 Cisco Access Control Lists – Recommended default template?
Hey guys! I was hoping to find a default access control list template that you may use to block off reserved addresses, known worms, viruses, and vulnerabilities when you are setting up a new router?

Trying to think of every possible threat is impossible but a good recommended starting point for securing down a router that you may use at your work or home.

Post those ACLs!



ASKED: August 20, 2009  5:07 PM
UPDATED: August 25, 2009  7:45 AM

Answer Wiki:
First you must realise that an access-list will not protect you from worms or viruses. These are active at the application layer, and a router only works to the network/transport layer, so it does not have any visibility of these threats. You need to use a firewall with the added hardware or software to check for these, or more likely, run anti-virus and anti-malware software on your PCs.

To prevent more network-based attacks you should at least run firewall versions of the IOS on the router. Then use the 'inspect' commands to allow back in the replies to any packets you send out, and it blocks anything else coming in. If you don't have that, then you are taking a risk.

Use NAT (network address translation) for your connection to the Internet; that helps to protect your PCs on the inside, because it removes them from being directly accessed by anyone on the Internet.

Also harden up the router: at least put an access-list and access class commands on the vty ports, to prevent anyone outside logging into the router. Have a look at this page on the Cisco website, regarding the hardening of IOS routers. You don't need to do all these things, but doing at least some of them will make your installation more secure.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

My advice would still be to get the firewall version of the IOS, and also make sure all your machines have up-to-date virus and anti-malware software running. And remember, you are a small fish in a big pond, so a major attack at the network level is unlikely, so the virus check and anti-malware is your best defence.
Last Wiki Answer Submitted:  August 25, 2009  7:45 am  by  BlankReg   12,265 pts.
All Answer Wiki Contributors:  BlankReg   12,265 pts.
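
The three measures named in the answer above (an access-class on the vty lines, 'inspect' for return traffic, and NAT), shown together as an added example that is not part of the original answer or of the linked Cisco document. Interface names, addresses, and the ACL and inspection names are assumptions, and the `ip inspect` lines need a firewall feature set IOS image.

```cisco
! Constructed example. Assumed layout:
!   FastEthernet0/0 = Internet side, FastEthernet0/1 = inside LAN 192.168.1.0/24

! 1. Router management: only inside hosts may open a vty session.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
!
! 2. Inspection: track sessions started from the inside so that
!    their replies are let back in through the inbound ACL.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! 3. Inbound ACL on the Internet side: nothing unsolicited gets in.
!    Inspection adds temporary openings ahead of the final deny.
ip access-list extended FROM-INTERNET
 ! Only needed when the outside address comes from the ISP by DHCP.
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
! 4. NAT overload: inside hosts share the outside interface address
!    and are not directly addressable from the Internet.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description Internet
 ip access-group FROM-INTERNET in
 ip inspect OUTBOUND out
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip nat inside
```

Apply the vty access-class from a session that originates inside 192.168.1.0/24, and check the hit counters with `show access-lists` and active sessions with `show ip inspect sessions` before saving the configuration.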

