Cyber Essentials Firewalls Explained.

The Cyber Essentials Scheme requires all devices that are connected to the internet are to be protected with a firewall. This effectively creates a ‘buffer zone’ between your IT network or device and other, external networks. In the simplest case, this means between your computer (or computers) and ‘the Internet’.

Two types of firewall

You could use a personal firewall on your internet connected laptop (normally included within your Operating System at no extra charge). Or, if you have a more complicated set up with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole. Some routers will contain a firewall which could be used in this boundary protection role. But, this can’t be guaranteed.


Both Personal and boundary firewalls come setup with a default configuration in place. This should be reviewed and updated to provide the correct level of protection to meet the schemes requirements.

Firewalls What Cyber Essentials Requires

Cyber Essentials Certification requires that you use and configure a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks.

This applies to: all devices including boundary firewalls, desktop computers, laptop computers, tablets, routers and servers.


Ensure that only safe and necessary network services can be accessed from the Internet.


All devices run network services, which create some form of communication with other devices and services. By restricting access to these services, you reduce your exposure to attacks. This can be achieved using firewalls and equivalent network devices.

A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol.

Alternatively, a host-based firewall may be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.

Requirements under this technical control theme

Every device that is in scope must be protected by a correctly configured firewall (or equivalent network device).

For all firewalls (or equivalent network devices), the Applicant organisation must routinely:

  • change any default administrative password to an alternative that is difficult to guess or disable remote administrative access entirely
  • prevent access to the administrative interface (used to manage firewall configuration) from the Internet, unless there is a clear and documented business need and the interface is protected by one of the following controls:
    • a second authentication factor, such as a one-time token
    • an IP whitelist that limits access to a small range of trusted addresses
  • block unauthenticated inbound connections by default
  • ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
  • remove or disable permissive firewall rules quickly, when they are no longer needed
  • use a host-based firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots