Firewalls are a necessity for businesses of all sizes. Think of them as your digital security guards, tirelessly inspecting network traffic and blocking any malicious intrusions. However, choosing the right firewall and ensuring it meets essential security standards can be overwhelming.
This guide breaks down the fundamental aspects of firewall protection for your business, in line with the NCSC's Cyber Essentials requirements, covering everything from perimeter defences to individual workstations, servers, cloud services and remote employees.

OCM Communications are an approved Cyber Essentials Certification Body.
#1 - Boundary Firewalls: The First Line of Defence of Cyber Essentials
Boundary firewalls are critical to business security, forming a protective barrier between your internal network and external threats from the internet. With Cyber Essentials, implementing a properly configured boundary firewall is a mandatory requirement, ensuring that only secure and necessary traffic is allowed into and out of your network.
Key Features:
Packet filtering: Inspects and filters individual packets based on IP addresses, port numbers, and protocols. This aligns with the Cyber Essentials requirement to control access to your network through firewalls.
Stateful inspection: Ensures that only traffic from established, trusted connections is allowed, preventing unauthorised access.
Intrusion Prevention Systems (IPS): Actively monitor network traffic for known malicious patterns and block attack attempts.
VPN Support: A critical feature, enabling secure, encrypted remote access to the network. A must for protecting data during remote work, as encouraged in the NCSC’s Secure Home and Remote Working guidance.
Common Hardware Platforms:
Dedicated firewall appliances: Purpose-built hardware devices with advanced security features, suitable for larger businesses requiring high performance and granular control.
Integrated firewalls in routers: For small and medium-sized enterprises (SMEs), business-grade routers with built-in firewalls can be a cost-effective option. Cyber Essentials allows this option, provided they are correctly configured to restrict unauthorised access.
Best Practices for Boundary Firewalls (Based on NCSC Guidance):
Keep your firewall software up to date: Regularly applying the latest firmware updates is essential for addressing vulnerabilities, in line with Cyber Essentials' requirement for up-to-date security controls.
Strong access control rules: Define specific rules based on user roles, devices, and applications to restrict access to sensitive systems.
Implement a DMZ (Demilitarized Zone): Separate publicly accessible servers from the internal network to protect sensitive data, adhering to Cyber Essentials' principle of network segmentation.
Regularly audit firewall logs: Monitor for unusual activity, enabling prompt action on suspicious traffic patterns, aligned with Cyber Essentials' recommendation for logging and monitoring.
Why it's Crucial:
Boundary firewalls protect your sensitive data and internal resources from unauthorised access and cyber-attacks, meeting Cyber Essentials' Requirement , which mandates the installation and configuration of boundary firewalls or internet gateways.
"The network firewall is the first line of defence, but it's only as strong as the people and processes behind it."

#2 - Workstation and Server Firewalls: Individual Protection for Every Device
While a boundary firewall protects your network at the perimeter, it's equally important to secure individual devices within your network. This includes both workstations (employee computers) and servers.
Why it's crucial:
Think of it like this: even with a strong perimeter fence around your building, you still lock the doors to individual rooms. Why? Because it adds an extra layer of protection. If an attacker manages to bypass the boundary firewall or if a threat originates from within the network (e.g., an infected USB drive), workstation and server firewalls act as the last line of defence.
Workstation Firewalls:
What they do: Monitor network traffic going to and from each employee's computer. They block malicious software, prevent unauthorised connections, and control application access to the network.
Benefits:
Contain malware infections, preventing them from spreading to other devices.
Protect against targeted attacks on individual employees.
Control which applications can access the network and internet, reducing the risk of data leakage.
Windows and macOS both include a free built-in firewall, which should be enabled at all times.
Server Firewalls:
What they do: Similar to workstation firewalls, but specifically designed for servers' unique security needs. They control network access to critical server resources, block unauthorised access attempts, and protect against server-specific vulnerabilities.
Benefits:
Harden your servers against external attacks and internal threats.
Prevent unauthorised access to sensitive data stored on your servers.
Ensure the availability of critical services by blocking malicious traffic.

#3 - Internal Firewalls and Network Segmentation: Divide and Conquer
Beyond boundary firewalls, businesses should implement internal firewalls and network segmentation to isolate critical systems. Cyber Essentials recommends minimising access to services and ports that are not explicitly required for business needs, which can be achieved with internal firewalls.
Best Practices for Internal Firewalls:
Segment your network: Use internal firewalls to create separate zones for sensitive systems (e.g., finance, HR), so that a breach in one part of your network does not spread to the rest.
Granular access controls: Ensure internal firewalls enforce strict access policies to limit who and what can communicate with sensitive areas of your network.
Key features: VLANs, access control lists (ACLs), and internal firewalls.
Why it's crucial:
Segmentation contains security threats within a specific segment, preventing them from spreading to the entire network. For example, you can isolate your financial data from your customer database.

#4 - Server Firewalls in Cloud Environments (IaaS, PaaS, and SaaS)
As businesses continue to migrate services to the cloud, securing your infrastructure, platform, and software services using firewalls is critical. Cloud security operates under the shared responsibility model, which is key to understanding your security obligations. In this model, the cloud service provider (CSP) is responsible for securing the underlying infrastructure, while the customer is responsible for securing the data, applications, and configurations they run on the platform. Using Cyber Essentials and NCSC guidance, it is essential for businesses to understand and fulfil their responsibilities in cloud environments to ensure comprehensive protection.
Shared Responsibility Model Overview
Cloud Provider's Responsibility: In any cloud environment—whether IaaS, PaaS, or SaaS—the cloud provider is responsible for securing the physical infrastructure, including hardware, data centres, and core networking. For example, they ensure that their facilities are protected from physical threats, manage hypervisor security, and provide the basic security tools you need to protect your data and applications.
End-User's Responsibility: You, as the cloud customer, must manage the security of your data, applications, and configurations. This includes implementing and managing firewalls, access controls, data encryption, and compliance with relevant security standards such as Cyber Essentials. Failing to configure firewalls and other security features correctly can leave your cloud infrastructure vulnerable to attack.
IaaS (Infrastructure as a Service)
In IaaS environments such as Amazon Web Services (AWS) or Microsoft Azure, the cloud provider manages the underlying infrastructure (e.g., servers, storage, and networking). However, you are responsible for securing the cloud resources you deploy. This includes configuring network firewalls such as AWS Security Groups or Azure Network Security Groups to control traffic to and from your virtual machines (VMs).
Example of Responsibility: In AWS, you would configure Security Groups to allow traffic only from approved IP addresses and block any unauthorised access attempts. This is a key element of the shared responsibility model because AWS secures the underlying hardware, but you must configure the firewall rules to protect your VMs.
Cyber Essentials Guidance: Ensure that all traffic to cloud-based services is tightly controlled using firewall rules, and regularly review these rules to block any unnecessary access. You are responsible for managing network security configurations, just as you would with an on-premise firewall.
PaaS (Platform as a Service)
In PaaS solutions such as Google App Engine or Azure App Service, the cloud provider manages the infrastructure, including servers and runtime environments. However, you are still responsible for securing the applications you build and deploy on these platforms. This includes configuring application-level firewalls to protect your services from malicious traffic.
Example of Responsibility: When using Azure App Service, you must enable and configure a Web Application Firewall (WAF) to protect against web-based threats like SQL injection and cross-site scripting (XSS). The cloud provider secures the underlying platform, but you need to ensure your applications and their configurations are secure.
Cyber Essentials Guidance: Ensure that cloud-based applications are protected by firewalls at the application layer, particularly when dealing with sensitive data. Implement WAFs and regularly review security configurations for cloud-deployed applications.
SaaS (Software as a Service)
With SaaS offerings like Office 365 or Salesforce, the cloud provider manages almost all aspects of the service, including security at the infrastructure, platform, and application levels. However, you are still responsible for managing how users access these services. This includes enforcing access control policies, managing permissions, and utilising multi-factor authentication (MFA).
Example of Responsibility: In Office 365, it is your responsibility to configure conditional access policies and ensure that only authorised users can access the service. You might also require VPN connections or location-based restrictions for enhanced security, depending on your organisation's requirements.
Cyber Essentials Guidance: Implement strong access control policies for SaaS applications, enforce MFA for all users, and review user activity to detect and respond to potential threats. Your responsibility includes ensuring that only legitimate users can access cloud services.
Why It's Crucial
In cloud environments, while the cloud provider is responsible for securing the underlying infrastructure, you must take responsibility for the correct configuration of firewalls, access control, and user-level security measures. Misconfigurations in cloud firewalls or security settings could expose your infrastructure or services to unauthorised access and increase the risk of a data breach. Understanding the shared responsibility model is critical to maintaining security compliance and protecting your cloud assets.
By adhering to Cyber Essentials and NCSC guidance, businesses can secure their cloud services effectively and ensure they fulfil their responsibilities under the shared responsibility model, protecting against common cyber threats.

#5 - Remote Worker Firewalls: Essential Protection for a Mobile Workforce
With the increase in remote working, ensuring that employees accessing company networks from home or other locations are equally protected is critical. According to NCSC's Secure Home and Remote Working guidance, VPNs, combined with personal firewalls, form the foundation of secure remote access.
Key Cyber Essentials Recommendations:
VPNs for Secure Connections: Remote employees should always use a VPN to encrypt their internet connections when accessing the company network. This meets Cyber Essentials’ requirement to secure internet-facing services.
Personal firewalls: Ensure employees enable personal firewalls on their laptops or home routers to add an extra layer of protection. This aligns with the Cyber Essentials principle of protecting all devices that access the network.

To Sum Up
Firewalls are an essential element of any business's cyber security strategy, serving as the first line of defence against external threats. The NCSC's Cyber Essentials framework highlights the importance of properly configured firewalls and internet gateways, ensuring that businesses of all sizes are protected from the most common cyber threats.
By adhering to these firewall best practices and ensuring your firewalls meet the Cyber Essentials standards, you can significantly enhance your business's resilience to cyber-attacks.
No matter which type of firewall you use, proper configuration and maintenance are key to ensuring their effectiveness. According to best practices, firewalls should be set up with "deny by default" rules, only allowing specific, necessary services.
Key Configuration Tips:
Deny by default: Ensure all firewalls (whether boundary, internal, or cloud-based) block all traffic by default, only allowing traffic that is explicitly permitted.
Disable unused services: Close any services or ports that aren’t necessary for your operations.
Regularly audit logs: Review your firewall logs frequently to detect unusual activity and take action if necessary.
Patch and update regularly: Keep your firewalls up to date with the latest firmware and security patches so that known vulnerabilities are fixed.
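The log audit recommended in these tips, and in the boundary firewall best practices earlier, can be partly automated. The following added example (not part of the original guide) reads dropped-packet lines in the Linux netfilter kernel log format and reports any source address that was blocked on many different destination ports, a common sign of port sweeping. The `FW-DROP: ` log prefix, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the firewall logs dropped packets with the prefix "FW-DROP: ".
LINE_RE = re.compile(r"FW-DROP: .*?\bSRC=(\S+).*?\bDPT=(\d+)")

def sweep_sources(lines, min_ports=5):
    """Map each source IP that was dropped on at least min_ports distinct
    destination ports to the sorted list of those ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if match:  # lines without the prefix or fields are skipped
            src, dpt = match.groups()
            ports_by_src[src].add(int(dpt))
    return {src: sorted(ports)
            for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}

def sample_line(src, dpt):
    """Build one constructed log line in netfilter's key=value layout."""
    return (f"Jan 12 09:14:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT={dpt} SYN")

# Constructed sample log: one source probing five ports, one source
# retrying a single port, and one unrelated kernel message.
SAMPLE_LOG = [sample_line("203.0.113.7", p) for p in (21, 22, 23, 3389, 5900)]
SAMPLE_LOG += [sample_line("198.51.100.20", 443)] * 3
SAMPLE_LOG.append("Jan 12 09:14:02 gw kernel: eth0: link up")

if __name__ == "__main__":
    for src, ports in sweep_sources(SAMPLE_LOG).items():
        print(f"{src} was blocked on {len(ports)} ports: {ports}")
```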
Aligning your firewall strategy with Cyber Essentials and NCSC guidance will ensure that your business has the best possible protection from cyber threats, both today and in the future.
Implementing and managing firewalls can be complex, but OCM Communications Limited is here to help. We offer comprehensive firewall solutions tailored to your business needs, including:
Firewall assessment and design: We analyse your network and security requirements to recommend the best firewall solutions for your business.
Firewall deployment and configuration: Our experts handle the installation and setup of your firewalls, ensuring optimal performance and security.
Firewall management and monitoring: We provide ongoing management and monitoring of your firewalls, keeping them updated and protecting your business from the latest threats.
Don't wait for a security breach. Contact OCM Communications Limited today and let us help you build a robust firewall strategy to protect your business.
"In cyber security, a firewall isn't just a technology. It’s a discipline that keeps threats at bay while letting business operate securely."