Here's some quickie suggestions. I'm sure others will contribute as well.
Passwords in general
o Always use passwords that incorporate numbers and ! @
Example: lunch @
o Limit who gets the passwords
o Use different passwords for different classes of systems. Don't
set your router password and personal login to use the same one.
o Change the passwords regularly
o Don't allow any back doors (usually router-to-router)
o Allow only telnet access on the inside.
o If you're really paranoid, allow only console access, and run that
through a comm/terminal server with a separate (logged) access control
o Make sure the firewall host is secured completely aside from the firewall
o Use a packet filtering router to control what even gets to the firewall
o Change your password regularly
o For Firewall authenticated access, use an encrypted access method,
no clear passwords.
o Define the services you will allow both on a general and special-user basis
before you set up shop.
o Log all rule violations to either a separate (secure) machine, or write-only
media (WORM, CD-ROM, Paper)
o Change passwords regularly
o Log all transactions.
o Limit who is allowed to enter changes to the system (new names, etc.)
Remote Access servers
o Don't identify your organization in the welcome string
Use welcome phrases like "Welcome to Remote Access server #1"
o Log all login successes, failures, login times, durations, etc.
The amount of information you can glean from these is amazing.