
    p2p.SetDeviceAttribute("DataRate", StringValue("10Mbps"));
    p2p.SetChannelAttribute("Delay", StringValue("2ms"));

    // In each Install() call the first node gets device index 0 and the second index 1
    NetDeviceContainer devices1 = p2p.Install(internalNodes.Get(0), router1.Get(0)); // Internal <-> Router1
    NetDeviceContainer devices2 = p2p.Install(router1.Get(0), dmzServer.Get(0));     // Router1 <-> DMZ server
    NetDeviceContainer devices3 = p2p.Install(dmzServer.Get(0), router2.Get(0));     // DMZ server <-> Router2
    NetDeviceContainer devices4 = p2p.Install(router2.Get(0), externalNodes.Get(0)); // Router2 <-> External

    // Install the Internet stack on every node
    InternetStackHelper stack;
    stack.Install(internalNodes);
    stack.Install(router1);
    stack.Install(dmzServer);
    stack.Install(router2);
    stack.Install(externalNodes);

    // Assign one /24 per link; .1 goes to the first node of the link, .2 to the second
    Ipv4AddressHelper address;
    address.SetBase("10.1.1.0", "255.255.255.0"); // Internal network (internal node is 10.1.1.1)
    Ipv4InterfaceContainer internalInterfaces = address.Assign(devices1);
    address.SetBase("10.1.2.0", "255.255.255.0"); // Router1 to DMZ server
    Ipv4InterfaceContainer dmzInterfaces1 = address.Assign(devices2);
    address.SetBase("10.1.3.0", "255.255.255.0"); // DMZ server to Router2 (DMZ server is 10.1.3.1)
    Ipv4InterfaceContainer dmzInterfaces2 = address.Assign(devices3);
    address.SetBase("10.1.4.0", "255.255.255.0"); // Router2 to external network (external node is 10.1.4.2)
    Ipv4InterfaceContainer externalInterfaces = address.Assign(devices4);

    // Configure routing: routes computed from the whole topology
    Ipv4GlobalRoutingHelper::PopulateRoutingTables();

    // Set up a UDP echo server on the DMZ server: this is the published service
    uint16_t port = 9;
    UdpEchoServerHelper echoServer(port);
    ApplicationContainer serverApp = echoServer.Install(dmzServer.Get(0));
    serverApp.Start(Seconds(1.0));
    serverApp.Stop(Seconds(10.0));

    // Set up a UDP echo client on the external node, targeting the DMZ server's 10.1.3.1 address
    UdpEchoClientHelper echoClient(dmzInterfaces2.GetAddress(0), port);
    echoClient.SetAttribute("MaxPackets", UintegerValue(5));
    echoClient.SetAttribute("Interval", TimeValue(Seconds(1.0)));
    echoClient.SetAttribute("PacketSize", UintegerValue(1024));
    ApplicationContainer clientApp = echoClient.Install(externalNodes.Get(0));
    clientApp.Start(Seconds(2.0));
    clientApp.Stop(Seconds(10.0));

    // Run simulation
    Simulator::Stop(Seconds(11.0));
    Simulator::Run();
    Simulator::Destroy();
    return 0;
}
- Implement Firewall Rules
- Enforce access control with packet filtering at the routers, so that the filter, not the end hosts, decides which segments may talk to each other.
- Example: drop packets that the internal subnet (10.1.1.0/24) sends toward the external subnet (10.1.4.0/24). The same hook can carry the rule a DMZ most needs, denying traffic that originates in the DMZ and is destined for the internal network.
Packet Filtering Hook (define it before main(); Ipv4L3Protocol comes from the ns3/internet-module.h header already included):
    // Receive-callback hook for one of Router1's interfaces. It replaces the
    // node's default dispatcher on that device, so every frame the device
    // receives passes through here before the IPv4 layer sees it.
    static bool
    FirewallRx(Ptr<Node> node, Ptr<NetDevice> device, Ptr<const Packet> packet,
               uint16_t protocol, const Address &from)
    {
        // Only IPv4 travels over these point-to-point links; drop anything else
        if (protocol != Ipv4L3Protocol::PROT_NUMBER)
        {
            return false;
        }
        Ipv4Header ipv4Header;
        packet->PeekHeader(ipv4Header);
        Ipv4Address source = ipv4Header.GetSource();
        Ipv4Address destination = ipv4Header.GetDestination();
        Ipv4Mask slash24("255.255.255.0");

        // Deny rule: packets from the internal subnet (10.1.1.0/24) to the
        // external subnet (10.1.4.0/24) are dropped
        if (source.CombineMask(slash24) == Ipv4Address("10.1.1.0") &&
            destination.CombineMask(slash24) == Ipv4Address("10.1.4.0"))
        {
            NS_LOG_UNCOND("Firewall: Blocked packet from " << source << " to " << destination);
            return false; // Drop: the IPv4 layer never sees the packet
        }
        NS_LOG_UNCOND("Firewall: Allowed packet from " << source << " to " << destination);

        // Hand the packet to the router's IPv4 stack, which forwards it as before
        Ptr<Ipv4L3Protocol> ipv4 = node->GetObject<Ipv4L3Protocol>();
        ipv4->Receive(device, packet, protocol, from, device->GetAddress(), NetDevice::PACKET_HOST);
        return true;
    }

    // Install the hook on a router interface by overriding that device's receive callback
    void InstallFirewall(Ptr<NetDevice> device)
    {
        device->SetReceiveCallback(MakeBoundCallback(&FirewallRx, device->GetNode()));
    }
Attach Firewall to Router1 (inside main(), after the p2p.Install() calls and before Simulator::Run()):
    InstallFirewall(devices1.Get(1)); // Router1's interface toward the internal network
- Run the Simulation
- Save the script as scratch/dmz-simulation.cc, build it, then run the simulation:
./waf --run scratch/dmz-simulation
- Confirm that the DMZ works by monitoring the traffic flows: the external client's echo requests must reach the DMZ server and be answered, while packets that match the deny rule are reported as blocked by the firewall hook.
- Enhance the DMZ
- To enhance the DMZ, we can integrate:
- Web server or mail server simulations within the DMZ.
- Stateful packet filtering, which permits reply packets only for flows that the firewall has already admitted.
- FlowMonitor, to examine the traffic and confirm that the DMZ policies are applied (flows that the policy denies should show zero delivered packets).
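As an added example (not code from the original page), the following plain C++17 program implements the stateful filtering policy described in the list above: a connection-tracking table keyed on the 5-tuple, a zone policy that lets the internal network initiate flows to the DMZ and to the outside, lets external clients initiate flows only to published DMZ services, and admits everything else (including all DMZ-to-internal traffic) only as a reply to an already admitted flow, with an idle timeout so stale replies stop matching. It has no ns3 dependency so the rule logic can be compiled and tested on its own; in the simulation the same Decide() call would be made from the router's receive callback after the IPv4 and UDP headers have been peeked off the packet. The zone boundaries (10.1.1.0/24 internal, 10.1.4.0/24 external, everything else DMZ), the 30-second idle timeout, the published UDP echo service on port 9, and the sample packets are assumptions constructed for this example.

```cpp
// Stateful (connection-tracking) DMZ filter policy in plain C++17 with no ns3
// dependency. Zone boundaries, the published service and the sample packets
// are assumptions made for this example.
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <tuple>
#include <utility>

// Parses a dotted quad (assumed well formed) into a host-order integer.
uint32_t Ip(const std::string &s)
{
    uint32_t v = 0, octet = 0;
    for (char c : s)
        if (c == '.') { v = (v << 8) | octet; octet = 0; }
        else octet = octet * 10 + static_cast<uint32_t>(c - '0');
    return (v << 8) | octet;
}

// 5-tuple identifying one direction of a flow.
struct FlowKey
{
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t proto; // 17 = UDP, 6 = TCP
    bool operator<(const FlowKey &o) const
    {
        return std::tie(src, dst, sport, dport, proto) < std::tie(o.src, o.dst, o.sport, o.dport, o.proto);
    }
    FlowKey Reverse() const { return {dst, src, dport, sport, proto}; }
};

class StatefulDmzFilter
{
public:
    enum class Zone { Internal, Dmz, External };
    StatefulDmzFilter(uint32_t internalNet, uint32_t externalNet, uint32_t mask, double idleTimeout)
        : m_internal(internalNet), m_external(externalNet), m_mask(mask), m_timeout(idleTimeout) {}
    // Declares a DMZ service that external clients may initiate connections to.
    void Publish(uint8_t proto, uint16_t port) { m_published.emplace(proto, port); }
    // Any address outside the internal and external subnets belongs to the DMZ.
    Zone ZoneOf(uint32_t addr) const
    {
        if ((addr & m_mask) == m_internal) return Zone::Internal;
        return (addr & m_mask) == m_external ? Zone::External : Zone::Dmz;
    }
    // Returns true if the packet may be forwarded; `now` is the time in seconds.
    bool Decide(const FlowKey &k, double now)
    {
        Expire(now);
        // Established traffic: a continuation of an admitted flow, or its reply.
        for (const FlowKey &candidate : {k, k.Reverse()})
            if (auto it = m_state.find(candidate); it != m_state.end()) { it->second = now; ++m_allowed; return true; }
        // New flow: only these zone pairs may initiate. External -> Internal and
        // anything the DMZ itself initiates fall through as denied.
        Zone from = ZoneOf(k.src), to = ZoneOf(k.dst);
        bool allowed = false;
        if (from == Zone::Internal && to != Zone::Internal) allowed = true;
        else if (from == Zone::External && to == Zone::Dmz) allowed = m_published.count({k.proto, k.dport}) > 0;
        if (allowed) { m_state[k] = now; ++m_allowed; } else { ++m_dropped; }
        return allowed;
    }
    unsigned Allowed() const { return m_allowed; }
    unsigned Dropped() const { return m_dropped; }

private:
    // Forget flows idle longer than the timeout so stale "replies" stop matching.
    void Expire(double now)
    {
        for (auto it = m_state.begin(); it != m_state.end();)
            if (now - it->second > m_timeout) it = m_state.erase(it); else ++it;
    }
    uint32_t m_internal, m_external, m_mask;
    double m_timeout;
    std::map<FlowKey, double> m_state; // admitted flow -> time last seen
    std::set<std::pair<uint8_t, uint16_t>> m_published;
    unsigned m_allowed = 0, m_dropped = 0;
};

int main()
{
    StatefulDmzFilter fw(Ip("10.1.1.0"), Ip("10.1.4.0"), Ip("255.255.255.0"), 30.0);
    fw.Publish(17, 9); // the UDP echo service on the DMZ server
    // Constructed sample packets: {src, dst, sport, dport, proto}, arrival time, description.
    struct Sample { FlowKey k; double t; const char *what; } samples[] = {
        {{Ip("10.1.4.2"), Ip("10.1.3.1"), 49152, 9, 17}, 2.0, "external client -> DMZ echo service"},
        {{Ip("10.1.3.1"), Ip("10.1.4.2"), 9, 49152, 17}, 2.1, "echo reply to that client"},
        {{Ip("10.1.4.2"), Ip("10.1.3.1"), 49153, 22, 6}, 3.0, "external -> unpublished DMZ port"},
        {{Ip("10.1.2.2"), Ip("10.1.1.1"), 1234, 53, 17}, 3.0, "DMZ host -> internal, no matching flow"},
        {{Ip("10.1.1.1"), Ip("10.1.2.2"), 40000, 9, 17}, 4.0, "internal -> DMZ"},
        {{Ip("10.1.2.2"), Ip("10.1.1.1"), 9, 40000, 17}, 40.0, "reply after the 30 s idle timeout"},
    };
    for (const Sample &s : samples)
        std::cout << (fw.Decide(s.k, s.t) ? "ALLOW " : "DROP  ") << s.what << "\n";
    std::cout << "allowed=" << fw.Allowed() << " dropped=" << fw.Dropped() << "\n";
}
```

The reply lookup runs before the zone policy on purpose: a reply is admitted because the forward direction was admitted, never because of where it comes from, which is what keeps a DMZ host from talking to the internal network unless an internal host asked first. The idle timeout bounds how long a compromised DMZ host can ride an old flow entry.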
Finally, we showed how a Network Demilitarized Zone behaves and how it is implemented in the NS3 simulation tool using structured steps. We also provide further insights and advanced concepts on this topic.