Firewall Setup for Tax Offices: Network Protection Guide

Set up an IRS-compliant firewall for your tax office in 2026. Security Six requirements, NGFW selection, VPN config, and WISP documentation explained.


Why Every Tax Office Needs a Security Six Firewall

A properly configured firewall for your tax office is not an optional upgrade—it is a documented requirement under IRS Publication 4557 for all tax professionals holding a Preparer Tax Identification Number (PTIN). The IRS Security Summit reports that tax preparation firms experience cyberattacks at three times the rate of other small businesses, driven by the extraordinary value of the data they hold: Social Security numbers, bank account details, income records, and complete tax returns filed on behalf of clients.

The FTC Safeguards Rule under 16 CFR § 314.4(c) explicitly requires documented firewall implementation as a core technical safeguard for any financial services firm handling customer data. Non-compliance exposes your practice to penalties up to $100,000 per violation—and regulators have treated each missing security control as a separate violation. A single audit finding can halt your practice's filing operations before you ever face an actual breach.

The Security Six framework distills IRS cybersecurity guidance into six foundational controls, with firewall protection as the first line of defense. Whether you run a multi-employee accounting firm or practice as a solo preparer from a home office, the compliance standard is identical. The IRS now conducts random security audits of PTIN holders, and firms without documented Security Six controls face immediate PTIN suspension pending remediation—which prevents you from filing returns on behalf of clients until compliance is fully documented.

Tax practices that have experienced data breaches lose an average of 40% of their client base due to reputation damage and erosion of trust. The combined financial and reputational exposure makes proper firewall configuration one of the most defensible investments a tax professional can make—with returns measured in avoided penalties, preserved client relationships, and uninterrupted filing operations.

Tax Office Cybersecurity by the Numbers

  • 3× attack rate vs. other small businesses: IRS Security Summit data on targeted cyberattacks against tax preparers compared to other small business sectors
  • $184K average breach recovery cost: per-incident cost including recovery expenses, regulatory fines, and lost business revenue for tax practices
  • $100K maximum FTC penalty per violation: each missing Security Six control may constitute a separate violation under 16 CFR § 314 of the Safeguards Rule

What Security Six Firewall Compliance Actually Requires

The Security Six firewall requirement gives IRS auditors a specific checklist—not a vague directive to "have a firewall." NIST Special Publication 800-41 Rev. 1 defines a firewall as a network security system that monitors and controls traffic between trusted internal networks and untrusted external networks. For tax professionals, this means protecting systems containing taxpayer data from unauthorized access, data exfiltration, and malware infections throughout the year—not only during filing season.

A compliant firewall for your tax office must demonstrate seven core capabilities that go well beyond the basic routing functions in a consumer-grade device:

  • Stateful packet inspection (SPI) — tracks the state of network connections and blocks packets that don't belong to established, authorized sessions
  • Intrusion Prevention System (IPS) — actively blocks known attack patterns, malware signatures, and exploit attempts in real time
  • Application awareness and control — identifies applications regardless of which port or protocol they use, enabling granular policy enforcement
  • VPN capability — provides encrypted remote access for tax preparers working from home or client locations
  • Full security event logging — captures all security events, denied connections, and configuration changes with seven-year retention
  • Centralized management — enables configuration backup, change tracking, and policy documentation for audit purposes
  • Regular updates and patching — receives manufacturer security updates and threat intelligence feeds to address newly discovered vulnerabilities

Consumer routers provided by internet service providers lack stateful inspection depth, application-level controls, intrusion prevention capabilities, and the logging depth Security Six demands. Home-based tax preparers frequently ask whether their ISP-provided router provides adequate protection. It does not—and IRS auditors make this distinction routinely during PTIN reviews.

For a full breakdown of your IRS Publication 4557 compliance obligations, including which controls apply to your practice size and how to document them for auditors, review our dedicated compliance guide.

2026 IRS PTIN Audit Risk

The IRS now conducts random security audits of PTIN holders and reviews firewall configuration files, change logs, and security event reports. Tax practices without documented Security Six firewall controls face immediate PTIN suspension pending remediation. This applies equally to solo home-based preparers and multi-location firms. A functioning firewall without documentation is indistinguishable from no firewall to an auditor who cannot inspect your physical equipment during a remote review.

Selecting the Right Firewall for Your Tax Practice

Firewall selection for a tax office depends on practice size, number of employees, remote work requirements, and available IT expertise. The wrong choice results in either inadequate protection that fails an IRS audit or unnecessary complexity that creates security gaps through misconfiguration.

Hardware vs. Software Firewalls

Hardware firewalls are dedicated physical devices that sit between your network and the internet. They protect all network-connected devices simultaneously—workstations, servers, printers, tablets, and smartphones that access taxpayer data—through one configurable, auditable point. Practices with five or more employees or multiple office locations should implement hardware firewalls without exception.

Software firewalls, including Windows Defender Firewall, provide host-level protection on individual computers. They do not meet Security Six requirements when used alone because they protect only the device where they run. A hardware firewall remains the correct choice even for a single-person home office. Solo practitioners sometimes assume a software firewall suffices—but every device on your home network that touches client data requires protection, and a hardware device delivers that from one management point.

Next-Generation Firewalls (NGFW) for Tax Offices

Modern tax practices should implement Next-Generation Firewalls (NGFW) that combine traditional firewall capabilities with advanced threat protection. NGFW technology addresses the evolved attack techniques increasingly directed at financial services firms during tax season: encrypted channels carrying malware, legitimate-looking application traffic, and protocol tunneling that bypasses traditional port-based firewall rules.

Key NGFW capabilities for tax office protection include deep packet inspection (DPI) examining packet data contents for malware and protocol violations, SSL/TLS inspection that decrypts encrypted traffic to detect threats hiding in HTTPS connections, integrated application control identifying software by signature rather than port, and threat intelligence feeds that block known malicious IP addresses in real time. Business-grade NGFW vendors serving small and mid-sized practices include Fortinet, SonicWall, Cisco Meraki, and Palo Alto Networks.

Managed Firewall Services vs. In-House Management

Tax practices face a practical decision: manage the firewall internally or engage a Managed Security Service Provider (MSSP). Self-managed firewalls require dedicated IT staff with firewall expertise, ongoing security training, and monitoring capabilities. For most practices under 50 employees, self-management creates compliance risks through configuration errors, delayed security updates, and inadequate log review.

Managed firewall services provide professional configuration, around-the-clock monitoring, automatic updates, quarterly security reviews, and the compliance documentation that IRS auditors require. Monthly costs range from $200 to $800 depending on practice size and service level—less than the cost of hiring a part-time IT employee, and far less than the average $184,000 breach recovery cost or $100,000-per-violation FTC penalty exposure. The IRS does not require managed services, but practices that self-manage must demonstrate equivalent expertise and produce equivalent documentation during audits.

Security Six Firewall Implementation Steps

1. Inventory Your Network Environment: Document all devices that store, process, or transmit taxpayer data—workstations, servers, printers, tablets, and smartphones. This inventory drives your firewall rule set and forms a required Written Information Security Plan (WISP) component.

2. Select Enterprise-Grade Firewall Hardware: Choose a business-class NGFW from vendors such as Fortinet, Palo Alto Networks, Cisco Meraki, or SonicWall. Confirm the device includes IPS, application control, VPN, and SSL/TLS inspection in its licensed feature set before purchasing.

3. Configure Default-Deny Security Policies: Block all traffic by default, then create specific allow rules only for tax software cloud connections (Drake, Lacerte, ProSeries, UltraTax, TaxDome), approved email services, and operating system update channels. Document the business justification for every allow rule.

4. Enable IPS and Application Control: Activate intrusion prevention in blocking mode with daily signature updates. Configure application control to identify and block peer-to-peer file sharing, unauthorized remote access tools, and personal cloud storage services that could expose client data.

5. Set Up VPN with Multi-Factor Authentication: Configure client VPN with AES-256 encryption and multi-factor authentication (MFA) for all remote preparers. Disable split tunneling to force all internet traffic through the firewall when employees connect from outside the office.

6. Implement Full Security Event Logging: Configure logging for all denied connections, IPS events, VPN access, and configuration changes. Forward logs to a centralized syslog server or cloud log management service with seven-year automated retention per IRS requirements.

7. Document Configuration in Your WISP: Record your network architecture, firewall rule set, change management procedures, and monitoring responsibilities in your Written Information Security Plan. This documentation is the primary record IRS auditors review during PTIN compliance checks.

8. Conduct Annual Testing and Validation: Schedule annual penetration testing, vulnerability scanning, and firewall rule effectiveness reviews per IRS Publication 4557 Section 4.4. Address high-risk findings within 30 days, medium-risk within 90 days, and document all remediation actions taken.

Essential Firewall Configuration for IRS Compliance

Default-Deny Security Posture

A Security Six-compliant firewall must implement a default-deny security posture: all network traffic is blocked unless explicitly permitted by a documented security rule. This approach aligns with NIST SP 800-53 Rev. 5 access control requirements and ensures that unknown or unauthorized traffic cannot traverse your network perimeter by default.

Create specific allow rules only for the services your practice genuinely needs: tax preparation software cloud connections for platforms like Drake, Lacerte, ProSeries, UltraTax, and TaxDome; approved email platforms such as Microsoft 365 or Google Workspace; essential business cloud services; remote access VPN for authorized employees; and operating system and software update delivery channels. Document the business justification for every allow rule—IRS auditors review this documentation to verify that your security policies align with your actual data protection obligations.
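To make the default-deny posture and the rule-documentation requirement concrete, here is an added example (not code from this article or from any firewall vendor): it evaluates traffic against a first-match allow list, denies everything unmatched, and audits each rule for the justification, owner and review date an auditor asks for. The rule format, the addresses (RFC 5737 documentation ranges stand in for real vendor address blocks), the 90-day review interval and the sample rules are all constructed assumptions.

```python
"""Default-deny policy evaluator with WISP rule-documentation checks.

Added example; not code from the original article or from any firewall vendor.
The rule format, addresses (RFC 5737 documentation ranges stand in for real
vendor address blocks) and review interval are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional, Set

REVIEW_INTERVAL_DAYS = 90       # quarterly rule review, as the article recommends
OFFICE_LAN = "10.10.0.0/24"     # constructed workstation subnet


@dataclass
class Rule:
    """One allow rule plus the metadata an auditor expects to see documented."""
    name: str
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: Set[int]         # destination ports; empty set means any port
    justification: str = ""
    owner: str = ""
    last_review: Optional[date] = None

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and self.proto in ("any", proto)
            and (not self.ports or port in self.ports)
        )


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Default deny: the first matching allow rule wins; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return ("ALLOW", rule.name)
    return ("DENY", "default-deny")


def audit_rules(rules, today):
    """Findings for rules that would fail the WISP documentation review."""
    findings = []
    for r in rules:
        if not r.justification:
            findings.append((r.name, "missing business justification"))
        if not r.owner:
            findings.append((r.name, "missing rule owner"))
        if r.last_review is None or (today - r.last_review).days > REVIEW_INTERVAL_DAYS:
            findings.append((r.name, "review overdue"))
        if r.dst == "0.0.0.0/0" and r.proto == "any" and not r.ports:
            findings.append((r.name, "overly broad: any destination, protocol and port"))
    return findings


def documented_only(rules):
    """Drop rules with no justification or owner; an undocumented rule is not policy."""
    return [r for r in rules if r.justification and r.owner]


# Constructed sample rule set, including two defects the audit should catch.
RULES = [
    Rule("tax-software-cloud", OFFICE_LAN, "203.0.113.0/24", "tcp", {443},
         justification="Hosted tax software (Drake, Lacerte)", owner="Office Manager",
         last_review=date(2026, 1, 15)),
    Rule("email-m365", OFFICE_LAN, "198.51.100.0/24", "tcp", {443, 587},
         justification="Microsoft 365 mail", owner="Office Manager",
         last_review=date(2026, 1, 15)),
    Rule("os-updates", OFFICE_LAN, "192.0.2.0/24", "tcp", {80, 443},
         justification="Windows Update delivery", owner="MSSP",
         last_review=date(2025, 9, 1)),                    # quarterly review overdue
    Rule("temp-any", OFFICE_LAN, "0.0.0.0/0", "any", set()),  # undocumented catch-all
]
TODAY = date(2026, 2, 10)

if __name__ == "__main__":
    for name, problem in audit_rules(RULES, TODAY):
        print(f"AUDIT {name}: {problem}")
    # Outbound SSH to an update host slips through the undocumented rule ...
    print(evaluate(RULES, "10.10.0.21", "192.0.2.200", "tcp", 22))
    # ... and is denied once only documented rules are enforced.
    print(evaluate(documented_only(RULES), "10.10.0.21", "192.0.2.200", "tcp", 22))
    # Unsolicited inbound RDP from the internet is denied either way.
    print(evaluate(RULES, "198.51.100.23", "10.10.0.5", "tcp", 3389))
```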

Intrusion Prevention System Configuration

Enable IPS signatures covering the attack vectors most frequently directed at tax practices. SQL injection attacks target web-based tax software and database systems. Cross-site scripting (XSS) exploits inject malicious scripts through web application interfaces. Brute force authentication attacks systematically attempt credential combinations—a technique attackers direct specifically at tax preparation portals during filing season. Ransomware Command and Control (C2) traffic signatures stop malware from communicating with attacker infrastructure after initial infection. Data exfiltration pattern detection identifies large outbound transfers that may signal an active breach in progress.

Configure IPS in prevention mode—blocking detected threats rather than merely logging them. Tune sensitivity levels during pre-season preparation to balance security effectiveness against false positives that could disrupt client service workflows.

Application Control and Web Filtering

Application control identifies and manages software by application signatures rather than ports and protocols. This capability is essential because modern malware uses standard ports (80 and 443) to evade traditional firewall rules. Configure application control to block peer-to-peer file sharing, proxy and anonymizer tools, and personal cloud storage services (such as personal Dropbox or Google Drive accounts) that fall outside approved business platforms. Web filtering complements application control by blocking access to known malicious sites, phishing domains, and high-risk categories. Whitelist legitimate tax and accounting sites to prevent false positives that could disrupt filing workflows.

VPN Configuration for Remote Tax Preparers

Remote work requires secure VPN access that extends Security Six firewall protection to home offices and mobile workers. Configure VPN with AES-256 encryption as the minimum encryption standard. Require multi-factor authentication combining a password with a time-based code or hardware token for every remote connection. Disable split tunneling to force all internet traffic through the firewall when connected to the VPN—not just traffic destined for your office network. Implement endpoint security checks verifying that connecting devices carry current antivirus signatures and operating system patches before granting access. Set automatic session timeouts disconnecting idle VPN sessions after 30 minutes.

For solo practitioners primarily working from a home office, VPN may seem redundant for daily operations. It becomes essential the moment you access client data from a coffee shop, client office, or hotel—scenarios that arise more frequently during busy season than practitioners anticipate. Our guide to choosing a business VPN covers technical specifications and tax compliance requirements in detail.

Security Six Firewall Configuration Checklist

  • Configure default-deny firewall policy blocking all traffic except explicitly allowed rules
  • Enable stateful packet inspection (SPI) on all network interfaces
  • Activate intrusion prevention system (IPS) in blocking mode with daily signature updates
  • Implement application control to manage applications by signature, not just by port
  • Configure web filtering to block malware sites, phishing domains, and high-risk categories
  • Enable SSL/TLS inspection for encrypted traffic analysis with proper certificate deployment
  • Set up VPN with AES-256 encryption and multi-factor authentication for all remote access
  • Configure full logging for all security events, denied connections, and configuration changes
  • Forward logs to centralized storage with 7-year automated retention per IRS requirements
  • Disable unused network services and protocols such as Telnet, FTP, and SMBv1
  • Change all default administrative passwords and enforce a strong password policy
  • Configure automated backup of firewall configuration to a secure offsite location
  • Enable NTP time synchronization for accurate and auditable log timestamps
  • Set up automated alerts for high-severity security events and unauthorized configuration changes
  • Document all firewall rules with business justification, rule owner, and last review date

Logging, Monitoring, and Compliance Documentation

Security Six firewall logging requirements extend well beyond basic configuration. The IRS expects thorough security event logs with documented review procedures demonstrating active monitoring throughout the year—not only during filing season. A firewall that logs nothing provides no audit trail, which creates the same regulatory exposure as having no firewall at all.

What Your Firewall Must Log

Configure your firewall to capture and retain six categories of security events. Denied connection attempts should record every blocked inbound and outbound connection with source IP, destination, protocol, and timestamp. Allowed connections to sensitive systems track authorized access to tax software servers, file servers, and database systems. Configuration changes log every firewall rule modification, policy update, and administrative action with user attribution—this is the change management record IRS auditors examine most closely. VPN access events record successful and failed authentication attempts, connection duration, and data volumes transferred per session. IPS events document detected and blocked attack attempts with severity classification and threat descriptions. System events capture firewall startup and shutdown cycles, service failures, hardware issues, and update installations.

Forward all logs to a dedicated syslog server or Security Information and Event Management (SIEM) system for centralized storage and analysis. Local firewall storage is insufficient for compliance because on-device capacity is limited and producing audit reports from device-resident logs alone is impractical for multi-year reviews.

Retention, Review, and Incident Response Integration

IRS Publication 4557 requires tax practices to retain security logs for the same duration as tax return records—a minimum of seven years. Maintain active logs in searchable format for at least 90 days for incident investigation, then archive older logs in compressed format on secure backup storage that meets your tax data protection requirements. Cloud-based log management services cost $20 to $50 monthly for solo practitioners, eliminating the complexity of managing on-premises log servers while meeting retention requirements automatically.

Logging without review provides no security value. Establish formal monitoring procedures: daily review of IPS alerts and VPN authentication failures, weekly analysis of denied connection patterns and bandwidth anomalies, monthly reporting summarizing blocked threats and configuration changes, and quarterly audits examining firewall rule effectiveness and compliance gaps. Document every security event investigation with findings, root cause analysis, and remediation actions.

Your Security Six firewall also serves as a detection and containment tool within your broader incident response plan. Configure automated alerts that trigger incident response procedures for multiple IPS alerts from a single source, large outbound data transfers suggesting exfiltration, VPN access from unusual geographic locations, and firewall configuration changes outside scheduled maintenance windows. Test firewall integration with incident response procedures during annual tabletop exercises.
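The four alert conditions above, implemented over constructed firewall syslog lines as an added example (not the article's or any vendor's code). The key=value log format, the thresholds, the Sunday 02:00 to 04:00 maintenance window and the sample events are all assumptions made for illustration; a real deployment would read these from the SIEM the logs are forwarded to.

```python
"""Alert rules for firewall security events, as described in the article.

Added example; not the article's or any vendor's code. The key=value log
format, thresholds, maintenance window and sample lines are all constructed.
"""
from collections import Counter
from datetime import datetime

IPS_ALERTS_PER_SOURCE = 3            # this many IPS blocks from one source -> alert
EXFIL_BYTES = 500 * 1024 * 1024      # one outbound session above 500 MiB -> alert
EXPECTED_COUNTRIES = {"US"}          # where preparers normally connect from
MAINT_WINDOW = (6, 2, 4)             # weekday (Monday=0, Sunday=6), start hour, end hour

# Constructed sample events. 2026-02-08 is a Sunday, 2026-02-10 a Tuesday.
SAMPLE_LOGS = """\
2026-02-10T09:14:02 type=ips action=block src=198.51.100.23 dst=10.10.0.5 sig=sql-injection
2026-02-10T09:14:05 type=ips action=block src=198.51.100.23 dst=10.10.0.5 sig=sql-injection
2026-02-10T09:14:09 type=ips action=block src=198.51.100.23 dst=10.10.0.5 sig=xss
2026-02-10T09:20:00 type=ips action=block src=203.0.113.7 dst=10.10.0.5 sig=brute-force
2026-02-10T10:02:11 type=session dir=out src=10.10.0.21 dst=192.0.2.44 bytes=734003200
2026-02-10T10:05:40 type=session dir=out src=10.10.0.22 dst=203.0.113.10 bytes=1048576
2026-02-10T11:30:00 type=vpn action=login user=jdoe country=US
2026-02-10T11:31:15 type=vpn action=login user=asmith country=RO
2026-02-10T14:45:00 type=config action=rule-add user=admin rule=temp-any
2026-02-08T02:30:00 type=config action=rule-edit user=admin rule=email-m365
"""


def parse_line(line):
    """Turn 'ISO-timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_maintenance_window(ts):
    """True if the timestamp falls inside the scheduled change window."""
    day, start, end = MAINT_WINDOW
    return ts.weekday() == day and start <= ts.hour < end


def detect_alerts(log_text):
    """Return (kind, subject, detail) tuples for events that should page someone."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # 1. Multiple IPS alerts from a single source.
    ips_by_src = Counter(e["src"] for e in events if e["type"] == "ips")
    for src, count in ips_by_src.items():
        if count >= IPS_ALERTS_PER_SOURCE:
            alerts.append(("repeated-ips", src, f"{count} IPS blocks from one source"))

    for e in events:
        kind = e["type"]
        # 2. Large outbound transfer suggesting exfiltration.
        if kind == "session" and e.get("dir") == "out" and int(e["bytes"]) >= EXFIL_BYTES:
            mib = int(e["bytes"]) // (1024 * 1024)
            alerts.append(("possible-exfil", e["src"], f"{mib} MiB sent to {e['dst']}"))
        # 3. VPN login from an unexpected country.
        elif kind == "vpn" and e.get("action") == "login" and e["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("vpn-unusual-geo", e["user"], f"login from {e['country']}"))
        # 4. Firewall configuration change outside the maintenance window.
        elif kind == "config" and not in_maintenance_window(e["ts"]):
            when = e["ts"].isoformat()
            alerts.append(("config-out-of-window", e["user"], f"{e['action']} {e['rule']} at {when}"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect_alerts(SAMPLE_LOGS):
        print(f"ALERT {kind:22} {subject:16} {detail}")
```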

Bottom Line on Firewall Logging

A firewall that doesn't log is a firewall that can't prove compliance. IRS auditors reviewing PTIN holders examine firewall configuration files, change logs, and security event reports. If your logging is incomplete or retention falls short of seven years, you face the same regulatory exposure as firms that skipped firewall deployment entirely. Set up centralized logging with automated retention from day one—not after an audit notice arrives.

Five Firewall Mistakes That Create Compliance Gaps

Tax practices consistently make the same configuration errors during Security Six firewall implementation. Each mistake creates a compliance gap that surfaces during IRS audits or—more expensively—during an actual breach investigation when forensic evidence is needed.

Mistake 1: Using Consumer-Grade Equipment

Consumer routers from Netgear, Linksys, or TP-Link do not meet Security Six requirements despite their basic firewall labeling. These devices lack stateful inspection depth, application awareness, intrusion prevention, and the event logging depth that IRS Publication 4557 demands. Enterprise-grade firewall hardware is a non-negotiable requirement even for solo practitioners in home offices. The cost difference—typically $500 to $1,500 annually including managed services—is a fraction of the $100,000-per-violation penalty exposure.

Mistake 2: Set-and-Forget Deployment

Deploying a firewall without a maintenance plan creates security drift as business needs change, threats evolve, and configurations become outdated. Implement quarterly business reviews examining rule effectiveness, removing inactive rules, and updating security policies when you add employees, adopt new software, or change remote work arrangements. Solo practitioners using managed service providers sometimes assume routine updates handle everything. Technical maintenance is automatic, but aligning firewall policies with current practice operations requires deliberate quarterly review.

Mistake 3: Inadequate Logging and Retention

Many practices enable basic logging but fail to configure thorough security event capture or implement seven-year retention. Without complete logs, you cannot investigate security incidents, demonstrate compliance during audits, or defend against liability claims following a breach. Configure centralized log management with automated retention policies from day one—retrofitting this capability after your first audit notice is more expensive than building it correctly at deployment.

Mistake 4: Disabling Security Features for Convenience

Turning off SSL inspection because it requires certificate installation, disabling IPS to reduce false positives, or creating overly broad allow rules for ease of management all introduce exploitable gaps. The correct response to a false positive is tuning the rule, not removing the protection. Work with your MSSP to refine IPS sensitivity and whitelist legitimate applications that trigger false alerts. Convenience-based security decisions are the primary reason audited practices fail their compliance reviews.

Mistake 5: Incomplete VPN Security Controls

Implementing VPN access without multi-factor authentication, endpoint compliance checking, or split-tunneling restrictions allows a compromised home computer direct access to taxpayer data. Remote access requires the same security rigor as physical office access with documented authentication and authorization controls. This mistake appears most often among solo practitioners who configure VPN primarily for convenience rather than compliance. Require MFA and endpoint checks from initial deployment—not as an afterthought.

WISP Documentation: What IRS Auditors Examine

Security Six firewall implementation requires thorough documentation integrated into your Written Information Security Plan (WISP). The IRS reviews this documentation during PTIN audits to verify compliance with Publication 4557 requirements. A functioning firewall without accompanying documentation is indistinguishable from no firewall to an auditor conducting a remote review.

Your WISP must include network architecture diagrams showing firewall placement, protected network segments, DMZ configuration if applicable, and internet connection paths. A firewall rule documentation table should list every security rule with its business justification, rule owner, creation date, and last review date. Store a complete firewall configuration export as both an audit record and a disaster recovery baseline—this is what allows your practice to restore operations after a hardware failure without losing weeks of security tuning.

Document your change management procedures: who has authority to modify firewall rules, how changes are requested and approved, and how configuration backups are validated after changes. Specify monitoring responsibilities with named individuals accountable for daily log review, alert response, and quarterly audits. Include vendor contact information and support contract details for your firewall hardware or MSSP.

IRS Publication 4557 Section 4.4 requires annual testing of security controls including firewall effectiveness. Annual requirements include penetration testing attempting to bypass firewall controls, vulnerability scanning of management interfaces, rule effectiveness review identifying overly permissive or unused rules, and disaster recovery testing restoring configuration from backup. Address high-risk findings within 30 days and medium-risk findings within 90 days—document all remediation timelines and outcomes, as incomplete remediation documentation is treated as failure to remediate during follow-up audits.

If you need a pre-built framework, our WISP template for tax preparers includes all required firewall documentation sections. For a full picture of the PTIN and WISP requirements that apply specifically to your practice type, review our guide to PTIN and WISP compliance requirements.

Get Your WISP Documentation Ready

Our security team has helped thousands of tax professionals build IRS-compliant Written Information Security Plans that include all required firewall documentation sections, network diagrams, and audit-ready change management procedures.

Get Your Tax Office Firewall Assessed

Our security experts will evaluate your current firewall configuration against Security Six requirements, identify compliance gaps, and provide a documented remediation plan tailored to your practice size and budget.

Frequently Asked Questions

The Security Six framework comes from IRS Publication 4557 and identifies six baseline cybersecurity controls that all tax preparers with a PTIN must implement. A Security Six-compliant firewall is a business-grade network security device with stateful packet inspection, an Intrusion Prevention System (IPS), application control, VPN capability, full security event logging, and centralized management. Every tax preparer filing returns on behalf of clients—including solo practitioners working from home offices—is required to have one. There is no size threshold; the IRS applies the same standard to a one-person home practice as to a firm with 50 employees.

No. Consumer routers provided by internet service providers and retail home routers do not meet Security Six requirements. They typically offer basic Network Address Translation (NAT), which provides minimal perimeter filtering and none of the intrusion prevention, application awareness, SSL/TLS inspection, or seven-year security event logging that IRS Publication 4557 requires. Even for a home-based solo practitioner, you need a separate business-grade or enterprise-class firewall device. ISP equipment was designed for general consumer internet access, not for protecting sensitive taxpayer data in a regulated professional environment.

The FTC Safeguards Rule under 16 CFR § 314 authorizes civil penalties up to $100,000 per violation, with each missing security control potentially treated as a separate violation. The IRS can suspend your PTIN pending remediation, which prevents you from filing returns on behalf of clients until compliance is fully documented and verified. Beyond regulatory penalties, tax practices operating without documented security controls face significantly greater liability in civil litigation from clients whose data is exposed in a breach—courts and plaintiffs' attorneys treat undocumented controls as evidence of negligence.

Costs vary by practice size and whether you self-manage or use a managed service. Business-grade NGFW hardware typically costs $500 to $2,000 for the device, plus $500 to $3,000 annually for support contracts and firmware subscriptions. Managed firewall services—which include professional configuration, 24/7 monitoring, automatic updates, and compliance documentation—range from $200 to $800 per month depending on practice size and service scope. For most solo practitioners and small firms, managed services provide better compliance outcomes at lower total cost than self-managing equivalent hardware, because they include the documentation and monitoring that IRS auditors require.

VPN is a Security Six requirement regardless of your primary work location. The IRS requires VPN capability as part of your firewall configuration because tax preparers routinely access client data from client offices, hotels, conferences, and home during busy season. If you access taxpayer data only from a single physical office location on a network protected by your firewall, VPN for daily operations may be less pressing—but the configuration, documentation, and tested capability must exist. Configure VPN with multi-factor authentication on all laptops and mobile devices that could ever connect to client data remotely, so you're prepared when the need arises.

IRS Publication 4557 requires retaining security logs for the same duration as tax return records—a minimum of seven years. Maintain active logs in searchable format for at least 90 days for incident investigation. Archive older logs in compressed format on secure backup storage. Cloud-based log management services automate this retention for $20 to $50 per month for small practices, eliminating manual archival complexity while ensuring IRS-compliant retention periods. Conduct periodic restoration tests confirming that archived logs remain accessible and intact for potential audit or legal proceedings.

The IRS does not require managed services—self-management is permitted if you have the technical expertise and can produce equivalent documentation. In practice, self-managing a Security Six-compliant firewall requires IT staff with firewall expertise, ongoing security training, and the ability to review logs and respond to alerts. For most tax practices under 50 employees, self-management creates compliance risks through configuration errors, delayed security updates, and inadequate log review. During PTIN audits, IRS reviewers examine firewall configuration files, change logs, and security event reports—documentation that managed service providers generate automatically as part of their standard service delivery.

Your Written Information Security Plan must include: network architecture diagrams showing firewall placement and protected network segments; a firewall rule table with business justifications for each rule; a complete configuration export as a disaster recovery baseline; change management procedures documenting approval and testing processes; monitoring and review procedures with named responsible individuals; vendor information and support contract details; and annual testing records including penetration test results, vulnerability scan findings, and remediation timelines. Without this documentation, a functioning firewall still fails an IRS audit because auditors cannot verify its configuration or your ongoing management practices without the written record.

IRS Publication 4557 Section 4.4 requires annual security control testing including firewall effectiveness assessments performed by qualified personnel with documented results. Beyond the annual requirement, update firewall firmware and IPS signatures as they are released—for most enterprise devices this means automated daily or weekly updates managed by the manufacturer or your MSSP. Conduct quarterly business reviews examining whether your rule set still matches your actual operations, especially after hiring or terminating employees, adding remote workers, or adopting new tax software. Address high-risk audit findings within 30 days and medium-risk findings within 90 days, documenting all remediation actions and closure dates.
