Systematic Literature Review on Usability of Firewall Configuration

Firewalls are network security components that filter incoming and outgoing network traffic according to a set of rules. Configuring a firewall correctly is complicated and error-prone, and the difficulty grows with the complexity of the network. A poorly configured firewall exposes whatever it is meant to protect: for a network firewall, the security of an entire organization; for a personal firewall, the security of an individual computer. A major cause of poorly configured firewalls, as pointed out in the literature, is usability problems. Our aim is to identify existing solutions that help professional and non-professional users create and manage firewall configuration files, and to analyze those proposals with respect to usability. This article presents a systematic literature review focused on the usability of firewall configuration, whose main goal is to establish what has already been done in this field. In the primary selection procedure, 1,202 articles were retrieved and screened. The secondary selection narrowed these to 35 articles chosen for closer investigation, of which 14 were selected and summarized. As our main contributions, we propose a taxonomy of existing solutions together with a synthesis and in-depth discussion of the state of the art in firewall usability. Among the main findings, we observed that usability evaluations or user studies validating the proposed models are scarce or entirely absent. Although all of the articles address usability, none of them clearly defines the term, and only a few actually apply usability design principles or guidelines.
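The error-proneness the abstract attributes to firewall configuration is concrete: under first-match semantics, an earlier rule can silently cover a later one, so a rule an administrator believes is in force never fires. The following Python script is an added example and is not code from the reviewed article or from any of the surveyed tools. It checks a constructed ruleset (hypothetical rule names R1 to R4, addresses and ports chosen for illustration) for the two classic anomalies, shadowing and redundancy, that firewall-analysis tools report.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Tuple[int, int]   # inclusive destination port range


def _proto_subset(inner: str, outer: str) -> bool:
    return outer == "any" or inner == outer


def _ports_subset(inner: Tuple[int, int], outer: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _net_subset(inner: str, outer: str) -> bool:
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def matches_subset(inner: Rule, outer: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_proto_subset(inner.proto, outer.proto)
            and _net_subset(inner.src, outer.src)
            and _net_subset(inner.dst, outer.dst)
            and _ports_subset(inner.dport, outer.dport))


def find_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Walk an ordered, first-match ruleset and report later rules that an
    earlier rule fully covers.

    shadowed  - the earlier rule has a different action, so the later rule
                never fires and the administrator's intent is silently lost.
    redundant - same action, so the later rule is dead weight that clutters
                the policy and misleads whoever reads it next.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if matches_subset(later, earlier):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.name, kind, earlier.name))
                break  # report only the first covering rule
    return findings


# Constructed sample ruleset (hypothetical names and addresses).
# R1 blocks SSH to the whole internal range; R2 was meant to carve out an
# admin exception but sits below R1, so it can never match. R4 repeats R3.
SAMPLE_RULES = [
    Rule("R1", "deny",  "tcp", "0.0.0.0/0",      "10.0.0.0/8",   (22, 22)),
    Rule("R2", "allow", "tcp", "192.168.1.0/24", "10.0.0.5/32",  (22, 22)),
    Rule("R3", "allow", "tcp", "0.0.0.0/0",      "10.0.0.10/32", (443, 443)),
    Rule("R4", "allow", "tcp", "0.0.0.0/0",      "10.0.0.10/32", (443, 443)),
]


if __name__ == "__main__":
    for name, kind, by in find_anomalies(SAMPLE_RULES):
        print(f"{name} is {kind} by {by}")
```

The check is deliberately conservative: it only flags a later rule when one earlier rule covers it entirely. Partial overlaps with conflicting actions (a "correlation" anomaly) also matter in practice and need a field-by-field intersection rather than a subset test, which is where the more complete analysis tools in the firewall literature go beyond this script. Swapping R1 and R2 in the sample makes the ruleset clean, which is exactly the kind of ordering mistake a usable configuration interface should surface to the user.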
