Most system administrators prefer firewall GUIs over CLIs

results-gui-cli.png

Image: Voronkov et al.

When it comes to firewalls, most system administrators prefer to use a graphical user interface (GUI) rather than a command-line interface (CLI), a new academic study published over the summer has revealed.

Despite the many preconceptions that system administrators are almost all ardent CLI users, firewall GUIs won by a pretty large margin in a survey compiling results from more than 300 respondents.

Almost 60% of sysadmins said they “preferred” GUIs over CLIs, and 70% said they “used” GUIs on a daily basis.

The survey showed that while CLIs might be popular in some circles, they are not the most ideal interface for managing a complex security software suite like a firewall.

The survey, which included more than 15 questions that also sought to discover the reasoning behind each answer, revealed that “usability” was the main reason why system administrators tended to prefer and use firewalls more than CLIs.

CLIs are terrible at generating visual information

“CLIs are terrible at generating visual information,” said Leonardo A. Martucci, one of the academics, in a presentation at a security conference over the summer.

CLI reports usually look like a giant blob of text, and are mostly ineffective when shown to a non-technical manager, he added.

The other main downside to CLIs was the steep learning curve that kept many new users away. Since firewalls are highly sensitive systems, many users choose to use GUIs because they were much clearer about the actions a user is taking. Simpler interfaces eliminate mistakes were a new sysadmin could accidentally expose networks to attacks due to a misunderstood CLI parameter.

cli-results.png

Image: Voronkov et al.

As for GUI strengths, usability was the primary reason cited by most respondents. In hindsight, it is pretty hard to get things wrong in a firewall GUI.

Furthermore, the presence of graphs and statistics is also a bonus feature that can also help many users spot anomalies and threats faster — in opposition to having to stare at hundreds or thousands of lines of text.

However, GUIs were not perfect either. The downside that most sysadmins cited was that firewall GUIs could not be automated to perform tasks in the absence of a human operator. Furthermore, some firewall GUIs lacked fine-grained controls, eventually needing that sysadmins use a CLI to perform certain actions.

gui-results.png

Image: Voronkov et al.

The survey was carried out by a three-man research team from the Karlstad University in Sweden. Academics asked system administrators who manage firewalls on a daily basis to answer 15+ questions part of an online survey.

Respondents were invited to participate in the survey via the /r/sysadmin subreddit, the SysAdmins.ru forum, and various system administrators’ mailing lists. From the 516 participants who started the survey, only 303 answered all questions.

For the full results, ZDNet readers can check out the “System Administrators Prefer Command Line Interfaces, Don’t They? An Exploratory Study of Firewall Interfaces” white paper, available for download from here or here.

The research team also presented their findings at the USENIX security conference in August. A video is available below.

Leave a Reply

Your email address will not be published. Required fields are marked *