
Firewalls: Your First Line of Defence

Firewalls are the first of Cyber Essentials' five technical controls. They create a protective barrier between your trusted internal network and untrusted external networks, controlling what traffic can flow in and out of your organisation.

Key Takeaways

| Point | Summary |
|---|---|
| All connections protected | Every device connecting to the internet needs firewall protection |
| Default deny inbound | Block all incoming connections unless explicitly allowed |
| Change default passwords | Firewall admin credentials must be unique and strong |
| Document rules | Know why each firewall rule exists; remove unnecessary rules |
| Cloud services count | Cloud firewalls and security groups must also meet the requirements |

Quick Answer: Cyber Essentials requires firewalls on all internet-connected devices with default-deny for inbound connections. Change default admin passwords, disable unnecessary services, and document all firewall rules.

Understanding what firewalls do

A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules. Think of it as a security checkpoint that examines traffic and decides what to allow through.

For each connection attempt, the firewall applies its rules and takes one of these actions:

  • Allow: Permitted traffic passes through
  • Block: Denied traffic is stopped
  • Log: Traffic is recorded for monitoring

What Cyber Essentials requires

Mandatory requirements

| Requirement | Details |
|---|---|
| All internet connections protected | Every device connecting to the internet needs firewall protection |
| Default deny inbound | Block incoming connections unless explicitly allowed |
| Change default passwords | Firewall admin credentials must be changed from factory settings |
| Disable or block unapproved services | Only allow necessary network services |
| Document firewall rules | Know why each rule exists |

Configuration standards

Inbound traffic rules:

  • Default action should be to deny all incoming connections
  • Explicitly allow only services that are required
  • Each allowed rule should have a documented purpose
  • Review rules regularly and remove those no longer needed

Outbound traffic rules:

  • May be less restrictive than inbound
  • Consider blocking known malicious destinations
  • Document any restrictions
  • Review periodically

Administrative access:

  • Change all default credentials
  • Use strong passwords (14+ characters recommended)
  • Limit who has admin access
  • Enable logging of admin actions
  • Access only from trusted locations
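The inbound standard above (default deny, explicit allows with a documented purpose, admin access only from trusted locations) expressed as a Linux nftables ruleset. This is an added example, not from the original article; the service list and the 10.0.10.0/24 management network are constructed assumptions.

```python
# Added example (not from the original article): build an nftables ruleset
# that implements the inbound default-deny standard from a short list of
# documented allows. The service list and the 10.0.10.0/24 management
# network are constructed assumptions.
from ipaddress import ip_network

# Each entry mirrors a documented rule: protocol, port, allowed source, purpose.
ALLOWED_INBOUND = [
    ("tcp", 443, "0.0.0.0/0", "Public website access"),
    ("tcp", 22, "10.0.10.0/24", "Admin SSH from the management network only"),
]


def build_ruleset(allowed=ALLOWED_INBOUND, log_drops=True):
    """Return nftables config text: drop all inbound traffic by default and
    accept only the documented services; loopback and replies to our own
    outbound connections must still be accepted or the host breaks."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    # default action: drop anything not explicitly accepted below",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept  # local traffic",
        "    ct state established,related accept  # replies to outbound connections",
        "    ct state invalid drop",
    ]
    for proto, port, source, purpose in allowed:
        net = ip_network(source)  # raises ValueError on a mistyped network
        if net.prefixlen == 0:
            src = ""  # open to everyone: only for genuinely public services
        else:
            src = f"{'ip6' if net.version == 6 else 'ip'} saddr {net} "
        lines.append(f"    {src}{proto} dport {port} accept  # {purpose}")
    if log_drops:  # record what the default-deny policy blocks, rate limited
        lines.append('    limit rate 5/second log prefix "nft-drop-in: "')
    lines += [
        "  }",
        "  chain output {",
        "    # outbound may be less restrictive; the hook is here so rules can be added",
        "    type filter hook output priority 0; policy accept;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset())  # review, then check with: nft -c -f <file>
```

Load the generated file only after `nft -c -f` reports no syntax errors, and keep a console session open the first time in case the management allow is wrong.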

Types of firewalls

Boundary/network firewalls

These protect the entire network at the perimeter:

| Type | Description | Typical Use Case |
|---|---|---|
| Hardware firewall | Dedicated device | Business networks |
| Router firewall | Built into router | Small offices |
| UTM (Unified Threat Management) | Multi-function security | Medium businesses |
| Next-Gen Firewall (NGFW) | Application-aware | Enterprises |

Host-based firewalls

These protect individual devices:

| Type | Description | Use Case |
|---|---|---|
| Windows Firewall | Built into Windows | All Windows devices |
| macOS Firewall | Built into macOS | All Mac devices |
| Linux iptables/nftables | Built into Linux | Linux systems |
| Third-party software | Additional protection | Enhanced control |

Cloud firewalls

These protect cloud infrastructure:

| Type | Description | Use Case |
|---|---|---|
| AWS Security Groups | AWS-native | AWS workloads |
| Azure NSGs | Azure-native | Azure workloads |
| GCP Firewall Rules | GCP-native | GCP workloads |
| Cloud WAF | Web application protection | Web services |

Implementing firewall controls

Step 1: Identify all internet connections

Start by understanding where your network connects to the internet:

Fixed locations:

  • Main office internet connection
  • Branch office connections
  • Data centre connections
  • Cloud infrastructure

Mobile/remote:

  • Employee laptops (need a host firewall)
  • Mobile devices
  • Home office connections
  • Public WiFi usage

Third-party connections:

  • VPN connections
  • Partner network links
  • Vendor remote access
  • Cloud service connections

Step 2: Configure boundary firewalls

For your network perimeter:

| Configuration | Action |
|---|---|
| Default inbound | Set to DENY |
| Admin credentials | Change from default |
| Management access | Restrict to internal/VPN |
| Logging | Enable comprehensive logging |
| Firmware | Update to latest version |

Step 3: Enable host firewalls

Every device needs its own firewall. For Windows devices:

  • Access via Control Panel → Windows Defender Firewall
  • Ensure it's enabled for all network types (Domain, Private, Public)
  • Use Advanced Settings for custom rules

For macOS devices:

  • Access via System Preferences → Security & Privacy → Firewall
  • Turn on the firewall
  • Configure Firewall Options for specific applications
  • Consider enabling stealth mode

Step 4: Document your rules

For each firewall rule, document:

| Field | Example |
|---|---|
| Rule Name | Allow-HTTPS-Inbound |
| Direction | Inbound |
| Action | Allow |
| Source | Any |
| Destination | Web Server IP |
| Port | 443/TCP |
| Purpose | Public website access |
| Created By | IT Admin |
| Date | 2024-01-15 |
| Review Date | 2024-07-15 |

Common firewall rules

Typical inbound allows

| Service | Port | Purpose |
|---|---|---|
| HTTPS | 443/TCP | Secure web traffic |
| HTTP | 80/TCP | Web traffic (redirect to HTTPS) |
| SMTP | 25/TCP | Email receipt (mail servers) |
| IMAPS | 993/TCP | Secure email access |
| VPN | Various | Remote access |

Typical outbound allows

| Service | Port | Purpose |
|---|---|---|
| HTTP/HTTPS | 80, 443/TCP | Web browsing |
| DNS | 53/UDP/TCP | Name resolution |
| NTP | 123/UDP | Time synchronisation |
| SMTP | 587/TCP | Email sending |

Rules to avoid

| Rule | Risk |
|---|---|
| Allow Any → Any | No protection at all |
| Allow All Inbound to Workstations | Unnecessary exposure |
| Unencrypted Remote Access | Credentials at risk |
| Telnet (port 23) | Unencrypted, obsolete |
| FTP (port 21) | Unencrypted, use SFTP instead |
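A small audit that reads rule records in the Step 4 documentation format and flags the rules-to-avoid above, missing purposes and overdue review dates (the "stale rules" mistake). This is an added example, not from the original article; the rule records are constructed, with only Allow-HTTPS-Inbound copied from the article's Step 4 example.

```python
# Added example (not from the original article): audit rule documentation
# records in the Step 4 format against the practices above. The rule records
# below are constructed; only Allow-HTTPS-Inbound copies the article's example.
from datetime import date

# Services the article says to avoid because they are unencrypted/obsolete.
AVOID_PORTS = {
    "23/TCP": "Telnet is unencrypted and obsolete",
    "21/TCP": "FTP is unencrypted; use SFTP instead",
}

def audit_rule(rule, today):
    """Return the findings for one rule; an empty list means it passes."""
    findings = []
    inbound_allow = rule["Direction"] == "Inbound" and rule["Action"] == "Allow"
    if not rule.get("Purpose", "").strip():
        findings.append("no documented purpose")
    if inbound_allow and rule["Source"] == "Any" and rule["Destination"] == "Any":
        findings.append("Allow Any -> Any: no protection at all")
    if inbound_allow and rule["Destination"] == "Workstations":
        findings.append("inbound allow to workstations: unnecessary exposure")
    if rule["Action"] == "Allow" and rule["Port"] in AVOID_PORTS:
        findings.append(AVOID_PORTS[rule["Port"]])
    if date.fromisoformat(rule["Review Date"]) < today:  # stale rule
        findings.append(f"stale rule: review was due {rule['Review Date']}")
    return findings

def audit_rules(rules, today=None):
    """Map each rule name to its findings; today is an ISO date string or None."""
    today = date.fromisoformat(today) if today else date.today()
    return {r["Rule Name"]: audit_rule(r, today) for r in rules}

SAMPLE_RULES = [  # constructed records in the documentation format above
    {"Rule Name": "Allow-HTTPS-Inbound", "Direction": "Inbound", "Action": "Allow",
     "Source": "Any", "Destination": "Web Server IP", "Port": "443/TCP",
     "Purpose": "Public website access", "Review Date": "2024-07-15"},
    {"Rule Name": "Allow-Telnet-Switch", "Direction": "Inbound", "Action": "Allow",
     "Source": "Any", "Destination": "Core Switch", "Port": "23/TCP",
     "Purpose": "Legacy switch management", "Review Date": "2023-11-30"},
    {"Rule Name": "Temp-Any-Any", "Direction": "Inbound", "Action": "Allow",
     "Source": "Any", "Destination": "Any", "Port": "Any",
     "Purpose": "", "Review Date": "2024-06-01"},
]

if __name__ == "__main__":
    for name, found in audit_rules(SAMPLE_RULES, "2024-03-01").items():
        print(name, "->", "; ".join(found) or "OK")
```

Run it against an export of your own rule register before each review cycle; any rule with findings is either fixed or gets a fresh documented purpose and review date.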

Home and remote workers

For organisations with remote workers, there are additional considerations:

Corporate devices:

  • Host firewall must be enabled (mandatory)
  • VPN for corporate access
  • Same security standards as office devices
  • Mobile Device Management (MDM) can help enforce policies

Home networks:

  • Not directly in scope for certification
  • But recommending good practices to staff can help:
    • Router firmware should be updated
    • Default router password should be changed
    • Guest network for IoT devices
    • WPA3 or WPA2 WiFi encryption

Public WiFi:

  • Host firewall is essential
  • VPN strongly recommended
  • Avoid sensitive transactions
  • Treat as a hostile network

Common mistakes to avoid

Configuration errors

| Mistake | Impact | Solution |
|---|---|---|
| Default password unchanged | Easy admin compromise | Change immediately |
| Allow Any inbound | No protection | Remove, add specific rules |
| Host firewall disabled | Devices unprotected | Enable on all devices |
| No rule documentation | Can't audit effectively | Document all rules |
| Stale rules | Unnecessary exposure | Regular review/cleanup |

Management errors

| Mistake | Impact | Solution |
|---|---|---|
| No change control | Unauthorised changes | Implement approval process |
| No backup config | Recovery issues | Regular backups |
| No firmware updates | Known vulnerabilities | Update schedule |
| Open management access | Admin compromise risk | Restrict access |

Pre-certification checklist

Before your Cyber Essentials assessment, verify:

  • All internet connections have firewall protection
  • Default inbound rule is DENY
  • All default passwords changed
  • Administrative access restricted
  • All firewall rules documented
  • Unnecessary rules removed
  • Firmware is current
  • Logging is enabled
  • Host firewalls enabled on all devices

How Bastion can help

Firewall configuration can be complex, especially when balancing security requirements with business needs.

| Challenge | How We Help |
|---|---|
| Firewall assessment | We review your current configuration and identify gaps |
| Rule optimisation | We help identify unnecessary rules that create exposure |
| Documentation | We create comprehensive rule documentation |
| Policy development | We help establish firewall management policies |
| Ongoing monitoring | We can alert on suspicious activity |

Working with a managed service partner means your firewall configuration is reviewed by people who've seen many environments and know what good looks like. We help ensure things are done right the first time, avoiding the back-and-forth that comes from learning through trial and error.
