> series: cyber_essentials_demystified —— part: 03/10 —— control: firewalls —— function: boundary_defence
The firewall control is the first line of defence in the Cyber Essentials framework. Its purpose is straightforward: ensure that every device that connects to the internet is protected by a correctly configured firewall that controls what traffic is allowed in and out. Simple as that sounds in principle, this control is where a significant proportion of CE Plus assessment failures occur — not because organisations lack firewalls, but because the firewalls they have are misconfigured, overly permissive, or have accumulated years of exception rules that undermine their effectiveness.
This article covers what the Danzell v3.3 requirements specifically demand for the firewall control, the different types of firewall that apply (boundary, personal, cloud, and home router), the configuration mistakes we most commonly encounter during assessments, and practical guidance for ensuring your firewalls meet the standard.
We handle the Cyber Essentials process end to end — from gap analysis to certification.
Under the Danzell question set, the firewall requirements are clearly defined. Every device in scope must be protected by at least one firewall — and the firewall must be configured to deny inbound connections by default, allowing only those that have been explicitly approved as necessary for business operations. Outbound connections should be restricted where practical, though the scheme acknowledges that most organisations allow outbound traffic by default.
| Requirement | Detail | Common Failure |
|---|---|---|
| Default deny inbound | All inbound connections must be blocked by default. Only explicitly required services should be allowed through — and each allowed service must have a documented business justification. | Firewall has accumulated 'temporary' allow rules over years that were never removed. Rules reference decommissioned services or former staff IP addresses. |
| Administrative interfaces | Firewall and router management interfaces must not be accessible from the internet. If remote administration is required, it must be protected by additional measures such as VPN access or IP whitelisting combined with MFA. | Router management interface accessible on a public IP with default credentials. We see this more often than any IT team would care to admit. |
| Personal firewalls | All laptops, desktops, and tablets must have a software firewall enabled. The firewall must be configured to block inbound connections by default and must not be user-configurable — end users should not be able to disable it. | Software firewall disabled by a user who found it 'interfered with their application'. Group Policy not enforcing firewall state across the domain. |
| Home routers (remote workers) | If staff work from home, their home router's firewall must be configured appropriately — or the device they use must be protected by its own software firewall. The default configuration of most consumer routers satisfies the inbound blocking requirement, but the default admin password must be changed. | Home router running default admin credentials (admin/admin). Staff member's home network not considered in scope. |
For organisations using cloud infrastructure — AWS, Azure, Google Cloud — the traditional concept of a network boundary firewall extends to cloud security groups, network access control lists, and cloud-native firewall services. Under Danzell, cloud services are formally in scope, which means your cloud security group configurations must meet the same default-deny-inbound requirements as a physical firewall appliance.
The most common cloud firewall failure we encounter is overly permissive security groups — typically set to allow all inbound traffic on all ports during development and never locked down for production. A security group that allows inbound SSH (port 22) or RDP (port 3389) from 0.0.0.0/0 is a critical misconfiguration that will fail a CE Plus assessment and, more importantly, exposes your cloud infrastructure to brute-force attacks from the entire internet.
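As an added example (not code from the original article), the script below audits security-group rules in the shape of AWS `describe-security-groups` output against the two points made above: internet-wide (0.0.0.0/0 or ::/0) exposure of SSH, RDP or all ports, and allow rules that carry no recorded business justification. The group IDs, names, CIDRs and descriptions are constructed sample data, not taken from any real account.

```python
import json
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not from any real account).
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "GroupName": "web-prod", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS - customer portal"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0example2", "GroupName": "dev-sandbox", "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp - remove after testing"}]}]},
  {"GroupId": "sg-0example3", "GroupName": "bastion", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "Office egress IP, MFA VPN"}]}]}
]}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def _covers(rule, port):
    """True if the rule's port range (or 'all protocols', -1) includes `port`."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def audit_security_groups(data):
    """Return (group_id, cidr, problem) tuples for rules breaching the CE firewall control."""
    findings = []
    for sg in data["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                world = ipaddress.ip_network(cidr).prefixlen == 0  # 0.0.0.0/0 or ::/0
                if not rng.get("Description"):
                    findings.append((sg["GroupId"], cidr, "no business justification recorded"))
                if world and rule["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], cidr, "all ports/protocols open to the internet"))
                elif world:
                    for port, name in ADMIN_PORTS.items():
                        if _covers(rule, port):
                            findings.append((sg["GroupId"], cidr, f"{name} ({port}) open to the internet"))
    return findings

if __name__ == "__main__":
    for group_id, cidr, problem in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {cidr} - {problem}")
```

Pointing the same function at real `describe-security-groups` JSON gives a first-pass list of rules to remediate or justify before an assessment; the bastion group with a single office /32 and a recorded justification passes clean.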
Preparing your firewalls for a Cyber Essentials assessment — whether CE or CE Plus — requires a systematic review rather than a last-minute scramble. The following steps will identify and close the most common gaps.
A firewall that is correctly configured today can drift out of compliance within weeks as new rules are added, exceptions are granted, and configurations are modified. For organisations that want continuous visibility into their firewall posture — and their broader security state — SOC in a Box provides 24/7 monitoring that detects configuration drift, identifies unauthorised changes, and alerts your team before a misconfiguration becomes an exposure.
For organisations that want their firewall configurations tested under realistic attack conditions, our infrastructure penetration testing service probes your boundary from the outside using the same tools and techniques an attacker would use — providing evidence of what gets through and what does not.
Next week, we deep-dive into Control 2 — Secure Configuration. We cover what Danzell requires for default passwords, unnecessary accounts, device hardening, and the configuration baselines that every in-scope device must meet.
As an IASME-approved certification body, we assess your firewall configuration as part of every CE Plus engagement. If you want to fix issues before the assessment, our <a href="/cyber-essentials/concierge">Concierge service</a> identifies and remediates gaps so you pass first time.