survey

Systematic Literature Review on Usability of Firewall Configuration

Authors:
Artem Voronkov

Karlstad University

Karlstad University

0000-0001-9203-0773
View Profile

,
Leonardo Horn Iwaya

Karlstad University

Karlstad University
View Profile

,
Leonardo A. Martucci

Karlstad University

Karlstad University
View Profile

,
Stefan Lindskog

Karlstad University

Karlstad University
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 50 Issue 6Article No.: 87pp 1–35https://doi.org/10.1145/3130876

Published:06 December 2017Publication History

ACM Computing Surveys

Abstract

Firewalls are network security components that handle incoming and outgoing network traffic based on a set of rules. The process of correctly configuring a firewall is complicated and prone to error, and it worsens as the network complexity grows. A poorly configured firewall may result in major security threats; in the case of a network firewall, an organization’s security could be endangered, and in the case of a personal firewall, an individual computer’s security is threatened. A major reason for poorly configured firewalls, as pointed out in the literature, is usability issues. Our aim is to identify existing solutions that help professional and non-professional users to create and manage firewall configuration files, and to analyze the proposals in respect of usability. A systematic literature review with a focus on the usability of firewall configuration is presented in the article. Its main goal is to explore what has already been done in this field. In the primary selection procedure, 1,202 articles were retrieved and then screened. The secondary selection led us to 35 articles carefully chosen for further investigation, of which 14 articles were selected and summarized. As main contributions, we propose a taxonomy of existing solutions as well as a synthesis and in-depth discussion about the state of the art in firewall usability. Among the main findings, we perceived that there is a lack (or even an absence) of usability evaluation or user studies to validate the proposed models. Although all articles are related to the topic of usability, none of them clearly defines it, and only a few actually employ usability design principles and/or guidelines.

