To calculate the Network Demilitarized Zone in ns3, DMZ creates a network topology that contains DMZ, typically positioned between internal and external networks and it configures by firewalls, proxies, and other security measures. We need to track the performance metrics like throughput, latency, and packet loss to calculate the DMZ impact. Below are the procedures on how to achieve this in ns3:
Steps to Simulate and Calculate Performance of a DMZ in ns3:
- Set Up the ns3 Environment:
- Make certain ns3 is installed in the computer.
- Define the Network Topology:
- Create a network topology that includes a DMZ, typically with separate nodes for internal, DMZ, and external networks.
- Configure the DMZ:
- Implement firewall rules, routing, and possibly proxy servers to filter and control traffic between networks.
- Install Applications:
- Install traffic-generating applications on the nodes to simulate network traffic.
- Monitor Performance Metrics:
- Use trace sources or callbacks to monitor performance metrics such as throughput, latency, and packet loss.
- Analyze DMZ Performance:
- Calculate and log the performance metrics to evaluate the effectiveness of the DMZ.
Example Code
The given below is the sample on how to setup a basic ns3 simulation to estimate the performance of a network DMZ.
#include “ns3/core-module.h”
#include “ns3/network-module.h”
#include “ns3/internet-module.h”
#include “ns3/point-to-point-module.h”
#include “ns3/applications-module.h”
#include “ns3/flow-monitor-module.h”
using namespace ns3;
NS_LOG_COMPONENT_DEFINE (“NetworkDMZExample”);
void CalculateDMZPerformance (Ptr<FlowMonitor> flowMonitor, FlowMonitorHelper &flowHelper)
{
Ptr<Ipv4FlowClassifier> classifier = DynamicCast<Ipv4FlowClassifier> (flowHelper.GetClassifier ());
std::map<FlowId, FlowMonitor::FlowStats> stats = flowMonitor->GetFlowStats ();
double totalThroughput = 0.0;
double totalLatency = 0.0;
uint32_t totalPackets = 0;
uint32_t lostPackets = 0;
for (auto it = stats.begin (); it != stats.end (); ++it)
{
Ipv4FlowClassifier::FiveTuple t = classifier->FindFlow (it->first);
double throughput = it->second.rxBytes * 8.0 / (it->second.timeLastRxPacket.GetSeconds () – it->second.timeFirstTxPacket.GetSeconds ()) / 1024; // kbps
double latency = it->second.delaySum.GetSeconds () / it->second.rxPackets * 1000; // ms
uint32_t packets = it->second.rxPackets + it->second.lostPackets;
totalThroughput += throughput;
totalLatency += latency;
totalPackets += packets;
lostPackets += it->second.lostPackets;
}
double averageLatency = totalPackets > 0 ? totalLatency / stats.size () : 0;
double packetLoss = totalPackets > 0 ? (static_cast<double> (lostPackets) / totalPackets) * 100 : 0;
NS_LOG_UNCOND (“Total Throughput: ” << totalThroughput << ” kbps”);
NS_LOG_UNCOND (“Average Latency: ” << averageLatency << ” ms”);
NS_LOG_UNCOND (“Packet Loss: ” << packetLoss << ” %”);
}
void PacketFilter(Ptr<const Packet> packet, Ptr<Ipv4> ipv4, uint32_t interface)
{
Ipv4Header ipv4Header;
packet->PeekHeader(ipv4Header);
Ipv4Address srcAddr = ipv4Header.GetSource();
Ipv4Address dstAddr = ipv4Header.GetDestination();
// Example firewall rule: Drop packets from a specific IP address
if (srcAddr == Ipv4Address(“10.1.1.1”))
{
NS_LOG_UNCOND(“Packet from ” << srcAddr << ” to ” << dstAddr << ” dropped by firewall”);
ipv4->Drop(packet, Ipv4L3Protocol::DROP_FIREWALL);
}
}
int main (int argc, char *argv[])
{
CommandLine cmd;
cmd.Parse (argc, argv);
Time::SetResolution (Time::NS);
// Create nodes
NodeContainer nodes;
nodes.Create (5); // Client, Firewall, DMZ Server, Internal Server, External Server
// Create point-to-point links
PointToPointHelper pointToPoint;
pointToPoint.SetDeviceAttribute (“DataRate”, StringValue (“10Mbps”));
