Understanding Cyber Essentials firewall requirements

One of the five major controls of Cyber Essentials is to configure and deploy a network firewall. Let’s delve into what that means in practice.

What’s a firewall?

A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, it creates a secure zone between your devices and the internet.

To qualify for Cyber Essentials, all your internet-connected devices should be protected with a firewall. 

Types of firewall 

There are two kinds of firewall that meet the cyber essentials firewall requirements:

1. Personal firewall
2. Boundary firewall

Personal firewall

You’ll usually find these installed on internet-connected desktops or laptops. Most operating systems come with a built-in personal firewall so you’re likely already using one.

Boundary firewall

Also known as a network firewall, boundary firewalls provide a protective buffer around your entire network of devices. In most cases, you’ll need a hardware firewall to deploy a boundary firewall.

How do firewalls work?

Firewalls restrict inbound and outbound traffic to ensure you connect safely to to external networks like the internet. They prevent desktops, laptops, and mobile devices within your network from accessing malicious or harmful content. 

Firewalls do this by using rules to restrict the kind of traffic that gets in. These rules allow or block incoming traffic into a network depending on its source, destination, and communication protocol.

Cyber Essentials firewall requirements 

The Cyber Essentials firewall requirements are to use and configure a firewall to protect every device in your business. And, especially the ones connected to public or untrusted Wi-Fi networks. 

To comply with Cyber Essentials, you must:

• Disable permissive firewall rules once they become obsolete
• Make use of personal firewalls on devices connected to untrusted networks like public Wi-Fi or hotspots
• Block unauthenticated and untrusted inbound connections by default
• Review and update default passwords and settings according to the organisation’s security requirements
• Use strong administrative passwords with a mix of upper and lower-case characters, numbers, and symbols, or disable remote administrative access
• Set and document administrator-approved firewall rules 
• Restrict administrative access to the firewall interface. Access should be protected with: Two-factor authenticationAn IP whitelist with a small number of devices only

Does your firewall meet Cyber Essentials requirements?

Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification. If you’d like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us.

Or, if you want to know more about Cyber Essentials and the benefits of certification to small businesses like yours, check out our guide.