1) Your ISP router shouldn't be your firewall. Consider it as sitting in the DMZ. 2) Lock down external services offered by your ISP router and only allow access from internal IPs. 3) Use a real firewall such as an Astaro or Vyatta just inside your ISP router.