References

Ehab S. Al-Shaer, Hazem Hamed, Raouf Boutaba, and Masum Hasan. 2005. Conflict classification and analysis of distributed firewall policies. IEEE J. Select. Areas Commun. 23, 10 (2005), 2069--2084. Google ScholarDigital Library
Ehab S. Al-Shaer and Hazem H. Hamed. 2003. Firewall policy advisor for anomaly discovery and rule editing. In Proceedings of the IFIP/IEEE 8th International Symposium on Integrated Network Management. IEEE, 17--30.Google Scholar
Ehab S. Al-Shaer and Hazem H. Hamed. 2004. Discovery of policy anomalies in distributed firewalls. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM’04), Vol. 4. IEEE, 2605--2616.Google Scholar
Bander Alfayyadh, James Ponting, Mohammed Alzomai, and Audun Jøsang. 2010. Vulnerabilities in personal firewalls caused by poor security usability. In Proceedings of the 2010 IEEE International Conference on Information Theory and Information Security (ICITIS’10). IEEE, 682--688.Google ScholarCross Ref
Florin Baboescu and George Varghese. 2003. Fast and scalable conflict detection for packet classifiers. Comput. Netw. 42, 6 (2003), 717--735. Google ScholarDigital Library
Matthias Beckerle and Leonardo A. Martucci. 2013. Formal definitions for usable access control rule sets from goals to metrics. In Proceedings of the 9th Symposium on Usable Privacy and Security. ACM, 2. Google ScholarDigital Library
Nigel Bevan, James Carter, and Susan Harker. 2015. ISO 9241-11 Revised: What Have We Learnt About Usability Since 1998? Springer International Publishing, Cham, 143--151.Google Scholar
Sandeep N. Bhatt, Cat Okita, and Prasad Rao. 2008. Fast, cheap, and in control: Towards pain-free security&excl; In Proceedings of the Conference on Large Installation System Administration (LISA’08). USENIX Association, 75--90. Google ScholarDigital Library
Michael Bingham, Adam Skillen, and Anil Somayaji. 2014. Even hackers deserve usability: An expert evaluation of penetration testing tools. In Proceedings of the 9th Annual Symposium on Information Assurance (ASIA’14). 23--31. Retrieved from http://www.albany.edu/iasymposium/proceedings/2014/ASIA14Proceedings.pdf.Google Scholar
Carolyn Brodie, Clare-Marie Karat, and John Karat. 2006. An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS’06) (ACM International Conference Proceeding Series), Vol. 149. ACM, 8--19. Google ScholarDigital Library
Chi-Shih Chao. 2012. A feasible visualized system for anomaly diagnosis of internet firewall rules. J. Commun. Comput. 9 (2012), 679--691.Google Scholar
Chi-Shih Chao and Stephen Jen-Hwa Yang. 2011. A novel three-tiered visualization approach for firewall rule validation. J. Vis. Lang. Comput. 22, 6 (2011), 401--414. Google ScholarDigital Library
Bill Cheswick. 1990. The design of a secure internet gateway. In Proceedings of the USENIX Summer Conference. Citeseer.Google Scholar
William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. 2003. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Longman Publishing Co., Inc. Google ScholarDigital Library
Sonia Chiasson, Robert Biddle, and Anil Somayaji. 2007. Even Experts Deserve Usable Security: Design guidelines for security management systems. Retrieved from http://cups.cs.cmu.edu/soups/2007/workshop/Design_Gu idelines.pdf.Google Scholar
Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, and Zhiyuan Tan. 2016. Hybrid tree-rule firewall for high speed data transmission. IEEE Trans. Cloud Comput. (2016).Google Scholar
Anita D. D’Amico, John R. Goodall, Daniel R. Tesone, and Jason K. Kopylec. 2007. Visual discovery in computer network defense. IEEE Comput. Graph. Appl. 27, 5 (2007), 20--27. Google ScholarDigital Library
Rogerio De Paula, Xianghua Ding, Paul Dourish, Kari Nies, Ben Pillet, David F. Redmiles, Jie Ren, Jennifer A. Rode, and Roberto Silva Filho. 2005. In the eye of the beholder: A visualization-based approach to information system security. Int. J. Hum.-Comput. Studies 63, 1 (2005), 5--24. Google ScholarDigital Library
Joaquín García-Alfaro, Nora Boulahia-Cuppens, and Frédéric Cuppens. 2008. Complete analysis of configuration rules to guarantee reliable network security policies. Int. J. Inf. Sec. 7, 2 (2008), 103--122. Google ScholarDigital Library
Weiwei Geng, Scott Flinn, and John M. DeDourek. 2005. Usable firewall configuration. In Proceedings of the 3rd Annual Conference on Privacy, Security and Trust. Retrieved from http://www.lib.unb.ca/Texts/PST/2005/pdf/geng.pdf.Google Scholar
Mohammad Ghoniem, Georgiy Shurkhovetskyy, Ahmed Bahey, and Benoît Otjacques. 2013. VAFLE: Visual analytics of firewall log events. In Proceedings of the IS8T/SPIE Conference on Electronic Imaging. International Society for Optics and Photonics, 901704--901704.Google Scholar
Helen Gibson and Paul Vickers. 2012. Network infrastructure visualisation using high-dimensional node-attribute data. In Proceedings of the IEEE Conference on Visual Analytics Science and Technology (VAST’12). IEEE Computer Society, 293--294. Google ScholarDigital Library
Joshua D. Guttman and Amy L. Herzog. 2005. Rigorous automated network security management. Int. J. Inf. Sec. 4, 1--2 (2005), 29--48. Google ScholarDigital Library
Sunil Hazari. 2005. Perceptions of end-users on the requirements in personal firewall software: An exploratory study. J. Organ. End User Comput. 17, 3 (2005), 47--65.Google ScholarCross Ref
Xiangjian He, Thawatchai Chomsiri, Priyadarsi Nanda, and Zhiyuan Tan. 2014. Improving cloud network security using the tree-rule firewall. Future Gen. Comput. Syst. 30 (2014), 116--126.Google ScholarDigital Library
Almut Herzog and Nahid Shahmehri. 2007. Usability and security of personal firewalls. In Proceedings of the Symposium on Edge Computing (SEC’07) (IFIP), Vol. 232. Springer, 37--48.Google ScholarCross Ref
