Most DSL or cable modem solutions employ a device called a “Residential Gateway” that converts a transmission signal to a Local Area Network signal. Since most routers can clone the MAC address of a Network Interface Controller, it might be natural to want to “lock down” the implementation more securely using MAC address filtering.
A superior setup might see the Gateway turning on MAC address filtering with exactly one Media Access Control address, chosen at random rather than taken from a device on the network.
Then, the router (downstream of the Gateway) is instructed to present or “clone” that particular MAC. As such, the Gateway now believes that the router is the only authorized device on the network.
Internally, the router is then given a white list so that it recognizes only the MACs of authorized machines. Note: most routers list hardwired MACs and wireless MACs separately.
In a home network, this would not be as friendly to guests as one might want, but it would be completely secure against external browsing. The “gold standard” for security is that it should be impossible to compromise without physical access.
Cap it off by instructing the Gateway not to reply to pings, and your network can be both unobtrusive and secure against anyone without physical access.
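The random gateway MAC and the router's separate wired and wireless lists described above can be prepared with a short script. This is an added example, not code from the original page; the function names and the device inventory are assumptions made up for illustration, and the script only produces the values you would then type into the Gateway and router admin pages.

```python
import re
import secrets

def normalize_mac(text):
    """Accept aa:bb.., AA-BB.., aabb.ccdd.eeff or bare hex; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_unicast_local(mac):
    """True if the address is unicast (I/G bit 0) and locally administered (U/L bit 1)."""
    first = int(normalize_mac(mac)[:2], 16)
    return first & 0x01 == 0 and first & 0x02 != 0

def random_gateway_mac(in_use, rng=secrets):
    """Pick a random MAC for the gateway filter that no device on the LAN already has."""
    taken = {normalize_mac(m) for m in in_use}
    while True:
        octets = bytearray(rng.token_bytes(6))
        # Clear the multicast bit and set the locally-administered bit so the value
        # is a valid source address and cannot match a vendor-assigned (OUI) MAC.
        octets[0] = (octets[0] & 0xFC) | 0x02
        mac = ":".join(f"{b:02x}" for b in octets)
        if mac not in taken:
            return mac

def build_allow_lists(devices):
    """Split (name, mac, link) rows into the router's separate wired/wireless lists."""
    lists, seen = {"wired": {}, "wireless": {}}, {}
    for name, mac, link in devices:
        norm = normalize_mac(mac)
        if norm in seen:
            raise ValueError(f"{name} repeats the MAC of {seen[norm]}")
        seen[norm] = name
        lists[link][norm] = name  # KeyError on an unknown link type
    return lists

# Constructed inventory; names and addresses are made up for this example.
DEVICES = [
    ("desktop", "00-00-5E-00-53-10", "wired"),
    ("laptop", "0000.5e00.5321", "wireless"),
    ("phone", "00:00:5e:00:53:32", "wireless"),
]

if __name__ == "__main__":
    print("gateway filter / router clone:", random_gateway_mac(m for _, m, _ in DEVICES))
    for link, entries in build_allow_lists(DEVICES).items():
        for mac, name in entries.items():
            print(f"router {link} allow: {mac}  ({name})")
```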