Establish Ingress and Egress address filtering policies

Establish policies on your border router to filter traffic that violates your security policy, both outbound (egress) and inbound (ingress), based on IP address. Except for unique and unusual cases, every packet attempting to reach the Internet from inside your network should bear a source address that is assigned to your LAN. For instance, may have a legitimate need to access the Internet through the router, but is most likely to be spoofed, and part of an attack.

Conversely, traffic arriving from the Internet should not claim a source address that is part of your internal network. For that reason, inbound addresses of 192.168.X.X, 172.16.X.X and 10.X.X.X should be blocked.

Lastly, no traffic with a source or destination address that is reserved or unroutable should be permitted to pass through the router. This can include the loopback address of or the class E address block of
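The three rules above can be modeled as a single decision function. This is an added example, not part of the original tip. It assumes a LAN prefix of 203.0.113.0/24 (a documentation range) and uses the standard loopback (127.0.0.0/8) and class E (240.0.0.0/4) prefixes. It also goes slightly beyond the text by blocking the full private block 172.16.0.0/12, of which 172.16.X.X is the first /16.

```python
import ipaddress

# Assumption: the prefix assigned to the LAN (documentation range, constructed).
LAN = ipaddress.ip_network("203.0.113.0/24")

# Private ranges that must never appear as a source on the Internet side.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Reserved or unroutable ranges, blocked as source or destination either way.
RESERVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8",    # loopback
             "240.0.0.0/4")]   # class E


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def decide(direction, src, dst, lan=LAN):
    """Return (action, reason) for one packet crossing the border router.

    direction is "egress" (LAN to Internet) or "ingress" (Internet to LAN).
    """
    if direction not in ("egress", "ingress"):
        raise ValueError("direction must be 'egress' or 'ingress'")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(s, RESERVED) or _in_any(d, RESERVED):
        return "drop", "reserved or unroutable address"
    if direction == "egress" and s not in lan:
        return "drop", "egress source not assigned to the LAN"
    if direction == "ingress" and (s in lan or _in_any(s, PRIVATE)):
        return "drop", "ingress source claims an internal address"
    return "permit", "passes address filtering"


# Constructed sample packets: (direction, source, destination).
SAMPLES = [
    ("egress", "203.0.113.25", "198.51.100.7"),   # legitimate LAN host
    ("egress", "192.0.2.99", "198.51.100.7"),     # spoofed source leaving
    ("ingress", "10.1.2.3", "203.0.113.25"),      # private source arriving
    ("ingress", "203.0.113.8", "203.0.113.25"),   # outside claims LAN address
    ("ingress", "198.51.100.7", "203.0.113.25"),  # ordinary inbound traffic
    ("egress", "203.0.113.25", "240.0.0.1"),      # class E destination
]

if __name__ == "__main__":
    for direction, src, dst in SAMPLES:
        action, reason = decide(direction, src, dst)
        print(f"{direction:8} {src:15} -> {dst:15} {action:6} ({reason})")
```

The reserved-address check runs first because it applies in both directions; the direction-specific checks then apply only the rule for that side of the router.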

Fortifying router security
   Step 1: Change the default password!
   Step 2: Disable IP directed broadcasts
   Step 3: Disable HTTP configuration for the router, if possible
   Step 4: Block ICMP ping requests
   Step 5: Disable IP source routing
   Step 6: Determine your packet filtering needs
   Step 7: Establish Ingress and Egress address filtering policies
   Step 8: Maintain physical security of the router
   Step 9: Take the time to review the security logs

About the author
Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.

This tip originally appeared on