Almut Herzog and Nahid Shahmehri. 2007. User help techniques for usable security. In Proceedings of the Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’07). ACM, 11. Google ScholarDigital Library
Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni. 2012. Detecting and resolving firewall policy anomalies. IEEE Trans. Depend. Secure Comput. 9, 3 (2012), 318--331. Google ScholarDigital Library
Kenneth Ingham and Stephanie Forrest. 2002. A History and Survey of Network Firewalls. Technical Report, University of New Mexico.Google Scholar
International Organization for Standardization. 1998. ISO 9241-11: Ergonomic Requirements for Office Work with Visual Display Terminals (VDTs): Part 11: Guidance on Usability.Google Scholar
Pooya Jaferian, David Botta, Fahimeh Raja, Kirstie Hawkey, and Konstantin Beznosov. 2008. Guidelines for designing IT security management tools. In Proceedings of the 2nd ACM Symposium on Computer Human Interaction for Management of Information Technology (CHIMIT’08). ACM, New York, NY, Article 7, 10 pages. Google ScholarDigital Library
Audun Jøsang, Bander AlFayyadh, Tyrone Grandison, Mohammed AlZomai, and Judith McNamara. 2007. Security usability principles for vulnerability analysis and risk assessment. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07). 269--278.Google ScholarCross Ref
Bilal Khan, Muhammad Khurram Khan, Maqsood Mahmud, and Khaled S. Alghathbar. 2010. Security analysis of firewall rule sets in computer networks. In Proceedings of the 2010 4th International Conference on Emerging Security Information Systems and Technologies (SECURWARE’10). IEEE, 51--56. Google ScholarDigital Library
Ui-Hyong Kim, Jung-Min Kang, Jae-Sung Lee, and Hyong-Shik Kim. 2012. Practical firewall policy inspection using anomaly detection and its visualization. In Proceedings of the International Conference on IT Convergence and Security 2011. Springer, 629--639.Google ScholarCross Ref
Barbara Kitchenham and Pearl Brereton. 2013. A systematic review of systematic review process research in software engineering. Info. Softw. Technol. 55, 12 (2013), 2049--2075. Google ScholarDigital Library
Anita Komlodi, Penny Rheingans, Utkarsha Ayachit, John R. Goodall, and Amit Joshi. 2005. A user-centered look at glyph-based security visualization. In Proceedings of the IEEE Workshop on Visualization for Computer Security (VizSEC’05). IEEE, 21--28. Google ScholarDigital Library
Nanda Kumar, Kannan Mohan, and Richard D. Holowczak. 2008. Locking the door but leaving the computer vulnerable: Factors inhibiting home users’ adoption of software firewalls. Decis. Supp. Syst. 46, 1 (2008), 254--264. Google ScholarDigital Library
Christopher P. Lee, Jason Trost, Nicholas Gibbs, Raheem A. Beyah, and John A. Copeland. 2005. Visual firewall: Real-time network security monitor. In Proceedings of IEEE Workshop on Visualization for Computer (VizSEC’05). IEEE Computer Society, 16. Google ScholarDigital Library
Terje Nesbakken Lillegraven and Arnt Christian Wolden. 2010. Design of a Bayesian Recommender System for Tourists Presenting a Solution to the Cold-Start User Problem. Master’s thesis. Institutt for datateknikk og informasjonsvitenskap (IDI-NTNU).Google Scholar
Muhammad Mahmoud, Sonia Chiasson, and Ashraf Matrawy. 2012. Does context influence responses to firewall warnings? In Proceedings of the eCrime Researchers Summit. IEEE, 1--10.Google ScholarCross Ref
Florian Mansmann, Timo Göbel, and William Cheswick. 2012. Visual analysis of complex firewall configurations. In Proceedings of the 9th International Symposium on Visualization for Cyber Security. ACM, 1--8. Google ScholarDigital Library
Raffael Marty. 2009. Applied Security Visualization. Addison-Wesley Upper Saddle River. Google ScholarDigital Library
J. Mogul, R. Rashid, and M. Accetta. 1987. The packet filter: An efficient mechanism for user-level network code. In Proceedings of the 11th ACM Symposium on Operating Systems Principles (SOSP’87). ACM, 39--51. Google ScholarDigital Library
Shaun P. Morrissey, Georges Grinstein, et al. 2010. Developing multidimensional firewall configuration visualizations. In Proceedings of the 2010 International Conference on Information Security and Privacy (ISP’10). ISRST, 62--69.Google Scholar
J. Nielsen. 1994. Usability Engineering. Morgan Kaufmann.Google Scholar
Jakob Nielsen. 2010. Mental models. Nielsen Norman Group.Google Scholar
Wes Noonan and Ido Dubrawsky. 2006. Firewall Fundamentals. Pearson Education. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, and Konstantin Beznosov. 2009. Revealing hidden context: Improving mental models of personal firewall users. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS’09) (ACM International Conference Proceeding Series). ACM. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, Steven Hsu, Kai-Le Clement Wang, and Konstantin Beznosov. 2011. A brick wall, a locked door, and a bandit: A physical security metaphor for firewall warnings. In Proceedings of the 7th Symposium on Usable Privacy and Security. ACM, 1. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, Pooya Jaferian, Konstantin Beznosov, and Kellogg S. Booth. 2010. It’s too complicated, so i turned it off&excl;: Expectations, perceptions, and misconceptions of personal firewalls. In Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. ACM, 53--62. Google ScholarDigital Library
Marcus J. Ranum. 1992. A network firewall. In Proceedings of the World Conference on System Administration and Security.Google Scholar
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, Kelli Bacon, Keisha How, and Heather Strong. 2008. Expandable grids for visualizing and authoring computer security policies. In Proceedings of the Conference on Computer-Human Interaction (CHI’08). ACM, 1473--1482. Google ScholarDigital Library
