Folks seem to be concentrating on locking down the front door. You also need to watch all the backdoors. With multi-protocol equipment, there are a lot of backdoors. Is syslog sending plaintext information, when was the last time you changed snmp community strings, do you have read-write snmp or rsh/rcp access enabled, are ancilliary services like ntp, ospf and bgp authenticated? Have you turned off any services you aren't using such as MOP? If you network load your configuration, how do you know you got your configuration? Do you understand how arp works/doesn't work. After securing your network, one security issue I rarely see explicitly addressed is what do you do when your authentication stops working for whatever reason. Have you made plans for breaking into your own network. Vendor backdoors should require physical access to the equipment (e.g. moving a switch) not just knowledge of a "secret" maintenance password or special signal over a remote control line (e.g. break).