How to Calculate Network Demilitarized Zone in NS2

A Network Demilitarized Zone (DMZ) is a physical or logical subnetwork that exposes an organization's external-facing services to an untrusted network, typically the internet. It acts as a buffer between the external public network and the internal private network, protecting the internal network from external threats. In NS2 (Network Simulator 2) you can model a DMZ by building a topology with several subnets, treating one of them as the DMZ, and applying firewall rules that restrict traffic between the DMZ and the internal network.

Steps to Simulate and Calculate a Network DMZ in NS2

To model a DMZ in NS2, you will build:

  • A DMZ subnet containing the public-facing servers.
  • An internal subnet that represents the private internal network.
  • A firewall node (or a set of rules) that controls traffic between the internal subnet, the DMZ, and the external network (the internet).

  1. Set Up the NS2 Simulation with DMZ

In this example we set up a simple topology where:

  • A firewall node regulates traffic.
  • A DMZ subnet hosts publicly accessible services.
  • The internal subnet is shielded from the external network.

Example NS2 Script for a Network DMZ

# Create NS2 simulator instance
set ns [new Simulator]

# Open trace file for output
set tracefile [open out.tr w]
$ns trace-all $tracefile

# Define nodes. NS2 numbers nodes in creation order (firewall=0, dmz_server=1,
# internal_server=2, external_client=3); the trace file records these ids,
# not the Tcl variable names.
set firewall [$ns node]         ;# Firewall node between DMZ and internal network
set dmz_server [$ns node]       ;# DMZ server
set internal_server [$ns node]  ;# Internal network server
set external_client [$ns node]  ;# External client (internet)

# Create links between nodes
$ns duplex-link $firewall $dmz_server 1Mb 10ms DropTail       ;# DMZ server to firewall
$ns duplex-link $firewall $internal_server 1Mb 10ms DropTail  ;# Internal server to firewall
$ns duplex-link $external_client $firewall 1Mb 10ms DropTail  ;# External client to firewall

# Set up UDP traffic from external client to DMZ server
set udp0 [new Agent/UDP]
$ns attach-agent $external_client $udp0
set null0 [new Agent/Null]
$ns attach-agent $dmz_server $null0
$ns connect $udp0 $null0
set cbr0 [new Application/Traffic/CBR]
$cbr0 set packetSize_ 500
$cbr0 set interval_ 0.005
$cbr0 attach-agent $udp0

# Set up UDP traffic from DMZ server to internal server (simulating internal access)
set udp1 [new Agent/UDP]
$ns attach-agent $dmz_server $udp1
set null1 [new Agent/Null]
$ns attach-agent $internal_server $null1
$ns connect $udp1 $null1
set cbr1 [new Application/Traffic/CBR]
$cbr1 set packetSize_ 500
$cbr1 set interval_ 0.01
$cbr1 attach-agent $udp1

# Start and stop traffic
$ns at 0.5 "$cbr0 start"
$ns at 0.5 "$cbr1 start"
$ns at 4.5 "$cbr0 stop"
$ns at 4.5 "$cbr1 stop"

# Firewall logic to restrict traffic from external to internal.
# NOTE: this proc is an illustrative policy hook. The stock NS2 Simulator
# class has no "set-forwarding-filter" method and no per-packet filter
# callback into Tcl, so the line below will fail in an unmodified NS2
# unless you implement the hook yourself (for example in a custom C++
# classifier). In this script the rule is also enforced structurally: no
# agent pair is ever connected from external_client to internal_server.
proc firewall_filter {src dst type} {
    if {$src == "external_client" && $dst == "internal_server"} {
        return 0  ;# Block external traffic from accessing the internal server
    }
    return 1  ;# Allow all other traffic
}

# Apply firewall filter at 0.5 seconds (see the NOTE above)
$ns at 0.5 "$ns set-forwarding-filter firewall_filter"

# End simulation
proc finish {} {
    global ns tracefile
    $ns flush-trace
    close $tracefile
    exit 0
}
$ns at 5.0 "finish"

# Run the simulation
$ns run

Explanation of the Script:

  • Firewall Node: The firewall node sits between the external client, the DMZ server, and the internal server and controls the traffic between them.
  • DMZ Server: The dmz_server represents a publicly accessible server positioned in the DMZ.
  • Internal Server: The internal_server represents a machine within the private network.
  • Traffic:
    • The external client sends traffic to the DMZ server.
    • The DMZ server sends traffic to the internal server.
    • Traffic from the external client to the internal server is blocked by the firewall.

  2. Simulate Firewall Rules for the DMZ

The firewall_filter procedure is where you specify the firewall rules that control access between the external network, the DMZ, and the internal network. In this example:

  • Traffic from the external client to the internal server is blocked.
  • Traffic from the external client to the DMZ server is permitted.

You can extend these rules to control traffic between other segments of the network.

  3. Capture Data from the Trace File

NS2 generates a trace file (out.tr) that logs packet enqueue, dequeue, receive, and drop events. You can use this file to compute key DMZ performance metrics such as:

  • Packet drops: Count how many packets are blocked by the firewall.
  • Throughput: Estimate how much traffic flows between the DMZ and the external/internal networks.
  • Latency: Measure the delay for traffic passing through the DMZ.

  4. Calculate DMZ Metrics

Packet Drops (Blocked Traffic)

Packet drops indicate how effectively the firewall controls access to the internal network. You can count them by summing the d (drop) events on the link from the firewall to the internal server.

Here’s an AWK script to estimate packet drops because of the firewall:

awk '
# NS2 trace fields: $1 event (+ - r d), $2 time, $3 from node, $4 to node,
# $5 type, $6 size, $7 flags, $8 flow id, $9 src addr, $10 dst addr,
# $11 seq, $12 packet id. Nodes appear as numeric ids (firewall=0,
# dmz_server=1, internal_server=2, external_client=3), not as Tcl names.
{
    if ($1 == "d" && $3 == 0 && $4 == 2) {  # Dropped on the firewall -> internal_server link
        dropped_packets++;
    }
}
END { print "Total Packets Dropped by Firewall:", dropped_packets + 0; }' out.tr

This script counts the packets dropped on the firewall's link to the internal server. Note that the simulation script above never sends a flow from the external client to the internal server, so this count stays at zero unless you add such a flow or the link queue overflows.

Throughput Between DMZ and External Network

Throughput can be computed as the total number of bytes forwarded between the external network and the DMZ, divided by the time window.

Here’s an AWK script to calculate throughput:

awk '
{
    if ($1 == "-" && $3 == 0 && $4 == 1) {  # Dequeued by the firewall (0) towards dmz_server (1)
        total_bytes += $6;  # $6 is the packet size in bytes
    }
}
END { print "Throughput from External to DMZ:", total_bytes / 5.0, "bytes/sec"; }' out.tr

This script estimates the throughput by summing the bytes forwarded by the firewall to the DMZ server and dividing by the simulation time (5 seconds). Since the CBR source is only active from 0.5 s to 4.5 s, dividing by that 4-second window instead gives the rate while traffic was actually flowing.

Latency Through the DMZ

You can calculate the latency for traffic passing through the DMZ as the time difference between when a packet is sent by the external client and when it is received at the DMZ server.

Here’s an AWK script to calculate average latency:

awk '
{
    if ($1 == "+" && $3 == 3 && !($12 in send_time)) {
        send_time[$12] = $2;  # First enqueue at external_client (3); $12 is the packet id
    }
    if ($1 == "r" && $4 == 1 && ($12 in send_time)) {  # Received at dmz_server (1)
        total_latency += $2 - send_time[$12];  # Latency through the DMZ path
        count++;
    }
}
END {
    if (count > 0) print "Average DMZ Latency:", total_latency / count, "seconds";
    else print "No external-to-DMZ packets found";
}' out.tr

This script measures how long each packet takes to travel from the external client to the DMZ server and reports the average latency.
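As an added example (not part of the original page), here is a Python version of the three trace-file calculations above, plus the check a defender would actually want: confirming from the trace that nothing addressed from the external client was ever received at the internal server. It assumes the node ids NS2 assigns in the script's creation order (firewall=0, dmz_server=1, internal_server=2, external_client=3) and runs on a small constructed set of trace lines.

```python
# Added example (not from the original page): compute the DMZ metrics from
# NS2 trace records in Python and verify that the firewall rule held.
# Assumption: node ids follow the Tcl script's creation order.
FIREWALL, DMZ_SERVER, INTERNAL_SERVER, EXTERNAL_CLIENT = 0, 1, 2, 3

# Constructed trace lines in NS2 format: event time from to type size flags
# fid src.port dst.port seq pid (1 Mb link, 500 B -> 4 ms tx + 10 ms prop).
SAMPLE_TRACE = """\
+ 0.500000 3 0 cbr 500 ------- 0 3.0 1.0 0 0
- 0.514000 0 1 cbr 500 ------- 0 3.0 1.0 0 0
r 0.528000 0 1 cbr 500 ------- 0 3.0 1.0 0 0
+ 0.505000 3 0 cbr 500 ------- 0 3.0 1.0 1 1
- 0.519000 0 1 cbr 500 ------- 0 3.0 1.0 1 1
r 0.533000 0 1 cbr 500 ------- 0 3.0 1.0 1 1
d 0.600000 0 2 cbr 500 ------- 1 1.0 2.0 7 9
r 0.700000 0 2 cbr 500 ------- 2 3.0 2.0 0 20
""".splitlines()

def parse_trace(lines):
    """Yield one dict per well-formed 12-field NS2 trace record."""
    for line in lines:
        f = line.split()
        if len(f) < 12:
            continue  # blank or truncated line
        yield {"ev": f[0], "t": float(f[1]), "src": int(f[2]), "dst": int(f[3]),
               "size": int(f[5]), "saddr": f[8], "pid": int(f[11])}

def dmz_metrics(lines, sim_time=5.0):
    """Drops, throughput, average latency and firewall-policy violations."""
    dropped, fwd_bytes, sent, latencies, violations = 0, 0, {}, [], []
    for r in parse_trace(lines):
        if r["ev"] == "d" and r["src"] == FIREWALL and r["dst"] == INTERNAL_SERVER:
            dropped += 1  # queue drop on the firewall -> internal link
        elif r["ev"] == "-" and r["src"] == FIREWALL and r["dst"] == DMZ_SERVER:
            fwd_bytes += r["size"]  # forwarded by the firewall into the DMZ
        elif r["ev"] == "+" and r["src"] == EXTERNAL_CLIENT:
            sent.setdefault(r["pid"], r["t"])  # first enqueue at the client
        elif r["ev"] == "r" and r["dst"] == DMZ_SERVER and r["pid"] in sent:
            latencies.append(r["t"] - sent[r["pid"]])
        # Policy check: a packet with an external source address must never
        # be received at the internal server; if one is, the rule failed.
        if r["ev"] == "r" and r["dst"] == INTERNAL_SERVER \
                and r["saddr"].startswith(f"{EXTERNAL_CLIENT}."):
            violations.append(r["pid"])
    avg = sum(latencies) / len(latencies) if latencies else None
    return {"dropped": dropped, "throughput_bps": fwd_bytes / sim_time,
            "avg_latency": avg, "violations": violations}
```

Call dmz_metrics(SAMPLE_TRACE) to see the constructed result, or pass open("out.tr") to analyse a real run; a non-empty violations list means the firewall rule was not enforced.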

  5. Enhance the DMZ Simulation

You can extend the simulation by adding more advanced firewall policies or by modelling specific attacks and measuring how the DMZ handles them. For instance:

  • Add rules that block particular ports or protocols (for example, blocking all traffic on port 80).
  • Model a DDoS-style traffic flood and measure how the firewall and DMZ server cope with the increased load.

Example: Blocking Specific Port Traffic in the DMZ

You can extend the firewall_filter procedure to block traffic on specific ports, such as port 80 (HTTP).

# Extended signature: src_port and dst_port must be supplied by whatever hook
# invokes the proc; stock NS2 does not call Tcl procs per packet on its own.
proc firewall_filter {src dst type src_port dst_port} {
    if {$dst_port == 80} {
        return 0  ;# Block all traffic on port 80
    }
    return 1  ;# Allow all other traffic
}

  6. Visualize DMZ Performance

You can visualize key DMZ metrics including packet drops, throughput, and latency using tools like Python (matplotlib) or Excel. Here’s an example of how to plot the throughput from the external client to the DMZ over time:

Example Python Plot for DMZ Throughput:

import matplotlib.pyplot as plt

# Example data for throughput from external client to DMZ over time
time = [0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 4.5]
throughput = [500, 600, 650, 700, 750, 800, 850, 900, 950]  # Example throughput data (bytes/sec)

plt.plot(time, throughput, marker='o')
plt.title('Throughput from External Client to DMZ Over Time')
plt.xlabel('Time (seconds)')
plt.ylabel('Throughput (bytes/sec)')
plt.grid(True)
plt.show()

Summary

To model and measure a network DMZ in NS2:

  1. Set up a simulation: Configure nodes for the firewall, DMZ server, internal network, and external network.
  2. Apply firewall rules: Use custom rules in the firewall to control traffic between the DMZ, the internal network, and the external network.
  3. Calculate metrics: Analyse the trace file to compute packet drops, throughput, and latency.
  4. Enhance the simulation: Add more advanced firewall policies or model network attacks.
  5. Visualize performance: Plot the metrics to assess how well the DMZ protects the internal network and handles external traffic.

Overall, we have walked through the computation of network Demilitarized Zone (DMZ) metrics in the NS2 simulation environment, including code snippets, and shown how to simulate firewall policies and estimate DMZ metrics with examples.

If you’re looking to explore a customized Network Demilitarized Zone using the NS2 tool for your research, feel free to reach out to us! We’re here to deliver the best results. Just share your parameter details, and we’ll assist you every step of the way.