To implement the network Security Architecture in OMNeT++ requires us to generate a simulation environment that should replicate the implementation of security features and techniques to safeguard a network against different threats. It contains firewall, intrusion detection/prevention systems (IDS/IPS), secure routing, encryption and access control mechanisms. We provided the details to implement the security architecture in the network:
Step-by-Step Implementation:
State a network topology which contains several security elements like firewalls, IDS/IPS, encryption modules, and secure servers. It will permit us to replicate the flow of network traffic over these security layers
network SecureNetworkArchitecture
{
submodules:
client1: StandardHost {
@display(“p=100,100”);
}
client2: StandardHost {
@display(“p=100,200”);
}
router: Router {
@display(“p=300,150”);
}
firewall: FirewallModule {
@display(“p=400,150”);
}
ids: IDSModule {
@display(“p=500,150”);
}
encryptionServer: EncryptionModule {
@display(“p=600,150”);
}
appServer: SecureAppServerModule {
@display(“p=700,150”);
}
dbServer: StandardHost {
@display(“p=800,150”);
}
connections:
client1.ethg++ <–> Eth100M <–> router.ethg++;
client2.ethg++ <–> Eth100M <–> router.ethg++;
router.ethg++ <–> Eth100M <–> firewall.in++;
firewall.out++ <–> ids.in++;
ids.out++ <–> encryptionServer.in++;
encryptionServer.out++ <–> appServer.ethg++;
appServer.ethg++ <–> Eth100M <–> dbServer.ethg++;
}
Based on the predefined security rules, we can filter the traffic by accomplishing the firewall module which is useful in blocking illicit access while permitting authorized traffic to pass through.
Firewall Module
// FirewallModule.cc
#include <omnetpp.h>
#include “inet/common/INETDefs.h”
#include “inet/common/packet/Packet.h”
#include “inet/networklayer/ipv4/Ipv4Header_m.h”
using namespace omnetpp;
using namespace inet;
class FirewallModule : public cSimpleModule
{
protected:
virtual void initialize() override;
virtual void handleMessage(cMessage *msg) override;
bool isAllowed(Packet *packet);
};
Define_Module(FirewallModule);
void FirewallModule::initialize()
{
EV << “Firewall Module Initialized” << endl;
}
void FirewallModule::handleMessage(cMessage *msg)
{
if (Packet *packet = dynamic_cast<Packet *>(msg)) {
if (isAllowed(packet)) {
send(packet, “out”);
} else {
EV << “Packet dropped by firewall.” << endl;
delete packet;
}
}
}
bool FirewallModule::isAllowed(Packet *packet)
{
const auto& networkHeader = packet->peekAtFront<Ipv4Header>();
std::string source = networkHeader->getSrcAddress().str();
std::string destination = networkHeader->getDestAddress().str();
// Example: Block traffic from specific IP addresses or to specific ports
if (source == “192.168.1.100” || destination == “192.168.1.200”) {
return false; // Block traffic
}
return true; // Allow all other traffic
}
An IDS observes network traffic for suspicious activities and capable threats. It can be set up to vigilant or take action when an intrusion is identified.
IDS Module
// IDSModule.cc
#include <omnetpp.h>
#include “inet/common/INETDefs.h”
#include “inet/common/packet/Packet.h”
#include “inet/networklayer/ipv4/Ipv4Header_m.h”
using namespace omnetpp;
using namespace inet;
class IDSModule : public cSimpleModule
{
protected:
virtual void initialize() override;
virtual void handleMessage(cMessage *msg) override;
void detectIntrusion(Packet *packet);
void logSecurityEvent(const std::string &event);
};
Define_Module(IDSModule);
void IDSModule::initialize()
{
EV << “IDS Module Initialized” << endl;
}
void IDSModule::handleMessage(cMessage *msg)
{
if (Packet *packet = dynamic_cast<Packet *>(msg)) {
detectIntrusion(packet);
send(msg, “out”);
}
}
void IDSModule::detectIntrusion(Packet *packet)
{
const auto& networkHeader = packet->peekAtFront<Ipv4Header>();
std::string source = networkHeader->getSrcAddress().str();
std::string destination = networkHeader->getDestAddress().str();
// Example: Detect unauthorized access attempts
if (source == “10.0.0.100” && destination == “192.168.1.200”) {
logSecurityEvent(“Unauthorized access attempt detected from ” + source + ” to ” + destination);
}
// Example: Detect potential DDoS attack by monitoring high traffic volume
if (packet->getByteLength() > 1000) { // Threshold for suspicious packet size
logSecurityEvent(“Potential DDoS attack detected from ” + source);
}
}
void IDSModule::logSecurityEvent(const std::string &event)
{
EV << “IDS Event: ” << event << endl;
// Additional logging to files or alerts can be implemented here
}
The encryption module is accountable for encrypting sensitive data before it is transmitted through the network. This helps in ensuring data privacy and integrity.
