Usability and Security of Personal Firewalls
Effective security of a personal firewall depends on (1) the granularity of its rules and the implementation of rule enforcement, and (2) the correctness and granularity of the decisions the user makes at the time of an alert. A misconfigured or loosely configured firewall may be more dangerous than no firewall at all, because it gives the user a false sense of security. This study assesses the effective security of 13 personal firewalls by comparing the achievable granularity of their rules as well as the usability of rule setup and its influence on security.
To evaluate usability, we subjected each firewall to use cases that require user decisions and cause rules to be created. To evaluate the firewalls' security, we analysed the rules that were created. In addition, we ran a port scan and replaced a legitimate, network-enabled application with another program to assess each firewall's behaviour in misuse cases. We also conducted a cognitive walkthrough, paying special attention to user guidance and user decision support.
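The "replaced application" misuse case hinges on how a firewall identifies the program a rule was created for. The following is an added illustration, not code from the paper or from any of the 13 firewalls studied: it simulates two hypothetical application-identity checks (path only, and path plus a SHA-256 of the file contents), creates an "allow" rule for a constructed stand-in executable, swaps in a different file at the same path, and reports which rule survives the swap. The file names, contents and the matcher logic are all assumptions made for the example.

```python
"""Added example (not from the paper): simulate how a personal firewall's
application-identity check decides the 'replaced application' misuse case.

Two hypothetical matchers are compared: one keys the rule on the executable's
path alone, the other on path plus a SHA-256 of the file contents. All files
are constructed in a temporary directory; nothing touches a real firewall.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    path: str
    sha256: Optional[str]   # None -> path-only identity (assumed weak design)
    action: str             # "allow" or "deny"


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def create_rule(path: str, action: str = "allow", bind_to_content: bool = True) -> Rule:
    """Create the rule a firewall would store after the user answers an alert."""
    digest = sha256_of(path) if bind_to_content else None
    return Rule(path=path, sha256=digest, action=action)


def decide(rule: Rule, path: str, default: str = "deny") -> str:
    """Action applied to a connection attempt by the program now at `path`.

    A path mismatch falls back to the default policy; a content-bound rule
    additionally falls back when the file at that path no longer hashes to
    what it hashed to when the rule was created.
    """
    if os.path.normpath(path) != os.path.normpath(rule.path):
        return default
    if rule.sha256 is not None and sha256_of(path) != rule.sha256:
        return default
    return rule.action


def misuse_case(bind_to_content: bool) -> tuple:
    """Return (decision before swap, decision after swap) for one matcher.

    The 'ftpclient' file and its contents are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "ftpclient")
        with open(app, "wb") as f:
            f.write(b"legitimate ftp client, build 1")          # constructed
        rule = create_rule(app, bind_to_content=bind_to_content)
        before = decide(rule, app)
        with open(app, "wb") as f:
            f.write(b"unrelated program dropped onto the trusted path")  # constructed
        after = decide(rule, app)
        return before, after


if __name__ == "__main__":
    for label, bound in (("path only", False), ("path + sha256", True)):
        print(f"{label:14s}: before swap={misuse_case(bound)[0]}, after swap={misuse_case(bound)[1]}")
```

With the path-only matcher the impostor inherits the "allow" rule; with the content-bound matcher the swap silently reverts the program to the default policy, which is why the default itself (deny, in this simulation) matters as much as the rule.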
We conclude that a stronger emphasis on user guidance, on conveying the design of the personal firewall application, on the principle of least privilege and on implications of default settings would greatly enhance both usability and security of personal firewalls.
Keywords: User Guidance; File Transfer Protocol; Misuse Case; User Decision; Default Behaviour