Apr 03 2009
Firewall Configuration Interfaces
Your correspondent has worked with loads of different firewall configuration screens over the years, like Linux’s IPTables (command line), various Linksys and D-Link home and small business routers, the Apple OS X firewall, the Plesk IPTables interface and Windows tools like Windows Firewall (classic, Server 2008), BlackIce, Kerio Personal Firewall and on and on and on.
Sadly, most of these firewall configuration screens are painful to use.
Take the Linksys RV042, a reliable business-class router well suited to a small office. Managing its firewall can involve updates to three separate screens. Even the buttons on the edit-rule screen (see right) are confusing: “Return”, “Save Settings” and “Cancel Changes”.
There are probably several reasons why this happens — limited budget, schedule, etc. — but the likely explanation is that when engineers schedule the design of a new router they leave the admin interface as the last task, hate doing it and spend as little time as possible on this “tail-end” work.
The irony is that the admin interface is where your customers spend 90% of their time interacting with the product. Sure, your customers appreciate (in the broadest sense) how quickly your little box moves tiny packets around, but they really don’t care so long as:
- It doesn’t crash; and,
- The admin interface isn’t too painful.
Given this, I’ve come up with a few really simple design guidelines for firewall interfaces.
Firewall configuration user experience design screen rules:
- No pagination. Pagination of firewall rules is as pointless as pagination on online news stories: there is rarely enough content to justify it.
- Proper labeling. As soon as you write your 11th firewall rule you start to forget what the first 10 rules are for. Firewall configuration should support both a name for each rule and labels on individual IP ranges.
- Allow multiple, user-entered IP ranges. Users should be able to enter IPs in three formats: single IPs, human-readable ranges (like 2.5.7.1-2.5.7.123) and netmask form (for the nerds). And you must allow users to enter a mix of all three.
- Clear interface. This should be a no-brainer, but loads of configuration screens have glaring UI gaffes. Keep it simple and standard.
- Combine stuff. Port forwarding, NAT, firewall, etc, can be combined into a single interface for most routers.
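The mixed-format address field from the list above, as an added example that is not part of the original mock-ups: a small Python validator that accepts single IPs, human-readable ranges and CIDR blocks in one field, normalises them for the rule engine, and reports exactly which token was bad so the form can highlight it. The function names are my own; the error-message wording is an assumption.

```python
import ipaddress
import re

def parse_ip_field(text):
    """Parse a field mixing single IPs, 'lo-hi' ranges and CIDR blocks.
    Tokens are separated by commas, whitespace or newlines and normalised to
    inclusive (first, last) address pairs; ValueError names the bad token so
    the form can highlight it instead of rejecting the whole rule.
    """
    entries = []
    for token in filter(None, re.split(r"[\s,]+", text.strip())):
        try:
            if "/" in token:
                # strict=True rejects '2.5.7.1/24' (host bits set) rather than
                # silently widening the rule to 2.5.7.0/24.
                net = ipaddress.ip_network(token, strict=True)
                entries.append((net[0], net[-1]))
            elif "-" in token:
                lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
                if lo.version != hi.version or hi < lo:
                    raise ValueError("range is reversed or mixes IPv4 and IPv6")
                entries.append((lo, hi))
            else:
                addr = ipaddress.ip_address(token)
                entries.append((addr, addr))
        except ValueError as exc:
            raise ValueError(f"bad address entry {token!r}: {exc}") from None
    if not entries:
        raise ValueError("no addresses given")
    return entries

def field_error(text):
    """Validation hook for the form: None if the field parses, else the message."""
    try:
        parse_ip_field(text)
        return None
    except ValueError as exc:
        return str(exc)

def to_cidrs(text):
    """Render the same field as the CIDR list a packet filter would consume."""
    return [str(net) for lo, hi in parse_ip_field(text)
            for net in ipaddress.summarize_address_range(lo, hi)]

def field_contains(text, ip):
    """True if ip falls inside any entry of the field (rule lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in parse_ip_field(text)
               if lo.version == addr.version)
```

Rejecting a CIDR with host bits set, rather than quietly rounding it down, is the one place a firewall form should be stricter than the underlying library's default convenience mode.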
Mock-Up Screens
To demonstrate some of these ideas, your correspondent has created a set of HTML mock-up screens. Sure, this interface won’t work for a high-end Cisco router, but it should include the functionality you might expect from a home or small business router.
These are simple mock-ups; a few things are missing, like support for multiple ports and a way to move a rule several positions in one click. However, these screens hopefully demonstrate that firewall configuration screens can be made user friendly.