Jennifer Rode, Carolina Johansson, Paul DiGioia, Kari Nies, David H. Nguyen, Jie Ren, Paul Dourish, David Redmiles, et al. 2006. Seeing further: Extending visualization as a basis for usable security. In Proceedings of the 2nd Symposium on Usable Privacy and Security. ACM, 145--155. Google ScholarDigital Library
Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. 1997. Web Security Sourcebook. John Wiley 8 Sons, Inc. Google ScholarDigital Library
J. H. Saltzer and M. D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept 1975), 1278--1308.Google ScholarCross Ref
M. Angela Sasse and Matthew Smith. 2016. The security-usability tradeoff myth {guest editors’ introduction}. IEEE Secur. Priv. 14, 5 (2016), 11--13. Google ScholarDigital Library
Karen Scarfone and Paul Hoffman. 2009. Guidelines on Firewalls and Firewall Policy. Technical Report. National Institute of Standards and Technology (NIST). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf. Google Scholar
B. Shneiderman and C. Plaisant. 2005. Designing the User Interface: Strategies for Effective Human-computer Interaction. Pearson/Addison Wesley. Google ScholarDigital Library
Tung Tran, Ehab S. Al-Shaer, and Raouf Boutaba. 2007. PolicyVis: Firewall security policy visualization and inspection. In Proceedings of the Conference on Large Installation System Administration (LISA’07), Vol. 7. 1--16. Google ScholarDigital Library
Martijn Van Welie, Gerrit C. Van Der Veer, and Anton Eliëns. 1999. Breaking down usability. In Proceedings of Interact’99. 613--620.Google Scholar
Kami Vaniea, Qun Ni, Lorrie Cranor, and Elisa Bertino. 2008. Access control policy analysis and visualization tools for security professionals. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS’08) Workshop (USM).Google Scholar
Artem Voronkov, Stefan Lindskog, and Leonardo A. Martucci. 2015. Challenges in managing firewalls. In Proceedings of the Nordic Conference on Secure IT (NordSec’15) (Lecture Notes in Computer Science), Vol. 9417. Springer, 191--196.Google Scholar
Justin Warner, David Musielewicz, G. Parks Masters, Taylor Verett, Robert Winchester, and Steven Fulton. 2010. Network firewall visualization in the classroom. J. Comput. Sci. Colleges 26, 2 (2010), 88--96. Google ScholarDigital Library
Alma Whitten and J. D. Tygar. 1998. Usability of Security: A Case Study. Technical Report. DTIC Document.Google Scholar
Stephan Windmüller. 2013. Simplifying firewall setups by using offline validation. J. Integr. Design Process Sci. 17, 3 (2013), 59--69. Google ScholarDigital Library
Tina Wong. 2008. On the usability of firewall configuration. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS’08) (Workshop on Usable IT Security Management (USM’08)). http://cups.cs.cmu.edu/soups/2008/USM/wong.pdf.Google Scholar
A. Wool. 2004. A quantitative study of firewall configuration errors. Computer 37, 6 (June 2004), 62--67. Google ScholarDigital Library
Avishai Wool. 2010. Trends in firewall configuration errors: Measuring the holes in swiss cheese. IEEE Internet Comput. 14, 4 (2010), 58--65. Google ScholarDigital Library
Ka-Ping Yee. 2002. User interaction design for secure systems. In Proceedings of the International Conference on Information and Communications Security. Springer, 278--290. Google ScholarDigital Library
Lihua Yuan, Hao Chen, Jianning Mai, Chen-Nee Chuah, Zhendong Su, and Prasant Mohapatra. 2006. Fireman: A toolkit for firewall modeling and analysis. In Proceedings of the 2006 IEEE Symposium on Security and Privacy. IEEE, 15 pages. Google ScholarDigital Library
Bin Zhang, Ehab Al-Shaer, Radha Jagadeesan, James Riely, and Corin Pitcher. 2007. Specifications of a high-level conflict-free firewall policy language for multi-domain networks. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT’07). ACM, New York, NY, 185--194. Google ScholarDigital Library
Chao and Chi-Shih. 2011. A flexible and feasible anomaly diagnosis system for internet firewall rules. 13th Asia-Pacific Network Operations and Management Symposium (APNOMS’11). IEEE, 1--8.Google Scholar
Chao and Chi-Shih. 2007. A visualized internet firewall rule validation system. Asia-Pacific Network Operations and Management Symposium. Springer, 364--374. Google ScholarDigital Library
Hongxin Hu, Gail-Joon Ahn, and Ketan Kulkarni. 2010. FAME: A firewall anomaly management environment. In Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration. ACM, 17--26. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, Konstantin Beznosov, and Kellogg S. Booth. 2010. Investigating an appropriate design for personal firewalls. CHI Extended Abstracts on Human Factors in Computing Systems. ACM, 4123--4128. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, Steven Hsu, Kai-Le Wang, and Konstantin Beznosov. 2011. Promoting a physical security mental model for personal firewall warnings. CHI Extended Abstracts on Human Factors in Computing Systems. ACM, 1585--1590. Google ScholarDigital Library
Fahimeh Raja, Kirstie Hawkey, and Konstantin Beznosov. 2009. Towards improving mental models of personal firewall users. CHI Extended Abstracts on Human Factors in Computing Systems. ACM. 4633--4638. Google ScholarDigital Library
Shaun P. Morrissey and Georges Grinstein. 2009. Visualizing firewall configurations using created voids. 6th International Workshop on Visualization for Cyber Security, VizSec. IEEE, 75--79.Google Scholar
Stephan Windmuller. 2011. Offline Validation of Firewalls. In Proceedings of the 2011 IEEE 34th Software Engineering Workshop (SEW’11). IEEE Computer Society, 36--41. Google ScholarDigital Library