Encryption Module
// EncryptionModule.cc
#include <omnetpp.h>
#include “inet/common/INETDefs.h”
#include “inet/common/packet/Packet.h”
#include <string>
#include <openssl/evp.h>
#include <openssl/aes.h>
using namespace omnetpp;
using namespace inet;
class EncryptionModule : public cSimpleModule
{
protected:
virtual void initialize() override;
virtual void handleMessage(cMessage *msg) override;
std::string encryptData(const std::string &data);
std::string decryptData(const std::string &data);
};
Define_Module(EncryptionModule);
void EncryptionModule::initialize()
{
EV << “Encryption Module Initialized” << endl;
}
void EncryptionModule::handleMessage(cMessage *msg)
{
if (Packet *packet = dynamic_cast<Packet *>(msg)) {
const auto& payload = packet->peekData();
std::string data(payload->str());
std::string encryptedData = encryptData(data);
EV << “Data encrypted: ” << encryptedData << endl;
// Simulate sending the encrypted data
send(packet, “out”);
}
}
std::string EncryptionModule::encryptData(const std::string &data)
{
// Example: Simple AES encryption (in reality, use secure keys and initialization vectors)
unsigned char key[16] = “mysecretkey12345”;
unsigned char iv[16] = “initialvector123”;
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
unsigned char encrypted[1024];
int len;
EVP_EncryptUpdate(ctx, encrypted, &len, (unsigned char*)data.c_str(), data.length());
int ciphertext_len = len;
EVP_EncryptFinal_ex(ctx, encrypted + len, &len);
ciphertext_len += len;
EVP_CIPHER_CTX_free(ctx);
return std::string((char*)encrypted, ciphertext_len);
}
std::string EncryptionModule::decryptData(const std::string &data)
{
// Example: Simple AES decryption (in reality, use secure keys and initialization vectors)
unsigned char key[16] = “mysecretkey12345”;
unsigned char iv[16] = “initialvector123”;
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
unsigned char decrypted[1024];
int len;
EVP_DecryptUpdate(ctx, decrypted, &len, (unsigned char*)data.c_str(), data.length());
int plaintext_len = len;
EVP_DecryptFinal_ex(ctx, decrypted + len, &len);
plaintext_len += len;
EVP_CIPHER_CTX_free(ctx);
return std::string((char*)decrypted, plaintext_len);
}
This module indicates an application server that is guarded by all the security measures in the network architecture. It should process requests securely later they have passed through all the security layers.
Secure Application Server Module
// SecureAppServerModule.cc
#include <omnetpp.h>
#include “inet/common/INETDefs.h”
#include “inet/common/packet/Packet.h”
using namespace omnetpp;
using namespace inet;
class SecureAppServerModule : public cSimpleModule
{
protected:
virtual void initialize() override;
virtual void handleMessage(cMessage *msg) override;
void processSecureRequest(Packet *packet);
};
Define_Module(SecureAppServerModule);
void SecureAppServerModule::initialize()
{
EV << “Secure Application Server Initialized” << endl;
}
void SecureAppServerModule::handleMessage(cMessage *msg)
{
if (Packet *packet = dynamic_cast<Packet *>(msg)) {
EV << “Secure request received. Processing…” << endl;
processSecureRequest(packet);
send(packet, “out”);
}
}
void SecureAppServerModule::processSecureRequest(Packet *packet)
{
// Process the secure request (this is where business logic would be implemented)
EV << “Request processed securely: ” << packet->str() << endl;
}
Generate the security architecture by integrating the firewall, IDS, encryption and secure application server modules inside the network.
