
Security Six firewall configuration represents a mandatory cybersecurity control required by IRS Publication 4557 for all tax professionals holding a PTIN (Preparer Tax Identification Number). According to the IRS Security Summit, tax preparation firms experience cyberattacks at three times the rate of other small businesses, with average breach costs exceeding $184,000 in recovery expenses, regulatory fines, and lost business revenue.
The FTC Safeguards Rule mandates documented implementation of administrative, technical, and physical safeguards to protect customer information, with firewall protection explicitly required as a core technical control. Non-compliance results in penalties up to $100,000 per violation, with each missing security control potentially constituting a separate violation.
Key Takeaway
Configure your tax office firewall to meet IRS Security Six requirements. Hardware vs software options, settings guide, and compliance checklist.
A properly configured Security Six firewall serves as the primary defense mechanism between your tax practice network and external threats, blocking unauthorized access attempts, preventing data exfiltration, and ensuring compliance with both FTC Safeguards Rule and IRS security mandates. Beyond regulatory requirements, the business implications are severe: tax firms that experience data breaches lose an average of 40% of their client base due to reputation damage and trust erosion. The regulatory landscape has intensified significantly in 2025, making comprehensive firewall protection not just a compliance checkbox but a business survival imperative for accounting and tax preparation practices.
Understanding Security Six Firewall Requirements for Tax Professionals
The Security Six firewall requirement originates from IRS Publication 4557, which establishes six fundamental security controls that all tax preparers must implement. These controls form the baseline cybersecurity framework designed specifically to protect taxpayer data from the increasingly sophisticated threat landscape targeting financial services professionals.
A Security Six firewall operates as a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. According to NIST Special Publication 800-41, firewalls establish a barrier between trusted internal networks and untrusted external networks such as the internet. For tax professionals, this means protecting systems containing Social Security numbers, Employer Identification Numbers, bank account details, income information, and complete tax returns from unauthorized access and cyber threats.
Selecting the Right Security Six Firewall for Your Practice Size
Security Six firewall selection depends on multiple factors including practice size, number of employees, remote work requirements, technical expertise, and budget constraints. The following framework categorizes firewall solutions by practice size with specific product recommendations and implementation considerations.
Firewall Solutions by Practice Size
| Practice Size | Investment Range | Recommended Solutions | Key Features |
|---|---|---|---|
| Solo/Small (1-5 users) | $500-$1,500 + $150-$400/year | SonicWall TZ370, Fortinet FortiGate 40F | UTM, Cloud management, Easy setup |
| Medium (6-25 users) | $2,000-$10,000 + $500-$2,000/year | Palo Alto PA-440, Fortinet FortiGate 60F/80F | Advanced threat prevention, App-ID |
| Large (25+ users) | $10,000-$50,000 + $2,000-$10,000/year | Palo Alto PA-3200, Fortinet FortiGate 100F/200F | High throughput, Centralized management |
Security Six Firewall Implementation Process
Change All Default Credentials
Default administrator passwords represent the most exploited vulnerability. Automated scanning tools continuously probe for default credentials, with over 10,000 firewall devices compromised globally in February 2025.
Update Firmware to Latest Security Version
Install the latest stable firmware version before configuration. Verify digital signatures on firmware downloads to prevent supply chain attacks.
Configure Basic Network Parameters
Establish WAN/Internet interface, LAN/Internal interface, secure DNS servers (Cloudflare 1.1.1.1 or Quad9 9.9.9.9), and NTP time synchronization for accurate logging.
Enable Intrusion Prevention System (IPS)
Configure IPS in prevention mode to actively block threats in real-time rather than simply alerting after compromise occurs.
Configure Geographic Filtering
Block connections from foreign countries if serving only US clients. Over 80% of cyberattacks targeting US tax professionals originate from Eastern Europe, Asia, and South America.
Implement SSL/TLS Inspection
Enable firewall to decrypt, inspect, and re-encrypt traffic to detect threats hiding in encrypted sessions used by modern cybercriminals.
Critical Security Alert
According to FBI Cyber Division reporting, over 80% of cyberattacks targeting U.S. tax professionals originate from IP addresses in Eastern Europe, Asia, and South America. Geographic blocking provides a simple yet effective threat reduction mechanism with minimal false positives.
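The six implementation steps above can be checked mechanically after each configuration change. The following is an added example, not vendor or IRS code: the config schema (keys such as `ips_mode` and `geo_filter`) is hypothetical, the sample config is constructed, and the US-only allow list assumes a practice that serves only US clients.

```python
APPROVED_DNS = {"1.1.1.1", "9.9.9.9"}  # resolvers named in the text

def version_tuple(v):
    """Compare dotted numeric versions numerically, so 7.4.10 > 7.4.9."""
    return tuple(int(p) for p in v.split("."))

def audit(cfg, latest_firmware):
    """Return one finding per implementation step the config fails."""
    findings = []
    for acct in cfg.get("admins", []):
        if acct.get("password_is_default", True):
            findings.append(f"default credentials still set for '{acct['name']}'")
    if version_tuple(cfg.get("firmware", "0")) < version_tuple(latest_firmware):
        findings.append(f"firmware {cfg.get('firmware')} older than {latest_firmware}")
    if not cfg.get("firmware_signature_verified", False):
        findings.append("firmware image signature was not verified")
    dns = set(cfg.get("dns", []))
    if not dns or dns - APPROVED_DNS:
        findings.append(f"DNS resolvers missing or unapproved: {sorted(dns - APPROVED_DNS)}")
    if not cfg.get("ntp"):
        findings.append("no NTP server set, log timestamps will drift")
    mode = cfg.get("ips_mode", "off")
    if mode != "prevent":
        findings.append(f"IPS mode is '{mode}', expected 'prevent' (detect-only only alerts)")
    geo = cfg.get("geo_filter", {})
    if geo.get("default") != "deny" or geo.get("allow") != ["US"]:
        findings.append("geo filter is not default-deny with a US-only allow list")
    if not cfg.get("tls_inspection", False):
        findings.append("SSL/TLS inspection disabled")
    return findings

SAMPLE = {  # constructed config export, hypothetical schema
    "admins": [{"name": "admin", "password_is_default": False}],
    "firmware": "7.4.9",
    "firmware_signature_verified": True,
    "dns": ["1.1.1.1", "8.8.8.8"],
    "ntp": ["time.example.net"],
    "ips_mode": "detect",
    "geo_filter": {"default": "deny", "allow": ["US"]},
    "tls_inspection": True,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, latest_firmware="7.4.10"):
        print("FAIL:", finding)
```

The sample fails on three points: firmware one patch behind, an unapproved resolver, and IPS left in detect-only mode.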
Essential Logging Configuration
Allowed Connections
Source IP, destination IP, port numbers, protocols, timestamps, usernames (if identified)
Blocked Connections
All details of denied traffic including source, destination, and deny reason
Threat Events
IPS detections, malware blocks, geographic filtering blocks, URL filtering blocks
Administrative Actions
Configuration changes, rule modifications, firmware updates, administrator logins
VPN Activity
Remote access connections, authentication successes and failures, session durations
System Events
Service starts/stops, high CPU or memory conditions, disk space warnings
Log Retention Requirements
The GLBA (Gramm-Leach-Bliley Act) and state data breach notification laws typically require 12-24 months of log retention. Configure your Security Six firewall to store logs on external log servers or SIEM systems to prevent log loss if the firewall fails or becomes compromised during an attack.
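To confirm that the external log store actually holds the six event categories and the retention window described above, a coverage check can be run over an export. This is an added example, not part of any firewall product: the `key=value` log format and field names are a hypothetical schema, the log lines are constructed, and 365 days is taken as the lower bound of the 12-24 month range.

```python
from datetime import datetime, timedelta

# Fields the text requires per event category (hypothetical field names).
REQUIRED = {
    "allow":  {"ts", "src", "dst", "dport", "proto"},
    "deny":   {"ts", "src", "dst", "reason"},
    "threat": {"ts", "src", "detail"},
    "admin":  {"ts", "user", "action"},
    "vpn":    {"ts", "user", "result"},
    "system": {"ts", "detail"},
}

def parse(line):
    """Split 'k=v k=v' pairs; values contain no spaces in this format."""
    return dict(p.split("=", 1) for p in line.split() if "=" in p)

def review(lines, now, min_days=365):
    """Report uncovered categories, incomplete records and retention depth."""
    seen, incomplete, oldest = set(), [], now
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        cat = ev.get("type")
        if cat not in REQUIRED:
            incomplete.append((n, "unknown type"))
            continue
        seen.add(cat)
        missing = REQUIRED[cat] - set(ev)
        if missing:
            incomplete.append((n, "missing " + ",".join(sorted(missing))))
        if "ts" in ev:
            oldest = min(oldest, datetime.fromisoformat(ev["ts"]))
    return {
        "uncovered": sorted(set(REQUIRED) - seen),
        "incomplete": incomplete,
        "retention_ok": now - oldest >= timedelta(days=min_days),
    }

SAMPLE = [  # constructed log lines using documentation address ranges
    "ts=2024-02-01T09:00:00 type=allow src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp user=jdoe",
    "ts=2025-01-10T03:12:00 type=deny src=198.51.100.7 dst=10.0.0.5 dport=3389",
    "ts=2025-01-10T03:12:05 type=threat src=198.51.100.7 detail=ips-block",
    "ts=2025-01-11T08:30:00 type=admin user=fwadmin action=rule-modify",
    "ts=2025-01-12T07:55:00 type=vpn user=jdoe result=auth-fail",
]

if __name__ == "__main__":
    print(review(SAMPLE, now=datetime(2025, 3, 1)))
```

On the sample, the deny record lacks its deny reason and no system events are being forwarded, both of which would leave gaps in an audit trail.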
IRS Publication 4557 Documentation Requirements
Firewall Specifications
Document the specific firewall hardware or software deployed with make, model, and technical specifications
Configuration Standards
Detailed description of firewall configuration including default-deny policies, specific rule sets, and enabled security features
Network Diagrams
Visual representations showing firewall placement and network segmentation architecture
Maintenance Schedule
Documented procedures for firmware updates, rule reviews, and security subscription renewals
Access Controls
List of personnel authorized to modify firewall configurations with role definitions
Incident Response Procedures
Documented processes for responding to firewall alerts and security events
Frequently Asked Questions
No. While Windows Firewall provides basic host-based protection, it does not satisfy the IRS Security Six firewall requirement. IRS Publication 4557 specifically requires network-based firewall protection that defends the entire practice network, not just individual computers. Windows Firewall lacks critical capabilities including network segmentation, centralized management, advanced threat prevention, comprehensive logging, and intrusion prevention. Tax professionals must implement business-grade network firewalls with next-generation security features to achieve compliance and adequate protection for taxpayer data.
Security Six firewall budgets vary based on practice size and complexity. Solo practitioners and small firms (1-5 users) should budget $500-$1,500 for hardware plus $150-$400 annually for security subscriptions. Medium practices (6-25 users) typically invest $2,000-$10,000 for hardware plus $500-$2,000 annually for subscriptions and support. Large practices (25+ users) require $10,000-$50,000 for enterprise firewall infrastructure plus $2,000-$10,000 annually for ongoing costs. Calculate approximately $100-$200 per user for initial deployment and $50-$100 per user annually for maintenance and subscriptions.
Absolutely. Even when using cloud-based tax software such as Drake Tax Hosted or another hosted product, your office network still requires Security Six firewall protection. Firewalls protect your workstations accessing cloud applications, prevent malware infections that could compromise cloud credentials, protect other office systems and data, secure any locally stored client information, and comply with IRS Publication 4557 requirements that apply regardless of software deployment model. Cloud applications do not eliminate the need for comprehensive network security controls at your practice location.
Security Six firewall maintenance follows a multi-tiered schedule: Security signature updates should occur daily and should be automated. Firmware and security patches require monthly review with critical updates applied immediately. Firewall rule audits should be conducted quarterly to remove obsolete rules and optimize configurations. Comprehensive security assessments including penetration testing should occur annually before tax season begins. Additionally, update firewall configurations immediately when adding new services, changing network architecture, or responding to security incidents. Document all configuration changes in your WISP to demonstrate ongoing compliance with regulatory requirements.
Non-compliance with Security Six firewall requirements creates multiple serious consequences: IRS penalties including potential loss of PTIN and e-file privileges; FTC Safeguards Rule violations resulting in fines up to $100,000 per violation; dramatically increased breach risk with average costs exceeding $184,000; client notification obligations and associated costs; professional liability insurance claim denials for non-compliant security practices; reputation damage and client loss following security incidents; and potential personal liability for negligent security practices resulting in client harm. Beyond regulatory consequences, inadequate firewall protection makes data breaches virtually inevitable given the threat landscape targeting tax professionals.
No. Consumer-grade routers from retail stores do not provide adequate protection for professional tax practices. While these devices include basic firewall functionality, they lack essential capabilities required for Security Six compliance including advanced threat prevention and intrusion detection, comprehensive logging and audit trails, VPN capabilities for secure remote access, network segmentation and VLAN support, centralized management for policy enforcement, application-layer filtering and control, SSL/TLS inspection for encrypted traffic, and vendor support with security updates beyond 1-2 years. Business-grade firewalls specifically designed for professional environments are required to meet IRS Security Six requirements and provide adequate protection for client data.
The decision between managed Security Six firewall services and self-management depends on technical expertise, available time, and practice size. Managed firewall services provide professional configuration and monitoring, 24/7 security operations center oversight, automatic security updates and patches, compliance reporting and documentation, incident response capabilities, and predictable monthly costs. Self-management offers potentially lower costs, complete control over configurations, and no dependency on external providers. Most small and medium tax practices benefit significantly from managed services due to limited IT resources and the critical nature of security during tax season. Consider managed services as an investment in risk reduction rather than an expense—the cost of professional security management is minimal compared to breach consequences and regulatory penalties.
Take Action: Implement Your Security Six Firewall Today
Security Six firewall implementation represents a non-negotiable requirement for tax professionals in 2025. The combination of regulatory mandates, increasing cyber threats targeting financial services, and severe consequences of data breaches makes comprehensive firewall protection essential for practice survival and client trust.
The tax firms that thrive in today's threat landscape are those that proactively implement robust security controls rather than reactively responding to breaches. A properly configured Security Six firewall serves as the foundation of your cybersecurity program, protecting client data, ensuring regulatory compliance, and enabling business continuity throughout tax season and beyond.



