Securing Content feeding to FAST ESP

Part of my job is to support some clients that still use FAST ESP and an interesting question came up:

What is the best way to secure the Content feeding to FAST ESP so malicious users or Devs don't accidently delete an index?

While investigating restricting access to FAST ESP ContentDistributor it seems that the Best Practice to complete this is with using firewall rules (OS or networking) to block access to the CD port (default TCP 16100) from all systems other than production Content API feeder systems. The second, and less secure, option would be to change the ContentDistributor port to a non-standard port. 

There is not a way to password protect the CD via the FAST ESP product at this time.

Please note that there are multiple options that may fit your environment so I will list them all:
Option #1  - Firewall block access to the CD port (TCP 16100)

Option #2  - Change the ContentDistributor port to a non-standard port

Option #3: There is an SSL mode for the Content API, the con here is that this would take some code changes on you current feeders.

Option #4: There is also an ESP Component level IP ACL system. You can add the CD component and IPs/network range of the production feeders. This is a good option that will not need any
coding on the feeder level but might add some slight overhead to the ESP system and it is recommended to test thoroughly.