1. Firewalls
Secure your network boundaries.
The aim of this control is to ensure that network services are protected from unauthorised access.
This control expects organisations to:
- Change default administrative passwords to ones that are hard to guess, or disable remote administrative access entirely.
- Disable administrative access from the internet unless there is a legitimate, documented business need for it. Where such access is required, protect it with multi-factor authentication or restrict it to an IP allow list.
- Block unauthenticated inbound connections by default (a default-deny inbound policy, with only approved services explicitly allowed).
- Ensure every inbound firewall rule is approved and documented by an authorised individual, with the business need for the rule recorded.
- Remove or disable inbound firewall rules as soon as they are no longer required.
- Ensure devices have a software (host) firewall enabled if they will be used on untrusted networks, such as public wi-fi.
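As an added illustration (not part of the original page, and not an official Cyber Essentials artefact), the following nftables ruleset shows what the inbound requirements above look like on a Linux perimeter or host firewall: a default-deny inbound policy, administrative SSH reachable only from an allow-listed management range, and each inbound rule carrying a comment that records who approved it, why, and when it is due for review so that stale rules can be removed. The addresses, ticket reference and dates are constructed placeholders; the commented-out rule shows the weak setting the control is meant to prevent.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset; addresses use RFC 5737 documentation ranges and the
# approver/ticket/review values are constructed placeholders.
flush ruleset

table inet filter {
    # Management range permitted to reach the admin interface (allow list).
    set admin_allow {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/28 }
    }

    chain input {
        # Default-deny inbound: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections we initiated, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Minimal ICMP needed for path MTU discovery and IPv6 neighbour discovery.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Administrative access: only from the allow list, never from the whole internet.
        # MFA is enforced by the SSH/VPN service itself; the firewall limits exposure.
        tcp dport 22 ip saddr @admin_allow accept comment "CHG-0001 SSH admin from management range; approved by network lead 2024-01-10; review 2024-07-10"

        # WEAK SETTING (do not use): exposes the admin interface to every source.
        # tcp dport 22 accept

        # Public service with a documented business need.
        tcp dport 443 accept comment "CHG-0002 public HTTPS for customer portal; approved by service owner 2024-01-10; review 2024-07-10"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f ruleset.nft` after checking it with `nft -c -f ruleset.nft`; `nft list ruleset` then shows the rule comments, which makes the periodic review of approvals and expiry dates a matter of reading the live configuration rather than a separate spreadsheet. The same default-deny shape applies to the host firewall on a laptop used on public wi-fi; on Windows the equivalent baseline is the Public profile's default inbound action set to Block (for example via `Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block`).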