Cyber Essentials Firewalls Explained

The Cyber Essentials Scheme specifies that all devices that are connected to the internet must be protected with a firewall. A firewall effectively creates a ‘buffer zone’ between your IT network or device and other, external, networks. In the simplest case, this means a firewall creates a buffer zone between your computer (or computers) and ‘the internet’.

Types of firewall

Firewalls are available both as software and as physical devices. You could use firewall software on your internet-connected laptop. This type of firewall is normally included within your operating system at no extra charge. If you have a more complicated set up with many different types of devices, you might need a dedicated physical device: a boundary firewall. A boundary firewall places a protective buffer around your network as a whole. Some routers will contain a firewall that could be used in this boundary protection role, but this can’t be guaranteed.


Both software-based and boundary firewalls come with a default configuration in place. This should be reviewed and updated to provide the correct level of protection to meet the scheme's requirements.

Firewalls—What Cyber Essentials Requires

Cyber Essentials Certification requires that you use and configure a firewall to protect all your internet-connected devices, particularly those that connect to public or other untrusted Wi-Fi networks.

This applies to: All internet-connected devices including desktop computers, laptop computers, tablets, routers, and servers


Ensure that only safe and necessary network services can be accessed from the internet.


All devices run network services, which create some form of communication with other devices and services. By restricting access to these services, you reduce your exposure to attacks. This can be achieved using firewalls and equivalent network devices.

A boundary firewall is a network device that can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It helps protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, that can allow or block traffic according to its source, destination, and type of communication protocol.

Alternatively, firewall software may be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.

Requirements under this technical control theme

Every device that is in scope must be protected by a correctly configured firewall (or equivalent network device).

For all firewalls (or equivalent network devices), the applicant organisation must routinely:

  • Change any default administrative password to an alternative that is difficult to guess, or disable remote administrative access entirely
  • Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need and the interface is protected by one of the following controls:
    • A second authentication factor, such as a one-time token
    • An IP whitelist that limits access to a small range of trusted addresses
  • Block unauthenticated inbound connections by default
  • Ensure inbound firewall rules are approved and documented by an authorised individual, with the business need being included in the documentation
  • Remove or disable permissive firewall rules quickly, when they are no longer needed
  • Use firewall software on devices that are used on untrusted networks, such as public Wi-Fi hotspots.