International Journal of Innovative Research in Computer and Communication Engineering (An ISO 3297: 2007 Certified Organization), Vol. 2, Issue 12, December 2014. ISSN (Online): 2320-9801, ISSN (Print): 2320-9798. DOI: 10.15680/ijircce.2014.0212050. Copyright to IJIRCCE, www.ijircce.com

Model for Strengthening Accuracy through Detection of Anomalous Firewall Policy Rules

Tawfiq SM. Barhoom (1), Emad KH. Elrayyes (2)
(1) Associate Professor, Dept. of I.T., Faculty of Information Technology, Islamic University of Gaza, Gaza Strip, Palestine
(2) M.Sc. Student, Dept. of I.T., Faculty of Information Technology, Islamic University of Gaza, Gaza Strip, Palestine

ABSTRACT: The firewall is a core technology with an important role in network security. However, managing firewall policy is an extremely complex task, because interacting rules in centralized or distributed firewalls significantly increase the possibility of policy mismanagement and network vulnerabilities. Accuracy is therefore crucial in managing policy rules, and it depends on detecting anomalous firewall policy rules; a lack of accuracy in policy rule management leads to high risk for network security. We therefore propose a model for strengthening accuracy in the management and detection of anomalous firewall policy rules for small network security.

KEYWORDS: accuracy, anomalous, firewall, policy rules, mismanagement.

I. INTRODUCTION

A firewall is a network element that controls the traversal of packets across the boundaries of a secured network based on a specific security policy. A firewall policy is an ordered list of filtering rules that define the actions performed on matching packets. A rule is composed of filtering fields (also called network fields) such as protocol type, source IP address, destination IP address, source port and destination port, and a filter action field. Each network field can be a single value or a range of values.
In the world of network security, firewall policy rules are the first line of defense against external attacks and threats, yet managing them has proven to be complicated and error-prone for networked organizations. Managing firewall policy rules manually becomes very difficult and time-consuming, if not impossible. One of the salient problems is knowing how useful and up to date the rules still are; they are therefore in constant need of updating, tuning and validation to optimize firewall security [1].

It is possible to use any field of the IP, UDP or TCP headers in the filtering part of a rule; however, practical experience shows that the most commonly used matching fields are protocol type, source IP address, source port, destination IP address and destination port. Other fields are occasionally used for specific filtering purposes [2][3].

Errors in the rule set are called anomalies, and they have to be detected and removed from the rule set for any firewall to work efficiently. Five types of anomalies have been identified and studied: shadowing anomalies, correlation anomalies, generalization anomalies, redundancy anomalies and irrelevance anomalies [4].

Filtering actions are either accept, which allows the packet to pass into or out of the secure network, or deny, which causes the packet to be discarded. A packet is accepted or denied by a specific rule if its header information matches all the network fields of that rule; otherwise the next rule in order is tested against the packet. This process is repeated until a matching rule is found or the default policy action is applied [5][6].

The size of the rule set varies with the type of organization. Generally the rule set is very large, because different network administrators modify the policy rules according to their own requirements, and these changes can introduce anomalies.
Because of the large size of the rule set, it is difficult to detect anomalies by manually checking the rules one by one [10].
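The first-match semantics and the anomaly classes described above can be checked mechanically. The following is an added example, not code from the paper or from any tool the authors used. It assumes rules built from the five common matching fields named above (protocol, source address, source port, destination address, destination port) plus an action, compares each rule pairwise with every rule that precedes it using the exact / subset / superset / correlated / disjoint relations of the classification cited as [4], and reports shadowing, redundancy, generalization and correlation anomalies. Irrelevance anomalies depend on the network topology and are not covered. The rule set and packets are constructed for illustration.

```python
"""Added example (not from the paper): rule relations, first-match evaluation and
pairwise anomaly detection for shadowing, redundancy, generalization and
correlation anomalies. Rule set and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp", "udp", "icmp" or "*" for any protocol
    src: str       # CIDR; "0.0.0.0/0" for any source
    sport: tuple   # inclusive (low, high) port range; (0, 65535) for any
    dst: str
    dport: tuple
    action: str    # "accept" or "deny"

def _classify(a_in_b, b_in_a, intersect):   # containment tests on one field -> field relation
    if a_in_b and b_in_a:
        return "equal"
    if a_in_b:
        return "subset"       # a is narrower than b
    if b_in_a:
        return "superset"
    return "overlap" if intersect else "disjoint"

def _rel_proto(a, b):
    return _classify(a == b or b == "*", a == b or a == "*", a == b or "*" in (a, b))

def _rel_net(a, b):
    na, nb = ip_network(a), ip_network(b)   # CIDR blocks never partially overlap
    return _classify(na.subnet_of(nb), nb.subnet_of(na), na.overlaps(nb))

def _rel_range(a, b):
    return _classify(b[0] <= a[0] and a[1] <= b[1], a[0] <= b[0] and b[1] <= a[1],
                     a[0] <= b[1] and b[0] <= a[1])

def relation(rx, ry):
    """Relation of rx to ry: exact, subset (rx narrower), superset, correlated or disjoint."""
    rels = [_rel_proto(rx.proto, ry.proto), _rel_net(rx.src, ry.src),
            _rel_range(rx.sport, ry.sport), _rel_net(rx.dst, ry.dst),
            _rel_range(rx.dport, ry.dport)]
    if "disjoint" in rels:
        return "disjoint"
    if all(r == "equal" for r in rels):
        return "exact"
    if all(r in ("equal", "subset") for r in rels):
        return "subset"
    if all(r in ("equal", "superset") for r in rels):
        return "superset"
    return "correlated"       # the rules intersect but neither contains the other

def detect_anomalies(rules):
    """Compare each rule with every rule preceding it; returns (kind, i, j) with i < j.
    Irrelevance anomalies need the network topology and are not checked here."""
    out = []
    for j, ry in enumerate(rules):
        for i, rx in enumerate(rules[:j]):
            rel = relation(ry, rx)              # how the later rule relates to the earlier one
            if rel == "disjoint":
                continue
            if rel in ("exact", "subset"):      # ry only sees packets rx has already decided
                out.append(("shadowing" if ry.action != rx.action else "redundancy", i, j))
            elif rel == "superset":
                if ry.action != rx.action:
                    out.append(("generalization", i, j))   # rx is an exception to the wider ry
                elif not any(relation(rx, rules[k]) != "disjoint" and rules[k].action != rx.action
                             for k in range(i + 1, j)):    # nothing in between would catch rx's packets
                    out.append(("redundancy", i, j))        # rx can be removed: ry decides the same way
            elif ry.action != rx.action:        # correlated with conflicting actions
                out.append(("correlation", i, j))
    return out

def evaluate(rules, packet, default="deny"):
    """First-match evaluation; packet = (proto, src_ip, sport, dst_ip, dport)."""
    proto, src, sport, dst, dport = packet
    for idx, r in enumerate(rules):
        if (r.proto in ("*", proto) and ip_address(src) in ip_network(r.src)
                and r.sport[0] <= sport <= r.sport[1]
                and ip_address(dst) in ip_network(r.dst)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action, idx
    return default, None                        # default policy action

ANY = (0, 65535)
RULES = [  # constructed rule set exhibiting each detectable anomaly class
    Rule("tcp", "10.0.1.0/24",   ANY, "192.168.1.0/24", (80, 80),   "deny"),    # R0
    Rule("tcp", "10.0.1.5/32",   ANY, "192.168.1.0/24", (80, 80),   "accept"),  # R1 shadowed by R0
    Rule("tcp", "10.0.1.128/25", ANY, "192.168.1.0/24", (80, 80),   "deny"),    # R2 redundant to R0
    Rule("tcp", "10.0.2.0/24",   ANY, "192.168.1.0/24", (443, 443), "accept"),  # R3
    Rule("tcp", "10.0.0.0/16",   ANY, "192.168.1.0/24", (443, 443), "deny"),    # R4 generalizes R3
    Rule("tcp", "10.0.3.0/24",   ANY, "192.168.0.0/16", (22, 22),   "accept"),  # R5
    Rule("tcp", "10.0.0.0/16",   ANY, "192.168.2.0/24", (22, 22),   "deny"),    # R6 correlated with R5
    Rule("tcp", "10.0.4.0/24",   ANY, "192.168.5.0/24", (25, 25),   "accept"),  # R7 redundant to R8
    Rule("tcp", "10.0.4.0/23",   ANY, "192.168.5.0/24", (25, 25),   "accept"),  # R8
]

if __name__ == "__main__":
    print(detect_anomalies(RULES))
    print(evaluate(RULES, ("tcp", "10.0.1.5", 40000, "192.168.1.20", 80)))  # ('deny', 0): R1 never reached
```

The pairwise check is quadratic in the number of rules, which is acceptable for the small networks the paper targets; a shadowed or redundant later rule is flagged regardless of what lies between the two rules, since the earlier rule always wins first-match, whereas an earlier rule is reported as redundant only when no intervening rule with a conflicting action could intercept its packets once it is removed.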