It's common for businesses to operate out of a serviced office or shared office, such as a co-working space. If this is the case, there are some simple steps to take in order to meet the firewall controls for internet boundaries for Cyber Essentials.
The organisation does not need to manage the network itself; it is acceptable to confirm with the provider that the controls are in place.
From the official specifications: for all firewalls (or equivalent network devices), the organisation must routinely:
- change any default administrative password to an alternative that is difficult to guess — or disable remote administrative access entirely
- prevent access to the administrative interface (used to manage firewall configuration) from the Internet, unless there is a clear and documented business need and the interface is protected by one of the following controls: (A) a second authentication factor, such as a one-time token, or (B) an IP whitelist that limits access to a small range of trusted addresses
- block unauthenticated inbound connections by default
- ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
- remove or disable permissive firewall rules quickly, when they are no longer needed
- use a host-based firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots
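The controls above are easy to check one at a time but tend to drift once rules accumulate. As an added example (not part of the Cyber Essentials specification or this page), the Python script below audits a simple model of a boundary firewall against those controls: default password changed, inbound blocked by default, every inbound allow rule approved with a documented business need, expired rules removed, and any rule exposing the management interface protected by MFA or a small IP allowlist. The `Rule` and `Firewall` fields, the 256-address threshold for a "small range of trusted addresses", and the sample ruleset are all assumptions constructed for illustration.

```python
"""Audit a firewall ruleset against the Cyber Essentials boundary-firewall
controls.  This is an illustrative model, not a vendor export format: the
rule fields and the sample ruleset below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    direction: str                 # "inbound" or "outbound"
    source: str                    # CIDR the rule permits, e.g. "0.0.0.0/0"
    port: int
    action: str                    # "allow" or "deny"
    approved_by: str = ""          # authorised individual who signed off
    business_need: str = ""        # documented reason for the rule
    expires: Optional[date] = None # review/expiry date, if any
    admin_interface: bool = False  # rule exposes the firewall's own management UI
    mfa: bool = False              # management UI requires a second factor


@dataclass
class Firewall:
    default_inbound: str           # "deny" or "allow"
    rules: List[Rule] = field(default_factory=list)
    default_admin_password_changed: bool = False


def is_trusted_range(cidr: str, max_addresses: int = 256) -> bool:
    """Treat an allowlist as a 'small range of trusted addresses' only if it
    is not the whole internet; the 256-address cap is an assumed threshold."""
    net = ip_network(cidr, strict=False)
    return net.num_addresses <= max_addresses


def audit(fw: Firewall, today: date) -> List[str]:
    """Return one finding per control that the ruleset fails."""
    findings: List[str] = []
    if not fw.default_admin_password_changed:
        findings.append("default administrative password still in use")
    if fw.default_inbound != "deny":
        findings.append("inbound connections are not blocked by default")
    for r in fw.rules:
        if r.direction != "inbound" or r.action != "allow":
            continue  # only permissive inbound rules need approval and review
        if not (r.approved_by and r.business_need):
            findings.append(f"{r.name}: inbound allow rule lacks an approver or documented business need")
        if r.expires is not None and r.expires < today:
            findings.append(f"{r.name}: expired rule still present")
        if r.admin_interface and not (r.mfa or is_trusted_range(r.source)):
            findings.append(f"{r.name}: admin interface reachable from {r.source} without MFA or IP allowlist")
    return findings


# Constructed sample: a serviced-office boundary firewall with three inbound rules.
SAMPLE = Firewall(
    default_inbound="deny",
    default_admin_password_changed=True,
    rules=[
        Rule("web", "inbound", "0.0.0.0/0", 443, "allow",
             approved_by="IT lead", business_need="public website"),
        Rule("mgmt", "inbound", "0.0.0.0/0", 8443, "allow",
             approved_by="IT lead", business_need="remote admin", admin_interface=True),
        Rule("old-ftp", "inbound", "0.0.0.0/0", 21, "allow",
             approved_by="IT lead", business_need="legacy upload", expires=date(2023, 1, 31)),
    ],
)

if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2024, 6, 1)):
        print("FAIL:", finding)
```

Run against the sample, the audit flags the management interface open to the whole internet and the expired FTP rule; the public web rule passes because it is approved and documented. Tightening the `mgmt` rule's `source` to the provider's admin range, or setting `mfa=True`, clears the first finding.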
This can be confirmed using the following template:
To service provider,
We are applying for Cyber Essentials certification and need to check on the controls in place within our network.
Can you please confirm the following:
- There is a firewall in place between the boundary of our network and the internet
- The default password has been changed on this device
- The new password is at least 8 characters and difficult to guess
- If believed to be compromised, the password would be changed
- Only approved, documented inbound services are exposed to the internet, and these rules are removed when no longer required
- If remote access to the network device configuration is enabled, this is protected by either 2-factor authentication or limited to specific IP addresses