network SecureNetworkArchitecture
{
submodules:
client1: StandardHost {
@display(“p=100,100”);
}
client2: StandardHost {
@display(“p=100,200”);
}
router: Router {
@display(“p=300,150”);
}
firewall: FirewallModule {
@display(“p=400,150”);
}
ids: IDSModule {
@display(“p=500,150”);
}
encryptionServer: EncryptionModule {
@display(“p=600,150”);
}
appServer: SecureAppServerModule {
@display(“p=700,150”);
}
dbServer: StandardHost {
@display(“p=800,150”);
}
connections:
client1.ethg++ <–> Eth100M <–> router.ethg++;
client2.ethg++ <–> Eth100M <–> router.ethg++;
router.ethg++ <–> Eth100M <–> firewall.in++;
firewall.out++ <–> ids.in++;
ids.out++ <–> encryptionServer.in++;
encryptionServer.out++ <–> appServer.ethg++;
appServer.ethg++ <–> Eth100M <–> dbServer.ethg++;
}
Simulate several network operations like data transmission, access attempts, and encryption/decryption processes to assess the efficiency of the security architecture.
Network Security Simulation Module
// NetworkSecuritySimulationModule.cc
#include <omnetpp.h>
#include “inet/applications/tcpapp/TcpAppBase.h”
using namespace omnetpp;
using namespace inet;
class NetworkSecuritySimulationModule : public TcpAppBase
{
protected:
virtual void initialize(int stage) override;
virtual void handleMessageWhenUp(cMessage *msg) override;
void simulateSecureTransmission();
void simulateUnauthorizedAccess();
};
Define_Module(NetworkSecuritySimulationModule);
void NetworkSecuritySimulationModule::initialize(int stage)
{
TcpAppBase::initialize(stage);
if (stage == inet::INITSTAGE_APPLICATION_LAYER) {
scheduleAt(simTime() + 3, new cMessage(“simulateSecureTransmission”));
scheduleAt(simTime() + 5, new cMessage(“simulateUnauthorizedAccess”));
}
}
void NetworkSecuritySimulationModule::handleMessageWhenUp(cMessage *msg)
{
if (strcmp(msg->getName(), “simulateSecureTransmission”) == 0) {
simulateSecureTransmission();
delete msg;
} else if (strcmp(msg->getName(), “simulateUnauthorizedAccess”) == 0) {
simulateUnauthorizedAccess();
delete msg;
} else {
TcpAppBase::handleMessageWhenUp(msg);
}
}
void NetworkSecuritySimulationModule::simulateSecureTransmission()
{
EV << “Simulating secure data transmission…” << endl;
sendRequest(“GET /secureData HTTP/1.1\r\nHost: appServer\r\n\r\nSensitive data here”);
}
void NetworkSecuritySimulationModule::simulateUnauthorizedAccess()
{
EV << “Simulating unauthorized access attempt…” << endl;
sendRequest(“GET /secureData HTTP/1.1\r\nHost: appServer\r\n\r\nUnauthorized access”);
}
Compile and run the simulation in OMNeT++. The firewall will filter traffic, the IDS will observe for intrusions, the encryption module will manage secure data transmission, and the secure application server will process requests securely.
Check the OMNeT++ simulation log to monitor how the security architecture managed various operations. Attest that:
You can extend this setup by:
Throughout this process, we provided the essential information like simulation process, security mechanisms, evaluation process and implementation of security architecture in the network using OMNeT++ including their extended features. Download the Implementation on Network Security Architecture in OMNeT++ tool for your projects from omnet-manual.com , if you face any difficulties then contact us. Stay in touch with us; we will provide you with novel services. Get your project simulation performance by sharing your parameter details with us, and we will compare them and provide you with the best results.