e-mail address: omnetmanual@gmail.com

Phone number: +91 9444856435
DEFENDER

How to Implement Network Device Security in OMNeT++

To implement the network device security in OMNeT++, we have to guard the network form unauthorized access, malware and other security threats by simulating a network that has several devices (example: routers, switches, IoT devices). It can be accomplished by integrating security features like firewalls, intrusion detection systems (IDS), access control, secure communication protocols and device-level security measure. Make sure to follow the demonstration of network device security in the following below:

Step-by-Step Implementation:

  1. Define the Network Topology

First, we have to describe the network topology that contains different network devices like routers, switches, and endpoints (e.g., PCs, IoT devices). Also, has security components like firewalls and IDS.

network DeviceSecurityNetwork

{

submodules:

pc1: StandardHost {

@display(“p=100,100”);

}

pc2: StandardHost {

@display(“p=100,200”);

}

router: Router {

@display(“p=300,150”);

}

switch: Switch {

@display(“p=500,150”);

}

firewall: FirewallModule {

@display(“p=400,150”);

}

ids: IDSModule {

@display(“p=600,150”);

}

server: SecureServerModule {

@display(“p=700,150”);

}

connections:

pc1.ethg++ <–> Eth100M <–> router.ethg++;

pc2.ethg++ <–> Eth100M <–> router.ethg++;

router.ethg++ <–> Eth100M <–> firewall.in++;

firewall.out++ <–> switch.ethg++;

switch.ethg++ <–> ids.in++;

ids.out++ <–> server.ethg++;

}

  1. Implement the Firewall Module

According to the predefined security rules, the firewall will observe and control incoming and outgoing network traffic, averting unauthorized access to network devices.

Firewall Module Implementation

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include “inet/networklayer/ipv4/Ipv4Header_m.h”

using namespace omnetpp;

using namespace inet;

class FirewallModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

bool isAllowed(Packet *packet);

};

Define_Module(FirewallModule);

void FirewallModule::initialize()

{

EV << “Firewall Module Initialized” << endl;

}

void FirewallModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

if (isAllowed(packet)) {

send(packet, “out”);

} else {

EV << “Packet dropped by firewall.” << endl;

delete packet;

}

}

}

bool FirewallModule::isAllowed(Packet *packet)

{

const auto& networkHeader = packet->peekAtFront<Ipv4Header>();

std::string source = networkHeader->getSrcAddress().str();

std::string destination = networkHeader->getDestAddress().str();

// Example: Allow only specific device-to-device communications

if ((source == “192.168.1.10” && destination == “192.168.1.20”) ||

(source == “192.168.1.20” && destination == “192.168.1.30”)) {

return true; // Allow traffic

}

return false; // Block all other traffic

}

  1. Implement the Intrusion Detection System (IDS) Module

In network devices, we have to detect suspicious activities or capable security breaches by implement the IDS that will observe the network traffic.

IDS Module Implementation

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include “inet/networklayer/ipv4/Ipv4Header_m.h”

using namespace omnetpp;

using namespace inet;

class IDSModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

void detectIntrusion(Packet *packet);

void logSecurityEvent(const std::string &event);

};

Define_Module(IDSModule);

void IDSModule::initialize()

{

EV << “IDS Module Initialized” << endl;

}

void IDSModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

detectIntrusion(packet);

send(msg, “out”);

}

}

void IDSModule::detectIntrusion(Packet *packet)

{

const auto& networkHeader = packet->peekAtFront<Ipv4Header>();

std::string source = networkHeader->getSrcAddress().str();

std::string destination = networkHeader->getDestAddress().str();

// Example: Detect unauthorized access or abnormal traffic

if (source == “192.168.1.100” || destination == “192.168.1.100”) {

logSecurityEvent(“Suspicious activity detected from ” + source + ” to ” + destination);

}

}

void IDSModule::logSecurityEvent(const std::string &event)

{

EV << “IDS Event: ” << event << endl;

// Additional logging to files or alerts can be implemented here

}

  1. Implement Secure Communication for Network Devices

Make certain that network devices use secure communication protocols like SSL/TLS, to guard data integrity and confidentiality.

Secure Server Module Implementation

#include <omnetpp.h>

#include “inet/common/INETDefs.h”

#include “inet/common/packet/Packet.h”

#include <string>

#include <openssl/evp.h>

#include <openssl/aes.h>

using namespace omnetpp;

using namespace inet;

class SecureServerModule : public cSimpleModule

{

protected:

virtual void initialize() override;

virtual void handleMessage(cMessage *msg) override;

std::string encryptData(const std::string &data);

std::string decryptData(const std::string &data);

void processSecureRequest(Packet *packet);

};

Define_Module(SecureServerModule);

void SecureServerModule::initialize()

{

EV << “Secure Server Initialized” << endl;

}

void SecureServerModule::handleMessage(cMessage *msg)

{

if (Packet *packet = dynamic_cast<Packet *>(msg)) {

const auto& payload = packet->peekData();

std::string data(payload->str());

std::string decryptedData = decryptData(data);

EV << “Data decrypted: ” << decryptedData << endl;

processSecureRequest(packet);

}

}

std::string SecureServerModule::encryptData(const std::string &data)

{

unsigned char key[16] = “serverkey1234567”;

unsigned char iv[16] = “initialvector12”;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();

EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);

unsigned char encrypted[1024];

int len;

