Abstract
Firewalls are network security components that handle incoming and outgoing network traffic based on a set of rules. Correctly configuring a firewall is a complicated and error-prone process, and it becomes harder as network complexity grows. A poorly configured firewall may result in major security threats: in the case of a network firewall, an organization’s security could be endangered, and in the case of a personal firewall, an individual computer’s security is threatened. A major reason for poorly configured firewalls, as pointed out in the literature, lies in usability issues. Our aim is to identify existing solutions that help professional and non-professional users to create and manage firewall configuration files, and to analyze the proposals with respect to usability. This article presents a systematic literature review focused on the usability of firewall configuration. Its main goal is to explore what has already been done in this field. In the primary selection procedure, 1,202 articles were retrieved and then screened. The secondary selection led us to 35 articles carefully chosen for further investigation, of which 14 were selected and summarized. As main contributions, we propose a taxonomy of existing solutions as well as a synthesis and in-depth discussion of the state of the art in firewall usability. Among the main findings, we observed that there is a lack (or even an absence) of usability evaluation or user studies to validate the proposed models. Although all articles are related to the topic of usability, none of them clearly defines it, and only a few actually employ usability design principles and/or guidelines.
Index Terms
- Systematic Literature Review on Usability of Firewall Configuration