Towards more usable firewalls
2020-05-26
Setting up firewalls correctly is a challenging task which becomes more difficult the bigger a network grows. Artem Voronkov, who recently completed a Degree of Doctor in Computer Science, has focused his work on how to help system administrators to better manage firewalls.
Most companies have access to the Internet, and their corporate networks are connected to it. Many threats to computer systems, e.g. worms, trojans, and denial-of-service attacks, can be encountered online and may entail, for example, confidential data theft, service disruption and financial losses. Every organisation, regardless of its size, type of activity or infrastructure, requires network security solutions in place in order to protect it from the ever-increasing number of cyber threats. Firewalls are an important component of network security that protects networks by regulating incoming and outgoing traffic.
“Simply having a firewall does not guarantee any protection against Internet threats, unless it is properly configured,” says Artem Voronkov. “Firewall configuration files consist of rule sets that might be hard to understand even for professionals that deal with them regularly. The main reason for this is that most firewall rule sets have a certain structure: the higher the position of a rule in the rule set, the higher priority it has. Challenging problems arise when a new rule is added to the set and a proper position for it needs to be found, or when existing rules are removed due to a security policy change.”
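The ordering problem described above, shown as an added example (not code from the thesis or from the HITS project): a first-match evaluator plus a check for rules that can never fire because a single earlier rule covers them. The rule names, fields and addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str        # source CIDR
    ports: tuple    # inclusive destination port range (lo, hi)
    action: str     # "allow" or "deny"

def matches(rule, src_ip, port):
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    return in_net and rule.ports[0] <= port <= rule.ports[1]

def decide(rules, src_ip, port, default="deny"):
    """First-match semantics: the highest-positioned matching rule wins."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule.action, rule.name
    return default, None

def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`."""
    e, l = ipaddress.ip_network(earlier.src), ipaddress.ip_network(later.src)
    return (l.subnet_of(e)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])

def shadowed(rules):
    """Rules fully covered by one earlier rule (unions of rules are not checked)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                out.append((later.name, earlier.name, kind))
                break
    return out

# Constructed rule set using documentation address ranges.
BASE = [
    Rule("allow-office-web", "192.0.2.0/24", (80, 443), "allow"),
    Rule("deny-all", "0.0.0.0/0", (0, 65535), "deny"),
]
NEW = Rule("deny-kiosk-web", "192.0.2.128/25", (80, 443), "deny")

APPENDED = BASE + [NEW]    # new rule at the bottom: never reached
PREPENDED = [NEW] + BASE   # new rule above the broader allow: takes effect
```

Running `shadowed()` on a candidate rule set before deploying it flags a new rule that was placed below a broader rule with the opposite action.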
Three different aspects of firewall configuration
In his work, Artem Voronkov has explored three different aspects of firewall configuration: 1) the syntax of rules, 2) the organisation of rules in a rule set, and 3) the way rule sets are presented to a user. By using this acquired knowledge, he offers system administrators more usable firewall solutions and approaches to the configuration process that can help facilitate their daily work.
“There are several contributions of the thesis, both practical and theoretical,” says Artem Voronkov. “For the practical part we suggested some metrics that can help to optimise the configuration files. A big part of the work is theoretical. We found some dependences, like people’s preferences on how they want to structure their configuration files. In this paper we showed that firewalls need to have several rule set representations of configurations.”
How the work was done
First, Artem Voronkov conducted a series of semi-structured interviews with system administrators, in which he asked them about problems confronted when managing firewalls. After having ascertained that there were usability problems involved, he began to address them.
“We compared two different firewall rule set representation approaches and identified that a preference for one or the other depends on the firewall expertise of the individual. We introduced and mathematically formalised a set of four usability metrics which were designed to evaluate the quality of firewall rule sets. Furthermore, we did not only investigate which firewall interfaces are utilised and preferred by system administrators, but we also identified and classified the interfaces' strengths and limitations. Finally, we conducted a systematic literature review to gain an understanding of the state of the art in firewall usability. This review classifies the available solutions and identifies the open challenges that exist in the field.”
Artem Voronkov publicly defended his doctoral thesis on 3 April. The work has been part of the project HITS, High Quality Networked Services in a Mobile World, which aims to contribute to the development of high quality networking services for a mobile world. The research is conducted in close collaboration with industry partners.
You can access the doctoral thesis Usability of Firewall Configuration: Making the Life of System Administrators Easier in