DETECTION OF INCONSISTENCIES IN FIREWALLS

A Project presented to the faculty of the Department of Computer Science, California State University, Sacramento, submitted in partial satisfaction of the requirements for the degree of Master of Science in Computer Science, by Lavanya Jujjavarapu, Spring 2014.

Approved by: Du Zhang, Ph.D. (Committee Chair); Meiliu Lu, Ph.D. (Second Reader).

Student: Lavanya Jujjavarapu. I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project. Nikrouz Faroughi, Ph.D., Graduate Coordinator, Department of Computer Science.

Abstract of DETECTION OF INCONSISTENCIES IN FIREWALLS, by Lavanya Jujjavarapu

The main focus of this project is to enable users to detect inconsistencies in firewall rules and to help resolve them. Consistency means that no possible packet should receive different fates in the same firewall or in the same network. An inconsistent configuration might leave a security hole or cause intermittently disrupted services. Detecting an inconsistency is the first step in resolving it, since detection identifies the type of inconsistency present. Resolving an inconsistency involves actions such as deleting the inconsistent rule or changing the order in which the rules are executed. Not all inconsistent firewall rules should be deleted, as deletion can open loopholes within the firewall and lead to security issues as well as denial of service. In this project, an algorithm to detect inconsistencies in firewalls is implemented to detect and display the different types of inconsistencies present in the firewall.
Also, the heuristic rules developed for inconsistency-induced learning over firewall rules help users decide how to resolve the inconsistencies.

ACKNOWLEDGEMENTS

I would like to take this opportunity to thank all the people who have been involved in this project, without whose professional knowledge, guidance and encouragement this project would not have been successfully completed. I would like to specially thank my project advisors Dr. Du Zhang and Dr. Meiliu Lu for giving me the opportunity to work under their guidance. Dr. Du Zhang's valuable input and constant support gave shape to my project. I appreciate my project advisors and Dr. Nikrouz Faroughi for taking extra effort to review my project report. I would also like to thank my parents J. V. V. Satyanarayana and J. Anantha Laxmi and my sister J. Priyanka for believing in me and being my support system to overcome all challenges.

TABLE OF CONTENTS

Acknowledgements (v)
List of Tables (viii)
List of Figures (x)
Chapters
1. INTRODUCTION (1)
2. RELATED WORK (8)
3. DESIGN (10)
   3.1. Definitions (10)
   3.2. Algorithm for Detecting Intra-Firewall and Inter-Firewall Inconsistencies (12)
   3.3. Resolving Inconsistencies (17)
4. RESOLVING INCONSISTENCIES (21)
   4.1. Program Implementation (42)
5. PERFORMANCE EVALUATION & COMPARISON (56)
6. CONCLUSION AND FUTURE WORK (59)
   6.1. Conclusion (59)
   6.2. Future Work (60)
Appendix A (61): Shadow Inconsistency (61), Correlation Inconsistency (65), Exception Inconsistency (70), Denial of Service (101)
Appendix B (108)
Appendix C (115)
Appendix D (116)
Appendix E (117)
Appendix F (118)
Appendix G (140)
Appendix H (159)
Appendix I (180)
Appendix K (194)
Appendix L (202)
Appendix M (243)
References (250)

LIST OF TABLES

Table 1.1 Access Control List (1)
Table 1.2 Shadow Inconsistency (4)
Table 1.3 Correlation Inconsistency (5)
Table 1.4 Exception Inconsistency (6)
Table 1.5 Denial of Service Conflict (7)
Table 4.1 ACL Decomposed Allow File (A) (23)
Table 4.2 ACL Decomposed Allow File Based on Protocol (Api) (23)
Table 4.3 ACL Decomposed Deny File (D) (23)
Table 4.4 ACL Decomposed Deny File Based on Protocol (Dpi) (24)
Table 4.5 Depicting Comparison of Rules (27)
Table 4.6 Shadow Inconsistency Flag Definition (27)
Table 4.7 Flags Fulfilling Shadow Inconsistency Definition (28)
Table 4.8 Correlation Inconsistency Flag Definition (30)
Table 4.9 Flags Fulfilling Correlation Inconsistency Definition (31)
Table 4.10 Correlation Inconsistency (32)
Table 4.11 Resolved New Rules (Correlation Inconsistency) (33)
Table 4.12 Exception Inconsistency Flag Definition (34)
Table 4.13 Flags Fulfilling Exception Inconsistency Definition (35)
Table 4.14 Exception Inconsistency (38)
Table 4.15 Resolved New Rules (Exception Inconsistency) (39)
Table 4.16 Denial of Service Conflict Flag Definition (39)
Table 4.17 Flags Fulfilling Denial of Service Conflict Definition (40)
Table 4.18 Denial of Service Conflict (41)
Table 4.19 Resolved New Rules (Denial of Service Conflict) (42)

LIST OF FIGURES

Figure 4.1 Multi Firewall Network (22)
Figure 4.2 Intra-Firewall Comparison Flow Chart (24)
Figure 4.3 Inter-Firewall Comparison Flow Chart (25)
Figure 4.4 Login Table (45)
Figure 4.5 Master ACL Table (46)
Figure 4.6 Report Summary Table (48)
Figure 4.7 Report Detail Table (50)
Figure 4.8 Login Screen (52)
Figure 4.9 Tab To View Access Control Master List (53)
Figure 4.10 Tab To View Report Summary (54)
Figure 4.11 Tab To View Report Detail (55)

Chapter 1
INTRODUCTION

Firewalls have become an integral part not only of enterprise networks but also of small-sized home networks, due to the increasing threat of network attacks. Firewalls act as a defense mechanism for secure networks by preventing attacks and filtering unauthorized traffic out of the network. The filtering is performed by filtering rules written from predefined security policy requirements. Although firewall rules help in securing the network, the complexity of managing the rules can limit the effectiveness of firewall security.
Inconsistency is one of the major problems faced when deploying firewall rules. Consistency means that no possible packet should receive different fates in the same firewall or in the same network.

Table 1.1 Access Control List

ID   Protocol  Source IP      Source Port  Destination IP   Destination Port  Action
R1   tcp       192.168.1.5    any          *.*.*.*          80                deny
R2   tcp       192.168.1.*    any          *.*.*.*          80                allow
R3   tcp       *.*.*.*        any          172.0.1.10       80                allow
R4   tcp       192.168.1.*    any          172.0.1.10       80                deny
R5   tcp       192.168.1.60   any          *.*.*.*          21                deny
R6   tcp       192.168.1.*    any          *.*.*.*          21                allow
R7   tcp       192.168.1.*    any          172.0.1.10       21                allow
R8   tcp       *.*.*.*        any          *.*.*.*          any               deny
R9   udp       192.168.1.*    any          172.0.1.10       53                allow
R10  udp       *.*.*.*        any          172.0.1.10       53                allow
R11  udp       192.168.2.*    any          172.0.2.*        any               allow
R12  udp       *.*.*.*        any          *.*.*.*          any               deny
R13  tcp       192.170.1.1    any          160.10.1.5       any               allow
R14  udp       209.157.21.1   any          209.157.22.26    80                allow
R15  tcp       192.168.1.34   any          192.168.123.0    any               deny
R16  tcp       192.168.1.204  any          192.168.123.132  any               deny
R17  tcp       172.28.49.0    any          100.1.1.0        any               deny
R18  tcp       209.157.21.0   24           209.157.22.0     24                deny
R19  udp       140.192.38.*   any          161.120.35.*     any               allow
R20  tcp       140.192.37.*   any          161.120.33.40    80                deny

The table above depicts a sample Access Control List, which typically consists of a Priority ID to identify each rule distinctly, a Protocol to specify the type of traffic (tcp, udp, smtp, etc.), Source IP, Source Port, Destination IP, Destination Port and, lastly, the Action to be performed by the rule.

Inconsistencies within firewalls can be classified into two levels:

1. Inter-Firewall Inconsistency. In general, an inter-firewall anomaly may exist if any two firewalls on a network path take different filtering actions on the same traffic. Referring to Figure 4.1, we assume a traffic stream flowing from Firewall 1 to Server 1 across multiple cascaded firewalls installed on the network path.
At any point on this path, in the direction of flow, a preceding firewall is called an upstream firewall and a following firewall is called a downstream firewall. The four types of inter-firewall inconsistency are Shadow, Correlation, Exception and Denial of Service Conflict. [3]

2. Intra-Firewall Inconsistency. Inconsistencies arise within a single firewall when some rules totally or partially mask other rules. These intra-firewall inconsistencies can be of three types: Shadowing, Exception and Correlation. [4]

Identifying an inconsistency is the first prerequisite to resolving it. There are various kinds of inconsistencies that can be observed in firewalls. The four types mainly dealt with in this project are:

1. Shadow Inconsistency – A rule is shadowed when a previous rule matches all the packets that match this rule, so that the shadowed rule will never be activated. Rule Ry is shadowed by rule Rx if Ry follows Rx in the order, Ry is a subset match of Rx, and the actions of Rx and Ry are different. As illustrated in Table 1.2, rule 4 (R4) is a subset match of rule 2 (R2) with a different action. We say that rule 4 is shadowed by rule 2, as rule 4 will never be activated. Shadowing is a critical error in the policy, as the shadowed rule never takes effect. This might cause permitted traffic to be blocked and vice versa. It is important to discover shadowed rules and alert the administrator, who can correct the error by reordering or removing the shadowed rule. [2]

Table 1.2 Shadow Inconsistency

ID                Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
R2 (Upstream)     tcp       192.168.1.*  any          *.*.*.*         80                allow
R4 (Downstream)   tcp       192.168.1.*  any          172.0.1.10      80                deny

2. Correlation Inconsistency – Two rules are correlated if the first rule in order matches some packets that match the second rule, and the second rule matches some packets that match the first rule. Rules Rx and Ry have a correlation anomaly if Rx and Ry are correlated and the actions of Rx and Ry are different. As illustrated in Table 1.3, rule 5 (R5) is in correlation with rule 7 (R7); if the order of the two rules is reversed, the effect of the resulting policy is different. Correlation is considered an anomaly warning because the correlated rules imply an action that is not explicitly handled by the filtering rules. Consider rules 5 and 7 in Table 1.3. With this ordering, the two rules imply that all FTP traffic (port 21) coming from address 192.168.1.60 and going to address 172.0.1.10 is denied; if their order is reversed, the same traffic is accepted. Therefore, to resolve this conflict, we point out the correlation between the rules and prompt the user to choose the solution that complies with the security policy requirements. [2]

Table 1.3 Correlation Inconsistency

ID                Protocol  Source IP     Source Port  Destination IP  Destination Port  Action
R5 (Upstream)     tcp       192.168.1.60  any          *.*.*.*         21                deny
R7 (Downstream)   tcp       192.168.1.*   any          172.0.1.10      21                allow

3. Exception Inconsistency – A rule is an exception of another rule if this general rule can match all the packets that match a specific rule preceding it. Rule Ry is an exception of rule Rx if Ry follows Rx in the order, Ry is a superset match of Rx, and the actions of Ry and Rx are different. As illustrated in Table 1.4, rule 2 (R2) is an exception to rule 8 (R8); if the order of the two rules is reversed, the effect of the resulting policy changes, and rule 2 is no longer effective, as it is then shadowed by rule 8.
Therefore, as a general guideline, if there is an inclusive match relationship between two rules, the superset (general) rule should come after the subset (specific) rule. Exception is considered only an anomaly warning because the specific rule makes an exception of the general rule, and thus it is important to highlight its action to the administrator for confirmation. [2]

Table 1.4 Exception Inconsistency

ID                Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
R2 (Upstream)     tcp       192.168.1.*  any          *.*.*.*         80                allow
R8 (Downstream)   tcp       *.*.*.*      any          *.*.*.*         any               deny

4. Denial of Service Conflict – Two rules Rx and Ry form a denial of service conflict if the upstream firewall rule (Rx) denies traffic that is allowed by the downstream firewall rule (Ry). The traffic never reaches the downstream firewall, even though that firewall allows it, because it is blocked upstream. A denial of service conflict can be considered a conjunction of the Shadow, Correlation and Exception inconsistencies, as Rx and Ry experience a denial of service conflict in the following three cases:

1) Rx and Ry match exactly but have conflicting actions, where the upstream rule (Rx) action is deny and the downstream rule (Ry) action is allow.
2) Rx and Ry are correlated but have conflicting actions, where the upstream rule (Rx) action is deny and the downstream rule (Ry) action is allow.
3) Rx is a subset of Ry but they have conflicting actions, where the upstream rule (Rx) action is deny and the downstream rule (Ry) action is allow.

In Table 1.5, rule 1 (R1) and rule 2 (R2) form a denial of service conflict, as traffic coming from source IP 192.168.1.5 is blocked by R1 and prevented from passing through. Here 192.168.1.5 is a subset of 192.168.1.*, with the upstream rule (R1) having action deny while the downstream rule (R2) has action allow, which gives rise to the denial of service conflict.
Table 1.5 Denial of Service Conflict

ID                Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
R1 (Upstream)     tcp       192.168.1.5  any          *.*.*.*         80                deny
R2 (Downstream)   tcp       192.168.1.*  any          *.*.*.*         80                allow

The goal of this project is to implement an algorithm to detect inconsistencies and also to define rules that help resolve the inconsistencies found in the firewalls. The following chapters describe in detail how this has been implemented.

Chapter 2
RELATED WORK

In [2], the Firewall Policy Advisor tool was implemented for anomaly-free policy editing, covering rule insertion, removal and modification. There the rules are represented with the help of a policy tree: rules are added to the tree and its branches are compared sequentially. The paper limits its discussion to intra-firewall inconsistencies and is not clear on how the tool could be applied in a multi-firewall scenario. [3] is similar to [2] in that it uses the same policy tree for rule insertion and modification, but it fails to identify all types of inconsistencies, such as Exception Inconsistency and Denial of Service Conflict. Also, 'allow' is taken as the default action, which can cause many discrepancies and create security breaches. MIRAGE [5] presented an audit process to set up a distributed access control policy free of anomalies. The paper proposes deleting all inconsistent rules from each firewall before proceeding to inter-firewall inconsistencies; the inconsistent rules are removed from the ACL automatically. However, its definitions for detecting intra-firewall inconsistencies do not cover all the types of inconsistency and are limited to Redundancy and Shadowing. Also, automatically deleting rules without review by the administrator poses the risk of deleting important rules, which, even though inconsistent, can create a security hole when eliminated.
[4][6][7][8][9][10][11] are some of the papers that deal with detecting inconsistencies, but they are not complete, as they fail to cover all types and, most importantly, inter-firewall inconsistencies and solutions to resolve them.

Many algorithms have been proposed to detect inconsistencies within a firewall, each employing a different approach to the same problem. The idea is to use the most efficient algorithm for detecting the inconsistencies. The algorithm chosen, from [1], is simple in nature and easy to understand. The concepts described in [1] pertain mainly to detecting single-firewall inconsistencies; they have been modified here to detect inconsistencies across multiple firewalls, and Denial of Service Conflict has been added to the definitions. Also, rules have been defined for a suggested solution, which helps the administrator decide what can be done to resolve the inconsistencies.

Chapter 3
DESIGN

The following describes the definitions and the algorithm implemented.

3.1. Definitions

Definition 1: A firewall rule in an ACL can be represented by one of the following first-order atomic formulas, where $i$ represents the Priority ID, $p$ the Protocol, $sip$ and $dip$ the Source IP and Destination IP respectively, and $sp$ and $dp$ the Source Port and Destination Port respectively. $allow$ and $deny$ represent the action performed by the rule. Given a firewall and its ACL, we can rewrite the rules in the ACL as atomic formulas through the allow and deny predicates, and use $\Omega_{ACL}$ to denote the set of formulas for the firewall. [1]

$allow(i, p, sip, sp, dip, dp)$
$deny(i, p, sip, sp, dip, dp)$

Definition 2: For two rules $R_j$ and $R_k$ with source and destination patterns $SD_j = \langle sip_j, sp_j, dip_j, dp_j \rangle$ and $SD_k = \langle sip_k, sp_k, dip_k, dp_k \rangle$, assuming $\alpha \in SD_j$ and $\beta \in SD_k$, we use $\alpha \leftrightarrow \beta$ to denote that $\alpha$ and $\beta$ are corresponding terms in $SD_j$ and $SD_k$, respectively.
When $(\alpha \not\subseteq \beta) \wedge (\beta \not\subseteq \alpha)$, we use $\alpha \not\equiv \beta$ to denote the disjointedness of the two [1]. The matching relations between two rules are then:

• Exact matching, denoted $R_j(SD_j) = R_k(SD_k)$, if we have:
  $(sip_j = sip_k) \wedge (sp_j = sp_k) \wedge (dip_j = dip_k) \wedge (dp_j = dp_k)$
• Inclusive matching, denoted $R_j(SD_j) \subset R_k(SD_k)$, when we have:
  $[(sip_j \subseteq sip_k) \wedge (sp_j \subseteq sp_k) \wedge (dip_j \subseteq dip_k) \wedge (dp_j \subseteq dp_k)] \wedge [\exists \alpha \in SD_j\, \exists \beta \in SD_k\, ((\alpha \leftrightarrow \beta) \wedge (\alpha \subset \beta))]$
• Correlating matching, denoted $R_j(SD_j)$ ⟗ $R_k(SD_k)$, if we have:
  $[\exists \alpha \in SD_j\, \exists \beta \in SD_k\, ((\alpha \leftrightarrow \beta) \wedge (\alpha \neq \beta) \wedge (\alpha \cap \beta \neq \emptyset))] \wedge [\forall \mu \in (SD_j - \alpha)\, \forall \lambda \in (SD_k - \beta)\, (\mu \subseteq \lambda)]$
• Disjoint, denoted $R_j(SD_j) \not\equiv R_k(SD_k)$, when we have:
  $\forall \alpha \in SD_j\, \forall \beta \in SD_k\, [(\alpha \leftrightarrow \beta) \wedge (\alpha \not\equiv \beta)]$

Definition 3. Given $\Omega_{ACL}$ for a firewall, we can decompose $\Omega_{ACL}$ into the following two subsets [1]:
• $\mathbf{D} = \{deny(\ldots) \mid deny(\ldots) \in \Omega_{ACL}\}$
• $\mathbf{A} = \{allow(\ldots) \mid allow(\ldots) \in \Omega_{ACL}\}$

We further decompose $\mathbf{D}$ and $\mathbf{A}$ into subsets according to the protocol involved (assuming that there are $m$ different protocols):
• $\mathbf{D} = \mathbf{D}_{p_1} \cup \ldots \cup \mathbf{D}_{p_m}$
• $\mathbf{A} = \mathbf{A}_{p_1} \cup \ldots \cup \mathbf{A}_{p_m}$, where
  $\mathbf{D}_{p_i} = \{deny(\_, p_i, \ldots) \mid deny(\_, p_i, \ldots) \in \Omega_{ACL}\}$ and $\mathbf{A}_{p_i} = \{allow(\_, p_i, \ldots) \mid allow(\_, p_i, \ldots) \in \Omega_{ACL}\}$

Definition 4. The domains for firewall inconsistencies with regard to a particular type of traffic flow (protocol) are defined as follows, where $m$ is the number of protocols [1]:
• $\text{Ð}(p_1) = \mathbf{D}_{p_1} \times \mathbf{A}_{p_1} \cup \mathbf{A}_{p_1} \times \mathbf{D}_{p_1}$
  $\ldots$
• $\text{Ð}(p_m) = \mathbf{D}_{p_m} \times \mathbf{A}_{p_m} \cup \mathbf{A}_{p_m} \times \mathbf{D}_{p_m}$

3.2. Algorithm for Detecting Intra-Firewall and Inter-Firewall Inconsistencies

Input:  Ω_ACL, D, A, the m protocols involved in the firewall rules;
        N: the network, with firewalls {f_j, f_(j+1), ..., f_(j+(k-1))}, where k is the total number of firewalls in the network;
        path {f_p, f_(p+1), ..., f_(p+(n-1))}: f_p is a firewall on the path from source_domain to destination_domain and n is the total number of firewalls on the path
Output: ConflictACL   // the set of conflicting cases for the ACL

    ConflictACL = ∅
    IntraFirewallConflictShadow = ∅; IntraFirewallConflictCorre = ∅; IntraFirewallConflictExcep = ∅
    InterFirewallConflictShadow = ∅; InterFirewallConflictCorre = ∅; InterFirewallConflictExcep = ∅
    InterFirewallConflictDenial = ∅

    ∀ path ∈ N {
        // Intra-firewall comparison: deny rules against allow rules of the same protocol within one firewall
        ∀ firewall ∈ path {
            for (i = 1; i <= m; i++) {
                ∀ d ∈ D_pi, ∀ a ∈ A_pi {
                    if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) = R_k(SD_k))]
                     ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) = R_k(SD_k))]
                    then IntraFirewallConflictShadow = IntraFirewallConflictShadow ∪ {R_j, R_k}

                    if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⟗ R_k(SD_k))]
                     ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⟗ R_k(SD_k))]
                    then IntraFirewallConflictCorre = IntraFirewallConflictCorre ∪ {R_j, R_k}

                    if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⊂ R_k(SD_k))]
                     ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⊂ R_k(SD_k))]
                    then IntraFirewallConflictExcep = IntraFirewallConflictExcep ∪ {R_j, R_k}
                }
            }
        }

        // Inter-firewall comparison: merge the allow and deny files of every firewall on the path
        A_master = f_1(Allow)      // firewall 1 allow file starts the allow master file
        D_master = f_1(Deny)       // firewall 1 deny file starts the deny master file
        for (j = 2; j <= n; j++) {
            A_master = A_master ∪ f_j(Allow)
            D_master = D_master ∪ f_j(Deny)
        }
        for (i = 1; i <= m; i++) {
            ∀ d ∈ (D_master)_pi, ∀ a ∈ (A_master)_pi {     // rules of protocol p_i from the merged files
                if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) = R_k(SD_k))]
                 ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) = R_k(SD_k))]
                then InterFirewallConflictShadow = InterFirewallConflictShadow ∪ {R_j, R_k}

                if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⟗ R_k(SD_k))]
                 ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⟗ R_k(SD_k))]
                then InterFirewallConflictCorre = InterFirewallConflictCorre ∪ {R_j, R_k}

                if [(d = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a = allow(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⊂ R_k(SD_k))]
                 ∨ [(a = allow(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (d = deny(k, p_i, sip_k, sp_k, dip_k, dp_k)) ∧ (R_j(SD_j) ⊂ R_k(SD_k))]
                then InterFirewallConflictExcep = InterFirewallConflictExcep ∪ {R_j, R_k}

                // Denial of service conflict: an upstream deny against a downstream allow (exact, correlated or subset)
                if (d_upstream = deny(j, p_i, sip_j, sp_j, dip_j, dp_j)) ∧ (a_downstream = allow(k, p_i, sip_k, sp_k, dip_k, dp_k))
                   ∧ [(R_j(SD_j) = R_k(SD_k)) ∨ (R_j(SD_j) ⟗ R_k(SD_k)) ∨ (R_j(SD_j) ⊂ R_k(SD_k))]
                then InterFirewallConflictDenial = InterFirewallConflictDenial ∪ {R_j, R_k}
            }
        }
    }

    ConflictACL = IntraFirewallConflictShadow ∪ IntraFirewallConflictCorre ∪ IntraFirewallConflictExcep
                ∪ InterFirewallConflictShadow ∪ InterFirewallConflictCorre ∪ InterFirewallConflictExcep
                ∪ InterFirewallConflictDenial
    return ConflictACL

3.3. Resolving Inconsistencies

When resolving the inconsistencies in firewalls, there are some things we have to keep in view in order to obtain a consistent firewall. When several firewalls are chained together, a packet has to survive the filtering action of all the firewalls on its path to reach its destination.
We therefore have to:

• ensure that none of the firewalls on the path will drop the packets, and
• ensure that none of the possible paths will allow malicious packets to access the protected network.

Any nonconformance may result in undesired blocking, unauthorized access, or even the potential for an unauthorized person to alter security configuration parameters. It can be a daunting task for a network administrator to decide what action to take for the inconsistencies detected and how to deal with the anomalies. The solution I propose is to develop heuristic rules that help the administrator decide how to resolve the inconsistencies.

It is useful to have a list of the possible relations between rules; this helps us understand where the inconsistencies occur and also define a solution for them. There are six possible relations between any two rules in different firewalls:

Completely Disjoint – Two rules Rx and Ry in the same network path are completely disjoint if the Source IP, Source Port, Destination IP and Destination Port fields in Rx are neither a superset of, a subset of, nor equal to the corresponding fields in Ry. In such a case there is no inconsistency.

Completely Matching – Two rules Rx and Ry in the same network path are completely matching if each of the Source IP, Source Port, Destination IP and Destination Port fields in Rx is equal to the corresponding field in Ry. We categorize such a situation as Shadow Inconsistency. However, two rules belonging to two distinct firewalls in different network paths can also be completely matching; in that scenario it is not considered an inconsistency, since Rx is not affected by Ry having completely matching fields.
Inclusive Matching – Two rules Rx and Ry in the same network path are inclusive matching if the Source IP, Source Port, Destination IP and Destination Port fields do not all match exactly and every field in Rx is a subset of or equal to the corresponding field in Ry. This is categorized as Exception Inconsistency. Two rules belonging to two distinct firewalls in different network paths are not affected by being inclusive matching, as traffic flowing through path 1 has no interaction with the firewalls of path 2 by which the action performed on the packet could be affected.

Correlated – Two rules Rx and Ry in the same network path are correlated if some fields in Rx are subsets of or equal to the corresponding fields in Ry, and the remaining fields in Rx are supersets of the corresponding fields in Ry. This is categorized as Correlation Inconsistency. However, two rules belonging to two distinct firewalls in different network paths are not affected by being correlated, for the same reason as stated above.

There are two possible actions that can be taken when resolving inconsistencies:

Removal – Not all inconsistent firewall rules are deleted, as this can result in loopholes within the firewall and lead to security issues as well as denial of service. However, deletion can be the only optimal solution for an inconsistency where two rules are exactly the same in every field but perform the contrary actions Allow and Deny. In such a situation we compare the priorities and delete the rule with the lower priority. For inter-firewall inconsistencies, the priority is established by the unique global ID, which not only helps identify the location of the inconsistency (which rules of which firewalls are causing it) but also establishes the priority of the rule. Essentially, an upstream firewall has higher priority than a downstream firewall.
That is, a rule originating from an upstream firewall has higher priority than a rule originating from a downstream firewall. The generated report also specifies the upstream and downstream rule along with the unique ID, which makes it easier for the administrator to make a decision.

Modification of Rule – We can modify the firewall rules to eliminate the fields causing the inconsistency. Modifying a rule does involve introducing new rules in place of the original rule, but without changing the true meaning of the original rule. Not all rules can be modified in the same way; the changes to be introduced depend on the type of inconsistency. In the next section we will see the different cases in which an inconsistency can occur and how to deal with each of them.

Chapter 4
RESOLVING INCONSISTENCIES

In this chapter we will see how we can resolve inconsistencies by deploying the respective rules. Consider a multi-firewall network as in Figure 4.1. Before we proceed, it is essential to note the path of the packet, which is why it is essential to know how the firewalls are connected to each other. The first step therefore involves determining the list of network paths between every two sub-domains in the network and all the firewalls in the traffic flow. In Figure 4.1 we have two network paths:

1) Network 1 (N1) - consisting of Firewall 1, Firewall 2, Firewall 4, Firewall 6
2) Network 2 (N2) - consisting of Firewall 1, Firewall 3, Firewall 5, Firewall 7

Determining the network paths helps us identify which firewalls should be compared, as comparing two unrelated firewalls does not give optimal results and is futile. As we saw earlier, there are two levels of inconsistency, Inter-Firewall and Intra-Firewall, so we have to detect and resolve inconsistencies at two levels. For every firewall in the path, we first run the algorithm for detecting Inter-Firewall inconsistencies and then for Intra-Firewall inconsistencies.
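The pairwise relation test behind this two-level detection (completely disjoint, completely matching, inclusive matching, correlated, as defined above), as an added example written for this page and not the project's Java implementation: a rule pair is classified into the four inconsistency types the chapter develops next. The sample ACL is constructed from Tables 4.1 and 4.3 below, and treating a higher-priority deny rule nested inside a later allow rule as the denial-of-service conflict (the R1/R2 case of Table 4.18) is this example's reading of the chapter.

```python
"""Pairwise rule relations and inconsistency types (added example, not the
project's Java code).  Notation as in the chapter: an IP is four octets, each a
number or '*'; a port is a number or 'any'."""
from dataclasses import dataclass

EQUAL, SUBSET, SUPERSET, DISJOINT = "equal", "subset", "superset", "disjoint"
WILD = {"*", "any"}


@dataclass(frozen=True)
class Rule:
    rid: str        # local id "R5" or global id "N1-Z1-A1-R5"
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str     # "allow" or "deny"


def _atom_relation(a, b):
    """One octet or port of R1 (a) against R2 (b); '*' and 'any' match all."""
    a, b = a.lower(), b.lower()
    if a == b:
        return EQUAL
    if b in WILD:
        return SUBSET      # a is the more specific value, so a lies inside b
    if a in WILD:
        return SUPERSET
    return DISJOINT


def field_relation(a, b):
    """Whole-field relation; condenses the per-octet flag rows of Tables
    4.6/4.8/4.12/4.16.  As in Chapter 3, anything that is neither equal nor
    nested (e.g. '192.*.1.5' vs '192.168.*.5') counts as completely disjoint."""
    rels = {_atom_relation(x, y) for x, y in zip(a.split("."), b.split("."))}
    if DISJOINT in rels or {SUBSET, SUPERSET} <= rels:
        return DISJOINT
    if SUBSET in rels:
        return SUBSET
    return SUPERSET if SUPERSET in rels else EQUAL


def classify(r1, r2):
    """Inconsistency type for a pair, r1 being the higher-priority rule
    (upstream, or earlier in the ACL).  None means no conflict is possible:
    different protocol, same action, or completely disjoint fields.
    A deny rule nested in a lower-priority allow rule is reported as
    'denial of service' (Table 4.18); that mapping is this example's reading."""
    if r1.proto.lower() != r2.proto.lower() or r1.action == r2.action:
        return None
    rels = [field_relation(x, y) for x, y in (
        (r1.src_ip, r2.src_ip), (r1.src_port, r2.src_port),
        (r1.dst_ip, r2.dst_ip), (r1.dst_port, r2.dst_port))]
    if DISJOINT in rels:
        return None
    if all(r == EQUAL for r in rels):
        return "shadow"                      # completely matching
    if SUPERSET not in rels:                 # inclusive: r1 lies inside r2
        return "denial of service" if (r1.action, r2.action) == ("deny", "allow") else "exception"
    if SUBSET not in rels:                   # inclusive: r2 lies inside r1
        return "exception"
    return "correlation"                     # mixed subsets and supersets


def find_inconsistencies(acl):
    """Intra-firewall comparison of Figure 4.2: every allow rule against every
    deny rule of the same ACL; the rule listed first is r1."""
    order = {r.rid: i for i, r in enumerate(acl)}
    allow = [r for r in acl if r.action == "allow"]
    deny = [r for r in acl if r.action == "deny"]
    found = []
    for a in allow:
        for d in deny:
            r1, r2 = (a, d) if order[a.rid] < order[d.rid] else (d, a)
            kind = classify(r1, r2)
            if kind is not None:
                found.append((r1.rid, r2.rid, kind))
    return found


# Constructed sample ACL in priority order, taken from Tables 4.1 and 4.3.
SAMPLE_ACL = [
    Rule("R1", "tcp", "192.168.1.5", "any", "*.*.*.*", "80", "deny"),
    Rule("R2", "tcp", "192.168.1.*", "any", "*.*.*.*", "80", "allow"),
    Rule("R5", "tcp", "192.168.1.60", "any", "*.*.*.*", "21", "deny"),
    Rule("R7", "tcp", "192.168.1.*", "any", "172.0.1.10", "21", "allow"),
    Rule("R8", "tcp", "*.*.*.*", "any", "*.*.*.*", "any", "deny"),
]

if __name__ == "__main__":
    for r1, r2, kind in find_inconsistencies(SAMPLE_ACL):
        print(f"Rules {r1},{r2} {kind} inconsistency")
```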
Figure 4.1 Multi Firewall Network

For detecting and resolving inconsistencies, we have to decompose the rules for easy comparison. The Access Control List in Table 1.1 is decomposed into allow and deny files, and further by protocol, as follows –

Table 4.1 ACL Decomposed Allow File (A)

ID   Protocol  Source IP     Source Port  Destination IP  Destination Port
R2   tcp       192.168.1.*   any          *.*.*.*         80
R3   tcp       *.*.*.*       any          172.0.1.10      80
R6   tcp       192.168.1.*   any          *.*.*.*         21
R7   tcp       192.168.1.*   any          172.0.1.10      21
R9   udp       192.168.1.*   any          172.0.1.10      53
R10  udp       *.*.*.*       any          172.0.1.10      53
R11  udp       192.168.2.*   any          172.0.2.*       any
R13  tcp       192.170.1.1   any          160.10.1.5      any
R14  udp       209.157.21.1  any          209.157.22.26   80
R19  udp       140.192.38.*  any          161.120.35.*    any

The ACL is further decomposed according to protocol as (Api):

Table 4.2 ACL Decomposed Allow File Based on Protocol (Api)

Allow(R2, tcp, 192.168.1.*, any, *.*.*.*, 80)
Allow(R3, tcp, *.*.*.*, any, 172.0.1.10, 80)
Allow(R6, tcp, 192.168.1.*, any, *.*.*.*, 21)
Allow(R7, tcp, 192.168.1.*, any, 172.0.1.10, 21)
Allow(R13, tcp, 192.170.1.1, any, 160.10.1.5, any)
Allow(R9, udp, 192.168.1.*, any, 172.0.1.10, 53)
Allow(R10, udp, *.*.*.*, any, 172.0.1.10, 53)
Allow(R11, udp, 192.168.2.*, any, 172.0.2.*, any)
Allow(R14, udp, 209.157.21.1, any, 209.157.22.26, 80)
Allow(R19, udp, 140.192.38.*, any, 161.120.35.*, any)

Table 4.3 ACL Decomposed Deny File (D)

ID   Protocol  Source IP      Source Port  Destination IP   Destination Port
R1   tcp       192.168.1.5    any          *.*.*.*          80
R4   tcp       192.168.1.*    any          172.0.1.10       80
R5   tcp       192.168.1.60   any          *.*.*.*          21
R8   tcp       *.*.*.*        any          *.*.*.*          any
R12  udp       *.*.*.*        any          *.*.*.*          any
R15  tcp       192.168.1.34   any          192.168.123.0    any
R16  tcp       192.168.1.204  any          192.168.123.132  any
R17  tcp       172.28.49.0    any          100.1.1.0        any
R18  tcp       209.157.21.0   24           209.157.22.0     24

The ACL is further decomposed according to protocol as (Dpi):

Table 4.4 ACL Decomposed Deny File Based on Protocol (Dpi)

deny(R1, tcp, 192.168.1.5, any, *.*.*.*, 80)
deny(R4, tcp, 192.168.1.*, any, 172.0.1.10, 80)
deny(R5, tcp, 192.168.1.60, any, *.*.*.*, 21)
deny(R8, tcp, *.*.*.*, any, *.*.*.*, any)
deny(R12, udp, *.*.*.*, any, *.*.*.*, any)
deny(R15, tcp, 192.168.1.34, 192.168.123.0, any)
deny(R16, tcp, 192.168.1.204, 192.168.123.132, any)
deny(R17, tcp, 172.28.49.0, any, 100.1.1.0, any)
deny(R18, tcp, 172.28.49.0, 24, 209.157.22.0, 24)

Figure 4.2 Intra-Firewall Comparison Flow Chart

Figure 4.3 Inter-Firewall Comparison Flow Chart

Referring to Figure 4.1, we do the comparison for networks N1 and N2 as follows:

N1 - Compare the allow and deny files of Firewall 1, Firewall 2, Firewall 4 and Firewall 6 individually, so we can detect the inconsistencies within each firewall (Figure 4.2).
N1 - Compare the allow and deny files of Firewall 1 and Firewall 2 to detect inter-firewall inconsistencies between the two (Figure 4.3).
N1 - Concatenate the Firewall 1 and Firewall 2 rules so we get (Firewall 1 + Firewall 2) rules, and compare this with Firewall 4. Since upstream firewalls have higher priority, when concatenating, the downstream firewall rules are appended after the upstream firewall rules. The presence of a unique global ID ensures that the integrity of the rules is maintained: it keeps track of which rules came from which firewall and with which rules they form an inconsistency.
N1 - Concatenate the Firewall 1, Firewall 2 and Firewall 4 rules so we get (Firewall 1 + Firewall 2 + Firewall 4) rules, and compare this with Firewall 6. With this step we complete the comparisons for network N1.
N2 - Compare the allow and deny files of Firewall 1, Firewall 3, Firewall 5 and Firewall 7 individually, so we can detect the inconsistencies within each firewall (Figure 4.2).
N2 - Compare the allow and deny files of Firewall 1 and Firewall 3 to detect inter-firewall inconsistencies between the two (Figure 4.3).
N2 - Concatenate the Firewall 1 and Firewall 3 rules so we get (Firewall 1 + Firewall 3) rules, and compare this with Firewall 5.
N2 - Concatenate the Firewall 1, Firewall 3 and Firewall 5 rules so we get (Firewall 1 + Firewall 3 + Firewall 5) rules, and compare this with Firewall 7.
With this step we complete the comparisons for network N2.

For easy representation, we depict Source IP, Source Port, Destination IP and Destination Port as follows:

Source IP address = sa.sb.sc.sd
Source port = sp
Destination IP address = da.db.dc.dd
Destination port = dp

Example –

Table 4.5 Depicting Comparison of Rules

ID  Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
R1  tcp       192.168.1.5  Any          *.*.*.*         80                deny
R2  tcp       192.168.1.5  Any          *.*.*.*         80                allow
              sa.sb.sc.sd  sp           da.db.dc.dd     dp

Table 4.6 Shadow Inconsistency Flag Definition

Condition (Compare R1, R2)   Flag
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”   Flag 1 = true
If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 2 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”   Flag 3 = true
If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 4 = true
If Source Port = “R1.sp = R2.sp”   Flag 5 = true
If Source Port = “R1.* = R2.sp”   Flag 6 = true
If Destination Port = “R1.dp = R2.dp”   Flag 7 = true
If Destination Port = “R1.* = R2.dp”   Flag 8 = true

Table 4.7 Flags Fulfilling Shadow Inconsistency Definition
(R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny))

Flag 1, Flag 3, Flag 5, Flag 7
Flag 1, Flag 3, Flag 5, Flag 8
Flag 1, Flag 3, Flag 6, Flag 7
Flag 1, Flag 3, Flag 6, Flag 8
Flag 1, Flag 4, Flag 5, Flag 7
Flag 1, Flag 4, Flag 5, Flag 8
Flag 1, Flag 4, Flag 6, Flag 7
Flag 1, Flag 4, Flag 6, Flag 8
Flag 2, Flag 3, Flag 5, Flag 7
Flag 2, Flag 3, Flag 5, Flag 8
Flag 2, Flag 3, Flag 6, Flag 7
Flag 2, Flag 3, Flag 6, Flag 8
Flag 2, Flag 4, Flag 5, Flag 7
Flag 2, Flag 4, Flag 5, Flag 8
Flag 2, Flag 4, Flag 6, Flag 7
Flag 2, Flag 4, Flag 6, Flag 8

A comparison of two rules R1 and R2 proceeds, for instance, in the following way –

For Source IP - Compare R1, R2: if source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”, then flag1 = true (compare 192 with 192, 168 with 168, 1 with 1, 5 with 5; flag1 = true) (Table 4.6)
For Source Port - Compare R1, R2: if source port = “R1.sp = R2.sp”, then flag5 = true (compare any with any; flag5 = true) (Table 4.6)
For Destination IP - Compare R1, R2: if destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”, then flag3 = true (compare * with *, * with *, * with *, * with *; flag3 = true) (Table 4.6)
For Destination Port - Compare R1, R2: if destination port = “R1.dp = R2.dp”, then flag7 = true (compare 80 with 80; flag7 = true) (Table 4.6)

For each comparison we set a flag, e.g. flag1 = true. At the end we use these flags to detect inconsistencies (Table 4.7). This is how we flag each comparison:

1. Compare R1, R2: if source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”, then flag1 = true
2. Compare R1, R2: if source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then flag2 = true

We then compare the flags to conclude which type of inconsistency has been detected. For instance – If (flag1 = true, flag3 = true, flag5 = true, flag7 = true) and R1(action = allow) and R2(action = deny), or R2(action = allow) and R1(action = deny), then create a shadow inconsistency. Rules which conform to this condition can be seen in Table 4.8. In R1 and R2, each of the source IP, source port, destination port and destination IP fields of R1 matches that of R2, but they have the contradicting actions ‘Allow’ and ‘Deny’. We therefore conclude that R1 and R2 form a shadow inconsistency.

Now that we have detected the inconsistency, we can proceed with resolving it. The corresponding rule for resolving the R1/R2 inconsistency is as follows:

To resolve the inconsistency, compare the priority levels of R1 and R2. If the priority level of R1 > R2, then keep R1 and delete R2. If the priority level of R2 > R1, then keep R2 and delete R1.

In conforming to the above rule, we compare the R1 and R2 priorities. Upstream traffic has higher priority than downstream traffic; therefore R1 has greater priority than R2.
We therefore delete Rule R2 and keep R1. Correlation Inconsistency Example – Table 4.8 Correlation Inconsistency Flag Definition Condition (Compare R1, R2) Flag If Source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*” If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd” If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*” If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd” If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*” Flag 1 = true If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd” Flag 6 = true Flag 2 = true Flag 3 = true Flag 4 = true Flag 5 = true 31 If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*” If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd” If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*” If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd” If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd” If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*” If Source Port = “R1.sp = R2.sp” If Source Port = “R1.sp = R2.*” If Source Port = “R1.* = R2.sp” If Destination Port = “R1.dp = R2.dp” If Destination Port = “R1.dp = R2.*” If Destination Port = “R1.* = R2.dp” Flag 7 = true Flag 8 = true Flag 9 = true Flag 10 = true Flag 11 = true Flag 12 = true Flag 13 = true Flag 14 = true Flag 15 = true Flag 16 = true Flag 17 = true Flag 18 = true Table 4.9 Flags Fulfilling Correlation Inconsistency Definition Flags Fulfilling Correlation Inconsistency Definition (R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny)) Flag 1, Flag 8, Flag 13, Flag 16 Flag 2, Flag 7, Flag 13, Flag 16 Flag 3, Flag 10, Flag 13, Flag 16 Flag 4, Flag 9, Flag 13, Flag 16 Flag 5, Flag 11, Flag 13, Flag 16 Flag 6, Flag 12, Flag 13, Flag 16 Flag 1, Flag 10, Flag 13, Flag 16 Flag 1, 
Flag 11, Flag 13, Flag 16 Flag 2, Flag 9, Flag 13, Flag 16 Flag 2, Flag 12, Flag 13, Flag 16 Flag 3, Flag 8, Flag 13, Flag 16 Flag 3, Flag 11, Flag 13, Flag 16 Flag 4, Flag 7, Flag 13, Flag 16 Flag 4, Flag 12, Flag 13, Flag 16 Flag 5, Flag 9, Flag 13, Flag 16 Flag 5, Flag 8, Flag 13, Flag 16 Flag 6, Flag 7, Flag 13, Flag 16 Flag 6, Flag 12, Flag 13, Flag 16 32 1. Compare R1, R2 If source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”, then flag3=true (Table 4.8) 2. Compare R1, R2 If destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd” then flag 8=true 3. Compare R1, R2 If source Port = “R1.sp= R2.sp”, then flag13=true 4. Compare R1, R2 If destination Port = “R1.dp= R2.dp” , then flag16=true If (flag3=true, flag8=true, flag13=true, flag16=true) and R1 (action=allow) and R2 (action=deny) or R2 (action=allow) and R1 (action=deny) then create correlation inconsistency (Table 4.9) a. To resolve inconsistency Change R1 destination IP from * to < R2 destination IP b. Introduce new rule with R1 destination IP > R2 destination IP c. Change R2 source IP (sd) from * to < R1 source IP (sd) d. Introduce new rule with R2 source IP (sd) > R1 source IP (sd) The rules which confirm to the above definition of Correlation Inconsistency are rules R5 and R7 Table 4.10 Correlation Inconsistency PRIORITY ID PROTOCOL SOURCE IP SOURCE PORT R5 tcp R7 tcp 192.168. Any 1.60 192.168. Any 1.* DESTINATION IP DESTINATION PORT ACTION *.*.*.* 21 deny 172.0.1.10 21 allow 33 To resolve the above inconsistency – Change R7 source IP from * to < R5 source IP and introduce new rule with R7 source IP > R5. We do this since R5 forms a subset of R7 and they have conflicting actions therefore we change R7 source IP to overcome this inconsistency. Change R5 destination IP from * to < R7 and introduce new rule with R5 destination IP > R7. It is not sufficient to just modify rule R7 as R7 also forms a subset of R5 at destination IP. 
To take care of the inconsistency we have to modify R5 as well.

Table 4.11 Resolved New Rules (Correlation Inconsistency)

PRIORITY ID  PROTOCOL  SOURCE IP       SOURCE PORT  DESTINATION IP  DESTINATION PORT  ACTION
R5           tcp       192.168.1.60    Any          172.0.1.8       21                deny
R6           tcp       192.168.1.60    Any          172.0.1.55      21                deny
R7           tcp       192.168.1.0/27  Any          172.0.1.10      21                allow

By doing this we have introduced the new rule R6, modified rules R5 and R7, and resolved the inconsistency. The priority IDs of the new rules conform to the existing Access Control List. When a rule is introduced into the ACL, the priorities of the subsequent rules have to be modified to conform to the newly introduced rule. This is not a problem, as the changes are made to the input files, which are in text/Excel format.

Exception Inconsistency Example –

Table 4.12 Exception Inconsistency Flag Definition

Condition (Compare R1, R2)   Flag
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”   Flag 1 = true
If Source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”   Flag 2 = true
If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 3 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”   Flag 4 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd”   Flag 5 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*”   Flag 6 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 7 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”   Flag 8 = true
If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”   Flag 9 = true
If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 10 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*”   Flag 11 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd”   Flag 12 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 13 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*”   Flag 14 = true
If Source Port = “R1.sp = R2.sp”   Flag 15 = true
If Source Port = “R1.sp = R2.*”   Flag 16 = true
If Source Port = “R1.* = R2.sp”   Flag 17 = true
If Destination Port = “R1.dp = R2.dp”   Flag 18 = true
If Destination Port = “R1.dp = R2.*”   Flag 19 = true
If Destination Port = “R1.* = R2.dp”   Flag 20 = true

Table 4.13 Flags Fulfilling Exception Inconsistency Definition
(R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny))

Flag 1, Flag 9, Flag 15, Flag 18
Flag 1, Flag 9, Flag 15, Flag 19
Flag 1, Flag 9, Flag 16, Flag 18
Flag 1, Flag 9, Flag 16, Flag 19
Flag 1, Flag 10, Flag 15, Flag 18
Flag 1, Flag 10, Flag 15, Flag 20
Flag 1, Flag 10, Flag 17, Flag 18
Flag 1, Flag 10, Flag 17, Flag 20
Flag 1, Flag 11, Flag 15, Flag 18
Flag 1, Flag 11, Flag 15, Flag 19
Flag 1, Flag 11, Flag 16, Flag 18
Flag 1, Flag 11, Flag 16, Flag 19
Flag 1, Flag 12, Flag 15, Flag 18
Flag 1, Flag 12, Flag 15, Flag 20
Flag 1, Flag 12, Flag 17, Flag 18
Flag 1, Flag 12, Flag 17, Flag 20
Flag 1, Flag 13, Flag 15, Flag 18
Flag 1, Flag 13, Flag 15, Flag 20
Flag 1, Flag 13, Flag 17, Flag 18
Flag 1, Flag 13, Flag 17, Flag 20
Flag 1, Flag 14, Flag 15, Flag 18
Flag 1, Flag 14, Flag 15, Flag 19
Flag 1, Flag 14, Flag 16, Flag 18
Flag 1, Flag 14, Flag 16, Flag 19
Flag 2, Flag 8, Flag 15, Flag 18
Flag 2, Flag 8, Flag 15, Flag 19
Flag 2, Flag 8, Flag 16, Flag 18
Flag 2, Flag 8, Flag 16, Flag 19
Flag 2, Flag 9, Flag 15, Flag 18
Flag 2, Flag 9, Flag 15, Flag 19
Flag 2, Flag 9, Flag 16, Flag 18
Flag 2, Flag 9, Flag 16, Flag 19
Flag 2, Flag 11, Flag 15, Flag 18
Flag 2, Flag 11, Flag 15, Flag 19
Flag 2, Flag 11, Flag 16, Flag 18
Flag 2, Flag 11, Flag 16, Flag 19
Flag 2, Flag 14, Flag 15, Flag 18
Flag 2, Flag 14, Flag 15, Flag 19
Flag 2, Flag 14, Flag 16, Flag 18
Flag 2, Flag 14, Flag 16, Flag 19
Flag 3, Flag 8, Flag 15, Flag 18
Flag 3, Flag 8, Flag 15, Flag 20
Flag 3, Flag 8, Flag 17, Flag 18
Flag 3, Flag 8, Flag 17, Flag 20
Flag 3, Flag 10, Flag 15, Flag 18
Flag 3, Flag 10, Flag 15, Flag 20
Flag 3, Flag 10, Flag 17, Flag 18
Flag 3, Flag 10, Flag 17, Flag 20
Flag 3, Flag 12, Flag 15, Flag 18
Flag 3, Flag 12, Flag 15, Flag 20
Flag 3, Flag 12, Flag 17, Flag 18
Flag 3, Flag 12, Flag 17, Flag 20
Flag 3, Flag 13, Flag 15, Flag 18
Flag 3, Flag 13, Flag 15, Flag 20
Flag 3, Flag 13, Flag 17, Flag 18
Flag 3, Flag 13, Flag 17, Flag 20
Flag 4, Flag 8, Flag 15, Flag 18
Flag 4, Flag 8, Flag 15, Flag 19
Flag 4, Flag 8, Flag 16, Flag 18
Flag 4, Flag 8, Flag 16, Flag 19
Flag 4, Flag 9, Flag 15, Flag 18
Flag 4, Flag 9, Flag 15, Flag 19
Flag 4, Flag 9, Flag 16, Flag 18
Flag 4, Flag 9, Flag 16, Flag 19
Flag 4, Flag 11, Flag 15, Flag 18
Flag 4, Flag 11, Flag 15, Flag 19
Flag 4, Flag 11, Flag 16, Flag 18
Flag 4, Flag 11, Flag 16, Flag 19
Flag 4, Flag 14, Flag 15, Flag 18
Flag 4, Flag 14, Flag 15, Flag 19
Flag 4, Flag 14, Flag 16, Flag 18
Flag 4, Flag 14, Flag 16, Flag 19
Flag 5, Flag 8, Flag 15, Flag 18
Flag 5, Flag 8, Flag 15, Flag 20
Flag 5, Flag 8, Flag 17, Flag 18
Flag 5, Flag 10, Flag 15, Flag 18
Flag 5, Flag 10, Flag 15, Flag 20
Flag 5, Flag 10, Flag 17, Flag 18
Flag 5, Flag 10, Flag 17, Flag 20
Flag 5, Flag 12, Flag 15, Flag 18
Flag 5, Flag 12, Flag 15, Flag 20
Flag 5, Flag 12, Flag 17, Flag 18
Flag 5, Flag 13, Flag 15, Flag 18
Flag 5, Flag 13, Flag 15, Flag 20
Flag 5, Flag 13, Flag 17, Flag 18
Flag 5, Flag 13, Flag 17, Flag 20
Flag 6, Flag 8, Flag 15, Flag 18
Flag 6, Flag 8, Flag 15, Flag 19
Flag 6, Flag 8, Flag 16, Flag 18
Flag 6, Flag 8, Flag 16, Flag 19
Flag 6, Flag 9, Flag 15, Flag 18
Flag 6, Flag 9, Flag 15, Flag 19
Flag 6, Flag 9, Flag 16, Flag 18
Flag 6, Flag 9, Flag 16, Flag 19
Flag 6, Flag 11, Flag 15, Flag 18
Flag 6, Flag 11, Flag 15, Flag 19
Flag 6, Flag 11, Flag 16, Flag 18
Flag 6, Flag 11, Flag 16, Flag 19
Flag 6, Flag 14, Flag 15, Flag 18
Flag 6, Flag 14, Flag 15, Flag 19
Flag 6, Flag 14, Flag 16, Flag 18
Flag 6, Flag 14, Flag 16, Flag 19
Flag 7, Flag 8, Flag 15, Flag 18
Flag 7, Flag 8, Flag 15, Flag 20
Flag 7, Flag 8, Flag 17, Flag 18
Flag 7, Flag 8, Flag 17, Flag 20
Flag 7, Flag 10, Flag 15, Flag 18
Flag 7, Flag 10, Flag 15, Flag 20
Flag 7, Flag 10, Flag 17, Flag 18
Flag 7, Flag 10, Flag 17, Flag 20
Flag 7, Flag 12, Flag 15, Flag 18
Flag 7, Flag 12, Flag 15, Flag 20
Flag 7, Flag 12, Flag 17, Flag 18
Flag 7, Flag 12, Flag 17, Flag 20
Flag 7, Flag 13, Flag 15, Flag 18
Flag 7, Flag 13, Flag 15, Flag 20
Flag 7, Flag 13, Flag 17, Flag 18
Flag 7, Flag 13, Flag 17, Flag 20

1. Compare R1, R2: if source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”, then flag2 = true (Table 4.12)
2. Compare R1, R2: if destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”, then flag8 = true
3. Compare R1, R2: if source port = “R1.sp = R2.sp”, then flag15 = true
4. Compare R1, R2: if destination port = “R1.dp = R2.*”, then flag19 = true

If (flag2 = true, flag8 = true, flag15 = true, flag19 = true) and R1(action = allow) and R2(action = deny), or R2(action = allow) and R1(action = deny), then create an exception inconsistency (Table 4.13).

a. To resolve the inconsistency, change R2 source IP from * to < R1 source IP and R2 destination port from * to < R1 destination port
b. Introduce a new rule with R2 source IP > R1 source IP and R2 destination port > R1 destination port

The rules which conform to the above definition of Exception Inconsistency are rules R5 and R8. R5 is a subset of rule R8 at source IP and destination port. Therefore we modify R8 to eliminate the subset and introduce a new rule to resolve the inconsistency.

Table 4.14 Exception Inconsistency

PRIORITY ID  PROTOCOL  SOURCE IP     SOURCE PORT  DESTINATION IP  DESTINATION PORT  ACTION
R5           tcp       192.168.1.60  any          *.*.*.*         21                allow
R8           tcp       *.*.*.*       any          *.*.*.*         any               deny

Table 4.15 Resolved New Rules (Exception Inconsistency)

PRIORITY ID  PROTOCOL  SOURCE IP        SOURCE PORT  DESTINATION IP  DESTINATION PORT  ACTION
R5           tcp       192.168.1.60     any          *.*.*.*         21                allow
R8           tcp       192.168.1.0/27   any          *.*.*.*         <21               deny
R9           tcp       192.168.1.32/28  any          *.*.*.*         >21               deny

We modified R8 and introduced the new rule R9 according to the resolving rule.

Denial of Service Conflict Example –

Table 4.16 Denial of Service Conflict Flag Definition

Condition (Compare R1, R2)   Flag
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”   Flag 1 = true
If Source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”   Flag 2 = true
If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 3 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd”   Flag 4 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 5 = true
If Source IP = “R1.sa = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”   Flag 6 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”   Flag 7 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*”   Flag 8 = true
If Source IP = “R1.sa = R2.sa, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”   Flag 9 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”   Flag 10 = true
If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”   Flag 11 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*”   Flag 12 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*”   Flag 13 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”   Flag 14 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd”   Flag 15 = true
If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 16 = true
If Destination IP = “R1.da = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 17 = true
If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”   Flag 18 = true
If Source Port = “R1.sp = R2.sp”   Flag 19 = true
If Source Port = “R1.sp = R2.*”   Flag 20 = true
If Source Port = “R1.* = R2.sp”   Flag 21 = true
If Destination Port = “R1.dp = R2.dp”   Flag 22 = true
If Destination Port = “R1.dp = R2.*”   Flag 23 = true
If Destination Port = “R1.* = R2.dp”   Flag 24 = true

Table 4.17 Flags Fulfilling Denial of Service Conflict Definition
(R1(action = deny) and R2(action = allow))

Flag 1, Flag 10, Flag 19, Flag 22
Flag 1, Flag 11, Flag 20, Flag 23
Flag 2, Flag 10, Flag 20, Flag 23
Flag 2, Flag 11, Flag 19, Flag 24
Flag 3, Flag 12, Flag 19, Flag 22
Flag 3, Flag 13, Flag 21, Flag 24
Flag 4, Flag 13, Flag 19, Flag 22
Flag 4, Flag 14, Flag 20, Flag 23
Flag 5, Flag 14, Flag 19, Flag 22
Flag 5, Flag 15, Flag 21, Flag 24
Flag 6, Flag 15, Flag 19, Flag 22
Flag 6, Flag 16, Flag 20, Flag 23
Flag 7, Flag 17, Flag 21, Flag 24
Flag 7, Flag 16, Flag 19, Flag 22
Flag 8, Flag 17, Flag 19, Flag 22
Flag 8, Flag 18, Flag 20, Flag 24
Flag 9, Flag 18, Flag 19, Flag 22
Flag 9, Flag 10, Flag 21, Flag 23

1. Compare R1, R2: if source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”, then flag7 = true (Table 4.16)
2. Compare R1, R2: if destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”, then flag10 = true
3. Compare R1, R2: if source port = “R1.sp = R2.sp”, then flag19 = true
4. Compare R1, R2: if destination port = “R1.dp = R2.dp”, then flag22 = true

If (flag7 = true, flag10 = true, flag19 = true, flag22 = true) and R1(action = deny) and R2(action = allow), then create a denial of service conflict (Table 4.17).

a. To resolve the inconsistency, change R2 source IP (sd) from * to < R1 source IP, and R1 destination IP (db, dc, dd) from * to < R2 destination IP
b. Introduce a new rule with R2 source IP (sd) > R1 source IP

The rules which conform to the above definition of Denial of Service Conflict are rules R1 and R2.

Table 4.18 Denial of Service Conflict

PRIORITY ID  PROTOCOL  SOURCE IP    SOURCE PORT  DESTINATION IP  DESTINATION PORT  ACTION
R1           tcp       192.168.1.5  Any          *.*.*.*         80                deny
R2           tcp       192.168.1.*  Any          *.*.*.*         80                allow

Table 4.19 Resolved New Rules (Denial of Service Conflict)

PRIORITY ID  PROTOCOL  SOURCE IP    SOURCE PORT  DESTINATION IP  DESTINATION PORT  ACTION
R1           tcp       192.168.1.5  Any          *.*.*.*         80                deny
R2           tcp       192.168.1.4  Any          *.*.*.*         80                allow

4.1. Program implementation

Tools Used - mysql-5.6.16, Eclipse Java EE IDE, Visual Studio 2010

In the config file (Appendix B) we define the firewalls and how they are connected to each other.

1) When we run the program, the config file is checked for the number of networks, defined in the following way –
Networks=N1, N2

2) We can also define which networks are active:
N1.active=true
N2.active=false
This gives us the option to refine the comparison to one particular network. A false flag excludes that network from the comparison.
3) Firewalls within a network can have multiple zones, so we define them as –
N1.zones=N1-Z1, N1-Z2, N1-Z3
where N1 is Network 1, Z1 is Zone 1, and so on.

4) The paths, or connections, between the different firewalls are defined in the following way –
N1.path.1=N1-Z1-A1, N2-Z2-B1, N3-Z3-C1
N1.path.2=N1-Z1-A1, N2-Z2-B2, N3-Z3-C1
N1.path.3=N1-Z1-A2, N2-Z2-B1, N3-Z3-C1
N1.path.4=N1-Z1-A2, N2-Z2-B2, N3-Z3-C1
where A1, A2, B1, B2, C1 are identifiers for different firewalls.

5) We can also control which zones to monitor with a flag which, when set to false, removes that zone from the comparison.
N1-Z1.active=true
N1-Z2.active=true
N1-Z3.active=true

6) The firewalls present in a particular zone are indicated by –
N1-Z1.firewalls=N1-Z1-A1, N1-Z1-A2
N1-Z2.firewalls=N1-Z1-B1, N1-Z1-B2
N1-Z3.firewalls=N1-Z1-C1
That is, Zone 1 consists of firewalls A1 and A2, Zone 2 of firewalls B1 and B2, and Zone 3 of firewall C1.

7) The config file contains additional details such as the paths of the input and output files, the database connections, etc. The detailed config file can be found in Appendix A.

MySQL Setup –

1) Create a database called firewallacl.
create database firewallacl;

2) Download MySQL Connector for .NET, version 6.6.6.

3) Create and insert values into the LOGIN table. This table stores the values used for logging into the interface.
CREATE TABLE LOGIN (
  USERNAME VARCHAR(20) NOT NULL,
  PASSWORD VARCHAR(20) NOT NULL,
  PRIMARY KEY (USERNAME)
);
INSERT INTO LOGIN (USERNAME, PASSWORD) VALUES ('ADMIN', 'PASSWORD');

Figure 4.4 Login Table

4) Create table MASTER_ACL. This table stores the master list of all the ACLs of all the firewalls.
CREATE TABLE MASTER_ACL (
  NETWORK_ID VARCHAR(15) NOT NULL,
  FIREWALL_ID VARCHAR(15) NOT NULL,
  PRIORITY_ID INT NOT NULL AUTO_INCREMENT,
  PROTOCOL VARCHAR(15) NOT NULL,
  SOURCE_IP VARCHAR(30) NOT NULL,
  SOURCE_PORT VARCHAR(15) NOT NULL,
  DESTINATION_IP VARCHAR(30) NOT NULL,
  DESTINATION_PORT VARCHAR(15) NOT NULL,
  ACTION VARCHAR(15) NOT NULL,
  PRIMARY KEY (PRIORITY_ID)
);

Figure 4.5 Master ACL Table

5) Create table REPORT_SUMMARY. This table holds the essential information about a report, such as the report type, report date and the total number of inconsistencies found of each type.
CREATE TABLE REPORT_SUMMARY (
  REPORT_ID INT NOT NULL AUTO_INCREMENT,
  STATUS VARCHAR(15) NOT NULL,
  REPORT_TYPE VARCHAR(15) NOT NULL,
  REPORT_BATCH_ID VARCHAR(20) NOT NULL,
  REPORT_PARAMETERS VARCHAR(256) NOT NULL,
  REPORT_DATE DATE NOT NULL,
  REPORT_START_TIME DATETIME NOT NULL,
  REPORT_END_TIME DATETIME NULL,
  SHADOW_CONFLICT_COUNT INT(50) NULL,
  CORRELATION_CONFLICT_COUNT INT(50) NULL,
  EXCEPTION_CONFLICT_COUNT INT(50) NULL,
  DENIALOFSRVC_CONFLICT_COUNT INT(50) NULL,
  CREATED_DATE DATETIME NOT NULL,
  CREATED_BY VARCHAR(20) NOT NULL,
  MODIFIED_DATE DATETIME NULL,
  MODIFIED_BY VARCHAR(20) NULL,
  PRIMARY KEY (REPORT_ID),
  UNIQUE KEY (REPORT_BATCH_ID)
);

Figure 4.6 Report Summary Table

6) Create table REPORT_DETAIL. This table holds information such as the rules compared, which is the upstream rule and which the downstream rule, the type of inconsistency found and the suggested solution.
CREATE TABLE REPORT_DETAIL (
  DETAIL_ID INT NOT NULL AUTO_INCREMENT,
  REPORT_ID INT NOT NULL,
  NETWORK_ID VARCHAR(15) NULL,
  INCONSISTENCY_NUM INT NOT NULL,
  COMPARED_RULES VARCHAR(30) NOT NULL,
  COMPARED_SOURCE_RULE VARCHAR(15) NOT NULL,
  COMPARED_DEST_RULE VARCHAR(15) NOT NULL,
  INCONSISTENCY_TYPE VARCHAR(20) NOT NULL,
  FIREWALL_ID1 VARCHAR(256) NULL,
  FIREWALL_ID2 VARCHAR(256) NULL,
  PRIORITY_ID1 VARCHAR(15) NOT NULL,
  PROTOCOL1 VARCHAR(15) NOT NULL,
  SOURCE_IP1 VARCHAR(20) NOT NULL,
  SOURCE_PORT1 VARCHAR(15) NOT NULL,
  DESTINATION_IP1 VARCHAR(20) NOT NULL,
  DESTINATION_PORT1 VARCHAR(15) NOT NULL,
  ACTION1 VARCHAR(15) NOT NULL,
  FULLCONFLICTLINEORIG1 VARCHAR(256) NOT NULL,
  PRIORITY_ID2 VARCHAR(15) NOT NULL,
  PROTOCOL2 VARCHAR(15) NOT NULL,
  SOURCE_IP2 VARCHAR(20) NOT NULL,
  SOURCE_PORT2 VARCHAR(15) NOT NULL,
  DESTINATION_IP2 VARCHAR(20) NOT NULL,
  DESTINATION_PORT2 VARCHAR(15) NOT NULL,
  ACTION2 VARCHAR(15) NOT NULL,
  FULLCONFLICTLINEORIG2 VARCHAR(256) NOT NULL,
  SUGGESTED_SOLUTION VARCHAR(1024) NULL,
  CREATED_DATE DATETIME NOT NULL,
  CREATED_BY VARCHAR(20) NOT NULL,
  MODIFIED_DATE DATETIME NULL,
  MODIFIED_BY VARCHAR(20) NULL,
  PRIMARY KEY (DETAIL_ID),
  FOREIGN KEY (REPORT_ID) REFERENCES REPORT_SUMMARY(REPORT_ID)
);

Figure 4.7 Report Detail Table

To run the program –

1) Download the files into c:\Workspace2 and import the project into Eclipse.
2) Run the files – TestClassIdentifyAndLoadConflictsForAllNetworks.java (Appendix C), TestClassIdentifyAndLoadConflictsForMultiFirewallsCompare.java (Appendix D), TestClassIdentifyAndLoadConflictsForMultiFirewallsGroupCompare.java (Appendix E).
3) This creates two files in the output folder, one text file and one XML file, which are used to load the data into the database. A section of the report is shown below.
######################################################
################## REPORT BEGIN ###################
######################################################
------------------------------------------------------
Rules N1-Z1-A1-R8,N1-Z1-A1-R2 shadow inconsistency
------------------------------------------------------
N1-Z1-A1-R8,tcp,*.*.*.*,any,*.*.*.*,any,deny
N1-Z1-A1-R2,tcp,192.168.1.*,any,*.*.*.*,80,allow
Note:
a. To resolve inconsistency change N1-Z1-A1-R8 source IP from * to < N1-Z1-A1-R2 source IP and N1-Z1-A1-R8 destination port from * to < N1-Z1-A1-R2 destination port
b. Introduce a new rule with N1-Z1-A1-R8 source IP > N1-Z1-A1-R2 source IP and N1-Z1-A1-R8 destination port > N1-Z1-A1-R2 destination port.

4) To view the reports, run the Visual Studio solution. The first screen we see is the login screen, where we enter the credentials to go further.

Figure 4.8 Login Screen

5) After login we see three tabs: Access Control Master List, Report Summary and Report Detail. The Access Control Master List tab shows the report of all the ACLs of all the firewalls. The reports can be exported to Excel, PDF or Word and saved on the computer.

Figure 4.9 Tab To View Access Control Master List

6) The second tab is the Report Summary tab, where we can filter the reports by report ID. The report parameters field indicates whether the comparisons were done within a firewall, or specifies the networks and firewalls involved in the comparison.

Figure 4.10 Tab To View Report Summary

7) The Report Detail tab enables us to view the report details filtered by their respective report ID.
Figure 4.11 Tab To View Report Detail

Chapter 5

PERFORMANCE EVALUATION & COMPARISON

Consider an ACL with $n$ rules and assume there are equal numbers of allow and deny rules. Without taking the protocols into consideration, the total number of comparisons is

$$\left(\frac{n}{2}\right)^2 = \frac{n^2}{4}$$

With $m$ protocols, the total number of comparisons for a single firewall is

$$m\left(\frac{n}{2m}\right)^2 = \frac{n^2}{4m}$$

In a network with multiple firewalls, the rules have to be compared not only within each firewall but also between two firewalls. The total number of comparisons in that scenario is:

Number of comparisons with concatenation: $(2l - 1)\left(\frac{n^2}{4m}\right)$, where $l$ = number of firewalls

Since the rules are concatenated after each comparison before moving on to the next firewall, the number of comparisons is reduced. Without concatenation the number of comparisons would be:

Number of comparisons without concatenation: $2l\left(\frac{n^2}{4m}\right)$

For instance, with 3 firewalls ($l$), 2 rules in the ACL ($n$) and just one protocol ($m$), substituting into the formulas above gives a total of 5 comparisons with the concatenation approach, whereas the traditional approach gives 6 comparisons. Consider three firewalls F1, F2 and F3. There are three comparisons, one for each individual firewall. Then F1 is compared to F2, and F1 and F2 are concatenated and compared to F3, giving 5 comparisons. The traditional approach has the three individual firewall comparisons, then F1 compared to F2, F2 compared to F3 and F1 compared to F3, giving 6 comparisons in total, assuming there is only one protocol.

The tool has been successful in detecting intra-firewall as well as inter-firewall inconsistencies. Both cases have been tested by giving different rules to each firewall. It has been tested with three firewalls connected together in a path on the same network.
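The pairwise shadow check of Appendix A, driven by the concatenation scheme of this chapter, as an added Python example that is not part of the project's code. Its octet-wise wildcard test generalizes the all-or-nothing Flags 1 to 4 to partial wildcards such as 192.168.1.*; the first firewall holds the two rules from the report excerpt, the other rule ids and rules are constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL line in the report format: id,protocol,src ip,src port,dst ip,dst port,action."""
    rid: str
    proto: str
    src_ip: str      # dotted quad, '*' allowed per octet
    src_port: str    # port number or 'any'
    dst_ip: str
    dst_port: str
    action: str      # 'allow' or 'deny'


def parse_rule(line: str) -> Rule:
    """Parse a comma-separated rule line such as those in the report excerpt."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    return Rule(*parts)


def octets_cover(general: str, specific: str) -> bool:
    """Octet-wise form of Flags 1-4: each octet of `general` equals the
    matching octet of `specific` or is the wildcard '*'."""
    g, s = general.split("."), specific.split(".")
    if len(g) != 4 or len(s) != 4:
        raise ValueError(f"not a dotted quad: {general!r} / {specific!r}")
    return all(a == b or a == "*" for a, b in zip(g, s))


def port_covers(general: str, specific: str) -> bool:
    """Flags 5-8: ports equal, or the general side is the wildcard ('any' or '*')."""
    return general == specific or general in ("any", "*")


def shadows(r1: Rule, r2: Rule) -> bool:
    """r1 shadows r2 when both use the same protocol, every field of r1 is equal
    to or wider than r2's, and the actions differ (Appendix A, shadow inconsistency)."""
    return (r1.proto == r2.proto and r1.action != r2.action
            and octets_cover(r1.src_ip, r2.src_ip)
            and octets_cover(r1.dst_ip, r2.dst_ip)
            and port_covers(r1.src_port, r2.src_port)
            and port_covers(r1.dst_port, r2.dst_port))


def shadow_pairs(pairs) -> List[Tuple[str, str]]:
    """Yield (general id, shadowed id) for each pair where one side shadows the other."""
    found = []
    for r1, r2 in pairs:
        if shadows(r1, r2):
            found.append((r1.rid, r2.rid))
        elif shadows(r2, r1):
            found.append((r2.rid, r1.rid))
    return found


def analyse_path(firewalls: List[List[Rule]]) -> Tuple[int, List[Tuple[str, str]]]:
    """Chapter 5 scheme: one intra pass per firewall, then F1 vs F2, then
    concat(F1,F2) vs F3, and so on. Returns (comparison passes, shadow pairs);
    passes are counted, not rule pairs, so l firewalls give 2l-1 passes."""
    passes, conflicts = 0, []
    for fw in firewalls:                      # intra-firewall passes
        conflicts += shadow_pairs(combinations(fw, 2))
        passes += 1
    merged = list(firewalls[0])
    for fw in firewalls[1:]:                  # inter-firewall passes
        conflicts += shadow_pairs((a, b) for a in merged for b in fw)
        passes += 1
        merged += fw                          # concatenate before the next firewall
    return passes, sorted(set(conflicts))


def predicted_comparisons(l: int, n: int, m: int) -> Tuple[float, float]:
    """Chapter 5 formulas: (2l-1)*n^2/(4m) with concatenation, 2l*n^2/(4m) without."""
    per_pass = n * n / (4 * m)
    return (2 * l - 1) * per_pass, 2 * l * per_pass


def suggested_solution(general: Rule, specific: Rule) -> str:
    """Compose the note the report prints: narrow each wildcarded field of the
    general rule below the specific rule's value, then add a rule above it."""
    fields = (("source IP", general.src_ip, specific.src_ip),
              ("source port", general.src_port, specific.src_port),
              ("destination IP", general.dst_ip, specific.dst_ip),
              ("destination port", general.dst_port, specific.dst_port))
    diffs = [name for name, g, s in fields if g != s]
    if not diffs:  # identical match fields: keep the higher-priority rule (Appendix A, rule 1a)
        return f"a. Keep the higher-priority rule of {general.rid}, {specific.rid} and delete the other"
    narrow = " and ".join(f"{general.rid} {f} from * to < {specific.rid} {f}" for f in diffs)
    widen = " and ".join(f"{general.rid} {f} > {specific.rid} {f}" for f in diffs)
    return f"a. To resolve inconsistency change {narrow} b. Introduce a new rule with {widen}."


# Constructed sample: three firewalls on one path, two rules each (l = 3, n = 2).
# F1 holds the two rules from the report excerpt; F2 and F3 are made up for this example.
SAMPLE_PATH = [
    [parse_rule("N1-Z1-A1-R8,tcp,*.*.*.*,any,*.*.*.*,any,deny"),
     parse_rule("N1-Z1-A1-R2,tcp,192.168.1.*,any,*.*.*.*,80,allow")],
    [parse_rule("N1-Z1-A2-R1,tcp,10.0.0.*,any,*.*.*.*,443,allow"),
     parse_rule("N1-Z1-A2-R2,udp,*.*.*.*,any,*.*.*.*,53,deny")],
    [parse_rule("N1-Z1-A3-R1,tcp,*.*.*.*,any,*.*.*.*,443,deny"),
     parse_rule("N1-Z1-A3-R2,tcp,10.0.0.*,any,10.0.0.*,22,allow")],
]

if __name__ == "__main__":
    passes, conflicts = analyse_path(SAMPLE_PATH)
    by_id = {r.rid: r for fw in SAMPLE_PATH for r in fw}
    print(f"{passes} comparison passes, {len(conflicts)} shadow inconsistencies")
    for gen, spec in conflicts:
        print(f"Rules {gen},{spec} shadow inconsistency")
        print("Note:", suggested_solution(by_id[gen], by_id[spec]))
```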
In a multi-firewall network with 23 rules in the ACL, these are the results obtained:

-----------------------------------------------------
COUNT of DIFFERENT TYPES OF CONFLICTS IDENTIFIED
------------------------------------------------------
Shadow Conflicts: 28
Correlation Conflicts: 16
Exception Conflicts: 60
Denial of Service Conflicts: 20

Within a single firewall (intra-firewall), the following numbers of inconsistencies were observed:

-----------------------------------------------------------
COUNT of DIFFERENT TYPES OF CONFLICTS IDENTIFIED
-----------------------------------------------------------
Shadow Conflicts: 7
Correlation Conflicts: 4
Exception Conflicts: 15
Denial of Service Conflicts: 5

The suggested solution has also been tested to check that it matches the inconsistent rule, and it displays the correct solution. These solutions help the administrator decide what changes need to be made to resolve the inconsistencies. This saves a lot of time and effort in analyzing the firewalls when dealing with a large number of rules and a large number of firewalls in a network. The algorithm implemented is also easy to understand and complete, in the sense that it defines all the possible definitions for the different types of inconsistencies.

Chapter 6

CONCLUSION AND FUTURE WORK

6.1. Conclusion

The tool developed has been very efficient in detecting inconsistencies, not only within a single firewall but also in a scenario with multiple firewalls in a network. When dealing with firewalls on such a large scale it becomes difficult to track which rules are causing an inconsistency; this tool points out the exact location of the inconsistency and also provides a suggested solution to the administrator. The rules developed for resolving inconsistencies are very useful, as they give the network administrator a course of action to take to resolve the inconsistency.
Since, all the possible scenarios have been defined and a solution proposed for each, it becomes easier in decision making when dealing with a large number of firewall rules and Firewalls. Decision making is one of the most complex and tedious job and deploying these rules makes the job manageable. Also, the performance analysis indicates that it reduces the number of comparisons the tool needs to make in order to cover all the firewalls. The reports generated help the administrator to do an in-depth analysis and also have a time stamped record of which inconsistency was discovered at what time and make appropriate changes to the ACL. 60 6.2. Future Work In future, a more interactive interface could be developed allowing the administrator to even the run the program from the interface. Currently, the interface is being used only for report generation. Also, more rules can be defined for Denial of Service Conflict to cover all the possible scenarios in which such a conflict can occur. There are a total of 723 such cases and due to time constraint only a part of them have been implemented. 61 APPENDIX A SHADOW INCONSISTENCY Structure Comparison 1. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”, then Flag 1 = true 2. Compare R1, R2 If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 2 = true 3. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1. dd = R2.dd”, then the Flag 3 = true 4. Compare R1, R2 If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 4 = true 5. Compare R1, R2 If Source Port = “R1.sp = R2.sp”, then Flag 5 = true 6. Compare R1, R2 If Source Port = “R1.* = R2.sp”, then Flag 6 = true 7. Compare R1, R2 If Destination Port = “R1.dp = R2.dp” , then Flag 7 = true 8. Compare R1, R2 If Destination Port = “R1.* = R2.dp” , then Flag 8 = true Rule Definition for Detection and Resolving 1. 
If (Flag 1 = true, Flag 3 = true, Flag 5 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency compare priority level of R1 and R2 if priority level of R1 > R2 then keep R1 and delete R2. If priority level of R2 > R1 then keep R2 delete R1 OR 2. If (Flag 1 = true, Flag 3 = true, Flag 5 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistence change R1 Destination Port from * to > or < R2 Destination Port b. introduce new rule with R1 Destination Port > R2 Destination Port OR 3. If (Flag 1 = true, Flag 3 = true, Flag 6 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency 62 a. To resolve inconsistency if R1(action = allow) and R2(action = deny) change R1 Source Port < R2 Source Port b. If R2(action = allow) and R1(action = deny) change R1 Source Port < R2 Source Port c. Introduce new rule with R1 Source Port > R2 Source Port OR 4. If (Flag 1 = true, Flag 3 = true, Flag 6 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source Port to < R2 Source Port and R1 Destination Port to < R2 Destination Port b. Introduce a new rule with R1 Source Port >R2 Source Port and R1 Destination Port > R2 Destination Port OR 5. If (Flag 1 = true, Flag 4 = true, Flag 5 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP b. Introduce a new rule with R1 Destination IP > R2 Destination IP OR 6. 
If (Flag 1 = true, Flag 4 = true, Flag 5 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP and R1 Destination Port < R2 Destination Port b. Introduce a new rule with R1 Destination IP > R2 Destination IP and R1 Destination Port > R2 Destination Port OR 7. If (Flag 1 = true, Flag 4 = true, Flag 6 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP and R1 Source Port < R2 Source Port b. Introduce a new rule with R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port 63 OR 8. If (Flag 1 = true, Flag 4 = true, Flag 6 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP, R1 Source Port < R2 Source Port and R1 Destination Port < R2 Destination Port b. Introduce a new rule with R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port OR 9. If (Flag 2 = true, Flag 3 = true, Flag 5 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP b. Introduce a new rule with R1 Source IP > R2 Source IP OR 10. If (Flag 2 = true, Flag 3 = true, Flag 5 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination Port from * to < R2 Destination Port b. 
Introduce a new rule with R1 Source IP > R2 Source IP and R1 Destination Port > R2 Destination Port OR 11. If (Flag 2 = true, Flag 3 = true, Flag 6 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Source Port from * to < R2 Source Port b. Introduce a new rule with R1 Source IP > R2 Source IP and R1 Source Port > R2 Source Port OR 12. If (Flag 2 = true, Flag 3 = true, Flag 6 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency 64 a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1 Source IP > R2 Source IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port OR 13. If (Flag 2 = true, Flag 4 = true, Flag 5 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination IP from * to < R2 Destination IP b. Introduce a new rule with R1 Source IP > R2 Source IP and R1 Destination IP > R2 Destination IP OR 14. If (Flag 2 = true, Flag 4 = true, Flag 5 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP and R1 Destination Port > R2 Destination Port OR 15. 
If (Flag 2 = true, Flag 4 = true, Flag 6 = true, Flag 7 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP and R1 Source Port from * to < R2 Source Port b. Introduce a new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port OR 16. If (Flag 2 = true, Flag 4 = true, Flag 6 = true, Flag 8 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create shadow inconsistency 65 a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port CORRELATION INCONSISTENCY Structure Comparison 1. Compare R1, R2 If Source IP = “R1.sa = R2.* , R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”, then Flag 1 = true 2. Compare R1, R2 If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd” then Flag 2 = true 3. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”, then Flag 3 = true 4. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd”, then Flag 4 = true 5. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*”, then Flag 5 = true 6. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 6 = true 7. Compare R1, R2 If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”, then Flag 7 = true 8. 
Compare R1, R2 If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd” then Flag 8 = true 9. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*”, then Flag 9 = true 10. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd”, then Flag 10 = true 11. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 11 = true 12. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*”, then Flag 12 = true 13. Compare R1, R2 If Source Port = “R1.sp= R2.sp”, then Flag 13 = true 14. Compare R1, R2 If Source Port = “R1.sp= R2.* ”, then Flag 14 = true 15. Compare R1, R2 If Source Port = “R1.* = R2.sp”, then Flag 15 = true 66 16. Compare R1, R2 If Destination Port = “R1.dp= R2.dp” , then Flag 16 = true 17. Compare R1, R2 If Destination Port = “R1.dp= R2.*” , then Flag 17 = true 18. Compare R1, R2 If Destination Port = “R1.* = R2.dp” , then Flag 18 = true Rule Definition for Detection and Resolving – 1. If (Flag 1 = true, Flag 8 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP b. Introduce new rule with R1 Destination IP > R2 Destination IP c. Change R2 Source IP from * to < R1 Source IP d. Introduce new rule with R2 Source IP > R1 Source IP OR 2. If (Flag 2 = true, Flag 7 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP b. Introduce new rule with R1 Source IP > R2 Source IP c. Change R2 Destination IP from * to < R2 Destination IP d. Introduce new rule with R2 destination > R2 Destination IP OR 3. 
If (Flag 3 = true, Flag 10 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R1 Destination IP (dd) b. Introduce new rule with R1 Destination IP (dd) > R1 Destination IP (dd) c. Change R2 Source IP (sd) from * to < R1 Source IP (sd) d. Introduce new rule with R2 Source IP (sd) > R1 Source IP (sd) OR 4. If (Flag 4 = true, Flag 9 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Source IP(sd) from * to < R2 Source IP (sd) b. Introduce new rule with R1 Source IP(sd) > R2 Source IP (sd) 67 c. Change R2 Destination IP(dp) from * to < R1 Destination IP(dp) d. Introduce new rule with R2 Destination IP(dp) > R1 destination (dp) OR 5. If (Flag 5 = true, Flag 11 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Destination IP(dc, dp) from * to < R2 Destination IP(dc, dp) b. Introduce new rule with R1 Destination IP(dc, dp) > R1 destination (dc, dp) c. Change R2 Source IP(sc,sd) from * to < R1 Source IP (sc, sd) d. Introduce new rule with R2 Source IP(sc, sd) > R1 Source IP (sc, sd) OR 6. If (Flag 6 = true, Flag 12 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency. a. To resolve inconsistency change R1Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Source Port from * to < R2 Source Port b. Introduce new rule with R1Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Source Port > R2 Source Port c. 
Change R2 Destination IP (dc, dd) from * to < R1 Destination IP (sc, sd) d. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (sc, sd) OR 7. If (Flag 1 = true, Flag 10 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R2 Destination IP (dd) b. Introduce new rule with R1 Destination IP (dd) > R2 Destination IP (dd) c. Change R2 Source IP from * to < R1 Source IP d. Introduce new rule with R2 Source IP > R1 Source IP OR 8. If (Flag 1 = true, Flag 11 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency 68 a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) c. Change R2 Source IP from * to < R1 Source IP d. Introduce new rule with R2 Source IP > R1 Source IP OR 9. If (Flag 2 = true, Flag 9 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R2 Destination IP (dd) from * to < R1 Destination IP (dd) b. Introduce new rule with R2 Destination IP (dd) > R1 Destination IP (dd) c. Change R1 Source IP from * to < R2 Source IP d. Introduce new rule with R1 Source IP > R2 Source IP OR 10. If (Flag 2 = true, Flag 12 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) b. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) c. 
Change R1 Source IP from * to < R2 Source IP d. Introduce new rule with R1 Source IP > R2 Source IP OR 11. If (Flag 3 = true, Flag 8 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency Change R1 Destination IP from * to < R2 Destination IP b. Introduce new rule with R1 Destination IP > R2 Destination IP c. Change R2 Source IP (sd) from * to < R1 Source IP (sd) d. Introduce new rule with R2 Source IP (sd) > R1 Source IP (sd) OR 69 12. If (Flag 3 = true, Flag 11 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) c. Change R2 Source IP (sd) from * to < R1 Source IP (sd) d. Introduce new rule with R2 Source IP (sd) > R1 Source IP (sd) OR 13. If (Flag 4 = true, Flag 7 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP b. Introduce new rule with R2 Destination IP > R1 Destination IP c. Change R1 Source IP (sd) from * to < R2 Source IP (sd) d. Introduce new rule with R1 Source IP (sd) > R2 Source IP (sd) OR 14. If (Flag 4 = true, Flag 12 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency Change R1 Source IP (sd) from * to < R2 Source IP (sd) b. Introduce new rule with R1 Source IP (sd) > R2 Source IP (sd) c. Change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) d. 
Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) OR 15. If (Flag 5 = true, Flag 9 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) c. Change R2 Destination IP (dd) from * to < R1 Destination IP(dd) d. Introduce a new rule R2 Destination IP (dd) > R1 Destination IP(dd) 70 OR 16. If (Flag 5 = true, Flag 8 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency Change R1 Destination IP from * to < R2 Destination IP b. Introduce new rule with R1 Destination IP > R2 Destination IP c. Change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) d. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) OR 17. If (Flag 6 = true, Flag 7 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency Change R2 Destination IP from * to < R1 Destination IP b. Introduce new rule with R2 Destination IP > R1 Destination IP c. Change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) d. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) OR 18. If (Flag 6 = true, Flag 12 = true, Flag 13 = true, Flag 16 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create correlation inconsistency a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) c. 
Change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) d. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) EXCEPTION INCONSISTENCY Structure Comparison 1. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”, then Flag 1 = true 2. Compare R1, R2 If Source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”, then Flag 2 = true 71 3. Compare R1, R2 If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd” then Flag 3 = true 4. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”, then Flag 4 = true 5. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd”, then Flag 5 = true 6. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*”, then Flag 6 = true 7. Compare R1, R2 If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 7 = true 8. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1. dd = R2.dd”, then the Flag 8 = true 9. Compare R1, R2 If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”, then Flag 9 = true 10. Compare R1, R2 If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd” then Flag 10 = true 11. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*”, then Flag 11 = true 12. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd”, then Flag 12 = true 13. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 13 = true 14. Compare R1, R2 If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*”, then Flag 14 = true 15. Compare R1, R2 If Source Port = “R1.sp= R2.sp”, then Flag 15 = true 16. Compare R1, R2 If Source Port = “R1.sp= R2.* ”, then Flag 16 = true 17. 
Compare R1, R2 If Source Port = “R1.* = R2.sp”, then Flag 17 = true 18. Compare R1, R2 If Destination Port = “R1.dp= R2.dp” , then Flag 18 = true 19. Compare R1, R2 If Destination Port = “R1.dp= R2.*” , then Flag 19 = true 20. Compare R1, R2 If Destination Port = “R1.* = R2.dp” , then Flag 20 = true Rule Definition for Detection and Resolving – 1. If (Flag 1 = true, Flag 9 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP 72 b. Introduce new rule with R2 Destination IP > R1 Destination IP 2. 3. 4. 5. 6. OR If (Flag 1 = true, Flag 9 = true, Flag 15 = true ,Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP and R2 Destination Port from * to < R1 Destination Port b. Introduce new rule with R2 Destination IP > R1 Destination IP and R2 Destination Port to > R1 Destination Port OR If (Flag 1 = true, Flag 9 = true, Flag 16 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP and R2 Source Port from * to < R1 Source Port b. Introduce new rule with R2 Destination IP > R1 Destination IP and R2 Source Port to > R1 Source Port OR If (Flag 1 = true, Flag 9 = true, Flag 16 = true ,Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP, R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port b. 
Introduce new rule with R2 Destination IP > R1 Destination IP, R2 Source Port to > R1 Source Port and R2 Destination Port to > R1 Destination Port OR If (Flag 1 = true, Flag 10 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP b. Introduce new rule with R1 Destination IP > R2 Destination IP OR If (Flag 1 = true, Flag 10 = true, Flag 15 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency 73 a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP and R1 Destination Port from * to < R2 Destination Port b. Introduce new rule with R1 Destination IP > R2 Destination IP and R1 Destination Port to > R2 Destination Port OR 7. If (Flag 1 = true, Flag 10 = true, Flag 17 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP, R1 Destination Port from * to < R2 Destination Port and R1 Source Port from * to < R2 Source Port b. Introduce new rule with R1 Destination IP > R2 Destination IP and R1 Source Port to > R2 Source Port OR 8. If (Flag 1 = true, Flag 10 = true, Flag 17 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP from * to < R2 Destination IP and R1 Source Port from * to < R2 Source Port b. Introduce new rule with R1 Destination IP > R2 Destination IP, R1 Destination Port to > R2 Destination Port and R1 Source Port to > R2 Source Port OR 9. 
If (Flag 1 = true, Flag 11 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP (dd) from * to < R1 Destination IP (dd) b. Introduce new rule with R2 Destination IP (dd) > R1 Destination IP (dd) OR 10. If (Flag 1 = true, Flag 11 = true, Flag 15 = true ,Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Destination Port from * to < R1 Destination Port 74 b. Introduce new rule with R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Destination Port to > R1 Destination Port OR 11. If (Flag 1 = true, Flag 11 = true, Flag 16 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Source Port from * to < R1 Source Port b. Introduce new rule with R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Source Port to > R1 Source Port OR 12. If (Flag 1 = true, Flag 11 = true, Flag 16 = true ,Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Destination IP (dd) from * to < R1 Destination IP (dd), R2 Destination Port from * to < R1 Destination Port and R2 Source Port from * to < R1 Source Port b. Introduce new rule with R2 Destination IP (dd) > R1 Destination IP (dd), R2 Destination Port to > R1 Destination Port and R2 Source Port to > R1 Source Port OR 13. 
If (Flag 1 = true, Flag 12 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R2 Destination IP (dd) b. Introduce new rule with R1 Destination IP (dd) > R2 Destination IP (dd) OR 14. If (Flag 1 = true, Flag 12 = true, Flag 15 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Destination Port from * to < R2 Destination Port b. Introduce new rule with R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Destination Port > R2 Destination Port OR 75 15. If (Flag 1 = true, Flag 12 = true, Flag 17 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Source Port from * to < R2 Source Port b. Introduce new rule with R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Source Port > R2 Source Port OR 16. If (Flag 1 = true, Flag 12 = true, Flag 17 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Destination IP (dd) from * to < R2 Destination IP (dd), R1 Destination Port from * to < R2 Destination Port and R1 Source Port from * to < R2 Source Port b. Introduce new rule with R1 Destination IP (dd) > R2 Destination IP (dd), R1 Destination Port > R2 Destination Port and R1 Source Port > R2 Source Port OR 17. 
If (Flag 1 = true, Flag 13 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd)
   b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd)
OR
18. If (Flag 1 = true, Flag 13 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Destination Port > R2 Destination Port
OR
19. If (Flag 1 = true, Flag 13 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Source Port > R2 Source Port
OR
20. If (Flag 1 = true, Flag 13 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd), R1 Destination Port from * to < R2 Destination Port and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd), R1 Destination Port > R2 Destination Port and R1 Source Port > R2 Source Port
OR
21.
If (Flag 1 = true, Flag 14 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd)
   b. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd)
OR
22. If (Flag 1 = true, Flag 14 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Destination Port > R1 Destination Port
OR
23. If (Flag 1 = true, Flag 14 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Source Port > R1 Source Port
OR
24. If (Flag 1 = true, Flag 14 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd), R2 Destination Port from * to < R1 Destination Port and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd), R2 Destination Port > R1 Destination Port and R2 Source Port > R1 Source Port
OR
25.
If (Flag 2 = true, Flag 8 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP
   b. Introduce new rule with R2 Source IP > R1 Source IP
OR
26. If (Flag 2 = true, Flag 8 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Source IP > R1 Source IP and R2 Destination Port > R1 Destination Port
OR
27. If (Flag 2 = true, Flag 8 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP and R2 Source Port > R1 Source Port
OR
28. If (Flag 2 = true, Flag 8 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination Port from * to < R1 Destination Port and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination Port > R1 Destination Port and R2 Source Port > R1 Source Port
OR
29. If (Flag 2 = true, Flag 9 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP and R2 Destination IP from * to < R1 Destination IP
   b.
Introduce new rule with R2 Source IP > R1 Source IP and R2 Destination IP > R1 Destination IP
OR
30. If (Flag 2 = true, Flag 9 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP from * to < R1 Destination IP and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP > R1 Destination IP and R2 Destination Port > R1 Destination Port
OR
31. If (Flag 2 = true, Flag 9 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP from * to < R1 Destination IP and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP > R1 Destination IP and R2 Source Port > R1 Source Port
OR
32. If (Flag 2 = true, Flag 9 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP from * to < R1 Destination IP, R2 Destination Port from * to < R1 Destination Port and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP > R1 Destination IP, R2 Destination Port > R1 Destination Port and R2 Source Port > R1 Source Port
OR
33. If (Flag 2 = true, Flag 11 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a.
To resolve inconsistency change R2 Source IP from * to < R1 Source IP and R2 Destination IP (dd) from * to < R1 Destination IP (dd)
   b. Introduce new rule with R2 Source IP > R1 Source IP and R2 Destination IP (dd) > R1 Destination IP (dd)
OR
34. If (Flag 2 = true, Flag 11 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Destination Port > R1 Destination Port
OR
35. If (Flag 2 = true, Flag 11 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Source Port > R1 Source Port
OR
36. If (Flag 2 = true, Flag 11 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dd) from * to < R1 Destination IP (dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dd) > R1 Destination IP (dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
37.
If (Flag 2 = true, Flag 14 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP and R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd)
   b. Introduce new rule with R2 Source IP > R1 Source IP and R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd)
OR
38. If (Flag 2 = true, Flag 14 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Destination Port from * to < R1 Destination Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Destination Port > R1 Destination Port
OR
39. If (Flag 2 = true, Flag 14 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Source Port from * to < R1 Source Port
   b. Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Source Port > R1 Source Port
OR
40. If (Flag 2 = true, Flag 14 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b.
Introduce new rule with R2 Source IP > R1 Source IP, R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
41. If (Flag 3 = true, Flag 8 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP
   b. Introduce new rule with R1 Source IP > R2 Source IP
OR
42. If (Flag 3 = true, Flag 8 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP and R1 Destination Port > R2 Destination Port
OR
43. If (Flag 3 = true, Flag 8 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Source IP > R2 Source IP and R1 Source Port > R2 Source Port
OR
44. If (Flag 3 = true, Flag 8 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
45.
If (Flag 3 = true, Flag 10 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination IP from * to < R2 Destination IP
   b. Introduce new rule with R1 Source IP > R2 Source IP and R1 Destination IP > R2 Destination IP
OR
46. If (Flag 3 = true, Flag 10 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP and R1 Destination Port > R2 Destination Port
OR
47. If (Flag 3 = true, Flag 10 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port
OR
48. If (Flag 3 = true, Flag 10 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP from * to < R2 Destination IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
   b.
Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
49. If (Flag 3 = true, Flag 12 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination IP (dd) from * to < R2 Destination IP (dd)
   b. Introduce new rule with R1 Source IP > R2 Source IP and R1 Destination IP (dd) > R2 Destination IP (dd)
OR
50. If (Flag 3 = true, Flag 12 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Destination Port > R2 Destination Port
OR
51. If (Flag 3 = true, Flag 12 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Source Port > R2 Source Port
OR
52. If (Flag 3 = true, Flag 12 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a.
To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dd) from * to < R2 Destination IP (dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dd) > R2 Destination IP (dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
53. If (Flag 3 = true, Flag 13 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd)
   b. Introduce new rule with R1 Source IP > R2 Source IP and R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd)
OR
54. If (Flag 3 = true, Flag 13 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Destination Port > R2 Destination Port
OR
55. If (Flag 3 = true, Flag 13 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Source Port from * to < R2 Source Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Source Port > R2 Source Port
OR
56.
If (Flag 3 = true, Flag 13 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
   b. Introduce new rule with R1 Source IP > R2 Source IP, R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
57. If (Flag 4 = true, Flag 8 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd)
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd)
OR
58. If (Flag 4 = true, Flag 8 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd) and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd) and R2 Destination Port > R1 Destination Port
OR
59. If (Flag 4 = true, Flag 8 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd) and R2 Source Port from * to < R1 Source Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd) and R2 Source Port > R1 Source Port
OR
60.
If (Flag 4 = true, Flag 8 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
61. If (Flag 4 = true, Flag 9 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd) and R2 Destination IP from * to < R1 Destination IP
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd) and R2 Destination IP > R1 Destination IP
OR
62. If (Flag 4 = true, Flag 9 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP from * to < R1 Destination IP and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP > R1 Destination IP and R2 Destination Port > R1 Destination Port
OR
63. If (Flag 4 = true, Flag 9 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP from * to < R1 Destination IP and R2 Source Port from * to < R1 Source Port
   b.
Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP > R1 Destination IP and R2 Source Port > R1 Source Port
OR
64. If (Flag 4 = true, Flag 9 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP from * to < R1 Destination IP, R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP > R1 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
65. If (Flag 4 = true, Flag 11 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd) and R2 Destination IP (dd) from * to < R1 Destination IP (dd)
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd) and R2 Destination IP (dd) > R1 Destination IP (dd)
OR
66. If (Flag 4 = true, Flag 11 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Destination Port > R1 Destination Port
OR
67. If (Flag 4 = true, Flag 11 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a.
To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Source Port from * to < R1 Source Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Source Port > R1 Source Port
OR
68. If (Flag 4 = true, Flag 11 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dd) > R1 Destination IP (dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
69. If (Flag 4 = true, Flag 14 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd) and R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd)
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd) and R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd)
OR
70. If (Flag 4 = true, Flag 14 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Destination Port from * to < R1 Destination Port
   b.
Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Destination Port > R1 Destination Port
OR
71. If (Flag 4 = true, Flag 14 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Source Port from * to < R1 Source Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Source Port > R1 Source Port
OR
72. If (Flag 4 = true, Flag 14 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP (sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
   b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP (sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
73. If (Flag 5 = true, Flag 8 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd)
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd)
OR
74. If (Flag 5 = true, Flag 8 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a.
To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd) and R1 Destination Port from * to < R2 Destination Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd) and R1 Destination Port > R2 Destination Port
OR
75. If (Flag 5 = true, Flag 8 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd) and R1 Source Port from * to < R2 Source Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd) and R1 Source Port > R2 Source Port
OR
76. If (Flag 5 = true, Flag 10 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd) and R1 Destination IP from * to < R2 Destination IP
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd) and R1 Destination IP > R2 Destination IP
OR
77. If (Flag 5 = true, Flag 10 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd), R1 Destination IP from * to < R2 Destination IP and R1 Destination Port from * to < R2 Destination Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd), R1 Destination IP > R2 Destination IP and R1 Destination Port > R2 Destination Port
OR
78. If (Flag 5 = true, Flag 10 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a.
To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd), R1 Destination IP from * to < R2 Destination IP and R1 Source Port from * to < R2 Source Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd), R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port
OR
79. If (Flag 5 = true, Flag 10 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd), R1 Destination IP from * to < R2 Destination IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd), R1 Destination IP > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
80. If (Flag 5 = true, Flag 12 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd) and R1 Destination IP (dd) from * to < R2 Destination IP (dd)
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd) and R1 Destination IP (dd) > R2 Destination IP (dd)
OR
81. If (Flag 5 = true, Flag 12 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
   a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP (sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Destination Port from * to < R2 Destination Port
   b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Destination Port > R2 Destination Port
OR
82.
If (Flag 5 = true, Flag 12 = true, Flag 17 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Source Port from * to < R2 Source Port 92 b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Source Port > R2 Source Port OR 83. If (Flag 5 = true, Flag 12 = true, Flag 17 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dd) > R2 Destination IP (dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port OR 84. If (Flag 5 = true, Flag 13 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd) and R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd) and R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) OR 85. If (Flag 5 = true, Flag 13 = true, Flag 15 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. 
To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Destination Port > R2 Destination Port OR 86. If (Flag 5 = true, Flag 13 = true, Flag 17 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency 93 a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Source Port from * to < R2 Source Port b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Source Port > R2 Source Port OR 87. If (Flag 5 = true, Flag 13 = true, Flag 17 = true ,Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP(sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port b. Introduce a new rule with R1Source IP (sd) > R2 Source IP (sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port OR 88. If (Flag 6 = true, Flag 8 = true, Flag 15 = true ,Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP(sc, sd) b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) OR 89. 
If (Flag 6 = true, Flag 8 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) and R2 Destination Port > R1 Destination Port
OR
90. If (Flag 6 = true, Flag 8 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) and R2 Source Port from * to < R1 Source Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) and R2 Source Port > R1 Source Port
OR
91. If (Flag 6 = true, Flag 8 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
92. If (Flag 6 = true, Flag 9 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) and R2 Destination IP from * to < R1 Destination IP
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) and R2 Destination IP > R1 Destination IP
OR
93. If (Flag 6 = true, Flag 9 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP from * to < R1 Destination IP and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP > R1 Destination IP and R2 Destination Port > R1 Destination Port
OR
94. If (Flag 6 = true, Flag 9 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP from * to < R1 Destination IP and R2 Source Port from * to < R1 Source Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP > R1 Destination IP and R2 Source Port > R1 Source Port
OR
95. If (Flag 6 = true, Flag 9 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP from * to < R1 Destination IP, R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP > R1 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
96. If (Flag 6 = true, Flag 11 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) and R2 Destination IP (dd) from * to < R1 Destination IP (dd)
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) and R2 Destination IP (dd) > R1 Destination IP (dd)
OR
97. If (Flag 6 = true, Flag 11 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Destination Port > R1 Destination Port
OR
98. If (Flag 6 = true, Flag 11 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd) and R2 Source Port from * to < R1 Source Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dd) > R1 Destination IP (dd) and R2 Source Port > R1 Source Port
OR
99. If (Flag 6 = true, Flag 11 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dd) from * to < R1 Destination IP (dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dd) > R1 Destination IP (dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
100. If (Flag 6 = true, Flag 14 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd) and R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd)
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd) and R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd)
OR
101. If (Flag 6 = true, Flag 14 = true, Flag 15 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Destination Port > R1 Destination Port
OR
102. If (Flag 6 = true, Flag 14 = true, Flag 16 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd) and R2 Source Port from * to < R1 Source Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd) and R2 Source Port > R1 Source Port
OR
103. If (Flag 6 = true, Flag 14 = true, Flag 16 = true, Flag 19 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP (sc, sd), R2 Destination IP (dc, dd) from * to < R1 Destination IP (dc, dd), R2 Source Port from * to < R1 Source Port and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP (sc, sd), R2 Destination IP (dc, dd) > R1 Destination IP (dc, dd), R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
104. If (Flag 7 = true, Flag 8 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd)
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd)
OR
105. If (Flag 7 = true, Flag 8 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Destination Port > R2 Destination Port
OR
106. If (Flag 7 = true, Flag 8 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Source Port from * to < R2 Source Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Source Port > R2 Source Port
OR
107.
If (Flag 7 = true, Flag 8 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
108. If (Flag 7 = true, Flag 10 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Destination IP from * to < R2 Destination IP
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Destination IP > R2 Destination IP
OR
109. If (Flag 7 = true, Flag 10 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP from * to < R2 Destination IP and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP > R2 Destination IP and R1 Destination Port > R2 Destination Port
OR
110. If (Flag 7 = true, Flag 10 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP from * to < R2 Destination IP and R1 Source Port from * to < R2 Source Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP > R2 Destination IP and R1 Source Port > R2 Source Port
OR
111. If (Flag 7 = true, Flag 10 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP from * to < R2 Destination IP, R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
112. If (Flag 7 = true, Flag 12 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Destination IP (dd) from * to < R2 Destination IP (dd)
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Destination IP (dd) > R2 Destination IP (dd)
OR
113. If (Flag 7 = true, Flag 12 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Destination Port > R2 Destination Port
OR
114. If (Flag 7 = true, Flag 12 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd) and R1 Source Port from * to < R2 Source Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dd) > R2 Destination IP (dd) and R1 Source Port > R2 Source Port
OR
115. If (Flag 7 = true, Flag 12 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dd) from * to < R2 Destination IP (dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dd) > R2 Destination IP (dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
116. If (Flag 7 = true, Flag 13 = true, Flag 15 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd) and R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd)
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd) and R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd)
OR
117. If (Flag 7 = true, Flag 13 = true, Flag 15 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Destination Port > R2 Destination Port
OR
118. If (Flag 7 = true, Flag 13 = true, Flag 17 = true, Flag 18 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd) and R1 Source Port from * to < R2 Source Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd) and R1 Source Port > R2 Source Port
OR
119. If (Flag 7 = true, Flag 13 = true, Flag 17 = true, Flag 20 = true) and R1(action = allow) and R2(action = deny) or R2(action = allow) and R1(action = deny) then create exception inconsistency
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP (sc, sd), R1 Destination IP (dc, dd) from * to < R2 Destination IP (dc, dd), R1 Source Port from * to < R2 Source Port and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP (sc, sd), R1 Destination IP (dc, dd) > R2 Destination IP (dc, dd), R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port

DENIAL OF SERVICE

Structure Comparison

1. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.sd”, then Flag 1 = true
2. Compare R1, R2. If Source IP = “R1.sa = R2.*, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”, then Flag 2 = true
3.
Compare R1, R2. If Source IP = “R1.* = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 3 = true
4. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.* = R2.sd”, then Flag 4 = true
5. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 5 = true
6. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.* = R2.sb, R1.* = R2.sc, R1.* = R2.sd”, then Flag 6 = true
7. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.sc, R1.sd = R2.*”, then Flag 7 = true
8. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.sb, R1.sc = R2.*, R1.sd = R2.*”, then Flag 8 = true
9. Compare R1, R2. If Source IP = “R1.sa = R2.sa, R1.sb = R2.*, R1.sc = R2.*, R1.sd = R2.*”, then Flag 9 = true
10. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.dd”, then Flag 10 = true
11. Compare R1, R2. If Destination IP = “R1.da = R2.*, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”, then Flag 11 = true
12. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.dd = R2.*”, then Flag 12 = true
13. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.*, R1.dd = R2.*”, then Flag 13 = true
14. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.*, R1.dc = R2.*, R1.dd = R2.*”, then Flag 14 = true
15. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.dc = R2.dc, R1.* = R2.dd”, then Flag 15 = true
16. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.db = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 16 = true
17. Compare R1, R2. If Destination IP = “R1.da = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 17 = true
18. Compare R1, R2. If Destination IP = “R1.* = R2.da, R1.* = R2.db, R1.* = R2.dc, R1.* = R2.dd”, then Flag 18 = true
19. Compare R1, R2. If Source Port = “R1.sp = R2.sp”, then Flag 19 = true
20. Compare R1, R2. If Source Port = “R1.sp = R2.*”, then Flag 20 = true
21. Compare R1, R2. If Source Port = “R1.* = R2.sp”, then Flag 21 = true
22. Compare R1, R2. If Destination Port = “R1.dp = R2.dp”, then Flag 22 = true
23. Compare R1, R2. If Destination Port = “R1.dp = R2.*”, then Flag 23 = true
24. Compare R1, R2. If Destination Port = “R1.* = R2.dp”, then Flag 24 = true

Rule Definition for Detection and Resolving

1. If (Flag 1 = true, Flag 10 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency compare the priority level of R1 and R2. If the priority level of R1 > R2, then keep R1 and delete R2. If the priority level of R2 > R1, then keep R2 and delete R1
OR
2. If (Flag 1 = true, Flag 11 = true, Flag 20 = true, Flag 23 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Destination IP from * to < R1 Destination IP, R2 Source Port < R1 Source Port and R2 Destination Port < R1 Destination Port
    b. Introduce a new rule with R2 Destination IP > R1 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
3. If (Flag 2 = true, Flag 10 = true, Flag 20 = true, Flag 23 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Source Port < R1 Source Port and R2 Destination Port < R1 Destination Port
    b. Introduce a new rule with R2 Destination IP > R1 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
4. If (Flag 2 = true, Flag 11 = true, Flag 19 = true, Flag 24 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP from * to < R1 Source IP, R2 Destination IP from * to < R1 Destination IP and R1 Destination Port < R2 Destination Port
    b. Introduce a new rule with R2 Source IP > R1 Source IP, R2 Destination IP > R1 Destination IP and R1 Destination Port > R2 Destination Port
OR
5. If (Flag 3 = true, Flag 12 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP and R2 Destination IP (dd) from * to < R1 Destination IP
    b. Introduce a new rule with R1 Source IP > R2 Source IP and R2 Destination IP (dd) > R1 Destination IP
OR
6. If (Flag 3 = true, Flag 13 = true, Flag 21 = true, Flag 24 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP from * to < R2 Source IP, R2 Destination IP (dc, dd) from * to < R1 Destination IP, R1 Source Port < R2 Source Port and R1 Destination Port < R2 Destination Port
    b. Introduce a new rule with R1 Source IP > R2 Source IP, R2 Destination IP (dc, dd) > R1 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
7. If (Flag 4 = true, Flag 13 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP and R2 Destination IP (dc, dd) from * to < R1 Destination IP
    b. Introduce a new rule with R1 Source IP (sd) > R2 Source IP and R2 Destination IP (dc, dd) > R1 Destination IP
OR
8. If (Flag 4 = true, Flag 14 = true, Flag 20 = true, Flag 23 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sd) from * to < R2 Source IP, R2 Destination IP (db, dc, dd) from * to < R1 Destination IP, R2 Source Port < R1 Source Port and R2 Destination Port < R1 Destination Port
    b.
    Introduce a new rule with R1 Source IP (sd) > R2 Source IP, R2 Destination IP (db, dc, dd) > R1 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
9. If (Flag 5 = true, Flag 14 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP and R2 Destination IP (db, dc, dd) from * to < R1 Destination IP
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP and R2 Destination IP (db, dc, dd) > R1 Destination IP
OR
10. If (Flag 5 = true, Flag 15 = true, Flag 21 = true, Flag 24 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sc, sd) from * to < R2 Source IP, R1 Destination IP (dd) from * to < R2 Destination IP, R1 Source Port < R2 Source Port and R1 Destination Port < R2 Destination Port
    b. Introduce a new rule with R1 Source IP (sc, sd) > R2 Source IP, R1 Destination IP (dd) > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
11. If (Flag 6 = true, Flag 15 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sb, sc, sd) from * to < R2 Source IP and R1 Destination IP (dd) from * to < R2 Destination IP
    b. Introduce a new rule with R1 Source IP (sb, sc, sd) > R2 Source IP and R1 Destination IP (dd) > R2 Destination IP
OR
12. If (Flag 6 = true, Flag 16 = true, Flag 20 = true, Flag 23 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R1 Source IP (sb, sc, sd) from * to < R2 Source IP, R1 Destination IP (dc, dd) from * to < R2 Destination IP, R2 Source Port < R1 Source Port and R2 Destination Port < R1 Destination Port
    b. Introduce a new rule with R1 Source IP (sb, sc, sd) > R2 Source IP, R1 Destination IP (dc, dd) > R2 Destination IP, R2 Source Port > R1 Source Port and R2 Destination Port > R1 Destination Port
OR
13. If (Flag 7 = true, Flag 17 = true, Flag 21 = true, Flag 24 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP, R1 Destination IP (db, dc, dd) from * to < R2 Destination IP, R1 Source Port < R2 Source Port and R1 Destination Port < R2 Destination Port
    b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP, R1 Destination IP (db, dc, dd) > R2 Destination IP, R1 Source Port > R2 Source Port and R1 Destination Port > R2 Destination Port
OR
14. If (Flag 7 = true, Flag 16 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sd) from * to < R1 Source IP and R1 Destination IP (dc, dd) from * to < R2 Destination IP
    b. Introduce a new rule with R2 Source IP (sd) > R1 Source IP and R1 Destination IP (dc, dd) > R2 Destination IP
OR
15. If (Flag 8 = true, Flag 17 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP and R1 Destination IP (db, dc, dd) from * to < R2 Destination IP
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP and R1 Destination IP (db, dc, dd) > R2 Destination IP
OR
16. If (Flag 8 = true, Flag 18 = true, Flag 20 = true, Flag 24 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sc, sd) from * to < R1 Source IP, R1 Destination IP from * to < R2 Destination IP, R2 Source Port from * to < R1 Source Port and R1 Destination Port from * to < R2 Destination Port
    b. Introduce a new rule with R2 Source IP (sc, sd) > R1 Source IP, R1 Destination IP > R2 Destination IP, R2 Source Port > R1 Source Port and R1 Destination Port > R2 Destination Port
OR
17. If (Flag 9 = true, Flag 18 = true, Flag 19 = true, Flag 22 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sb, sc, sd) from * to < R1 Source IP and R1 Destination IP from * to < R2 Destination IP
    b. Introduce a new rule with R2 Source IP (sb, sc, sd) > R1 Source IP and R1 Destination IP > R2 Destination IP
OR
18. If (Flag 9 = true, Flag 10 = true, Flag 21 = true, Flag 23 = true) and R1(action = deny) and R2(action = allow) then create denial of service.
    a. To resolve inconsistency change R2 Source IP (sb, sc, sd) from * to < R1 Source IP, R1 Source Port from * to < R2 Source Port and R2 Destination Port from * to < R1 Destination Port
    b. Introduce a new rule with R2 Source IP (sb, sc, sd) > R1 Source IP, R1 Source Port > R2 Source Port and R2 Destination Port > R1 Destination Port

(Rest of the rules not displayed due to space constraint)

APPENDIX B

Config file (runcfg-program-master-config_V1)

############################# N E T W O R K S ##########################
# This config file to have only one Section below defining All the Networks
########################################################################
networks=N1,N2
########################### N E T W O R K - N1 #########################
# Repeat this Section for each Network with details regarding the network
########################################################################
# Entry below Will control whether or not the network is active, this will allow us
# to add more networks in the config file and activate them in future
N1.active = true
N2.active=false
# Entry below defines the date when this network is activated, just for display for
# now, no validation done by program Suggested format MM/DD/YYYY
N1.activationdate=10/13/2013
# Entry below defines all zones in the firewall
N1.zones=N1-Z1,N1-Z2,N1-Z3
N1.outaclconflictfilename=N1_ACLFile_conflict.txt
# Entry below defines all configured paths in the network
N1.path.1=N1-Z1-A1,N2-Z2-B1,N3-Z3-C1
N1.path.2=N1-Z1-A1,N2-Z2-B2,N3-Z3-C1
N1.path.3=N1-Z1-A2,N2-Z2-B1,N3-Z3-C1
N1.path.4=N1-Z1-A2,N2-Z2-B2,N3-Z3-C1

#################### N E T W O R K - N1, Z O N E - Z1 #####################
# Repeat this section for each zone in the network with details regarding the zone
########################################################################
# Entry below will control whether or not the zone is active; this will allow us
# to add more zones for the firewall in the config file and activate them in future
N1-Z1.active = true
N1-Z2.active = true
N1-Z3.active = true
# Entry below defines the date when this zone is activated, just for display for now,
# no validation done by program. Suggested format MM/DD/YYYY
N1-Z1.activationdate=10/13/2013
# Entry below will control what all firewalls are in a given zone; this will allow us
# to add more firewalls in the zone in the config file without requiring change
# in the master program
N1-Z1.firewalls=N1-Z1-A1,N1-Z1-A2
N1-Z2.firewalls=N1-Z1-B1,N1-Z1-B2
N1-Z3.firewalls=N1-Z1-C1

############ N E T W O R K - N1, Z O N E - Z1, F I R E W A L L - A1 ###########
# Repeat this section for each firewall in the zone with details of the firewall
########################################################################
# ACL and allow / deny file for this firewall
N1-Z1-A1.active = true
N1-Z1-A1.activationdate=10/13/2013
N1-Z1-A1.inconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\input\\
N1-Z1-A1.outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
N1-Z1-A1.inaclmasterfilename=N1-Z1-A1_ACLFile_master.csv
N1-Z1-A1.inaclallowfilename=N1-Z1-A1_ACLFile_allow.csv
N1-Z1-A1.inacldenyfilename=N1-Z1-A1_ACLFile_deny.csv
N1-Z1-A1.outaclconflictfilename=N1-Z1-A1_ACLFile_conflict.txt
N1-Z1-A1.outaclconflictXmlfilename=N1-Z1-A1_ACLFile_conflict.xml

############ N E T W O R K - N1, Z O N E - Z1, F I R E W A L L - A2 ###########
# Repeat this section for each firewall in the zone with details of the firewall
########################################################################
# ACL and allow / deny file for this firewall
N1-Z1-A2.active = true
N1-Z1-A2.activationdate=10/13/2013
N1-Z1-A2.inconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\input\\
N1-Z1-A2.outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
N1-Z1-A2.inaclmasterfilename=N1-Z1-A2_ACLFile_master.csv
N1-Z1-A2.inaclallowfilename=N1-Z1-A2_ACLFile_allow.csv
N1-Z1-A2.inacldenyfilename=N1-Z1-A2_ACLFile_deny.csv
N1-Z1-A2.outaclconflictfilename=N1-Z1-A2_ACLFile_conflict.txt
N1-Z1-A2.outaclconflictXmlfilename=N1-Z1-A2_ACLFile_conflict.xml

############ N E T W O R K - N1, Z O N E - Z1, F I R E W A L L - B1 ###########
# Repeat this section for each firewall in the zone with details of the firewall
########################################################################
# ACL and allow / deny file for this firewall
N1-Z1-B1.active = true
N1-Z1-B1.activationdate=10/13/2013
N1-Z1-B1.inconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\input\\
N1-Z1-B1.outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
N1-Z1-B1.inaclmasterfilename=N1-Z1-B1_ACLFile_master.csv
N1-Z1-B1.inaclallowfilename=N1-Z1-B1_ACLFile_allow.csv
N1-Z1-B1.inacldenyfilename=N1-Z1-B1_ACLFile_deny.csv
N1-Z1-B1.outaclconflictfilename=N1-Z1-B1_ACLFile_conflict.txt
N1-Z1-B1.outaclconflictXmlfilename=N1-Z1-B1_ACLFile_conflict.xml

############ N E T W O R K - N1, Z O N E - Z1, F I R E W A L L - B2 ###########
# Repeat this section for each firewall in the zone with details of the firewall
########################################################################
# ACL and allow / deny file for this firewall
N1-Z1-B2.active = true
N1-Z1-B2.activationdate=10/13/2013
N1-Z1-B2.inconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\input\\
N1-Z1-B2.outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
N1-Z1-B2.inaclmasterfilename=N1-Z1-B2_ACLFile_master.csv
N1-Z1-B2.inaclallowfilename=N1-Z1-B2_ACLFile_allow.csv
N1-Z1-B2.inacldenyfilename=N1-Z1-B2_ACLFile_deny.csv
N1-Z1-B2.outaclconflictfilename=N1-Z1-B2_ACLFile_conflict.txt
N1-Z1-B2.outaclconflictXmlfilename=N1-Z1-B2_ACLFile_conflict.xml

########### N E T W O R K - N1, Z O N E - Z1, F I R E W A L L - C1 ###########
# Repeat this section for each firewall in the zone with details of the firewall
########################################################################
# ACL and allow / deny file for this firewall
N1-Z1-C1.active = true
N1-Z1-C1.activationdate=10/13/2013
N1-Z1-C1.inconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\input\\
N1-Z1-C1.outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
N1-Z1-C1.inaclmasterfilename=N1-Z1-C1_ACLFile_master.csv
N1-Z1-C1.inaclallowfilename=N1-Z1-C1_ACLFile_allow.csv
N1-Z1-C1.inacldenyfilename=N1-Z1-C1_ACLFile_deny.csv
N1-Z1-C1.outaclconflictfilename=N1-Z1-C1_ACLFile_conflict.txt
N1-Z1-C1.outaclconflictXmlfilename=N1-Z1-C1_ACLFile_conflict.xml

###################### C O M P A R E - C O N F I G ########################
# This section will contain entries for use when individual contexts are not
# applicable
########################################################################
outconfigdir=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\output\\
outaclconflictfilename=MultiCompareResult_conflict.txt
outaclconflictXmlfilename=MultiCompareResult_conflict.xml

#################### C O M P A R E - DB C O N F I G ######################
# This section will contain entries for db use when individual contexts are not
# applicable
########################################################################
# Info for db
load.dbDriver = com.mysql.jdbc.Driver
load.dbUrl = jdbc:mysql://localhost:3306/firewallacl
load.dbUser = firewalladmin
load.dbPassword = password

######################## G E N E R A L - C O N F I G ######################
# This config file is to have only one section below defining all entries to be used
# by the master program. These entries will not be specific to any network or zone
# or firewall in there
########################################################################
# Port where server needs to listen / open server port
serverPort =55001
# Name (prefix) of log file; file name format will be prefix + date time stamp + extension
logfilename=C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\log\\IdentifyConflicts_
# Extension of log file
logfileext=.log
# Type of logger: XML or SIMPLE
loggertype=SIMPLE
# Logger class name
loggerclass=utilofinconsistency.IdentifyConflicts
# DEBUG settings (still to fine tune the level part)
debug = true
debuglevel=10

APPENDIX C

TestClassIdentifyAndLoadConflictsForAllNetworks.java

package utilofinconsistency;

import common.TestClassBase;

public class TestClassIdentifyAndLoadConflictsForAllNetworks extends TestClassBase {

    //------------------ MEMBERS
    private static String THIS_IMPL_NAME = "TestClassIdentifyAndLoadConflictsForAllNetworks";

    //------------------ ACCESS METHODS
    public void runTestNoParams(String[] args) throws Exception {
        System.out.println("**** ENTERED ****");
        // First identify: run the conflict detection over every network in the config file
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "utilofinconsistency.IdentifyConflicts", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "networks");
        // Now load the XML conflict reports into the database
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "dbload.LoadConflictsXmlReportToDB", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "loadnetworks");
        System.out.println("**** EXITED ****");
    }

    public static void main(String[] args) throws Exception {
        TestClassBase testBase = new TestClassIdentifyAndLoadConflictsForAllNetworks();
        testBase.runTest(args);
    }
}

APPENDIX D

TestClassIdentifyAndLoadConflictsForMultiFirewallsCompare.java

package utilofinconsistency;

import common.TestClassBase;

public class TestClassIdentifyAndLoadConflictsForMultiFirewallsCompare extends TestClassBase {

    //------------------ MEMBERS
    private static String THIS_IMPL_NAME = "TestClassIdentifyAndLoadConflictsForMultiFirewallsCompare";

    //------------------ ACCESS METHODS
    public void runTestNoParams(String[] args) throws Exception {
        System.out.println("**** ENTERED ****");
        // First identify: compare the two named firewalls against each other
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "utilofinconsistency.IdentifyConflicts", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "comparefirewalls=N1-Z1-A1,N1-Z1-A2");
        // Now load the XML conflict report into the database
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "dbload.LoadConflictsXmlReportToDB", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "load");
        System.out.println("**** EXITED ****");
    }

    public static void main(String[] args) throws Exception {
        TestClassBase testBase = new TestClassIdentifyAndLoadConflictsForMultiFirewallsCompare();
        testBase.runTest(args);
    }
}

APPENDIX E

TestClassIdentifyAndLoadConflictsForMultiFirewallsGroupCompare.java

package utilofinconsistency;

import common.TestClassBase;
public class TestClassIdentifyAndLoadConflictsForMultiFirewallsGroupCompare extends TestClassBase {

    //------------------ MEMBERS
    // Was left as "...MultiFirewallsCompare" (copied from the previous test class); corrected to this class's name
    private static String THIS_IMPL_NAME = "TestClassIdentifyAndLoadConflictsForMultiFirewallsGroupCompare";

    //------------------ ACCESS METHODS
    public void runTestNoParams(String[] args) throws Exception {
        System.out.println("**** ENTERED ****");
        // First identify: compare the source group of firewalls against the destination group
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "utilofinconsistency.IdentifyConflicts", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "comparegroupedfirewalls=srcGroup:N1-Z1-A1,N1-Z1-A2^destGroup:N1-Z1-B1");
        // Now load the XML conflict report into the database
        runTest(
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "dbload.LoadConflictsXmlReportToDB", "",
            "C:\\workspace2\\MainProject2013\\testing\\inconsistencyfirewall\\config\\runcfg-program-master-config_V1.cfg",
            "load");
        System.out.println("**** EXITED ****");
    }

    public static void main(String[] args) throws Exception {
        TestClassBase testBase = new TestClassIdentifyAndLoadConflictsForMultiFirewallsGroupCompare();
        testBase.runTest(args);
    }
}

APPENDIX F

IdentifyCorrelationConflicts.java

package utilofinconsistency;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map.Entry;
import java.util.Properties;

import common.RunProcessBase;

public class IdentifyCorrelationConflicts extends RunProcessBase {

    private static String _implName = "IdentifyCorrelationConflicts";

    /** Constructor */
    public IdentifyCorrelationConflicts() {
    }

    /** Constructor; p_args are the command-line arguments (not used here) */
    public IdentifyCorrelationConflicts(String p_args[]) {
    }

    /**
     * Match on Source Port field: true when the two port values are equal
     * (case-insensitive). p_useAny is accepted for interface compatibility
     * but is not consulted.
     */
    public static boolean matchOneCorrelationSourcePort(String p_source1Val, String p_source2Val,
            boolean p_useAny) throws Exception {
        return p_source2Val.equalsIgnoreCase(p_source1Val);
    }

    /** Match on Dest Port field: the same equality test as the source port. */
    public static boolean matchOneCorrelationDestPort(String p_source1Val, String p_source2Val,
            boolean p_useAny) throws Exception {
        return p_source2Val.equalsIgnoreCase(p_source1Val);
    }

    /**
     * Matching IP Address field for Correlation conflict. Both values are dotted
     * quads in which an octet may be the wildcard "*". Source 1 is compared with
     * source 2 octet by octet, a "*" in the last octet of source 1 counting as a
     * match; the wildcard counts then override that result: if source 1 is
     * entirely "*" the field matches exactly when source 2 has no "*"; if source 1
     * has no "*" at all, or both sides contain a "*", the field does not match.
     */
    public static boolean matchOneCorrelationIPField(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key, boolean p_Source1AsterixAllowed) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        if (s1_IP_NumberOfParts != s2_IP_NumberOfParts) {
            return false;
        }
        // Count * in each source
        int s1_IP_NumberOfPartsAsterixCount = 0;
        int s2_IP_NumberOfPartsAsterixCount = 0;
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s2_IP_Parts[i].equals("*")) {
                s2_IP_NumberOfPartsAsterixCount++;
            }
        }
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        // One flag per part (sized to the address rather than fixed at four):
        // either s1 matches s2 or s1 is an asterix in the last octet, a subset of s2
        boolean[] bpartMatch = new boolean[s2_IP_NumberOfParts];
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i]) || (s1_IP_Parts[i].equals("*") && i == 3)) {
                bpartMatch[i] = true;
            }
        }
        // Now get them all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bRetVal = bRetVal && bpartMatch[i];
        }
        // Override the final result if R2 is all asterix
        if (s2_IP_NumberOfPartsAsterixCount == s2_IP_NumberOfParts) {
            bRetVal = (s1_IP_NumberOfPartsAsterixCount == 0);
        }
        if (s1_IP_NumberOfPartsAsterixCount == s1_IP_NumberOfParts) {
            bRetVal = (s2_IP_NumberOfPartsAsterixCount == 0);
        } else if (s2_IP_NumberOfPartsAsterixCount > 0 && s1_IP_NumberOfPartsAsterixCount > 0) {
            bRetVal = false;
        } else if (s1_IP_NumberOfPartsAsterixCount == 0) {
            bRetVal = false;
        }
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Correlation conflict.
     * Flag 1: at least one side is entirely "*".
     * Flag 2: no octet is equal, the two values differ as strings, and they are
     *         not both entirely "*".
     * Flag 3: the first three octets are equal and the last octet is "*" on at
     *         least one side.
     * The field matches when Flag 2 holds together with Flag 1 or with Flag 3
     * (for a four-octet address Flag 2 and Flag 3 exclude each other, so the
     * second alternative never fires in practice).
     */
    public static boolean matchOneCorrelationSourceIPField(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key, boolean p_Source1AsterixAllowed) throws Exception {
        // Start from false: the original initialised this to true, which made the
        // method return true regardless of the flags computed below
        boolean bRetVal = false;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        if (s1_IP_NumberOfParts != s2_IP_NumberOfParts) {
            return false;   // guard added: the loops below index both arrays with the same i
        }
        // Get #1: count * in each source
        boolean bMatchFlag1 = false;
        int s1_IP_NumberOfPartsAsterixCount = 0;
        int s2_IP_NumberOfPartsAsterixCount = 0;
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s2_IP_Parts[i].equals("*")) {
                s2_IP_NumberOfPartsAsterixCount++;
            }
        }
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        if (s1_IP_NumberOfPartsAsterixCount == s1_IP_NumberOfParts
                || s2_IP_NumberOfPartsAsterixCount == s2_IP_NumberOfParts) {
            bMatchFlag1 = true;
        }
        // Get #2: start with true; any equal octet turns the result into false for all
        boolean bMatchFlag2 = true;
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag2 = bMatchFlag2 && !s1_IP_Parts[i].equals(s2_IP_Parts[i]);
        }
        if (p_source1Val.equals(p_source2Val)) {
            bMatchFlag2 = false;
        }
        if (s1_IP_NumberOfPartsAsterixCount == s1_IP_NumberOfParts
                && s2_IP_NumberOfPartsAsterixCount == s2_IP_NumberOfParts) {
            bMatchFlag2 = false;
        }
        // Get #3: start with true (the original started at false, which made Flag 3
        // always false); any failing octet turns the result into false for all
        boolean bMatchFlag3 = true;
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            boolean partOk = (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i]))
                    || (i == 3 && (s1_IP_Parts[i].equals("*") || s2_IP_Parts[i].equals("*")));
            bMatchFlag3 = bMatchFlag3 && partOk;
        }
        // Final Flag
        if (bMatchFlag1 && bMatchFlag2) {
            bRetVal = true;
        } else if (bMatchFlag2 && bMatchFlag3) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Matching Destination IP Address field for Correlation conflict: the same
     * test as the source field (the original repeated the body verbatim).
     */
    public static boolean matchOneCorrelationDestIPField(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key, boolean p_Source1AsterixAllowed) throws Exception {
        return matchOneCorrelationSourceIPField(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key,
                p_Source1AsterixAllowed);
    }

    /** Flag 1 (Source IP, first condition): every octet of source 2 is "*". */
    public static boolean matchOneCorrelationSourceIPField_Flag1(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bMatchFlag1 = true;
        for (String part : p_source2Val.split("\\.")) {
            bMatchFlag1 = bMatchFlag1 && part.equals("*");
        }
        return bMatchFlag1;
    }

    /** Flag 2 (Source IP, second condition): every octet of source 1 is "*". */
    public static boolean matchOneCorrelationSourceIPField_Flag2(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bMatchFlag1 = true;
        for (String part : p_source1Val.split("\\.")) {
            bMatchFlag1 = bMatchFlag1 && part.equals("*");
        }
        return bMatchFlag1;
    }

    /**
     * Flag 3 (Source IP, third condition): first three octets equal, last octet
     * fixed in source 1 and "*" in source 2.
     */
    public static boolean matchOneCorrelationSourceIPField_Flag3(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        if (s1_IP_Parts.length != s2_IP_Parts.length) {
            return false;   // guard added: the loop indexes both arrays with the same i
        }
        // Start with true; any failing octet turns the result into false for all
        boolean bMatchFlag1 = true;
        for (int i = 0; i < s2_IP_Parts.length; i++) {
            boolean partOk = (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i]))
                    || (i == 3 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*"));
            bMatchFlag1 = bMatchFlag1 && partOk;
        }
        return bMatchFlag1;
    }

    /**
     * Flag 4 (Source IP, fourth condition): first three octets equal, last octet
     * "*" in source 1 and fixed in source 2.
     */
    public static boolean matchOneCorrelationSourceIPField_Flag4(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        if (s1_IP_Parts.length != s2_IP_Parts.length) {
            return false;   // guard added
        }
        boolean bMatchFlag1 = true;
        for (int i = 0; i < s2_IP_Parts.length; i++) {
            boolean partOk = (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i]))
                    || (i == 3 && !s2_IP_Parts[i].equals("*") && s1_IP_Parts[i].equals("*"));
            bMatchFlag1 = bMatchFlag1 && partOk;
        }
        return bMatchFlag1;
    }

    /**
     * Flag 5 (Source IP, fifth condition): first two octets equal; third octet
     * equal, or fixed in source 1 and "*" in source 2; last octet fixed in
     * source 1 and "*" in source 2.
     */
    public static boolean matchOneCorrelationSourceIPField_Flag5(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        if (s1_IP_Parts.length != s2_IP_Parts.length) {
            return false;   // guard added
        }
        boolean bMatchFlag1 = true;
        for (int i = 0; i < s2_IP_Parts.length; i++) {
            boolean partOk = (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i]))
                    || (i == 2 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*"))
                    || (i == 3 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*"));
            bMatchFlag1 = bMatchFlag1 && partOk;
        }
        return bMatchFlag1;
    }

    /**
     * Flag 6 (Source IP, sixth condition): first two octets equal; third octet
     * equal, or "*" in source 1 and fixed in source 2; last octet "*" in
     * source 1 and fixed in source 2.
     */
    public static boolean matchOneCorrelationSourceIPField_Flag6(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        if (s1_IP_Parts.length != s2_IP_Parts.length) {
            return false;   // guard added
        }
        boolean bMatchFlag1 = true;
        for (int i = 0; i < s2_IP_Parts.length; i++) {
            boolean partOk = (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i]))
                    || (i == 2 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*"))
                    || (i == 3 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*"));
            bMatchFlag1 = bMatchFlag1 && partOk;
        }
        return bMatchFlag1;
    }

    /** Flag 7 (Destination IP, seventh condition): same test as Flag 1. */
    public static boolean matchOneCorrelationDestIPField_Flag7(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag1(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 8 (Destination IP, eighth condition): same test as Flag 2. */
    public static boolean matchOneCorrelationDestIPField_Flag8(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag2(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 9 (Destination IP, ninth condition): same test as Flag 3. */
    public static boolean matchOneCorrelationDestIPField_Flag9(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag3(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 10 (Destination IP, tenth condition): same test as Flag 4. */
    public static boolean matchOneCorrelationDestIPField_Flag10(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag4(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 11 (Destination IP, eleventh condition): same test as Flag 5. */
    public static boolean matchOneCorrelationDestIPField_Flag11(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag5(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 12 (Destination IP, twelfth condition): same test as Flag 6. */
    public static boolean matchOneCorrelationDestIPField_Flag12(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneCorrelationSourceIPField_Flag6(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /** Flag 13 (Source Port): the two port values are equal (case-insensitive). */
    public static boolean matchOneCorrelationSourcePort_Flag13(String p_source1Val, String p_source2Val)
            throws Exception {
        return p_source1Val.equalsIgnoreCase(p_source2Val);
    }

    /** Flag 14 (Source Port): source 2 is the wildcard "any" or "*". */
    public static boolean matchOneCorrelationSourcePort_Flag14(String p_source1Val, String p_source2Val)
            throws Exception {
        return p_source2Val.equalsIgnoreCase("any") || p_source2Val.equalsIgnoreCase("*");
    }

    /** Flag 15 (Source Port): source 1 is the wildcard "any" or "*". */
    public static boolean matchOneCorrelationSourcePort_Flag15(String p_source1Val, String p_source2Val)
            throws Exception {
        return p_source1Val.equalsIgnoreCase("any") || p_source1Val.equalsIgnoreCase("*");
    }

    /** Flag 16 (Dest Port): same test as Flag 13. */
    public static boolean matchOneCorrelationDestPort_Flag16(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneCorrelationSourcePort_Flag13(p_source1Val, p_source2Val);
    }

    /** Flag 17 (Dest Port): same test as Flag 14. */
    public static boolean matchOneCorrelationDestPort_Flag17(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneCorrelationSourcePort_Flag14(p_source1Val, p_source2Val);
    }

    /** Flag 18 (Dest Port): same test as Flag 15. */
    public static boolean matchOneCorrelationDestPort_Flag18(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneCorrelationSourcePort_Flag15(p_source1Val, p_source2Val);
    }
}

APPENDIX G

IdentifyDenialOfServiceConflicts.java

package utilofinconsistency;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map.Entry;
import java.util.Properties;

import common.RunProcessBase;

public class IdentifyDenialOfServiceConflicts extends RunProcessBase {

    private static String _implName = "IdentifyDenialOfServiceConflicts";

    /** Constructor */
    public IdentifyDenialOfServiceConflicts() {
    }

    /** Constructor; p_args are the command-line arguments (not used here) */
    public IdentifyDenialOfServiceConflicts(String p_args[]) {
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for first
     * condition: every octet of source 1 equals the corresponding octet of source 2.
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag1(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // Define flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i =
0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPFieldAsterix(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        // Get #2
        boolean bMatchFlag2 = false;
        int s1_IP_NumberOfPartsAsterixCount = 0;
        // Count * in source 1
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        // True only when every octet of source 1 is a wildcard, i.e. the address is *.*.*.*
        if (s1_IP_NumberOfPartsAsterixCount == s1_IP_NumberOfParts) {
            bMatchFlag2 = true;
        }
        // Final Flag
        bRetVal = bMatchFlag2;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for second condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag2(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        // Condition 2: rule 2's address is the full wildcard (arguments swapped on purpose)
        return matchOneDenialOfServiceSourceIPFieldAsterix(p_source2Val, p_source1Val, p_Source2Key, p_Source1Key);
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for third condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag3(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        // Condition 3: rule 1's address is the full wildcard
        return matchOneDenialOfServiceSourceIPFieldAsterix(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for fourth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag4(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 4: first three octets identical, last octet wildcard in rule 1 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            } else if (i == 3 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for fifth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag5(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 5: last two octets wildcard in rule 1 only, the rest identical
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i == 2 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for sixth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag6(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 6: last three octets wildcard in rule 1 only, first octet identical
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i == 1 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 2 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for seventh condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag7(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 7: mirror of condition 4, last octet wildcard in rule 2 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i == 3 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for eighth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag8(String p_source1Val, String p_source2Val, String
p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 8: mirror of condition 5, last two octets wildcard in rule 2 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i == 2 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for DenialOfService conflict for ninth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourceIPField_Flag9(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 9: mirror of condition 6, last three octets wildcard in rule 2 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i == 1 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 2 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for tenth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag10(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        // Destination conditions 10 to 18 reuse the source IP relations in a different order
        return matchOneDenialOfServiceSourceIPField_Flag1(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for eleventh condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag11(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag2(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 12th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag12(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag7(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 13th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag13(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag8(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 14th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag14(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag9(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 15th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag15(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag4(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 16th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag16(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag5(p_source1Val, p_source2Val, p_Source1Key,
p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 17th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag17(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag6(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for DenialOfService conflict for 18th condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestIPField_Flag18(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneDenialOfServiceSourceIPField_Flag3(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourcePort_Flag19(String p_source1Val, String p_source2Val)
            throws Exception {
        boolean bRetVal = false;
        // Condition 19: both rules name the same port (case-insensitive compare)
        if (p_source1Val.equalsIgnoreCase(p_source2Val)) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourcePort_Flag20(String p_source1Val, String p_source2Val)
            throws Exception {
        boolean bRetVal = false;
        // Condition 20: the second rule's port is a wildcard ("any" or "*")
        if (p_source2Val.equalsIgnoreCase("any") || p_source2Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceSourcePort_Flag21(String p_source1Val, String p_source2Val)
            throws Exception {
        boolean bRetVal = false;
        // Condition 21: the first rule's port is a wildcard ("any" or "*")
        if (p_source1Val.equalsIgnoreCase("any") || p_source1Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestPort_Flag22(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneDenialOfServiceSourcePort_Flag19(p_source1Val, p_source2Val);
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestPort_Flag23(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneDenialOfServiceSourcePort_Flag20(p_source1Val, p_source2Val);
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneDenialOfServiceDestPort_Flag24(String p_source1Val, String p_source2Val)
            throws Exception {
        return matchOneDenialOfServiceSourcePort_Flag21(p_source1Val, p_source2Val);
    }

    /**
     * Resolving DenialOfService Inconsistency
     *
     * @param p_source1
     * @param p_source2
     * @return
     * @throws Exception
     */
    public static String getResolveDenialOfServiceInconsistencyMsg(String p_source1, String p_source2, int p_type1)
            throws Exception {
        // Delegates to the resolver class, which builds the user-facing resolution message
        return ResolveDenialOfServiceConflict.getResolveInconsistencyMsg(p_source1, p_source2, p_type1);
    }
}

APPENDIX H

IdentifyExceptionConflicts.java

package utilofinconsistency;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map.Entry;
import java.util.Properties;

import common.RunProcessBase;

public class IdentifyExceptionConflicts extends RunProcessBase {

    private static String _implName = "IdentifyExceptionConflicts";

    /**
     * Constructor
     *
     * @param p_args
     */
    public IdentifyExceptionConflicts() {
    }

    /**
     * Constructor
     *
     * @param p_args
     */
    public IdentifyExceptionConflicts(String p_args[]) {
    }

    /**
     * Match on Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_useAny
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourcePort(String p_source1Val, String p_source2Val, boolean p_useAny)
            throws Exception {
        boolean bRetVal = false;
        // Ports match when equal, or when rule 2's port is a wildcard (p_useAny is not consulted)
        if (p_source1Val.equalsIgnoreCase(p_source2Val) || p_source2Val.equalsIgnoreCase("any")
                || p_source2Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_useAny
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestPort(String p_source1Val, String p_source2Val, boolean p_useAny)
            throws Exception {
        boolean bRetVal = false;
        // Same rule as the source port: equal, or rule 2's port is a wildcard
        if (p_source1Val.equalsIgnoreCase(p_source2Val) || p_source2Val.equalsIgnoreCase("any")
                || p_source2Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key, boolean p_Source1AsterixAllowed) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        if (s1_IP_NumberOfParts != s2_IP_NumberOfParts) {
            // Different shapes can never match
            bRetVal = false;
            return bRetVal;
        }
        int s1_IP_NumberOfPartsAsterixCount = 0;
        int s2_IP_NumberOfPartsAsterixCount = 0;
        // Count * in source 2
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s2_IP_Parts[i].equals("*")) {
                s2_IP_NumberOfPartsAsterixCount++;
            }
        }
        // Count * in source 1
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        boolean[] bpartMatch1 = {false, false, false, false};
        boolean[] bpartMatch2 = {false, false, false, false};
        boolean bIPRuleMatchFlag1 = true, bIPRuleMatchFlag2 = true;
        // Flag 1: rule 2 is the full wildcard, so it covers whatever rule 1 names
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            // s2 has to be an asterix
            if (s2_IP_Parts[i].equals("*")) {
                bpartMatch1[i] = true;
            }
        }
        // Now get them all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bIPRuleMatchFlag1 = bIPRuleMatchFlag1 && bpartMatch1[i];
        }
        // We now have all set for Flag 1
        //log("matchOneExceptionSourceIPField bIPRuleMatchFlag1 (1) is (" + bIPRuleMatchFlag1 + ")");
        // define Flags, one for each part, initialize each as false
        boolean[] bpartMatch = {false, false, false, false};
        // Flag 2: the two addresses are identical octet by octet
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            // Either s1 matches s2 or s1 is an asterix, a subset of s2
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpartMatch2[i] = true;
            }
        }
        // Now get them all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bIPRuleMatchFlag2 = bIPRuleMatchFlag2 && bpartMatch2[i];
        }
        // We now have all set for Flag 2
        // Check the Flags
        if (bIPRuleMatchFlag1) {
            bRetVal = bIPRuleMatchFlag1;
        } else if (bIPRuleMatchFlag2) {
            bRetVal = bIPRuleMatchFlag2;
        } else {
            bRetVal = false;
        }
        return bRetVal;
    }

    /**
     * Matching Destination IP Address field for Exception conflict.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key, boolean p_Source1AsterixAllowed) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        if (s1_IP_NumberOfParts != s2_IP_NumberOfParts) {
            // Different shapes can never match
            bRetVal = false;
            return bRetVal;
        }
        int s1_IP_NumberOfPartsAsterixCount = 0;
        int s2_IP_NumberOfPartsAsterixCount = 0;
        // Count * in source 2
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s2_IP_Parts[i].equals("*")) {
                s2_IP_NumberOfPartsAsterixCount++;
            }
        }
        // Count * in source 1
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        boolean[] bpartMatch1 = {false, false, false, false};
        boolean[] bpartMatch2 = {false, false, false, false};
        boolean bIPRuleMatchFlag1 = true, bIPRuleMatchFlag2 =
true;
        // Flag 1: rule 2 is the full wildcard
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            // s2 has to be an asterix
            if (s2_IP_Parts[i].equals("*")) {
                bpartMatch1[i] = true;
            }
        }
        // Now get them all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bIPRuleMatchFlag1 = bIPRuleMatchFlag1 && bpartMatch1[i];
        }
        // We now have all set for Flag 1
        // define Flags, one for each part, initialize each as false
        boolean[] bpartMatch = {false, false, false, false};
        // Flag 2: the two addresses are identical octet by octet
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            // Either s1 matches s2 or s1 is an asterix, a subset of s2
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpartMatch2[i] = true;
            }
        }
        // Now get them all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bIPRuleMatchFlag2 = bIPRuleMatchFlag2 && bpartMatch2[i];
        }
        // We now have all set for Flag 2
        // Check the Flags
        if (bIPRuleMatchFlag1) {
            bRetVal = bIPRuleMatchFlag1;
        } else if (bIPRuleMatchFlag2) {
            bRetVal = bIPRuleMatchFlag2;
        } else {
            bRetVal = false;
        }
        return bRetVal;
    }

    // EXCEPTION BEGIN

    /**
     * Matching Source IP Address field for Exception conflict for first condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag1(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart2Match = {false, false, false, false};
        // Condition 1: both addresses identical octet by octet
        // (the listing compared s2_IP_Parts[i] with itself, which is always true; s1 is compared here)
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart2Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i <
s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart2Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for second condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag2(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 2: rule 2's address is the full wildcard *.*.*.*
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for third condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag3(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match =
{false, false, false, false};
        // Condition 3: rule 1's address is the full wildcard *.*.*.*
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for fourth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag4(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 4: first three octets identical, last octet wildcard in rule 2 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            } else if (i == 3 && !
s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for fifth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag5(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 5: mirror of condition 4, last octet wildcard in rule 1 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            } else if (i == 3 && !
s2_IP_Parts[i].equals("*") && s1_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for sixth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag6(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 6: last two octets wildcard in rule 2 only, the rest identical
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            } else if (i == 2 && !s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && !
s1_IP_Parts[i].equals("*") && s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for Exception conflict for seventh condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourceIPField_Flag7(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        // Condition 7: mirror of condition 6, last two octets wildcard in rule 1 only
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            if (i != 3 && s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            } else if (i == 2 && s1_IP_Parts[i].equals("*") && !s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            } else if (i == 3 && s1_IP_Parts[i].equals("*") && !
s2_IP_Parts[i].equals("*")) {
                bpart1Match[i] = true;
            }
        }
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Destination IP Address field for Exception conflict for eighth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag8(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        // Destination conditions 8 to 10 reuse the source IP relations 1 to 3
        return matchOneExceptionSourceIPField_Flag1(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for ninth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag9(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag2(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for tenth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag10(String p_source1Val, String p_source2Val,
            String p_Source1Key, String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag3(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for eleventh condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag11(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag4(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for twelfth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag12(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag5(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for thirteenth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag13(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag6(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Matching Destination IP Address field for Exception conflict for fourteenth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestIPField_Flag14(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneExceptionSourceIPField_Flag7(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourcePort_Flag15(
            String p_source1Val,
            String p_source2Val) throws Exception {
        boolean bRetVal = false;
        // both rules name the same port
        if (p_source1Val.equalsIgnoreCase(p_source2Val)) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourcePort_Flag16(
            String p_source1Val,
            String p_source2Val) throws Exception {
        boolean bRetVal = false;
        // rule 2 port is a wildcard
        if (p_source2Val.equalsIgnoreCase("any") || p_source2Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionSourcePort_Flag17(
            String p_source1Val,
            String p_source2Val) throws Exception {
        boolean bRetVal = false;
        // rule 1 port is a wildcard
        if (p_source1Val.equalsIgnoreCase("any") || p_source1Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestPort_Flag18(
            String p_source1Val,
            String p_source2Val) throws Exception {
        return matchOneExceptionSourcePort_Flag15(p_source1Val, p_source2Val);
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestPort_Flag19(
            String p_source1Val,
            String p_source2Val) throws Exception {
        return matchOneExceptionSourcePort_Flag16(p_source1Val, p_source2Val);
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneExceptionDestPort_Flag20(
            String p_source1Val,
            String p_source2Val) throws Exception {
        return matchOneExceptionSourcePort_Flag17(p_source1Val, p_source2Val);
    }
}

APPENDIX I

IdentifyShadowConflicts.java

package utilofinconsistency;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map.Entry;
import java.util.Properties;

import common.RunProcessBase;

public class IdentifyShadowConflicts extends RunProcessBase {

    private static String _implName = "IdentifyShadowConflicts";

    /**
     * Constructor
     *
     * @param p_args
     */
    public IdentifyShadowConflicts() {
    }

    /**
     * Constructor
     *
     * @param p_args
     */
    public IdentifyShadowConflicts(String p_args[]) {
    }

    /**
     * Matching Source IP Address field for shadow conflict for first condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowSourceIPField_Flag1(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        String[] s2_IP_Parts = p_source2Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        int s2_IP_NumberOfParts = s2_IP_Parts.length;
        // define Flags, one for each part, initialize each as false
        boolean[] bpart1Match = {false, false, false, false};
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            // every octet (wildcards included) must be identical
            if (s1_IP_Parts[i].equals(s2_IP_Parts[i])) {
                bpart1Match[i] = true;
            }
        }
        // Get #1
        boolean bMatchFlag1 = true;
        // Now get them all, start with true and any false will turn the result into false for all
        for (int i = 0; i < s2_IP_NumberOfParts; i++) {
            bMatchFlag1 = bMatchFlag1 && bpart1Match[i];
        }
        // Final Flag
        bRetVal = bMatchFlag1;
        return bRetVal;
    }

    /**
     * Matching Source IP Address field for shadow conflict for second condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowSourceIPField_Flag2(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        boolean bRetVal = true;
        // Get the different pieces of IP Addr
        String[] s1_IP_Parts = p_source1Val.split("\\.");
        int s1_IP_NumberOfParts = s1_IP_Parts.length;
        // Get #2
        boolean bMatchFlag2 = false;
        int s1_IP_NumberOfPartsAsterixCount = 0;
        // Count * in source 1
        for (int i = 0; i < s1_IP_NumberOfParts; i++) {
            if (s1_IP_Parts[i].equals("*")) {
                s1_IP_NumberOfPartsAsterixCount++;
            }
        }
        // source 1 matches only if every octet is a wildcard
        if (s1_IP_NumberOfPartsAsterixCount == s1_IP_NumberOfParts) {
            bMatchFlag2 = true;
        }
        // Final Flag
        bRetVal = bMatchFlag2;
        return bRetVal;
    }

    /**
     * Matching Destination IP Address field for shadow conflict for third condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowDestIPField_Flag3(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneShadowSourceIPField_Flag1(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Resolving Shadow Inconsistency
     *
     * @param p_source1
     * @param p_source2
     * @return
     * @throws Exception
     */
    public static String getResolveShadowInconsistencyMsg(
            String p_source1,
            String p_source2,
            int p_type1) throws Exception {
        return ResolveShadowConflict.getResolveInconsistencyMsg(p_source1, p_source2, p_type1);
    }

    /**
     * Matching Destination IP Address field for shadow conflict for fourth condition
     *
     * @param p_source1Val
     * @param p_source2Val
     * @param p_Source1Key
     * @param p_Source2Key
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowDestIPField_Flag4(
            String p_source1Val,
            String p_source2Val,
            String p_Source1Key,
            String p_Source2Key) throws Exception {
        return matchOneShadowSourceIPField_Flag2(p_source1Val, p_source2Val, p_Source1Key, p_Source2Key);
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowSourcePort_Flag5(
            String p_source1Val,
            String p_source2Val) throws Exception {
        boolean bRetVal = false;
        // both rules name the same port
        if (p_source1Val.equalsIgnoreCase(p_source2Val)) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Source Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowSourcePort_Flag6(
            String p_source1Val,
            String p_source2Val) throws Exception {
        boolean bRetVal = false;
        // rule 1 port is a wildcard
        if (p_source1Val.equalsIgnoreCase("any") || p_source1Val.equalsIgnoreCase("*")) {
            bRetVal = true;
        }
        return bRetVal;
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowDestPort_Flag7(
            String p_source1Val,
            String p_source2Val) throws Exception {
        return matchOneShadowSourcePort_Flag5(p_source1Val, p_source2Val);
    }

    /**
     * Match on Dest Port field based on rules etc.
     *
     * @param p_source1Val
     * @param p_source2Val
     * @return
     * @throws Exception
     */
    public static boolean matchOneShadowDestPort_Flag8(
            String p_source1Val,
            String p_source2Val) throws Exception {
        return matchOneShadowSourcePort_Flag6(p_source1Val, p_source2Val);
    }
}

APPENDIX J

ResolveCorrelationConflict.java

package utilofinconsistency;

public class ResolveCorrelationConflict {

    /**
     * Resolving Correlation Inconsistency
     *
     * @param p_source1
     * @param p_source2
     * @return
     * @throws Exception
     */
    public static String getResolveInconsistencyMsg(
            String p_source1,
            String p_source2,
            int p_type1) throws Exception {
        String strRet = "" + p_type1; //TODO: Remove
        // Each rule arrives as one comma-separated line: priority, protocol, src IP, src port, dest IP, dest port
        String[] stSrc1 = p_source1.split(",");
        String[] stSrc2 = p_source2.split(",");
        // For now assume format of priority is R1, R2 etc.
        String sSource1PriorityId = stSrc1[0]; // source 1 priority id
        String sSource1Protocol = stSrc1[1]; // protocol - ignore
        String sSource1SourceIP = stSrc1[2]; // Source IP - break and compare each part
        String sSource1SourcePort = stSrc1[3]; // Source Port
        String sSource1DestIP = stSrc1[4]; // Dest IP - break and compare each part
        String sSource1DestPort = stSrc1[5]; // dest port
        String sSource2PriorityId = stSrc2[0]; // source 2 priority id
        String sSource2Protocol = stSrc2[1]; // protocol - ignore
        String sSource2SourceIP = stSrc2[2]; // Source IP - break and compare each part
        String sSource2SourcePort = stSrc2[3]; // Source Port
        String sSource2DestIP = stSrc2[4]; // Dest IP - break and compare each part
        String sSource2DestPort = stSrc2[5]; // dest port
        // Each correlation type gets its own resolution message (a. to d. are the alternative actions)
        if (p_type1 == 1) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP " +
                "b.Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP " +
                "c.Change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP " +
                "d.Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP " +
                "";
        } else if (p_type1 == 2) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP " +
                "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP " +
                "c. Change " + sSource2PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP " +
                "d. Introduce new rule with " + sSource2PriorityId + " destination > " + sSource2PriorityId + " Destination IP " +
                "";
        } else if (p_type1 == 3) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) " +
                "c. Change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) " +
                "";
        } else if (p_type1 == 4) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sd) from * to < " + sSource2PriorityId + " Source IP (sd). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Source IP(sd) > " + sSource2PriorityId + " Source IP (sd). " +
                "c. Change " + sSource2PriorityId + " Destination IP(dp) from * to < " + sSource1PriorityId + " Destination IP(dp). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Destination IP(dp) > " + sSource1PriorityId + " destination (dp). " +
                "";
        } else if (p_type1 == 5) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP(dc, dp) from * to < " + sSource2PriorityId + " Destination IP(dc, dp). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP(dc, dp) > " + sSource1PriorityId + " destination (dc, dp). " +
                "c. Change " + sSource2PriorityId + " Source IP(sc,sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP(sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd). " +
                "";
        } else if (p_type1 == 6) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port. " +
                "b. Introduce new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port. " +
                "c. Change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (sc, sd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (sc, sd). " +
                "";
        } else if (p_type1 == 7) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd). " +
                "c. Change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP. " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP. " +
                "";
        } else if (p_type1 == 8) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd). " +
                "c. Change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP. " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP. " +
                "";
        } else if (p_type1 == 9) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd). " +
                "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd). " +
                "c. Change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP. " +
                "d. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP. " +
                "";
        } else if (p_type1 == 10) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "c. Change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP. " +
                "d. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP. " +
                "";
        } else if (p_type1 == 11) {
            strRet = "" +
                "a. To resolve inconsistency Change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP. " +
                "c. Change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd). " +
                "";
        } else if (p_type1 == 12) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd). " +
                "c. Change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd). " +
                "";
        } else if (p_type1 == 13) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP. " +
                "b. Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP. " +
                "c. Change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd). " +
                "d. Introduce new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd). " +
                "";
        } else if (p_type1 == 14) {
            strRet = "" +
                "a. To resolve inconsistency Change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd). " +
                "b. Introduce new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd). " +
                "c. Change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "";
        } else if (p_type1 == 15) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd). " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd). " +
                "c. Change " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP(dd). " +
                "d. Introduce a new rule " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP(dd). " +
                "";
        } else if (p_type1 == 16) {
            strRet = "" +
                "a. To resolve inconsistency Change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP. " +
                "c. Change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd). " +
                "d. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd). " +
                "";
        } else if (p_type1 == 17) {
            strRet = "" +
                "a. To resolve inconsistency Change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP. " +
                "b. Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP. " +
                "c. Change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd). " +
                "d. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd). " +
                "";
        } else if (p_type1 == 18) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd). " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd). " +
                "c. Change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "d. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd). " +
                "";
        }
        return strRet;
    }
}

APPENDIX K

ResolveDenialOfServiceConflict.java

package utilofinconsistency;

public class ResolveDenialOfServiceConflict {

    /**
     * Resolving DenialOfService Inconsistency
     *
     * @param p_source1
     * @param p_source2
     * @return
     * @throws Exception
     */
    public static String getResolveInconsistencyMsg(
            String p_source1,
            String p_source2,
            int p_type1) throws Exception {
        String strRet = "" + p_type1; //TODO: Default
        // Each rule arrives as one comma-separated line: priority, protocol, src IP, src port, dest IP, dest port
        String[] stSrc1 = p_source1.split(",");
        String[] stSrc2 = p_source2.split(",");
        // For now assume format of priority is " + sSource1PriorityId + ", " + sSource2PriorityId + " etc.
        String sSource1PriorityId = stSrc1[0]; // source 1 priority id
        String sSource1Protocol = stSrc1[1]; // protocol - ignore
        String sSource1SourceIP = stSrc1[2]; // Source IP - break and compare each part
        String sSource1SourcePort = stSrc1[3]; // Source Port
        String sSource1DestIP = stSrc1[4]; // Dest IP - break and compare each part
        String sSource1DestPort = stSrc1[5]; // dest port
        String sSource2PriorityId = stSrc2[0]; // source 2 priority id
        String sSource2Protocol = stSrc2[1]; // protocol - ignore
        String sSource2SourceIP = stSrc2[2]; // Source IP - break and compare each part
        String sSource2SourcePort = stSrc2[3]; // Source Port
        String sSource2DestIP = stSrc2[4]; // Dest IP - break and compare each part
        String sSource2DestPort = stSrc2[5]; // dest port
        // Each denial-of-service type gets its own resolution message (a. and b. are the alternative actions)
        if (p_type1 == 1) {
            strRet = "" +
                "a. To resolve inconsistency compare priority level of " + sSource1PriorityId + " and " + sSource2PriorityId + " if priority level of " + sSource1PriorityId + ">" + sSource2PriorityId + " then keep " + sSource1PriorityId + " and delete " + sSource2PriorityId + ". If priority level of " + sSource2PriorityId + ">" + sSource1PriorityId + " then keep " + sSource2PriorityId + " delete " + sSource1PriorityId + ". " +
                "";
        } else if (p_type1 == 2) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port < " + sSource1PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 3) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Source Port < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port < " + sSource1PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 4) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 5) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(dd) from * to < " + sSource1PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(dd) > " + sSource1PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 6) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP(dc, dd) from * to < " + sSource1PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP(dc, dd) > " + sSource1PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 7) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sd) from * to < " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(dc, dd) from * to < " + sSource1PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(dc, dd) > " + sSource1PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 8) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sd) from * to < " + sSource2PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP(db, dc, dd) from * to < " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port < " + sSource1PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP(db, dc, dd) > " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 9) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sc, sd) from * to < " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(db, dc, dd) from * to < " + sSource1PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP(db, dc, dd) > " + sSource1PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 10) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sc, sd) from * to < " + sSource2PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(dd) from * to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(dd) > " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 11) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sb, sc, sd) from * to < " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(dd) from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sb, sc, sd) > " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(dd) > " + sSource2PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 12) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP(sb, sc, sd) from * to < " + sSource2PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(dc, dd) from * to < " + sSource2PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port < " + sSource1PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sb, sc, sd) > " + sSource2PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(dc, dd) > " + sSource2PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 13) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP(sd) from * to < " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(db, dc, dd) from * to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP(db, dc, dd) > " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 14) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP(sd) from * to < " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(dc, dd) from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource2PriorityId + "Source IP (sd) > " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(dc, dd) > " + sSource2PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 15) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP(sc, sd) from * to < " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(db, dc, dd) from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP(db, dc, dd) > " + sSource2PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 16) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP(sc, sd) from * to < " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port. " +
                "";
        } else if (p_type1 == 17) {
            strRet = "" +
                "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP(sb, sc, sd) from * to < " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP. " +
                "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sb, sc, sd) > " + sSource1PriorityId + " Source IP and " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP. " +
                "";
        } else if (p_type1 == 18) {
            strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP(sb, sc, sd) from * to < " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sb, sc, sd) > " + sSource1PriorityId + " Source IP, " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port. " + ""; } return strRet; } } 202 APPENDIX L ResolveExceptionConflict.java package utilofinconsistency; public class ResolveExceptionConflict { /** * Resolving Exception Inconsistency * * @param p_source1 * @param p_source2 * @return * @throws Exception */ public static String getResolveInconsistencyMsg ( String p_source1, String p_source2, int p_type1 ) throws Exception { String strRet = "" + p_type1; //TODO: Remove String[] stSrc1 = p_source1.split(","); String[] stSrc2 = p_source2.split(","); // For now assume format of priority is " + sSource1PriorityId + ", " + sSource2PriorityId + " etc. 
String sSource1PriorityId = stSrc1[0]; // source 1 priority id String sSource1Protocol = stSrc1[1]; // protocol ignore String sSource1SourceIP = stSrc1[2]; // Source IP break and compare each part String sSource1SourcePort = stSrc1[3]; // Source Port String sSource1DestIP = stSrc1[4]; // Source IP break and compare each part String sSource1DestPort = stSrc1[5]; // dest port String sSource2PriorityId = stSrc2[0]; // source 2 priority id 203 String sSource2Protocol = stSrc2[1]; // protocol - ignore String break and compare String String break and compare String sSource2SourceIP each part sSource2SourcePort sSource2DestIP each part sSource2DestPort = stSrc2[2]; // Source IP = stSrc2[3]; // Source Port = stSrc2[4]; // Source IP = stSrc2[5]; // dest port //" + sSource1PriorityId + " and " + sSource2PriorityId + " if (p_type1 == 1) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP."+ ""; } else if (p_type1 == 2) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Destination Port to > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 3) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. 
Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + 204 " Destination IP and " + sSource2PriorityId + " Source Port to > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 4) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Source Port to > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port to > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 5) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP."+ ""; } else if (p_type1 == 6) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port to > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 7) { 205 strRet = "" + "a. 
To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Source Port to > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 8) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Destination Port to > " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port to > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 9) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd)."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd)."+ ""; } else if (p_type1 == 10) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ 206 sSource2PriorityId sSource1PriorityId sSource2PriorityId sSource1PriorityId + + + + " " " " "b. Introduce new rule with " + Destination IP (dd) > " + Destination IP (dd) and " + Destination Port to > " + Destination Port."+ ""; } else if (p_type1 == 11) { strRet = "" + "a. 
To resolve inconsistency change + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Source Port to > " + sSource1PriorityId " Source Port."+ ""; } else if (p_type1 == 12) { strRet = "" + "a. To resolve inconsistency change + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd), " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd), " + sSource2PriorityId + " Destination Port to > " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port to > " + sSource1PriorityId " Source Port."+ ""; } else if (p_type1 == 13) { strRet = "" + "a. To resolve inconsistency change + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd)."+ " + " + " 207 "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd)."+ ""; } else if (p_type1 == 14) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. 
Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 15) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 16) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd), " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd), " + 208 sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 17) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd)."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd)."+ ""; } else if (p_type1 == 18) { strRet = "" + "a. 
To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 19) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 20) { 209 strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd), " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd), " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 21) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd)."+ "b. 
Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd)."+ ""; } else if (p_type1 == 22) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 23) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and " + 210 sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 24) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd), " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd), " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 25) { strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP."+ ""; } else if (p_type1 == 26) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " 211 Source IP and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 27) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 28) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 29) { strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP."+ ""; 212 } else if (p_type1 == 30) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 31) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 32) { strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP, " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination Port > " + 213 sSource1PriorityId + sSource2PriorityId + " Destination IP and sSource1PriorityId + " " " " Destination Port and " + Destination IP > " + sSource1PriorityId + + sSource2PriorityId + " Source Port > " + Source Port."+ ""; } else if (p_type1 == 33) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd)."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd)."+ ""; } else if (p_type1 == 34) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. 
Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 35) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " 214 Source IP, " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 36) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd), " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd), " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 37) { strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd)."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP and " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd)."+ ""; } else if (p_type1 == 38) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination 215 IP (dc, dd) and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 39) { strRet = "" + "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port."+ ""; } else if (p_type1 == 40) { strRet = "" + "a. 
To resolve inconsistency change " + sSource2PriorityId + " Source IP from * to < " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd), " + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource2PriorityId + " Source IP > " + sSource1PriorityId + " Source IP, " + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd), " + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and " + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port."+ ""; } else if (p_type1 == 41) 216 { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP."+ "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP."+ ""; } else if (p_type1 == 42) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 43) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. 
Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
// Types 44-56: the wildcard (*) fields belong to the rule sSource1PriorityId.
// Option a replaces each * with a value below the other rule's field value;
// option b introduces a new rule carrying the values above it.
else if (p_type1 == 44) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 45) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP.";
}
else if (p_type1 == 46) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 47) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 48) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 49) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd)."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd).";
}
else if (p_type1 == 50) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 51) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 52) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd), "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd), "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 53) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd)."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd).";
}
else if (p_type1 == 54) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 55) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 56) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd), "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd), "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
// Types 57-72: the wildcard (*) fields belong to the rule sSource2PriorityId; Source IP is annotated (sd).
else if (p_type1 == 57) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd).";
}
else if (p_type1 == 58) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 59) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 60) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 61) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP.";
}
else if (p_type1 == 62) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 63) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 64) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP, "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP, "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 65) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd).";
}
else if (p_type1 == 66) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 67) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 68) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 69) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd) and "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd).";
}
else if (p_type1 == 70) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 71) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 72) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sd) from * to < " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sd) > " + sSource1PriorityId + " Source IP (sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
// Types 73-87: the wildcard (*) fields belong to the rule sSource1PriorityId; Source IP is annotated (sd).
else if (p_type1 == 73) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd)."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd).";
}
else if (p_type1 == 74) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 75) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 76) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP.";
}
else if (p_type1 == 77) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 78) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 79) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 80) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd)."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd).";
}
else if (p_type1 == 81) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 82) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 83) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd), "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd), "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 84) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd)."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd) and "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd).";
}
else if (p_type1 == 85) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 86) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port.";
}
else if (p_type1 == 87) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sd) from * to < " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd), "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sd) > " + sSource2PriorityId + " Source IP (sd), "
        + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd), "
        + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
// Types 88-103: the wildcard (*) fields belong to the rule sSource2PriorityId; Source IP is annotated (sc, sd).
else if (p_type1 == 88) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd).";
}
else if (p_type1 == 89) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 90) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 91) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 92) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP.";
}
else if (p_type1 == 93) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 94) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 95) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP from * to < " + sSource1PriorityId + " Destination IP, "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP > " + sSource1PriorityId + " Destination IP, "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 96) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd).";
}
else if (p_type1 == 97) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 98) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 99) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) from * to < " + sSource1PriorityId + " Destination IP (dd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dd) > " + sSource1PriorityId + " Destination IP (dd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 100) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd)."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd) and "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd).";
}
else if (p_type1 == 101) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
else if (p_type1 == 102) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd) and "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port.";
}
else if (p_type1 == 103) {
    strRet = "a. To resolve inconsistency change " + sSource2PriorityId + " Source IP (sc, sd) from * to < " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) from * to < " + sSource1PriorityId + " Destination IP (dc, dd), "
        + sSource2PriorityId + " Source Port from * to < " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port from * to < " + sSource1PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource2PriorityId + " Source IP (sc, sd) > " + sSource1PriorityId + " Source IP (sc, sd), "
        + sSource2PriorityId + " Destination IP (dc, dd) > " + sSource1PriorityId + " Destination IP (dc, dd), "
        + sSource2PriorityId + " Source Port > " + sSource1PriorityId + " Source Port and "
        + sSource2PriorityId + " Destination Port > " + sSource1PriorityId + " Destination Port.";
}
// Types 104 onward: the wildcard (*) fields belong to the rule sSource1PriorityId; Source IP is annotated (sc, sd).
else if (p_type1 == 104) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd)."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd).";
}
else if (p_type1 == 105) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd) and "
        + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."
        + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and "
        + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port.";
}
else if (p_type1 == 106) {
    strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP (sc, sd) and "
        + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."
        + "b. 
Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 107) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 108) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd) and " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP."+ ""; } else if (p_type1 == 109) 239 { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. 
Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 110) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 111) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, " 240 + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 112) { strRet = "" + "a. 
To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd) and " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd)."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd)."+ ""; } else if (p_type1 == 113) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 114) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + 241 sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 115) { strRet = "" + "a. 
To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dd) from * to < " + sSource2PriorityId + " Destination IP (dd), " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dd) > " + sSource2PriorityId + " Destination IP (dd), " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 116) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd) and " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd)."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd) and " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd)."+ ""; } else if (p_type1 == 117) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + 242 " Destination IP (dc, dd) and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. 
Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 118) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port."+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + Source2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd) and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port."+ ""; } else if (p_type1 == 119) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP (sc, sd) from * to < " + sSource2PriorityId + " Source IP(sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) from * to < " + sSource2PriorityId + " Destination IP (dc, dd), " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port."+ "b. 
Introduce a new rule with " + sSource1PriorityId + " Source IP (sc, sd) > " + sSource2PriorityId + " Source IP (sc, sd), " + sSource1PriorityId + " Destination IP (dc, dd) > " + sSource2PriorityId + " Destination IP (dc, dd), " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } return strRet; } } 243 APPENDIX M ResolveShadowConflict.java package utilofinconsistency; public class ResolveShadowConflict { /** * Resolving Shadow Inconsistency * * @param p_source1 * @param p_source2 * @return * @throws Exception */ public static String getResolveInconsistencyMsg ( String p_source1, String p_source2, int p_type1 ) throws Exception { String strRet = "" + p_type1; //TODO: Remove String[] stSrc1 = p_source1.split(","); String[] stSrc2 = p_source2.split(","); // For now assume format of String sSource1PriorityId = priority id String sSource1Protocol = ignore String sSource1SourceIP = break and compare each part String sSource1SourcePort = String sSource1DestIP = break and compare each part String sSource1DestPort = String sSource2PriorityId = priority id String sSource2Protocol = ignore String sSource2SourceIP = break and compare each part String sSource2SourcePort = priority is R1, R2 etc. stSrc1[0]; // source 1 stSrc1[1]; // protocol stSrc1[2]; // Source IP stSrc1[3]; // Source Port stSrc1[4]; // Source IP stSrc1[5]; // dest port stSrc2[0]; // source 2 stSrc2[1]; // protocol stSrc2[2]; // Source IP stSrc2[3]; // Source Port 244 String sSource2DestIP break and compare each part String sSource2DestPort = stSrc2[4]; // Source IP = stSrc2[5]; // dest port if (p_type1 == 1) { strRet = "To resolve inconsistency compare priority level of " + sSource1PriorityId + " and " + sSource2PriorityId + "." 
+ " If priority level of " + sSource1PriorityId + " > " + sSource2PriorityId + " then keep " + sSource1PriorityId + "" + " and delete " + sSource2PriorityId + ". If priority level of " + sSource2PriorityId + " > " + sSource1PriorityId + "" + " then keep " + sSource2PriorityId + " and delete " + sSource1PriorityId + "." + ""; } else if (p_type1 == 2) { strRet = "a. To resolve inconsistency change " + sSource1PriorityId + " Destination Port from * to > or < " + sSource2PriorityId + "" + ". Destination Port. "+ "b. introduce new rule with " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port." + ""; } else if (p_type1 == 3) { strRet = "a. To resolve inconsistency if " + sSource1PriorityId + "(action = allow) and " + sSource2PriorityId + "(action = deny) "+ " change " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port. " + "b. If " + sSource2PriorityId + "(action = allow) and " + sSource1PriorityId + "(action = deny) change " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port. " + "c. Introduce new rule with " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port." + ""; } else if (p_type1 == 4) 245 { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source Port to < " + sSource2PriorityId + " Source Port "+ " and " + sSource1PriorityId + " Destination Port to < " + sSource2PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port " + " and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port" + "." + ""; } else if (p_type1 == 5) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP " + "b. Introduce a new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP." 
+ ""; } else if (p_type1 == 6) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP " + " and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + "" + " Destination Port > " + sSource2PriorityId + " Destination Port." + ""; } else if (p_type1 == 7) { strRet = "" + 246 "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP " + " and " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP " + " and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port." + ""; } else if (p_type1 == 8) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Destination IP from * " + " to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " Source Port < " + sSource2PriorityId + " Source Port " + " and " + sSource1PriorityId + " Destination Port < " + sSource2PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP "+ "and " + sSource1PriorityId + " Source Port > " + sSource2PriorityId + " Source Port "+ "and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port." + ""; } else if (p_type1 == 9) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP. " + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP." + ""; } else if (p_type1 == 10) { strRet = "" + 247 "a. 
To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " source" + " IP and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port "+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP " + "and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port."+ ""; } else if (p_type1 == 11) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP" + " and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port. "+ "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP and " + sSource1PriorityId + " " + "Source Port > " + sSource2PriorityId + " Source Port." + ""; } else if (p_type1 == 12) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP, "+ " " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port "+ " from * to < " + sSource2PriorityId + " Destination Port." + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP, " + sSource1PriorityId + " "+ " Source Port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port." + ""; } 248 else if (p_type1 == 13) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " Source IP "+ "and " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP." + "b. 
Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP "+ "and " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP." + ""; } else if (p_type1 == 14) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " source "+ "IP, " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP "+ "and " + sSource1PriorityId + " Destination Port from * to < " + sSource2PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP,"+ " " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " destination "+ " port > " + sSource2PriorityId + " Destination Port." + ""; } else if (p_type1 == 15) { strRet = "" + "a. To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " source "+ "IP, " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP "+ 249 "and " + sSource1PriorityId + " Source Port from * to < " + sSource2PriorityId + " Source Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP"+ ", " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP and " + sSource1PriorityId + " source "+ "port > " + sSource2PriorityId + " Source Port." + ""; } else if (p_type1 == 16) { strRet = "" + "a. 
To resolve inconsistency change " + sSource1PriorityId + " Source IP from * to < " + sSource2PriorityId + " source "+ "IP, " + sSource1PriorityId + " Destination IP from * to < " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " source "+ "port from * to < " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port from * to "+ "< " + sSource2PriorityId + " Destination Port. " + "b. Introduce a new rule with " + sSource1PriorityId + " Source IP > " + sSource2PriorityId + " Source IP"+ ", " + sSource1PriorityId + " Destination IP > " + sSource2PriorityId + " Destination IP, " + sSource1PriorityId + " source "+ "port > " + sSource2PriorityId + " Source Port and " + sSource1PriorityId + " Destination Port > " + sSource2PriorityId + " Destination Port." + ""; } return strRet; } } 250 REFERENCES 1. Du Zhang, The Utility of Inconsistency in Information Security and Digital Forensics Available online: www.springerlink.com/index/K35502244377N375.pdf 2. Ehab S. Al-Shaer and Hazem H. Hamed, Firewall Policy Advisor For Anomaly Discovery And Rule Editing Available online: http://pdf.aminer.org/000/395/467/firewall_policy_advisor_for_anomaly_discover y_and_rule_editing.pdf 3. Ehab Al-Shaer, Hazem Hamed, Raouf Boutaba, and Masum Hasan, Conflict Classification and Analysis of Distributed Firewall Policies. Available online: http://nsm1.cs.uwaterloo.ca/rboutaba/Papers/Journals/Archive/JSAC-05_3.pdf 4. Ricardo M. Oliveira, Sihyung Lee and Hyong S. Kim, Automatic detection of firewall misconfigurations using firewall and network routing policies Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.206.2143&rep=rep1&t ype=pdf 251 5. 
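As an added example that is not part of the thesis code, the following stand-alone Java class derives the p_type1 code that ResolveShadowConflict.getResolveInconsistencyMsg expects for a shadow inconsistency between two rules in the appendix's comma-separated format. The octet-wise wildcard comparison of IP fields, the bit-mask numbering of the types (mask + 1) and passing the rule actions as separate arguments are assumptions inferred from the messages and comments in the appendix, not something the thesis states.

```java
/**
 * Added example, not from the thesis. Rule format follows the appendix:
 * "priorityId,protocol,srcIp,srcPort,dstIp,dstPort", with '*' as wildcard.
 *
 * Assumptions inferred from the resolution messages (not stated by the thesis):
 *  - rule2 is shadowed by the earlier rule1 when every field of rule1 is '*' or
 *    equal to rule2's field (IPs compared octet by octet) and the actions differ;
 *  - the type code is a bit mask over the fields rule1 covers only through '*',
 *    plus one: dstPort=1, srcPort=2, dstIp=4, srcIp=8. Identical fields give
 *    type 1 ("compare priority level"), all four wildcards give type 16;
 *  - the action is not part of the rule string, so it is passed separately.
 */
public class ShadowTypeCheck
{
    static final int DEST_PORT = 1, SRC_PORT = 2, DEST_IP = 4, SRC_IP = 8;

    /** Scalar field (protocol, port): covered if the earlier rule has '*' or the same value. */
    static boolean coversField(String earlier, String later)
    {
        return earlier.equals("*") || earlier.equals(later);
    }

    /** IP field: split on '.', every octet of the earlier rule must be '*' or equal. */
    static boolean coversIp(String earlier, String later)
    {
        if (earlier.equals("*")) return true;
        String[] e = earlier.split("\\.");
        String[] l = later.split("\\.");
        if (e.length != l.length) return false;
        for (int i = 0; i < e.length; i++)
        {
            if (!coversField(e[i], l[i])) return false;
        }
        return true;
    }

    /**
     * Returns 1..16 when rule2 is shadowed by the earlier rule1, 0 otherwise.
     * Full coverage with the same action is redundancy, not shadowing, so it yields 0.
     */
    static int shadowType(String rule1, String action1, String rule2, String action2)
    {
        String[] r1 = rule1.split(",");
        String[] r2 = rule2.split(",");
        if (r1.length < 6 || r2.length < 6)
        {
            throw new IllegalArgumentException("expected priorityId,protocol,srcIp,srcPort,dstIp,dstPort");
        }
        for (int i = 0; i < 6; i++) { r1[i] = r1[i].trim(); r2[i] = r2[i].trim(); }

        if (action1.equalsIgnoreCase(action2)) return 0;   // same fate: not a shadow
        if (!coversField(r1[1], r2[1])) return 0;          // protocol
        if (!coversIp(r1[2], r2[2])) return 0;             // source IP
        if (!coversField(r1[3], r2[3])) return 0;          // source port
        if (!coversIp(r1[4], r2[4])) return 0;             // dest IP
        if (!coversField(r1[5], r2[5])) return 0;          // dest port

        // rule1 covers rule2: flag the fields it covers only because of a wildcard,
        // which are exactly the fields the message tells the user to narrow.
        int mask = 0;
        if (!r1[2].equals(r2[2])) mask |= SRC_IP;
        if (!r1[3].equals(r2[3])) mask |= SRC_PORT;
        if (!r1[4].equals(r2[4])) mask |= DEST_IP;
        if (!r1[5].equals(r2[5])) mask |= DEST_PORT;
        return mask + 1;
    }

    public static void main(String[] args)
    {
        // Constructed sample rules: R1 denies a whole 10.0.0.0/16 on any port,
        // the later R2 allows one host to reach 192.168.1.10:80.
        String r1 = "R1,tcp,10.0.*.*,*,192.168.1.10,*";
        String r2 = "R2,tcp,10.0.1.5,1024,192.168.1.10,80";
        // srcIp (8) + srcPort (2) + dstPort (1) gives mask 11, i.e. type 12, whose
        // message tells the user to narrow R1's Source IP, Source Port and Destination Port.
        System.out.println("R2 shadowed by R1, type = " + shadowType(r1, "deny", r2, "allow"));
        // Same fields, different action: type 1 (compare priority levels).
        System.out.println("identical fields, type = " + shadowType(r2, "deny", r2, "allow"));
        // A concrete source port 22 in R3 does not cover R2's 1024: no shadowing.
        String r3 = "R3,tcp,10.0.*.*,22,192.168.1.10,*";
        System.out.println("no coverage, type = " + shadowType(r3, "deny", r2, "allow"));
    }
}
```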