EVP_EncryptUpdate(ctx, encrypted, &len, (unsigned char*)data.c_str(), data.length());

int ciphertext_len = len;

EVP_EncryptFinal_ex(ctx, encrypted + len, &len);

ciphertext_len += len;

EVP_CIPHER_CTX_free(ctx);

return std::string((char*)encrypted, ciphertext_len);

}

std::string SecureServerModule::decryptData(const std::string &data)

{

unsigned char key[16] = “serverkey1234567”;

unsigned char iv[16] = “initialvector12”;

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();

EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);

unsigned char decrypted[1024];

int len;

EVP_DecryptUpdate(ctx, decrypted, &len, (unsigned char*)data.c_str(), data.length());

int plaintext_len = len;

EVP_DecryptFinal_ex(ctx, decrypted + len, &len);

plaintext_len += len;

EVP_CIPHER_CTX_free(ctx);

return std::string((char*)decrypted, plaintext_len);

}

void SecureServerModule::processSecureRequest(Packet *packet)

{

// Process the request securely (e.g., serve a web page, handle a database query)

EV << “Secure request processed: ” << packet->str() << endl;

}

  1. Simulate Network Device Attacks

Simulate potential attacks on network devices involves unauthorized access attempts, malware infections, and denial-of-service (DoS) attacks.

Network Device Attack Simulation Module

#include <omnetpp.h>

#include “inet/applications/tcpapp/TcpAppBase.h”

using namespace omnetpp;

using namespace inet;

class DeviceAttackModule : public TcpAppBase

{

protected:

virtual void initialize(int stage) override;

virtual void handleMessageWhenUp(cMessage *msg) override;

void simulateUnauthorizedAccess();

void simulateDoSAttack();

};

Define_Module(DeviceAttackModule);

 

void DeviceAttackModule::initialize(int stage)

{

TcpAppBase::initialize(stage);

if (stage == inet::INITSTAGE_APPLICATION_LAYER) {

scheduleAt(simTime() + 3, new cMessage(“simulateUnauthorizedAccess”));

scheduleAt(simTime() + 5, new cMessage(“simulateDoSAttack”));

}

}

void DeviceAttackModule::handleMessageWhenUp(cMessage *msg)

{

if (strcmp(msg->getName(), “simulateUnauthorizedAccess”) == 0) {

simulateUnauthorizedAccess();

delete msg;

} else if (strcmp(msg->getName(), “simulateDoSAttack”) == 0) {

simulateDoSAttack();

delete msg;

} else {

TcpAppBase::handleMessageWhenUp(msg);

}

}

void DeviceAttackModule::simulateUnauthorizedAccess()

{

EV << “Simulating unauthorized access attempt on router…” << endl;

sendRequest(“POST /admin_login HTTP/1.1\r\nHost: router\r\n\r\nusername=admin&password=wrongpassword”);

}

void DeviceAttackModule::simulateDoSAttack()

{

EV << “Simulating DoS attack on server…” << endl;

for (int i = 0; i < 100; i++) {

sendRequest(“GET / HTTP/1.1\r\nHost: server\r\n\r\n”);

}

}

  1. Integrate the Network Device Security Components

Integrate the firewall, IDS, secure communication, and attack simulation modules within the network to generate a comprehensive network device security replication.

network DeviceSecurityNetwork

{

submodules:

pc1: StandardHost {

@display(“p=100,100”);

}

pc2: StandardHost {

@display(“p=100,200”);

}

router: Router {

@display(“p=300,150”);

}

switch: Switch {

@display(“p=500,150”);

}

firewall: FirewallModule {

@display(“p=400,150”);

}

ids: IDSModule {

@display(“p=600,150”);

}

server: SecureServerModule {

@display(“p=700,150”);

}

attacker: DeviceAttackModule {

@display(“p=100,300”);

}

connections:

pc1.ethg++ <–> Eth100M <–> router.ethg++;

pc2.ethg++ <–> Eth100M <–> router.ethg++;

router.ethg++ <–> Eth100M <–> firewall.in++;

firewall.out++ <–> switch.ethg++;

switch.ethg++ <–> ids.in++;

ids.out++ <–> server.ethg++;

attacker.ethg++ <–> Eth100M <–> firewall.in++;

}

  1. Run the Simulation

Compile and run the simulation in OMNeT++. The IDS should identify abnormal behaviors, the firewall should block illegal traffic, and network devices should securely communicate and respond to requests.

  1. Analyze the Results

Check the OMNeT++ simulation log to monitor how the network devices reacted to different simulated attacks. Verify that:

  • Unauthorized access tries were blocked by the firewall.
  • Suspicious activities were identified by the IDS.
  • Legitimate data was securely processed by the network devices.
  1. Extend the Network Device Security Simulation

You can extend this setup by:

  • Implementing device-specific security measures: Simulate security mechanisms include access control lists (ACLs) on routers, MAC filtering on switches, and antivirus protection on PCs.
  • Enhancing secure communication: Use more advanced encryption protocols and key management techniques.
  • Simulating complex attack scenarios: Concatenate multiple attack vectors like physical tampering with cyber-attacks.
  • Integrating with physical simulations: Monitor the effects of cyber-attacks on the physical devices and processes controlled by the network by using co-simulation with physical process simulators.

From this approach, we comprehensively learned the overall concept of network device security and their implementation process in the OMNeT++ and how to include the security mechanisms. If needed, we will offer additional details on this topic.omnet-manual.com will provide you all types of research solutions in this area.

Related Topics