How to Implement Multi level Firewall in NS2

To implement the Multi-level firewall in ns2, we have to simulate various layers of access control (for instance: in terms of source IP, destination IP, Protocol, Port or Application) at different points in the network. Every layer will examine traffic and either permit or block it depends on pre-defined rules. The multi-level firewall can be positioned at various points in the network (like on a particular node, on routers or on gateways).

If you need specific help with implementing a multi-level firewall in the NS2 tool, get in touch with the ns2project.com team.

In this simulation, we can launch three levels of inspection:

  1. Layer 1: IP-based filtering (verifies if the source or destination IP address is permitted).
  2. Layer 2: Port-based filtering (validates if the traffic is granted depends on the port number).
  3. Layer 3: Protocol-based filtering (checks if the traffic is allowed according to the protocol used, for instance: TCP or UDP).

Steps to Implement a Multi-level Firewall in NS2

  1. Set Up NS2 Environment

Make certain NS2 is installed and properly configured. We will simulate multi-level firewalls by establishing a series of access control checks based on IP, port, and protocol.

  1. Create a TCL Script for Multi-level Firewall

Below is a sample TCL script that imitates a multi-level firewall in NS2. The firewall logic will be accomplished to packets relaying through a certain node, testing and filtering them in terms of IP, port, and protocol.

Example TCL Script for Multi-level Firewall:

# Create a new NS2 simulator

set ns [new Simulator]

# Open trace and NAM output files

set tracefile [open multilevel_firewall.tr w]

$ns trace-all $tracefile

set namfile [open multilevel_firewall.nam w]

$ns namtrace-all $namfile

# Define wireless network parameters

set val(chan)   Channel/WirelessChannel

set val(prop)   Propagation/TwoRayGround

set val(ant)    Antenna/OmniAntenna

set val(netif)  Phy/WirelessPhy

set val(mac)    Mac/802_11

set val(ifq)    Queue/DropTail/PriQueue

set val(ifqlen) 50

set val(ll)     LL

set val(rp)     AODV                       ;# Use AODV routing protocol

set val(x)      1000

set val(y)      1000

set val(num_nodes) 4                       ;# Number of nodes

# Create topography for the network

set topo [new Topography]

$topo load_flatgrid $val(x) $val(y)

# Configure node parameters

$ns node-config -adhocRouting $val(rp) \

-llType $val(ll) \

-macType $val(mac) \

-ifqType $val(ifq) \

-ifqLen $val(ifqlen) \

-antType $val(ant) \

-propType $val(prop) \

-phyType $val(netif) \

-channelType $val(chan) \

-topoInstance $topo \

-agentTrace ON \

-routerTrace ON \

-macTrace ON

# Create nodes and set initial positions

set node0 [$ns node]

set node1 [$ns node]

set node2 [$ns node]

set node3 [$ns node]  ;# Node acting as the firewall

$node0 set X_ 100

$node0 set Y_ 100

$node0 set Z_ 0

$node1 set X_ 300

$node1 set Y_ 300

$node1 set Z_ 0

$node2 set X_ 500

$node2 set Y_ 500

$node2 set Z_ 0

$node3 set X_ 250

$node3 set Y_ 250

$node3 set Z_ 0  ;# This node will act as a firewall

# Define IP filtering rules for Layer 1 (only allow traffic from node0 and node2)

set allowed_ips [list “192.168.1.1” “192.168.1.3”]

# Define Port filtering rules for Layer 2 (only allow port 80 for TCP and port 53 for UDP)

set allowed_ports_tcp [list 80]

set allowed_ports_udp [list 53]

# Function to check if the source IP is allowed (Layer 1)

proc check_ip_access {src_ip} {

global allowed_ips

if {[lsearch -exact $allowed_ips $src_ip] == -1} {

return 0  ;# Block the packet (IP not allowed)

} else {

return 1  ;# Allow the packet (IP allowed)

}

}

# Function to check if the destination port is allowed (Layer 2)

proc check_port_access {dst_port protocol} {

global allowed_ports_tcp allowed_ports_udp

if {$protocol == “TCP”} {

if {[lsearch -exact $allowed_ports_tcp $dst_port] == -1} {

return 0  ;# Block the packet (port not allowed)

}

} elseif {$protocol == “UDP”} {

if {[lsearch -exact $allowed_ports_udp $dst_port] == -1} {

return 0  ;# Block the packet (port not allowed)

}

}

return 1  ;# Allow the packet

}

# Function to check if the protocol is allowed (Layer 3)

proc check_protocol_access {protocol} {

if {($protocol == “TCP”) || ($protocol == “UDP”)} {

return 1  ;# Allow TCP and UDP packets

} else {

return 0  ;# Block other protocols

}

}

# Multi-level firewall function (applies IP, Port, and Protocol filtering)

proc multilevel_firewall {src_node dst_node src_ip dst_port protocol} {

if {[check_ip_access $src_ip] == 1} {

if {[check_protocol_access $protocol] == 1} {

if {[check_port_access $dst_port $protocol] == 1} {

puts “Packet allowed: IP $src_ip, Port $dst_port, Protocol $protocol”