Index Terms

Systematic Literature Review on Usability of Firewall Configuration

Recommendations

A systematic literature review of security software defined network: research trends, threat, attack, detect, mitigate, and countermeasure
ICTCE '19: Proceedings of the 3rd International Conference on Telecommunications and Communication Engineering

The development of internet technology in the current decade is growing very rapidly. This triggers a variety of innovations in the application layer. However, these developments cannot be followed by network layers that tend to be slow. The concept of ...
Read More
A systematic literature review: Messaging protocols and electronic platforms used in the internet of things for the purpose of building smart homes
Abstract
Internet of Things is a paradigm that aims at connectivity for everything, such as computing devices, machines, objects, people and so on. Messaging protocols and electronic platforms are needed in the implementation of Internet of Things(IoT) ...
Read More
Systematic Literature Review on Data Provenance in Internet of Things
Computational Science and Its Applications – ICCSA 2022 Workshops
Abstract
Internet of Things(IoT) is a concept that develops day by day and is now an indispensable part of our lives. Although it has been developed a lot, it still has many problematic areas and has many aspects that need improvement. On the other hand, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Computing Surveys Volume 50, Issue 6
November 2018
752 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3161158
Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering / University of Florida / Gainesville, FL
Issue’s Table of Contents
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 December 2017
- Accepted: 1 August 2017
- Revised: 1 July 2017
- Received: 1 August 2016
Published in csur Volume 50, Issue 6

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Firewall
systematic literature review
usability
visualization
Qualifiers
- survey
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 17
  Total Citations
  View Citations
- 2,142
  Total Downloads
- Downloads (Last 12 months)247
- Downloads (Last 6 weeks)16
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Systematic Literature Review on Usability of Firewall Configuration

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

A systematic literature review of security software defined network: research trends, threat, attack, detect, mitigate, and countermeasure

A systematic literature review: Messaging protocols and electronic platforms used in the internet of things for the purpose of building smart homes

Systematic Literature Review on Data Provenance in Internet of Things