To secure the data plane, adhere to these best practices:
Block unwanted traffic at the router. If your corporate policy does not allow TFTP traffic, implement ACLs that deny the traffic that is not allowed. You can apply ACLs inbound or outbound on any Layer 3 interface on the router. With extended ACLs, which can match on the source address, the destination address, or both, placing the ACL closer to the source saves resources: the packet is denied before it consumes network bandwidth and, on a router that is filtering inbound rather than outbound, before route lookups are done. Filtering on protocols or traffic types known to be malicious is a good idea.
Reduce the chance of DoS attacks. Techniques such as TCP Intercept and firewall services can reduce the risk of SYN-flood attacks.
Reduce spoofing attacks. For example, you can filter (deny) packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network.
Provide bandwidth management. Implementing rate limiting on certain types of traffic can also reduce the risk of an attack. Internet Control Message Protocol (ICMP) is one example, because legitimate traffic would normally use it only in small quantities.
When possible, use an IPS to inhibit the entry of malicious traffic into the network.
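The ACL, anti-spoofing, and rate-limiting items above can be combined on one outside-facing interface. The following Cisco IOS configuration is an added example, not taken from the original text; the interface name, the inside prefix 10.10.0.0/16, the ACL, class-map and policy-map names, and the 64 kbps police rate are all constructed for illustration.

```cisco
! Constructed values: inside network 10.10.0.0/16, outside interface Gi0/0
!
! Inbound filter on the outside interface, so denied packets are
! dropped before the route lookup.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: inside prefix must never arrive from outside
 deny   ip 10.10.0.0 0.0.255.255 any log
 remark Corporate policy: TFTP is not allowed
 deny   udp any any eq tftp
 remark Everything else continues to the remaining controls
 remark (without this line the implicit deny drops all other traffic)
 permit ip any any
!
! Classify ICMP so it can be policed separately from other traffic.
ip access-list extended ICMP-ALL
 permit icmp any any
!
class-map match-all CM-ICMP
 match access-group name ICMP-ALL
!
! Rate-limit ICMP: legitimate use needs only a small amount of bandwidth.
policy-map PM-OUTSIDE-IN
 class CM-ICMP
  police 64000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Outside (constructed example)
 ip access-group OUTSIDE-IN in
 service-policy input PM-OUTSIDE-IN
```

After applying it, `show ip access-lists OUTSIDE-IN` shows per-entry match counters and `show policy-map interface GigabitEthernet0/0` shows how much ICMP conformed to or exceeded the police rate.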