Establish policies on your border router to filter security violations both outbound (egress) and inbound (ingress) based on IP address. Except for unique and unusual cases, all IP addresses that are attempting to access the Internet from inside of your network should bear an address that is assigned to your LAN. For instance, 192.168.0.1 may have a legitimate need to access the Internet through the router, but 220.127.116.11 is most likely to be spoofed, and part of an attack.
Inversely, traffic from the outside of the Internet should not claim a source address that is part of your internal network. For that reason, inbound addresses of 192.168.X.X, 172.16.X.X and 10.X.X.X should be blocked.
And lastly, all traffic with either a source or a destination address that is reserved or unroutable should not be permitted to pass thorough the router. This can include the loopback address of 127.0.0.1 or the class E address block of 240.0.0.0-254.255.255.255.
Fortifying router security
Step 1: Change the default password!
Step 2: Disable IP directed broadcasts
Step 3: Disable HTTP configuration for the router, if possible
Step 4: Block ICMP ping requests
Step 5: Disable IP source routing
Step 6: Determine your packet filtering needs
Step 7: Establish Ingress and Egress address filtering policies
Step 8: Maintain physical security of the router
Step 9: Take the time to review the security logs
About the author
Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.
This tip originally appeared on SearchNetworking.com.
This was first published in January 2007