What this control covers
This control requires organisations to place a properly configured firewall or equivalent boundary device between their internal systems and the internet, and between different internal network segments where appropriate. The aim is to restrict inbound and outbound traffic to what the business actually needs, close unused ports and services, and reduce the attack surface exposed to the public internet.
In practice, Cyber Essentials expects default-deny rules wherever feasible, removal of unnecessary port forwarding, and the use of strong authentication on any remote‑access services that remain exposed. Correct firewall configuration helps block opportunistic scans, simple exploitation tools and many automated attacks before they ever reach end‑user devices, making it a foundational element of the scheme.
What assessors expect to see
For Cyber Essentials, assessors expect to see that firewalls and boundary devices are actively enforcing traffic restrictions, rather than simply being present.
In practice, this means:
- A firewall or equivalent boundary device in place between the internet and all in-scope systems
- Inbound traffic restricted to only those services required for business
- Outbound traffic restricted where feasible, particularly on servers and infrastructure devices
- Default credentials changed on firewalls, routers, and network appliances
- Administrative access restricted and protected using strong authentication
Where remote access services are exposed to the internet (for example VPNs or remote management portals), assessors expect:
- Multi-factor authentication to be enabled
- Access restricted to named users or IP ranges where possible
- Services to be fully patched and vendor supported
For internal networks, assessors may also expect reasonable segmentation where different risk levels exist (for example separating servers from user devices), particularly in larger or more complex environments.
Common reasons organisations fail
Organisations commonly fail this control due to configuration issues rather than the absence of a firewall.
Frequent failure reasons include:
- Exposing unnecessary services or ports to the internet
- Port forwarding rules that are no longer required
- Firewalls or routers still using default administrative credentials
- Internet-facing management interfaces without multi-factor authentication
- Poor visibility of what services are exposed externally
- Assuming ISP-provided routers are “secure by default” without verification
In Cyber Essentials Plus assessments, failures often occur when:
- Live testing identifies open ports that were not declared
- Firewall rules do not match documented configurations
- Internal segmentation is claimed but not technically enforced
Practical tips for SMEs
For small and medium-sized organisations, the following practical steps can significantly reduce risk and improve assessment outcomes:
- Review all inbound firewall rules and remove anything that is no longer required
- Document why each exposed service is needed for business
- Disable internet-facing management interfaces wherever possible
- Use VPNs with MFA instead of exposing individual services
- Regularly review firewall configurations, especially after IT changes
- Keep firewall firmware and software fully up to date
- If unsure, perform an external port scan from outside your own network to see exactly what is visible from the internet, and compare the result with your documented rules
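The rule review in the tips above, and the Cyber Essentials Plus failure modes listed earlier (open ports that were not declared, rules that do not match documentation), can be turned into a repeatable check. The following is an added example and not part of this guidance or of any firewall vendor's tooling: a Python script that parses a constructed inbound rule export, flags allow rules with no recorded business justification or management services open to any source, and reports ports observed open in a scan that no documented allow rule accounts for. The rule export format, the rule names, the sample scan result and the management-port list are all assumptions made for illustration; real firewalls export rules in their own formats, and the list of ports you treat as management services should reflect your own estate.

```python
"""Compare documented inbound firewall rules with what is actually exposed.

Added example, not part of the guidance page. The rule export format, the
sample rules and the sample scan result below are constructed for
illustration and are not taken from any real firewall.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass

# Assumption: ports whose exposure to any source is almost always a finding
# (remote management and legacy admin services). Adjust for your estate.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp", 5900: "vnc"}

# Constructed rule export: name,action,source,port,justification.
# 203.0.113.0/24 is a documentation range (TEST-NET-3), not a real supplier.
SAMPLE_RULES = """\
# name,action,source,port,justification
web-https,allow,any,443,Public website
vpn,allow,any,1194,Staff remote access (MFA enforced on the VPN)
legacy-rdp,allow,any,3389,
vendor-ssh,allow,203.0.113.10/32,22,Supplier maintenance under contract
"""

# Constructed result of an external scan of the same boundary device.
SAMPLE_SCAN = {443, 1194, 3389, 8080}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "allow" or "deny"
    source: str         # CIDR or "any"
    port: int
    justification: str  # business reason recorded by the organisation


def parse_rules(text: str) -> list:
    """Parse the constructed export format, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=4 keeps commas inside the justification intact.
        name, action, source, port, justification = (f.strip() for f in line.split(",", 4))
        rules.append(Rule(name, action.lower(), source, int(port), justification))
    return rules


def review_rules(rules: list) -> list:
    """Findings for allow rules: missing justification, or management port open to any source."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not r.justification:
            findings.append(f"{r.name}: inbound allow on tcp/{r.port} has no documented business justification")
        if r.source == "any" and r.port in MANAGEMENT_PORTS:
            findings.append(f"{r.name}: {MANAGEMENT_PORTS[r.port]} (tcp/{r.port}) exposed to any source; "
                            "restrict the source or move it behind a VPN with MFA")
    return findings


def undeclared_ports(observed: set, rules: list) -> list:
    """Ports seen open that no documented allow rule explains (a typical CE Plus finding)."""
    declared = {r.port for r in rules if r.action == "allow"}
    return sorted(observed - declared)


def scan_ports(host: str, ports, timeout: float = 0.5) -> set:
    """Minimal TCP connect scan: return the ports that accept a connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def local_scan_check() -> bool:
    """Self-contained check of scan_ports against a listener on 127.0.0.1; needs no network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port now
    try:
        return scan_ports("127.0.0.1", {open_port, closed_port}) == {open_port}
    finally:
        listener.close()


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for finding in review_rules(rules):
        print("RULE FINDING:", finding)
    for port in undeclared_ports(SAMPLE_SCAN, rules):
        print(f"UNDECLARED: tcp/{port} is open externally but no documented rule allows it")
    print("local scanner check passed:", local_scan_check())
```

Run against the constructed data, the review flags the legacy RDP rule twice (no justification, and a management port open to the whole internet) and reports tcp/8080 as open but undeclared; the supplier SSH rule passes because its source is pinned to a single address. To use it for real, replace SAMPLE_RULES with your own export (adapting parse_rules to the vendor's format) and SAMPLE_SCAN with the ports reported by a scan run from outside your network.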
Simple, well-maintained configurations are often more secure and easier to assess than complex rule sets.
This guidance reflects common assessor interpretations and is intended to support understanding of Cyber Essentials requirements.