
Firewall Fundamentals: The Cyber Essential requirements to consider
Firewalls are a cybersecurity fundamental that should be in place for all businesses and organisations, regardless of size and shape. They serve as a filter at the entry and exit points of your devices or networks to inspect traffic and identify potentially dangerous activity. Having a firewall in place is a requirement for Cyber Essentials, but there are loads of ways to skin this particular cat. This week we’re putting on our fire-proof gloves and climbing the firewall: We want to provide a simple reminder of what they are, and how you should pick one in the context of Cyber Essentials.
What is a Firewall?
When data is sent to and fro between your device and others, it enters and leaves via the internet-connected network your machine is on before accessing ‘the internet’. This is often via a router or gateway. Firewalls sit at the entry and exit points of either your computer or the network you’re sitting on, and serve to inspect the packets of data that move in and out of either your computer, or your network. This inspection works both ways – it checks data on the way in and on the way out. There are many types of firewall – but put simply, it checks data against predefined security checks called firewall rules, and blocks anything that doesn’t meet the requirements. In short, it creates a security barrier between your private laptop, your private internal network, and the public internet. It’s nothing less than vital.
The Main Types of Firewalls
There are loads of different types of firewalls that take different approaches to carrying out the same fundamental task of inspecting data movements and interfering if necessary to protect you; we’re sticking with the Cyber Essentials-relevant material today, and so for our purposes, we’re focusing on the locations where these firewalls are allowed to be. For Cyber Essentials, you need to have a firewall in place either at the boundary of your network (this is unsurprisingly referred to as a boundary firewall), or you need to have a piece of software on each computer that works as a firewall for that device (this is again unsurprisingly called a software firewall).
Boundary Firewalls
A boundary firewall sits at the edge of your network, acting as the main guard post between you and the internet.
- Hardware Firewalls: These are separate physical devices, like a small computer, installed between your network and the internet. They are powerful and typically used by larger companies who need to be able to inspect large amounts of traffic at once.
- Router Firewalls: For most small businesses and home networks, the firewall is built directly into the internet router provided by your internet service provider (ISP). This device is the gateway to your network, making it vital that its inbuilt firewall is turned on and configured correctly. Disabling it is like leaving your front door wide open.
Software Firewalls
A software firewall is a program installed directly onto an individual computer, laptop, or server, protecting that single device. Most modern operating systems include a free, pre-installed software firewall. This adds a critical layer of internal protection, allowing you to control the behaviour of specific applications on each machine. For Cyber Essentials, every device that accesses company data must have its software firewall configured.
Checking if your software firewall is enabled is super easy.
- On Windows, you can check the status of your software firewall by navigating to Settings, then Update & Security or Privacy & security, and selecting Windows Security. From there, choose Firewall & network protection to see if your firewall is active.
- On a Mac, go to System Settings (or System Preferences on older macOS versions), then click Network or Security & Privacy, and select the Firewall tab. You’ll see if the firewall is turned on or off.
Virtual Firewalls
A virtual firewall is another type of software-based firewall. It is built into a hypervisor, which is software used to create and manage virtual machines (VMs) on a server. It inspects and controls traffic flowing between these virtual machines, acting much like a traditional network firewall, and can serve as a boundary firewall.
Firewall Rules and Open Ports
As mentioned, firewalls operate by checking traffic against firewall rules. This collection of rules is referred to as an access control list. It’s worth noting that the recommended best practice is to block all traffic by default and then produce an access control list of traffic from trusted sources to allow, rather than to allow everything and produce a list of untrusted sources to block. This is because – as with all unknown threats – we don’t know what we don’t know! This means that the best practice is to block all inbound ports by default.
An ‘open port’ is a port that has been configured to accept data packets from the wider internet, creating a deliberate hole in your firewall. Devices can have certain ports opened and closed to allow for specific types of traffic to be addressed to them.
While this is sometimes necessary for business reasons, such as allowing access to a mail server or VPN, it must be a considered and deliberate decision. Criminals use automated tools to scan the internet for open ports that could be exploited – and often reconnaissance is conducted against a potential target by scanning the external IP address for open ports. You don’t even need to be actively targeted to come up in one of these scans, as automated tooling can hunt for examples of certain ports and then decide if it’s worth pursuing. Therefore, any open port must have a legitimate business requirement, be documented, and be closed as soon as it’s no longer needed. This is a requirement for Cyber Essentials.
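To make the default-deny and documented-open-port requirements checkable, here is an added example (not part of the original article) that audits an inbound ruleset against a register of approved ports. The rule format, the register fields and the use of a review date to flag ports that may no longer be needed are assumptions made for illustration; all sample data is constructed.

```python
# Constructed sample: inbound rules as they might be exported from a firewall.
RULES = [
    {"action": "allow", "proto": "tcp", "port": 443},
    {"action": "allow", "proto": "udp", "port": 1194},
    {"action": "allow", "proto": "tcp", "port": 3389},
    {"action": "deny", "proto": "tcp", "port": 23},
]

# Constructed register of approved open ports. Review dates are ISO-8601
# strings, which compare correctly as plain strings.
REGISTER = {
    ("tcp", 443): {"need": "Customer web portal", "review": "2026-01-31"},
    ("udp", 1194): {"need": "Staff VPN", "review": "2024-06-30"},
}


def audit(default_inbound, rules, register, today):
    """Return (finding, port) pairs for every gap between rules and register."""
    findings = []
    # Best practice from the article: inbound traffic is blocked by default.
    if default_inbound != "deny":
        findings.append(("default-policy", "inbound default is not deny"))
    open_ports = {(r["proto"], r["port"]) for r in rules if r["action"] == "allow"}
    for proto, port in sorted(open_ports):
        entry = register.get((proto, port))
        if entry is None:
            # Open port with no recorded business requirement.
            findings.append(("undocumented", f"{proto}/{port}"))
        elif entry["review"] < today:
            # Documented, but nobody has recently confirmed it is still needed.
            findings.append(("review-overdue", f"{proto}/{port}"))
    # Register entries with no matching rule: the paperwork is out of date.
    for proto, port in sorted(set(register) - open_ports):
        findings.append(("stale-register-entry", f"{proto}/{port}"))
    return findings


if __name__ == "__main__":
    for finding in audit("deny", RULES, REGISTER, "2025-01-01"):
        print(finding)
```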
A note on VPNs and Remote Working
Firewalls often arise in conversations around remote working and the use of VPNs to access the company network. Here’s what you need to consider when thinking about Cyber Essentials…
- Home Workers: If your employees work from home using their own internet connection, their home router is not in scope for Cyber Essentials (unless you provided it). However, it is vital that the software firewall on their work device is securely configured to protect any organisational data it accesses.
- Virtual Private Networks (VPNs): A VPN creates a secure connection for remote workers back to the organisation’s private network, which means that it’s possible to still use the office boundary firewall instead of a software firewall. However, it’s vital to make sure you’re using a single tunnel VPN, and not a split tunnel VPN. The former ensures that all traffic is channelled through the company’s secure firewall. The latter doesn’t route all traffic through the company firewall and so isn’t considered an acceptable option for corporate VPNs. If the user has a software firewall in place, then you don’t need to worry about this for Cyber Essentials, but should still consider if you would find value in the use of a corporate VPN.
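The single tunnel versus split tunnel distinction can be checked from a device's routing table. The following is an added example, not part of the original article: it applies longest-prefix matching to Linux `ip route`-style text and reports which probe destinations would bypass the VPN. The interface names, both routing tables and the probe addresses are constructed; route metrics are ignored as a simplification.

```python
import ipaddress

# Constructed tables. tun0 is the VPN interface, wlan0 the home network.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link
10.8.0.0/24 dev tun0 scope link
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
"""
# One corporate address and two public ones. They are only lookup keys;
# nothing is sent to them.
PROBES = ["10.20.30.40", "198.51.100.7", "8.8.8.8"]


def parse_routes(text):
    """Turn 'prefix ... dev IFACE' lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def tunnel_mode(table_text, vpn_dev, probes):
    """Return ('full', []) or ('split', [destinations that bypass the VPN])."""
    routes = parse_routes(table_text)
    leaks = [p for p in probes if egress_interface(routes, p) != vpn_dev]
    return ("split", leaks) if leaks else ("full", [])
```

In the first table the two /1 routes are more specific than the default route, so all probes leave via tun0 even though a default route through wlan0 is still present.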
Conclusion
And that concludes our tour of the Cyber Essentials firewall requirements… ADAS Ltd is a qualified Certification Body for the IASME regulated services like Cyber Essentials and Plus, and IASME Cyber Assurance Level 1 and 2. If you’re looking for a partner in your journey to getting badged up as Cyber Essentials or Cyber Assurance assessed, then look no further and drop us an email!