
Firewalls and Gateways: Building Strong Perimeters

Understand how to configure and maintain boundary firewalls and internet gateways for robust network security and Cyber Essentials compliance.

What are Boundary Firewalls?

Boundary firewalls and internet gateways are your organisation's first line of defence, controlling all traffic between your internal network and the outside world. They're essential for Cyber Essentials compliance and fundamental network security.

The Role of Network Perimeter Defence

Your network perimeter is like the walls and gates of a medieval castle - it defines the boundary between your trusted internal network and the untrusted outside world. Boundary firewalls and internet gateways serve as intelligent guards at these gates, deciding what traffic should be allowed to pass through.

In the context of Cyber Essentials, this control area focuses on ensuring that devices connecting your organisation to the internet are configured securely and that unnecessary services are not accessible from outside your network.

Types of Network Boundaries

Hardware Firewalls

Hardware firewalls are dedicated devices that sit between your internal network and the internet. They provide robust protection and are typically used in business environments.

  • Enterprise firewalls: High-performance devices for large organisations
  • SMB firewalls: Cost-effective solutions for smaller businesses
  • Router-integrated firewalls: Built into business and ISP-issued routers

Software Firewalls

Software firewalls run on individual devices or servers, providing device-level protection that complements network-level security.

  • Operating system firewalls: Built into Windows, macOS, and Linux
  • Third-party solutions: Enhanced firewall software with additional features
  • Application firewalls: Protecting specific applications and services

Essential Firewall Configuration

Default Deny Policy

The most important firewall principle is "default deny" - block everything by default and only allow specific traffic that you explicitly permit.

  • Block all inbound connections by default
  • Allow outbound connections as needed
  • Create specific rules for required services
  • Log denied connections for monitoring

Common Firewall Rules

Essential Inbound Rules

  • Web servers (HTTP/HTTPS): Ports 80 and 443 if hosting websites
  • Email servers: Ports 25, 110, 143, 993, 995 for mail services
  • Remote access: Port 22 (SSH) or 3389 (RDP) with restrictions
  • VPN connections: Specific ports for VPN protocols

Essential Outbound Rules

  • Web browsing: Ports 80 and 443 for HTTP/HTTPS
  • Email: Port 25 for SMTP, ports 993/995 for secure email
  • DNS queries: Port 53 for domain name resolution
  • Software updates: Various ports for automatic updates

Internet Gateway Security

Internet gateways include routers, modems, and other devices that provide internet connectivity. These devices need specific security attention as they're directly exposed to the internet.

Router Security Essentials

Critical Router Settings

  • Change default passwords: Replace all default login credentials with strong passwords
  • Disable WPS: Turn off Wi-Fi Protected Setup due to security vulnerabilities
  • Update firmware: Keep router firmware up to date with security patches
  • Disable remote management: Turn off remote administration unless absolutely necessary

Advanced Firewall Features

Stateful Packet Inspection

Modern firewalls use stateful inspection to track the state of network connections. This means they remember which connections were initiated from inside your network and can allow return traffic while blocking unsolicited inbound connections.
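The following is an added illustration, not code from the original article: a small stateful packet filter in Python that combines the default-deny policy and the restricted inbound rules described above with the connection tracking just explained. It assumes a constructed admin network (203.0.113.0/24) as the only source permitted to reach SSH, allows HTTPS from anywhere, logs every denied packet, and permits inbound traffic only when it is the return half of a connection that was opened from inside.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = from the internet, "out" = from the internal network
    src: str
    sport: int
    dst: str
    dport: int

# Assumed admin network for the example (TEST-NET-3, constructed for illustration).
ADMIN_NET = ipaddress.ip_network("203.0.113.0/24")

# Explicit inbound allow list: destination port -> permitted source network (None = any).
# Anything not listed here is denied; that is the "default deny" policy.
INBOUND_ALLOW = {443: None, 22: ADMIN_NET}

@dataclass
class StatefulFirewall:
    flows: set = field(default_factory=set)     # connections initiated from inside
    denied: list = field(default_factory=list)  # log of denied inbound packets

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound is allowed; remember the 4-tuple so replies can come back.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Stateful check: is this the reverse of a flow we opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        # Unsolicited inbound: only explicit rules may permit it.
        if pkt.dport in INBOUND_ALLOW:
            net = INBOUND_ALLOW[pkt.dport]
            if net is None or ipaddress.ip_address(pkt.src) in net:
                return "ALLOW"
        self.denied.append(pkt)  # log denied connections for monitoring
        return "DENY"

def demo() -> list:
    """Run constructed sample packets through the filter; returns the decisions."""
    fw = StatefulFirewall()
    packets = [
        Packet("out", "192.168.1.10", 51000, "198.51.100.5", 443),   # browse a website
        Packet("in", "198.51.100.5", 443, "192.168.1.10", 51000),    # reply to that request
        Packet("in", "198.51.100.77", 40000, "192.168.1.10", 51001), # unsolicited, no rule
        Packet("in", "203.0.113.8", 40001, "192.168.1.20", 22),      # SSH from admin net
        Packet("in", "198.51.100.77", 40002, "192.168.1.20", 22),    # SSH from elsewhere
        Packet("in", "198.51.100.77", 40003, "192.168.1.20", 3389),  # RDP, no rule at all
        Packet("in", "198.51.100.9", 40004, "192.168.1.30", 443),    # HTTPS to the web server
    ]
    return [fw.filter(p) for p in packets]
```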

Application Layer Filtering

Advanced firewalls can inspect traffic at the application layer, understanding protocols like HTTP, FTP, and email. This allows for more sophisticated filtering based on content rather than just ports and IP addresses.

Intrusion Detection and Prevention

Many modern firewalls include IDS/IPS capabilities that can detect and block malicious traffic patterns, providing additional protection beyond basic filtering.

Cyber Essentials Requirements

For Cyber Essentials certification, you need to demonstrate that your boundary firewalls and internet gateways are configured according to these principles:

  • Default deny: Unnecessary services are not accessible from the internet
  • Secure configuration: Default passwords changed and unnecessary features disabled
  • Regular updates: Firmware and software kept up to date
  • Appropriate rules: Firewall rules match your business needs
  • Documentation: Clear understanding of what services are exposed and why

Common Mistakes to Avoid

  • Leaving default settings: Using manufacturer defaults for passwords and configuration
  • Over-permissive rules: Allowing more access than necessary
  • Lack of monitoring: Not reviewing firewall logs for suspicious activity
  • Ignoring updates: Failing to apply security patches to firewall devices
  • No documentation: Not maintaining records of firewall rules and changes

Monitoring and Maintenance

Firewalls require ongoing attention to remain effective:

  • Regular log review: Check firewall logs for blocked attacks and policy violations
  • Rule audits: Periodically review and clean up firewall rules
  • Performance monitoring: Ensure firewalls aren't becoming bottlenecks
  • Testing: Regularly test firewall effectiveness with security scans
  • Change management: Document all firewall configuration changes
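As an added example for the log-review item above (not part of the original article), here is a small Python triage script over constructed firewall deny-log lines in the common Linux kernel `SRC=... DPT=...` format. It groups denied connections by source address, counts how many distinct ports each source probed, and flags sources that look scan-like or that keep hitting a remote-access port; the threshold and the "admin ports" set are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in iptables/nftables LOG style (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=22
Mar  3 10:15:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=23
Mar  3 10:15:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=445
Mar  3 10:15:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=3389
Mar  3 10:15:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=8080
Mar  3 10:16:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=50100 DPT=22
Mar  3 10:16:11 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=50101 DPT=22
Mar  3 10:16:12 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=50102 DPT=22
Mar  3 10:20:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.14 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
ADMIN_PORTS = {22, 3389}     # assumed remote-access ports worth extra attention
SCAN_THRESHOLD = 4           # assumed: this many distinct ports from one source = scan-like

def triage(log_text: str) -> dict:
    """Summarise denied connections per source and attach review flags."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall deny line; skip it
        hits[m["src"]].append((m["proto"], int(m["dpt"])))
    report = {}
    for src, events in hits.items():
        ports = sorted({dpt for _, dpt in events})
        flags = []
        if len(ports) >= SCAN_THRESHOLD:
            flags.append("scan-like")          # many different ports from one source
        admin_hits = sum(1 for _, dpt in events if dpt in ADMIN_PORTS)
        if admin_hits >= 3:
            flags.append("repeated-admin-port") # persistent knocking on SSH/RDP
        report[src] = {"denied": len(events), "ports": ports, "flags": flags}
    return report

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["denied"]):
        print(f"{src:16} denied={info['denied']:3} ports={info['ports']} {info['flags']}")
```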

Getting Help

Firewall configuration can be complex, especially for larger organisations. Consider:

  • Professional assessment: Have your firewall configuration reviewed by experts
  • Managed services: Consider outsourcing firewall management for complex environments
  • Training: Ensure your IT team understands firewall principles and best practices
  • Documentation: Maintain clear documentation of your network architecture and firewall rules