# Allow connection

if {$protocol == “TCP”} {

set tcp [new Agent/TCP]

$ns attach-agent $src_node $tcp

set sink [new Agent/TCPSink]

$ns attach-agent $dst_node $sink

$ns connect $tcp $sink

return $tcp

} elseif {$protocol == “UDP”} {

set udp [new Agent/UDP]

$ns attach-agent $src_node $udp

set null [new Agent/Null]

$ns attach-agent $dst_node $null

$ns connect $udp $null

return $udp

}

} else {

puts “Packet blocked: Port $dst_port not allowed”

}

} else {

puts “Packet blocked: Protocol $protocol not allowed”

}

} else {

puts “Packet blocked: IP $src_ip not allowed”

}

return 0  ;# Block the packet

}

# Simulate TCP traffic from node0 to node1 on port 80 (HTTP)

set tcp80 [multilevel_firewall $node0 $node1 “192.168.1.1” 80 “TCP”]

# Simulate TCP traffic from node0 to node1 on port 443 (HTTPS) (should be blocked)

set tcp443 [multilevel_firewall $node0 $node1 “192.168.1.1” 443 “TCP”]

# Simulate UDP traffic from node2 to node1 on port 53 (DNS)

set udp53 [multilevel_firewall $node2 $node1 “192.168.1.3” 53 “UDP”]

# Simulate UDP traffic from node2 to node1 on port 500 (Non-allowed port) (should be blocked)

set udp500 [multilevel_firewall $node2 $node1 “192.168.1.3” 500 “UDP”]

# Create traffic sources

if {$tcp80 != 0} {

set ftp0 [new Application/FTP]

$ftp0 attach-agent $tcp80

$ns at 1.0 “$ftp0 start”

$ns at 9.0 “$ftp0 stop”

}

if {$udp53 != 0} {

set cbr0 [new Application/Traffic/CBR]

$cbr0 attach-agent $udp53

$cbr0 set packetSize_ 512

$cbr0 set rate_ 1Mb

$ns at 2.0 “$cbr0 start”

$ns at 9.0 “$cbr0 stop”

}

# Schedule simulation end

$ns at 10.0 “finish”

# Finish procedure to close trace and NAM files

proc finish {} {

global ns tracefile namfile

$ns flush-trace

close $tracefile

close $namfile

exec nam multilevel_firewall.nam &

exit 0

}

# Run the simulation

$ns run

  1. Explanation of Key Components
  • Layer 1 (IP Filtering): The check_ip_access function checks if the source IP is in the list of permitted IP addresses. If the IP is allowed, the packet can permit to the next layer.
  • Layer 2 (Port Filtering): The check_port_access function checks if the destination port is in the list of allowed ports. We have individual lists for TCP and UDP protocols.
  • Layer 3 (Protocol Filtering): The check_protocol_access function checks if the protocol used (TCP or UDP) is permitted. Other protocols are congestion.
  • Multi-Level Firewall Logic: The multilevel_firewall function establishes the firewall checks in sequence: IP, protocol, and port filtering. Only packets that relay all three layers of checks are granted to continue, and a corresponding TCP or UDP agent is generated to replicate the connection.
  1. Run the Simulation

Store the script as multilevel_firewall.tcl and execute it in NS2:

ns multilevel_firewall.tcl

After the simulation is done, you can visualize the network and traffic activities using NAM:

nam multilevel_firewall.nam

  1. Simulation Output

The script will output messages in the console representing whether a packet was allowed or blocked at each level of the firewall. For instance:

Packet allowed: IP 192.168.1.1, Port 80, Protocol TCP

Packet blocked: Port 443 not allowed

Packet allowed: IP 192.168.1.3, Port 53, Protocol UDP

Packet blocked: Port 500 not allowed

  1. Advanced Features for the Multi-Level Firewall

You can expand this simulation by including more features such as:

  • Dynamic Rules: Attach functionality to dynamically update firewall rules in terms of network conditions (for instance: including or removing permitted IPs, ports, or protocols).
  • Logging and Monitoring: Replicate firewall logging and observing, where every allowed or blocked packet is stored to a file.
  • Stateful Filtering: Imitate stateful firewalls that track connection states and permit or block traffic in terms of the connection state.
  • Intrusion Detection: Incorporate basic intrusion detection systems (IDS) into the firewall to jamming apprehensive traffic.

The given approach will breakdown into three steps which is IP-based, Port-based, Protocol-based Filtering for implementation of the Multi level Firewall in the ns2 tool. You have to include the latest mechanisms into the simulation network.