On the Usability of Firewall Configuration

The firewalls in an enterprise network must be configured correctly or the internal corporate network can be infiltrated, leading to serious security, financial and performance implications. However, firewall configuration is a complex and error-prone task. Configuration languages are like assembly languages: they are low-level and vendor-specific. Moreover, usually multiple firewalls must be configured to protect an enterprise network. This task has been compared to programming a distributed system with an assembly language. While many researchers have tackled the firewall configuration problem from various perspectives, including new models, languages and complete systems, little has been done from the usability standpoint. Recently, studies have demonstrated that administrators strongly prefer textual or command line interfaces (CLIs) over GUIs. Most administrators are reluctant to invest time to learn new models, languages or systems for their everyday tasks. In this paper, we study the firewall configuration problem from the usability perspective. We first propose models to measure the lexical and structural complexity of firewall configuration. Using these models, we examine where complexity lies in the configurations of real networks. With the assumption that CLI will remain as the main user interface for administrators, we suggest visualizations to make firewall configuration more usable.