pointToPoint.SetChannelAttribute (“Delay”, StringValue (“2ms”));
NetDeviceContainer devices01 = pointToPoint.Install (NodeContainer (nodes.Get (0), nodes.Get (1)));
NetDeviceContainer devices12 = pointToPoint.Install (NodeContainer (nodes.Get (1), nodes.Get (2)));
NetDeviceContainer devices13 = pointToPoint.Install (NodeContainer (nodes.Get (1), nodes.Get (3)));
NetDeviceContainer devices14 = pointToPoint.Install (NodeContainer (nodes.Get (1), nodes.Get (4)));
// Install the internet stack on nodes
InternetStackHelper stack;
stack.Install (nodes);
// Assign IP addresses to the devices
Ipv4AddressHelper address;
address.SetBase (“10.1.1.0”, “255.255.255.0”);
Ipv4InterfaceContainer interfaces01 = address.Assign (devices01);
address.SetBase (“10.1.2.0”, “255.255.255.0”);
Ipv4InterfaceContainer interfaces12 = address.Assign (devices12);
address.SetBase (“10.1.3.0”, “255.255.255.0”);
Ipv4InterfaceContainer interfaces13 = address.Assign (devices13);
address.SetBase (“10.1.4.0”, “255.255.255.0”);
Ipv4InterfaceContainer interfaces14 = address.Assign (devices14);
// Enable routing
Ipv4GlobalRoutingHelper::PopulateRoutingTables ();
// Create UDP server on DMZ Server (node 2)
UdpServerHelper serverDMZ (9);
ApplicationContainer serverAppDMZ = serverDMZ.Install (nodes.Get (2));
serverAppDMZ.Start (Seconds (1.0));
serverAppDMZ.Stop (Seconds (10.0));
// Create UDP client on External Server (node 4)
UdpClientHelper clientDMZ (interfaces12.GetAddress (1), 9);
clientDMZ.SetAttribute (“MaxPackets”, UintegerValue (320));
clientDMZ.SetAttribute (“Interval”, TimeValue (MilliSeconds (10)));
clientDMZ.SetAttribute (“PacketSize”, UintegerValue (1024));
ApplicationContainer clientAppDMZ = clientDMZ.Install (nodes.Get (4));
clientAppDMZ.Start (Seconds (2.0));
clientAppDMZ.Stop (Seconds (10.0));
// Configure packet filter on the firewall node (node 1)
Ptr<Ipv4> ipv4 = nodes.Get (1)->GetObject<Ipv4> ();
ipv4->TraceConnectWithoutContext (“Rx”, MakeCallback (&PacketFilter));
// Install flow monitor to capture performance metrics
FlowMonitorHelper flowHelper;
Ptr<FlowMonitor> flowMonitor = flowHelper.InstallAll ();
Simulator::Stop (Seconds (11.0));
Simulator::Run ();
CalculateDMZPerformance (flowMonitor, flowHelper);
Simulator::Destroy ();
return 0;
}
Explanation
- Setup: The code sets up a network topology with five nodes: a client, a firewall, a DMZ server, an internal server, and an external server, connected by point-to-point links.
- Internet Stack and Routing: The internet stack is installed on all nodes, and routing is enabled.
- Applications: A UDP server is installed on the DMZ server node (node 2), and a UDP client is installed on the external server node (node 4) to generate traffic.
- Firewall Configuration: A packet filter is configured on the firewall node (node 1) to drop packets from a specific IP address.
- Flow Monitor: The FlowMonitor is used to gather performance metrics like throughput, latency, and packet loss.
- CalculateDMZPerformance Function: This function calculates the total throughput, average latency, and packet loss, and logs these metrics to evaluate the performance of the DMZ.
Running the Simulation
Compile and run the simulation using the following commands in your ns3 environment:
./waf configure
./waf build
./waf –run your-script-name
Replace your-script-name with the actual name of your script file.
Here, we clearly see about how estimate the effectiveness of DMZ in ns3 simulation tool. We also provide further details about how the DMZ performs in other simulation tool. Share with ns3simulation.com all your parameters’ details related to Network Demilitarized Zone we will provide you with novel results.