The upcoming Internet of things (IoT) is foreseen to encompass massive numbers of connected devices, smart objects, and cyber-physical systems. Due to the large-scale and massive deployment of devices, it is deemed infeasible to safeguard 100% of the devices with state-of-the-art security countermeasures. Hence, large-scale IoT has inevitable loopholes for network intrusion and malware infiltration. Even worse, exploiting the high density of devices and direct wireless connectivity, malware infection can stealthily propagate through susceptible (i.e., unsecured) devices and form an epidemic outbreak without being noticed to security administration. A malware outbreak enables adversaries to compromise large population of devices, which can be exploited to launch versatile cyber and physical malicious attacks. In this context, we utilize spatial firewalls, to safeguard the IoT from malware outbreak. In particular, spatial firewalls are computationally capable devices equipped with state-of-the-art security and anti-malware programs that are spatially deployed across the network to filter the wireless traffic in order to detect and thwart malware propagation. Using tools from percolation theory, we prove that there exists a critical density of spatial firewalls beyond which malware outbreak is impossible. This, in turns, safeguards the IoT from malware epidemics regardless of the infection/treatment rates. To this end, a tractable upper bound for the critical density of spatial firewalls is obtained. Furthermore, we characterize the relative communications ranges of the spatial firewalls and IoT devices to ensure secure network connectivity. The percentage of devices secured by the firewalls is also characterized.