Network boundaries & Cyber Essentials

Jemma Aldridge Headshot
Jemma Aldridge
Cyber Essentials Assessor
05/01/2024

It’s not surprising that adoption of Cyber Essentials certification is growing steadily year on year. It’s a valuable certification to have, not least of all for the many commercial opportunities it presents. But as a Cyber Essentials Assessor, one thing I see repeatedly is that poor network boundary implementation makes reaching certification harder than it has to be – especially for smaller organisations. That’s what I’m going to be looking at in this blog.


Hardware boundary devices

One of the key 5 controls that Cyber Essentials evaluates is the implementation of the network boundary. Sometimes this is a hardware router, and often with a firewall either built-in, or a hardware firewall also used. The key importance of the boundary device is that it controls all incoming and outgoing traffic and can deny access to any potentially dangerous protocols or websites. However, a common issue for Cyber Essentials applications is that these are not configured correctly, or there is a lack of knowledge about best practices for firewalls and how they can be implemented.

Let’s start with one of the most common set-ups I see, where a company has its own office and their own router/firewall that was purchased by, and is managed by, themselves. We’re off to a good start that there’s a delimitation between the corporate network and the wider internet, but just the fact of having a boundary device itself is not enough.

Updates

Updates

Your boundary device must be capable of receiving regular firmware/software (as appropriate) updates from the vendor. This also means they can’t be at their end-of-life or end-of-support dates. For a Cyber Essentials assessment, we would therefore need the make and model of the device so that your assessor can check the vendor site, end-of-sale/life publications, and firmware update history to check the end-support dates and regularity of updates. Checking the boundary device is updated is a quick thing that all businesses undergoing Cyber Essentials can do ahead of their assessment to make certification go as quickly as possible. It’s also worth looking into support lifecycles ahead of buying a new boundary device. This would stop unfortunate expenditure on a device that would not be able to actively protect the company for long.

If the device is found to be at end-of-life, or to have not received an update for a certain amount of time, it would result in a failure of a Cyber Essentials assessment. This is due to the device not being able to protect against the latest ever-changing and developing security threat landscape.

Passwords

Passwords

Next, we would need to see confirmation that the default password of your router or firewall device has been changed, and the steps that were taken to do this so that we can verify this has definitely been completed. The best time to do this is when the device is first set up. The password must be strong, not easily guessable, and therefore less likely to be hacked.

Remote workers

Remote workers

Lastly, the issue of protection when working away from the office has not yet been considered. Even if there is a boundary device onsite there still needs to be protection in place in the event an employee was to work from home on occasion, at a conference, travelling, or if they’re just normally a remote worker. Therefore, the use of a VPN or software firewalls, and how these are implemented, would need to be noted in your Cyber Essentials to cover this.


Software boundary devices

This brings us nicely to our next scenario. In the post-pandemic world, remote working is often the norm. Now the biggest mistake for companies in this position is to believe they are exempt from this requirement and state there are no firewalls/boundary devices in place due to a fully remote workforce and no company routers. Whilst it is true for Cyber Essentials that home-based workers' ISP devices (such as the combi modem-router you get from your domestic broadband supplier) are out of scope, there still must be protections in place. Let’s take a look at what’s needed.

OS firewall applications

OS firewall applications

So here is where many companies get confused, but this can be much more straightforward than people think. All supported Windows and Mac OSes come with built-in firewalls. Simply checking the firewall is enabled on all devices would meet the need of having the basic firewall cover on all devices. As long as the Operating System on devices is kept up to date, this would be effective for compliance in Cyber Essentials. How’s that for a quick win?

Some companies may wish to go further here and also purchase some reputable firewall/endpoint software packages to ensure a more tailored and in-depth cover. For example, many Bulletproof Cyber Essentials packages include Defense.com subscription, which can feature endpoint protection. In this case, when completing your Cyber Essentials, you would need to provide the version details to ensure the installed software is up to date and therefore receiving the most recent security updates.

Default passwords

Default passwords

For software firewalls, a Cyber Essentials Assessor must confirm that the default firewall password has been changed. For the use of OS firewalls, this requirement could be met by confirming the default Admin password on all devices has been changed (and the steps on how this was done) so it can be verified the action has been completed.


Boundary devices managed by third parties

Another common area of confusion is when organisations have a boundary device managed by an external IT provider or has serviced offices.

Third-party IT provider

Third-party IT provider

Let’s now look at where your boundary device is managed by a third party, such as your IT provider. I’m going to say this in plain language: these are still in the scope of your Cyber Essentials certification and all questions need to be fully answered and applied! Even though it has been outsourced to a third party company, the certifying company still has overall responsibility for ensuring protection needs are being met. Outsourced service is not outsourced responsibility. The supplier must advise on how the default firewall password has been changed and know the configuration of the password. If these details aren’t known, then working with the provider to find these details needs to happen so this can be properly managed going forward.

Think of it this way: if the firewall is not up to date, is at end-of-life, or the password configuration is not strong enough, finding out now and asking the provider to replace or update the device would be much better than finding out after a worst-case scenario of a successful cyber attack on the company network. The Cyber Essentials self-assessment is all about identifying weak areas and improving them to ensure your company has a better security posture at the end, so if any of these things aren’t in place or are found then it’s a great opportunity to remediate. Cyber Essentials isn’t about judgement or criticism, it’s about doing what it takes to meet the basics.

Services or shared offices

Services or shared offices

In the case of a serviced or shared office, where the servicing company is providing the boundary device, the make and model details ideally should be provided in your Cyber Essentials assessment. Again, it should be confirmed if it’s currently in support by the manufacturer. If it’s not, then it won’t pass Cyber Essentials, and you’ll need to discuss it with the service provider and ask that this be replaced with a supported device. If doing Cyber Essentials Plus, you’ll also need permission to perform an external vulnerability scan on the serviced device.

Otherwise, in the scenario where the above details are unable to be released by the service provider or you, or the provider is having difficulty obtaining the details, or you can obtain the details but do not have permission for the device to be VA scanned, then there is a way forward. The equipment can be marked as out of scope and a new network boundary marked. This could be with your own hardware firewall in front of the third-party device, or locally to each machine at the software firewall level. In these cases, the previous advice still applies. Given that a Cyber Essentials Plus certification requires a vulnerability scan, having your own, single boundary device, rather than software firewalls on everyone’s laptop, will make certification easier.


One last thing... open ports

Another area that is sometimes forgotten to be considered when looking into firewall configuration is whether there are any open ports, and the process around these. If there are open ports needed, say for VPN access or any other external services, well, this is absolutely fine. The problem is if open ports are not properly documented and monitored. There should be a clear business case in place for the need of the open ports, and a regular review process to check all open ports. This is to ensure there are no misconfigurations, all is up to date and if a port is no longer needed to be open, it is closed promptly. This will provide optimum protection from any hackers using bot tools to identify open ports as a way into a network.

Summary

As you can see, Cyber Essentials doesn’t expect you to reinvent the wheel or be a technical genius on the topic of business firewalls (phew – a sigh of relief I hear). Instead, it’s all common sense security basics, the rationale behind which should be clear. Thinking about these simple steps would help protect company assets from security threats and keep you safe online. In today’s world, this knowledge is ever more important.

Jemma Aldridge Headshot

Meet the author

Jemma Aldridge Cyber Essentials Assessor

Jemma has a long background in IT specialises in cyber security. As a Cyber Essentials Assessor she has a great eye for technical detail and prides herself on a smart approach to helping businesses through certification.

Get Cyber Essentials certification today

Get expert assessor-led support and all the tools needed to pass with out flexible packages.

Learn more

Related resources


Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.